On Thursday 10 July, the European Commission published the ‘General-Purpose AI Code of Practice’, more than two months after the original deadline.
Divided into three parts (transparency, copyright and security), the ‘Code’ has long been awaited by industry, model providers and NGOs to provide legal certainty on the application of the AI Act.
While the Code remains non-binding, model providers who choose not to adhere will have to prove that they are complying with the obligations of the AI Act by other means and may be exposed to more questions from the Commission to ensure compliance.
Despite the Code’s intense consultative process, it has been widely criticised by civil society, industry and suppliers (see EUROPE 13613/25).
The disproportionate influence of large companies such as Meta or Apple, or the lack of safeguards concerning copyright and respect for fundamental rights, were repeatedly raised during its drafting (see EUROPE 13631/14).
Transparency. This part of the Code includes only one commitment, which concerns documentation (model architecture, training data, algorithms, etc.), which must be kept up to date and shared on a mandatory basis with downstream suppliers and, on request, with the European AI Office or national authorities.
Designers and publishers were calling for mandatory transparency on the data used to drive models (type, sources, proportion, licence). As it stands, the Code does not make publication of these elements systematic, not even for the European AI Office.
Copyright. The Code had been widely criticised for its lack of clarity regarding the respect of copyright by AI models (see EUROPE 13610/3).
This part commits the signatories to reproducing only “legally accessible protected content” and to reducing the risk of copyright infringement by implementing “appropriate and proportionate technical protection measures”.
The term “reasonable efforts”, which had been heavily criticised, has been dropped. But these “appropriate techniques” are not detailed.
Security. The Code lists two types of model-related risk: primary (disinformation, infringement of fundamental rights, deepfakes, etc.) and secondary (hate speech, algorithmic bias, etc.). The latter are exempt from external audit requirements.
The Commission refutes any watering down of the Code and stands by its position on the implementation of the AI Act (see EUROPE 13673/15). However, ‘guidelines’ on the practical application of the Code commitments are being prepared and should arrive in the next few weeks, according to several sources.
The question of the number of signatories remains open. Meta had already announced its refusal (see EUROPE 13574/11).
On the question of deadlines, the obligations of the AI Act, which come into force on 2 August, apply to new models placed on the European market after that date. For pre-existing models, the obligations will apply until August 2027. Application of the Code could be extended to the end of 2025, given the short time remaining until 2 August.
See the Code: https://aeur.eu/f/hth (Original version in French by Isalia Stieffatre)