The European Union has warned Microsoft that it could be fined up to 1% of its global annual turnover under the bloc’s online governance regime, the Digital Services Act (DSA), after the company failed to respond to a request for information (RFI) that focused on its generative AI tools. In March 2024, the EU asked Microsoft and several other tech giants for information about systemic risks posed by generative AI tools. On 16 May 2024, the Commission said Microsoft failed to provide some requested documents. An updated version of the Commission’s press release recently tweaked the phrasing, removing an earlier claim that the EU did not receive an answer from Microsoft. The revised version states that the EU is stepping up enforcement action “following an initial request for information.”[1]
The Commission has given Microsoft until 27 May 2024 to supply the requested data or risk enforcement. Fines under the DSA can scale up to 6% of global annual revenue. Still, incorrect, incomplete, or misleading information in response to a formal RFI can result in a standalone fine of 1%. That could sum to a penalty of up to a couple of billion dollars in Microsoft’s case. The company reported revenue of $211.92 billion in the fiscal year ended 30 June 2023.
The Commission itself oversees larger platforms’ systemic risk obligations under the DSA, and this warning sits atop a toolbox of powerful enforcement options that could be far costlier for Microsoft than any reputational ding it might get for failing to produce data on request. The Commission said it lacks information about risks from search engine Bing’s generative AI features, especially the regulator-highlighted AI assistant “Copilot in Bing” and image generation tool “Image Creator by Designer.” The EU said it is particularly concerned about any risks the tools may pose to civic discourse and electoral processes.
The Commission has given Microsoft until the deadline to provide the missing information. If the company fails to produce the data by then, the Commission may impose “periodic penalties” of up to 5% of its average daily income or worldwide annual turnover.
Bing was designated as a so-called “very large online search engine” (VLOSE) under the DSA in April 2023. It is subject to an extra layer of obligations to mitigate systemic risks like disinformation. The DSA’s obligation on larger platforms to mitigate disinformation puts generative AI technologies squarely in the frame. Tech giants have been at the forefront of embedding GenAI into their mainstream platforms despite glaring flaws, such as the tendency for large language models (LLMs) to fabricate information while presenting it as fact.
AI-powered image generation tools have also been shown to produce racially biased or potentially harmful output, such as misleading deepfakes. The EU, meanwhile, has an election coming up next month, which is concentrating minds in Brussels on AI-fueled political disinformation. “The request for information is based on the suspicion that Bing may have breached the DSA for risks linked to generative AI, such as so-called ‘hallucinations,’ the viral dissemination of deepfakes, as well as the automated manipulation of services that can mislead voters,” the Commission wrote in a press release. “Under the DSA, designated services, including Bing, must carry out an adequate risk assessment and adopt respective risk mitigation measures (Articles 34 and 35 of the DSA). Generative AI is one of the risks identified by the Commission in its guidelines on the integrity of electoral processes, particularly for the upcoming elections to the European Parliament in June.”
Reached for comment, a Microsoft spokesperson sent a statement claiming to be “deeply committed to creating safe experiences online and working with regulators on this important topic. We have been fully cooperating with the European Commission as part of the voluntary request for information. We remain committed to responding to their questions and sharing more about our approach to digital safety and compliance with the DSA.” Microsoft also wrote: “Across our diverse range of online services, we take steps to measure and mitigate potential risks. That includes several actions to prepare our tools for the 2024 elections and help safeguard voters, candidates, campaigns, and election authorities. We will also continue collaborating with our industry peers as part of the Tech Accord to Combat Deceptive Use of AI in 2024 Elections.”
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Our services can help detect cyber threats and vulnerabilities. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://techcrunch.com/2024/05/17/microsoft-warned-it-could-be-fined-billions-by-eu-over-missing-genai-risk-info/
Comments