February 13, 2024
Legaltech News
The United States does not currently have a comprehensive federal privacy law, though multiple states have begun to fill the void in the absence of federal policy. Similarly, multiple countries outside the United States have passed privacy laws, and most of this legal activity — domestic and international — is not sector- or industry-specific. Against this backdrop, artificial intelligence systems, trained on vast amounts of data, continue to advance without a clear consensus on principles or a process to assess and mitigate AI risk. However, state and federal governments around the world are developing approaches to measuring and mitigating risks, with many of the governance requirements reflecting a parallel to privacy governance requirements.
Privacy practitioners utilize the Fair Information Practice Principles to assess privacy risk. Different countries have adopted variations of this structure, though these principles usually include:
Thematic consistencies in privacy governance also exist in the international and domestic privacy laws that have been passed. First, these laws are not sector-specific or geographically bound. As a general matter, they tend to apply to any company, regardless of geographic location, that processes personal data of residents covered by the law, even if those companies are not physically located in the jurisdiction.
Second, these laws tend to carry significant financial penalties. For example, the European General Data Protection Regulation allows EU data protection authorities to assess fines of up to €20 million ($22.1 million) or 4 percent of a company’s worldwide annual revenue, depending on the specific GDPR provision violated.
Third, the laws give individuals increased ability to access and control how their information is collected and used. Individuals may request and receive access to the information companies hold about them, request deletion of that information, receive access to information in a format that facilitates transport of the data to other organizations, and have the ability to refuse to consent to tracking or the sale of their data.
Fourth, there are increased governance responsibilities. Some governance requirements include establishing a Data Protection Officer specifically charged with overseeing privacy within an organization. If a use of information is particularly sensitive or novel, new laws may require a company to complete a privacy impact assessment before data processing begins. In some instances, the law requires companies to establish privacy training programs and conduct regular privacy audits.
In January 2023, the National Institute of Standards and Technology issued the AI Risk Management Framework (AI RMF), a voluntary framework designed to provide guidance for using, designing, or deploying AI systems. Per the NIST Framework, a trustworthy AI system contains the following elements:
The National Security Commission on Artificial Intelligence also released a wide-ranging report in 2021 designed to present a national strategy to reorganize the government’s approach to artificial intelligence. Among its many recommendations, the Commission recommended that Congress should require AI Risk Assessment reports and AI Impact Assessment reports from the Intelligence Community, the Department of Homeland Security, and the Federal Bureau of Investigation for AI systems that impact US citizens and legal permanent residents. This focus on transparency and accountability reflects governing principles also seen within privacy governance frameworks.
Most recently, European negotiators have reached a political agreement to sign the Artificial Intelligence Act, the first comprehensive AI law. Like its comprehensive privacy law, the General Data Protection Regulation, the EU’s Artificial Intelligence Act utilizes a risk-based approach to governance and carries significant financial penalties for non-compliance. Fines range from €7.5 million or 1.5% of global turnover to €35 million or 7% of global turnover, depending on company size and the nature of the violation.
These emerging AI frameworks and laws reflect the importance of measures that demonstrate trustworthiness, accountability, and rigor in AI systems. The frameworks often draw on risk assessment requirements and notice requirements commonly seen in privacy law. As artificial intelligence law continues to develop, it is highly likely that the lessons learned and mechanisms implemented for ensuring responsible and trustworthy use of personally identifiable information for privacy governance will continue to be applied to the data-driven field of artificial intelligence.
Originally printed in Legaltech News on February 13, 2024. This article is for informational purposes, is not intended to constitute legal advice, and may be considered advertising under applicable state laws. This article is only the opinion of the authors and is not attributable to Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, or the firm’s clients.