0
Flag of California, depicting a large brown bear beside a red star, above the words "California Republic."

CPRA regulations finalized and effective immediately

[Update: On March 30, 2023, the California Chamber of Commerce filed suit against the California Privacy Protection Agency, arguing that the amended regulations should not enter force until once year following finalization of the regulations. The court agreed, holding that enforcement cannot occur until one year after the regulations were finalized, thereby pushing the enforcement date from March 29, 2023, to March 29, 2024. The case is being appealed, but it is not expected to be finalized until after the new enforcement date.]
On March 30, 2023, the California Privacy Protection Agency (the Agency) announced that its first rulemaking package for the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), was approved by the California Office of Administrative Law (OAL).[1] Approval by the OAL marks the completion of the rulemaking process, thereby making the regulations effective immediately. “This is a major accomplishment, and a significant step forward for Californians’ consumer privacy. I’m deeply grateful to the Agency Board and staff for their tireless work on the regulations, and to the public for their robust engagement in the rulemaking process,” CPPA Board Chair Jennifer Urban said in a statement.[2] The regulations build upon and clarify provisions within the CPRA, which amended and expanded the CCPA. For example, the regulations allow businesses to offer a “Your Privacy Choices” mechanism on a website’s homepage instead of a “Do Not Sell or Share My Personal Information” mechanism. The regulation had originally been scheduled for completion for July 1, 2022, but due to insufficient staffing and resources, the Agency announced an extended delay to the process.[3] This delay of almost a year left businesses and privacy professionals scrambling, because the CPRA came into effect on January 1, 2023, yet many of its provisions were unclear. Now, finalization begets clarity. That said, the Agency’s enforcement efforts will begin July 1, 2023, which gives little time to comply with the regulations. The Agency has indicated a soft initial approach to enforcement though. Section 7301(b) of the finalized regulation state that the Agency may “consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.” While this leaves some breathing room, it does not alleviate non-compliance in all instances, and businesses should move to finalize compliance with these regulations. The final regulations, although effective immediately, will not be published publicly until they are processed, which is expected to happen next week. The final regulations will be made available here: https://cppa.ca.gov/regulations/consumer_privacy_act.html
[1] https://cppa.ca.gov/announcements/ (announcement on March 30, 2023) [2] Id. [3] https://iapp.org/news/a/cpra-regulations-delayed-past-july-1-deadline-expected-q3-or-q4/
0
This is the flag of Iowa, depicting an eagle holding a banner that reads, "Our liberties we prize and our rights we will maintain."

And then there were six!

On March 28, 2023, Gov. Reynolds of Iowa signed into law SF 262, a bill for an act relating to consumer data protection. By signing the bill into law, Gov. Reynolds established Iowa as the sixth state to establish a comprehensive data protection framework. “In our digital age, it’s never been more important to state, clearly and unmistakably, that consumers deserve a reasonable level of transparency and control over their personal data,” said Gov. Reynolds. “That’s exactly what this bill does, making Iowa just the sixth state to provide this kind of comprehensive protection.”[1] Full text of the law: here. Iowa’s approach to data protection is similar to Utah’s approach, but it shares a basic framework with Colorado, Connecticut, and Virginia. However, California’s approach remains unique among the pack. We will continue monitoring all state legislatures for more developments.
[1] https://governor.iowa.gov/press-release/2023-03-28/gov-reynolds-signs-sf-75-and-sf-262-law
0

Metaverse Law’s Lily Li to guest star on Threat Watch podcast to discuss risks of ChatGPT, generative AI, and LLMs

Near the end of 2022, generative AI models became something of a sensation. Art-based models like Midjourney, DALL-E, and Stable Diffusion threw the art world into a panic, prompting companies to ban AI-generated art.[1] Models like ChatGPT—and its underlying GPT-3.5 and GPT-4 LLMs—seemingly invaded every social sphere, from academia[2] to big tech,[3] and prompted many to start asking, “Will AI replace us?”[4] Given all this buzz around generative AI and LLMs, it’s only natural to consider the IT and security risks stemming from these emerging technologies. Afterall, there have been numerous recorded instances of actors using ChatGPT to build malware,[5] to improve malware,[6] to send phishing emails,[7] and more. To discuss these topics, Metaverse Law’s founder Lily Li will join host Dr. Rebecca Wynn on BrightTALK’s Threat Watch podcast to discuss the many issues, risks, and concerns arising out of the use of AI. WHAT: Metaverse Law’s founder Lily Li will join host Dr. Rebecca Wynn on the Threat Watch podcast to discuss AI, chatbots, LLMs, and more. WHEN: March 30, 2023 — 12:00 pm ET WHERE: Online (with free registration) TOPICS:
  • Data leaking and misuse in the AI supply chain.
  • Data transfer issues resulting from the use of AI.
  • IT and cyber security concerns.
  • Social engineering stemming from AI.
  • And more!
Whether you are currently using or thinking about using AI in your business, you do not want to miss Lily’s discussion on the risks and issues arising from this technology.
[1] https://brushwarriors.com/art-websites-that-ban-ai/ [2] https://www.tidio.com/blog/ai-in-education/ [3] https://www.zdnet.com/article/how-to-use-chatgpt-to-write-code/ [4] https://www.forbes.com/sites/robtoews/2021/02/15/artificial-intelligence-and-the-end-of-work/?sh=75edd9c456e3 [5] https://www.hackread.com/chatgpt-blackmamba-malware-keylogger/ [6] https://blog.checkpoint.com/2023/02/07/cybercriminals-bypass-chatgpt-restrictions-to-generate-malicious-content/ [7] https://research.checkpoint.com/2022/opwnai-ai-that-can-save-the-day-or-hack-it-away/
0
Graphic depicting the three phases of analysis under NIST's AI RMF: map, measure, manage.

