Australia
Voluntary AI Ethics Principles guide responsible AI development in Australia, with potential reforms under consideration.
Artificial intelligence (AI) has made enormous strides in recent years and has increasingly moved into the public consciousness.
Increases in computational power, coupled with advances in machine learning, have fueled the rapid rise of AI. This has brought enormous opportunities, as new AI applications have given rise to new ways of doing business. It has also brought potential risks, from unintended impacts on individuals (e.g., AI errors harming an individual's credit score or public reputation) to the risk of misuse of AI by malicious third parties (e.g., by manipulating AI systems to produce inaccurate or misleading output, or by using AI to create deepfakes).
Governments and regulatory bodies around the world have had to act quickly to try to ensure that their regulatory frameworks do not become obsolete. In addition, international organizations such as the G7, the UN, the Council of Europe and the OECD have responded to this technological shift by issuing their own AI frameworks. But they are all scrambling to stay abreast of technological developments, and already there are signs that emerging efforts to regulate AI will struggle to keep pace. In an effort to introduce some degree of international consensus, the UK government organized the first global AI Safety Summit in November 2023, with the aim of encouraging the safe and responsible development of AI around the world.
Most jurisdictions have sought to strike a balance between encouraging AI innovation and investment, while at the same time attempting to create rules to protect against possible harms. However, jurisdictions around the world have taken substantially different approaches to achieving these goals, which has in turn increased the risk that businesses face from a fragmented and inconsistent AI regulatory environment. Nevertheless, certain trends are becoming clearer at this stage:
Businesses in almost all sectors need to keep a close eye on these developments to ensure that they are aware of the AI regulations and forthcoming trends, in order to identify new opportunities and new potential business risks. But even at this early stage, the inconsistent approaches each jurisdiction has taken to the core questions of how to regulate AI is clear. As a result, it appears that international businesses may face substantially different AI regulatory compliance challenges in different parts of the world. To that end, this AI Tracker is designed to provide businesses with an understanding of the state of play of AI regulations in the core markets in which they operate. It provides analysis of the approach that each jurisdiction has taken to AI regulation and provides helpful commentary on the likely direction of travel.
Because global AI regulations remain in a constant state of flux, this AI Tracker will develop over time, adding updates and new jurisdictions when appropriate. Stay tuned, as we continue to provide insights to help businesses navigate these ever-evolving issues.
Voluntary AI Ethics Principles guide responsible AI development in Australia, with potential reforms under consideration.
The enactment of Brazil's proposed AI Regulation remains uncertain with compliance requirements pending review.
AIDA expected to regulate AI at the federal level in Canada but provincial legislatures have yet to be introduced.
The Interim AI Measures is China's first specific, administrative regulation on the management of generative AI services.
The Council of Europe is developing a new Convention on AI to safeguard human rights, democracy, and the rule of law in the digital space covering governance, accountability and risk assessment.
The EU introduces the pioneering EU AI Act, aiming to become a global hub for human-centric, trustworthy AI.
France actively participates in international efforts and the EU AI Act negotiations, and proposes sector-specific laws.
The G7's AI regulations mandate Member States' compliance with international human rights law and relevant international frameworks.
Germany evaluates AI-specific legislation needs and actively engages in international initiatives.
National frameworks inform India’s approach to AI regulation, with sector-specific initiatives in finance and health sectors.
Israel promotes responsible AI innovation through policy and sector-specific guidelines to address core issues and ethical principles.
Italy plays a prominent role in EU AI Act negotiations and engages in political discussions for future laws.
Japan adopts a soft law approach to AI governance but lawmakers advance proposal for a hard law approach to generative AI foundation models.
Kenya's National AI Strategy and Code of Practice expected to set foundation of AI regulation once finalized.
Nigeria's draft National AI Policy underway and will pave the way for a comprehensive national AI strategy.
Position paper informs Norwegian approach to AI, with sector-specific legislative amendments to regulate developments in AI.
The OECD's AI recommendations encourage Member States to uphold principles of trustworthy AI.
Saudi Arabia is yet to enact AI Regulations, relying on guidelines to establish practice standards and general principles.
Singapore's AI frameworks guide AI ethical and governance principles, with existing sector-specific regulations addressing AI risks.
