Notes from the IAPP Europe: What happened on the AI front in Europe this April

Europe saw stalled negotiations on the AI Digital Omnibus delaying key changes to the EU AI Act, while EU institutions and national authorities issued guidance on AI-related cybersecurity risks, AI's impact on privacy and responsible use of chatbots in customer service.

Contributors:
Laura Pliauškaitė
European Operations Coordinator
IAPP
Editor's note
The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.
April has wrapped without the widely anticipated milestone passage for artificial intelligence regulation in Europe. The European Parliament and European Council did not manage to reach an agreement on the Digital Omnibus on AI Regulation proposal during the latest trilogue on 28 April, despite high hopes that it would be the last session.
The interinstitutional negotiations on this file have been speedy — Parliament and the Council first met to discuss the technical matters concerning the proposal a month ago. Both institutions' negotiating positions aligned on many issues, but there were also points of contention, especially concerning the EU AI Act's Annex I merger, in which Parliament suggests moving sectoral rules from Annex I Section A to B.
Despite the expeditious beginning, progress stalled in the latest meeting over this disputed point, as the Council did not agree with Parliament's demands to integrate the EU AI Act's rules into sectoral regimes, including on machinery and toys.
This simplification instrument is intended to introduce several targeted changes to the AI Act, including postponing entry into application of its obligations for high-risk AI systems. Reaching an agreement quickly is important so that the proposed changes can take effect before 2 Aug., when the current act's obligations for high-risk AI systems become enforceable.
It remains to be seen whether this is still possible with the delays caused by the ongoing search for an interinstitutional deal, which is not expected to resume until the new Council's mandate is in place — at least a few more weeks.
Aside from the Digital Omnibus on AI, the EU is working on various other AI-related initiatives. Thursday 9 April marked the one-year anniversary of the EU AI Continent Action Plan's publication. This extensive initiative aims to transform the EU into a global leader in AI, with some of its elements, including the European Data Union Strategy and the Apply AI Strategy, already launched and more to come.
In addition to some ongoing efforts to strengthen Europe's AI and supercomputing infrastructure, such as the AI Gigafactories project, the Commission will propose the Cloud and AI Development Act. The proposal was supposed to be tabled earlier this year, but its publication was delayed until 27 May.
The broader topic of AI was prevalent across various communications from national authorities in different European countries this month.
The U.K. Department for Science, Innovation and Technology published an open letter to business leaders warning about AI-driven cyber threats, with a focus on the risks posed by AI models that detect cybersecurity vulnerabilities, and providing a few tips for enhancing organizations' cybersecurity. The letter also provides an overview of what is being done at a national level, including the establishment of the AI Security Institute and the new Cyber Security and Resilience Bill that is currently in the legislative process.
The U.K. National Cyber Security Centre also issued guidance on improving organizations' cybersecurity capabilities to be able to withstand severe cyber threats that are becoming easier to carry out quickly and at a large scale with the help of new technologies like AI. And the European Securities and Markets Authority recently warned about the cyber risks posed by rapidly evolving AI.
In the Netherlands, data protection and competition regulators are working together on guidelines on responsible use of chatbots in customer service and are asking all stakeholders to share their experiences and expectations when it comes to these AI systems. The draft guidelines will be open for feedback this summer and their final version is planned to be available this autumn.
On 13 April, Belgium's Data Protection Authority released guidance on AI's impact on privacy. This is the first publication in its series aimed at raising awareness concerning AI and data protection.
More updates on the intersection between data protection and AI can also be expected from Sweden's DPA, Integritetsskyddsmyndigheten, as it recently announced a budget increase that should allow it to fulfill its duties under the EU AI Act.
In Spain, the topic of AI is being addressed in the Agencia Española de Protección de Datos' new guidance on the impact on data protection of voice transcription services that use AI. The guidance elaborates on obligations associated with their use, including transparency, accuracy, right of access and consent.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.