Creating trustworthy AI and reducing liability with NIST’s AI Risk Management Framework

On January 26, 2023, the National Institute of Standards and Technology (NIST) released the first version of the Artificial Intelligence Risk Management Framework (AI RMF).[1] The AI RMF is a voluntary resource meant to help organizations “manage the many risks of AI and promote trustworthy and responsible development and use of AI systems.”[2] To support the goal of the AI RMF, NIST supplemented its release with a companion NIST AI RMF Playbook,[3] AI RMF Explainer Video,[4] an AI RMF Roadmap,[5] AI RMF Crosswalk,[6] and statements from organization and individuals interested in the success of the AI RMF.[7] Together, these resources provide organizations with a comprehensive toolbox for identifying and managing AI risks. Given the growing regulatory interest in scrutinizing AI, these resources — although voluntary to use — provide important insights into what regulators may or may not want to see in AI products, services, and systems.

Background

The US Federal Government has long recognized the need for AI regulation. In 2016, the National Science and Technology Council produced a report stating that “the approach to regulation of AI-enabled products to protect public safety should be informed by assessment of the aspects of risk.”[8] In 2018, President Donald Trump signed a law establishing the National Security Commission on Artificial Intelligence to consider how to defend against AI threats and promote AI innovation.[9] In 2019, following Executive Order 13859,[10] the White House’s Office of Science and Technology Policy released guidance detailing the ten principles that Federal agencies should consider when determining how to regulate AI.[11] In response, NIST released a position paper, which called for US agencies to create globally relevant, non-discriminatory AI standards. Recognizing that AI has the potential to transform every sector of the US economy and society, Congress passed the National AI Initiative Act of 2020, which established the National Artificial Intelligence Initiative (NAIA), and directed NIST to “develop voluntary standards for artificial intelligence systems.”[12] On July 29, 2021, NIST issued a Request for Information to Help Develop an AI Risk Management Framework,[13] in which NIST asked individuals, groups, and organizations to submit comment on the goals of the AI RMF and on how those goals should be achieved. On October 15, 2021, NIST published a summary analysis of those comments,[14] and on December 13, 2021, the agency published a concept paper incorporating input from the initial Request for Information.[15] NIST released a draft AI RMF on March 17, 2022,[16] but, based on comments received during a NIST workshop held that same month,[17] the agency released a modified second draft on August 18, 2022,[18] and held another workshop in October 2022.[19] Four months later, NIST released the first version of the AI RMF.

Seven characteristics of trustworthy AI

As a flexible framework designed to adapt to a wide range of systems, products, and organizations, the AI RMF does not prescribe specific technical requirements that must be satisfied before an AI is considered trustworthy. Instead, the AI RMF provides a list of characteristics that must be balanced “based on the AI system’s context of use.”[20] These characteristics are:
  1. Valid and reliable
    1. Valid: Confirmation, though the provision of objective evidence, that the requirements for the AI’s specific intended use or application have been fulfilled. (ISO 9000:2015.)
    2. Reliable: The ability of AI system to perform as required, without failure, for a given time interval, under given conditions, including the entire lifetime of the system. (ISO/IEC TS 5723:2022.)
    3. Accurate: The closeness of the AI system’s results of observations, computations, or estimates to the true values or the values accepted as being true. (ISO/IEC TS 5723:2022.)
    4. Robust / Generalized: The ability of an AI system to maintain its level of performance under a variety of circumstances, which includes performing in ways that minimize potential harm to people if it is operating in an unexpecting setting. (ISO/IEC TS 5723:2022.)
  2. Safe
    1. AI systems should not, under defined conditions, lead to a state in which human life, health, property, or the environment is endangered. (ISO/IEC TS 5723:2022.)
  3. Secure and resilient
    1. Secure: AI systems should maintain confidentiality, integrity, and availability through protection mechanisms that prevent unauthorized access and use. (NIST Cybersecurity Framework and Risk Management Framework.)
    2. Resilient: AI systems, as well as the ecosystems in which they are deployed, should withstand unexpected adverse events or unexpected changes in their environment or use — or if they can maintain their functions and structure in the face of internal and external change and degrade safely and gracefully when this is necessary. (ISO/IEC TS 5723:2022.)
  4. Accountable and transparent
    1. Transparent: Information about an AI system and its outputs should be available to individuals interacting with such a system, regardless of whether they are even aware that they are doing so, and be tailored to the role or knowledge of AI actors or individuals interacting with or using the AI system.
    2. Accountable: AI systems should incorporate actionable redressability related to AI system outputs that are incorrect or otherwise lead to negative impacts.
  5. Explainable and interpretable
    1. Explainable: The AI system should describe how the AI system functions, with descriptions tailored to individual differences such as the user’s role, knowledge, and skill level.
    2. Interpretable: The AI system should communicate a description of why an AI system made a particular prediction or recommendation. (“Four Principles of Explainable Artificial Intelligence” and “Psychological Foundations of Explainability and Interpretability in Artificial Intelligence.”[21])
  6. Privacy-enhanced
    1. Privacy values such as anonymity, confidentiality, and control should guide choices for AI system design, development, and deployment, but privacy-enhancing technologies (PETs) may be needed to support privacy-enhanced AI design.
  7. Fair — with harmful bias managed
    1. Fair: AI systems should incorporate equality and equity by addressing issues such as harmful bias and discrimination, which includes taking into consideration cultural context and demographic differences.
    2. With harmful bias managed: AI systems should consider and manage three major categories of AI bias:
      1. Systemic: Bias found in the AI datasets, the organizational norms, practices, and processes across the AI lifecycle, and the broader society that uses the AI system.
      2. Computational and statistical: Bias found in AI datasets and algorithmic processes, and often stems from systematic errors due to non-representative samples.
      3. Human-cognitive: Bias relating to how an individual or group perceives AI system information to make a decision or fill in missing information, or how humans think about purposes and functions of an AI system.

