AI, machine learning and big data laws and regulations 2024

AI, machine learning and big data laws and regulations 2024

In a recent publication of Global Legal Insights, intellectual property partner Boriana Guimberteau wrote regarding current French regulation on AI, machine learning and big data laws and regulations.


In recent years, society has been confronted with the increasing development of new technologies. In a digital era, European and national institutions must set new rules, best practices and recommendations to regulate Artificial Intelligence (AI), machine learning and big data in order to be competitive and to promote and protect innovation.

In March 2018, French President Emmanuel Macron announced that he wanted to make France the world’s leader in AI through the implementation of a national strategy. Four years later, France entered the second phase of the strategy, which runs from 2018 to 2025. Based on the Villani report, it has three main objectives: attracting talent and investment in AI; disseminating AI and big data in the economy; and promoting an ethical AI system. Emmanuel Macron intends to carry on the efforts in this area since he unveiled the France 2030 investment plan in October 2021. Thirty billion euros are to be invested over five years to develop French industrial competitiveness and, through it, national solutions on AI and new technologies.

France is therefore particularly proactive and dynamic in the development of AI. Following the Villani report’s ambition, the French government has, in particular, created the platform Health Data Hub in November 2019 to promote research and to financially support project leaders for selected projects. The platform helps research by enabling the access of a large amount of health data obtained from various health data systems, including public health agencies. The platform collects and enables access to health data, henceforth promoting innovation in its use. It also contributes to the dissemination of standardisation norms for the exchange and use of health data. These missions, as well as some additional ones, are detailed in Article L. 1462-1 of the Public Health Code.

In parallel, France has also been actively promoting and ensuring an ethical AI system. As a reminder, France has always been interested in researching ethics as it was the first country to create a National Consultative Ethics Committee for Health and Life Sciences. If, at the beginning, it was only addressing health and science matters such as medically assisted procreation, the scope of the Committee quickly broadened to integrate new issues at stake caused by the increasing development of new technologies. In December 2019, the National Ethics Committee created a Digital Ethics Pilot Committee, which has the purpose of addressing in a comprehensive way the ethical issues of digital and AI. The Committee issued its first opinion in May 2020 on digital monitoring for pandemic management. Similarly, in December 2017, the Commission Nationale Informatique & Libertés (CNIL) released a study on ethics in AI entitled “How can Humans keep the upper hand? The ethical matters raised by algorithms and artificial intelligence1 addressing the issue of AI and algorithms, recommending on that matter the creation of a platform auditing algorithms.

The French government is therefore very committed in ensuring the development of AI and machine learning, while ensuring that it has a framework.

In this context, on 19 September 2023, former French Prime Minister Élisabeth Borne established a Commission on AI to help the Government adapt to the growing influence of AI. The Commission submitted a report on 13 March 2024, consisting of 25 recommendations to the public authorities.

Acknowledging that AI is an inescapable technological revolution impacting all sectors of activity, in this report, the Commission proposes six main lines of actions:

  • Immediately launch a national awareness and training plan.
  • Structurally redirect savings towards innovation and create, in the short term, a 10 billion euro “France & AI” fund, to finance the emergence of the AI ecosystem and the transformation of the French economic fabric.
  • Make France a major centre of computing power.
  • Facilitate access to data.
  • Assume the principle of an “AI exception” in public research.
  • Promote global governance of AI.

Finally, on 12 September 2023, the French Parliament introduced a proposal for a bill to regulate AI in relation to French copyright law.

In parallel, the European Union, driven by the ambition of becoming the world’s leader in AI technologies, has considered the digital evolutions induced by AI systems by adopting new regulations.

In October 2020, the European Parliament adopted three reports designed to address issues related to the development and increasing use of AI systems in relation to ethics,2 liability3 and intellectual property (IP) rights.4 These reports pave the way for the establishment of European rules that will herald future legislation. To this end, they aim to create new legal frameworks embracing AI’s specificities while promoting a dynamic and secured AI environment system.

