by Rocco Panetta
The regulatory initiative on AI (“Proposal for a Regulation laying down harmonised rules on Artificial Intelligence”) is the umpteenth piece of a wider manoeuvre of digital governance by the European Union. After the Data Governance Act, the Digital Services Act and the Digital Markets Act, the Commission has played poker. Four proposals for regulations which, once they have passed their respective approval processes – which we hope will proceed rapidly – promise to revolutionise the European techno-economic space (and not only), while waiting for the eternal laggard, the ePrivacy Regulation, to be approved.
The draft of the Artificial Intelligence Act is full-bodied, structured and, precisely for this reason, fascinating to study. The leak has certainly allowed the preparation of the field for a first complete analysis of the contents and effects of this proposal. However, I believe that, as a lawyer of the data economy, my task is also to offer new and different elements with which to analyse situations like this one. In particular, I would like to present three of them, three different ways of interpreting the new European regulation on AI.
I think it is useful to point out, first of all, what is the structural element on which the Artificial Intelligence Act is built, namely the risk-based approach.
The proposal of regulation – which aims at the pursuit of a delicate and harmonious balance between the needs of protection of the fundamental rights and values of the EU and innovation and technological development – follows a classification of the systems of AI according to whether their use determines an unacceptable risk, a high risk or a low or minimal risk. The general prohibition laid down for the first category (with some limited exceptions) is accompanied by various protective measures to be adopted for the development, marketing and use of artificial intelligence systems, proportionally and progressively linked to the respective levels of risk.
It is also interesting to note the attention shown by the Commission to the constant and fruitful frenzy of technological development. In fact, the succession of innovations in the development of AI systems has the capacity to rapidly render any regulatory declination obsolete. The proposal of regulation seems to take account of this variable, opting for solutions (starting from the definition, crucial, of artificial intelligence) and procedures aimed at keeping the regulation in pace with progress.
In addition, it introduces a system of governance at both central and national level and provides for measures to support innovation in the AI sector (such as regulatory sandboxes).
There are two formal elements that are undoubted of substantial importance. The first concerns the choice of defining a horizontal and uniform legal framework on artificial intelligence for all the Member States, an objective pursued through the adoption of a regulation. As to the second, it is clear that the proposal of the Commission could also strongly differ from the text which will be definitively approved, at the end of its parliamentary process, and which will find direct and common application throughout the territory of the European Union. There is no shortage of issues that will trigger heated discussions over the coming months. One example? The rules on remote biometric identification (an issue on which the European Data Protection Supervisor has immediately expressed its opinion).
The geopolitical challenge: a first checkmate for the US and China
The first perspective from which to comment on the weight of the proposed regulation is the international chessboard. The role of the European Union in the game for technological hegemony between China and the United States has been discussed for some time now. With the Artificial Intelligence Act, the Commission may have changed the rules of the game, turning the table in its favour.
The legal framework proposed by the EU is unprecedented. The importance of such an achievement is obvious. The fact that the flag on the planet for AI regulation is the European one means legal primacy, which in turn could attract economic and technological primacy as well. The Commission itself seems to be acutely aware of the correlation between these three aspects. And, in fact, together with the proposal for a Regulation on artificial intelligence, to which has been flanked also a proposal for a Regulation on machinery (“Proposal for a Regulation on machinery products”), a revision of the Coordinated Plan on Artificial Intelligence has also been presented, with which it is proposed to continue on the road towards the creation of a global leadership of the European Union in matters of reliable AI through a close collaboration between the Commission and the Member States. This, of course, will also be possible thanks to a fresh injection of economic resources.
The Commission therefore seems to want to take the reins in the international game for technological hegemony, standing as a superpower in the AI sector thanks to an approach that, in keeping with its constitutional tradition, aims to combine ethical regulation – and thus protection of fundamental rights and values – with support for innovation.
It seems that even across the Atlantic they have realised that the direction of the wind on the playing field is changing. Indeed, the recent publication by the US Federal Trade Commission of recommendations for companies using artificial intelligence systems cannot be considered a mere coincidence.
The regulatory approach: comparison with the GDPR
The second tool that I would like to propose in order to analyse the work of the Commission is that of the comparison with another European law, that on the protection of personal data.
First of all, it is necessary to note that the proposal of the Artificial Intelligence Act follows and re-proposes many of the elements that characterize the General Data Protection Regulation (GDPR). Evidence of this direct derivation/inspiration can be found both with reference to the valorisation of the risk, and with regard to the mechanisms of accountability and self-assessment, and also with regard to the chosen sanctioning regime and the proposed system of governance. Of course, there are natural differences and deviations, but the relationship is there and it is visible.
At the same time, I think it is important to bring out a further aspect in addition to the positive discipline. The GDPR has, in fact, taken on the role of a global archetype for the regulation of personal data protection, thus becoming an instrument for exporting the principles and values that permeate the legal tradition of the EU and of the individual Member States. And, therefore, the future regulation on artificial intelligence could well replicate this very important achievement.
Back to the origins of the EU
The most attentive reader will not have missed the reference to the fundamental rights and values of the European Union. This reference, besides constituting the third possible perspective from which to comment on the draft regulation, also represents a fil rouge that ties it to all the others.
The proposal of the Artificial Intelligence Act can and indeed must be seen as a clear moment of laying down, in positive terms, a system of rights, freedoms and values proper to the European historical-constitutional tradition. In the legislation on AI – as well as in the entire institutional action of the EU – ethical and human-centred dogmas, such as that of non-discrimination, which have crossed the Community dimension since its foundation, are, in fact, declined. In some cases, it is possible to go back even further, looking at the outcome of individual national experiences, then synthesised at European level. And even earlier, going back to Roman law, the legal and cultural basis of Western civilisation (just think of the relevance, even in this context, of the dogma of neminem laedere). It is the wonderful weight of tradition that continues to shape innovation.
In this regard, I am pleased to quote what was written in the pages of the newspaper Il Messaggero by the Vice-President of the Garante, professor Ginevra Cerrina Feroni: “As in all epochal passages in history, technological development must not be curbed, but neither can it be adhered to uncritically without considering its impact on the shared foundations of ethics and law. There is no need to mobilise new principles, but rather to revitalise the foundations of European liberal-democratic constitutionalism in order to achieve effective and efficient legality: unprecedented solutions are needed for unprecedented technological and social conditions”.
Certainly, it cannot be overlooked to note how, among all the fundamental rights which nourish and on which the proposal under comment is founded, a particular role must be recognized to the right to the protection of personal data. A fundamental right, of constitutional rank (Article 8 of the Charter of Fundamental Rights of the European Union), which, in the specific context of artificial intelligence, invests and protects precisely the crucial and indispensable element for the development of the intelligent machines, that is, the data
The content of the EU Commission’s draft regulation is therefore not surprising. An innovative and courageous act, and at the same time an inevitable consequence of the complex of principles, rights, freedoms and values in which we are, fortunately, immersed.
This article was originally published in Italian on Agenda Digitale.