Artificial intelligence (AI) systems present new risks
that existing laws do not entirely address. In response to these
shortcomings, the European Union (EU) has established the
Artificial Intelligence Act, Regulation (EU) 2024/1689
(“EU AI Act“). This regulatory framework
imposes additional obligations on providers and deployers of AI
systems, intended to complement rather than replace existing
legislation.

This bulletin provides an overview to help users and service
providers understand how new regulations like the EU AI Act
interact with existing laws, such as the GDPR (“General Data
Protection Regulation”). This bulletin can be read in
conjunction with the bulletin “Navigating a New Frontier: Artificial Intelligence
and Privacy Considerations“.

An Overview of the AI Act

On June 13, 2024, the EU introduced the world’s first
comprehensive AI legislation, designed to regulate the use of AI
these systems across EU member states. The EU AI Act officially
took effect on August 1, 2024, but its provisions will be
implemented gradually. None of the requirements apply at this
stage, with the first prohibitions on certain AI systems starting
on February 2, 2025¹. On August 2, 2025, additional
rules come into force, including those related to notified
bodies², General-Purpose Artificial Intelligence
(“GPAI”) models³, governance⁴,
confidentiality⁵, and penalties⁶. By August
2, 2026, most of the remaining provisions will apply, except for
Article 6(1), which will come into effect on August 2, 2027, along
with its corresponding obligations⁷.

The EU AI Act functions by providing clear definitions of what
qualifies as an AI system and outlines the obligations that must be
followed in consequence. Section 3(1) defines AI systems as
machine-based systems designed to operate with varying levels of
autonomy and that may exhibit adaptiveness after deployment, and
that, for explicit or implicit objectives, infers from the input
they receive, how to generate outputs such as predictions, content,
recommendations, or decisions that can influence physical or
virtual environments⁸. It further adopts a risk-based
regulatory approach as part of a broader framework designed to
identify and manage risks associated with AI. These risks are
categorized into four distinct levels:

1. Unacceptable Risk: AI systems or uses that pose
   significant risk of harm and unacceptable risks to individuals and
   their rights are prohibited. The Act prohibits harmful systems,
   including those using cognitive manipulation (e.g., dangerous
   voice-activated toys), social scoring, and biometric identification
   such as real-time facial recognition⁹.




2. High Risk: AI systems and uses which fall within
   specific High-Risk categories of use cases and system types and are
   not always prohibited or exempt. An example of high-risk AI systems
   includes those that pose a threat to safety or fundamental rights.
   These systems will be categorized into two groups: (1) AI systems
   integrated into products governed by the EU’s product safety
   laws, such as toys, aviation, automobiles (autonomous vehicles),
   medical devices, and elevators; and (2) AI systems used in specific
   sectors registered in an EU database, including and not limited to,
   education and vocational training, and employment, worker
   management, and access to self-employment¹⁰.




3. Limited Risk: AI systems or uses that do not fall
   within the High-Risk category but do pose certain transparency
   risks and requirements not associated with Minimal Risk systems.
   Examples of these systems include deepfakes and chatbots.




4. Minimal Risk: AI systems or uses with minimal impact
   on individuals and their rights and are largely unregulated by the
   EU AI Act directly¹¹. Systems classified as minimal risk
   are those that do not belong to the three previously mentioned
   categories.

The EU AI Act imposes a wide range of obligations on the various
actors in the lifecycle of a high-risk AI system. For example,
high-risk AI systems which make use of techniques involving the
training of models with data will have to be developed on the basis
of training, validation and testing data sets that meet the quality
criteria set by Article 10 of the EU AI Act¹². These
specific obligations also differ depending on whether an entity or
individual is the creator of the AI system, referred to as the
“Provider”, or simply a user of the system, referred to
as the “Deployer”¹³. For both providers and
deployers of AI systems, it becomes especially important to
understand not only when to comply with the EU, but also with the
already established legislation, such as the General Data
Protection Regulation (GDPR).

Scope of Application

The EU AI Act establishes obligations for providers, deployers,
importers, distributors, and product manufacturers of AI systems,
with a link to the EU market. The EU AI Act can be applicable to
Canadian companies because of its broad territorial scope. For
example, the EU AI Act applies to:

1. providers which place on the EU market or put into service AI
   systems, or place on the EU market general-purpose AI models
   (“GPAI models”);




2. deployers of AI systems who have a place of establishment/are
   located in the EU; and




3. providers and deployers of AI systems in third countries, if
   the output produced by the AI system is being used in the EU (Art.
   2(1) EU AI Act).

