AI Act and Individual Rights: A Juridical and Technical Perspective Costanza Alfieri1,† , Francesca Caroccia1,† and Paola Inverardi1,*,† 1 Università degli Studi dell’Aquila, L’Aquila, Italy Abstract In April 2021, the EU Commission published a new proposal, laying down harmonized rules on Artificial Intelligence (AI Act). In the Commission’s view, such a harmonized solution has the double role of strengthening the internal market and remaining competitive with other regions of the world while providing legal certainty and adequate remedies to consumers and producers. In this contribution, we present an analysis of the AI Act by addressing the problem of liability and respect of individual rights. The analysis shows that the AI Act takes into consideration the social dimension of the risks, whereas the hypothesis of a concrete breech of individual rights is neglected. In this context, we propose both technical and juridical solutions which are based on the idea of improving human-machine interaction. The technical solution aims at empowering the user when interacting with the digital world, whereas the juridical solutions provide a legal ground both for supporting the technical proposal and for guaranteeing augmented interaction between machine and the users. Keywords AI Act, Autonomous System, Liability, Human-machine Interaction 1. Introduction 1.1. AI Act: Balancing Technological Competitiveness and Fundamental Rights. In April 2021, the EU Commission published a proposal, laying down harmonized rules on Artificial Intelligence (AI). The Commission’s initiative has been the first ever attempt to build a specific EU legal framework, to regulate (some aspects of) the use and commercialization of AI Systems. Until now, the question was subject to a wide range of national and supranational law and principles, on singular and specific aspects: such a harmonized solution has a crucial importance, not only to strengthen the internal market and remain competitive with other regions of the world, but also to provide legal certainty and adequate remedies to consumers and producers. In the Commission’s view, the legislative intervention should ensure that European companies IAIL 2022 - Imaging the AI Landscape after the AI Act, 13𝑡ℎ of June 2022, Amsterdam, Netherlands * Corresponding author. † All Authors have read and agreed to the published version of the manuscript. F. Caroccia is responsible for par. 1, 1.1, 1.2, 2, 2.1, 2.2, 2.3, 3.2, 3.3; C. Alfieri and P. Inverardi are responsible for par. 3, 3.1, 4. $ costanza.alfieri@student.univaq.it (C. Alfieri); francesca.caroccia@univaq.it (F. Caroccia); paola.inverardi@univaq.it (P. Inverardi)  0000-0002-5082-3844 (C. Alfieri); 0000-0002-2328-9527 (F. Caroccia); 0000-0001-6734-1318 (P. Inverardi) © 2022 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CEUR Workshop Proceedings http://ceur-ws.org ISSN 1613-0073 CEUR Workshop Proceedings (CEUR-WS.org) maintain competitive advantages and technological leadership but, at the same time, “that people can trust the technology is used in a way that is safe and compliant with the law, including the respect of fundamental rights”1 . The respect of fundamental rights, protected both under the Treaties of the European Union and the EU Charter of Fundamental Rights, is a key-theme, when AI technologies are concerned. Most notably, it is underlined that AI systems may affect the right to non-discrimination, freedom of expression, human dignity, privacy. In this regards, it is not useless to recall the necessity of the proportionality test: any interference with a Charter right needs to be examined as to whether the given legitimate aim could not be obtained by other means that interfere less with the right guaranteed. Concerning new technologies, the ECHR expressly observed that States should “strike a right balance” between protecting fundamental rights and developing new technologies2 . The new rules should be applied to a wide range of actors: as usual, to users of AI systems located in the EU, to providers of AI systems established within the EU or placing AI systems on the EU market, but also to users and providers of AI systems located in a third country, where the output produced by those systems is used in the EU. Moreover, the EU’s law is expected to be one of the first of the world on AI technology, setting a global standard for emulation by other jurisdictions [1]. This entails, inter alia, the opportunity and responsibility of proposing a “European human-centered model” [2] of interacting with AI that is, a model found “in respect for human dignity, in which the human being enjoys a unique and inalienable moral status” 3 . 