Navigating the EU AI Act from a US Perspective: A Timeline for Compliance

After extensive negotiations, the European Parliament, Commission, and Council came to a consensus on the EU Artificial Intelligence Act (the “AI Act”) on Dec. 8, 2023. This marks a significant milestone, as the AI Act is expected to be the most far-reaching regulation on AI globally. The AI Act is poised to significantly impact how companies develop, deploy, and manage AI systems. In this post, NM’s AI Task Force breaks down the key compliance timelines to offer a roadmap for U.S. companies navigating the AI Act.

The AI Act will have a staged implementation process. While it will officially enter into force 20 days after publication in the EU’s Official Journal (“Entry into Force”), most provisions won’t be directly applicable for an additional 24 months. This provides a grace period for businesses to adapt their AI systems and practices to comply with the AI Act. To bridge this gap, the European Commission plans to launch an AI Pact. This voluntary initiative allows AI developers to commit to implementing key obligations outlined in the AI Act even before they become legally enforceable.

With the impending enforcement of the AI Act comes the crucial question for U.S. companies that operate in the EU or whose AI systems interact with EU citizens: How can they ensure compliance with the new regulations? To start, U.S. companies should understand the key risk categories established by the AI Act and their associated compliance timelines.

I. Understanding the Risk Categories
The AI Act categorizes AI systems based on their potential risk. The risk level determines the compliance obligations a company must meet. Here’s a simplified breakdown:

  • Unacceptable Risk: These systems are banned entirely within the EU. This includes applications that threaten people’s safety, livelihood, and fundamental rights. Examples may include social credit scoring, emotion recognition systems at work and in education, and untargeted scraping of facial images for facial recognition.
  • High Risk: These systems pose a significant risk and require strict compliance measures. Examples may include AI used in critical infrastructure (e.g., transport, water, electricity), essential services (e.g., insurance, banking), and areas with high potential for bias (e.g., education, medical devices, vehicles, recruitment).
  • Limited Risk: These systems require some level of transparency to ensure user awareness. Examples include chatbots and AI-powered marketing tools where users should be informed that they’re interacting with a machine.
  • Minimal Risk: These systems pose minimal or no identified risk and face no specific regulations.

II. Key Compliance Timelines (as of March 2024):

Time Frame  Anticipated Milestones
6 months after Entry into Force
  • Prohibitions on Unacceptable Risk Systems will come into effect.
12 months after Entry into Force
  • This marks the start of obligations for companies that provide general-purpose AI models (those designed for widespread use across various applications). These companies will need to comply with specific requirements outlined in the AI Act.
  • Member states will appoint competent authorities responsible for overseeing the implementation of the AI Act within their respective countries.
  • The European Commission will conduct annual reviews of the list of AI systems categorized as “unacceptable risk” and banned under the AI Act.
  • The European Commission will issue guidance on high-risk AI incident reporting.
18 months after Entry into Force
  • The European Commission will issue an implementing act outlining specific requirements for post-market monitoring of high-risk AI systems, including a list of practical examples of high-risk and non-high risk use cases.
24 months after Entry into Force
  • This is a critical milestone for companies developing or using high-risk AI systems listed in Annex III of the AI Act, as compliance obligations will be effective. These systems, which encompass areas like biometrics, law enforcement, and education, will need to comply with the full range of regulations outlined in the AI Act.
  • EU member states will have implemented their own rules on penalties, including administrative fines, for non-compliance with the AI Act.
36 months after Entry into Force
  • The European Commission will issue an implementing act outlining specific requirements for post-market monitoring of high-risk AI systems, including a list of practical examples of high-risk and non-high risk use cases.
By the end of 2030
  • This is a critical milestone for companies developing or using high-risk AI systems listed in Annex III of the AI Act, as compliance obligations will be effective. These systems, which encompass areas like biometrics, law enforcement, and education, will need to comply with the full range of regulations outlined in the AI Act.
  • EU member states will have implemented their own rules on penalties, including administrative fines, for non-compliance with the AI Act.

In addition to the above, we can expect further rulemaking and guidance from the European Commission to come forth regarding aspects of the AI Act such as use cases, requirements, delegated powers, assessments, thresholds, and technical documentation.

