When regulating AI the legislator may formulate positive requirements for AI to be lawful, or identify blacklisted AI practices that are found to be inconsistent with fundamental European values, e.g. discrimination, exploitation or manipulation of individuals.
When regulating a particular area the European legislator may formulate mandatory requirements that need to be fulfilled for some activity to be lawful. Normally, these mandatory requirements take the form of principles (e.g. the principles for the processing of personal data in Art 5 GDPR), rules (e.g. the requirement of a legal ground under Art 6 GDPR), rights (e.g. the data subject’s rights), and procedures (e.g. a data protection impact assessment, documentation). This ‘PRRP approach’, which has been taken, for example, by the GDPR, has a number of benefits, including: (i) it sends a positive message and is of high symbolic value; and (ii) it is relatively straightforward to formulate (e.g. it does not take much ingenuity to add information or documentation duties on top of existing lists). The major downside, however, is that it tends to put up a lot of red tape and to mean a lot of extra bureaucracy and costs, potentially being to the detriment of SMEs and enhancing the competitive advantages and market power of the big players.
An alternative to this PRRP approach is blacklisting, which is often combined with a general clause. This second regulatory technique has successfully been applied, e.g., for unfair contract terms control in consumer contracts (Directive 93/13/EC) and unfair commercial practices (Directive 2005/29/EC). Blacklisting means the regulator mainly restricts itself to stating what should definitely NOT be done, and possibly combining this with a fall-back option for similar cases in order to prevent circumvention and obvious gaps. The main drawbacks of this approach are: (i) it tends to send a ‘negative message’, i.e. is much more difficult to defend from a PR perspective; and (ii) it is relatively difficult to get the formulation of the blacklisted practices right, in particular for sensitive and ‘fuzzy’ areas, such as discrimination or manipulation. A major advantage of this approach, however, is that it hits in a much more targeted manner precisely what we all agree we want to avoid because of its inconsistency with fundamental European values, and leaves full freedom otherwise. It is also much easier to adapt to changing developments. This approach may be much more beneficial for innovation, in particular by SMEs.
The European legislator may thus wish to consider whether – at least to a certain extent – an ‘unfair AI practices approach’ might be better for an innovation friendly environment in Europe than a comprehensive PRRP framework.
At the end of the day, what might be the most beneficial solution is a combination of the following:
1. A set of fully horizontal principles whose main function would be to confirm basic European values and to guide the interpretation and application of the whole framework
2. A list of blacklisted AI practices, targeting effects we want to avoid in any case, such as discrimination (taking into account that AI may not discriminate along the same criteria as humans do), exploitation of vulnerabilities, profiling and scoring with regard to most intimate human characteristics, total surveillance, manipulation, etc.
3. For defined high-risk applications only: a comprehensive regulatory framework that includes rules, procedures and rights of the types mentioned in the EU White Paper (p. 18 ff.).