Fines under the AI Act – A bottomless pit?

On 21 April 2021, the European Commission (“EU Commission”) published its eagerly awaited draft legislation on the use of artificial intelligence (“AI”), the “Artificial Intelligence Act” (“AI Act”). It is based on the digital strategy “White Paper on Artificial Intelligence – A European Approach to Excellence and Trust” presented on 19 February 2020 and is the world’s first attempt to regulate AI in this form.[1]

Even if it is not yet foreseeable when the AI Act will actually be enacted, one thing already seems clear: anyone who violates the prohibitions on certain uses of AI faces hard-hitting sanctions.

1. What kind of sanctions do you face?

Currently, Art. 71 of the AI Act provides for a three-level sanction concept, which includes different fines depending on the severity of the infringement:

1.1 30 million Euro or 6 percent of annual worldwide turnover

The maximum fine provided for in Article 71 (3) of the AI Act is 30 million Euro or, in the case of companies, 6 percent of their worldwide annual turnover, whichever is higher. This fine is imposed either (a) in case of the use of a prohibited AI system pursuant to Art. 5 AI Act [2] or (b) insofar as the quality criteria for high-risk AI systems set out in Art. 10 AI Act are not met.

1.2 20 million Euro or 4 percent of annual worldwide turnover

Article 71 (4) of the AI Act provides for a medium fine of up to 20 million Euro or – in the case of companies – 4 percent of the annual worldwide turnover, whichever is higher. This fine is imposed if AI systems violate the other requirements and obligations set out in the AI Act, i.e. those outside Articles 5 and 10 of the AI Act. In practice, this fine is likely to play by far the most important role, as the AI Act provides for a whole series of obligations. Probably the most relevant of these are the establishment and documentation of a risk management system (Art. 9 AI Act), the technical documentation (Art. 11 AI Act) and the requirements for high-risk AI systems regarding accuracy, robustness and cybersecurity (Art. 15 AI Act).

1.3 10 million Euro or 2 percent of annual worldwide turnover

The lowest level of fines is set out in Article 71 (5) of the AI Act and provides for fines of up to 10 million Euro or – in the case of companies – 2 percent of their worldwide annual turnover, if the latter amount is higher. These fines may be imposed if false, incomplete or misleading information is provided to the competent authorities in response to their request for information.

Overview

Through the three-level sanction concept, the EU Commission makes clear how it assesses AI systems and the associated requirements and obligations. The level of the threatened sanctions even exceeds the fines provided for in the General Data Protection Regulation (GDPR).

2. Who can be the addressee of a sanction?

In principle, anyone who has to fulfil the requirements and obligations of the AI Act and violates them can be the addressee of a sanction. First of all, this includes providers who, as natural or legal persons, authorities, institutions or other bodies, develop AI systems or have them developed and place them on the market or put them into operation in their own name or under their own brand – whether for payment or free of charge (cf. Art. 3 No. 2 AI Act).

In addition, product manufacturers, importers, traders or users of AI systems (cf. Articles 24 to 29 of the AI Act) can also be the addressees of fines. Finally, even other third parties may be affected by a sanction, although the AI Act does not specify who is to be included here. What all these third parties have in common is that they are considered providers under the conditions of Article 28 of the AI Act and thus also assume the obligations of the provider.

3. Who decides on the fines?

The AI Act provides for decentralised enforcement of the provisions by the Member States. Accordingly, Article 71(1) of the AI Act states that the Member States shall lay down rules on penalties, for example in the form of fines, applicable to infringements of the Act and shall take all measures necessary to ensure that they are properly and effectively enforced. Each Member State must therefore designate at least one national authority to oversee the application and implementation of the rules and to carry out market surveillance. Whether fines are imposed on authorities and institutions can be determined by each Member State itself (cf. Art. 71 (7) AI Act).

4. How is the amount of the fines determined?

In determining the amount of the fine, a two-step test should in principle be applied under the current rules. First, it will have to be determined which of the three ranges of fines is open. Then, the specific amount of the fine within the range of fines will have to be determined. In addition to the requirement that sanctions must be effective, proportionate and dissuasive (cf. Art. 71(1) AI Act), the calculation of the fine must, pursuant to Art. 71(6) AI Act, be made on a case-by-case basis and take into account all relevant circumstances of the specific situation. To this end, the nature, gravity and duration of the infringement and its consequences, fines imposed by other market surveillance authorities for the same infringement as well as the size and market share of the infringer are to be taken into account in the decision. In addition, particular account should be taken of the interests of small suppliers and start-ups and their economic capacity.

A comparison with the fine provision in Article 83 of the GDPR, the comparable standard from data protection law, makes one thing clear: The AI Act does not contain any criteria that are to be taken into account as mitigating factors when calculating the amount of the fine. Unlike the AI Act, the GDPR takes into account, for example, whether the company itself reported the infringement to the supervisory authority, the extent of cooperation with the supervisory authority or the measures taken to mitigate the damage caused. In practice, such criteria often form a helpful bridge in the cooperation between the company and the supervisory authority. It is therefore hoped that such criteria also find their way into the AI Act in the further legislative process.

5. What preparations can be made already? What happens next?

The draft of the AI Act still has to pass through the European Parliament and the Council of the European Union in the legislative process. In view of the significantly different ideas in the EU Member States regarding the necessity of regulating AI, this is likely to take some time, but will also lead to changes. Whether these changes will also affect the level of fines remains to be seen. However, an increase in the fine framework is unlikely in view of the already quite serious threats of fines, which in the case of Article 71 (3) of the AI Act go far beyond those of the GDPR.

Anyone planning to use or develop AI in the medium and long term, or to deploy it in their field of business, should nevertheless already familiarise themselves with the main features of the AI Act. Due to the threat of severe sanctions, care should already be taken during the development of AI systems to ensure that the requirements and obligations of the AI Act are taken into account. Once the AI Act has come into force, the realisation of its consequences will come rather late, as it did for many companies when the GDPR came into force. If AI systems then also process personal data, there could also be the threat of fines for data protection violations. [3]

One thing remains to be said, however: As is well known, for fine provisions to actually become a powerful instrument and to effectively prevent violations, the mere amount of the fine is less relevant than effective control and consistent enforcement. When it comes to enforcing the GDPR, data protection authorities – at least in Germany – have needed a certain amount of time to get up to speed, but have recently significantly increased the frequency of controls and fines. How this will be handled in the case of the AI Act remains to be seen.

[1] The AI Act – does this mark a turning point for the regulation of artificial intelligence? An overview

[2] Prohibited practices under the draft AI Act – Does the European Commission want to ban Instagram?

[3] Data governance in the AI Regulation – in conflict with the GDPR?