Practical benefit of complying with the AI RMF

As a voluntary framework, the AI RMF does not mandate compliance with its principles; however, as the NIST Cybersecurity Framework demonstrates, voluntary compliance may help shield an organization from legal risks. The NIST Cybersecurity Framework offers a risk-based approach to cybersecurity and a methodology for developing a comprehensive information security program. Like the AI RMF, the Cybersecurity Framework is voluntary, and therefore does not form the basis for any regulatory action. Yet, if a cybersecurity incident occurs, an organization that has implemented the Cybersecurity Framework can use their adherence in their favor. For example, if a regulator alleges the organization was negligent in its cybersecurity practices, the organization can rebut the allegations by demonstrating that its program was designed in accordance with the Cybersecurity Framework and therefore was reasonably designed to counter foreseeable risks. Compliance with the AI RMF may produce similar benefits, given that NIST created the AI RMF for AI industry stakeholders to “cultivate trust in the design, development, use, and evaluation of AI technologies and systems in ways that enhance economic security and improve qualify of life.”[22]
[1] https://www.nist.gov/itl/ai-risk-management-framework [2] https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf [3] https://pages.nist.gov/AIRMF/ [4] https://www.nist.gov/video/introduction-nist-ai-risk-management-framework-ai-rmf-10-explainer-video [5] https://www.nist.gov/itl/ai-risk-management-framework/roadmap-nist-artificial-intelligence-risk-management-framework-ai [6] https://www.nist.gov/itl/ai-risk-management-framework/crosswalks-nist-artificial-intelligence-risk-management-framework [7] https://www.nist.gov/itl/ai-risk-management-framework/perspectives-about-nist-artificial-intelligence-risk-management [8] https://obamawhitehouse.archives.gov/sites/default/files/whitehouse_files/microsites/ostp/NSTC/preparing_for_the_future_of_ai.pdf [9] https://www.govinfo.gov/content/pkg/COMPS-15483/uslm/COMPS-15483.xml; https://www.nscai.gov/ [10] https://trumpwhitehouse.archives.gov/presidential-actions/executive-order-maintaining-american-leadership-artificial-intelligence/ [11] https://www.whitehouse.gov/wp-content/uploads/2020/01/Draft-OMB-Memo-on-Regulation-of-AI-1-7-19.pdf [12] https://www.congress.gov/bill/116th-congress/house-bill/6216 [13] https://www.federalregister.gov/documents/2021/07/29/2021-16176/artificial-intelligence-risk-management-framework [14] https://www.nist.gov/system/files/documents/2021/10/15/AI%20RMF_RFI%20Summary%20Report.pdf [15] https://www.nist.gov/system/files/documents/2021/12/14/AI%20RMF%20Concept%20Paper_13Dec2021_posted.pdf [16] https://www.nist.gov/system/files/documents/2022/03/17/AI-RMF-1stdraft.pdf [17] https://www.nist.gov/news-events/events/2022/03/building-nist-ai-risk-management-framework-workshop-2 [18] https://www.nist.gov/system/files/documents/2022/08/18/AI_RMF_2nd_draft.pdf [19] https://www.nist.gov/news-events/events/2022/10/building-nist-ai-risk-management-framework-workshop-3 [20] https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf [21] https://www.nist.gov/artificial-intelligence/ai-fundamental-research-explainability [22] https://www.nist.gov/itl/ai-risk-management-framework/ai-risk-management-framework-faqs
0
A minimalistic picture of a human brain being digitized into technological lines that also look like a human brain.

Guidance on Artificial Intelligence and Data Protection

[Updated: March 7, 2024] For many of us, Artificial Intelligence (“AI”) represents innovation, opportunities, and potential value to society. For data protection professionals, however, AI also represents a range of risks involved in the use of technologies that shift processing of personal data to complex computer systems with often opaque processes and algorithms. Data protection and information security authorities as well as governmental agencies around the world have been issuing guidelines and practical frameworks to offer guidance in developing AI technologies that will meet the leading data protection standards. Below, we have compiled a list* of official guidance recently published by authorities around the globe. Canada
  • 1/17/2022 – Government of Ontario, “Beta principles for the ethical use of AI and data enhanced technologies in Ontario” https://www.ontario.ca/page/beta-principles-ethical-use-ai-and-data-enhanced-technologies-ontario The Government of Ontario released six beta principles for the ethical use of AI and data enhanced technologies in Ontario. In particular, the principles set out objectives to align the use of data enhanced technologies within the government processes, programs, and services with ethical considerations being prioritized.
China
  • 3/1/2023 – National Information Security Standardization Technical Committee, Technical Document on Basic Requirements for Security of Generative Artificial Intelligence https://www.tc260.org.cn/upload/2024-03-01/1709282398070082466.pdf (in Chinese) The Technical Document provides security requirements for the use of generative AI services. These requirements include conducting a security assessment before collecting data for a generative AI model, entering legally binding contracts with generative AI service providers, and acquiring consent for certain use cases of generative AI services.
  • 12/12/2022 – Cyberspace Administration of China, Regulations on the Administration of Deep Synthesis of Internet Information Services http://www.cac.gov.cn/2022-12/11/c_1672221949354811.htm (in Chinese) and http://www.cac.gov.cn/2022-12/11/c_1672221949570926.htm (in Chinese) The Regulations target deep synthesis technology, which are synthetic algorithms that produce text, audio, video, virtual scenes, and other network information. The accompanying Regulations FAQs state that providers of deep synthesis technology must provide safe and controllable safeguards and conform with data protection obligations.
  • 9/26/2021 – Ministry of Science and Technology (“MOST”), New Generation of Artificial Intelligence Ethics Code http://www.most.gov.cn/kjbgz/202109/t20210926_177063.html (in Chinese) The Code aims to integrate ethics and morals into the full life cycle of AI systems, promote fairness, justice, harmony, and safety, and avoid problems such as prejudice, discrimination, privacy, and information leakage. The Code provides for specific ethical requirements in AI technology design, maintenance, and design.
  • 1/5/2021 – National Information Security Standardisation Technical Committee of China (“TC260”), Cybersecurity practice guide on AI ethical security risk prevention https://www.tc260.org.cn/upload/2021-01-05/1609818449720076535.pdf (in Chinese) The guide highlights ethical risks associated with AI, and provides basic requirements for AI ethical security risk prevention.
Denmark:
  • 3/5/2024 – Datatilsynet, New regulatory sandbox for AI https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2024/mar/ny-regulatorisk-sandkasse-for-ai The Danish Data Protection Authority, in collaboration with the Danish Agency for Digitalisation, established a regulatory sandbox for AI, where companies and entities can access relevant expertise and GDPR guidance when they develop or use AI.
  • 2/29/2024 – Danish Ministry of Business and Industry, Recommendations on tech development and use of artificial intelligence https://em.dk/Media/638447961317309808/Tech-ekspertgruppens%20anbefalinger.pdf (in Danish) The Danish Government’s expert group announced recommendations on tech giants’ development and use of AI, which aims to explore the potential of AI while negating its potential harmful effects. The recommendations focus on regulation of unauthorized use of copyrighted material, imposing responsibility on tech giants for the credibility of information, and default standards for chatbots.
E.U.:
  • 2/21/2024 – European Commission, Creation of AI Office https://digital-strategy.ec.europa.eu/en/policies/ai-office The European Commission announced the creation of the European AI Office, which is established within the Commission and will play a key role in implementing the EU’s AI Act. The AI Office will work with public and private entities to promote cooperation and adoption of the EU’s AI Act.
  • 1/20/2022 – European Institute of Innovations & Technology (“EIT”), AI Maturity Tool https://ai.eitcommunity.eu/ai-maturity-tool/ The EIT published a web-based AI maturity tool which allows businesses to assess how prepared they are for the use of AI, and which will allow businesses to compare their maturity level to that of other organizations in the future.
  • European Telecommunication Standards Institute (“ETSI”) Industry Specification Group Securing Artificial Intelligence (“ISG SAI”) https://www.etsi.org/committee/1640-sai The ISG SAI has published standards to preserve and improve the security of AI. The works focus on using AI to enhance security, mitigating against attacks that leverage AI, and securing AI itself from attack.
  • 7/14/2021 – European Commission’s Joint Research Center (“JRC”), Report https://publications.jrc.ec.europa.eu/repository/handle/JRC125952 Most recently, the JRC published this report on the AI standardization landscape. The report describes the ongoing standardization efforts on AI and aims to contribute to the definition of a European standardization roadmap.
