EU lawmaking in the Artificial Intelligent Age: Act-ification, GDPR mimesis, and regulatory brutality

A few months ago the authors identified, in respective posts that were kindly hosted on this blog, two phenomena observable in recent EU law, namely its ‘act-ification’ and its ‘GDPR mimesis’. The first denoted the tendency of the EU legislator, perhaps affected by its US counterpart, to introduce eponymous ‘Acts’ rather than anonymous, sequentially numbered pieces of legislation. The second aimed to describe the GDPR’s heavy-handed influence on all new pieces of EU law that aim to protect individuals from perceived perils of technology. Before long both trends were vindicated, and are visible, in the Commission’s recent release of a draft Artificial Intelligence (‘AI’) Act. After a discussion of both trends, we introduce a reflection about regulatory brutality and the – apparent – lack of concern from the EU side about legal coherence in domestic law systems.

Act-ification in the Artificial Intelligence Act 

The ‘act-ification’ of EU law continues unhindered: The new draft follows the pattern of its predecessors, introducing in a parenthesis a short title with the word ‘Act’ in it. Its full title is ‘Regulation of the European Parliament and of the Council laying down harmonised rules on Artificial Intelligence (Artificial Intelligence Act) and amending certain Union legislative acts’. Once again, the Commission deliberately chose, first, to introduce a short title to refer to its legislative initiative, and, second, to include the word ‘Act’ in it instead of, for example, ‘Regulation’, which would have been the obvious choice (see, for example, the GDPR). The draft AI Act is the latest addition to a long series of other EU law ‘Acts’, as outlined in our previous blog post. The authors welcome this development, because of the proximity and the intimacy it creates between EU law and Europeans, and look forward to a point in the hopefully not so distant future where EU law will require Popular Name Tools, as is the case also in US law (where Popular Name Tools, or Tables, are by now necessary, in order to translate the short title given to many laws (e.g. PATRIOT Act or CLOUD Act) into the citations that will help locate them in the correct section of the U.S. Code).

GDPR mimesis in the Artificial Intelligence Act 

There are perhaps less reasons to celebrate as regards the second EU law phenomenon met in the draft AI Act, namely that of ‘GDPR mimesis’. The GDPR model is clearly visible in the provisions of the draft AI Act. Similarities come in two forms, a structural and a case-specific one. From a structural point of view the GDPR effect is best viewable in the suggested AI supervision and enforcement model: In essence, the draft AI Act replicates the GDPR model of establishing supervisory authorities at national level (Art. 3(42) and 59 of the draft AI Act) that are to be coordinated at EU level by a Board (in this case, the European AI Board, see Art. 56 of the draft AI Act). In addition, same as with the GDPR, the principle of accountability underlies the draft AI Act (see, for example, Art. 23 or Art. 26(5)).

From a case-specific perspective, provisions in the draft AI Act that are visibly affected by the GDPR (not including, of course, those provisions that directly refer to it, as is for example the case in Art. 10(5)) include, indicatively, the household exemption of Art. 3(4), the certification mechanisms (declarations of conformity and codes of conduct in Articles 48 and 69), the AI registration system (see Articles 51 and 60), or the mandatory appointment of representatives in the EU for any AI non-EU actors (see Art. 25 of the AI Act).

Why is this a problem? While there is certainly nothing wrong with the Commission trying to export a successful regulatory model such as that of the GDPR into other fields of law, difficulties are bound to emerge when attempting to do so while regulating AI because the two cases are fundamentally different.

Personal data protection aims to protect a fundamental human right and regulates only a single, easily identifiable human activity, that of personal data processing. AI regulation is much wider in scope. It presumably aims both to protect individuals and to help the development of AI. It does not refer to any specific activity or field but is rather all-encompassing, aiming at any and all AI instances in human life. Any attempt to catalogue AI in its entirety so as to bring it under the supervision of a single state authority reveals a highly structuralist, bureaucratic approach that the authors believe will prove ineffective, if for nothing else, then only due to the sheer volume of the work anticipated for such an over-ambitious task.

EU law brutality

While the draft AI Act has validated our older points on EU law’s ‘act-ification’ and ‘GDPR mimesis’, we would like to use this opportunity to identify yet another phenomenon that, in contrast with the ones identified above, is neither novel nor recent. However, the draft AI Act is the latest addition to a series of recent EU technology-related regulatory initiatives that, to our mind at least, not only validate its existence but also bring it forcefully to the fore: EU law’s ‘brutality’.

In essence, the EU regulates technology in Europe in void: Because all technology-related issues broadly fall within EU law competence (with the, rare, exception of state security), new regulatory initiatives are created essentially by the Commission from scratch. Competing Member State law is either completely missing, due to the novelty of the sector under discussion, or has such a short history that is not yet entwined into national legal orders creating insurmountable difficulties if replaced. Taking this for granted, the EU legislator feels free to introduce new constructs and legal mechanisms to support its law-making options in what could be described as a ‘brutal’ manner, in the sense that Member State particularities, whether legal, relating to public administration or of another kind, are in one way or another glossed over.

