
The EU AI Act: All You Need to Know

Fasken

Overview

Privacy & Cybersecurity Law Bulletin

Artificial intelligence (AI) systems present new risks that existing laws do not entirely address. In response to these shortcomings, the European Union (EU) has established the Artificial Intelligence Act, Regulation (EU) 2024/1689 ("EU AI Act"). This regulatory framework imposes additional obligations on providers and deployers of AI systems, intended to complement rather than replace existing legislation.

This bulletin provides an overview to help users and service providers understand how new regulations like the EU AI Act interact with existing laws, such as the GDPR ("General Data Protection Regulation"). This bulletin can be read in conjunction with the bulletin “Navigating a New Frontier: Artificial Intelligence and Privacy Considerations”.

An Overview of the AI Act

On June 13, 2024, the EU introduced the world’s first comprehensive AI legislation, designed to regulate the use of AI systems across EU member states. The EU AI Act officially took effect on August 1, 2024, but its provisions will be implemented gradually. None of the requirements apply at this stage, with the first prohibitions on certain AI systems starting on February 2, 2025[1]. On August 2, 2025, additional rules come into force, including those related to notified bodies[2], General-Purpose Artificial Intelligence (“GPAI”) models[3], governance[4], confidentiality[5], and penalties[6]. By August 2, 2026, most of the remaining provisions will apply, except for Article 6(1), which will come into effect on August 2, 2027, along with its corresponding obligations[7].

 

 

The EU AI Act provides clear definitions of what qualifies as an AI system and outlines the obligations that follow as a consequence. Section 3(1) defines AI systems as machine-based systems that are designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infer from the input they receive how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments[8]. It further adopts a risk-based regulatory approach as part of a broader framework designed to identify and manage risks associated with AI. These risks are categorized into four distinct levels:

  1. Unacceptable Risk: AI systems or uses that pose significant risk of harm and unacceptable risks to individuals and their rights are prohibited. The Act prohibits harmful systems, including those using cognitive manipulation (e.g., dangerous voice-activated toys), social scoring, and biometric identification such as real-time facial recognition[9].
  2. High Risk: AI systems and uses that fall within specific High-Risk categories of use cases and system types; they are not always prohibited or exempt. High-risk AI systems include those that pose a threat to safety or fundamental rights. These systems will be categorized into two groups: (1) AI systems integrated into products governed by the EU's product safety laws, such as toys, aviation, automobiles (autonomous vehicles), medical devices, and elevators; and (2) AI systems used in specific sectors registered in an EU database, including, but not limited to, education and vocational training, and employment, worker management, and access to self-employment[10].
  3. Limited Risk: AI systems or uses that do not fall within the High-Risk category but do pose certain transparency risks and requirements not associated with Minimal Risk systems. Examples of these systems include deepfakes and chatbots.
  4. Minimal Risk: AI systems or uses that have minimal impact on individuals and their rights and are largely unregulated by the EU AI Act directly[11]. Systems classified as minimal risk are those that do not belong to the three previously mentioned categories.

The EU AI Act imposes a wide range of obligations on the various actors in the lifecycle of a high-risk AI system. For example, high-risk AI systems which make use of techniques involving the training of models with data will have to be developed on the basis of training, validation and testing data sets that meet the quality criteria set by Article 10 of the EU AI Act[12]. These specific obligations also differ depending on whether an entity or individual is the creator of the AI system, referred to as the "Provider", or simply a user of the system, referred to as the "Deployer"[13]. For both providers and deployers of AI systems, it becomes especially important to understand not only when to comply with the EU AI Act, but also when to comply with already established legislation, such as the General Data Protection Regulation (GDPR).

Scope of Application

The EU AI Act establishes obligations for providers, deployers, importers, distributors, and product manufacturers of AI systems, with a link to the EU market. The EU AI Act can be applicable to Canadian companies because of its broad territorial scope. For example, the EU AI Act applies to:

  1. providers which place on the EU market or put into service AI systems, or place on the EU market general-purpose AI models ("GPAI models");
  2. deployers of AI systems who have a place of establishment/are located in the EU; and
  3. providers and deployers of AI systems in third countries, if the output produced by the AI system is being used in the EU (Art. 2(1) EU AI Act).