  • 4/21/2021 – European Commission, “Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts” https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=75788 The EU Commission proposed a new AI Regulation – a set of flexible and proportionate rules that will address the specific risks posed by AI systems, intending to set the highest global standard. As an EU regulation, the rules would apply directly across all European Member States. The regulation proposal follows a risk-based approach and calls for the creation of a European enforcement agency.
France: Germany: Hong Kong:
  • 8/18/2021 – Office of the Privacy Commissioner for Personal Data (“PCPD”), “Guidance on the Ethical Development and Use of Artificial Intelligence” https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_ethical_e.pdf This guidance discusses ethical principles for AI development and management while also highlighting recent development in AI governance around the globe. The guidance further includes a helpful self-assessment checklist in its appendix concerning businesses’ AI strategy and governance, risk assessment and human oversight, development and management of AI systems as well as communication and engagement with stakeholders.
India:
  • 9/28/2021 – INDIAai, “Mitigating Bias in AI – A Handbook For Startups” https://indiaai.s3.ap-south-1.amazonaws.com/docs/AI+Handbook_27-09-2021.pdf INDIAai, a government-based initiative, published this formalized framework for startups. The handbook identifies different risk factors that may lead to bias in AI.
  • 7/15/2021 – Data Security Council of India (“DCSI”), “Handbook on Data Protection and Privacy for Developers of Artificial Intelligence in India” https://www.dsci.in/sites/default/files/documents/resource_centre/AI%20Handbook.pdf The handbook establishes guidelines for responsible and ethical AI development in line with the applicable legal data protection framework. While the handbook does not provide technical solution but instead focuses on the ethical and legal objectives to pursue when designing AI systems, it does provide for a checklist of questions and good practices which developers shall keep in mind while in the design process.
  • 2/24/2021 – National Institution for Transforming India (“NITI Aayog”), “Responsible AI” http://www.niti.gov.in/sites/default/files/2021-02/Responsible-AI-22022021.pdf In this paper, the Government think tank highlights the ethical and legal framework for AI technology management. The paper further includes a self-assessment guide for AI usage in its annex.
International:
  • 3/5/2024 – Organisation for Economic Co-operation and Development (“OECD”), Explanatory Memorandum on the Updated OECD Definition of an AI System https://www.oecd-ilibrary.org/docserver/623da898-en.pdf?expires=1709828184&id=id&accname=guest&checksum=B906C1E98329EC8C1E539374B37DF045 The OECD published a memorandum that revisits the definition of an artificial intelligence system contained within the 2019 OECD Recommendation on AI, by redefining and expanding the term. However, the memorandum recognizes that the new definition, even though it is broader, nonetheless may require additional criteria to tailor the definition to a specific use case or context.
  • 9/28/2023 – OECD, Catalogue of Tools & Metrics for Trustworthy AI https://oecd.ai/en/ The OECD published a catalogue of tools and metrics for building and deploying trustworthy AI systems. This catalogue provides users with a one-stop-shop for tools that can mitigate bias, measure performance, audit systems, and create procedural processes to oversee the system.
  • 8/1/2023 – Future of Privacy Forum (“FPF”), Generative AI for Organizational Use: Internal Policy Checklist https://fpf.org/wp-content/uploads/2023/07/Generative-AI-Checklist.pdf To help organizations initialize the process of regulating the use of generative AI, FPF released a checklist to help organizations revise policies and procedures governing generative AI. The checklist provides a non-exhaustive list of topics to consider when revising such policies and procedures.
  • 5/31/2023 – EU-US Terminology and Taxonomy for Artificial Intelligence https://digital-strategy.ec.europa.eu/en/library/eu-us-terminology-and-taxonomy-artificial-intelligence To align EU and US risk-based approaches to regulating AI, a group of experts created this document to provide a unified approach to AI terminologies and taxonomies. A total number of 65 terms were identified with reference to key documents from the EU and US.
  • International Organization for Standardization (“ISO”) – ISO/IEC 23894:2023 Information technology — Artificial intelligence — Guidance on risk management https://www.iso.org/standard/77304.html This document provides guidance on how organizations that develop, produce, deploy or use products, systems and services that utilize AI can manage risk specifically related to AI. The guidance also aims to assist organizations to integrate risk management into their AI-related activities and functions. It moreover describes processes for the effective implementation and integration of AI risk management.
  • ISO – ISO/IEC 38507:2022 https://www.iso.org/standard/56641.html Together with the International Electrotechnical Commission (“IEC”), ISO has published a number of AI standards in recent years. The newest standards published in April 2022, called “Governance implications of the use of artificial intelligence by organizations”, provides guidance for the governing body of organizations regarding the use and implications of AI.