As it is, the report on ethics sets new obligations that must be respected during the development and use of AI in terms of security, transparency, privacy, data protection, etc. In terms of liability, the report makes those who use high-risk AI liable for any damage resulting from its use. In the IP report, the EU recognises the importance of setting up a system of IP rights that provides sufficient guarantees to patent developers and promotes and secures innovation. Those three reports were closely followed up in 2021 by resolutions on AI in criminal matters, education, culture and audiovisual.5

In addition, the report on liability led to the presentation by the European Commission on 21 April 2021 of the Artificial Intelligence Act (AI Act)6 which is a proposed horizontal regulatory framework on AI. The purpose of this act is to set harmonised rules at the European level for the development, placement on the market and use of AI systems, as well as to address the risks brought out by AI. The AI Act sets numerous obligations based on the level of risk the AI can cause, with some use being strictly banned. Its final text should be adopted in April 2024.

Alongside the AI Act, on 28 September 2022, the European Commission published a proposal for a Directive of the EU Parliament and Council “on adapting non-contractual civil liability rules to artificial intelligence”, called the “AI Liability Directive”.7 This Directive aims to ensure that persons harmed by AI systems enjoy the same level of protection as persons harmed by other technologies in the EU. Within the Directive, national courts would furthermore be given the power to order disclosure of evidence about high-risk AI systems suspected of having caused damage. Indeed, the 2018 evaluation report of the Product Liability Directive8 identified several shortcomings in relation to digital technologies in general and AI in particular.

A regulation of AI is therefore beginning to emerge at the European level. New rules and obligations are being created to regulate the development and use of AI, ensuring competitiveness and securing innovation.

Regarding the protection of data, on 23 March 2022, the European Commission published a Proposal for a Regulation of the European Parliament and the Council on harmonised rules on fair access to and use of data, called “the Data Act”.9 This Regulation would apply alongside the General Data Protection Regulation of 27 April 2016 (GDPR)10 and introduces new rules on who can use and access all types of data (personal and non-personal) generated in the EU and in all economic sectors. This Regulation shall apply to AI systems. The Data Act entered into force on 11 January 2024.

Ownership/ protection

According to the WIPO (World Intellectual Property Organization), AI is a “discipline of computer science that is aimed at developing machines and systems that can carry out tasks considered to require human intelligence, with limited or no human intervention”.11

Big data refers to structured and unstructured data that is so large, fast or complex that it is difficult or impossible to process using traditional methods or storage.

Deep learning requires big data as it is necessary to isolate hidden patterns and to find answers without overfitting the data.12

As AI encompasses a various range of elements (software, hardware, algorithms, computer programs, databases, etc.), different grounds of IP rights may be triggered.

Moreover, on 12 September 2023, the French Parliament introduced a proposal for a bill to regulate AI in relation to French copyright law. This proposal aims at protecting authors, allowing them to perceive fair and equitable remuneration, and encouraging innovation and promoting artistic diversity. In this context, the use of AI tools shall be strictly controlled.

Protection of AI tools


Since 1985, computer programs have been protected under copyright law. The European Union has followed the lead since the European Directive n°91/250 CEE of 14 May 1991 on the legal protection of computer programs,13 and later, harmonised the rules on the matter at the European level.

Software is therefore protected by copyright, whether it is the computer program itself (source and object codes), the program structure or the instruction programs that are addressed to the machine. In this respect, the French Supreme Court (Court of Cassation) had modified the definition of originality in a decision of 7 March 1986: the author must show a personalised effort going beyond the simple implementation of an automatic and constraining logic for the work to be original. Originality is therefore characterised by the author’s intellectual contribution.

Consequently, the software part of an AI could be protected under copyright law as long as it fits the definition of originality. However, algorithms cannot be protected under copyright law as it is a “succession of operations which only translates a logical statement of functionalities, devoid of all the functional specifications of the product concerned”.14 It does not demonstrate the intellectual contribution of the author. In principle, copyright is granted to the creator of the work, and this, from its creation. In this sense, the author of the software will own the copyright. However, in the case of an employment contract, the rights related to the software will automatically be transferred to the employer.


Article L. 611-10 of the Intellectual Property Code (IP Code) explicitly excludes from patentable inventions algorithms, computer programs and mathematical models as they cannot be considered as inventions. However, AI elements can still be protected by patent law as a combination invention insofar as the invention meets the regular criteria of protection (novelty, inventive step, susceptible to industrial application) and is not based solely on algorithms and mathematical methods. In this case, AI elements, taken as a whole, could be patentable and protected under French patent law.