Even before the AI Act’s Entry into Force, there are crucial steps U.S. companies operating in the EU can take to ensure a smooth transition. The priority is familiarization. Once the final version of the Act is published, carefully review it to understand the regulations and how they might apply to your AI systems. Next, classify your AI systems according to their risk level (high, medium, minimal, or unacceptable). This will help you determine the specific compliance obligations you’ll need to meet. Finally, conduct a thorough gap analysis. Identify any areas where your current practices for developing, deploying, or managing AI systems might not comply with the Act. By taking these proactive steps before the official enactment, you’ll gain valuable time to address potential issues and ensure your AI systems remain compliant in the EU market.

European Commission Action on Climate Taxonomy and ESG Rating Provider Regulation

On June 13, 2023, the European Commission published “a new package of measures to build on and strengthen the foundations of the EU sustainable finance framework.” The aim is to ensure that the EU sustainable finance framework continues to support companies and the financial sector in connection with climate transition, including making the framework “easier to use” and providing guidance on climate-related disclosure, while encouraging the private funding of transition projects and technologies. These measures are summarized in a publication, “A sustainable finance framework that works on the ground.” Overall, according to the Commission, the package “is another step towards a globally leading legal framework facilitating the financing of the transition.”

The sustainable finance package includes the following measures:

  • EU Taxonomy Climate Delegated Act: amendments include (i) new criteria for economic activities that make a substantial contribution to one or more non-climate environmental objectives, namely, sustainable use and protection of water and marine resources, transition to a circular economy, pollution prevention and control, and protection and restoration of biodiversity and ecosystems; and (ii) changes expanding on economic activities that contribute to climate change mitigation and adaptation “not included so far – in particular in the manufacturing and transport sectors.” The EU Taxonomy Climate Delegated Act has been operative since January 2022 and includes 107 economic activities that are responsible for 64% of greenhouse gas emissions in the EU. In addition, “new economic sectors and activities will be added, and existing ones refined and updated, where needed in line with regulatory and technological developments.” “For large non-financial undertakings, disclosure of the degree of taxonomy alignment regarding climate objectives began in 2023. Disclosures will be phased-in over the coming years for other actors and environmental objectives.”
  • Proposed Regulation of ESG Rating Providers: the Commission adopted a proposed regulation, which was based on 2021 recommendations from the International Organization of Securities Commissions, aimed at promoting operational integrity and increased transparency in the ESG ratings market through organizational principles and clear rules addressing conflicts of interest. Ratings providers would be authorized and supervised by the European Securities and Markets Authority (ESMA). The regulation “provides requirements on disclosures around” ratings methodologies and objectives, and “introduces principle-based organizational requirements on” ratings providers’ activities. The Commission is also seeking advice from ESMA on the presentation of credit ratings, with the aim being to address shortcomings related to “how ESG factors are incorporated into methodologies and disclosures of how ESG factors impact credit ratings.”
  • Enhancing Usability: the Commission set out an overview of the measures and tools aimed at enhancing the usability of relevant rules and providing implementation guidance to stakeholders. The Commission Staff Working Document “Enhancing the usability of the EU Taxonomy and the overall EU sustainable finance framework” summarizes the Commission’s most recent initiatives and measures. The Commission also published a new FAQ document that provides guidance on the interpretation and implementation of certain legal provisions of the EU Taxonomy Regulation and on the interactions between the concepts of “taxonomy-aligned investment” and “sustainable investment” under the SFDR.

Taking the Temperature: As previously discussed, the Commission is increasingly taking steps to achieve the goal of reducing net greenhouse gas emissions by at least 55% by 2030, known as Fit for 55. Recent initiatives include the adoption of a carbon sinks goal, the launch of the greenwashing-focused Green Claims Directive, and now, the sustainable finance package.

Another objective of these regulatory initiatives is to provide increased transparency for investors as they assess sustainability and transition-related claims made by issuers. In this regard, the legislative proposal relating to the regulation of ESG rating agencies is significant. As noted in our longer survey, there is little consistency among ESG ratings providers and few established industry norms relating to disclosure, measurement methodologies, transparency and quality of underlying data. That has led to a number of jurisdictions proposing regulation, including (in addition to the EU) the UK, as well as to government inquiries to ratings providers in the U.S.

