Where AI regulation is concerned, size most definitely does not matter. Where AI legislation is concerned, the punishment fits the crime, so to speak, and no one is exempt from compliance responsibilities.
A common misconception among smaller business owners is that AI regulations are aimed at larger corporations. However, these regulations are equally applicable to smaller enterprises, particularly those utilising AI for sensitive tasks such as personal data processing or automated decision-making, which are key areas of focus in AI legislation.
As an example, the regulation introduces a four-tier system of fines for regulatory breaches. The most severe penalties apply to the use of certain prohibited AI systems, while at the other end of the scale are infringements such as providing false or incomplete information. While the fines at that end appear lower, they are no less significant. Mostly, it’s the providers who are penalised under the AI Act, though users, importers, distributors, and even certifying entities can face fines in case of non-compliance. Here’s a quick look at the tiered compliance structure, but speak to dForce or Modulos for more details:
Tiered Compliance and associated Penalties
Tier 1 – Non-compliance with prohibitions
[Articles 4b, 16, 23a, 26, 27, 29, 33, 34(1), 34(3), 34(4), 34a, 52]
In summary, this tier covers practices that are prohibited under the AI Act, such as the use or sale of AI systems that present an extreme risk level. This includes systems that manipulate behaviour to cause harm, target vulnerable groups for exploitation, categorise individuals based on protected characteristics, contribute to social scoring leading to negative outcomes, or facilitate remote biometric identification in public spaces.
Up to €40,000,000 or 7% of turnover
Tier 2 – Non-compliance with data and data governance and transparency requirements
This tier is for breaches concerning data handling and transparency, defined in Articles 10 and 13 respectively.
Up to €20,000,000 or 4% of turnover
Tier 3 – Non-compliance with other obligations
This tier is for non-compliance of AI systems or foundational models with any requirements or obligations other than those laid out in Articles 5, 10, and 13.
Up to €10,000,000 or 2% of turnover
Tier 4 – Supplying incorrect, incomplete, or misleading information
This is an infringement under Article 23, which mandates cooperation with the relevant authorities in each member state. High-risk AI system providers must furnish all necessary information and documentation to demonstrate compliance with the stipulated requirements when requested by a national authority.
Up to €500,000 or 1% of turnover
It’s important to recognise that penalties imposed under the regulations apply equally to all businesses, regardless of their size. What determines the specific Tier of the fine is the nature of the regulatory violation itself.
Are Fines happening now?
YES
1. In February 2022, the Italian regulators imposed a fine amounting to €20,000,000 on Clearview AI Inc in relation to its facial recognition system. The regulators also imposed a ban on further collection and processing, and ordered the erasure of the data, including biometric data, processed by the company’s facial recognition system with regard to persons in the Italian territory, as well as the designation of a representative in the territory of the European Union.
2. In May 2022, Clearview was fined £7,552,800 in the UK by the Information Commissioner’s Office (ICO) for using images of people in the UK, and elsewhere, that were collected from the web and social media to create a global online database that could be used for facial recognition.
The imposition of fines for regulatory infringements across the EU is managed by each Member State, not by a single central authority. Each Member State will embed these provisions into its own legal system. This means the responsibility to levy fines lies either with the courts or designated authorities within each country.
The EU’s AI Act is poised to set a precedent; it is considered the ‘gold standard’ in AI regulation globally. It’s largely accepted that countries outside the EU, including the UK, see the EU AI Act as a benchmark. They will develop their own AI legislation that closely mirrors the EU’s framework. This move will likely promote a level of uniformity in AI governance across borders, reflecting the comprehensive nature of the EU AI Act’s approach to ethical, transparent, and responsible use of AI technologies.
For businesses uncertain about navigating this complex regulatory terrain, dForce and Modulos present a compelling solution, specialising in bespoke services that cater to the diverse needs of businesses, regardless of their scale. This collaboration uniquely combines dForce’s deep expertise in business change, strategic system and AI implementation with Modulos’ cutting-edge automated AI compliance platform. This synergy simplifies the compliance process and makes it more accessible and less daunting for all sizes of business. There are no exclusions: this includes those who may until now have considered themselves outside the catchment area.
Why not speak to us – our team are ready and willing to help. The full draft text of the EU AI Act is available at the following link.