Mr. Harris goes to Brussels (Adventures in AI Policy Part II)

If you missed my previous “Mr. Harris Goes to Washington” post in this series, see link in comments or scroll back to Sep 27 on my timeline.

The “Brussels Effect,” in case you haven’t heard of it, is the outsize power that the de facto capital of the European Union has on global public policy. The EU has been able to move more quickly than the United States and many other legislatures, and has already created influential laws on tech topics like online privacy and social media. Laws passed in Brussels tend to impact much of the world—both because they serve as an inspiration for other nations to enact similar laws and also because it’s harder for companies to comply with multiple standards, so they often choose the most stringent because that’s the most straightforward option, and it’s likely for other countries to follow to som degree.?

The EU AI Act, currently in draft form, is slated to be finalized in the very near future. Having had many conversations with EU officials stationed here at the EU in SF office and their visitors, as well as at the European Union Delegation to the United States in Washington DC, and over numerous video calls, I thought it was a good time for me to pay them a visit at their headquarters.

The EU in SF team and the Integrity Institute helped me set up a series of meetings with officials at the European Commission offices, with the Directorate-General for Communications Networks, Content and Technology (DG CONNECT) and the European Centre for Algorithmic Transparency (ECAT), which included people responsible for AI policy development (the EU AI Act in particular), cybersecurity policy (the Cyber Resilience Act) and the implementation of the EU’s Digital Services Act.

I went into the building expecting to be meeting with four people, in a series of consecutive meetings. I was having so many meetings there, that they actually booked me a conference room of my own for 2.5 hours, into which 18 different people cycled, mostly in person, but also joining over video conference from their offices in Spain and Luxembourg. I went in with my own lists of question to ask them, but it turned out that they all had their own lists too, so it was quite an exchange. The conversation in the office continued past 6pm on a Friday, and I was lucky enough to then be treated to a few more illuminating hours of conversation over some delightful Belgian beer.

It would be impossible to sum up everything I covered in those meetings in a single post, but here are some highlights from the conversations:

1. Open Source AI Systems - This is a big topic that quite a few EU officials (and US officials too) have wanted to talk to me about. There is currently significant debate that swings widely between whether open source AI systems should be more heavily regulated than closed systems because of the heightened risks that they post, all the way to the opposite view that they should actually have less regulation because of their economic value in the tech ecosystem. This debate is so white hot in the EU that the latest European Parliament draft of the EU AI Act may actually have conflicting statements on this topic. I’ll be writing more about this soon.?
2. Trilogue - This word that many people have never heard before is the process by which the European Parliament, Council of the European Union, and the European Commission get together and finalize multiple proposed versions of laws. There is a big rush to wrap up the trilogue for the EU AI Act now, before regular leadership changes and a new election potentially complicate its passage.?
3. The EU Cyber Resilience Act - I wasn’t tracking this one closely, but now I am, specifically because, if passed, it has a clause that makes software developers liable for the “reasonably foreseeable misuse” of their products. This is already being interpreted by the The Linux Foundation as likely to apply to open source software. Depending where the final text lands, this could be incredibly important for Artificial Intelligence. I’ll be writing more about this too.
4. The Digital Services Act - it’s already in force, and it will be very important to watch how implementation plays out over the next few years. The “Very Large Online Platforms” (VLOPs) and “Very Large Online Search Engines” (VLOSEs) submitted their Risk Assessment reports in August and they are now being evaluated.
5. “Delegated Acts,” “Implementing Acts,” and CEN and CENELEC - Even after big laws like the EU AI Act and Digital Services Act are passed, there are often still many key decisions to be made that come in the form of “delegated acts” and “implementing acts” as well as decisions that are delegated to CEN-CENELEC. This could include things like the threshold for general purpose (aka foundation) AI models to enter into certain risk categories, guidelines for audit and transparency processes, and more. Even once the laws are passed, watch for these follow-on effects.

I’ll be writing much more on all of these topics, so if you’re interested, please comment below on what you’d like to hear more about, and follow this space!