© Copyright 2023 Cadwalader, Wickersham & Taft LLP

European Commission Aims to Tackle Greenwashing in Latest Proposal

On March 22, the European Commission unveiled a proposal, the Green Claims Directive (Proposal), aimed at combating greenwashing and misleading environmental claims. By virtue of the Proposal, the EC is attempting to implement measures designed to provide “reliable, comparable and verifiable information” to consumers, with the overall high-level goal to create a level playing field in the EU, wherein companies that make a genuine effort to improve their environmental sustainability can be easily recognized and rewarded by consumers. The Proposal follows a 2020 sweep that found nearly half of environmental claims examined in the EU may be false or deceptive. Following the ordinary legislative procedure, the Proposal will now be subject to the approval of the European Parliament and the Council. There is no set date for entry into force at this time.

The Proposal complements a March 2022 proposal to amend the Consumer Rights Directive to provide consumers with information on products’ durability and repairability, as well as to amend the Unfair Commercial Practices Directive by, among other things, banning “generic, vague environmental claims” and “displaying a voluntary sustainability label which was not based on a third-party verification scheme or established by public authorities.” The Proposal builds on these measures to provide “more specific requirements on unregulated claims, be it for specific product groups, specific sectors or for specific environmental impacts or aspects.” It would require companies that make “green claims to respect minimum standards on how they substantiate and communicate those claims.” Businesses based outside the EU that make environmental claims directed at EU consumers will also have to respect the requirements set out in the Proposal. The criteria target explicit claims, such as “T-shirt made of recycled plastic bottles” and “packaging made of 30% recycled plastic.”

Pursuant to Article 3 of the Proposal, “environmental claims shall be based on an assessment that meets the selected minimum criteria to prevent claims from being misleading,” including, among other things, that the claim “relies on recognised scientific evidence and state of the art technical knowledge,” considers “all significant aspects and impacts to assess the performance,” demonstrates whether the claim is accurate for the whole product or only parts of it, provides information on whether the product performs better than “common practice,” identifies any negative impacts resulting from positive product achievements, and reports greenhouse gas offsets.

Article 4 of the Proposal outlines requirements for comparative claims related to environmental impacts, including disclosure of equivalent data for assessments, use of consistent assumptions for comparisons and use of data sourced in an equivalent manner. The level of substantiation needed will vary based on the type of claim, but all assessments should consider the product’s life-cycle to identify relevant impacts.

Pursuant to Article 10, all environmental claims and labels must be verified and certified by a third-party verifier before being used in commercial communications. An officially accredited body will carry out the verification process and issue a certificate of conformity, which will be recognized across the EU and shared among Member States via the Internal Market Information System. The verifier is required to be an officially accredited, independent body with the necessary expertise, equipment, and infrastructure to carry out the verifications and maintain professional secrecy.

The Proposal is part of a broader trend of governmental regulators, self-regulatory organizations, and standard setters across industries adopting a more formalized approach toward greenwashing. For example, as we recently reported, the UK’s Advertising Standards Authority (ASA) published rules on making carbon neutral and net-zero claims. Instances of enforcement actions over greenwashing allegations have also been on the rise. The Securities and Exchange Board of India recently launched a consultation paper seeking public comment on rules to prevent greenwashing by ESG investment funds, and the European Council and the European Parliament reached an agreement regarding European Green Bonds Standards aimed at, among other things, avoiding greenwashing.

© Copyright 2023 Cadwalader, Wickersham & Taft LLP

Apple, Inc. Probed by European Commission for Possible Antitrust Violations

In late June, the European Commission (EC) opened several formal cases investigating Apple’s mobile payment technology (Apple Pay) and various third-party and user agreements to determine whether the tech giant’s practices and policies infringe on competition rights and abuse market power. Specifically, the Commission will investigate the company’s terms and conditions integrating the payment feature into merchant applications and websites, and the imposition of its proprietary in-app purchase system and accompanying restrictions. The latter prevents third-party developers from informing their users of cheaper alternative purchases available outside the app. The investigations follow complaints made by Spotify, a music streaming service competitor, and an e-book/audiobook distributor competitor, according to the EC’s press release.

In a statement, EC Executive Vice President Margrethe Vestager said that the Commission needs to allay fears that Apple’s “gatekeeper role” in the distribution of apps and content to users does not distort market competition. The impetus, she said, was to ensure that “Apple’s measures do not deny consumers the benefits of new payment technologies, including better choice, quality, innovation and competitive prices.”

Apple is one of the latest tech targets to experience regulatory scrutiny. Facebook, Amazon, and Google are facing antitrust inquiries by EU member states, the European Commission, and the United States’ Department of Justice and Federal Trade Commission.


