On October 13, 2022, the European Data Protection Supervisor (“EDPS”) released its Opinion 20/2022 on a Recommendation issued by the European Commission in August 2022 calling for a Council Decision authorising the opening of negotiations on behalf of the European Union for a Council of Europe convention on artificial intelligence, human rights, democracy and the rule of law.

The resulting convention – to be called the “AI Convention” –  would complement the EU’s proposed AI Act and the proposed AI Liability Directive, both currently under negotiation.  (See our previous blog post on the proposed AI Act here and on the proposed AI Liability Directive here).

The AI Convention would be the first legally binding international instrument on AI, and would be open to participation by non-member States.  In September 2022, the Council of Europe’s Committee on Artificial Intelligence (“CAI”) examined a first draft, which focused on developing common principles to ensure continued application of and respect for human rights, democracy and the rule of law, where AI systems assist or replace human decision-making.  The AI Convention would cover both public and private providers, and users of AI systems.

The EDPS welcomes the AI Convention as an opportunity to complement the EU’s AI Act and supports the EU Commission’s aim to ensure consistency with the EU’s proposed AI Act.  Moreover, the EDPS endorses the AI Convention’s suggested definition of “AI subject”, i.e., a person affected by the use of AI systems (such as workers affected by the use of AI in work management systems, or individuals applying for loans relying on AI-powered creditworthiness systems), and of procedural safeguards and rights for AI subjects.

The EDPS’ key recommendations on the EU’s negotiating directives include the following:

  • Prioritize safeguards and fundamental human rights for individuals as general objectives;
  • Include (1) an explicit reference to the AI Convention’s compliance with the EU’s data protection framework, and (2) a methodology for assessing the risks posed by AI systems to fundamental rights, in order to establish clear, concrete and objective criteria for conducting “human rights impact assessments”;
  • In line with a risk-based approach, ensure that risks to societal and specific groups posed by AI systems be assessed and mitigated, and impose a prohibition on AI systems presenting “unacceptable risks”.  In the EDPS’ view, AI systems using (1) social scoring, (2) biometric identification in publicly accessible spaces, and (3) biometrics and emotional categorization, in addition to certain other systems, should generally be prohibited;
  • Promote a data protection by design and by default approach in every step of an AI system’s lifecycle, to allow effective implementation of data protection principles by means of state-of-the-art technologies;
  • Specify that the AI Convention should (1) include ex ante third-party conformity assessments for high-risk AI systems, and a procedure for new assessments in case of significant changes to those systems, and (2) provide minimum requirements on transparency, explainability and auditability of AI systems; and
  • Ensure that competent supervisory authorities be vested with adequate investigatory and enforcement powers, and cross-border cooperation among authorities be facilitated.

Although further negotiations are scheduled to take place, a final proposal for the AI Convention is expected to be adopted by the Council of Europe’s Committee of Ministers in November 2023.

***

Covington regularly advises  companies on their most challenging regulatory and compliance issues in the EU and other major markets.  Our team is happy to assist with any inquiries relating to the new AI Convention and the EU AI Act, and other tech regulatory matters.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Photo of Lisa Peets Lisa Peets

Lisa Peets leads the intellectual property and technology and media groups in the firm’s London office. Ms. Peets divides her time between London and Brussels, and her practice embraces legislative advocacy, trade and IP enforcement. In this context, she has worked closely with…

Lisa Peets leads the intellectual property and technology and media groups in the firm’s London office. Ms. Peets divides her time between London and Brussels, and her practice embraces legislative advocacy, trade and IP enforcement. In this context, she has worked closely with leading multinationals in a number of sectors, including many of the world’s best-known software and hardware companies.

On behalf of her clients, Ms. Peets has been actively engaged in a wide range of law reform efforts in Europe, on multilateral, regional and national levels. This includes advocacy on EU and national initiatives relating to e-commerce, copyright, patents, data protection, technology standards, compulsory licensing, IPR enforcement and emerging technologies. Ms. Peets also counsels clients on trade related matters, including EU export controls and sanctions rules and WTO compliance.

In the IP enforcement space, Ms. Peets coordinates a team of lawyers and Internet investigators who direct civil and criminal enforcement actions in countries throughout Europe and who conduct global notice and takedown programs to combat Internet piracy.

Ms. Peets is a member of the European Commission’s Expert Group on reform of the IP Enforcement Directive.

Photo of Sam Jungyun Choi Sam Jungyun Choi

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous…

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous vehicles. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Sam advises leading technology, software and life sciences companies on a wide range of matters relating to data protection and cybersecurity issues. Her work in this area has involved advising global companies on compliance with European data protection legislation, such as the General Data Protection Regulation (GDPR), the UK Data Protection Act, the ePrivacy Directive, and related EU and global legislation. She also advises on a variety of policy developments in Europe, including providing strategic advice on EU and national initiatives relating to artificial intelligence, data sharing, digital health, and online platforms.

Photo of Laura Somaini Laura Somaini

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules…

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules as well as data protection contracts and policies.