Breakdown of AI Compliance in 2024. Why Focus On Privacy?

AI can be dangerous. The stronger it becomes, the more people worry about AI compliance. There are good reasons for this. AI development goes through enormous datasets; they can misuse private data, cause discrimination, or simply generate false predictions.

That’s why we hear much about AI regulation: the EU AI Act or the AI Bill of Rights in the US. But they are not enforced yet. Instead, we have many local and industry-specific laws that regulate AI.

For now, companies need to focus on privacy regulations. AI solutions complicate compliance with GDPR, ISO 27001, and others. If you’re dealing with clients from the EU, US, or China, be on guard.

This article lays out major regulations for AI compliance. Let’s dive in.

Note: this isn’t legal advice. Use this article for general understanding, but do consult your legal advisors before building an AI system.

The act is focused on high-risk AI applications, protecting people from the worst side effects of AI.

Here’s how it works. It puts all AI into 4 risk categories:

• Unacceptable risk solutions are outright banned. These include social scoring systems, biometric classification, and facial recognition in public places. Yet there can be some exceptions for law enforcement.
• High-risk solutions will be regularly assessed by the EU regulators. This includes products that require EU product safety: toys, medical devices, cars, aviation, and lifts. But it also applies to critical industries, like education, employment, law enforcement, or legal interpretation.
• General purpose and generative AI will have to be transparent and safe. Advanced models like GPT-4 will be audited. But even simple generative AIs should disclose that the content is AI-generated, and it should never generate illegal content.
• Limited risk models will have minimal transparency requirements, but won’t have to be evaluated. For example, such solutions will have to disclose when users interact with an AI.

Fines for non-compliance can be severe. They’ll go up to €36 million or 7% of yearly turnover – whichever is higher.

Other countries will be looking at the EU Act. Meanwhile, they are rolling out regulations, too:

• Canada’s Artificial Intelligence and Data Act;
• China’s Administrative Measures for Generative Artificial Intelligence Services (Generative AI Measures);
• Brazil’s Bill 21/20;
• Several other countries in the Americas and Asia are also developing their regulations.

Blueprint for an AI Bill of Rights is a purely voluntary document. Yet, future regulations may rely on it. The blueprint has 5 main principles:

• Safe and Effective Systems. It would protect users from unsafe systems by pre-deployment testing, risk identification, and ongoing monitoring;
• Algorithmic Discrimination Protections. It protects users against discrimination, based on race, gender, age, or any other sensitive characteristics;
• Data Privacy. It requires AI systems to have built-in privacy protections, and users should have agency over how their private data is used;
• Notice and Explanation. Systems should notify users when they use AI and how it would impact them.
• Human Alternatives, Consideration, and Fallback. Whenever appropriate, users should be able to opt out of the AI tool and communicate with a person instead.

The Algorithmic Accountability Act has been introduced, but it’s far from becoming law. If passed, it would require companies to do 3 major things:

• Assess the impacts of the AI systems;
• Be transparent about using AI;
• Empower consumers to make informed choices when they interact with AI systems.

The act applies to critical decisions in healthcare, housing, education, employment, and personal life.

Locally, US Regulations Already Require AI Compliance

While general AI regulations are still yet to come, we already have laws that govern specific AI applications. Usually, these are state or local laws, here are some of them:

NYC Law 144 prohibits biased automatic recruitment tools. Before using automated employment decision tools, any company has to pass an audit proving that such tools are unbiased.

Colorado SB21-169 prohibits insurance companies from discriminating against customers. With Big Data, insurance companies could unintentionally harm protected groups. The new law protects algorithm discrimination based on race, color, national or ethnic origin, religion, sex, sexual orientation, disability, or gender.

Connecticut SB 1103 regulates the state government’s use of AI. Since early 2024 all state agencies will have to inventory AI systems that they use. Furthermore, they need to perform assessments to make sure that their AIs don’t discriminate or provide unfair advantage to anyone.

What are the 7 key principles of GDPR? All principles are equally important for GDPR compliance. Some come from the 1995 Data Protection Directive, others are new.

• Lawfulness, fairness, and transparency. You have to identify legal reasons for data processing. You should be transparent about what you’re doing with the personal data.
• Purpose limitation. You must only collect personal data for explicit and legitimate purposes. In other words, you can’t claim to never sell cookies to 3rd parties, and then… sell cookies to third parties.
• Data minimization. Only collect data that is necessary for your purpose, never just in case.
• Accuracy. Keep personal data accurate and up-to-date. Let your users correct their data or erase it.
• Storage limitation. Store personal data only for as long as necessary. Establish clear timeframes and dispose of the data when it’s no longer needed. Some retention periods are specified in law, like on tax records. In other cases, they can be more fluid – but you need to set an appropriate time frame.
• Security (Integrity and confidentiality). Implement appropriate security measures: encrypt your data, isolate PII from other data, etc. Learn more in our article about personally identifiable information.
• Accountability. The controller (we’ll describe who it is soon) is responsible for compliance with the other 6 principles. Be prepared to demonstrate compliance to supervisory authorities upon request.

What are GDPR controllers and the processors? Under GDPR companies that handle personal data are either controllers or processors.

The status is important because controllers have way more obligations than processors. If there’s a breach on the processor’s end, the controller is still responsible for dealing with it. The status affects your relationship with suppliers and customers.

Controllers determine why and how to process data. In formal terms, they define the purpose and the essential means of processing. Some of the essential means include:

• What data to process?
• What’s the retention period?
• Should they disclose the data?

Processors process the data on behalf of the controller. They follow the controller’s instructions and can’t appoint sub-processors without the controller’s consent. They can define the non-essential means, like:

• Programming languages, frameworks;
• Security measures;
• Architectural measures: APIs, microservices, and virtual machines.

What does GDPR mean for AI compliance? The important part is to determine whether your AI vendor will be a controller or a processor.

Companies working with GDPR are used to granting the processor role to software vendors. However, AI vendors will often need the controller role.

Let’s break down some examples:

In 2023, China eased cross-border data controls in Draft Provisions. Now, there’s a new threshold for security assessment. If a company transfers data of under a million individuals, there’s no need for a security assessment. Here’s the new threshold:

• > 1 million individuals. Requires security assessment;
• 10,000-1 million. Requires security certification or entering a standard contract published by Cyberspace Administration of China (CAC);
• < 10,000 individuals. No required transfer mechanism.

Still, all important data transfers require a security assessment. At first, the definition of “important data” was murky. Now, companies can presume that they don’t possess important data unless they were informed otherwise by regulators or through a public notice.

Other countries have their own rules. In Canada, there’s PIPEDA. In Brazil, there’s LGPD. In Japan, there’s APPI. Be aware of them before entering a local market.