Draft Government Proposal on the Implementation of EU’s AI Act Published

On 25 October 2024, the Ministry of Economic Affairs and Employment of Finland published its draft government proposal regarding the implementation of EU’s Artificial Intelligence Act (the “AI Act”) in Finland. The draft proposal was sent out for public consultation, and the deadline for comments is 4 December 2024.

The AI Act is the world’s first comprehensive regulation on artificial intelligence (“AI”) that governs the development and use of AI. As a regulation, the AI Act will be binding and directly applicable in all EU Member States as it is. The Finnish Implementation Act will supplement the AI Act by designating supervisory authorities in Finland, their powers to impose administrative fines and other penalties and by specifying national leeway.

The EU’s AI Act has entered into force on 1 August 2024, but it will be fully applicable after two-year transition period on 2 August 2026, with some exceptions. The Finnish implementation act is expected to enter into force on 2 August 2025.

Further, there will be separate government proposals e.g. on test environments (so-called sandboxes).

The draft government proposal (in Finnish) is here.

Supervisory Authorities

According to the Finnish draft proposal, several authorities in Finland will be responsible for the supervision. Instead of one single authority, several market surveillance authorities are tasked with supervision of AI systems — the same authorities who are already today responsible for the supervision in the field of product safety, road traffic, digital infrastructure, medical devices, and financial services, etc. This decentralised model adopted in the draft proposal is not a surprise. Firstly, the current authorities have experience and expertise on their respective fields. Secondly, Finland has transposed more than one EU Directive and Regulation into national laws by using this same decentralised model — the ePrivacy Directive and the Network and Information Security Directive (“NIS”) are just a few examples.

The Finnish Transport and Communications Agency (“Traficom”) will act as the single point of contact under the AI Act and will be responsible for the coordination. Although the European Data Protection Board (the “EDPB”) has called for the appointment of a data protection authority as a single point of contact at the Member State and EU level (see the EDPB’s Statement 3/2024) under the AI Act, Traficom is the natural choice in Finland. Traficom acts as the single point of contact under the Digital Services Act (the “DSA”) and the NIS Directive. Based on pending government proposal on the NIS2 Directive and working group memorandum on the Data Act, Traficom will be designated as the single point of contact also under these laws. The centralisation of power has its benefits. Inconsistencies between decisions taken by different supervisory authorities and bodies can (hopefully) be prevented and synergies can be exploited in the interests of legal certainty.

While the Office of the Data Protection Ombudsman is not designated as the single point of contact, it has a strong role under the draft proposal. The Office of the Data Protection Ombudsman is appointed as the supervisory authority regarding prohibited AI systems and for many high-risk AI systems, like biometrics, law enforcement, migration, education, and employment.

Prohibited AI Systems (Art. 5 of the AI Act)

High-Risk AI Systems: Annex I (Art. 6.1 of AI Act)

High-Risk AI Systems: Annex III (Art. 6.2 of AI Act)

Administrative Fines and Other Penalties

The supervisory authorities will have powers to impose administrative fines less than EUR 300 000. A new Sanctions Board will be established with the powers to impose administrative fines higher than EUR 300 000. The Sanctions Board will act in connection with Traficom and will be made up of chair of board (appointed by Traficom), vice chairman (appointed by the Office of the Data Protection Ombudsman), and two other members. The Members of the Board will act independently and not as representatives of their organisations.

Other penalties applicable to infringements include a threat of a fine and threat of action. No warnings or criminal penalties are proposed.

For further information and advice, please contact Counsel Maria Aholainen or Partner Jesper Nevalainen.