Extra Cover

Published in Extra Cover

Risk management and liability in new European law on AI

In this world of rapid change, uncertainty and volatility, risk management has proven itself to be indispensable, and it is, now more than ever, helping businesses to identify and analyze the potential threats they face. This approach has also been adopted by European lawmakers in their attempts to regulate the use of artificial intelligence (AI).

By Fernando Peña López

It is evident that European lawmakers believe that risk management provides the optimum framework for assessing risks related to corporate activity. The

The high regard assigned to risk management for example is clear from EU law makers previous approach to occupational health and safety and when developing rules to protect personal data. In both cases, the EU has placed the onus on businesses to adopt risk management techniques and instruments as part of achieving its aims.  t.

This legislative approach is also reflected in new laws being prepared by the EU on the potentially disruptive phenomenon Artificial Intelligence (AI). The signs are that AI will soon become, if it has not already, a major catalyst for change in how many human interactions are carried out, and a tool that will define how the economic and social activities of our communities will both be organized and develop.

Whilst there are many advantages and opportunities afforded by the use of AI it also brings a number of risks and dangers. The latter are not just the known dangers around privacy, image rights, and personal data that sustain the algorithms behind social networks, or the potential for discrimination inherent in the analysis of mass amounts of data by AI. It is also around the danger to many of the human rights or goods we prize most, such as life (self-driving vehicles and city transportation run by AI) or bodily integrity (robot surgeons that can perform high-precision surgery).  To address these extremely meaningful risks and dangers the EU has once again decided that companies should adopt risk management techniques.

The forthcoming AI Law, which European lawmakers put forward in draft legislation in April 2021, and which will establish standards and rules on matters of AI, constitutes a fundamental piece of the new regulatory framework. Lawmakers have used it to lay out the basic duties of companies who create and/or use AI in their internal processes and external relationships. Most of the text looks at what the lawmakers have called “High-risk AI” citing the dangers it poses to safety, security, and fundamental rights. Of most interest in the draft legislation is article 9. It introduces an obligation that users of high-risk AI cannot circumvent: they must establish a risk management system. Before anyone can even deploy a new algorithm of this kind they must identify and describe the potential dangers it presents, conduct an analysis and assessment of its probability and impacts, and also implement steps for prevention, mitigation, and control related to the analysis and assessment. All of this also has to take place through an iterative process that must be embedded as a daily activity in the company’s ongoing affairs.

The legislation above was complemented by a draft Directive, put forward on September 28, 2022, on the adaptation of non-contractual civil liability rules to AI (the artificial intelligence liability directive). The latter wording attempts to modify the way in which some of the underlying principles of civil liability frameworks in Europe are understood, particularly when they apply to claims around of AI liability.

The impending Directive includes norms which, among others, facilitate demonstration of causality chains, or allow the victims of AI-caused damage to have access to the internal documentation of those companies that created or used the AI in question. It is certainly meaningful that the legislation mentions risk management throughout in connection with the core element of civil liability frameworks: culpability or neglect. Risk management becomes, under this draft Directive, an essential part of a companies’ duties of diligence. Diligent companies - those who comply with their duty of care in the eyes of European lawmakers - are those who employ a risk management system as a key component of their decision-making process. Those who do not incur guilt; their conduct is neglectful, careless and worthy of reproach. All of which seems a rather meaningful consequence of the legislation. With these norms, risk management will never again be seen as an optional tool for companies nor one which can be discarded by “fearless” entrepreneurs who decide to take all the risk upon themselves.

VIEW MORE

AUTHORS

Fernando Peña López

Fernando Peña López

Tenured professor - Universidade da Coruña

Fernando Peña López is a tenured professor of Civil Law at the University of A Coruña (Universidade da Coruña) since 2008. In 2015 he became Director of the INADE-UDC Foundation Programme on Risk and Insurance Management.

In addition to his ongoing teaching duties at the University of A Coruña, he coordinates a module of the Masters in Non-Contractual Liability at the Rey Juan Carlos University of Madrid and has been a visiting professor at several European universities (Lovaina Catholic University, Köln, Milan, Trieste, and South Wales) and in the United States (Fordham, and Widener).

As a researcher, he’s devoted his career to insurance law, liability and consumer rights.  With regard to the former, he appears in a few landmark publications of Spanish jurisprudence, such as the Treatise on Civil Liability or the F. Reglero's Commentaries on the LCS (Tratado de responsabilidad civil and Comentarios de la LCS, respectively). He has also published four monographs: La responsabilidad civil y la nulidad por ilícito antitrust (“Civil Liability and Invalidity on Grounds of Antitrust Violation”, Comares 2000), La culpabilidad en la responsabilidad civil extracontractual (“Culpability in Non-Contractual Civil Liability”, Comares 2002), Dogma y realidad del Derecho de daños: causalidad, imputación objetiva y culpa en el Derecho español (“Dogma and Reality of Compensation Law: Causality, Objective Attribution of Liability and Guilt in Spanish Law”, Aranzadi, 2011) and recently «La responsabilidad por daños a la competencia» (“Liability for Damages to Competitors”, Tirant lo Blanch, 2018) in addition to dozens of articles and commentaries. In consumer rights, he currently leads the research project, «Mercado financiero sostenible y consumidores: mecanismos jurídico-privados de control en el escenario postcrisis» (“Sustainable Financial Market and Consumers: Legal and Private Mechanisms for Control in a Post-Crisis Scenario”) funded by the Ministry for the Economy, Industry and Competition (Ministerio de Economía, Industria y Competitividad (Plan Nacional de I+D+i)).

Additionally, Fernando Peña started serving as Academic Advisor with the law firm, Vales y Asociados, of A Coruña.