Protection of AI-generated content

AI can produce different results, some of which could be qualified as creations or inventions, the former falling within the scope of copyright law and the latter of patent law. Hence, it strongly raises the question of authorship and ownership of the works and inventions it generates.


Regarding copyright, many authors have considered the question of whether AI could benefit from the status of author of the generated content.

In France, authors recognise the personalist and humanist conception of copyright: the author is the person who creates the work. Historically, French copyright was created in favorem auctoris, i.e., in favour of the author. Since the philosophy of the Enlightenment placed individuals at the heart of its concerns, copyright was understood as a natural right, justified by the indefectible link between authors and their work. The work being an extension of their person, it is quite logical for them to be the rightful owners and to be protected accordingly.

The condition of eligibility also reflects this conception. To be protected, the work must be an original creation: this criterion is intrinsically linked to the author’s person, since originality is the imprint of the author’s personality. With this condition being found within the author’s person, the results of AI cannot meet the conditions of copyright unless there is human intervention in the process.

The recognition of copyright protection to AI is therefore not likely under the applicable laws unless there is a human intervention, and the AI system is used as a tool.

Consequently, if the current French IP law does not seem to apply to contents generated only by an AI, it could apply considering the degree of involvement of the user of the AI system. This position is the one taken by the French Parliament in the proposal for a French bill to regulate AI. Indeed, the proposed amended Article L.321-2 of the French IP Code would grant copyright to artworks exploited by an AI system or tool, or their beneficiaries, provided that the generated content is due to human intervention. Nevertheless, in the absence of legal and/or regulatory provisions to date, it is case law that will be required to draw the contours of copyright protection applied to AI.


Patent law adopts a similar position to copyright law as it requires the identification of a natural person. Once again, the question of the AI as a potential inventor arises. In the IP Code, inventors are only referred to as natural persons. Indeed, according to Article L. 611-6, paragraphs 1 and 2 of the present code: “The right to the industrial property title referred to in Article L611-1 shall belong to the inventor or his successor in title. If two or more persons have made an invention independently of each other, the right to the industrial property title shall belong to the person who can prove the earliest date of filing.” Therefore, an AI cannot be recognised as the inventor of the content obtained through its operation. The reasoning mentioned in copyright also applies to patent law.

One landmark case has, however, stirred debate by addressing the status of AI inventors. Quite recently, the inventor and scientist Stephen Thaler submitted several patent applications listing DABUS (Device for the Autonomous Bootstrapping of Unified Sentience) as an inventor. DABUS is an artificial neural network that has autonomously generated two inventions, including a beverage container based on fractal geometry. Those applications were rejected by numerous IP offices worldwide, on the ground that only a natural person could be an inventor.15 Such requests were therefore explicitly in contradiction with the applicable law.

Some countries have taken a particularly innovative approach by recognising DABUS as an inventor. In 2021, South Africa even became the first country in the world to officially recognise an AI as an inventor in a patent application. The Federal Court of Australia also approved the patent application listing DABUS as an inventor; Judge Jonathan Beach even declared that: “[i]t is a fallacy to argue […] that an inventor can only be a human.”16 Ultimately, such recognition was possible insofar as there had been human intervention in the process, as an individual created the AI.

Risk of IP infringement while using AI tools

While the very application of IP law to AI is not obvious, AI may also carry risks of potential infringement of prior IP rights. Indeed, since AI generally feeds on very large datasets, and in particular pre-existing content, it is possible to generate content infringing prior rights via the AI tool.

Responsibility of AI tools

In France, Article L.122-4 of the IP Code defines copyright infringement as the act of representing or reproducing a work in whole or in part without the author’s permission. Nevertheless, Article L.122-5 of the same code provides for exception to this right of representation and reproduction, when the work has been disclosed: the author cannot, for example, prohibit private and free representations made exclusively within a family circle, or any copies and reproductions from a legal source and strictly reserved to private use.

Moreover, pursuant to the proposed modification of Article L.131-3 of the French IP Code, the integration or use of art works by AI tools and/or systems would be subject to the authorisation of the authors or their beneficiaries.

