We agree that "a regulatory framework should concentrate on how to minimise the various risks of potential harm", and that the risks identified, "both material (safety and health of individuals, including loss of life, damage to property) and immaterial (loss of privacy, limitations to the right of freedom of expression, human dignity, discrimination for instance in access to employment)", are appropriate and relevant.
We note that the Commission proposes to implement this risk-based approach using the following process and mechanisms:
- Every proposed AI application (product or service) is required to be risk-assessed, and the White Paper implies that this should take place before development.
- If the AI application is deemed "high-risk", it will need to meet a set of mandatory legal requirements in order to mitigate risk.
- Once the development of a high-risk application is complete, its conformity with the mandatory requirements will be assessed by regulators prior to its placement on the market.
- In case the conformity assessment reveals that the application does not meet the mandatory requirements, the shortcomings identified will need to be remedied, and presumably, conformity re-assessed.
- Once the application passes the conformity assessment, it can be placed on the market.
- Any prior conformity assessment will be without prejudice to monitoring compliance and ex post enforcement by competent national authorities. This would apply to high-risk AI applications as well as other AI applications subject to legal requirements, potentially with particular attention paid to the former.
We agree that those elements (risk assessment, mandatory legal requirements, prior conformity assessment, and monitoring and ex post enforcement) are likely to be necessary for implementing an effective EU regulatory framework. We also believe that successful implementation of the framework will require a parallel investment in capability-building for all the actors concerned, within the EU and in third countries.
We note the Commission's view that the requirements should be "applicable to all relevant economic operators providing AI-enabled products or services in the EU, regardless of whether they are established in the EU or not." We therefore particularly welcome this consultation, and believe it is important that the Commission continues to engage with a broad range of stakeholders both within and outside the EU, to ensure that the framework is effective and proportionate throughout its proposed global range.
Finally, we agree that remote biometric identification, for instance using facial recognition technology, comes with unique risks. It has come under scrutiny in the UK, and has been banned in certain US cities. We therefore welcome the EU's intentions to further consider how best to use AI with biometric identification, and encourage the Commission to engage widely on this topic, exploring both public and private sector uses.
In addition, although the development and use of AI for military purposes is outside the scope of the White Paper, we would suggest that the Commission considers the risk for dual use (military, or terrorism) of broader categories of AI applications, such as computer vision and autonomous driving/flying, although we recognise that it will be challenging to mitigate this risk.