解读欧盟人工智能法案（英）-毕马威.docx

umf¾rJrfWDecodingtheEUAlActUnderstandingtheAlAct,simpactandhowyoucanrespondKPMG.MaketheDifference.KPMGInternationalContents07ExecutivesummaryExaminingtheAlAcfsimpactandscopeUnravellingtheAlAcfskeycomponentsNextstepsIntroductionArtificial Intelligence (AI) is offering new benefits to society and businesses, aiming to transform the workplace and major industries along the way.Simply put, the race is on to embrace the remarkable and evolving power of Al and automation.AsKPMG'sGlobalTeChReDOrt2023reveals,mostglobalexecutives(62percent)reportanincreaseinperformanceorprofitabilityfromdigitaltransformationinitiativesrelatedtoAlandmachinelearningoverthepast24months.And68percentsaythesetechnologieswillplaya*vital,roleinhelpingthemachievetheirbusinessobjectivesoverthenextthreeyears,while57percentbelieveAlandmachinelearningwillbe'important*inmeetingshort-termobjectives.ButastheworldwideAlproliferationinbusinessandoreverydaylivesunfolds,thereisacriticalneedforguardrailsandlegislationtodealwithsignificantnewrisksregardingtheappropriateandethicaluse,developmentanddistributionofAl.AccordingtoTnJStinartificialintellience,aglobalsurveyconductedbyKPMGAustraliaandtheUniversityofQueensland,threeinfivepeoplearewaryabouttrustingAlsystems,and71percentexpectAltoberegulated.Morerecently,CEOsfromglobaltechgiantscalledforgreaterAlregulationatameetingonCapitolHilltoprotectpeoplefromtheworsteffectsofAl.Inresponse,theEuropeanUnion(EU)hasreachedaground-breakingprovisionalagreementonacomprehensiveArtificialIntelligenceAct(AlAct)thattakesarisk-basedapproachtoprotectingfundamentalrights,democracy,theruleoflawandenvironmentalsustainability.iThoughit'sexpectedtobecomelawin2024,withcomplianceexpectedby2025,thislegislationthefirstofitskindisanticipatedtoemergeasthede-factonewglobalstandardforAlregulation.WiththeintroductionoftheAlAct,theEUaimstostrikeabalancebetweenfosteringAladoptionandensuringindividuals'righttoresponsible,ethicalandtrustworthyuseofAl.Inthispaper,weexplorewhattheAlActmaymeantoyourorganizationandexaminethestructureoftheAlAct,theobligationsitimposes,thetimelinesforcomplianceandtheactionplanthatorganizationsshouldconsider.OrganizationalleadershipshoulddriveinitiativesinlinewiththeAlAct,companybrand,valuesandrisktolerancetopromoteresponsibleuseofAl.Thiscanhelppromoteethicaldevelopment,regulatorycompliance,riskmitigationandstakeholdertrust.，DavidRowlandsGlobalAlLeaderKPMGInternationalAlshouldbedevelopedandusedwithafocusonsafetyandethics,turningtechnologicaladvancementintoapositiveforceforsociety.TheEUAlActwillhelpfosterinnovationwhileprotectingend-users.，1.aurentGobbiGlobalTrustedAlLeaderKPMGInternationaliEuropeanParliament.(December9,2023).ArtificialIntelligenceAct:dealoncomprehensiverulesfortrustworthyAlPressrelease.ExecutivesummaryTheAlActaimstoregulatetheethicaluseofAlAlholdsimmensepromisetoexpandthehorizonofwhatisachievableandtoimpacttheworldforourbenefit-butmanagingAsrisksandpotentialknownandunknownnegativeconsequenceswillbecritical.TheAlActissettobefinalizedin2024andaimstoensurethatAlsystemsaresafe,respectfundamentalrights,fosterAlinvestment,improvegovernance,andencourageaharmonizedsingleEUmarketforAl.MostAlsystemsneedtocomplywiththeAlActbythefirsthalfof2026TheAlAct'sdefinitionofAlisanticipatedtobebroadandincludevarioustechnologiesandsystems.Asaresult,organizationsarelikelytobesignificantlyimpactedbytheAlAct.Mostoftheobligationsareexpectedtotakeeffectinearly2026.However,prohibitedAlsystemswillhavetobephasedoutsixmonthsaftertheAlActcomesintoforce.Therulesforgoverninggeneral-purposeAlareexpectedtoapplyinearly2025.2Providersandusersofhigh-riskAlsystemsfacestringentobligationsTheAlActappliesarisk-basedapproach,dividingAlsystemsintodifferentrisklevels:unacceptable,high,limitedandminimalrisk.3High-riskAlsystemsarepermittedbutsubjecttothemoststringentobligations.Theseobligationswillaffectnotonlyusersbutalsoso-called'providers'ofAlsystems.Theterm,provider,intheAlActcoversdevelopingbodiesofAlsystems,includingorganizationsthatdevelopAlsystemsforstrictlyinternaluse.Itisimportanttoknowthatanorganizationcanbebothauserandaprovider.Providerswilllikelyneedtoensurecompliancewithstrictstandardsconcerningriskmanagement,dataquality,transparency,humanoversight,androbustness.UsersareresponsibleforoperatingtheseAlsystemswithintheAlAct'slegalboundariesandaccordingtotheprovider'sspecificinstructions.Thisincludesobligationsontheintendedpurposeandusecases,datahandling,humanoversightandmonitoring.GuardrailsforgeneralAlsystemsNewprovisionshavebeenaddedtoaddresstherecentadvancementsingeneral-purposeAl(GPAI)models,includinglargegenerativeAlmodels.”ThesemodelscanbeusedforavarietyoftasksandcanbeintegratedintoalargenumberofAlsystems,includinghigh-risksystems,andareincreasinglybecomingthebasisformanyAlsystemsintheEU.ToaccountforthewiderangeoftasksAlsystemscanaccomplishandtherapidexpansionoftheircapabilities,itwasagreedthatGPAIsystems,andthemodelstheyarebasedon,mayhavetoadheretotransparencyrequirements.Additionally,high-impactGPAImodels,whichpossessadvancedcomplexity,capabilities,andperformance,willfacemorestringentobligations.Thisapproachwillhelpmitigatesystemicrisksthatmayariseduetothesemodels'widespreaduse.5TheAlActdoesnotaffectexistingUnionlawExistingUnionlaws,forexample,onpersonaldata,productsafety,consumerprotection,socialpolicy,andnationallaborlawandpractice,continuetoapply,aswellasUnionsectorallegislativeactsrelatingtoproductsafety.CompliancewiththeAlActwillnotrelieveorganizationsfromtheirpre-existinglegalobligationsintheseareas.UnderstandingtheAlAcfsimpactonyourorganizationwillbepivotaltosuccessOrganizationsshouldtakethetimetocreateamapoftheAlsystemstheydevelopanduseandcategorizetheirrisklevelsasdefinedintheAlAct.IfanyoftheirAlsystemsfallintothelimited,highorunacceptableriskcategory,theywillneedtoassesstheAlAct'simpactontheirorganization.Itisimperativetounderstandthisimpactandhowtorespondassoonaspossible.2EuropeanCommission.(December12.2023).ArtificialIntelligenceQuestionsandAnswersPressrelease.3EuropeanCouncil.(December9,202).ArtificialIntelligenceActTrilogue:PressconferencePart4.Video.4EuropeanParliament.(March2023).General-purposeartificialintelligenceBackgroundmaterial.5EuropeanCommission.(December12,2023).ArtificialIntelligenceQuestionsandAnswersPressrelease.ExaminingtheAlAcfsimpactandscopeKPMQ ImemaiionalDecoding the EU Al Act 7-TheEuropeanCommission(EC)proposedtheAlActinApril2021.AsofDecember2023,theEuropeanParliament,theEuropeanCouncilandtheEuropeanCommissionhavereachedaprovisionalagreementtomaketheAlActlaw.Through our lens: The potential impact of the Al ActTheproposedAlActisexpectedtoreshapehowwethinkaboutandmanageAlsimilarlytowhathashappenedindataprivacyoverthelastcoupleofyears.Expectedtobecomelawin2024,theAlActwilllikelyhaveanimmediatewide-rangingimpactonanybusinessoperatingintheEUthatoffersAlproducts,servicesorsystems.ThelawintroducesadefinitionforAlintheEU,categorizesAlsystemsbyrisk,laysoutextensiverequirementsandnecessarysafeguardingmechanismsforAlsystems,andestablishestransparencyobligations.Whatitaimstodo?TheECaimstobalancepromotingAldevelopmentandboostinginnovationwithmanagingemergingriskseffectively.Thisisreflectedintheobjectivesoftheproposals