1.2. The “Risk-based Approach”: Liability Rules vs. Accountability Rules. As it is known, the Commission proposal is focused on a “risk-based” approach, according which AI systems are classified on the basis of the level of risk they represent for fundamental rights. In this perspective, AI systems are categorized as “unacceptable” risks systems (prohibited), “high-risk” systems (authorized, but subject to requirements and certifications to access to the EU market – following a premarket conformity regime), “limited risk” systems (subject to very light transparency obligations: codes of conduct and similar), “low or minimal” risk systems. Some AI systems presenting limited risks (such as systems that interacts with humans, i.e. chatbots) would be subject to a limited set of specific transparency obligations (see Figure 1). By this way, a minimalist regulatory approach is designed, where legal intervention “is tailored to those concrete situations where there is a justified cause for concern or where such concern can reasonably be anticipated in the near future” [3]. At a national level, the respect of the new rules should be ensured by market surveillance au- thorities, which would be responsible for assessing operators’ compliance with the requirements for high-risk systems (pre-market assessment). At a central level, an European Artificial Intelli- gence Board is previewed, to ensure harmonised implementation of the Act and cooperation between national authorities and the Commission. 1 The EP Resolution on a Framework of Ethical Aspects of Artificial Intelligence, Robotics and Related Technologies (October 20, 2020) specifically recommended to the Commission to propose legislative action balancing opportunities and benefits of AI, with protection of ethical principles. 2 ECHR, S. and Marper v. the UK, Nos. 30562/04 and 30566/04, 4 December 2008, par. 112 3 See definition provided by the High-Level Expert Group on AI (glossary section of the Ethics Guidelines for Trustworthy AI). Figure 1: Pyramid of Risk. Administrative fines are set out to sanction non-compliance with the AI Act. This model is not too far from GDPR: it implies a set of norms aimed to evaluate the conduct of the actors (here we refer to the “producers” actors, but in the digital world there are also other actors, the consumers and/or other actors that are no producer and no consumers but may be anyhow impacted by the technology); a governance to guarantee compliance with behavioral rules (national market surveillance authorities or similar); the existence of possible sanctions4 . It shows to actors how they might act in order to be compliant, on the assumption that producers and users should respect predetermined criteria. As it was already observed with regards to GDPR, the shift from liability to accountability is evident [2, 4, 5]. In such a new accounting model, the agents are requested to adopt strategies and concrete measures, in order to reduce risks connected with the use of AI. At the same time, they can autonomously determine modes, guarantees and limits of their own conduct, provided that they build a strategy to reduce risks, within the new European legal framework. By this way, producers can pre-determine the level of risk, that allows them to maximize utilities and minimize responsibility. Within this context, liability rules should be called to integrate and complete the system, providing solutions when a damage occurs, despite the respect of prevention measures. Instead, in the AI Act liability rules are completely absent: the Commission merely points out that the proposal has to be complemented by other initiatives that address liability issues related to new technologies (including the revision of product safety legislation)5 . In other words, the normative focus shifts from the ex post (after the damage) to 4 European Parliament resolution of 16 February 2017 with recommendations to the Com-mission on Civil Law Rules on Robotics (2015/2103(INL)). 5 On 30 June 2021, the Commission adopted a proposal for a regulation on general product safety, which would the ex ante (harms prevention) phase. This is a significant novelty, in the European strategy of AI regulation: even if the previous interventions (as, for example, the European Parliament resolution on Civil Law Rules on Robotics) do not ignore the risk management approach (which was expressly indicated in the mentioned resolution as a strategic tool to reduce risks), they were focused right on liability rules. By this way, the Commission seems to accept the suggestion of adopting prevention policies, enabling companies to quantify the costs of accidents, on the grounds that liability rules fundamentally are instruments to allocate loss, while accountability systems offer effective incentives to risks prevention. 2. Some Critical Issues After its publication, the Commission’s proposal received a number of non positive feedback from stakeholders. Most of them called for a major revision of the AI Act, aimed to ensure a better allocation of responsibility, to strength enforcement mechanisms and to foster democratic participation6 . To achieve those objectives of preserving individual safety and fundamental rights, without overly inhibiting innovation in AI, a “balanced” approach is put in place. However, the Com- mission seems to fail to translate her intention into concrete and effective action, considering that the regulatory framework is built following criteria of “minimum necessary requirements”. It is evident the Commission’s concern of preserving the EU’s technological competitiveness: the solution adopted promotes the AI development, avoiding the increasing of the costs of AI systems commercialization, “without unduly constraining or hindering technological develop- ment” [3]. On the contrary, the question of the consistency with Union values and fundamental rights is clearly declared, but substantially underestimated. Many experts, indeed, underline that the described approach does not guarantee an adequate level of protection of fundamental rights (and, at the same time, it disadvantages small and medium enterprises, which will not be able to manage the procedural burden imposed by legislation, as the experience of GDPR clearly showed). 