By Jana Farmer and Thomas DeMicco, of Wilson Elser
As artificial intelligence (AI) continues to reshape industries and become integrated in everyday life, the question of how to effectively govern the risks associated with AI technologies has become an urgent legal issue. AI is increasingly integrated into products and services that consumers are interacting with – ranging from autonomous vehicles to medical devices to smart home technologies – raising significant concerns about the potential for harm. As AI systems become more sophisticated in the quest to achieve artificial general intelligence, they rely on multi-layered neural networks to process unstructured data, seek hidden patterns, and engage in unsupervised learning.
The AI systems’ autonomy and its ability to learn, as well as the complexity of the models, makes their decision-making processes opaque and difficult to trace. This complexity, combined with the lack of human supervision over the decision-making process as well as the processing of enormous volumes of data, increases the risk that AI-driven decisions may cause personal injury, property damage, or financial losses; yet these factors also make it more challenging to pinpoint the exact cause of harm and hold any party accountable. Given that AI systems evolve autonomously and may learn from vast datasets in ways that are difficult to predict, the traditional frameworks of product liability will need to adapt to the new reality.
Product liability laws are designed to determine responsibility when a product causes harm, but they were not originally crafted with AI in mind. AI presents unforeseen challenges to manufacturers and regulators. This has led to growing concerns among regulators worldwide, including in the European Union (EU), the United States, and Canada, about whether the existing legal frameworks are obsolete and can no longer deal with this emerging technology, and whether new regulations should be created to address the specific challenges AI presents.
The emerging consensus in many jurisdictions is that organizations should be held liable for damages caused by their AI systems. However, several complex questions remain: How should liability be attributed when an AI system is autonomous and capable of evolving its decision-making over time? How can causation be traced when the outputs of AI systems may be unpredictable? What level of responsibility should be placed on AI developers and deployers to mitigate risks without stifling innovation? These questions underscore the need for legal frameworks that balance consumer protection with technological advancement.
Understanding the EU Proposed Directives on Artificial Intelligence
The EU has taken a significant step toward addressing these challenges with two key legal proposals introduced in September 2022. The first is a reform of the 1985 Product Liability Directive, which expands the scope of regulated products to include AI systems, software, and digital products. Under this reform, a strict liability regime would apply, meaning that victims only need to prove that the AI product was defective, that they suffered damage (such as injury, property damage, or data corruption), and that the defect directly caused the damages. The directive notably will have extraterritorial application, meaning that victims harmed by AI systems developed outside the EU can still seek compensation within the EU. Another key aspect of this reform is the imposition of ongoing responsibilities on developers to monitor and maintain AI systems after deployment, ensuring their safety and continued functionality as they evolve and learn.
The second proposal is the AI Liability Directive, which focuses on fault-based liability and introduces measures designed to simplify the legal process for victims seeking compensation for AI-induced harm. One of the most significant provisions of this directive is the presumption of causality, which allows courts to assume a causal link between noncompliance with an applicable law and harm caused by AI systems, shifting the burden of proof onto the defendant. Thus, for example, if an organization fails to comply with the provisions of the EU Artificial Intelligence Act (discussed below), courts would presume that the organization is liable for any harm caused, and the defendant would need to prove otherwise. Additionally, the directive empowers courts to compel the disclosure of technical information about high-risk AI systems, including development data, compliance documentation, and testing results, which could provide crucial evidence in legal proceedings.
These two proposals, currently under negotiation, aim to create a more transparent and accountable legal framework for AI, seeking to provide possible victims of AI-related damages with clear pathways to redress. By operating in parallel, the two directives provide complementary routes for addressing AI risks along the traditional strict liability and fault-based regimes.
EU AI Act: A Risk-Based Approach to Governance
In terms of a substantive law regulating AI (which can be the basis of the causality presumption under the proposed AI Liability Directive), the European Union’s Artificial Intelligence Act (AI Act) entered into force on August 1, 2024, becoming the first comprehensive legal framework for AI globally. The AI Act applies to providers and developers of AI systems that are marketed or used within the EU (including free-to-use AI technology), regardless of whether those providers or developers are established in the EU or a separate country.