EnsuringthatAlsystemsontheEUmarketaresafeandrespectpublicrightsandvalues. ProvidinglegalcertaintytofacilitateinvestmentandinnovationinAlsystems. Enhancinggovernanceandeffectiveenforcementofethicsandsafetyrequirements. FacilitatingthedevelopmentofasingleEUmarketforlawful,safe,trustworthyAlapplicationswhilepreventingmarketfragmentation.Stimulatethepositive Stimulateinnovationthroughregulatorysandboxeswheresmallandmedium-sizedenterprisescantesttheirAlsystemswithoutimminentregulatoryscrutiny. Promoteharmonizationofstandards,codesofconductandcertification. OffergreatertransparencyregardingAlsystems. Createalevelplayingfieldforthoseinvolved. SafeguardfundamentalrightsandprovidelegalcertaintyforindividualsresidingintheEU.Adoptbestpractices CategorizeyourAlsystemsandunderstandtheassociatedrisks. Imposemorestringentrequirementsforhigh-riskAlsystems(obligatoryriskmanagement,datagovernance,technicaldocumentation,etc.). Carryoutconformityassessmentsandpostmarketmonitoringforhigh-riskAlsystems. Establisheffectiveoversightandenforcementmechanisms.Manageandreducerisks ProhibitunacceptablerisksinAlsystems. Avoidfundamentalrightsviolations. Preventtheuseofsubliminalorunethicaltechniquesthatmightinfluenceordistortaperson'sbehaviorinsuchawaythatitcausesharmtothatpersonoranotherperson. Minimizebiasthatcouldresultinunfairorinadequateoutcomes. Restricttheexploitationofvulnerablepeopleorgroupsduetotheirage,disability,politicalopinionorotherfactors.EuropeanCommission.(April21,2021).ProposalforaRegulationoftheEuropeanParliamentandoftheCouncil,"LayingDownHarmonisedRulesonArtificialIntelligence(ArtificialIntelligenceAct)andAmendingCertainUnionLegislativeAct."Toachievetheseobjectives,theAlActappliesarisk-basedapproach.ThisallowsforestablishingspecificminimumrequirementstoaddresstherisksandproblemslinkedtoAlsystemswithoutundulyconstrainingorhinderingtechnologicaldevelopmentordisproportionatelyincreasingcostsrelatingtoplacingAlsystemsonthemarket.Whowillbeaffected?Mostorganizations,bothinsideandoutsidetheEU,aredevelopingorusingAlsystemsthatwilllikelyqualifyasAlunderthescopeoftheAlAct.Giventheshortimplementationperiod,however,organizationsshouldgainaprofoundunderstandingoftheAlsystemstheyaredevelopingand/ordeployingandhowtheymeasureuptotheAlAcfsrequirements.Whatpartiesarecovered? AnyproviderplacingAlsystemsonthemarketorputtingthemintoservicewithintheEU,regardlessoflocation. AnyproviderofAlsystemslocatedoutsidetheEU,whosesystemoutputcanorisintendedforuseintheEU. AnyproviderofAlsystemslocatedintheEU. AnyimporterordistributorplacingAlsystemsonthemarketormakingthemavailablewithintheEU. ProductmanufacturersplacingproductswithAlsystemsonthemarketorputtingthemintoservicewithintheEUundertheirnameortrademark. UsersofAlproductsandserviceswithintheEU.Whatisnotcovered? Alsystemsdevelopedorusedexclusivelyformilitarypurposes. Alsystemsusedbypublicauthoritiesorinternationalorganizationsinnon-UnioncountrieswhenusedforlawenforcementorjudicialcooperationwiththeEUunderaframeworkofinternationalagreements. Alsystemsdevelopedandusedforthesolepurposeofscientificresearchanddiscovery.Alsystemsintheresearch,testing,anddevelopmentphasebeforebeingplacedonthemarketorputintoservice(thisincludesfreeandopen-sourceAlcomponents).PeopleusingAlforpersonaluse.InthesamewaytheGeneralDataProtectionRegulation(GDPR)isenforced,theECunderstandsthatnon-EropeanentitiessellingtheirproductsinEuropeanmarketsshouldberegulatedsimilarlytothememberstates.TheEUisexpectedtobethecentergroundforglobalAlstandards,withdivergenceintheUSandpossiblytheUK.LiketheGDPR,theAlActwillhaveandextra-territorialeffect.Whoisaffectedinyourorganization?Executiveswhomanagecompliance,datagovernanceandthedevelopment,deploymentanduseofAltechnologieswilllikelyseetheirrolesandresponsibilitiesimpactedbytheAlAct.Beyondseniorrolesintheorganization,theBoardofDirectorsandvariousGovernanceCommitteesmayalsobeaffected,andtheyshoulddevelopawarenessandknowledge.GiventhebroaddefinitionofAlandthecurrentpaceofproliferation,organizationsshouldtakeaholisticapproach.Seniorexecutivesshouldcollaborateonpurposefulinnovationanddevelopment,riskmanagement,andgovernanceofAlsystemstoachievecompliancewiththeAlAct.HowitwillbeenforcedandwhatarethepenaltiesTheEChasproposedastructureforenforcingAlproviderrequirementsbyestablishinganArtificialIntelligenceBoardandExpertGroup.BothpartiessitattheEUlevelandareresponsiblefor: Contributingtoeffectivecollaborationwithnationalsupervisoryauthorities. Providingrecommendationsforbestpractices. Ensuringconsistentapplicationoftheregulation.EachmemberstatewillbeexpectedtocreateordesignateaNationalCompetentAuthoritytoensuretheimplementationoftheregulationandtosafeguardtheobjectivityandimpartialityoftheiractivities.TheEU'sproposedregulationwilllikelyhaveafar-reachingimpactonallorganizationsleveragingthevastpowerofAl5andtheconsequencesofnoncompliancecouldrangefromrestrictingmarketaccesstosignificantfinesdependingonthelevelofnoncompliance.Finesmayrangefrom35millioneurosor7percentofglobalturnoverto7.5millionor1.5percentofturnover,dependingontheinfringementandsizeofthecompany.77EuropeanParliament.(December9,2023).ArtificialIntelligenceAct:dealoncomprehensiverulesfortrustworthyAlPressrelease.TrackingtheEU,slegislativeSpring>026ThefinalAlActtakeseffectinitserirety.journey1.ate2024Prohibitionson,unacceptablerisk'Alsystemswillapply.Mid2025Severalobligationstogeneral-purposeAlwillapply.Whenwillitapply?MostoftheobligationsoutlinedintheAlActareexpectedtobecomeeffectivebythefirsthalfof2026.Prohibitionsareanticipatedtotakeeffectbytheendof2024,andobligationsregardinggeneral-purposeAl(GPAI)areexpectedtotakeeffectasearlyas2025.GPAIreferstoAlsystemsthatperformgenerallyapplicablefunctions,suchasimageandspeechrecognition,audioandvideogeneration,pattern/detection,questionanswering,translationandot*rs,butcanhaveawiderangeofpossibleuses,Mfiintendedandunintended.Thesesystemsutilizedashigh-riskAlsystemsorincorpgtedascomponentsofotherhigh-riskAlJune2023-December2023FinalAlActnegotiationsoccurbetweentheCouncil,Commission,andParliament.AprovisionalagreementtofinalizetheproposedrulesisreachedinDecember2023.WearehereThefinaltextisexpectedinthefirsthalfof2024.December2022TheCouncilhasadopteditscommonposition('generalapproach*)ontheAlAct.April2021TheEuropeanCommissionunveilsaproposalforanewArtificialIntelligenceAct.June2023TheParliamentadoptstheirnegotiationpositionforthedraftAlAct.UnravellingtheAlAcfskeycomponents©2024Copyrightownedbyon©OCmoreofth©KPMGInternationalnlit>s.KPMGIntemationaJentitiesprovidenoservicestoclients.Alrightsreserved.DCdi9thEUAlAct11-TheAlActisacomprehensivedocumentdesignedtohelpprovideacleardefinitionofartificialintelligence,enablingEU-widealignmentandconsistencywithotherUnionlawsandregulations.TheAlAcfsprimarygoalistoestablishauniformandhorizontallegalframeworktopromotetheuptakeofAlsystemswhileprovidingahighlevelofprotectionagainsttheirharmfuleffects.ThisframeworkcanhelptobuildtrustinAltechnologyandgiveindividualsandorganizationsgreaterconfidenceinusingit.Defining artificial intelligenceThe Al Act applies a broad definition of an Al system derived from the recently updated Organisation for Economic Co-operation and Development (OECD) definition. While the Al Act's text is not yet publicly available, the OECD definition is as follows:uAn Al system is a machine-based system that, for explicit or implicit