2.1. The lack of enforcement structures Accountability, in this context, means “the ability to determine whether a decision was made in accordance with procedural and substantive standards and to hold someone responsible if those standards are not met”[6]. It is considered desirable, if not necessary, for several reasons. Mainly, - it enables producers to perform the risks assessment process in terms of costs/benefits analysis, ensuring EU competitiveness on global markets; - it responds to the necessity of avoiding damages caused by hazardous activities, on the assumption that the consequences of this kind of damages could be devastating and impossible to remove (i.e. nuclear disasters). replace the current General Product Safety Directive and cover product safety of emerging technologies (COM (2021) 346 30.6.2021. 6 EPRS European Parliamentary Research Service: Artificial intelligence act. Briefing,www.europarl.europa.eu/ ReData/etudes/BRIE/2021/698792/EPRS_BRI(2021)698792_EN.pdf, last accessed 2022/3/25. But, what happens in case of failure to comply with the requirements, or when a damage is caused, despite the adoption of preventive measures? While the proposal disciplines the preventive phase, it does not answer to the question about the breech of the law [1, 7]. Scholars stress that the AI Act fails to establish effective enforcement structures [8]. The power transferred to Member States in this domain is not sufficient and the experience of GDPR has showed that enforcement by national authorities leads to different levels of protection across the EU, not only due to resources assigned but also to cultural context. Moreover, the weakness of public enforcement is not compensate by private tools. Implementation is essentially left to the self assessment and private control (EPOs) (a kind of voluntary phase), and users (individuals affected by AI systems, civil rights organizations, etc...) have no right to complain to market surveillance authorities or to sue a provider. More in general, the AI Act does not provide for any individual rights, nor for remedies by which damaged parties could react against failures under the AI Act. To explain this question, the example of GDPR could still be useful. The GDPR clearly lists both the rights of the data subject (chap. 3, artt. 12-23) and remedies and penalties (artt. 77-84) in case of unlawful conduct, expressly stating, among others, that “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. In the AI Act, on the contrary, similar rule are lacking: the act does not contain any reference to individuals’ rights, does not recognize any right to compensation to damaged users. The legal framework is entirely designed from the companies’ perspective [9]. Said otherwise, in this part AI Act only takes into consideration the social dimension of the risks (that is, it prevents and reduce the costs of accidents for the entire society), whereas the hypothesis of a concrete breech of individual rights is neglected (that is, it ignores the question of the allocation of the loss, when an individual is concretely damaged). Yet, “the major concern for any responsibility system is ensuring victim compensation”: as Scholars pointed out, “ex ante safety should be decoupled from ex post compensation” [10]. Besides the accountability directives, liability rules have to be taken into consideration, to build an effective responsibility model: accountability and liability rules need to be reciprocally integrated and completed. Probably, it would be necessary to know the entire regulatory plan conceived by the Commis- sion, in order to express a judgement. As we said, the AI Act is only an element of a complex picture, which includes the revision of the safety legislation7 (such as the Machinery Regulation and the General Product Safety Directive) in order to develop an ecosystem of trust for AI. It is not a case if two months after, on 30 June 2021, the European Commission published an inception impact assessment for a Directive on “Civil liability - adapting liability rules to the digital age and artificial intelligence”. Accountability and liability rules are both necessary to build an efficient system of damage control, since they govern two different moments (ex ante-ex post) of the same problem. However, it seems that some consideration may be expressed, even at this stage. 