The ‘Brussels Effect’ of the EU’s ‘AI Act’ on Data Privacy Outside Europe

The European Commission’s publication of a proposal for a Regulation on Artificial Intelligence (also described as an ‘AI Act’) is likely to become a pivotal moment in the global regulation of artificial intelligence, but it will also have major global implications for privacy and data protection. Many businesses located outside Europe are keeping a wary eye on the GDPR because of the risks that its extra-territorial application might apply to them, or because they might even be held to have an establishment in the EU. Such businesses need to be equally concerned that the AI Act may apply to any of their AI-related activities that can affect individuals, and may do so in situations outside the scope of the GDPR. The AI Act will also a be data privacy regulation, but one that is different from the GDPR. This is likely to be good news for data privacy and human rights in the EU, but for some businesses outside Europe it will be another significant regulatory obligation requiring consideration. There are four main questions that this article considers: (i) why will the AI Act be important for privacy protection?; (ii) how and why will businesses outside Europe acquire obligations under it?; (iii) what are those obligations?; and (iv) will the EU’s AI Act have broader implications for local regulation of AI outside Europe?