  • ISO – ISO/IEC JTC 1/SC 42  Standards https://www.iso.org/committee/6794475/x/catalogue/p/1/u/0/w/0/d/0 These standards published in March of 2021 provide background about existing methods to assess the robustness of neural networks. Additional AI standards are currently under development.
  • 9/15/2022 – Information Technology Industry Council (“ITI”), Policy Principles for Enabling Transparency of AI Systems https://www.itic.org/documents/artificial-intelligence/ITIsPolicyPrinciplesforEnablingTransparencyofAISystems2022.pdf The ITI published guidance for policymakers, emphasizing the need for transparency as a critical part of developing accountable and trustworthy AI systems.
  • 2/22/2022 – Organization for Economic Co-operation and Development (‘OECD’), Framework for the Classification of AI Systems https://www.oecd-ilibrary.org/science-and-technology/oecd-framework-for-the-classification-of-ai-systems_cb6d9eca-en;jsessionid=lWU_vM8LQfX-wAZgVIjj31FS.ip-10-240-5-181 In the Framework, the OECD has developed a tool to evaluate AI systems from a policy perspective, by providing a baseline to characterize the application of an AI system deployed in specific contexts. The Framework contributed to the OECDS “AI in Work, Innovation, Productivity, and Skills” (“AI-WIPS”) program.
  • 1/26/2022 – Information Technology Industry Council (“ITI”), Recommendations on NIST AI Risk Management Framework https://www.itic.org/documents/artificial-intelligence/ITICommentsonAIRMFConceptPaperFINAL.pdf In response to the AI Risk Management Framework concept paper released by NIST, the ITI has published a series of recommendations in order to improve the framework and encourage NIST to align the framework with prior works as well as standards that are currently under development in international standards bodies.
  • 1/18/2022 – Information Technology Industry Council (“ITI”), Recommendations on AI-enabled Biometric Technologies https://www.itic.org/documents/artificial-intelligence/ITICommentsBiometricTechRFIFINAL.pdf ITI released a series of recommendations addressed to the U.S. Government regarding the use of AI and biometric technologies, elaborating on governance programs and practices that may be useful to consider in the context of biometric technologies, including with regard to performance auditing and post-deployment impact assessment.
Japan:
  • 4/8/2022 – Ministry of Economy, Trade, and Industry (“METI”), Artificial Intelligence Introduction Guidebook for Small and Medium Sized Companies https://www.meti.go.jp/policy/it_policy/jinzai/AIutilization.html (in Japanese) The Guidebook provides SMEs with guidance on how to prepare for and begin utilization of AI in their enterprises, providing practical steps for decision-making.
  • 2/15/2022 – Ministry of Internal Affairs and Communications (“MIC”), Guidebook on Cloud Services Using AI https://www.soumu.go.jp/main_content/000792669.pdf (in Japanese) The Guidebook summarizes the steps to keep in mind when developing and providing AI cloud services while gaining the trust of users and considering data collection requirements.
  • 1/28/2022 – METI, Governance Guidelines for Implementation of AI Principles https://www.meti.go.jp/shingikai/mono_info_service/ai_shakai_jisso/pdf/20220128_2.pdf The METI has released an updated version of its Guidelines for the Practice of Artificial Intelligence Principles, outlining AI governance rules which include risk analysis, systems design, implementation and evaluation, along with providing practical examples.
  • 8/4/2021 – MIC, AI Network Society Promotion Council Report https://www.soumu.go.jp/main_content/000761967.pdf (in Japanese) The report highlights recent trends in AI utilization as well as efforts to promote secure and reliable social implementation of AI.
Jordan
  • 8/5/2022 – Ministry of Digital Economy and Entrepreneurship, National Charter of Ethics for Artificial Intelligence https://tinyurl.com/w4e3acdy The charter provides an ethical baseline to regulate the development of AI technologies. The charter includes a set of principles that include accountability, transparency, impartiality, respect for privacy, promotion of human values, and other such principles that promote democratic values, human rights, and diversity.
Mexico
  • 6/1/2022 – National Institute for Access to Information and Protection of Personal Data (“INAI”), Recommendations for the Processing of Personal Data derived from the Use of Artificial Intelligence https://home.inai.org.mx/wp-content/documentos/DocumentosSectorPublico/RecomendacionesPDP-IA.pdf (in Spanish) The INAI released its recommendations concerning regulation of personal data and AI technology. In particular, the recommendations focus on such topics as AI and its implication in public security, AI in the education sector, AI and privacy by design, AI and cloud computing, and more.
Saudi Arabia:
  • 4/27/2022 – Saudi Food and Drug Authority (‘SFDA’), “Guidance on Review and Approval of AI and Big Data based Medical Devices” https://beta.sfda.gov.sa/sites/default/files/2021-04/SFDAArtificial%20IntelligenceEn.pdf The Guidance sets out the requirements for obtaining a Medical Devices Marketing Authorization for AI-based medical devices within the KSA. It applies to the standalone software type of medical devices, which diagnose, manage, or predict diseases by analyzing medical Big Data using AI, as well as to AI software that is configured with hardware.
Senegal: Singapore: South Korea: Spain: Sweden:
  • 2/28/2024 – Swedish Authority for Privacy Protection, Guidance on the GDPR and AI https://www.imy.se/verksamhet/dataskydd/innovationsportalen/vagledning-om-gdpr-och-ai/ (in Swedish) The guidance discusses artificial intelligence from two viewpoints: technical and legal. The technical portion includes explanations of AI, machine learning, and deep leaning, along with professional insights into AI training models. The legal portion focuses on how to determine when the GDPR applies to the development and use of AI.
