The ‘Brussels effect’ of the EU’s ‘AI Act’ on data privacy outside Europe

Graham Greenleaf analyses the proposed EU regulation’s GDPR-like territorial reach, and its impact on business outside Europe in relation to the AI systems that they provide or use.

The European Commission’s publication of a proposal for a Regulation on Artificial Intelligence (also described as an “AI Act”)(1) is likely to become a pivotal moment in the global regulation of artificial intelligence, but it will also have major global implications for privacy and data protection.

Many businesses located outside Europe are keeping a wary eye on the GDPR because of the risks that its extra-territorial reach might apply to them, or because they might even be held to have an establishment in the EU. Such businesses need to be equally concerned that the AI Act may apply to any of their AI-related activities that can affect individuals, and may do so in situations outside the scope of the GDPR. The AI Act will also be a data privacy regulation, but one that is different from the GDPR. This is likely to be good news for data privacy and human rights in the EU, but for some businesses outside Europe(2) it will be another significant regulatory obligation requiring consideration.

Continue reading

International Report subscribers please login to access the full article.

If you wish to subscribe please see our subscription information.