Understanding Luxembourg’s New Law on EU AI Act Enforcement
A new legislative proposal in Luxembourg aims to empower the country’s data protection authority, alongside various sectoral regulators, to enforce compliance with the EU AI Act. This draft law, introduced just before Christmas, marks a significant step in the regulation of artificial intelligence within the framework of European law.
Key Features of the Draft Law
The draft law designates the National Data Protection Commission (CNPD) as the primary authority for matters related to the EU AI Act in Luxembourg. This designation is crucial, as it emphasizes the importance of personal data processed by AI systems, which forms a significant part of the discussions surrounding AI regulation.
Regulatory Responsibilities
The CNPD will oversee AI systems not currently regulated by existing sectoral legislation in Luxembourg. Additionally, sector regulators in banking, insurance, and medicine will maintain oversight over AI applications that fall under their existing remits. This collaborative approach aims to prevent gaps or overlaps in regulatory responsibilities.
Supervision of High-Risk AI Systems
According to the proposed law, the Luxembourg Regulatory Institute (ILR) will supervise businesses deploying ‘high-risk’ AI systems that provide essential or important services. This dual-layered supervision is designed to ensure comprehensive oversight of AI practices within Luxembourg’s regulatory landscape.
Sanction Powers and Penalties
The draft law outlines specific sanction powers for the CNPD and other regulatory authorities. These include:
- Fines up to €35 million or 7% of a company’s total global annual turnover for breaches related to prohibited AI practices.
- Fines of €15 million or 3% of turnover for other violations concerning AI use.
- Fines of €7.5 million or 1% of turnover for supplying incorrect information to authorities.
In addition to financial penalties, authorities may issue warnings or reprimands, allowing for a more nuanced approach to enforcement that does not immediately resort to significant financial penalties.
Regulatory Sandbox for AI
The draft law also mandates the CNPD to establish a regulatory sandbox for AI. This initiative aims to foster innovation while ensuring strict compliance with the European General Data Protection Regulation (GDPR) and fundamental rights.
Implementation Timeline
While most provisions of the EU AI Act will come into effect in August 2026, Chapters I and II will be applicable from February 2025. This includes regulations on prohibited AI practices and other essential aspects of AI regulation.
The proposed law represents a proactive move by Luxembourg to align its regulatory framework with the evolving landscape of AI technology, ensuring that compliance, innovation, and the protection of personal data go hand in hand.
