The European AI Act is a comprehensive regulatory response to the challenges and risks posed by the rapid advancement of technology and artificial intelligence (AI) (see our summary here). Originally proposed in 2021, the Act saw its legislative process notably disrupted when OpenAI’s ChatGPT launched on 30 November 2022, prompting changes to the draft text to introduce specific rules for generative AI.
What are General Purpose AI (GPAI) models?
The AI Act defines a “General purpose AI model” (also known as a foundation model) as an AI model that, among other characteristics, can perform a wide range of distinct tasks, regardless of the way the model is placed on the market, and that can be integrated into a variety of downstream systems or applications. This term includes AI models built on top of so-called Large Language Models, as well as generative AI such as image or sound generation tools. Other GPAI models are used to build applications that help with writing computer code, analysing medical images, or various types of decision-making with economic consequences.
The AI Act is clear that AI models do not constitute AI systems on their own; they are, however, often integrated into, and form an essential part of, AI systems. Providers of GPAI models are subject to obligations that differ slightly from the general obligations for providers of AI systems. This distinction also clarifies that GPAI models do not constitute high-risk AI systems, as they are not AI systems. Instead, the AI Act introduces the subcategory of GPAI models that pose systemic risks, which is further explained below.
Documentation and Transparency Obligations
Overall, the set of obligations that applies to providers of (non-systemic-risk) GPAI models can be considered “lighter” than those that apply to providers of AI systems. Providers of GPAI models are required to keep their technical documentation up to date and make it available to the (newly established) AI Office and national regulators. They also have to provide certain information and documentation to downstream providers that have integrated the GPAI model into their AI systems. Additionally, they need to make publicly available “a sufficiently detailed summary about the content used for training of the GPAI model, based on a template provided by the AI Office”. While the summary does not need to be technically detailed, it should list the main data collections or sets that went into training the model, such as large private or public databases or data archives, and explain which other data sources were used. The template is also expected to take due account of the need to protect trade secrets and confidential business information.
What about Copyright?
Generative AI made headlines mostly due to a wave of infringement claims from rightsholders, mainly in the US, who sued various AI providers such as OpenAI for copyright infringement arising from the alleged use of their works to train the providers’ AI models. In light of the issues arising from the interplay of generative AI and copyright law, the AI Act requires providers of GPAI models to put in place a policy to ensure compliance with EU copyright law. This policy needs to include, in particular, the provider’s commitment to respect any express “opt out” declaration by a copyright holder that their works may not be used for the purposes of text and data mining (Art. 4(3) of the EU’s Digital Single Market Directive 2019/790).
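The AI Act does not prescribe a specific technical form for such an opt-out, but Art. 4(3) of the DSM Directive requires that the reservation be expressed in an appropriate manner, such as by machine-readable means, for content made publicly available online. One widely deployed machine-readable mechanism is a robots.txt directive addressed to known AI training crawlers. As an illustrative sketch (our example, not text from the AI Act), a website operator could disallow OpenAI’s documented “GPTBot” crawler as follows:

```
# Illustrative robots.txt entry: a machine-readable reservation of rights
# for text and data mining purposes. "GPTBot" is OpenAI's documented
# training crawler; other providers publish their own user-agent names.
User-agent: GPTBot
Disallow: /
```

Whether any given signal satisfies Art. 4(3) remains a legal question in each case; the robots.txt approach is simply one common way such reservations are expressed in practice today.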
Recital 60j also deals with the international dimension of said text and data mining exception. It clarifies that providers may not circumvent this minimum standard of protection by placing an AI model on the EU market that has been trained in other jurisdictions with lower copyright standards. This is intended to ensure a level playing field among providers of GPAI models.
GPAI Models with Systemic Risk
The new version of the AI Act includes a subcategory of GPAI models: a model will be considered a “GPAI model with systemic risk” if one of the following two criteria is fulfilled:
- High impact capabilities of the GPAI model, which are presumed when the cumulative amount of compute used for its training, measured in floating point operations (FLOPs), is greater than 10^25[1] (see the illustrative calculation after this list); or
- An individual designation decision by the EU Commission that takes into account, for example, the number of parameters, the quality and size of the dataset, the input and output modalities, or the model’s reach measured in registered business users.
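The 10^25 figure is abstract, so a back-of-envelope calculation may help. A common heuristic from the machine-learning scaling-law literature (not part of the AI Act itself) estimates training compute as roughly 6 × N × D FLOPs, where N is the number of model parameters and D the number of training tokens. The sketch below applies this heuristic to two hypothetical model configurations; all figures are illustrative assumptions, not regulatory guidance.

```python
# Illustrative back-of-envelope check against the AI Act's 10^25 FLOP
# presumption threshold, using the common "6 * N * D" heuristic from the
# scaling-law literature (training FLOPs ~ 6 x parameters x tokens).
# The heuristic and the example figures below are illustrative
# assumptions only, not part of the AI Act.

THRESHOLD_FLOPS = 1e25  # presumption threshold for high-impact capabilities

def estimated_training_flops(n_parameters: float, n_tokens: float) -> float:
    """Rough estimate of cumulative training compute in FLOPs."""
    return 6 * n_parameters * n_tokens

examples = {
    # (parameters, training tokens) -- hypothetical model sizes
    "mid-size model (70B params, 2T tokens)": (70e9, 2e12),
    "frontier-scale model (1T params, 10T tokens)": (1e12, 10e12),
}

for name, (params, tokens) in examples.items():
    flops = estimated_training_flops(params, tokens)
    status = "presumed systemic risk" if flops > THRESHOLD_FLOPS else "below threshold"
    print(f"{name}: ~{flops:.1e} FLOPs -> {status}")
```

Under these assumptions, the 70-billion-parameter run comes out at roughly 8.4 × 10^23 FLOPs, well below the threshold, while the hypothetical trillion-parameter run exceeds it at about 6 × 10^25 FLOPs. In practice, a provider would count the actual cumulative compute of the training run rather than rely on such approximations.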
Providers of GPAI models with systemic risk are subject to additional obligations. These include performing tests and model evaluations, conducting risk assessments and taking risk mitigation measures, reporting serious incidents (such as an incident that causes the death of a person, leads to an irreversible disruption of the operation of critical infrastructure, or causes serious property damage) to the AI Office and national authorities, and ensuring an adequate level of cybersecurity protection.
For more information and assistance related to compliance with the EU Artificial Intelligence Act, please reach out to us at ERM.
[1] The EU Commission will need to adapt this threshold in light of evolving technological developments, such as algorithmic improvements or increased hardware efficiency, in order to keep pace with the ever-evolving state of the art.
The review was written by Rotem Perelman-Farhi, Partner and Head of the firm’s Technology & Data Department, and Dr. Laura Jelinek, Associate in the firm’s Technology & Data Department.
* This newsletter is provided for informational purposes only, is general in nature, does not constitute a legal opinion or legal advice and should not be relied on as such. If you are seeking legal advice, it is essential to review the specific facts of each case in detail with a qualified lawyer.