2024-05-24
The EU AI Act passed - what UK charities need to know
The UK isn't subject to the EU AI Act. But its risk-based framework is the most useful thinking tool we've seen for charities trying to work out which AI use cases need governance and which just need common sense.
The EU Council gave final approval to the AI Act on 21 May 2024, completing a legislative process that began with the European Parliament's 523-46 vote in March. It will be published in the Official Journal this summer and enter into force in August. It's the world's first comprehensive AI law.
The Act uses a risk-based framework with four tiers: prohibited (social scoring, real-time biometric surveillance in public spaces), high-risk (AI in employment, education, law enforcement, critical infrastructure), limited risk (chatbots, deepfakes requiring transparency), and minimal risk (spam filters, AI in games, largely unregulated). Enforcement is phased: prohibited practices are banned from February 2025, obligations for general-purpose AI models apply from August 2025, and full enforcement begins August 2026.
The UK government has taken a different approach, opting for sector-led, principles-based regulation rather than comprehensive legislation. So you might reasonably ask: why should UK charities care?
Why the framework matters more than the law
Most charities we work with are trying to figure out which AI use cases to pursue and which to be cautious about. The EU's four-tier risk model is a practical thinking tool for that, regardless of whether it applies to you legally.
Using ChatGPT to draft a newsletter, summarising meeting notes, generating social media posts: these are minimal risk. They involve no personal data about beneficiaries and the outputs are low-stakes. Basic good practice is sufficient. If your charity uses a chatbot on your website, that's limited risk; visitors should know they're talking to AI. Using AI to assess beneficiary needs, triage service requests, or inform decisions about vulnerable people is high risk and needs impact assessments and proper human oversight. Most charities aren't doing this yet, but as AI adoption grows, more will.
The honest observation is that most AI use cases charities are likely to pursue right now fall comfortably into the minimal or limited risk categories. The legislation was quite flat in order to get through, and the delineation between tiers is fairly obvious. So the framework doesn't tell you much you couldn't work out for yourself. What it does do is give you a structure for the conversation, a way to say "we've thought about this proportionately" rather than either ignoring risk entirely or applying the same heavy governance to everything.
There's also a direct legal angle for some charities. Any charity processing personal data of EU residents through AI systems may fall within scope, similar to how GDPR applies to UK organisations serving EU individuals. Charities with European programmes, partners, or beneficiaries should check whether their AI use cases are caught, and get specific legal advice rather than guessing.
The UK isn't a regulation-free zone
The UK's approach of not legislating doesn't mean anything goes. The ICO's data protection framework, the Equality Act, and existing sector regulation all apply to AI use. The absence of an AI-specific law doesn't mean an absence of rules. It means the rules are scattered across different regulators, which is arguably harder to navigate than a single comprehensive Act.
And the current approach won't last forever. When UK regulation does arrive, it will probably draw on elements of the EU framework. Charities that have already thought about risk-based AI governance will be better placed than those scrambling to comply.
If you're developing or updating an AI policy, the four-tier model gives you a ready-made structure for proportionate governance. You don't need a formal regulatory assessment. A simple table listing each AI use case with its risk level and the governance you have in place is enough to start.