Adapting to the EU AI Act: Four Key Takeaways for General Counsels
May 2024
By Kelsey Provow
The role of General Counsels (GCs) in navigating the complex and evolving legal landscape, especially concerning data protection and privacy in not just the European Union (EU) but around the world, is becoming increasingly pivotal. With new regulations like the Digital Markets Act (DMA), Digital Services Act (DSA), and the EU AI Act, GCs face a daunting task, especially as external stakeholders apply pressure on in-house teams to urgently pivot and adapt.
Axiom recently hosted a webinar, “Navigating Privacy in the EU: Top Legal Challenges and Implications,” that provided GCs with a comprehensive understanding of current challenges and practical strategies for data privacy and cybersecurity compliance in the EU. The event was moderated by Axiom’s own Managing Director and Vice President of Europe, Daniel Hayter, with first-hand insight provided by the following panelists:
- Lucy McGrath, Managing Director, Dasein Privacy
- Richard Magnan, General Counsel, Rising Tide
What did the webinar reveal? Four key takeaways:
- The Call of Enhanced Accountability and Ethical Standards
- The Importance of Cross-Functional Teams
- The Value of Continuous Adaptation and Learning
- The Creation and Implementation of Mapping Technology and Data Use
The Current Legal Landscape and Resourcing Challenges
The European Commission's approach to data privacy and cybersecurity as it relates to Artificial Intelligence is rapidly evolving, placing substantial pressure on legal departments. Legislation such as the DMA, DSA, and the recently passed Artificial Intelligence Act (AI Act) is setting new standards and impacting businesses across sectors. These regulations not only heighten the demand for compliance but also strain the existing resources of legal departments.
Specific Challenges
- Data Privacy: Integrating the General Data Protection Regulation (GDPR) with new regulations like the DMA and DSA adds layers of complexity to compliance, making data privacy an ongoing challenge for GCs.
- Cybersecurity: As Rick Magnan notes, the need for robust cybersecurity measures has never been more critical. The complexity of ensuring cybersecurity compliance alongside dynamic business processes and legacy systems is a significant challenge.
- EU AI Act: The AI Act introduces new dimensions of compliance, particularly around ethical AI use and safety standards. The act categorizes AI systems based on their risk levels, identifying high-risk AI systems and affecting how organizations deploy these technologies.
Four Key Takeaways
1. Enhanced Accountability and Ethical Standards:
Both McGrath and Magnan emphasized that new regulations would require increased accountability from companies. This is an opportunity for in-house teams to take advantage of the great position they are in when thinking about the business and understanding what laws might apply.
“Just do a bit of a heat map by looking at where your company exists in the industry and the services/products you provide,” McGrath recommends. “While you’re not going to get all of that straight from the start, I do think that there is a real role for lawyers in being able to absorb a lot of this complexity in order to ask the right questions and have a sense and feel of where the risks might be.” McGrath believes this analysis will add value to the management of an already anxiety-inducing project. By narrowing down and simplifying quite complex and sometimes convoluted laws for the other non-legal stakeholders, in-house teams can become better partners for their business counterparts.
They also highlighted the need for standardization in privacy practices brought about by AI and other digital transformations. With the increased number of regulations and acts that are coming out, McGrath knows from experience the complexity of the effect they have on the business: “I think that the way people organize their business standards, advertise their products/services, and structure their businesses in Europe, are going to have to moderate service depending on what sort of online platform they are. The complexity and the type of acts are going to increase the number of requirements that people must apply. But I do think underneath that there are some really core standards.”
Looking at those core standards helps McGrath and her clients find similarities between the acts and regulations and then improve their processes rather than starting from scratch every time a new one is introduced.
2. Importance of Cross-Functional Teams:
While it may feel like the obvious next step, McGrath, Magnan, and Hayter couldn’t stress enough how important it is to address these complex challenges by forming cross-functional teams that include but are not limited to legal, IT, and business leaders.
“If I'm an in-house counsel sitting there right now thinking ‘I don't know either what data we have or how technology is using it or how the business is using it,’ I think it is fair to say one of the first things that they need to convene is a committee of those different business units to work out exactly how this is going to impact their business standards,” says Magnan. “Lawyers aren't necessarily very technical, and computer scientists aren't very legally focused. So how do you best bring all those parties together to work that out well? From other colleagues that I've talked to, the solution is a cross-functional committee, not a single department.”
