The European Union’s Artificial Intelligence Act (“EU AI Act”) is a cornerstone step in the regulation of artificial intelligence (“AI”). While its primary purpose is to ensure AI use within the EU is safe, secure and complies with specific technical and other legal requirements, the EU AI Act’s scope is notably extraterritorial. This means that the EU AI Act can also apply outside the EU depending on how the relevant AI system (e.g., SaaS AI tools, machine learning APIs, AI-driven tools) interacts with the EU market. As a result, businesses and end users of AI products worldwide should consider how they might be affected.
Application of the EU AI Act
Article 2 of the EU AI Act establishes the scope of the Act and states that the Act applies to:
- AI service providers placing on the market or putting into service AI systems or placing on the market general-purpose AI models in the Union, irrespective of whether those providers are established or located within the Union or in a third country;
- deployers of AI systems that have their place of establishment or are located within the Union;
- providers and deployers of AI systems that have their place of establishment or are located in a third country, where the output produced by the AI system is used in the Union;
- importers and distributors of AI systems;
- product manufacturers placing on the market or putting into service an AI system together with their product and under their own name or trademark;
- authorised representatives of providers, which are not established in the Union; and
- affected persons that are located in the Union (our emphasis).
Based on the items in bold indicated above, we note that the EU AI Act finds application outside of the EU in the following instances:
- AI service providers who develop or place an AI system in the EU market; and
- AI service providers and deployers (i.e. users) of AI systems if the output produced by the system is used within the EU.
In other words, the EU AI Act also applies to foreign businesses and individuals whose AI services or tools are accessed or consumed by end users within the EU. This is rooted in the principle of “market location”, meaning that if an AI system’s output or use affects people in the EU, the EU AI Act may apply. Notably, the EU General Data Protection Regulation also applies these principles, which gives it its extraterritorial effect.
How Does This Affect Non-EU Providers?
We consider some instances of when the EU AI Act could apply to non-EU providers:
- If a South African company develops an AI-powered recruitment tool and markets it to EU employers, the company must comply with the EU AI Act’s requirements for high-risk systems, even if all development and hosting occur outside the EU.
- If a Mauritian AI provider offers a cloud-based facial recognition service accessible to EU customers, the EU AI Act applies because the service is used in the EU.
- A Kenyan manufacturer selling smart home devices with embedded AI to EU consumers must ensure those devices comply with the EU AI Act, as they are placed in the EU market.
- A South African company that has imported an AI tool from a French company and then distributes that tool in the South African market will not need to comply with the EU AI Act. In contrast, if a French company resells or distributes a South African AI product within the EU market, the French company would be bound by the EU AI Act.
Okay, but What if the Non-EU Company Is a User Rather than a Service Provider?
If you are a customer of AI services located outside the EU, the critical factor is whether the use of that AI has an impact in the EU. If the AI output is used exclusively outside the EU, and neither the service provider nor the user is targeting the EU market, then the EU AI Act typically does not apply.
Let us look at some scenarios:
- A South African corporate customer uses a chatbot tool developed by a French company which is made available both to EU and foreign markets. The French company is subject to the EU AI Act because it has placed an AI system on the EU market. The South African corporate customer is not directly subject to the EU AI Act because its use of the tool does not impact the EU market. EU customers using the AI system’s output are subject to the EU AI Act as users within the EU.
- A Namibian corporate customer uses an AI system developed by an Australian provider that is hosted in the EU. The Australian provider is subject to the EU AI Act because the hosting arrangement means the system is placed on the EU market. The Namibian corporate customer is not directly subject to the EU AI Act in this scenario, as their use of the AI system does not impact the EU market.
Key Considerations for Non-EU Users and Service Providers
For service providers:
- If you develop or provide AI solutions that may be accessed in the EU, you should assess whether the EU AI Act applies.
- If it does, put in place appropriate compliance measures, looking first to see if your solution qualifies as a high-risk system under the EU AI Act.
For users:
- You should thoroughly vet your service providers at the time of vendor selection and evaluation to ensure they meet relevant EU AI Act requirements, if applicable.
- Be mindful when agreeing to any contractual provisions relating to these obligations (for example: look at how the contract defines “applicable law” and how this is linked to the vendor’s obligations; push back on any indemnities for your or your users’ breach of the EU AI Act where the Act is not directly applicable to you).
For companies and customers outside the EU, the key is to assess whether your use of AI affects EU markets or individuals. If it does, such companies will likely need to comply with the provisions of the Act. For more information, please contact:
Priyanka Raath
Senior Associate | Technology, Media and Telecommunications (TMT)
Alexander Powell
Associate | Technology, Media and Telecommunications (TMT)
--
Read the original publication at ENS