EU AI Act – Title 10

Title X: CONFIDENTIALITY AND PENALTIES


Article 70
Confidentiality

1. The Commission, national competent authorities and notified bodies, the AI Office and any other natural or legal person involved in the application of this Regulation shall respect the confidentiality of information and data obtained in carrying out their tasks and activities in such a manner as to protect, in particular:

(a) intellectual property rights, and confidential business information or trade secrets of a natural or legal person, in accordance with the provisions of Directives 2004/48/EC and 2016/943/EC, including source code, except where the cases referred to in Article 5 of Directive 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure apply;

(b) the effective implementation of this Regulation, in particular for the purpose of inspections, investigations or audits;

(b a) public and national security interests;

(c) integrity of criminal or administrative proceedings.

1 a. The authorities involved in the application of this Regulation pursuant to paragraph 1 shall minimise the quantity of data requested for disclosure to the data that is strictly necessary for the perceived risk and the assessment of that risk. They shall delete the data as soon as it is no longer needed for the purpose it was requested for. They shall put in place adequate and effective cybersecurity, technical and organisational measures to protect the security and confidentiality of the information and data obtained in carrying out their tasks and activities.

2. Without prejudice to paragraphs 1 and 1a, information exchanged on a confidential basis between the national competent authorities and between national competent authorities and the Commission shall not be disclosed without the prior consultation of the originating national competent authority and the deployer when high-risk AI systems referred to in points 1, 6 and 7 of Annex III are used by law enforcement, immigration or asylum authorities, when such disclosure would jeopardise public or national security.

When the law enforcement, immigration or asylum authorities are providers of high-risk AI systems referred to in points 1, 6 and 7 of Annex III, the technical documentation referred to in Annex IV shall remain within the premises of those authorities. Those authorities shall ensure that the market surveillance authorities referred to in Article 63(5) and (6), as applicable, can, upon request, immediately access the documentation or obtain a copy thereof. Only staff of the market surveillance authority holding the appropriate level of security clearance shall be allowed to access that documentation or any copy thereof.

3. Paragraphs 1, 1a and 2 shall not affect the rights and obligations of the Commission, Member States and notified bodies with regard to the exchange of information and the dissemination of warnings, nor the obligations of the parties concerned to provide information under criminal law of the Member States.

4. The Commission and Member States may exchange, where strictly necessary and in accordance with relevant provisions of international and trade agreements, confidential information with regulatory authorities of third countries with which they have concluded bilateral or multilateral confidentiality arrangements guaranteeing an adequate level of confidentiality.

 

Article 71
Penalties

1. In compliance with the terms and conditions laid down in this Regulation, Member States shall lay down the rules on penalties, applicable to infringements of this Regulation by any operator, and shall take all measures necessary to ensure that they are properly and effectively implemented and aligned with the guidelines issued by the Commission and the AI Office pursuant to Article 82b. The penalties provided for shall be effective, proportionate, and dissuasive. They shall take into account the interests of SMEs and start-ups and their economic viability.

2. The Member States shall notify the Commission and the Office by [12 months after the date of entry into force of this Regulation] of those rules and of those measures and shall notify them, without delay, of any subsequent amendment affecting them.

3. Non-compliance with the prohibition of the artificial intelligence practices referred to in Article 5 shall be subject to administrative fines of up to 40 000 000 EUR or, if the offender is a company, up to 7 % of its total worldwide annual turnover for the preceding financial year, whichever is higher:

(a) <deleted>

(b) <deleted>

3 a. Non-compliance of the AI system with the requirements laid down in Articles 10 and 13 shall be subject to administrative fines of up to EUR 20 000 000 or, if the offender is a company, up to 4% of its total worldwide annual turnover for the preceding financial year, whichever is the higher.

4. Non-compliance of the AI system or foundation model with any requirements or obligations under this Regulation, other than those laid down in Articles 5, 10 and 13, shall be subject to administrative fines of up to EUR 10 000 000 or, if the offender is a company, up to 2% of its total worldwide annual turnover for the preceding financial year, whichever is higher.

