Background information
The AI Act Whistleblower Tool, launched by the AI Office, gives individuals who are professionally connected to an AI model provider the opportunity to report harmful practices by providers of general-purpose AI models and certain AI systems. Individuals can submit their report anonymously, in any EU language, along with supporting documentation. The tool provides a secure inbox which enables whistleblowers to stay up to date on the progress of their report while maintaining anonymity and answering any follow-up questions. Potential whistleblowers may be individuals who are professionally connected to an AI model provider, such as current or former employee, a self-employed collaborator, a shareholder, or a member of the company’s administrative, management, or supervisory body.
The European AI Office, which was established within the European Commission, serves as the AI expertise centre and forms the foundation for a single European AI governance system.
Questions
The tool is based on the following questions, directed at individuals connected to an AI model provider:
- In which organisation or company did the suspected infringement occur?
- Under which jurisdiction (country or region) does the organisation operate?
- What is your relationship with the organisation?
- When did the incident(s) occur?
- Who was involved, if known?
- How did you become aware of this information?
- Do you wish to share any supporting documents or evidence?
- Have you already reported this information to any national competent authority or other body within or outside an EU Member State?
- Have you already reported this information to your own company's or the violating company's (if differing) internal whistleblowing channel or otherwise raised this concern outside of the external channels in any way that could increase the risk of retaliation or your anonymity?
- Are there particular risks to retaliation or pertaining to confidentiality/anonymity you would like the EU AI Office to take into consideration?
Confidentiality
The fundamental principle behind the AI Act Whistleblower Tool is to establish a secure and confidential reporting channel through which individuals, connected to an AI model provider, can report suspected breaches of the AI Act directly to the European AI Office.
According to the FAQ of the AI Office the report will be kept secure through encryption and other security functions that are certified by an independent body. The FAQ directly states that individuals should still refrain from including any personally identifiable information about themselves or any third parties that could directly or indirectly reveal their identity. This includes information such as the names of colleagues, email addresses or phone numbers.
It is also recommended that individuals do not use any technical devices provided by their employer, such as a PC, smartphone or Wi-Fi, when submitting the report.
The AI Office is committed to ensuring that reports are not disclosed to anyone without their explicit consent. It is, however, important to note that the report will be shared with a limited number of staff members at the AI Office who are designated to receive or follow up on reports. These staff members undergo specific training to ensure they are competent in handling reports.
Process
Upon receipt of a report, it is entered into the AI Office’s database in a timely and secure manner.
The process of reviewing the report is the following:
- The report will be received via a secure platform to which only three members of the AI Office staff have access. The authorised staff underwent training to ensure their awareness of their responsibility to maintain whistleblower confidentiality.
- A formal acknowledgement of receipt will be issued within seven working days, thereby confirming the successful submission of the individual’s report.
- Following the receipt of the individual’s approval, the content of their report will be shared with authorised personnel from the AI Office, encompassing individuals with multidisciplinary expertise in domains such as machine learning, model evaluation, cybersecurity, risk assessment, and copyright. Access to the report will be strictly limited to those with the relevant expertise to diligently assess the matter, only following approval and upon having received specific training for the purposes of handling reports.
- A response will be issued within fourteen working days in order to confirm whether the AI office is the correct authority to handle the report in question. Should it be deemed to be the least appropriate authority in this matter, the Office will provide the individual with the relevant point of contact to redirect their report.
- Throughout the process, it is possible that contact will be maintained with the individual concerned in order to share updates, answer questions, collect additional information, or obtain approval to share the content of the report with third parties when required. It is therefore recommended that users check their secure inbox regularly.
- It is our intention to provide feedback within a period of three months; however, should exceptional circumstances arise, this period may be extended to six months. Should the conclusion be reached that a report does not necessitate further follow-up (e.g., in instances where the breach is deemed minor or has already been brought to light), the decision and the underlying rationale will be communicated to the relevant parties.
- The final outcome triggered by the report will be communicated to the individual.
The AI Office may also take the following additional measures as it deems appropriate:
- refer the whistleblower to other relevant authorities and, provided that the whistleblower has given their prior approval, communicate with those authorities to support the protection of the whistleblower; and/or
- transfer the proceedings to a competent authority for further investigation, whilst ensuring that the confidentiality of the whistleblower is protected.
