The European Union’s (EU’s) General Data Protection Regulation (GDPR) has reshaped how companies worldwide manage personal data, demonstrating the far-reaching impact of EU regulations. Now, with the newly enforced EU AI Act, we may witness a similar transformation—this time centered on the regulation of artificial intelligence. For global businesses using AI, this legislation is crucial to understand, as its implications extend well beyond European borders. Key questions arise:
- Will the AI Act become the “GDPR of AI,” with global influence compelling compliance across regions?
- Will it push other jurisdictions to establish similar regulations, offering robust protections like GDPR has for data privacy?
Drawing parallels to the GDPR
The answer to the first question is a resounding yes.
As we’ve seen with GDPR, the extraterritorial reach of EU regulations can significantly impact businesses worldwide. The AI Act, similarly, will not only affect European companies but any organization providing AI systems to EU residents. Both developers and businesses utilizing AI must ensure their systems align with the AI Act’s requirements. Failing to comply could result in fines surpassing those imposed by GDPR—up to €35 million or 7% of annual turnover—as well as severe reputational damage. Even companies not yet directly affected will likely need to adapt soon, or risk falling behind.
Will other regions follow the EU’s lead?
The answer to the second question is likely yes, though the path forward is complex.
The EU’s leadership in AI regulation raises the question of whether other territories—especially those with progressive data privacy laws, like California—will follow suit. Much like GDPR influenced the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), the EU AI Act may inspire similar legislation at state, federal, or even global levels. However, as seen with GDPR, the journey to enforce similar protections can be fraught with challenges, as evidenced by the EU-U.S. Privacy Shield's invalidation after the Schrems II ruling. The road to robust AI regulation will be no less intricate.
Conclusion
For companies leveraging AI, particularly those already subject to GDPR, the message is clear: Compliance with the EU AI Act is not just a regulatory necessity but a strategic imperative. Organizations that proactively align with these regulations—both in their operations and supply chains—will be better equipped to thrive in an era of increasing AI use and oversight. In contrast, those that delay will face significant operational and financial challenges, playing catch-up in a rapidly evolving regulatory landscape.
