Some of Europe's top data regulators said enforcing the new EU Artificial Intelligence Act is a tall order.
Adopted by the European Parliament in March, the proposed regulation has been closely watched as a potential benchmark for other countries looking to navigate the AI landscape. But even with likely entry into force in May or June, the AI Act has several deadlines built in before all provisions are fully in place.
That's just one of the challenges facing the regulators that may find themselves stepping into the role of overseers in an industry that is new to them. A panel of regulators unpacked their concerns during a 4 April breakout session at the IAPP Global Privacy Summit 2024.
A new AI Office within the European Commission will oversee the implementation of the act overall, but entities within member states will be picked to enforce the regulation at the local level. That raises uncertainty for some regulators.
"We are not ready, for many different reasons," Guido Scorza, a board member of Italy's data protection authority, the Garante, said. "We haven't enough resources in terms of finances, in terms of skills and of people we have at the Garante."
Scorza added that a public agency like the Garante cannot compete with private-sector compensation for AI professionals. It was a nod to a challenge governments around the world are dealing with. Nations, including the U.K., the U.S., Singapore and Canada, have dedicated hundreds of millions of dollars to upskilling their workers to include AI skills as they impose frameworks around the technology.
Scorza also worries EU DPAs may not be able to do their jobs effectively because they are appointed by their governments, saying it would create a "conflict of interest" to have the entity that is supportive of an industry also be the one in charge of supervising it.
However, other DPAs on the panel detailed a general level of comfort with taking up AI, highlighting they have been dealing with AI issues for years before the AI Act's passage.
Commissioner Bertrand du Marais of France's DPA, the Commission nationale de l'informatique et des libertés, pointed to enforcement actions his agency has taken concerning smart technology and facial recognition. He also argued the EU General Data Protection Regulation has given DPAs experience in certifications and personal data protection, a cornerstone of the AI Act.
The AI Act proposes penalties for AI violations, including up to 7% of annual revenue for prohibited uses of AI and 3% for other infractions. But the European Commission still has to issue guidelines around how fines are to be handled.
European Data Protection Supervisor Wojciech Wiewiórowski anticipated member state authorities would be advised to consider the seriousness of the infraction, as well as the duration and effort made to fix the problem by the institution in question. But he said the level of fines may differ depending on whether the institution in question is public or private because they may use AI differently.
Scorza added it will likely take some time for local agencies to issue AI Act penalties as they wait for guidance from the Commission. He said it will be important to distinguish AI Act fines from GDPR penalties to avoid confusion.
The EU's landmark data protection regulation will also provide a path on the issue of fines, said du Marais, who argued the GDPR's calculation of administrative fines is similar to the AI Act's. He said companies that have navigated DPAs' enforcement processes with the GDPR will undergo a similar process.
"The AI Act is, without prejudice, the continuation of the GDPR," he said.
One opportunity businesses may want to look out for is the establishment of a regulatory sandbox for EU institutions under the EDPS. But Wiewiórowski reminded GPS 2024 attendees that participation in those sandboxes — which are meant to give private firms a chance to test their products under regulator monitoring and receive feedback on any potential issues — is not mandatory. And institutions should not expect the supervisor to have checklists and templates for how to conform exactly.
"And if you think the AI Office will prepare the guidelines for each part of the industry, I would just like to ask them to know what they wish for," he said. "That is on the market."