The EU AI Act sets forth requirements and obligations for developers and deployers of AI systems in accordance with risk-based classification system and a tiered approach to governance, which are two of the most innovative features of the AI Act. The Act classifies AI applications into four risk categories: unacceptable risk, high risk, limited risk, and minimal or no risk. AI systems deemed to pose an unacceptable risk, such as those that violate fundamental rights, are outright banned. Examples are social scoring when used by governments, categorizing persons based on biometric data to make inferences about attributes, or use of internet or CCTV footage for facial recognition purposes.
High-risk AI systems, which include areas such as health care, law enforcement, and critical infrastructure, will face stricter regulatory scrutiny and must comply with rigorous transparency, data governance, and safety protocols. The transparency requirement means that the providers must clearly communicate how their AI operates, including its purpose, decision-making processes, and data sources. Furthermore, users must be informed when they are interacting with an AI system. The goal is to create a sense of accountability, particularly for applications that significantly impact people’s lives, such as AI-driven hiring tools or autonomous decision-making systems in public services.
One of the most significant aspects of the new directives is the emphasis on ethical AI use. Developers and businesses must ensure that their AI systems respect fundamental rights, adhere to nondiscrimination policies and protect personal data. The EU is prioritizing the concept of human-centric AI, meaning systems should support and enhance human capabilities rather than replace or undermine them.
Regulation of General Purpose AI systems
General purpose AI systems, or GPAI, are designed to perform a wide variety of tasks, multi-task, scale to address more complex or more specific challenges, transfer learning, and automate a range of tasks traditionally requiring human input. An example of such systems is OpenAI’s GPT series. GPAI is contrasted with narrow artificial intelligence, which may be used to address one narrow task, such as a voice assistant or an obstacle avoidance system. The AI Act imposes transparency obligations and certain restrictions on the use of GPAI models. For example, systems intended to directly interact with humans must be clearly marked as such, unless this is obvious under the circumstances.
Providers of all GPAI models will be required to:
- Maintain technical documentation of the model and training results, including training and testing process and evaluation results
- Draw up instructions for third-party use, i.e., information and documentation to supply to downstream providers that intend to integrate the model into their own AI systems
- Establish policies to comply with EU copyright laws and specifically text and data mining opt-outs
- Provide to the AI Office a detailed summary about the content used for training the GPAI model.
All providers of GPAI models that present a systemic risk – open or closed – must conduct model evaluations, perform adversarial testing, track and report serious incidents, and ensure cybersecurity protections. GPAI models present systemic risks when they have “high impact capabilities,” i.e., where the cumulative amount of compute used for its training is greater than 1025 floating point operations (FLOPs). Free and open license GPAI model providers only need to comply with copyright laws and publish the training data summary, unless they present a systemic risk.
All GPAI model providers may demonstrate compliance with their obligations if they voluntarily adhere to a code of practice until European harmonized standards are published, compliance with which will lead to a presumption of conformity. Providers that do not adhere to codes of practice must demonstrate alternative adequate means of compliance for European Commission approval.
Applicability Timelines
Organizations will have approximately two years to adjust to these new regulations, with some provisions taking effect earlier: 6 months for prohibitions; 12 months for the governance rules and the obligations for general-purpose AI models; and 36 months for the rules for AI systems embedded into regulated products. In the summer of 2024, the European Commission also launched a consultation on a Code of Practice for providers of GPAI models that will address the requirements for transparency, copyright-related rules, and risk management. The Code of Practice is expected to be finalized by April 2025. Additionally, in early 2024, the European Commission established the new AI Office, endowed with exclusive jurisdiction to enforce the AI Act’s provisions related to GPAI and the power to request technical documentation to assess compliance with the law. The AI Office also oversees the AI Act’s enforcement and implementation with the member states.
Impact on U.S. businesses
The extraterritorial application of the AI Act and the proposed AI Liability Directive and the reform of the 1985 Product Liability Directive will have widespread implications for American businesses operating in Europe. Given that these laws apply not only within the EU but also to businesses outside its borders – such as American firms that sell or use products using AI in Europe – compliance will necessitate significant operational and legal adjustments for U.S. companies that will touch on several key areas, including product development, data management, corporate governance, and transparency, with the goal of reducing risk, ensuring compliance, and protecting both consumers and organizations from potential liabilities.
While the new regulations are strict, the regulators emphasize that they are not designed to stifle innovation. The EU has introduced several initiatives to support research and development within the AI space, including regulatory “sandboxes” that provide companies with a controlled environment to test new AI technologies before full-scale deployment, while ensuring compliance with EU regulations.