Rory Campbell: NI businesses providing and using AI may have to comply with both EU and UK AI laws

Rory Campbell: NI businesses providing and using AI may have to comply with both EU and UK AI laws

Rory Campbell

Lewis Silkin NI partner Rory Campbell considers the latest situation around AI regulation in Northern Ireland.

Last week the European Commission proposed that Northern Ireland should have to comply with EU laws regulating AI systems.

The EU’s AI Act came into force in August 2024; the UK hasn’t yet enacted legislation specifically regulating AI.

However, as and when UK AI laws are enacted, NI businesses will have to comply with the laws of both jurisdictions.

This won’t make huge differences to NI AI businesses planning to sell AI systems into the EU, because they would have to comply with EU AI rules anyway. This follows an established pattern where laws of a jurisdiction often extend to external businesses offering services to customers within the jurisdiction — for example, any ROI business providing data services to UK customers may well have to comply with the UK version of the GDPR.

But the UK and EU versions of GDPR are pretty much the same. That’s not the case with AI regulation — the UK is heading in a different direction to the EU’s law.

UK and AI laws: different directions

EU AI law takes a risk-based approach: the higher the risk posed by the AI tool, the greater the level of regulation. The EU divides AI systems into four categories: unacceptable, high, low and minimal risk.

Unacceptable risk systems (e.g. social credit scoring systems, emotion-recognition systems using biometric data, although exceptions apply) are banned from February this year.

High risk systems (e.g. using AI in recruitment processes) may not be banned, but any business which provides or deploys the systems has a large number of legal obligations. Providers and deployers of low risk systems (e.g. text generators, chatbots) have fewer obligations, and mainly have to focus on making it clear that users are dealing with a machine. Minimal risk systems (e.g. spell-checkers, video games) have no extra obligations.

The EU legislation will be policed by a central AI Office, opened in May 2024.

In contrast, the UK’s take on regulation is anticipated to follow the US towards a lighter touch, business and innovation friendly approach, without a central enforcement body.

NI businesses therefore face the challenging possibility of spanning two diverging regimes driven by two different regulatory philosophies.

Providers and deployers

The EU rules aren’t anything unexpected for NI AI businesses who’d been planning on selling to customers in the EU.

However, the rules also apply to “deployers” as well as providers. NI businesses who pay for the deployment of an AI system to be used by their staff or customers may not have expected that they, too, will have to comply with EU law.

Any such business should check the risk status of the AI system it uses, and then identify the legal obligations which the EU AI Act imposes on that category of risk.

A good tip: check carefully whether proper contractual comfort is given by the provider of the AI system to the NI business deploying the AI system.

Final thoughts

A final thought is to offer a prayer for the NI judiciary, who may in the near future have to consider a plaintiff’s case on the basis of two different, possibly conflicting, laws.

It’s not set in stone yet — the EU’s proposal will be determined at the EU/UK Withdrawal Approval Joint Committee’s next meeting. Watch this space.

Share icon
Share this article: