10-08-2024 | Article

Update Data Protection No. 185

Artificial intelligence: These legal obligations will already apply from February 2025

A few days ago, the German government confirmed that the Federal Network Agency will take over official supervision of compliance with the AI Regulation. The state data protection authorities, which had also put themselves forward as the AI supervisory authority on account of their proximity to data protection law, have been left behind. However, there are exceptions to this allocation of responsibility: for example, the Federal Motor Transport Authority is to be responsible for AI applications in the automotive sector, the Federal Institute for Drugs and Medical Devices (BfArM) for those in the medical devices sector and the Federal Financial Supervisory Authority for AI applications in the financial sector.

1. Implementation obligations

But what specific obligations will companies face now that the AI Regulation has come into force in August 2024?

For example, users of AI systems are obliged to train their employees and service providers in AI competence (Art. 4). Prohibited AI systems may not be used (Art. 5). Comprehensive information obligations apply when using AI systems for emotion recognition or biometric categorization, as well as when creating deepfakes or generating or manipulating relevant texts in an uncontrolled manner, for example on websites or social networks (Art. 50). If, on the other hand, high-risk AI pursuant to Art. 6 is used in the company, for example to assess learning outcomes (education) or to screen job applications (employment context), a large number of additional obligations apply: implementation of technical and organizational measures in accordance with the operating instructions, establishment of human supervision with appropriate AI expertise, use of purposeful and representative input data, establishment of monitoring procedures, informing the provider or retailer and the authority if a risk is identified, comprehensive information obligations, the provision of information to the data subject, comprehensive logging, informing employees and, if applicable, affected customers about the use of high-risk AI, registration in the EU database, carrying out a data protection impact assessment or obtaining official approval and reporting when using remote biometric identification (Art. 6 para. 1 lit. a GDPR; Art. 26).

Providers of AI systems are also subject to extensive information and notification obligations, for example in the case of functions for interacting with natural persons or for generating audio, image, video or text content (Art. 50). They must also train their relevant employees in AI competence (Art. 4). When offering high-risk AI, they must also prepare technical documentation (Art. 11), carry out a conformity procedure (Art. 43) and issue a declaration of conformity and CE marking (Art. 16, 47 et seq.), provide contact details on the AI system or packaging (Art. 16), carry out registration (Art. 49), initiate corrective measures in the event of non-compliance with AI (Art. 20), fulfill retention obligations (Art. 18 f.), introduce a quality management system (Art. 17), risk management (Art. 9) and a comprehensive logging system (Art. 12) and, among other measures, ensure an appropriate level of accuracy, robustness and cybersecurity (Art. 15).

2. Implementation deadline until February 2025

Most of the above obligations only apply after a transitional period of two years, i.e. from August 2026. However, Art. 113 stipulates that Chapter 1 and Chapter 2 must be implemented by February 2, 2025.

But what are the obligations for companies under Chapter 1 and Chapter 2?

  • On the one hand, Art. 4 states that providers and operators of AI systems must take measures to create AI competence among their employees and authorized persons with AI access.
  • On the other hand, from February 2, 2025, the bans under Art. 5 will already apply, prohibiting the placing on the market, commissioning and use of certain AI systems under threat of a fine of up to EUR 35 million.

2.1. AI competence training

The management is responsible for ensuring that a concept for training staff in the use of AI systems and AI models is drawn up by February 2, 2025, regardless of whether simple or high-risk AI is used. Appropriate training must then take place immediately from February 2025. Please contact us if you are interested. At HEUKING, we are already carrying out corresponding training courses for our clients.

2.2. Prohibited AI systems

But what are the AI systems prohibited under Art. 5? Here is a non-binding list:

a)    Manipulative AI systems

  • Subliminal manipulation: AI systems that use techniques of subliminal manipulation outside of a person's awareness to substantially change their behavior and thereby cause or are reasonably likely to cause significant harm (Article 5(1)(a)).

b)    Exploitative AI systems

  • Exploitation of vulnerabilities: AI systems that exploit a vulnerability of a natural person or a specific group of persons due to their age, disability or a specific social or economic situation in order to significantly alter their behavior and thereby cause or are reasonably likely to cause significant harm (Article 5(1)(b)).

c)    Social rating systems

  • Social behavior assessment: AI systems to assess or classify natural persons or groups of persons over time on the basis of their social behavior or known, inferred or predicted personal characteristics or personality traits that lead to unjustified or disproportionate disadvantages (Article 5(1)(c)).

d)    Predictive policing systems

  • Prediction of criminal offenses: AI systems for carrying out risk assessments in relation to natural persons in order to assess or predict the risk that a natural person will commit a criminal offense based solely on the profiling of a natural person or the assessment of his or her personal characteristics and attributes (Article 5(1)(d)).

e)    Facial recognition systems

  • Creation or extension of databases: AI systems that create or extend facial recognition databases through the untargeted extraction of facial images from the internet or from surveillance footage (Article 5(1)(e)).

f)    Emotion recognition systems

  • Derivation of emotions in the workplace and in educational institutions: AI systems for inferring emotions of a natural person in the workplace and in educational establishments, unless the use of the AI system is intended to be introduced or placed on the market for medical or safety reasons (Article 5(1)(f)).

g)    Biometric categorization systems

  • Categorization by sensitive attributes: AI systems for biometric categorization used to categorize natural persons individually on the basis of their biometric data in order to infer or deduce their race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation (Article 5(1)(g)).

3. Conclusion

The vast majority of obligations for companies under the AI Regulation apply to providers and users of high-risk AI. However, there are also important implementation obligations for users of simple AI systems. In principle, none of these obligations has to be fulfilled until August 2026; there is therefore still some time (as with the GDPR in 2016).

However, the following will already apply from February 2, 2025, in particular:

  • the obligation to establish AI competence in the company (Art. 4) and
  • the ban on placing certain types of AI systems on the market and putting them into operation.

4. Checklist

What is the checklist for companies with a view to February 2025?

  • Inventory of software systems in use: Which of the software applications we use already meet the requirements for AI systems? Which of these could be considered high-risk AI in accordance with Art. 6?
  • Prohibited AI systems: Comparison of the above inventory list (taking into account planned acquisitions) with the list of prohibited AI systems in Art. 5 and implementation of the resulting consequences.
  • AI competence (part 1): Definition of concrete specifications for the introduction and use of AI systems in the company, i.e. creation of an AI guideline.
  • AI competence (part 2): Creation of an AI training concept for the purpose of preparing the training measures required from February 2, 2024 for employees and any contracted service providers.