7 See footnote 5 2.2. Definition of the risks level and the lack of democracy Following the proposal, AI systems are classified on the basis of the level of risk they represent for fundamental rights. Critics have been raised on the classification model. As it has been underlined, this way of ex ante linking AI systems to different risk categories does not consider that the level of risk also depends on the context in which a system is deployed and cannot be fully determined in advance. The main consequence is a certain level of legal uncertainty for developers, operators, and users of AI systems [11]. From a different perspective, a strategy is suggested, in order to introduce and ensure for EU citizens a right of consultation and participation in public decision-making on AI, in order to ensure democratic procedures and a better level of protection not only for individual rights, but also for societal interests. Scholars highlight an excessive delegation of regulatory power to private bodies, which may produce a societal harm [8]. Within this context, the concept of “societal interest” (and of societal harm) is considered as distinct from the “individual” or “collective”, as it “goes beyond the concern of (the sum of) individuals, but affects society at large“. Indeed, societal harms concern to an interest held by society, “going over and above the sum of individual interests” [12]. As it was observed, quite paradoxically, the AI Act succeeds in ignoring the question of societal harms (i.e. environmental harm, voter manipulation etc.), and, at the same time, neglecting individual rights [12]. 2.3. Ethics guidelines are the best way to protect fundamental rights? Lastly, the question of the use of ethics. Under the AI Act, high-risk systems would have to comply with both technical and legal obligations, while providers of limited risk systems are simply encouraged to adopt ethical rules. This is necessary to preserve individual safety without inhibiting innovation. Nevertheless, this overlap of juridical (technical/legal requirements) and ethical (codes of conduct) rules is not convincing. The approach is not new. With specific regard to AI, it has been observed that, by 2019, more than 80 Ethical Guidelines have been published on national and international level [13], with the involvement of consumers, other stakeholders and their representative organisations. The same EU Commission in April 2019 published a set of non-binding Ethics guidelines for trustworthy AI, prepared by the Commission’s High-Level Expert Group on AI, aimed “to offer guidance on how to foster and secure the development of ethical AI systems in the EU”8 . However: 1. the civil society’s involvement is not in itself a guarantee of fair representation of different interests at stake. A disproportion between the presence and the right balance of different stakeholder’s voices has been observed in many expert hearings in terms of AI policies; 2. the existence of a number of codes of ethical rules could encourage the “ethics shopping”: the risk is the creation of a market of principles and values, “where private and public actors may shop for the kind of ethics that is best retrofitted to justify their current behaviours” [14]; 3. the AI Act does not answer to the question on possible conflicts among different ethical rules/codes of conduct; 8 Independent High-Level Expert Group on AI, Ethics Guidelines for Trustworthy AI, April 8 2019 4. empirical experiments show that ethics guidelines has no significant influence on the decision-making of software developers: ethics rules are often considered as “extraneous”, “imposed from institutions outside of the technical community”. Moreover, “where ethics is integrated into institutions, it mainly serves as a marketing strategy” [15]; 5. the proposed model has been viewed as an “unlawful delegation of the Commission’s rulemaking power to private bodies” [7] (with all that this implies in terms of lack of trans- parency and democracy): “ethics guidelines, as well as other concepts of self-governance, may serve to pretend that accountability can be devolved from state authorities and democratic institutions” [16]; 6. “minimum risk” does not necessarily means “absence of risk”: also in this case, there is no assurance that a harm may occur, and the AI Act does not provide solutions in this case. And then again the adoption of codes of conduct is simply “encouraged”. Scholars point out that ethics has a lack of reinforcement mechanisms and deviations from ethics rules has no consequences. If so, there is a gap in the protection of individual rights against concrete harms, as the AI Act does not recognise specific justiciable and/or enforceable rules. In brief, “those impacted by AI systems – sometimes thought of as end-users, data subjects or consumers – have no rights, and almost no role in the AI Act” [17]. 3. Proposals The question at stake arises as to whether the described strategy (from liability to accountability, we said) optimises the normative tool, in order to achieve the declared goals (that is, a balance between competitiveness and protection of fundamental rights), or is it possible to imagine other solutions to strength and integrate such a model. Moreover, it has been showed that the solution of voluntary ethical guidelines still present several limits. While waiting for a better definition of the EU’s regulatory framework, it is worth under- standing if in the current legal context there are ways to design AI systems and their interactions with users in order to improve the degree of fundamental rights protection, answering the call for more “tangible bridges between abstract values and technical implementations” [15]. From the particular perspective of the human dignity, a possible answer lies in a stronger involvement of users, aimed to raise the level of the human-machine interaction. In [18], the authors affirms that “there is an emerging consensus about the threat that the Big Tech companies pose to democracy” whereas “there is little agreement about how to respond”. To face these concerns, many critics demanded Internet platforms to assume greater responsability on the content they disclose, but only pressuring these platforms to act according to public interest is not a long-term solution [18]. Therefore, they brought up the suggestion of finding a technical solution, a so-called Middleware which is a “software that rides on top of an existing platform and can modify the presentation of underlying data”. Such a software should be added to current technology platforms’ services, and should “allow users to choose how information is curated and filtered for them”. Our technical solution goes in this direction: creating a system that mediates the interaction of the users with the digital world, by offering a personalized exoskeleton. 3.1. A Technical Proposal for Empowering the User and Limiting Producers’ Autonomy. In the absence of a satisfying regulation of autonomous systems, the power and the burden to preserve the users’ rights remain in the hands of their producers. Hence, it seems necessary to raise the level of human-machine interaction, on the one hand, by empowering the user when interacts with the digital world, and on the other hand, by limiting producer’s autonomy. In this direction, the multidisciplinary EXOSOUL project9 [19] aims to empower humans with an automatically generated exoskeleton, i.e. a software shield that protects them and their personal data through the mediation of all interactions with the digital world that would result in unacceptable or morally wrong behaviors according to their ethical and privacy preferences. The exoskeleton, composed by active data and ethical actuator, on one side governs the creation, destruction and sharing of personal data according to the owner ethical preferences, on the other side intercepts the interactions between the autonomous system and the user to prevent behaviours not acceptable according to the user’s ethical profile (see Fig. 2). Therefore, such system relies on the ethical profiling of a user, which reflects her general moral preferences that are used to predict user’s digital behaviors and to interact with the digital world according to this profile [20]. This is a strong point in user’s protection: indeed, the exoskeleton operates according to individual preferences previously established, and it is less subject to the context in which it is deployed, as it is the case for many autonomous systems. The adoption of an exoskeleton from citizen will turn into reality a negotiation between users and the digital world: indeed, the exoskeleton brings the individual preferences of the user and operates accordingly, by reversing the actual paradigm of passively accepting the way autonomous systems work. As suggested in [18, 19], the diffusion and adoption of exoskeletons or mediator software will create new opportunities for existing and new companies in the field of societal-friendly applications. This will create new actors in the digital economy sphere thus balancing the power of autonomous systems’ producers. The non-consideration of end-users in the AI Act has been highlighted by [17], for which their role of “subject of rights [. . . ] has been obscured and their human dignity neglected”. A contribution to the current role of end-users could be provided by the deployment of exoskele- tons, whose purpose to preserve human dignity is pursued by protecting individual preferences and their choices. The ultimate goal of EXOSOUL is to restore a balance of power between users and entities in the digital world. Indeed, a wide adoption of exoskeletons from citizens will eventually force big players (such as Android, Apple, and automotive OEMs) to change the way they manage control policies, users’ data, and ethics [19]. As already suggested in the following section, if user are empowered autonomous system producers will have to offer a wider number of choices and more customized preferences. 9 The project participants’ expertise cover multiple scientific areas: computer science, philosophy, psychology, sociology and jurists. Figure 2: EXOSOUL Ethical Engine Scheme. 3.2. Improving Human-machine Interaction: a Model of Moral Agreement. In order to guarantee such an augmented interaction, a model of moral agreement is proposed, between machine and the users. Following this model, AI systems as far as individual rights are concerned, could leave to the users the choice of what they assume as fair, reasonable, satisfactory, in the aim of making autonomous systems flexible and adaptable to different individual values systems. This solution is expected to reduce the risk that producers influence the machine’s ethical ecosystem and, at the same time, to ensure a wide space to individual values systems. On the grounds of interests, preferences, values selected by the user, the AI system should offer accept- able and tailored solutions. By this way, the same system gains a higher level of adaptability to different, specific needs (and to different individual values systems). From the point of view of the user, this means to have the chance of choosing among a wider and more customized range of preferences, but, at the same time, to accept to release some levels of privacy, since the precondition is the digital modeling of personal data (ethical profiling) although through a secure personalized software. From the point of view of the producer, the model requests to open part of the decision interface to users through a simplification of the selection process and enlargement of choices, but, at the same time, it could reduce some risks (for ex., risk of discrimination) and enhance the user’s trust in the system. 