Forecasting AI Compliance at the State, Federal, and International Levels

Print Friendly, PDF & Email

In this special guest feature, Kim Peretti, Alston & Bird partner and co-leader of the firm’s National Security & Digital Crimes and Privacy, Cyber & Data Strategy teams, suggests that given the vast amounts of data that goes into artificial intelligence, it’s no surprise that data protection laws are on the vanguard of regulating AI. Peretti tracks the legal implications of AI in her role at Alston & Bird. The ways data protection laws regulate AI is top-of-mind for her, having recently spoken on the topic at the ABA Science & Technology Law Section’s 2002 AI & Robotics National Institute.

2023 promises to usher in a new wave of immediate AI obligations for organizations as various new state privacy laws impose GDPR-level requirements around automated decision-making, one of the most common AI applications. Organizations, however, should also begin considering the impacts of recently enacted and pending international and U.S. federal AI regulatory developments. For example, China’s new regulation governing companies’ use of algorithms in online recommendation systems took effect in March 2022, and requires that companies be transparent about the purposes of an algorithm, adhere to mainstream value orientations, and actively prevent the dissemination of harmful or illegal information. The regulation further imposes notice and opt out requirements when AI is used to target users and prohibits the use of algorithms that use personal data to offer different prices to consumers. In Europe, the proposed AI Act, which was first presented by the Commission in 2021, would build on these themes through a comprehensive AI framework that brings structure to an opaque regulatory landscape by developing a risk-based approach. We expect these regulations to set the stage for how global companies integrate AI moving forward.

In the U.S., we saw a glimpse of the FTC’s enforcement priorities over AI when the FTC issued an advance notice of proposed rulemaking (ANPR) on August 22, 2022, requesting public comment on whether new rules are needed to address the harms resulting from commercial surveillance and lax data security practices. The ANPR marks an intentional shift toward a more holistic regulatory framework that addresses algorithmic error, deception, data manipulation, and other abuses. The FTC acknowledged that its current enforcement approach may not be enough to combat these abuses without affirmative rulemaking. While it is difficult to predict what these new rules will look like, the FTC will clearly be exploring rulemaking possibilities from all angles. This may include a set of standards to safeguard against algorithmic error, new rules to govern corporate surveillance, and granular disclosure requirements regarding AI mechanics and socioeconomic impact. The ANPR further suggests that automated decision-making and profiling activities may be completely prohibited in certain industries and ponders whether other federal agencies should be included in developing a comprehensive framework. 

While the regulatory approaches vary at the state, federal, and national level, there are common themes found throughout all approaches that can guide compliance efforts. Companies that develop, deploy, or use AI systems should: (1) assess their current and future AI dependencies and craft policies that govern dataset integrity, accuracy, transparency, foreseeable risks, and social impacts, with appropriate monitoring in place to ensure AI systems do not lead to disparate and unfair outcomes; (2) develop a firm understanding of the AI system’s mechanics and be prepared to provide detailed explanations to regulator and consumer inquiries regarding the logic involved; and (3) determine whether more traditional processes would be a better approach to AI after performing a cost-benefit analysis. 

Sign up for the free insideBIGDATA newsletter.

Join us on Twitter:

Join us on LinkedIn:

Join us on Facebook:

Speak Your Mind