EU AI ACT - EXTRA-TERRITORIAL EFFECT (YES, JUST LIKE THE GDPR)
The intention of the EU AI Act is to protect people in the EU who are affected by AI systems – even if those systems are outside the EU.
Given the prescriptive requirements and potentially significant downsides of non-compliance, businesses who touch AI in some form (developing, using or puttting in their product) should consider whether they may fall within the EU AI Act scope, whether or not they are actually based in the EU.
Who does the EU AI Act apply to?
Developer
You develop and put on the market or put into service an AI system/general purpose AI model in the EU
i.e. you are a ‘provider’ under the EU AI Act – see here for more on the definitions of actors under the EU AI Act
it does not matter whether you are established or located within the EU or not
Deployer
You use an AI system (not in your personal capacity) and you are in the EU
i.e. you are a ‘deployer’ under the EU AI Act – see here for more on the definitions of actors under the EU AI Act
• You are established/located in the EU
Output into EU
You develop or use an AI system, where the output produced by the AI system is used in the EU
i.e. you are a ‘provider’ or a ‘deployer’ under the EU AI Act – see here for more on the definitions of actors under the EU AI Act
it does not matter whether you are in the EU or in a third country
‘Output’ is not defined in the EU AI Act, and it is not clear yet how it will be interpreted. Until then, it is perhaps best to err on the side of caution. Any predictions, content, recommendations, or decisions generated by the system are likely to be considered ‘output’.
There is no requirement for you to intend for the output to be used in the EU, just that it actually is – the effect of this is potentially very broad
Put AI system into EU
You place an AI system on the EU market, or make an AI system available on the EU market
i.e. you are an ‘importer’ or ‘distributor’ under the EU AI Act – see here for more on the definitions of actors under the EU AI Act
it does not matter whether you are in the EU or not
Authorised representative
Just like the GDPR, those inside the EU who are covered by the extra-territorial effect of the EU AI Act must appoint an authorised representative inside the EU. If you are an authorised representative in the EU, you are caught by the EU AI Act yourself.
AI affects those inside the EU
A provider or deployer of an AI system which affects someone in the EU is likely to have obligations in respect of that individual.
What should my business do?
Consider whether any of the above might apply to you. Organisations who are providers or deployers of AI systems anywhere in the world could potentially come within the scope of the EU AI Act. If you are unsure, it is best to err on the side of caution initially and dig deeper to understand the legal scope and how this applies to your operations. Please contact us if you would like help with this.
If you think you fall under the territorial scope of the EU AI Act, you will need to next consider how the AI Act categorises the AI in question which, along with which ‘actor’ you are within the supply chain, determines your obligations under the AI Act).
Even if you are not technically caught by the scope of the EU AI Act, businesses operating internationally may decide to ensure they are compliant with the EU AI Act across its group companies and international operations, rather than consider each scenario individually and repeatedly.
As a result, it is likely that the EU AI Act becomes the ‘gold’ international default standard (similarly to the GDPR).
THANKS FOR READING