5. The supply of incorrect, incomplete or misleading information to notified bodies and national competent authorities in reply to a request shall be subject to administrative fines of up to 5 000 000 EUR or, if the offender is a company, up to 1 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

6. Fines may be imposed in addition to or instead of non-monetary measures such as orders or warnings. When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following:

(a) the nature, gravity and duration of the infringement and of its consequences, taking into account the purpose of the AI system, as well as, where appropriate, the number of affected persons and the level of damage suffered by them;

(b) whether administrative fines have been already applied by other national supervisory authorities of one or more Member States to the same operator for the same infringement;

(c) the size and annual turnover of the operator committing the infringement;

(c a) any action taken by the operator to mitigate the harm or damage suffered by the affected persons;

(c b) the intentional or negligent character of the infringement;

(c c) the degree of cooperation with the national competent authorities, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

(c d) the degree of responsibility of the operator taking into account the technical and organisational measures implemented by them;

(c e) the manner in which the infringement became known to the national competent authorities, in particular whether, and if so to what extent, the operator notified the infringement;

(c f) adherence to approved codes of conduct or approved certification mechanisms;

(c g) any relevant previous infringements by the operator;

(c h) any other aggravating or mitigating factor applicable to the circumstances of the case.

7. Each Member State shall lay down rules on administrative fines to be imposed on public authorities and bodies established in that Member State.

8. Depending on the legal system of the Member States, the rules on administrative fines may be applied in such a manner that the fines are imposed by competent national courts or other bodies as applicable in those Member States. The application of such rules in those Member States shall have an equivalent effect.

8 a. The penalties referred to in this Article as well as the associated litigation costs and indemnification claims may not be the subject of contractual clauses or other form of burden-sharing agreements between providers and distributors, importers, deployers, or any other third parties.

8 b. National supervisory authorities shall, on an annual basis, report to the AI Office about the fines they have issued during that year, in accordance with this Article.

8 c. The exercise by competent authorities of their powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and national law, including judicial remedy and due process.

Article 72
Administrative fines on Union institutions, agencies and bodies

1. The European Data Protection Supervisor may impose administrative fines on Union institutions, agencies and bodies falling within the scope of this Regulation. When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following:

(a) the nature, gravity and duration of the infringement and of its consequences, taking into account the purpose of the AI system concerned as well as the number of affected persons and the level of damage suffered by them, and any relevant previous infringement;

(a a) any action taken by the Union institution, agency or body to mitigate the damage suffered by affected persons;

(a b) the degree of responsibility of the Union institution, agency or body, taking into account technical and organisational measures implemented by them;

(b) the degree of cooperation with the European Data Protection Supervisor in order to remedy the infringement and mitigate the possible adverse effects of the infringement, including compliance with any of the measures previously ordered by the European Data Protection Supervisor against the Union institution or agency or body concerned with regard to the same subject matter;

(c) any similar previous infringements by the Union institution, agency or body;

(c a) the manner in which the infringement became known to the European Data Protection Supervisor, in particular whether, and if so to what extent, the Union institution or body notified the infringement;

(c b) the annual budget of the body;

2. Non-compliance with the prohibition of the artificial intelligence practices referred to in Article 5 shall be subject to administrative fines of up to EUR 1 500 000:

(a) <deleted>

(b) non-compliance of the AI system with the requirements laid down in Article 10.

2 a. Non-compliance of the AI system with the requirements laid down in Article 10 shall be subject to administrative fines of up to 1 000 000 EUR.

3. The non-compliance of the AI system with any requirements or obligations under this Regulation, other than those laid down in Articles 5 and 10, shall be subject to administrative fines of up to EUR 750 000.

4. Before taking decisions pursuant to this Article, the European Data Protection Supervisor shall give the Union institution, agency or body which is the subject of the proceedings conducted by the European Data Protection Supervisor the opportunity of being heard on the matter regarding the possible infringement. The European Data Protection Supervisor shall base his or her decisions only on elements and circumstances on which the parties concerned have been able to comment. Complainants, if any, shall be associated closely with the proceedings.

5. The rights of defense of the parties concerned shall be fully respected in the proceedings. They shall be entitled to have access to the European Data Protection Supervisor’s file, subject to the legitimate interest of individuals or undertakings in the protection of their personal data or business secrets.

6. Funds collected by imposition of fines in this Article shall contribute to the general budget of the Union. The fines shall not affect the effective operation of the Union institution, body or agency fined.

6 a. The European Data Protection Supervisor shall, on an annual basis, notify the AI Office of the fines it has imposed pursuant to this Article.