Transparency regarding the generated AI works is of utmost importance. In this context, the proposed French bill also amends Article L. 121-2 of the French IP Code to impose the mention of “work generated by AI” on any artwork generated using an AI tool, and credit the authors of the artworks used by the AI tool to generate the final artwork. It remains to be seen to what extent it will be possible for AI tools to identify the authors of artworks that inspired the generation of the result.

The EU Directive 2019/79017 on copyright and related rights in the digital single market has brought an additional exception. Indeed, Articles 3 and 4 of the Directive provide for the exception of “Text and Data mining”. Such exception was transposed in French law with the Ordinance No.2021-1518 of 24 November 2021 in Articles L.122-5 and L.122-5-3 of the IP Code. Such Articles entered into force on 1 January 2023.

Text and Data mining is defined in the Article 2 (2) of the said Directive as “any authorised analytical technique aimed at analysing text and data in digital form in order to generate information which includes but is not limited to patterns, trends and correlations”. AI tools are generally based on such systems. AI tools could therefore fall into the scope of the Text and Data mining exception, provided that:

  • the content that the tool contains has been made public; and
  • it has been lawfully obtained.

Article L.122-5-3 of the IP Code, providing for this exception in French law, adds “unless the author has objected in an appropriate manner, in particular by machine-readable processes for content made available to the public online”.

The content “lawfully obtained” means the reproduction or representation in whole or in part by the AI tool, of a public work, for which Text and Data mining has not been expressly forbidden by its author. Given the recent entry into force of the provisions, we will have to wait for case law to determine the contours of this exception.

Responsibility of the user of the AI tools

In addition to the liability of the AI tool, or more precisely of its developer/owner, the user of the AI tool is also exposed to several types of liability.

Indeed, generally, it is the user who discloses the content generated by the AI tool. The user could therefore engage his/her liability on the basis of French common law in the event of an illicit disclosure.

However, the disclosure of such content may also infringe IP rights. The liability of the user may result from the terms and conditions of the AI tool.

Antitrust/ competition laws

The purpose of competition law is to ensure the regulation of markets and prevent anti-competitive practices. However, the development of AI could contribute to creating new anti-competitive practices, cartels and abuses of dominant position.

To this end, in November 2019, the French Competition Authority and the German Bundeskartellamt have presented a joint study on algorithms and their implications for competition law enforcement while assessing the competitive risks associated with the use of algorithms.18 The two competition authorities have endeavoured to jointly study the effects and potential risks of collusion that the use of algorithms can generate on competition and have considered the question of adapting the rules of competition law with the new practices permitted today by AI.

The price algorithms that are used to set the price lists applied by companies are more particularly targeted. To this extent, the study can be particularly useful to companies who want to ensure the compliancy of their algorithms with antitrust laws.

The algorithms that are used to support the commercial strategy and the pricing policy of companies could encourage competition breaches by hindering the free determination of market prices through the interplay of supply and demand. It could lead to the creation of barriers to market entry.

Algorithms could also be detrimental by enhancing collusion. In this matter, the report identifies three main risks:

  • algorithms could be used to facilitate the implementation of traditional anticompetitive agreements (price fixing, customer sharing, etc.);
  • a third party, for instance a software developer, could provide the same algorithm to several competitors which would cause pricing coordination; and
  • algorithms could be used by companies to facilitate an alignment of the companies’ behaviour.

In February 2020, the French Competition Authority published its study on competition policy regarding the challenges at stake within the digital economy. In its new contribution, the French Competition Authority reviews its analysis and recommendations to better regulate anti-competition practices and unfair competition caused by AI.

In April 2020, a Paper on Big Data and Cartels: The Impact of Digitalization in Cartel Enforcement was released by the ICN (International Competition Network) in order to identify the challenges raised by big data and algorithms in cartel enforcement.19 The report analyses AI as a collusion-creating tool, but also as an interesting one in detecting them.

Consequently, while no legal framework has been currently adopted to regulate the risks caused by AI, big data and machine learning, competition authorities in Europe and beyond are beginning to pay closer attention to the effects of AI and big data on competition.

Boards of directors/ governance

To enhance the benefits of AI while reducing the risks, governments must analyse the scope and depth of the existing risks and develop regulatory and governance processes and structures to address these challenges.

