
Earlier this year, the European Union enacted the world’s first AI Act – and the prohibition on unacceptable risk AI systems is coming into effect before year’s end, with the remaining regulations entering into force throughout 2025, 2026, and 2027. But, while this is a European law, Australian organisations will fall under the umbrella of the regulations (and penalties for non-compliance are steep). So let’s dig into the major features of the AI Act, and how it impacts Australian organisations.
The AI Act is extremely lengthy, at over 400 pages, but we’ve summarised some of the key regulations:
Purpose and Scope: The AI Act aims to provide a unified legal framework for the development, marketing, and use of AI systems within the EU. It uses a risk-based approach to the degree of regulation.
Risk-Based Approach: The Act categorises AI systems based on their potential risks, imposing stricter requirements on high-risk systems and transparency obligations on others. The four risk profiles are unacceptable risk, high risk, limited risk, and minimal risk.
Prohibited AI Practices: Certain AI practices deemed to pose an unacceptable risk are strictly prohibited, such as AI systems that manipulate individuals, categorise people based on biometric information, lead to social scoring, or attempt to predict whether a person will commit a crime (so that Minority Report doesn’t become a documentary!).
High-Risk AI Systems: High-risk AI systems, such as those used in employment decisions, critical infrastructure or law enforcement, are subject to stringent requirements, including conformity assessments, technical documentation, and human oversight.
Limited Risk: AI systems that are designed to interact with humans (like chatbots) fall into the limited risk category. The requirement for this risk profile is that the system must make it apparent to the individual that they are interacting with an AI (i.e. transparency).
Minimal Risk: AI systems that pose a minimal risk are unregulated.
Generative AIs: Generative AIs, like ChatGPT, fall under a separate section of the regulation and are classed as “General Purpose AIs” (GPAIs). Developers of these systems must adhere to technical requirements and documentation requirements, including keeping notes in a prescribed format about the content used to train the AI.
Transparency Obligations: AI systems used for generating content or interacting with humans must be transparent, including providing notice that the output is AI-generated.
Training Requirements: The AI Act requires those who provide and deploy AI systems to promote AI literacy among their team.
Enforcement and Governance: The Act establishes a framework for market surveillance, enforcement, and penalties and creates the European Artificial Intelligence Board for guidance and support.
Extraterritorial Application: In terms of the law’s application outside of the EU, providers who place an AI system on the market (sell) or put into service (use in) the EU are covered by the Act’s requirements. Additionally, the AI Act states that providers and deployers of AI systems (even in third countries) which have ‘outputs’ used within the EU are also covered. This could have a fairly broad scope, potentially including those organisations that create content (that will be consumed in Europe) using generative AI.
In response to the EU’s AI Act, as well as the AI Guardrails being proposed for Australia, we suggest organisations take the following steps:
And if you’re considering implementing technologies that include artificial intelligence, download a copy of our AI Impact Assessment Form. This template helps organisations ensure that AI technologies are employed in ways that uphold ethical standards, maintain privacy and security, and respect legal boundaries. The goal is to ensure responsible and informed decision-making when implementing AI technologies.
For guidance about compliance with the EU’s AI Act or other privacy laws, reach out.