Turkey: U.K.:
  • 2/26/2024 – Information Commissioner’s Office (“ICO”), Generative AI second call for evidence: Purpose limitation in the generative AI lifecycle https://ico.org.uk/about-the-ico/what-we-do/our-work-on-artificial-intelligence/generative-ai-second-call-for-evidence/ The ICO launched a consultation series on generative AI, which, in part, focuses on how the data protection principle of purpose limitation should be applied at different stages in the generative AI life cycle. The consultation highlights the importance for AI developers to sufficiently set out clear purposes for each stage of the AI and to explain what personal data is processed in each stage.
  • 6/7/2023 –  Department for Science, Innovation and Technology (“DSIT”), “Find out about artificial intelligence (AI) assurance techniques” https://www.gov.uk/ai-assurance-techniques Following up on the UK government’s AI Regulation White Paper (see next bullet), DSIT created a portfolio of use cases illustrating various AI assurance techniques being used in the real-world to support the development of trustworthy AI. The portfolio includes case studies from across multiple sectors and features a range of technical, procedural, and educational approaches to promote responsible AI.
  • 3/29/2023 –  DSIT, “A pro-innovation approach to AI regulation” https://www.gov.uk/government/publications/ai-regulation-a-pro-innovation-approach/white-paper The DSIT published a white paper introducing an AI regulation framework underpinned by five principles: Safety, security, and robustness; appropriate transparency and explainability; fairness; accountability and governance; and contestability and redress. Rather than recommend specific AI legislation, the white paper recommends that existing regulators incorporate these principles into their enforcement efforts.
  • 3/15/2023 – ICO, Guidance on AI and data protection https://ico.org.uk/for-organisations/guide-to-data-protection/key-dp-themes/guidance-on-ai-and-data-protection/ The ICO published guidance clarifying requirements for fairness in AI. The document includes guidance on solely automated decision-making and technical approaches to mitigating algorithmic bias.
  • 5/4/2022 – ICO, AI and Data Protection Risk Toolkit https://ico.org.uk/for-organisations/guide-to-data-protection/key-dp-themes/guidance-on-ai-and-data-protection/ai-and-data-protection-risk-toolkit/ ICO recently launched its updated AI and Data Protection Risk Toolkit, which contains risk statements to help organizations using AI to correctly assess the risk of their processing practices. The toolkit provides suggestions and practical steps for technical and organizational measures used to mitigate risks and demonstrate compliance with applicable data protection laws. It further includes references to other core resources.
  • 1/12/2022 – Department for Digital, Culture, Media & Sports (“DCMS”) and Office for Artificial Intelligence (“OAI”), AI Standards Hub Pilot https://www.gov.uk/government/news/new-uk-initiative-to-shape-global-standards-for-artificial-intelligence The DCMS and OAI announced the pilot of a new AI Standards Hub as part of the UK’s National AI Strategy. In its pilot phase, the Hub will focus on creating tools and guidance for education, training, and professional development to help businesses engage with creating AI technical standards, and bringing the AI community together through workshops, events, and a new online platform to encourage more coordinated engagement in the development of standards around the world.
  • 9/22/2021 – UK Secretary of State for Digital, Culture, Media & Sport (“DCMS”), “National AI Strategy” https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1020402/National_AI_Strategy_-_PDF_version.pdf The UK Government announced its National AI Strategy, which aims to invest and plan for the long-term needs of the AI ecosystem, support the transition to an AI-enabled economy, and ensure the UK governs AI effectively.
  • 5/5/2020 – ICO, “Explaining Decisions Made with AI” https://ico.org.uk/for-organisations/guide-to-data-protection/key-data-protection-themes/explaining-decisions-made-with-ai/ This detailed guidance released by the ICO in cooperation with the lan Turing Institute gives businesses practical advice to explain the legal framework and effects of AI decision-making processes and the necessary considerations for compliance with existing data protection laws.
U.S.:
  • 10/31/2023 – National Institute of Standards and Technology (“NIST”), “Executive Order FAQs” https://www.nist.gov/artificial-intelligence/executive-order-safe-secure-and-trustworthy-artificial-intelligence/executive-order-faqs The Biden Administration’s EO on Safe, Secure, and Trustworthy Artificial Intelligence issued on October 30, 2023, charges multiple agencies – including NIST – with producing guidelines and taking other actions to advance the safe, secure, and trustworthy development and use of artificial intelligence. In response, NIST released a short series of FAQs addressing the agency’s role in developing guidelines under the EO.
  • 10/30/2023 – The White House, “Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” https://www.whitehouse.gov/briefing-room/presidential-actions/2023/10/30/executive-order-on-the-safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence/ The Biden Administration issued an Executive Order that establishes new safety and security standards for the use of AI. This whole-of-government approach requires numerous agencies to develop standards for what constitutes “responsible” uses of artificial intelligence.