In France, the ACPR (Autorité de Contrôle Prudentiel et de Résolution) released a study “Governance of Artificial Intelligence in Finance20 in November 2020, according to which the following governance concerns need to be taken into account as early as the design phase of an algorithm: integration of AI into traditional business processes; impact of this integration on internal controls, specifically on the role assigned to humans in the new processes; relevance of outsourcing (partially or fully) the design or maintenance phases; and lastly, the internal and external audit functions. According to the study, the most relevant elements of governance when introducing AI into business processes appear to be the operational procedures within those processes, the extension of segregation of duties to the management of AI algorithms, and the management of risks associated to AI. These elements are briefly described in this section.

It is also important to put in place data governance as it is the data which is used for the proper functioning with the AI. In this respect, in November 2020, the Global Partnership on AI, which was established with a mission to support and guide the responsible adoption of AI, issued a report on Data Governance21 which provides guidance on data governance depending on the different types of data:

AI, machine learning and big data laws and regulations 2024      

Regulation / goverment intervention

GDPR and compliance

New technologies have considerably influenced the legislative landscape to the point that new regulations have to be implemented. As AI enables the processing of a large amount of personal data, the EU must ensure the respect of data subject’s rights and privacy. In this respect, the increasing use of AI systems raises the question of their regulation as AI is continuously fed by an exponential amount of data during the machine learning phases. Certain precautions must be taken to protect the rights of data subjects.

Since 25 May 2018, and in addition to the French 1978 Data Protection Act, the principal data protection legislation within the EU has been the Regulation (EU) 2016/679, also known as the GDPR. Data must be collected and used in full compliance with the EU’s GDPR.

In this respect, the GDPR imposes numerous obligations on companies, as they process European citizens’ personal data. Companies engaged in big data, machine learning and AI must ensure that they respect these principles insofar as they process the personal data of European citizens:

  • The processing of personal data carried out during AI phases must follow specified, explicit and legitimate purposes and can only be used for the purposes for which it was collected.
  • The legal bases justifying the processing must be enlightened. Article 6 of the GDPR provides an exhaustive list of legal bases on which personal data may be processed.
  • The data must be kept for a limited time, which must be specified.
  • According to the principle of data minimisation, only the data that is strictly necessary for the processing must be collected.
  • Personal data must be accurate and kept up to date.
  • Transfers of European data outside the EU are prohibited or strictly controlled.
  • Data subjects must be aware of their rights regarding the processing of their personal data.
  • Personal data must be processed in a manner that ensures its appropriate security.
  • The principles of privacy by design and privacy by default must be respected.

Consequently, companies dealing with AI tools and machine learning must follow these principles.

On 29 March 2022, the CNIL published a set of resources for the public and professionals dealing with the challenges of AI in relation to privacy and GDPR compliance.22 Hence, the CNIL has made available to professionals a guide to ensure that companies using AI systems and processing personal data comply with the GDPR and the French Data Protection Act. As such, its main objective is to develop a regulatory framework for AI that respects human rights and helps in building European citizens’ confidence in the system. Moreover, the guide provides an analysis tool allowing organisations to self-assess the maturity of their AI systems with regard to the GDPR and best practices in the field, in view of the future European regulation.

In May 2023, the CNIL published an action plan for the deployment of AI systems that respect the privacy of individuals. The innovative techniques used for the design and operation of AI tools raise new questions about data protection, in particular:

  • the fairness and transparency of the data processing underlying the operation of these tools;
  • the protection of publicly available data on the web against the use of scraping of data for the design of tools;
  • the protection of data transmitted by users when they use these tools, ranging from their collection (via an interface) to their possible re-use and processing through machine learning algorithms;
  • the consequences for the rights of individuals to their data, both in relation to those collected for the learning of models and those which may be provided by those systems, such as content created in the case of generative AI;
  • the protection against bias and discrimination that may occur; and
  • the unprecedented security challenges of these tools.

These aspects will be one of the priority areas of work for the Artificial Intelligence Service and the CNIL Digital Innovation Laboratory.

Tax law

The French 2020 Finance Act has authorised tax authorities, on an experimental basis and for a period of three years, to collect freely accessible data on social network websites and online platform operators. The Finance Act aims to prevent tax fraud and to improve prosecution of tax offences such as hidden activities and false domiciliation abroad of individuals (Article 154 of the 2020 Finance Act).

