{"id":108071,"date":"2025-03-26T13:51:29","date_gmt":"2025-03-26T17:51:29","guid":{"rendered":"https:\/\/cdt.org\/?post_type=insight&p=108071"},"modified":"2025-03-27T03:34:16","modified_gmt":"2025-03-27T07:34:16","slug":"cdt-europes-ai-bulletin-march-2025","status":"publish","type":"insight","link":"https:\/\/cdt.org\/insights\/cdt-europes-ai-bulletin-march-2025\/","title":{"rendered":"CDT Europe\u2019s AI Bulletin: March 2025"},"content":{"rendered":"\n

Policymakers in Europe are hard at work on all things artificial intelligence, and CDT Europe is here with our monthly Artificial Intelligence Bulletin to keep you updated. We cover laws and policies that relate to AI, and their implications for Europe, fundamental rights, and democracy. To receive the AI Bulletin, you can sign up here<\/strong><\/a><\/em>.<\/p>\n\n\n\n

Third GPAI Code of Practice Draft Excludes Discrimination <\/strong><\/p>\n\n\n\n

The third version of the General-Purpose AI (GPAI) Code of Practice \u2013 and the last to be put to multistakeholder consultation \u2013 was published<\/a> on 11 March, alongside a FAQ page<\/a> on the Code of Practice. The draft is now split into four parts dealing with commitments, transparency, copyright, and safety and security, respectively. The latter section addresses obligations relative to risk assessment and mitigations, and has been subject to significant changes that regress the draft\u2019s fundamental rights protections. <\/p>\n\n\n\n

As we covered in our initial reaction<\/a> to the draft, the list of risks that are mandatory to assess \u2014 also known as the \u201cselected\u201d systemic risks taxonomy \u2014 now excludes discrimination and is largely focussed on existential risks. Discrimination was moved to the list of risks that are optional to assess, joining other risks to fundamental rights such as privacy harms and increased spread of child sexual abuse material or non-consensual intimate imagery. The draft cautions GPAI model providers to only assess these risks when they are specific to models\u2019 high-impact capabilities. <\/p>\n\n\n\n

As we addressed in fuller comments<\/a> to the draft, the explanations given \u2013 that fundamental rights risks don\u2019t arise from high-impact capabilities, and that the EU digital rulebook better accounts for these risks \u2013 do not stand up to scrutiny and fail to justify the changes. A wide range of organisations have critically<\/a> reacted<\/a> to the changes in the systemic risk taxonomy, while also acknowledging some positives, such as that the draft\u2019s provisions concerning external assessment were strengthened, and it now requires greater consideration of acceptability of risks<\/a> by model providers.<\/p>\n\n\n\n

This draft Code of Practice will undergo one final round of review before the final version is presented and published by 2 May. The AI Office and the AI Board will subsequently review the draft and publish their assessment, but the decision to go forward with the Code ultimately rests on the European Commission. The EC can choose to either approve the Code through an implementing Act, or \u2013 if the code is not finalised or simply deemed inadequate \u2013 to provide common rules for how GPAI model providers should follow their obligations by 2 August, the same date those obligations become applicable. Independent of this process, the European Commission can request standardisation of the rules for GPAI models. Once those standards are finalised, covered providers of GPAI models will be presumed to comply with their obligations under the AI Act. <\/p>\n\n\n\n

Spain Takes a Robust Approach to Prohibited AI Practices<\/strong><\/p>\n\n\n\n

The Spanish government approved a bill implementing the AI Act<\/a> at the national level, marking the first step towards its formal adoption. Notably, the bill sets out narrow conditions under which remote biometric identification (RBI) may be lawfully used for law enforcement purposes. The practice is in principle prohibited by the AI Act, but technically allowed for three law enforcement purposes \u2013 search of missing persons and victims of specified crimes, prevention of threats or terrorist attacks, and identification of suspects of specified criminal offences. It can only be lawfully carried out in a member state where it is explicitly authorised by implementing national legislation, which can be stricter \u2013 but not broader \u2013 than the terms set by the Act. The Spanish bill as written only authorises RBI use for one of the three purposes the AI Act lists, namely to locate and identify individuals suspected of committing criminal offences of a given degree of seriousness, as specified in Annex II of the Act.<\/p>\n\n\n\n

The bill builds on the AI Act by categorising infringements in three categories: minor, severe, and very severe. Any use of an AI practice the law prohibits, including RBI use outside of the draft law\u2019s only exception, is deemed very severe. Failure to notify users when they directly interact with an AI system, or to label AI-generated content<\/a> in line with the AI Act\u2019s requirements, will constitute a \u201csevere\u201d infringement.<\/p>\n\n\n\n

Italian Draft Law Aspires to Set Limits on AI Uses in Critical Sectors <\/strong><\/p>\n\n\n\n

An Italian government law decree<\/a> approved by the Senate sets general conditions for the use of AI, delineating and limiting the uses of AI in critical sectors. <\/p>\n\n\n\n

The law specifies that minors below 14 years old may only access AI systems with parental consent. It identifies key areas that stand to benefit from AI \u2013 such as the healthcare sector and the working environment \u2013 and also emphasises key safeguards, such as creating an AI Observatory within the Ministry of Labor, and limiting uses of AI systems in the judicial sector to administrative purposes specifically excluding legal research. <\/p>\n\n\n\n

Further, the law amends aspects of Italian criminal law to cover the use of AI in committing criminal offenses. The law notably introduces a new legal offense for dissemination of AI-generated content \u2013 ostensibly including deepfakes \u2013 without a person\u2019s consent, resulting in unjust damage, that is punishable by imprisonment from one to five years.<\/p>\n\n\n\n

The law is in draft form and will need to be approved by the Italian Chamber of Deputies.<\/p>\n\n\n\n

AI Identified as a Key Priority in Europe\u2019s Defence Strategy <\/strong><\/p>\n\n\n\n

A joint white paper<\/a> released last week by the European Commission and the High Representative for Foreign Affairs and Security Policy on AI in European Defence identified AI as a key area of priority defense capability, noting that new ecosystems and value chains for cutting-edge technologies such as AI \u201ccan feed into civilian and military applications\u201d. The paper highlights AI-powered robots as a concrete area of opportunity. <\/p>\n\n\n\n

The white paper announces a strategic dialogue with the defence industry to identify regulatory hurdles and address challenges ahead of presenting a dedicated Defence Omnibus Simplification proposal by June 2025. This new simplification proposal adds to the five recently announced simplification initiatives \u2014 reviews of legislation from the digital<\/a>, agricultural, and other domains \u2014 outlined in the Commission\u2019s communication on simplification<\/a>.<\/p>\n\n\n\n

The paper further announces a forthcoming European Armament Technological Roadmap to be published this year \u2014 \u201cleveraging investment into dual use advanced technological capabilities at EU, national and private level\u201d \u2014 that will focus on AI and quantum in an initial phase.<\/p>\n\n\n\n

In Other \u2018AI & EU\u2019 News<\/strong> <\/p>\n\n\n\n