What the European Union’s Artificial Intelligence Act Means for Hoteliers Around the World
The European Union is once again taking the lead on setting ethical guidelines for advanced technology use, this time in regard to artificial intelligence.
Last month, the EU passed the Artificial Intelligence Act, or AI Act, the world’s first comprehensive legal overview of the use of AI technology in both the public and private sector. Parts of the law will go into effect starting June 10, although other parts of the legislation will not take effect for two years.
In short, the AI Act specifies different levels of risk associated with AI technology, what amount of transparency companies that use AI must share, establishes several EU watchdog bodies to enforce the rule and lays out penalties for violations. The law outright bans certain use cases of AI that are harmful to individual rights, such as “cognitive behavioral manipulation and social scoring… predictive policing based on profiling and systems that use biometric data to categorize people according to specific categories such as race, religion or sexual orientation,” according to a news release issued by the Council of the European Union.
The act attempts to merge and dovetail two regulatory concepts in one piece of law, said Dr. Nils Rauer, a Frankfurt-based partner at law firm Pinsent Masons. Rauer is also Pinsent Masons’ head of intellectual property for Germany, and global co-lead on artificial intelligence.
“In principle, the new AI regulation follows a risk-based approach. There are AI systems that are deemed too risky, which are therefore banned within the EU. High-risk AI systems are made subject to a fairly strict regime of provisions requesting ex-ante risk assessments, dedicated transparency about what the AI algorithms actually do and human surveillance,” Rauer said.
“AI systems with less of a risk potential need to comply with a more moderate regulatory regime,” he said. “On top of this categorization, there is a separate chapter on so-called general-purpose AI (GPAI) models. The categorization of GPAIs follows a different logic. If those models involve a so-called ‘systemic risk,’ stricter obligations apply. Immensely powerful large language models such as GPT 4.0 are likely to fall into that category.”
The EU’s AI Act is the first such IT-related law of this magnitude since the 2017 passing of the EU’s General Data Protection Regulation, which came into effect on May 25, 2018. As with that law, the new AI Act will apply to not only European Union businesses but also apply to any global company doing business in the EU.
Hoteliers will need to keep abreast of the law and any changes to it, especially in the area of employment, which is one of the act’s focal points, said Moyn Uddin, director of IT and security consultancy at Cyber Counsel.
Violations of GDPR regulations and data breaches can come at a heavy price, with the EU now able to impose fines of — depending on which is higher — up to €35 million ($38 million) or 7% of annual global turnover, Uddin said.
“AI is a buzzword, and it seems to be everywhere. Hoteliers will need to keep a handle on where it is being used. It needs to be under control,” he said.
Rapid advancements in technology often require a regulatory framework, Rauer said. He applauded the EU for passing the comprehensive AI Act.
“This is true for areas such as medical care, for social welfare or for financial services. The development and deploying of AI are therefore just another example where we as a society should establish legal guidelines and guardrails,” he said.
To use AI, hotel firms need best practices, just as they would for other disciplines in the industry. Uddin said there is a lot of information about AI that needs to be considered, including around ethical considerations and legal questions.
“There are privacy concerns, so the right legal basis is required,” Uddin said. “With GDPR, the stuff we were grappling with five years still exists and needs to be complied with, and laws around AI will have to be considered in parallel. Anyone who does business with the EU is obligated, regardless of where they are based.”
Thibault Catala is founder and managing director of Catala Consulting, which is currently developing a framework called Experimental Revenue Optimization with the aim of fostering a collaborative approach between hotel revenue management and AI. Catala agreed that the EU’s new AI Act has significant implications for hoteliers and the broader hospitality industry.
“Unlike the GDPR, which primarily focuses on data protection and privacy, the AI Act addresses the broader scope of AI usage, including ethical considerations, transparency and employment impacts,” Catala said. “For hoteliers, this means ensuring that any AI systems used, such as those for guest services, booking algorithms, pricing algorithms or operational management, comply with the new standards of transparency and accountability.”
AI issues are compounded by government legislation and framework, and its use along supply chains.
“We’re just starting in this AI journey, and it is fast-moving. Trust is key as AI in itself has no objective morality,” Uddin said.