3.3. Juridical Grounds: Informed Consent as Pre-condition for the Moral Agreement’s Validity. From a juridical perspective, the proposed model of moral agreement highlights the theoretical category of contract and reiterates the model of the express and informed consent, also adopted by GDPR and traditionally considered an effective tool to guarantee self-determination and to protect individual rights. Express and informed consent are very close conceptual categories, but not exactly the same, the first (express consent) being a consent pertaining specifically to the activity to which the consent is given, whereas the second (informed consent) requires a substantial understanding of the context in substantial absence of control by others. Informed consent has an ethical dimension, as it facilitates the transfer of information between two parties, allowing them “to become aware of the potential risks that may arise if they consent to a procedure or determine whether consenting to a procedure may conflict with their values or preferences” [21]. Informed consent would also have “a kind of symbolic value for parties, because it acknowledges them as decision makers and recognises their personhood” [21]. However, in the course of time the model of consent has showed a number of limits, with particular reference to: • explainability: a free and specific consent is based on the knowledge and understanding of the context in which the same consent is done. This means that it should be possible to explain the internal mechanisms of a deep learning system in human terms. However, this exigence is limited by several factors, as, among others, the companies’ reluctance to reveal their own internal working, or the extreme complexity of the same system (or the black-box phenomenon: “a machine learning algorithm may be so complex that not even the creators understand how it works) [22]; • transparency: the choice cannot be considered valid, if the user does not know the way of functioning of the algorithm10 . Similarly, an overload of information can make the “informed consent” useless. Consent is no longer effective as it once was as mechanism of control, in case of excessive multiplication of choices; • effectiveness: having a wide range of choice does not mean to express a specific consent for every moral preference. Express consent is not necessarily informed consent, as it could merely be a more complicated process. This implies to rethink the model of continual consent. In sum, the problem of the informed consent lies in its fundamental assumption, that “indi- viduals can understand all facts relevant to true choice at the moment of pair-wise contracting between individuals and data gatherers“ [23]. This limit of the model of consent has been 10 See C. Cass., ord. 25.05.2021, n. 14381, available at http://www.italgiure.giustizia.it/xway/application/nif/clean/hc. dll?verbo=attach&db=snciv&id=./20210525/snciv@s10@a2021@n14381@tO.clean.pdf. clearly showed during the last years in the GDPR implementation, and the experience of data protection can be easily translated to the discussion on AI systems. Considering the above, a number of Authors proposed alternative solutions, such, for example, the adoption of a stringent rule-based approach to permissible and prohibited conducts [21], a ’soft governance’ ethical regulation (not necessarily as an alternative, but as a complement of the first proposal), the growth of representativeness and diversification within AI development teams, the involvement of stakeholders in designing and building AI systems. As a different option, some scholars point out that “consent cannot be confused with choice” and must be defined “by its moral core”, which includes account knowledge, voluntariness, and fairness. None of these proposals is taken into account, in the AI Act [24]. Being aware about these limits does not imply the refuse of the proposed model, but rather the necessity of rethinking informed consent as the unique and most effective tool to guarantee the protection of individual rights [21, 25, 26]. In any case, the paradigm of the contract – as a guarantee of voluntariness – needs to be integrated with the paradigm of responsibility, this last in its twofold dimension, of liability and accountability. 