  • 10/30/2023 – The White House, “FACT SHEET: President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence” https://www.whitehouse.gov/briefing-room/statements-releases/2023/10/30/fact-sheet-president-biden-issues-executive-order-on-safe-secure-and-trustworthy-artificial-intelligence/ This is the accompanying Fact Sheet for the Biden Administration’s Executive Order regarding the development of safe, secure, and trustworthy development and use of AI (immediately above).
  • 03/09/2023 – U.S. Chamber of Commerce, “CTEC AI Commission 2023″ https://www.uschamber.com/assets/documents/CTEC_AICommission2023_Report_v5.pdf The U.S. Chamber of Commerce published a report calling for the regulation of AI and outlining five key principles that stakeholders should consider when drafting a regulatory framework. In contrast to the White House Office of Science and Technology Policy’s Blueprint for an AI Bill of Rights, the Chamber’s report seeks to regulate AI without hindering economic development.
  • 1/26/2023 – NIST, “AI Risk Management Framework” https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf On January 26, 2023, the National Institute of Standards and Technology (NIST) released the first version of the Artificial Intelligence Risk Management Framework (AI RMF). The AI RMF is a voluntary resource meant to help organizations manage the many risks of AI and promote trustworthy and responsible development and use of AI systems. As a flexible framework designed to adapt to a wide range of systems, products, and organizations, the AI RMF provides a list of characteristics that must be balanced based on the AI system’s context of use.
  • 10/4/2022 – White House Office of Science and Technology Policy, “Blueprint for an AI Bill of Rights” https://www.whitehouse.gov/wp-content/uploads/2022/10/Blueprint-for-an-AI-Bill-of-Rights.pdf The White House Office of Science and Technology Policy published a non-binding white paper detailing a list of principles that, if incorporated into the development and use of AI technologies, should protect the American public during the age of artificial intelligence. The document calls upon policymakers to adopt these principles when considering how to regulate AI technologies.
  • 5/13/2022 – Department of Justice Civil Rights Division, “Algorithms, Artificial Intelligence, and Disability Discrimination in Hiring” https://beta.ada.gov/resources/ai-guidance/ The guidance explains how use of algorithms and AI in hiring can lead to disability discrimination and legal consequences. The guidance details how employers can avoid such disability discrimination when using AI technology.
  • 3/16/2022 – National Institute of Standards and Technology (“NIST”), “Towards a Standard for Identifying and Managing Bias in Artificial Intelligence” https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1270.pdf In this Special Publication, NIST analyzes the challenges of AI bias, aiming to provide some detailed socio-technical guidance for identifying and managing AI bias.
  • 12/14/2021 – NIST, “AI Risk Management Framework Concept Paper” https://www.nist.gov/system/files/documents/2021/12/14/AI%20RMF%20Concept%20Paper_13Dec2021_posted.pdf NIST has developed for public review a concept paper for the Artificial Intelligence Risk Management Framework (“AI RMF”), intended for voluntary use and to address risks in the design, development, use, and evaluation of AI products, services, and systems. NIST stated that it intends to release the AI RMF 1.0 in early 2023.
  • 7/30/2021 – Department of Homeland Security (“DHS”), “Artificial Intelligence and Machine Learning Strategic Plan” https://www.dhs.gov/sites/default/files/publications/21_0730_st_ai_ml_strategic_plan_2021.pdf The strategic plan of DHS’ Science and Technology Directorate (“S&T”) outlines its goals that are committed to ensuring that AI/ML research, development, test, evaluation, and departmental applications comply with statutory and other legal requirements, and sustain privacy protections and civil rights and liberties for individuals. It further advises stakeholders on recent developments in AI/ML and the associated opportunities and risks.
  • 5/5/2021 – Electronic Privacy Information Center (“EPIC”), New National Artificial Intelligence Initiative Office Website. https://www.ai.gov/ The White House launched its new website, AI.gov, featuring policy priorities, reports, and news regarding AI.
  • 4/19/2021 – Federal Trade Commission (“FTC”), “Aiming for Truth, Fairness, and Equity in Your Company’s Use of AI” https://www.ftc.gov/news-events/blogs/business-blog/2021/04/aiming-truth-fairness-equity-your-companys-use-ai In this blog post, the FTC offers guidance for companies in their use of AI, specifically instructing them to show transparency and accountability when employing new algorithms.
  • 4/8/2020 – FTC, “Using Artificial Intelligence and Algorithms” https://www.ftc.gov/news-events/blogs/business-blog/2020/04/using-artificial-intelligence-algorithms In this blog post, the FTC outlines best practices when relying on algorithms and highlights key principles such as transparency, fairness, accuracy, and accountability.
  • 9/9/2019 – NIST, “U.S. Leadership in AI: A Plan for Federal Engagement in Developing Technical Standards and Related Tool” https://www.nist.gov/artificial-intelligence/ai-standards-federal-engagement Following an executive order directing federal agencies to develop international standards to promote and protect innovation and public confidence in AI technologies, NIST published this plan. The plan intends to provide guidance regarding priorities and appropriate levels of engagement in matters of AI standards.
*While extensive, this list is not meant to be exhaustive. We will do our best to update this list from time to time, and add new guidance as it becomes available.
1 4 5 6 7 8