What the European Union AI Act means for the US

The EU AI Act is set to become the world's first comprehensive legal framework for artificial intelligence. Originally proposed by the European Commission in April 2021, the general approach policy was adopted by the European Council last year, and the European Parliament just adopted its position in mid-June. Now the three will negotiate the final details before the policy can become law—in a process called "trilogue," a three-way negotiation. After a final agreement, the law could become enforceable within the next few years.

Stanford HAI convened experts in artificial intelligence, law, and policy to explore the finer points of the regulation, what aspects may still be up for negotiation between the three EU institutions, what's missing, and how likely technology companies will be able to follow it. Here are the highlights of their discussion, moderated by Marietje Schaake, international policy fellow at Stanford HAI and international policy director at Stanford Cyber Policy Center, as well as a former member of the European Parliament. You can watch the full panel here.

Where are the areas of potential disagreement among the legislative bodies?

Dragoș Tudorache is a Member of the European Parliament and co-rapporteur of the European Parliament for the AI Act on behalf of the Committee on Civil Liberties. He also chairs the Special Committee on Artificial Intelligence in the Digital Age. MEP Tudorache highlighted the strong sense of political alignment. However, he expected several areas to surface during the trilogue.

• AI use for biometric surveillance in public spaces. Parliament introduced prohibitions that limit law enforcement's use, which are likely to be objected to by member state governments in council.
• Definition of high-risk AI. Parliament allows for a broader definition of use cases for high-risk AI, while the council would prefer to narrow that definition.
• Governance. The three will need to discuss, among other things, national silos in terms of implementation and enforcement, as well as levels of coordination.

Other areas of disagreement, he noted, include generative AI regulation and assessments for high-risk applications after deployment.

Alex Engler is a fellow in Governance Studies at The Brookings Institution focusing on the implications of artificial intelligence and emerging data technologies for society and governance. He added that more technocratic elements will also be up for discussion: What types of agencies will be regulated, will existing agencies regulate their own expertise (i.e., education agencies handle education algorithms), or should they create a central organization? These technocratic pieces will need to be "worked out first because they're the absolute core function of the law," he said.

How close are companies to complying with the proposed regulations?

Rishi Bommasani, society lead at the Stanford HAI Center for Research on Foundation Models and a Ph.D. candidate of computer science, studied how foundation model providers, such as OpenAI, DeepMind, and Anthropic, currently comply with the draft act.

Areas where they miss the mark include providing a summary of copyrighted data being used to train models, uneven reporting of energy use, inadequate disclosure of risk mitigation, and an absence of evaluation standards or auditing procedures. Foundation model developers who adopt an open-source approach tend to fare better on resource disclosure requirements; whereas closed or restricted access models perform better on deployment-related requirements.

What isn't in the act that should be?

Bommasani noted first that the draft doesn't consider model use. If something like ChatGPT is being used for medical applications or legal applications versus, say, entertainment purposes, this materially influences how much transparency and evaluation might be required. Second, while the act considers downstream uses of models, it doesn't consider other aspects of the supply chain (dataset construction and training method, for example).

Finally, model access—and allowing researchers to assess and evaluate these tools—is paramount but currently lacking in the proposed AI Act. MEP Tudorache promised to take up the issue immediately in response.

What do technology companies need from policymakers to be able to comply?

Companies need further clarification along three areas, says Irene Solaiman, policy director at Hugging Face, who conducts social impact research and leads public policy.

• Transparency: Lawmakers must define the legal requirement for transparency and how to document data sets, models, and processes.
• Model access: Whether a model is open or closed source, researchers need access to systems to conduct evaluations and build safeguards.
• Impact assessments: The research community currently doesn't have standards for what evaluation looks like. "There aren't great ways to robustly evaluate even one aspect of bias for language models," she said.

How will the EU plans impact the U.S.?

"There's a growing disparity between the U.S. and the EU approach [to regulating AI]," Engler said. The EU has moved forward on laws around data privacy, online platforms and online e-commerce regulation, and more, while similar legislation is absent in the U.S.

He warns that the EU Act's passage will make it harder for the U.S. to pass its own laws—companies don't want two different sets of rules for two different markets. "Corporate interests will fight tooth and nail if you have two dramatically different standards for online platforms," he said.

Engler advises U.S. lawmakers to understand the EU Act and look for standards they can align on to ensure laws are easy to implement.

Tudorache, who says he's seen growing interest in regulation from D.C. policymakers, added, "If we're aligned on standards, if we're aligned on principles, even if we diverge in the level of details in our legislation, I think we have a good chance to build convergence between the U.S. and the EU."