This has been invariably the case in all recent technology-related Commission interventions over the past few years: PNR processing mandated the creation of special national units; cybersecurity legislation (the NIS Directive) created its own – and also a certification system (the Cybersecurity Act). The same will be the case with the Digital Services Act, the Digital Governance Act (‘DGA’), and, now, with the AI Act.

In all of the above cases, Member States are asked not to approximate already existing national laws but instead to apply entirely new, EU-made provisions, that come complete with accompanying administrative mechanisms. In practice, as far as the regulation of technology by EU law is concerned, it is only in the case of personal data protection that Member States came in strong with fully developed national systems, shaping the resulting EU law (Directive 95/46, that was later developed into the GDPR) rather than vice versa.

As noted, this is not a new characteristic of EU law. In fact, it is a necessary attribute of EU law supremacy. However, the important change that occurred in the meantime is the exponential increase in the importance of technology. While thirty or forty years back, and most certainly at the time of incorporation of the EU, the fields EU law affected were more or less marginal to the everyday lives of Europeans, today this is not the case. Today technology permeates human lives. There is practically no field of human activity not affected by it. The EU, either by design or by sheer luck, happened to be the one indisputably authorized to regulate digital life, perhaps under a regulatory-instrumentalist mind-set, as identified by Brownsword (p.194 ff.). Now it is confident that its regulatory will dominates – a realisation not entirely unrelated with its recent tendency to issue ‘Acts’.

EU law brutality therefore describes exactly that, the introduction of EU law that directly affects the everyday lives of Europeans without much background compatibility with the legal constructs, notions and systems of Member States. Member States are not expected to amend their already existing systems so as to harmonise them under a common (EU law) denominator, but to introduce entirely new ones, frequently on an ‘as is’ basis, in the form of Regulations. Regulations, in particular, preferably carrying easily identifiable names, such as ‘Acts’, are much more suitable law-making instruments for such ‘EU law brutality’ than Directives.

Political considerations aside, EU law brutality mostly affects Member State law coherence. For the moment EU law does not pose significant coherence issues. First, it only has a history of decades rather than centuries, as is the case in most Member States’ laws. Second, it relies on Member States to monitor and enforce it upon Europeans, avoiding therefore the ‘fuss’ of establishing and operating complex implementation mechanisms on the (European) ground. Consequently, the EU legislator only needs to be coherent with EU law. This is accomplished simply by paying attention to neighbouring legal instruments: For example, the AI Act takes special note in more than one occasions of the GDPR.

Member States, however, are deeply and directly affected by EU law brutality. Being on the receiving end of EU’s rules and regulations, particularly when it comes to the regulation of technology, they need to introduce into their national laws new ideas and mechanisms. They also frequently need to establish new state authorities in a spirit of cooperative federalism (see Paul de Hert, pp.291-324). However, Member States, unlike the EU, do not regulate in void. What for the Commission could be perceived as a simple ‘paper’ exercise, prescribing new rules and introducing new state authorities, for each Member State becomes a complex legal and administrative operation. Transposition of technology-regulating EU laws is rarely an isolated task. Particularly in the case of far-reaching legal instruments such as the GDPR or the DGA or, now, the AI Act, national legislators are not simply required to transpose a single piece of legislation but rather to run a full background check in any and all fields of their national laws in order to root out national provisions that may oppose to the letter or the spirit of newly released EU law. In addition, new state agencies need to be established and become incorporated into existing bureaucracies or the powers of already operating ones need to be amended – each step being a complex exercise including anything from personnel issues to hierarchy placement within Member States Ministries etc.

The lesser evil of EU law brutality? (Conclusion)

What to think of such EU law brutality? The first thing that comes to mind is that it is inevitable. Very few Member States possess the resources and expertise to regulate technology – and even if they do, why spend valuable resources on something where the EU, with immensely more resources and expertise, will intervene anyway? EU law brutality in this manner is a self-fulfilling prophecy: It is bound to continue in the future, at an even increased manner, following the pace of technology change.

The second idea is that such brutality shall decline soon. As seen, for the moment the EU legislates technology more or less in void. Shortly this will stop being the case because the EU will essentially regulate on the legal and administrative premises that it established itself: If the AI regulatory mechanism introduced by the draft AI Act becomes operational, any new EU law initiative will have to take it into account. Therefore, Member States will feel less shocks in their internal legal and administrative systems with every new EU law initiative.

The third idea is that of EU state building. The EU has chosen the path of integration by law, rather than by force of arms, as has been invariably the norm in most of humanity’s history until today. However, integration by law does not mean that (legal) violence can be avoided. EU law will become increasingly prevalent, displacing national particularities and being addressed directly to Europeans, through an increased recourse to Regulations (at least as far as technology matters are concerned) rather than through Directives as was the case in the past. To the authors this is a welcome development. EU law brutality is the (far) lesser evil of any other option out there when it comes to integrating into a comprehensive and coherent whole of centuries-old different legal traditions and cultures.