South Korea's AI Act to act as a consolidated body of law governing AI once approved by the National Assembly.
Spain creates Europe's first AI supervisory agency and actively participates in EU AI Act negotiations.
Switzerland's National AI Strategy sets out guidelines for the use of AI, and aims to finalize an AI regulatory proposal in 2025.
Draft laws and guidelines are under consideration in Taiwan, with sector-specific initiatives already in place.
Turkey has published multiple guidelines on the use of AI in various sectors; Turkish government expected to enact AI-specific regulation in the near future.
The UK prioritizes a flexible framework over comprehensive regulation and emphasizes sector-specific laws.
The UN's new draft resolution on AI encourages Member States to implement national regulatory and governance approaches for a global consensus on safe, secure and trustworthy AI systems.
The US relies on existing federal laws and guidelines to regulate AI but aims to introduce AI legislation and a federal regulation authority.
The EU introduces the pioneering EU AI Act, aiming to become a global hub for human-centric, trustworthy AI.
The primary legislative framework for regulating AI in the EU is the EU AI Act (here; finalized text here). The EU has also proposed the AI Liability Directive (here) which is designed to ensure that liability rules are appropriately applied to AI-related claims.
The EU AI Act was finalized and endorsed by all 27 EU Member States on February 2, 2024, and by the European Parliament on March 13, 2024. After final approval by the Council of the EU on May 21, 2024, the EU AI Act is now set to be published in the EU’s Official Journal. The EU AI Act will enter into force on the 20th day after publication, and will be effective after 24 months,1 except for the specific provisions listed in Article 113. The official entry into force is expected around mid-June of this year.2
The AI Liability Directive is in draft form and is yet to be considered by the European Parliament and Council of the EU.3 Timing remains uncertain.
There are many laws applicable in the EU that may affect the development or use of AI in the EU. A non-exhaustive list of common examples includes:
AI is defined in the EU AI Act using the following terms:
The AI Liability Directive will likely adopt the same definition as the EU AI Act.5
The EU AI Act applies extraterritorially to:6
The AI Liability Directive applies to non-contractual fault-based civil law claims within the EU.8
The EU AI Act is not sector-specific. It applies to all sectors.
The AI Liability Directive is not sector-specific. It applies to non-contractual fault-based civil law claims brought before national courts.
Under the EU AI Act:
Each of these roles comes with a set of compliance obligations.
The AI Liability Directive would increase the likelihood of a successful claim against an AI system developer or the user of an AI system that relied on its output.13
The EU AI Act is intended to promote the uptake of human-centric and trustworthy AI and to ensure a high level of protection of health, safety, fundamental rights, democracy, and rule of law from harmful effects of AI systems while supporting innovation and the functioning of the internal market.14
The AI Liability Directive aims to ensure that persons harmed by AI systems enjoy the same level of protection as persons harmed by other technologies in the EU. Current fault-based liability rules are not suited to handling liability claims for damage caused by AI-enabled products and services. Specifically, it may be difficult (or prohibitively expensive) for victims to prove the fault of a potentially liable person, and/or the causal link between the fault and the damage suffered, owing to the complexity, autonomy and opacity of AI systems.
The EU AI Act classifies AI systems, and imposes requirements, according to different levels of risk:
The AI Liability Directive does not directly govern the risks posed by AI systems.
Compliance obligations are primarily determined by the level of risk associated with the relevant AI system:
The EU AI Act also provides for the development of codes of conduct for AI systems, which the Commission hopes all AI system providers will voluntarily apply.24
The AI Liability Directive does not contain compliance requirements.
Enforcement of the EU AI Act involves a combination of authorities. EU Member States will establish or designate at least one notifying authority and at least one market surveillance authority (together, the “national competent authorities”) and ensure that the national competent authorities have adequate technical, financial and human resources, and infrastructure (that are sufficiently knowledgeable) to fulfill its tasks under the EU AI Act.25
The notifying authority is responsible for setting up and carrying out the assessment and designation procedures that are required under the EU AI Act, in an objective and impartial manner.26
The market surveillance authority may vary for “high” risk AI systems, AI systems used by financial institutions subject to EU legislation on financial services, and other EU institutions, agencies, and bodies.27
The market surveillance authority is primarily responsible for enforcement at the national level.28 If an AI system is non-compliant, the market surveillance authorities can exercise the enforcement powers described below. The market surveillance authorities will report to the Commission and relevant national competition authorities on an annual basis.29
Additionally, an AI Office within the Commission will enforce the common rules across the EU. Enforcement will be supported by a scientific panel of independent experts. An AI Board with Member States’ representatives will advise and assist the Commission and Member States on the consistent and effective application of the AI Act. Finally, an advisory forum for stakeholders will provide technical expertise to the AI Board and the Commission.