The EU AI Act also enumerates certain exceptions to its material
scope (for example, the EU AI Act does not apply to open-source AI
systems unless they are prohibited or classified as high-risk AI
systems or AI systems used for the sole purpose of scientific
research and development).

The EU AI Act and GDPR: Understanding Compliance
Obligations

Both the EU AI Act and the GDPR may apply at different stages of
the development, deployment, and operation of AI
systems¹⁴. Note that these regulations address distinct
aspects; they are designed to complement rather than overlap with
one another.

Since the EU AI Act is not yet fully in effect, it is important
to assess whether compliance with the EU AI Act, the GDPR, or both
will be required once the regulations start to apply. As observed
above, this assessment will depend on the specific circumstances
surrounding the use and processing of personal data within the
context of the system in question.

The Need for Continuous Regulatory Efforts

The EU’s regulatory efforts will not stop here although the
EU AI Act is designed to address many challenges associated with
artificial intelligence. Growing data collection practices across
various industries may lead to a greater need for regulatory
reforms or the creation of new regulations.

For instance, Algorithmic Management (AM) systems in the
workplace are capable of detailed tracking, ranging from monitoring
work performance to examining digital behavior and managing
breaks¹⁵. This intensive data collection can raise
issues around worker privacy and the transparency of how
information is used. Current directives in the EU, some of which
have been around for quite some time, cover a range of
worker-related issues, such as informing and consulting employees,
along with protecting their health and safety. However, these
directives may be fortified with more explicit instructions and
there are ‘sleeping clauses’ within these directives that
may be revisited¹⁶.

As a result, some stakeholders are calling for new regulations
to address emerging risks, while others suggest adjusting existing
laws to be more inclusive. What is clear is that as more
regulations are introduced, legal compliance becomes significantly
more complex, and the debate over whether to create new laws or
modify current ones continues.

How can Fasken Help with your AI / Privacy Compliance?

At Fasken, we remain at the forefront of technology regulation
in the EU and Canada and will continue provide updates on new
developments in this field. For additional resources, please review
our Artificial Intelligence knowledge. If you have
any questions, we are here to help. Please do not hesitate to
contact us if you require assistance with any matters related to AI
or privacy law.

About Fasken’s Privacy and Cybersecurity Group

As one of the longest-standing and leading practices in privacy
and cybersecurity, our dedicated national privacy team of 36
lawyers offers a wide range of services. From managing complex
privacy issues and data breaches to advising on the EU GDPR and
emerging legal regimes, we provide comprehensive legal advisory
services and are trusted by top cyber-insurance carriers and
Fortune 500 companies. Our group is recognized as a leader in the
field, earning accolades such as the PICCASO ‘Privacy Team of
the Year’ award and recognition from Chambers Canada and Best
Lawyers in Canada. For more information, please visit our website.

Footnotes

1. European Parliament. “Artificial Intelligence Act
(AI Act)”, Chapter 1 and Chapter 2. 2024.

2. AI Act, supra note 1, Chapter III, Section
4.

3. AI Act, supra note 1, Chapter V.

4. AI Act, supra note 1, Chapter
VII.

5. AI Act, supra note 1, Article 78.

6. AI Act, supra note 1, Articles 99 and
100.

7. European Parliament. “Artificial Intelligence
Act”, Implementation timeline. 2024.

8. European Union (EU), July 2024. “Artificial
Intelligence Act (AI Act)”, OJ L, 2024/1689, 12.7.2024 at art.
3(1).

9. Ibid, art 6.

10. European Parliament. “EU AI Act: First
Regulation on Artificial Intelligence.” June 1,
2023.

11. AI Act, supra note 1.

12. AI Act, supra note 1, art. 10.

13. AI Act, supra note 1, art. 4.

14. CNIL, July 2024, “Entry into force of the
European AI Regulation: the first questions and answers from the
CNIL”.

15. European Parliamentary Research Service, June 2024
“Addressing AI risks in the workplace Workers and
algorithms”.

16. Ibid.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.