Entertainment and Media Guide to AI

Geopolitics of AI icon - location pin icon

Read time: 8 minutes

The regulatory framework

The EU’s regulatory approach to manage risks associated with AI is complex and multifaceted. It is based on laws that have already been implemented on an EU level or a local member state level, particularly the General Data Protection Regulation (GDPR), Regulation (EU) 2016/6799), copyright and other IP laws such as the Copyright Directive discussed above, the EU Directive on protection of trade secrets (Directive (EU) 2016/943) as well as general commercial contract law principles. The EU’s strategy further includes two major pieces of legislation that have already been enacted and that will certainly also change the digital landscape: the Digital Markets Act (Regulation (EU) 2022/1925) and the Digital Services Act (Regulation (EU) 2022/2065) as well as additional planned legislation like the EU Data Act on making data available by data holders to data recipients.

In addition to these more general laws that apply, but are not tailored, to AI, the EU currently builds on laws that are shaped for AI and currently making their way through the European legislative process, particularly the AI Act and the upcoming AI Liability Directive. It is fair to say that the EU approach to AI risk management is characterized by a comprehensive range of legislation tailored to specific digital environments.

From a territorial perspective and as a general rule, these EU laws apply when either the organization operating the AI system is based in the EU/EEA or if the users of the AI system or the subjects whose data is processed by the AI system are based in the EU/EEA. From a copyright perspective, EU copyright laws also apply if and to the extent protection of the copyright-protected work is sought in the EU/EEA.


GDPR will apply to AI if either the business operating the AI system is based in the EU/EEA or if the users of the AI system are located in the EU (art. 3 GDPR).

In addition to the data protection implications (see Data protection and privacy section), the GDPR contains two important articles related to algorithmic decision-making. First, the GDPR states that algorithmic systems should not make significant decisions affecting legal rights without human oversight. Second, the GDPR guarantees an individual’s right to “meaningful information about the logic” of algorithmic systems. As in many areas, the GDPR is not very clear in that respect, and thus there are many unanswered questions about this clause. How does the GDPR affect machine learning in the enterprise? In particular, how often may data subjects request this information, how valuable is the information to them and what happens when companies refuse to provide the information? As a result, the idea that the GDPR mandates a “right to explanation” from machine learning models has become a controversial subject.

Key takeaways
  • The regulation of AI in the EU is based on existing laws already implemented, such as the GDPR or the Copyright Directive, but also on regulations specifically tailored for AI, such as the upcoming EU AI Act and the Directive on AI Liability