GDPR/AI
Laws and Liability
EU AI Act
Assess me, bro
American Courts
100

This is the aspect of GDPR that is often non-compliant because there is no current way to remove data from the AI and have it persist with its original training.

What are Data subject rights: Accuracy, correction and right to erasure; key components in ensuring GDPR compliance

100

This has broad authority over general commercial operations to prevent unfair or deceptive practices, and applies to privacy and security concerns related to programs and algorithms (will continue to apply to AI)

What is the U.S. Federal Trade Commission

100

What does it mean to have a scope that applies to All providers and users situated in EU member states, Providers not located in the EU but providing products for use in the EU, and Operators located outside of the EU producing output to be used in the EU?

What is an extraterritorial scope

100

Both of these outline a method of providing accountability when developing new technology and use of data, but should now be done THROUGHOUT an AI lifecycle

What are Data Protection Impact Assessments (DPIAs) and Conformity Assessments (CAs)

100

U.S. District Court, New Jersey: Ruled AI software does not qualify, as it generates information, guidance, ideas and recommendations, which are not considered products under New Jersey law

Rodgers vs. Christie (2020)

200

A way for data subjects to register a formal complaint or request a review of an automated decision

What is a process of redress


• Individuals conducting reviews must be knowledgeable of and competent with AI technology to know what to look for and accurately assess whether a decision should be overturned

• Have logic already documented for how the AI algorithm works so that it is understandable

• Example: If the AI is a black box, it is difficult to honor the automated decision-making right to review the outcome – understanding how the AI came to a decision is needed

200

This overlaps with the EU’s General Data Protection Regulation (GDPR) regarding transparency, and increases overall transparency related to online platforms (like product recommendation and online advertising)

What is the EU Digital Services Act (EU DSA)

200

What are 5 exemption cases for AI usage? 

1. Military (national security and defense)

2. AI used in research and development (even private sector)

3. Public authority for law enforcement or judicial cooperation (even in third countries)

4. AI used for non-professional reasons

5. Open Source AI (in some cases)

200

These are required with technical documentation, and can envision harms that could possibly result from the AI.

What are Conformity Assessments, which are required with technical documentation and can supplement DPIAs in areas more technical or associated with risk

200

Plaintiff argues the AI model breaches fair housing requirements

Connecticut Fair Housing Association vs. CoreLogic Rental Property Solutions (ongoing)

300

Key articles of the GDPR that intersect with AI

What are Article 22, 35 and Recital 26 of GDPR

• Article 22: Automated decision-making

• Article 35: Data protection impact assessments, when required in relation to high-risk/important processing

• Recital 26: Techniques for pseudonymization and anonymization of data

300

Must be proven that some action or inaction by the product maker caused the harm (e.g., noncompliance with a relevant product safety law; negligence resulting from failure to exercise due care)

What is fault liability regime 

300

What 7 types of systems are prohibited as an Unacceptable Risk in the EU Act? 

The following techniques, systems and uses will be prohibited: 

• Social credit scoring systems

• Emotion-recognition systems used in law enforcement, border patrol and educational institutions

• AI that exploits a person’s vulnerabilities, such as age or disability

• Behavioral manipulation and techniques that circumvent a person’s free will

• Untargeted scraping of facial images to use for facial recognition

• Biometric categorization systems using sensitive characteristics

• Specific predictive policing applications

• Real-time biometric identification by law enforcement in publicly accessible spaces, except certain limited, pre-authorized situations

300

The 3 types of liability claims for US product laws (determined at state level)

What are:

1. Strict liability: Victims must prove they were harmed by a defective product

2. Negligence: Product maker has failed to exercise due care, which leads to harm

3. Breach of warranty: Promises about products have not been met and harm has been caused

300

The White House recently published THIS, taking guidance from the Federal Trade Commission (FTC) and the Food and Drug Administration (FDA), and has incorporated the NIST Risk Management Framework

What is a blueprint for an AI Bill of Rights

400

AI for recruitment, biometric identification surveillance, safety/medical components, and critical infrastructure must undergo this before going to market.

What is a Conformity Assessment, which must be performed depending on the AI system or technology’s risk to health, safety and fundamental rights of individuals. This requirement is not just for cases where personal information is being processed, and must be compliant with the EU AI Act

400

Sometimes referred to as no-fault liability regimes. Victims don't need to prove intentional wrongdoing or fault on the part of the product maker, only that the product was defective, and that defect caused the harm

What are Strict Liability Regimes 

400

Providers must establish and document a post-market monitoring system with which four elements?

• Track how the AI system is performing

• What the AI system is doing after it has been sold

• Report any serious incident or malfunctioning which is, may be, or could become a breach of the obligations to protect fundamental rights

• If an incident occurs: required to report to local market surveillance authority

400

Your organization could be subject to what claims for models purchased from a third party?

What are US Copyright claims

400

The FTC has warned that unsubstantiated claims about the accuracy or efficacy of THESE may violate the FTC Act

What are biometric information tools (e.g., facial recognition software or practices around collection of biometric data)

500

The Ideal Outcome for AI in GDPR regulation.

What is ensuring there is a way to make systems successful and achieve goals without using personal information

500

These two proposals, published in the EU in September 2022, seek to make it easier for victims to prove liability and receive compensation in cases where AI caused harm.

What are the Reformed Product Liability Directive and the AI Liability Directive 

RPLD is strict liability 

AI Liability Directive: "Courts will be able to presume a causal link between noncompliance with relevant laws and AI-induced harm"

500

Even if a system is considered limited risk, where primary compliance focuses on transparency, providers must:

Inform people from the outset that they will be interacting with an AI system (e.g., chatbots)

Applies to:

• Systems designed to interact with people (e.g., chatbots) 

• Systems that can generate or manipulate content

• Large language models (e.g., ChatGPT) 

• Systems that can create deepfakes

500

AI systems for services of general interest like banks, schools, hospitals and insurers, for high-risk systems, must undergo this before entering market (along with general compliance to EU AI Act, GDPR, and local regulation)

What is the obligation to carry out a fundamental rights impact assessment (FRIA) in certain situations

500

What are the 5 elements of the US Blueprint for an AI Bill of Rights from OSTP: MAKING AUTOMATED SYSTEMS WORK FOR THE AMERICAN PEOPLE

1. Safe and effective systems

2. Algorithmic Discrimination Protections

3. Data Privacy

4. Notice and Explanation

5. Human Alternatives, Consideration, and Fallbacks

