Artificial intelligence (AI) is undoubtedly one of the defining topics of our time. The speed at which increasingly advanced AI applications are coming onto the market and conquering new, previously unconceivable areas of life has brought European legislators onto the scene. Last week, two major AI agreements cleared crucial legislative hurdles. The EU's Artificial Intelligence Act (AI Act) and the Council of Europe's Convention on Artificial Intelligence (AI Convention) will likely have a lasting impact on AI regulation in Switzerland.
AI regulation is coming – and soon Following the clear decision by the EU Parliament on 13 March 2024, it is all but certain that the AI Act will become a reality in the near future. It is expected to enter into force as an EU regulation at the latest by the end of the current legislative period in July 2024. As such, the AI Act will be directly enforceable in EU member states within 24 months, and for some applications even sooner.
However, even companies outside the EU may fall under the purview of the AI Act, for example if they use AI systems whose output is used in the EU. This will prompt numerous Swiss companies to confront the question of how the AI Act affects their operations and what measures they must implement to comply with its requirements.
Less than 48 hours after the EU Parliament's decision, the Council of Europe adopted its own ground breaking AI Con vention. As chair of the pertinent working group, Switzerland holds a vested interest in the successful implementation of the AI Convention. We presume that Switzerland will try to ratify the AI Convention sooner rather than later.
Objective and scope of AI regulation
The European Union has set itself the ambitious goal of comprehensively regulating AI now, aiming to ensure that future AI usage and development are safe, transparent and fully align with fundamental rights. To realise this ambition, the EU is ready to introduce detailed and multi-layered AI regulation, including detailed provisions for monitoring and sanctioning the new rules. With over 450 pages and 113 articles, the complexity of the AI Act also significantly exceeds the GDPR, which will make compliance with the AI Act challenging.
In contrast, the Council of Europe's AI Convention operates at a much higher level. As an intergovernmental convention, it focuses primarily on establishing principles to ensure the use of AI is compliant with human rights. In addition to the member states of the Council of Europe, countries such as the USA and Japan as well as representatives from the technology industry and civil society also took part in the negotiations. The result is a very broad-based agreement with global reach, but it only represents a minimum standard for the responsible use of AI. The concrete implementation of the defined principles will take place at member state level. Switzerland is likely to model itself primarily on the EU's AI Act.
The AI Act is analysed in more detail below.
"The Risk-Based Approach" of the AI Act: from unacceptable to minimal risk
The AI Act defines "AI systems" as machine-based, (semi-)autonomous, adaptive systems that process inputs into outputs such as predictions, recommendations or decisions. This broad definition includes everything from simple automation to complex machine learning models, and thus emphasises the comprehensive regulatory approach of the AI Act across a wide range of sectors and areas of application.
At the heart of the AI Act is a risk-based approach to categorising AI systems based on their potential for harm. The following risk categories are distinguished:
Regulation of "General Purpose Artificial Intelligence" (GPAI)
In addition to regulation by risk category, the AI Act pre scribes specific regulation for General Purpose AI systems (GPAI). These technologies, developed for a wide range of applications and not just specific tasks, are considered fundamentally risky due to their flexibility and application potential. If a certain computing power is exceeded, they are considered "high impact" systems that are subject to strict rules.
Monitoring and enforcement of the AI Act
Various national and pan-European institutions are re sponsible for the implementation, monitoring and enforcement of the AI Act. This includes the establishment of a new European AI Office, which will become part of the EU Commission and will be responsible for a wide range of measures at the European level. Among other things, the AI Office will develop voluntary model clauses for contracts between providers of high-risk AI systems and third parties, draw up codes of conduct, evaluate and monitor compliance with these codes, and pub lish summaries of the training data used in AI models.
The AI Act also includes a range of measures to enforce the regulation. Depending on the type and severity of the offence, fines of up to EUR 15 million or 3% of annual global turn over can be imposed. However, this only affects providers of GPAI platforms such as Open AI and Google AI.
Regulatory developments in Switzerland
After a certain delay, Switzerland is now addressing the issue of AI regulation. At the end of 2023, the Federal Council1 announced that it would evaluate the need for AI regulation. It expects a report on possible regulatory approaches by the end of 2024.
In view of the importance of the AI Act and the aim of harmonising with EU law and international standards, it can be assumed that Switzerland will follow a similar path in the medium term.
However, the "Swiss Finish" – similar to data protection – is likely to be less comprehensive but may provide for other obligations. AI systems that process personal data must already comply with the revised Swiss Data Protection Act.
Challenges for practical implementation
The AI Act marks a turning point in technology regulation and poses considerable challenges for Swiss companies. The key points are:
- Complexity: at over 450 pages, the AI Act is probably one of the world's most comprehensive and complex legal documents on technology regulation. This makes compli ance with the AI Act challenging and resource intensive.
- Broad scope of application: the AI Act regulates a wide range of sectors and applications and therefore affects many organisations. Due to its extraterritorial effect, it is a challenge for Swiss companies to know to which rules of the AI Act they are subject, in which situation and to what extent.
- Legal uncertainty: unclear and partially overlapping legal terms could lead to uncertainties and demarca tion problems in practice. For example, it is likely to be a challenge for many companies to clearly determine the context in which they are acting, as a "provider", "deployer", "distributor" and/or "operator" of AI systems.
- "Dual-use" problem: the possibility of using technolo gies in both authorised and prohibited areas harbours significant liability and compliance risks. In certain situations, it will be almost impossible for companies to prevent their AI systems from being used for prohibited purposes. The question arises as to whether and to what extent they can be held liable for the misuse of their AI systems.
The clarification of these uncertainties by the newly created European AI supervisory authority and the courts will take time. In the meantime, companies will face the challenge of implementing and interpreting the AI Act independently.
Summary
In view of the complex challenges posed by the AI Act, it is advisable for the Swiss to keep a close eye on its imple mentation and further legal developments. Especially as they may be directly subject to the AI Act, and the fines can be con siderable. Ultimately, however, the legal challenges in AI regu lation are not unusual, and are similar to other regulated eco nomic sectors in which undefined legal terms are used in order to anticipate developments that are not yet foreseeable.
Keyfacts
01 Last week, the EU and the Council of Europe adopted ground-breaking AI agreement
02 The AI Act is expected to come into force as early as July 2024. It will be binding for all companies by 2026 at the latest.
03 Due to its complexity and the potenti ally high fines, compliance with the AI Act will pose major challenges for many companies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