The CNIL, in its opinion of 12 September 2019, emphasised the need to respect the principle of minimisation, as well as the principle of proportionality; only data that is necessary for the detection of tax fraud should be processed.

Open data

Big data also raises the question of its accessibility to the public. As numerous data is being collected, transparency in the process must be established.

Launched by the French Digital Republic Act in October 2016, the open data policy ensures a public data service by opening the dissemination of administrative data of economic, social, health or environmental interest.

For instance, in the field of Justice, the open data policy is characterised by the dissemination of public data applicable to court decisions. To this end, Articles 20 and 21 of the French Digital Republic Act establish the availability of court decisions to the public free of charge and in electronic form. However, such dematerialised access necessarily implies the dissemination of a significant volume of personal data, including sometimes sensitive data, in the case of access to data relating to criminal convictions.

There is, therefore, a risk of conflict with the protection of personal data. However, this requires the prior removal of the first and last names of the individuals concerned, as well as any element allowing them to be identified.

Prevention of terrorism

The law of July 30, 2021, on the Prevention of Terrorism Acts and Intelligence comes to consider the digital evolution by integrating the new technologies and means of communication used by terrorists. As such, the intelligence services have new means of control and can now implement algorithmic monitoring of connection and browsing data on the Internet to identify potential terrorists. They can also intercept satellite communications.

Electronic communications operators, internet service providers and hosting companies are cooperating in the implementation of this surveillance. In this respect, a generalised obligation to retain connection data is now imposed on them, which is justified by the threat to national security. The law is therefore in line with the decision of the Council of State French Data Network of 21 April 2021.

The law, at the draft stage, had been the subject of three opinion notices of the CNIL dated 8 April, 15 April and 3 May 2021.

Criminal issues

In an increasingly connected environment, the scenario of an AI committing a crime no longer seems so aberrant. While an AI cannot commit crimes such as murders, it could indeed facilitate alternative forms of crime as it creates new criminal models.

In this sense, Europol, the United Nations Interregional Crime and Justice Research Institute and Trend Micro have recently released a report on the malicious uses and abuses of AI, such as AI malware, AI-supported password guessing, and AI-aided encryption and social engineering attacks.23 While some of the scenarios presented may appear quite theoretical, the report helps policymakers and law enforcers by listing existing and potential attacks with recommendations on how to mitigate these risks.

However, algorithms can also be used in criminal matters by the police, legal jurisdictions and public authorities. As AIs process vast quantities of personal data and analytics, it must be ensured that data subjects’ rights regarding privacy and personal data are respected.

In October 2021, the European Parliament adopted a draft report on Artificial intelligence in criminal law and its use by the police and judicial authorities in criminal matters.24 It outlines the European views as well as recommendations on AI data processing by public authorities in the field of law enforcement and in the judiciary. Among other things, the draft report calls for greater algorithmic transparency, explainability, traceability and verification to guarantee the compliance of AI systems with fundamental rights. It also supports the High-Level Expert Group on AI of the European Commission in its desire of banning AI mass-scale scoring of individuals by public authorities. The report emphasises that the security and safety aspects of AI systems used in law enforcement and by the judiciary need to be assessed carefully and be sufficiently sturdy to prevent the consequences of malicious attacks on AI systems.

To illustrate, in France, 2017, the CNIL had issued a warning to the city services of Valencienne for deploying an illegal videosurveillance policy. The city had installed around 300 cameras alongside computer vision software that aimed to detect and analyse “abnormal behaviour”. The CNIL issued a warning, stating that the regulations were not respected, and that the device was disproportionate. The system was installed outside of any legal framework and without seeking the opinion of the CNIL, which is mandatory in such cases. The video protection system includes a certain number of functions (automatic number plate reading device, detection of rapid movements, counting the number of people, etc.) and many cameras were directly monitoring public space. The CNIL found that the system was illegal, given its numerous malfunctions, also due to the lack of a study on other “less intrusive” means of securing the city.