The EU AI Act also enumerates certain exceptions to its material scope (for example, the EU AI Act does not apply to open-source AI systems unless they are prohibited or classified as high-risk AI systems, or to AI systems used for the sole purpose of scientific research and development).

The EU AI Act and GDPR: Understanding Compliance Obligations

Both the EU AI Act and the GDPR may apply at different stages of the development, deployment, and operation of AI systems[14]. Note that these regulations address distinct aspects; they are designed to complement rather than overlap with one another.

Since the EU AI Act is not yet fully in effect, it is important to assess whether compliance with the EU AI Act, the GDPR, or both will be required once the regulations start to apply. As observed above, this assessment will depend on the specific circumstances surrounding the use and processing of personal data within the context of the system in question.

The Need for Continuous Regulatory Efforts

Although the EU AI Act is designed to address many challenges associated with artificial intelligence, the EU's regulatory efforts will not stop here. Growing data collection practices across various industries may lead to a greater need for regulatory reforms or the creation of new regulations.

For instance, Algorithmic Management (AM) systems in the workplace are capable of detailed tracking, ranging from monitoring work performance to examining digital behavior and managing breaks[15]. This intensive data collection can raise issues around worker privacy and the transparency of how information is used. Current directives in the EU, some of which have been around for quite some time, cover a range of worker-related issues, such as informing and consulting employees, along with protecting their health and safety. However, these directives may be fortified with more explicit instructions and there are 'sleeping clauses' within these directives that may be revisited[16].

As a result, some stakeholders are calling for new regulations to address emerging risks, while others suggest adjusting existing laws to be more inclusive. What is clear is that as more regulations are introduced, legal compliance becomes significantly more complex, and the debate over whether to create new laws or modify current ones continues.

How can Fasken Help with your AI / Privacy Compliance?

At Fasken, we remain at the forefront of technology regulation in the EU and Canada and will continue to provide updates on new developments in this field. For additional resources, please review our Artificial Intelligence knowledge. If you have any questions, we are here to help. Please do not hesitate to contact us if you require assistance with any matters related to AI or privacy law.

About Fasken’s Privacy and Cybersecurity Group

As one of the longest-standing and leading practices in privacy and cybersecurity, our dedicated national privacy team of 36 lawyers offers a wide range of services. From managing complex privacy issues and data breaches to advising on the EU GDPR and emerging legal regimes, we provide comprehensive legal advisory services and are trusted by top cyber-insurance carriers and Fortune 500 companies. Our group is recognized as a leader in the field, earning accolades such as the PICCASO ‘Privacy Team of the Year’ award and recognition from Chambers Canada and Best Lawyers in Canada. For more information, please visit our website.


[1] European Parliament. "Artificial Intelligence Act (AI Act)", Chapter 1 and Chapter 2. 2024.

[2] AI Act, supra note 1, Chapter III, Section 4.

[3] AI Act, supra note 1, Chapter V.

[4] AI Act, supra note 1, Chapter VII.

[5] AI Act, supra note 1, Article 78.

[6] AI Act, supra note 1, Articles 99 and 100.

[7] European Parliament. "Artificial Intelligence Act", Implementation timeline. 2024.

[8] European Union (EU), July 2024. “Artificial Intelligence Act (AI Act)”, OJ L, 2024/1689, 12.7.2024 at art. 3(1).

[9] Ibid, art 6.

[10] European Parliament. "EU AI Act: First Regulation on Artificial Intelligence." June 1, 2023.

[11] AI Act, supra note 1.

[12] AI Act, supra note 1, art. 10.

[13] AI Act, supra note 1, art. 4.

[14] CNIL, July 2024, “Entry into force of the European AI Regulation: the first questions and answers from the CNIL”.

[15] European Parliamentary Research Service, June 2024, “Addressing AI risks in the workplace: Workers and algorithms”.

[16] Ibid.

Authors

  • Rémi Slama, LLM, Associate, Montréal, QC, +1 514 397 7462, rslama@fasken.com
  • Emma Peress, Student, Montréal, QC, +1 514 397 7631, eperess@fasken.com
  • Julie Uzan-Naulin, Partner, Montréal, QC, +1 514 871 5967, juzan@fasken.com