© MoginRubin LLP

ARTICLE BY the Competition Policy and Advocacy practice at MoginRubin.

European Commission Gives Portugal Two Months To Address Issues With Biofuel Law Compliance

On April 28, 2016, the European Commission (EC) encouraged Portugal to become fully compliant with the Renewable Energy Directive (Directive) through the release of an April infringements fact sheet. The Directive has set the goal of 20 percent of the European Union’s (EU) 2020 energy consumption coming from renewable energy, with each Member State consuming at least ten percent renewable energy. Biofuels used in reaching this goal must meet a set of harmonized sustainability requirements, and must be treated equally by Member States regardless of the country of origin. Portugal has been sent a reasoned opinion urging it to stop favoring biofuels produced in Portugal over those produced in other countries, and to reduce sustainability requirements that are not warranted by the Directive. Portugal has two months to address these concerns, or else it could be sent to the Court of Justice of the EU.

©2016 Bergeson & Campbell, P.C.

Unlucky 13: FTC Settles Charges under International Safe Harbor Framework

Thirteen companies have agreed to settle Federal Trade Commission (FTC) charges relating to their participation in the U.S.–EU and U.S.–Swiss Safe Harbor Frameworks. Seven companies allegedly failed to renew their Safe Harbor self-certifications, including a sports marketing firm, two software developers, a research organization, a business information firm, a security consulting firm, and an e-discovery service provider. Another six allegedly failed to seek certification under the Frameworks, but nevertheless claimed in their privacy policies to be certified, including an amusement park, two sporting companies, a medical waste service provider, a food manufacturer, and an e-mail marketing firm. Last year, fourteen companies settled with the FTC over similar claims, and an advocacy group named 30 companies in a complaint alleging that they were out of compliance with the Safe Harbor Frameworks.

The European Commission’s Directive on Data Protection prohibits the transfer of personal data to non-EU countries that do not meet the EU standard for privacy protection, so the U.S. Department of Commerce (DOC) negotiated the Safe Harbor Frameworks to allow U.S. entities to receive such data provided that they comply with the Directive. To participate in the Safe Harbor Frameworks, companies must annually self-certify that they comply with seven key privacy principles for meeting the EU’s adequacy standard: notice, choice, onward transfer, security, data integrity, access, and enforcement. Only appropriately self-certified companies may display the Safe Harbor certification mark on their websites, and the FTC is charged with enforcing violations.

This enforcement action is a reminder of the importance of maintaining current Safe Harbor status for those who elect to participate in the program. It is also a reminder that companies must act in accordance with their published privacy policies, and periodically review their privacy policies to ensure that they remain current and reflect companies’ actual practices.

© 2015 Keller and Heckman LLP

Analysis of the European Commission’s 2015 Work Programme

The European Commission’s Work Programme for 2015 falls in line with Juncker’s political guidelines for his Presidency. The overall focus lies on the creation of jobs and economic growth, and the vision is to achieve this through a greener, more digital and more unified European economy. At the same time the Commission has restated its ambition to make regulation leaner and relieve markets from unnecessary administrative burden without compromising the high standards in social, environmental and consumer protection.

The Work Programme stands out from prior ones by its emphasis on discarding a total of 80 proposals that have either not progressed or that are not aligned with the objectives of the new Commission. Amongst the most prominent proposals to be withdrawn are the directive for the taxation of energy products and electricity, and the directive on the reduction of national emissions of certain atmospheric pollutants.

Combined with Juncker’s €315 billion investment plan, however, the Commission’s Work Programme is potentially very good news for companies seeking to invest in cutting-edge infrastructure and technologies, but also for those that simply seek to benefit from the single market. There is a renewed focus on a strong European industrial base and the Commission’s introductory note promises measures to improve its competitiveness.

The Commission also intends to work on further pooling sovereignty in economic governance, for example through a Common Consolidated Corporate Tax Base and a Financial Transaction Tax. The focus here is on providing more transparency and a level playing field, mainly in response to the Luxleaks affair. This might imply a revision of state aid rules as well as of the implementation of Juncker’s investment program.

From a broader perspective, the Commission’s Work Programme emphasizes the importance of trade, with the Transatlantic Trade and Investment Partnership Agreement (TTIP) at the very top of the priority list of bilateral agreements. The Work Programme also mentions the intention to promote stability at Europe’s borders, although it is likely that internal security matters, e.g. on cross-border crime, cybercrime, terrorism and radicalization, will trump any focus on external policies.