National courts of EU Member States will be responsible for implementing the AI Liability Directive in the case of non-contractual fault-based civil law claims brought before them.
Where the market surveillance authority finds that there is: (i) non-compliance with the obligations of the EU AI Act; or (ii) compliance from a high-risk AI system with the obligations of the EU AI Act, but still presents a risk to the health and safety of persons, the fundamental rights of persons, or other aspects of public interest protection; then the relevant market surveillance authority can (a) require the relevant operator to take all appropriate corrective actions (in the event of (ii), to ensure the AI system concerned no longer presents that risk) or withdraw/recall the AI system from the market; or (b) where the operator fails to do so, the relevant authority shall prohibit/restrict the AI system being made available on its national market or put into service, or withdraw/recall the product or the standalone AI system from the market.30
Penalties range from (i) the higher of €35,000,000 or up to 7 percent of a company’s total worldwide annual turnover for non-compliance with prohibited AI practices, to (ii) the higher of €7,500,000 or up to 1 percent of a company’s total worldwide annual turnover for the supply of incorrect, incomplete, or misleading information to notified bodies and national competent authorities.31
The AI Liability Directive increases the claimants’ likelihood of a successful claim by creating a rebuttable presumption of causality on the defendant. In practice, the new rule means that if a victim can show that someone was at fault for not complying with a certain obligation relevant to their harm, and that a causal link with the AI performance is reasonably likely, the court can presume that this non-compliance caused the damage.32
The AI Liability Directive also gives national courts the power to order disclosure of evidence about high risk AI systems that are suspected of causing damage, to help victims access relevant evidence to identify the person(s) that could be held liable.33
1 See EU AI Act, Article 113.
2 See the Council's press release.
3 See Procedure File: 2022/0303(COD) | Legislative Observatory | European Parliament (europa.eu).
4 See EU AI Act, Articles 3(1), 3(63) and 3(66).
5 See AI Liability Directive, Article 2(1).
6 See EU AI Act, Articles 2(1)(a) to (c). Responsibilities along the AI value chain (including distributors, importers, deployers) are set out in Article 25.
7 See EU AI Act, Recital 22.
8 See AI Liability Directive. Article 1(2).
9 See EU AI Act, Article 3(7).
10 See EU AI Act, Article 3(6) .
11 See EU AI Act, Article 3(4).
12 See EU AI Act, Article 3(8).
13 See AI Liability Directive, Article 4(b).
14 See “Purpose” in the Procedure File: printficheglobal.pdf (europa.eu); and EU AI Act, Article 1(1)
15 See EU AI Act, Recital 179.
16 See EU AI Act, Article 5.
17 See EU AI Act, Article 6 and Annex III.
18 See EU AI Act, Articles 50(1) to 50(4).
19 See EU AI Act, Article 50(4).
20 See page 4 of the briefing note.
21 See EU AI Act, Articles 8-15 and 49.
22 See EU AI Act, Article 50.
23 See page 4 of the briefing note.
24 See EU AI Act, Chapter X (Codes of Conduct and guidelines).
25 See EU AI Act, Article 70.
26 See EU AI Act, Article 32.
27 See EU AI Act, Article 80.
28 See EU AI Act, Article 80.
29 See EU AI Act, Article 74.
30 See EU AI Act, Articles 80(1) to(3), 80(4) and 82 (1).
31 See EU AI Act, Articles 99(3) and (5).
32 See AI Liability Directive, Article 4(1).
33 See AI Liability Directive, Article 3(1).
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2024 White & Case LLP
Timo Gaudszun (Legal Intern, White & Case, Berlin), Jeffrey Shin (Trainee Solicitor, White & Case, London) and Daniel Mair (Trainee Solicitor, White & Case, Paris) contributed to this publication.