He said the real pioneers of AI are Asian countries, not the EU or the U.S.
“The U.S. states are less keen on regulations, but they will have to get there eventually. The EU countries are not pioneers any more. Taiwan is the world’s largest provider of this technology, which is why it is always in the news and there are consistent squabbles between the U.S. and China,” Uddin said. “Also, the top seven IT businesses have a combined worth of $14 trillion, far larger than most countries’ gross domestic product. AI is an immense issue.”
On June 6, the BBC reported that Vienna-based nonprofit digital-rights organization NOYB had filed complaints with 11 national data-protection authorities in Europe against Meta’s plans to use “public posts and images from its Facebook and Instagram technology to train AI tools belonging to parent company.”
“We need to protect data and create AI systems to protect AI systems, to keep ahead of the bad guys and people injecting rubbish into AI. This is increasingly of importance in a world where more and more decisions will be based on data,” Uddin said.
Catala said hoteliers should make the immediate step of conducting an audit of their current systems involving AI directly or indirectly.
“This involves understanding the data these systems use, the decision-making processes they follow and ensuring they are free from biases that could affect employment decisions or guest interactions,” Catala said.
Rauer agreed that the EU’s AI Act will likely have the biggest impact on the hotel industry in terms of processing guest data and hiring and recruitment.
“AI systems intended to be used in the context of recruiting and promoting personnel are qualified as high-risk systems. Obviously, deploying AI in recruitment process is a core use case also in the hotel business,” he said. “Equally, AI can be extremely helpful in the context of processing guest data. Smart AI tools clearly have merit when huge quantities of information on guest preferences are to be analyzed for the sake of service optimization. Commonly, this is done by way of deploying [large language models] with high potential. Those are very likely to fall within the category of GPAIs with a systemic risk.”
Going forward, hoteliers should communicate how they’re using AI technology, Catala said.
“Transparency is key. Hoteliers must be prepared to explain how their AI systems work to both regulators and guests. Additionally, maintaining robust documentation of AI processes and decision criteria will be crucial for compliance,” he said.
“While this is probably complicated … I believe hoteliers should get in touch with the respective tech companies — property-management systems, revenue-management systems, customer reservations systems — and ask these questions directly,” Catala said, adding the new act, and others to follow, might have the advantage of getting the large IT firms to be more transparent.
Another important aspect is the need for human oversight, with the EU AI Act emphasizing the importance of human intervention in high-risk AI applications, Catala said.
“For hoteliers, this means ensuring that there are always human checks in place for AI-driven decisions, particularly those affecting employment, guest services and safety. This is a shift from the autonomous decision-making often associated with AI and requires a blend of technology and human judgment to ensure ethical standards are maintained,” he added.
Rauer recommended hoteliers take proactive steps to address their AI usage and test potential use cases for deploying AI tools in daily hotel operations.
“There are obligations that take effect way before the actual tool embarks on being used. An impact assessment might be needed at a much earlier stage,” he said. “Thus, before engaging with a specific service provider and before deciding upon which tool shall be implemented, look at what legal obligations would come with such implementation and use.”
Uddin warned that the potential of AI has yet to be determined, and humans will continue to push it to learn more and grow smarter, regardless of any ethical concerns.
“AI is going on at such a fast pace, people cannot keep up. ChatGPT at the moment is more intelligent than the most intelligent people in history; in the next version, it will be 10 times more intelligent, and this will only increase,” he said. “How we will cope with that intelligence, what efficiencies we use with it and how it is employed in what is a very humanized industry, these are the principal questions. This industry does not wish to see robots everywhere.”
But there are benefits of using AI, Uddin said.
“In countries such as Japan where the population is diminishing, it will be of benefit. Also, [it works] as a predictive model for management, but there are security, privacy and fraud concerns. We will need to create AI to check on AI, and that is being done already,” he said. “My first job in IT no longer exists, [which was] mainframe operations. Business and employers need to use AI, not let AI use them, and the ones who understand that will be the ones who keep their jobs.”
Uddin said this is of critical importance in any industry that is almost completely dependent on human interaction.
“Ask what information is going in, and how accurate is that information? Have emotion and empathy, which is the hotel industry, been considered?” he added.