Skip to main content

AI

EU AI Act

info

Full text: Regulation - EU - 2024/1689 - EN - EUR-Lex

Timeline

  • The timeline is provided in Article 113
  • 12 Jul 2024 Publication in the EU Official Journal
  • 01 Aug 2024 Entry into force (publication + 20 days)
  • 02 Aug 2026 AI act applies completely, but:
    • 02 Feb 2025 Chapters I and II apply
    • 02 Aug 2025 Chapter III Section 4, Chapter V, Chapter VII and Chapter XII and Article 78 apply, except Article 101 apply
    • 02 Aug 2027 Article 6(1) and corresponding obligations apply

AI literacy

Training obligation applies from 02 Feb 2025:

AI literacy
Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used.

Article 4

AI literacy itself is defined in Article 3 (Definitions):

(56) ‘AI literacy’ means skills, knowledge and understanding that allow providers, deployers and affected persons, taking into account their respective rights and obligations in the context of this Regulation, to make an informed deployment of AI systems, as well as to gain awareness about the opportunities and risks of AI and possible harm it can cause;

Article 3 (highlighted by me)

Provider and deployer are defined in Article 3 (Definitions):

(3) ‘provider’ means a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge;

Article 3

(4) ‘deployer’ means a natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity

Article 3 (highlighted by me)

Conclusion: Companies using AI systems fall under the definition of 'deployer', e.g. when using Microsoft 365 Copilot Chat or ChatGPT Enterprise, etc.

See also: Verpflichtungen im AI-Act: KI-Kompetenzen im Unternehmen sichern - IHK Hannover (German)

Transparency obligations for deployers

info

The definition of 'deployer' can be found in section AI literacy. Note that companies using AI systems usually fall under this definition.

Article 50 defines transparency obligations. There are obligations for three types of systems for deployers:

Emotion recognition systems / biometric categorisation systems

Inform exposed persons, that if a emotion recognition system or biometric categorisation system is being used

Image / Audio / Video generators

Disclose that content was artificially generated/manipulated for image/audio/video which is a deep fake

info

Limitation for: Evidently artistic, creative, satirical, fictional or analogous work → disclosure can happen in a way, that the presentation of the work is not hampered

Text generation and manipulation

Disclose that text has been generated or manipulated by AI:

  • when text is being published and
  • when purpose of publication is to inform the public on matters of public interest
info

No disclosure necessary when:

Text was reviewed by a human or editorial control by a human or editorial responsibility by natural or legal person

Additional articles

German

heise ix: AI Act: Auswirkungen in der Praxis

heise ix: Vorbereitung auf den AI Act: Wie die ISO 42001 helfen kann

heise ix: AI Act: Weitreichende Pflicht zur KI-Kompetenz

Terms of service provider

  • AI service providers' terms might restrict commercial use of generated outputs.

GDPR

heise ix: DSGVO-konformes Machine Learning aus der Cloud

This paragraph provides an overview of the current situation in Germany.

  • AI-generated content is not safeguarded by copyright laws → public domain
    • For content to be protected under copyright laws, it must be created by a human.
  • Integrating AI as a tool in the creative process can lead to outputs that are copyright protected, for example when you revise a text that includes your own ideas.
  • A prompt may fall under copyright law if it demonstrates a sufficient level of creativity.
  • AI-generated content may include segments of training data that could be protected by copyright laws → be careful when using output
    • Risk management is necessary, since AI will not provide sources of the material

In der Grauzone | c't | heise magazine

Das Urheberrecht und die Fallen bei Nutzung von generativer KI - Verbraucherportal-BW

Bundesministerium der Justiz - FAQ KI und Urheberrecht.docx

heise ix: KI aus der Cloud: Verträge richtig gestalten

Open Source Licences (Copyleft)

If the AI system was trained using Open Source code that carries a copyleft license, the generated output may include snippets of the training data, especially when the prompt asked for standard problems.

This affects the following Open Source licenses:

Affected (copyleft)Not affected
GPL 2.0 / GPL 3.060% of all OSS projectsMPL (Mozilla Public License)Copyleft only if existing code was modifiedBSD LicenseLicense text must be includedMIT LicenseLicense text only for significant parts of the original codeApache License

This leads to the legal issue, that the product using the resulting code might need to be published under the same license as the training code (see Copyleft – Wikipedia) including publication of the source code.

[2502.05023] On the Possibility of Breaking Copyleft Licenses When Reusing Code Generated by ChatGPT

heise ix: Rechtliche Unsicherheit beim Coding mit KI

AI risks

MIT: The AI Risk Repository

Data residency

For customers in the European Union it might be necessary to process data only within the boundaries of the European Union and especially not transfer it to the US.

Microsoft therefore introduces the “EU Data Boundary” (EUDB).

What is the EU Data Boundary? - Microsoft Privacy | Microsoft Learn

Microsoft 365 Copilot Chat

Microsoft 365 Copilot Chat is the version of Copilot included for free in most of the Microsoft 365 business subscriptions.

For the business version of Microsoft 365 Copilot Chat, Microsoft ensures for European users, that EU traffic does not leave the EU Data Boundary.

This includes the API calls to the LLM, which are processed within Europe.

Search queries (Web search triggered by Copilot) using Bing) might be processed outside of the EU Data Boundary!

Prompting

As examples of prompting frameworks, the content behind the following link describes the AUTOMAT framework and the CO-STAR framework:

The Perfect Prompt: A Prompt Engineering Cheat Sheet | by Maximilian Vogel | Medium