Magnan doesn’t believe that the adaptation of the company’s business standards should be assigned to just the risk department, legal department, or business units. GCs need to gather information that they’re going to use to establish company policies and compliance requirements. After all, it’s what makes them cross-functional. So, Magnan argues it’s important to bring in the right participants from the start: “If you don't, you won't get the right set of information and then you'll create rules or compliance obligations that when you parcel them out, those who hadn't participated may object because they didn't participate or may raise reasons why.”
To save GCs time and potential headaches, Magnan suggests that it’s important to get a full-spectrum view of the issue or the problem, data, and systems, and then apply the law to that. And McGrath couldn’t agree more, saying that “the cross-functional team is absolutely essential.”
3. Continuous Adaptation and Learning:
The legal landscape's dynamic nature means that GCs (and their in-house teams) must be committed to continuous learning and adaptation. As technologies and regulations evolve, so too must the strategies and practices of legal departments.
“I think that one thing I would say to lawyers is that everyone's going to have to learn,” McGrath explains. “And one of the things that I'm also seeing is that a lot of times people rely on the cyber security teams or the IT teams, but it's really important to be open to the fact that they may not understand a lot of this technology as well.”
According to both McGrath and Magnan, both legal and IT will need to build out their skill-sets to help analyze the changes that need to be made. They stress that it’s important to be open to your team members not having an answer and learning together. “The worst thing you can do is pretend you know everything,” McGrath says. “Everyone will need to openly accept that they're going to have to learn quite a lot in more technical detail.”
4. Mapping Technology and Data Use:
Understanding the interplay between technology and data is crucial. Magnan highlighted the importance of creating detailed maps of software and data use within organizations to determine compliance needs accurately.
“When we had to implement GDPR,” Magnan shared, “we had to create a record of processing activities, which was based on a data map. We had to go find all the data that we had, find the data we were collecting, how we're using it, where is it stored, and who had access to it. Now we have to do the same thing for software.”
This mapping opens up an opportunity for the legal team to assist their business teams in understanding three levels of complexity: 1) what data and software the company is using, 2) who is using what software and what it’s being used for, and 3) which software is using which data, how it’s using it, who has access to each list of data, software, and systems, and what countries they are being used in.
Mapping each level of complexity and building an ongoing strategy will assist in solving the multi-dimensional problem, which, according to Magnan, is far more challenging: “This is going to take considerable effort, and I think it's an ongoing effort. It's not ‘set it and forget it.’ You're going to have to continually update things.”
Best Practices and Solutions
- Proactive Legal Strategies: Developing proactive compliance strategies that anticipate potential regulatory changes and their impacts on business operations is crucial.
- Leveraging Legal Tech: Utilizing legal technology can help manage the increased workload efficiently and ensure compliance across jurisdictions.
- Investment in Training and Governance: Investing in continuous training for legal and tech teams and establishing robust governance frameworks to manage regulatory compliance effectively with minimal risk.
- Cost-effective and strategic resourcing: McGrath, Magnan, and Hayter all advocated for leveraging alternative legal services providers (ALSPs) to address the growing and complex demands of data privacy and cybersecurity. Flexible legal talent, like Axiom lawyers, can provide a wide range of experience levels and knowledge while also providing GCs with an adaptable resourcing model to their day-to-day needs, which is invaluable in a rapidly changing regulatory environment.
Conclusion
The insights from the Axiom webinar underscore the critical role of GCs in navigating the complexities of EU regulations on data privacy, cybersecurity, and AI. The discussed strategies and insights provide a roadmap for legal departments to adapt and thrive in this challenging environment.
For a deeper exploration of these topics and to harness more of these experts’ advice, access the full webinar on-demand. Additionally, explore the possibilities with Axiom’s data privacy and cybersecurity legal talent to enhance your organization’s capacity to meet these evolving challenges effectively. Let us help you navigate the complex legal landscape of the EU AI Act.
Kelsey Provow is an award-winning writer and editor passionate about sharing unique and thought-provoking narratives. After obtaining her master's degree in professional writing, she has spent over a decade writing across multiple industries, including publishing, academia, and legal.