Impact of EU AI Act on India

“Extra territorial Jurisdiction” was one of the aspects of GDPR which created a scare in the Indian industry in 2018. This was also the reason for the birth of FDPPI the organization which has today grown to be a premier Privacy and Data Protection organization in India.

Today the EU-AI act is threatening to be another more potent legislation of the EU that could have an adverse impact on the Indian IT industry.

As regards GDPR, the Indian industry so far has not been much affected since it is working under the radar as “Processors” to a “Controller in EU”. The SCC which were tightened after the Schrems judgement got rationalized after the EU-US Privacy framework adoption.

However EU-AI act appears to be re-igniting the controversies of an attempt by EU to create global hegemony though the Act and it’s penalty clauses.

EU commission has established “The European AI Office” and will be the regulator for the Act. The first point we need to note about the EU-AI act is the penalty clause (Article 70).

According to Article 70,

a) non compliance with the prohibition of the AI practices referred to in Article 5 shall be subject to administrative fines upto Euro 35 million or 7% of the Worldwide turnover whichever is higher

b) non compliance of an AI system with any of the provisions other than in Article 5, as laid down in Article 16, 25, 26, 27, 29 (para 1 to 6a), Articles 33, 4(1),34(3),34 (4), 34a, and 52 may result in administrative fines upto Euro 15 million or upto 3% of worldwide turnover

c) Supply of in-corrrect, incomplete or misleading information in reply to a request may result in administrative fine upto Euro 7.5 million or 1% of total worldwide annual turnover

d) In case of SMEs the administrative fine will be the lower of the above..

Scope of the Act

Article 2 defines the scope of the Act . The essence of the scope in brief are indicated below. (An in-depth discussion of the applicability will follow)

According to article 2.1, the regulation applies to

a) Providers placing a product or service in the Union irrespective of whether they are established or located within the Union or not.

b) Deployers of AI systems that have their place of establishment or who are located within the Union

c) Providers and deployers of AI systems that have their place of establishment or location in a hird country where the output produced is used in the Union.

d) Importers and distributors of AI systems

e) Importers and distributors of AI systems

f) product manufacturers placing their product under their own name and trademark

g) authorized representatives of providers which are not established in the Union.

h) affected persons that are located in the Union

This regulation shall not apply to areas outside the scope of EU law and matters concerning national security, scientific research etc

This Regulation shall not affect the application of the provisions on the liability of intermediary service providers set out in Chapter II, Section 4 of Directive 2000/31/EC of the European Parliament and of the Council [as to be replaced by the corresponding provisions of the Digital Services Act].

This Regulation shall not apply to obligations of deployers who are natural persons using AI systems in the course of a purely personal non-professional activity.

The obligations laid down in this Regulation shall not apply to AI systems released under free and open source licences unless they are placed on the market or put into service as high-risk AI systems

Though the Act is considered as a “Risk Based” system nd technology neutral it defines the AI system as follows:

‘AI system‘ is a machine-based system designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments;

The general reading of the Act implies that Indian software developers placing their products and services in the EU Union either directly or through distributors etc need to be aware of the need to cover the risks.

(More discussions will follow…continued)



EU Commission-AI

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.