In 2021, the CNIL submitted a draft position on so-called “intelligent” or “augmented” video devices in places open to the public in order to accompany their deployment and to ensure the respect of data subjects’ rights. In this report, the CNIL noted that use for civil security, health or traffic-flow purposes, which are of little harm to individuals, is not authorised by the current regulations as it is not possible in practice to respect the right of opposition. The CNIL therefore considers that it is up to the public authorities to decide whether to enable such processing.

Also, given the increase of cyberattacks, the EU Directive “NIS2” of 14 December 2022 aims to strengthen security requirements, streamline reporting obligations, and introduce stricter supervisory and enforcement mechanisms.25 The Directive entered into force on 16 January 2023 and the Member States have until 17 October 2024 to transpose it in national legislation. It broadens the scope of application of the previous “NIS” Directive, and for example, requires companies to implement cyber risk management measures, including risk mitigation requirements and due diligence of third-party suppliers and services.

Finally, a Proposal for a Regulation26 of the EU Parliament and Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 was published on 15 September 2022, called the “Cyber Resilience Act”. This proposal for a Regulation was drafted in reaction to the increase of successful cyberattacks on hardware and software products, leading to an estimated global annual cost of cybercrime of 5.5 trillion euros by 2021. It mainly aims to create conditions for the development of secure products with digital elements, by ensuring that manufacturers take security seriously throughout a product’s life and create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.

Discrimination and bias

According to the European Parliament, AI technology must be trained using unbiased data sets to prevent discrimination.27

 In a press release dated 16 March 2021, the European Parliament indeed informed about the risks of the use of AI in the education, culture and audiovisual sector, notably the potential impact on the “backbone of fundamental rights [and] values of our society”.

The Culture and Education Committee then called for AI technologies to be regulated and trained so as to protect non-discrimination, gender equality and pluralism, as well as cultural and linguistic diversity.

In this regard, the European Parliament affirmed that the Commission “must establish a clear ethical framework for how AI technologies are used in EU media to ensure people have access to culturally and linguistically diverse content”. This should be the role of the proposed AI Act, and the AI Liability Directive.

In the context of the increased use of AI-based technologies, in particular to improve decision-making processes, it is necessary to ensure that all Europeans can benefit from these new technologies in full respect of EU values and principles.

In this regard, the EU has proposed a Directive, alongside the proposed AI Act, which aims to raise a common set of rules for a non-contractual liability regime, called the “EU Artificial Intelligence Liability Directive”. The purpose of the proposed Directive is to modernise the current liability regime.

For example, such proposition creates a rebuttable “presumption of causality” to ease the burden of proof for victims to establish harm caused by an AI system. It would furthermore give national courts the power to order disclosure of evidence about high-risk AI systems suspected of having caused damage.28

National security and military

In terms of military use of AI, the European Parliament has raised awareness, in a press release dated 20 January 2021. In fact, it considers that:

AI can replace neither human decision-making nor human contact;
EU strategy prohibiting lethal autonomous weapon systems is needed.

jAs per more general security concerns, in particular regarding the risk of mass surveillance and deepfakes by public authorities “the increased use of AI systems in public services (…) should not replace human contact or lead to discrimination”. More specifically in the health sector, the European Parliament warns on the necessity to highly protect the patients’ personal data.

Moreover, EU Member States warn on the threats to the fundamental rights and state sovereignty arising from the use of AI technology in massive civil and military surveillance (for example, highly intrusive social scoring applications should be banned).29

 In France, the Ministry of the Armed Forces is developing its relations with the French scientific community in the field of AI and is supporting projects that could lead to new technologies of interest to national Defence. The development of AI will aim to significantly increase the strategic autonomy and the operational and technological superiority of the armed forces.30




11 WIPO/IP/AI/2/GE/20/1 REV., “WPO conversation on intellectual property (IP) and artificial intelligence (AI)”, May 21, 2020, §11.
12 Wayne Thompson SAS Research & Development, Big Data: What it is and why it matters | SAS.
14 Cour d’appel de Caen, 18 March 2015, Ministère public/Skype Ltd and Skype Software Sarl.
15 In 2019, the European Patent Office rejected the patent applications submitted in the name of DABUS, followed by the USPTO in 2021 and the IPO the same year. The Thaler appeal in the UK was also dismissed.
16 Federal Court of Australia, Thaler v. Commissioner of Patents [2021] FCA 879, §12.