The links below open analysis pieces on topics and initiatives linked to particular sectors, focused on by the Commission:

  • Energy and transport, read the overview here
  • Life sciences, read the overview here
  • ICT and telecoms, read the overview here

The European Commission’s full Work Programme for 2015 can be found here.

© 2014 Covington & Burling LLP

European Commission Discusses Big Data

Morgan Lewis logo

The European Commission (the Commission) recently issued a press release recognizing the potential of data collection and exploitation (or “big data”) and urging governments to embrace the positive aspects of big data.

The Commission summarized four main problems that have been identified in public consultations on big data:

  • Lack of cross-border coordination
  • Insufficient infrastructure and funding opportunities
  • A shortage of data experts and related skills
  • A fragmented and overly complex legal environment

To address these issues, the Commission proposed the following:

  • A public-private partnership to fund big data initiatives
  • An open big data incubator program
  • New rules on data ownership and liability for data provision
  • Mapping of data standards
  • A series of educational programs to increase the number of skilled data workers
  • A network of data processing facilities in different member states

The Commission stated that, in order to help EU citizens and businesses more quickly reap the full potential of data, it will work with the European Parliament and the European Council to successfully complete the reform of the EU’s data protection rules. The Commission will also work toward the final adoption of the directive on network and information security to ensure the high level of trust that is fundamental for a thriving data-driven economy.

European Commission Considers Taking Over Cartel Investigations to Prevent Exploitation of German Law Loophole

Recently, The National Law Review published an article by Martina Maier and Philipp Werner of McDermott Will & Emery regarding the European Commission’s investigation of a German law loophole:

Under German law, companies may escape cartel fines by undertaking an internal restructuring. The German competition authority has indicated a willingness to reallocate such cases to the European Commission, which can impose a fine on the corporate group regardless of any internal restructuring. Commission officials speaking at a conference have suggested recently that the Commission would be willing to take over cartel cases from EU Member States, even at a late stage in the proceedings, in order to fine undertakings for their anti-competitive behaviour.

Background

The German competition authority can impose fines on undertakings that have violated European competition law by forming a cartel. Under German law, if the undertaking ceases to exist, for example by merging with another undertaking, only in exceptional circumstances can the legal successors be held liable for the violation of Article 101 TFEU. For the legal successor to bear any liability for the anti-trust infringement, the restructured company must be identical, or nearly identical, to the company that committed the infringement, such as in the case of a mere change of the company’s name or its legal structure.

This has created a loophole that can be exploited by internally restructuring the legal entity that has committed the infringement so it ceases to exist and no other legal entity within the group is (nearly) identical. Companies may thus escape cartel fines by, for example, redistributing their assets to affiliated companies within the corporate group, or by merging with a sister company, even if the original company’s assets remain within the same group and under the control of the same ultimate parent company. This loophole has been confirmed explicitly by the German Supreme Court. Although Germany is currently amending its competition legislation, it is not yet clear whether the proposed changes will be sufficient to solve the problem.

In the European Union, due to the broad interpretation of the concept of an “undertaking”, as well as the possibility of holding parent companies jointly and severally liable, the European Commission has broad discretion when it comes to imposing fines on parent companies, so an internal restructuring does not present a solution for infringing companies.

Reallocation of Cases

According to the Commission Notice on cooperation within the Network of Competition Authorities, reallocation of cases should normally take place within a period of two months, starting from the date of the first information sent by the relevant national competition authority to the European Competition Network. In general, the competition authority that is dealing with a case at the end of the two-month period should continue to handle the case until completion of the proceedings. Reallocation of a case after the two-month period should only occur where the facts known about the case change materially during the course of the proceedings. After the two-month period, the Commission should in principle initiate proceedings only in exceptional cases.

If the Commission initiates proceedings, the relevant authorities of the Member States are relieved of their competence to apply Article 101 TFEU and Article 102 TFEU. This means that, once the Commission has opened proceedings, national competition authorities cannot act under the same legal basis against the same agreement or practices by the same undertaking on the same relevant geographic and product market.

Despite these procedural concerns, the Commission seems to be willing to accept a late reallocation of cases in cooperation with the German competition authority. It is not clear how this principle could or will be extended to other Member States and whether it could be applied under different circumstances where a Member State is prevented from fining a cartelist due to the application of a national law.

© 2012 McDermott Will & Emery