The French presidency of the EU Council has made a series of proposals regarding the enforcement of the EU’s Artificial Intelligence Act, in a new compromise text seen by EURACTIV.
The new text is the last in a series of compromises presented by France, at the helm of the EU until the end of June. Before the end of its presidency, Paris is aiming to present a progress report summarising the achievements made on this file to the Telecom Council on 3 June.
The new document makes significant modifications to the sanction regime, the timeline for the entry into application of the regulation, the confidentiality requirements for the supervisory bodies, and the delegated powers of the European Commission.
The text is to be discussed at the Telecom Working Party of the EU Council on Thursday (5 May).
The article concerning penalties has been changed to also take into account the size of companies, not only small-scale and start-ups but also medium-sized ones.
The highest fines have been limited to unlawful use of prohibited practices, such as social scoring or manipulative algorithms, as the reference to the obligations to make the training datasets representative and without biases was removed.
For these more severe breaches, SMEs and start-ups could face a maximum fine of 3% of their annual turnover or €30 million, whichever is higher. For all other companies, the maximum fine would reach 6% of the annual turnover.
However, given the wording ‘whichever is higher’, the lower cap would only apply to SMEs and start-ups with a market capitalisation of over €1 billion.
For all other breaches of the regulation, the sanctions for a company would be 4% of the annual turnover, except for start-ups or SMEs, where it would be 3%, or €20 million, whichever is higher. The sanctions for providing incomplete or misleading information have not been changed.
A new paragraph has been added stating that the sanctions imposed by the market surveillance authority must be subject to appropriate procedural safeguards that include judicial remedies.
The deadline for the application of the Regulation has been extended from two to three years after its entry into force “to give member states more time to prepare for effective implementation and to give businesses more time to adapt.”
The deadline for member states to set up the relevant national authorities and notified bodies – designated to assess the conformity – has also been extended from three to twelve months.
The confidentiality requirements for the information and data obtained in applying this regulation have been extended to the Commission, the board of national authorities and everyone involved in the application. Confidentiality should be ensured via technical and organisational measures.
Before, the confidentiality rule only applied to notified bodies, the organisations in charge of checking that certain AI systems respect the regulation before they are launched on the market.
“The wording is based on a similar provision of the GDPR,” the Presidency explained in the accompanying note, referring to the EU’s data protection legislation.
Delegated powers and reviews
How much power to give to the European Commission in the form of secondary legislation, laws created by the executive power, is a recurrent contention point between the co-legislators, with the EU Council normally pushing for giving the Commission less independence.
The text now includes a ‘sunset clause’ for the Commission’s power to adopt delegated acts, which is no longer indeterminate but limited to five years from the time the regulation enters into force.
By that time, the Commission will have to provide a report on the use of its delegated powers, which would be automatically extended unless the European Parliament or Council oppose such extension.
France is also proposing an extension to the timeline in terms of evaluation and review of the annexes, critical parts of the regulation.
Annexe I, which includes the definition of AI systems, and Annexe III, which includes the critical list of high-risk AI systems, are to be reviewed every two years until the end of the delegation powers.
In this part of the text, the French presidency did not make modifications to the administrative fines that the European Data Protection Supervisor might impose on EU bodies for breaches of the regulation, the secondary legislation and amendments to related legislation.
[Edited by Zoran Radosavljevic]