4. Conclusion The AI Act is a big step that Europe has put forward in the AI regulation arena. In this paper we focus on its adequacy to protect individual rights and propose a different approach that have juridical and technical implications. The overarching principle that inspires us is that of human dignity: “the principle of human dignity, understood as the recognition of the inherent human state of being worthy of respect, must not be violated by ‘autonomous’ technologies” as stated by the European Group on Ethics in Science and New Technologies in [27]. Our approach to satisfy that principle is to guarantee an even interaction among system and user that may eventually result on the settlement of a moral agreement steered by the user. This is possible if the user during digital interactions can choose how to protect her dignity by means of alternative software tools, as suggested in [18]. In our proposal this role is played by the exoskeleton. Many steps forward have been done in the EXOSOUL project but many more are yet to come, for which a big multidisciplinary effort is demanded within the project’s scientific community. References [1] M. Ebers, Standardizing AI-The Case of the European Commission’s Proposal for an Artificial Intelligence Act, The Cambridge Handbook of Artificial Intelligence: Global Perspectives on Law and Ethics (2021). [2] F. Caroccia, Ancora su responsabilità civile e uso delle intelligenze artificiali., Contratto e Impresa (2022). [3] Artificial Intelligence Act. “Proposal for a regulation of the European Parliament and the Council laying down harmonised rules on Artificial Intelligence (Artifi- cial Intelligence Act) and amending certain union legislative acts", EUR-Lex- 52021PC0206 (2021). URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELLAR: e0649735-a372-11eb-9585-01aa75ed71a1. [4] G. Comandé, Intelligenza artificiale e responsabilità tra «liability» e «accountability». Il carattere trasformativo dell’IA e il problema della responsabilità, Analisi Giuridica dell’Economia 18 (2019) 169–188. Società editrice il Mulino. [5] U. Salanitro, Intelligenza artificiale e responsabilità: la strategia della Commissione Europea, Rivista di diritto civile 66 (2020) 1246–1276. [6] F. Doshi-Velez, M. Kortz, R. Budish, C. Bavitz, S. Gershman, D. O’Brien, K. Scott, S. Schieber, J. Waldo, D. Weinberger, et al., Accountability of AI under the law: The role of explanation, arXiv preprint arXiv:1711.01134 (2017). [7] M. Veale, F. Z. Borgesius, Demystifying the draft EU Artificial Intelligence Act—Analysing the good, the bad, and the unclear elements of the proposed approach, Computer Law Review International 22 (2021) 97–112. [8] M. Ebers, V. R. Hoch, F. Rosenkranz, H. Ruschemeier, B. Steinrötter, The european commission’s proposal for an artificial intelligence act—a critical assessment by members of the robotics and ai law society (rails), J 4 (2021) 589–603. [9] F. Ufert, Ai regulation through the lens of fundamental rights: How well does the gdpr address the challenges posed by ai?, European Papers-A Journal on Law and Integration 2020 (2020) 1087–1097. [10] A. BERTOLINI, et al., Artificial intelligence and civil liability (2020). [11] N. A. Smuha, E. Ahmed-Rengers, A. Harkens, W. Li, J. MacLaren, R. Piselli, K. Yeung, How the EU can achieve legally trustworthy AI: A response to the European Commission’s proposal for an Artificial Intelligence Act, Available at SSRN (2021). [12] N. A. Smuha, Beyond the individual: governing AI’s societal harm, Internet Policy Review 10 (2021). [13] R. M. Vasse’i, The ethical guidelines for trustworthy AI–A procrastination of effective law enforcement, Computer Law Review International 20 (2019) 129–136. [14] L. Floridi, Translating principles into practices of digital ethics: Five risks of being unethical, in: Ethics, Governance, and Policies in Artificial Intelligence, Springer, 2021, pp. 81–90. [15] T. Hagendorff, The ethics of ai ethics: An evaluation of guidelines, Minds and Machines 30 (2020) 99–120. [16] R. Calo, Artificial intelligence policy: a primer and roadmap, UCDL Rev. 51 (2017) 399. [17] L. Edwards, Regulating AI in Europe: four problems and four solutions., 2022. URL: https://www.adalovelaceinstitute.org/report/regulating-ai-in-europe/. [18] F. Fukuyama, B. Richman, A. Goel, How to save democracy from technology: ending big tech’s information monopoly, Foreign Aff. 100 (2021) 98. [19] M. Autili, D. Di Ruscio, P. Inverardi, P. Pelliccione, M. Tivoli, A software exoskeleton to protect and support citizen’s ethics and privacy in the digital world, IEEE Access 7 (2019) 62011–62021. [20] P. Migliarini, G. L. Scoccia, M. Autili, P. Inverardi, On the elicitation of privacy and ethics preferences of mobile users, in: Proceedings of the IEEE/ACM 7th International Conference on Mobile Software Engineering and Systems, 2020, pp. 132–136. [21] A. J. Andreotta, N. Kirkham, M. Rizzi, AI, big data, and the future of consent, Ai & Society (2021) 1–14. [22] J. Burrell, How the machine ‘thinks’: Understanding opacity in machine learning algo- rithms, Big Data & Society 3 (2016) 2053951715622512. [23] H. Nissenbaum, A contextual approach to privacy online, Daedalus 140 (2011) 32–48. [24] E. Edenberg, M. L. Jones, Troubleshooting ai and consent (2020). [25] S. C. Robinson, Trust, transparency, and openness: How inclusion of cultural values shapes nordic national public policy strategies for artificial intelligence (ai), Technology in Society 63 (2020) 101421. [26] G. K. Y. CHAN, M. YIP, Ai, data and private law: The theory-practice interface (2021). [27] E. G. on Ethics in Science, N. Technologies, et al., Statement on artificial intelligence, robotics and’autonomous’ systems: Brussels, 9 March 2018., EU: European Union, 2018.