Date: 2023-07-07

Artificial intelligence (AI) amplifies the ability to analyze personal information in ways that can infringe on privacy interests, which can lead to legal issues. Generally, there are two types of concerns about AI and privacy: input concerns, including the use of large datasets that may include personal information, and output concerns (a more recent concern with the rise of AI), such as when AI is used to arrive at certain conclusions.

Although they don’t always specifically talk about AI, there are regulations and guidelines in the UK, Europe and the US that cover privacy principles.

European Union

In Europe, there is a comprehensive privacy law in the European Union and the UK: the General Data Protection Regulation (GDPR). It concerns all business sectors and applies to all personal data, regardless of type or context, including automated data processing, which is strictly regulated. It contains a strict requirement to tell people how their data will be used and what will happen to it. It notably includes the obligation to carry out a data protection impact assessment, which could lead to further investigation by regulators.

The GDPR also covers “automated individual decision-making, including profiling,” requiring a data subject’s explicit consent for data processing, with certain exceptions. For AI tools, legality, fairness and transparency are key GDPR requirements.

Proposed AI Ethics Framework

In 2021, the European Commission proposed new rules and actions with the aim of making Europe a “trustworthy” global hub for AI: the AI Act and a coordinated plan that goes hand in hand with it. Some AI systems are prohibited under the AI Act, including a number that are sometimes highlighted as issues in the context of social media.

Great Britain

The AI Act no longer applies in the UK, but it is still relevant for UK businesses due to its extraterritorial reach, as in the US. From a privacy perspective, the UK must maintain data protection equivalence with the EU to maintain its adequacy status, which must be reviewed by December 2024.

In 2022, the UK government announced a 10-year plan to make the UK an “AI superpower” in its National AI Strategy, and in March 2023 published its White Paper setting out the framework and the UK Government’s approach to AI regulation, providing a principles-based approach. UK regulators are expected to issue non-statutory guidance over the next 12 months demonstrating their divergence from the EU’s approach.

UK white paper

The Department of Science, Innovation and Technology (DSIT) also released a highly anticipated white paper on AI in March 2023, setting out five principles regulators should consider to build trust and provide clarity for innovation. UK regulators will incorporate these principles into guidance to be published over the next 12 months. Following its 2022 Toolkit, the ICO has published its own detailed guidance and practical toolkit on AI and data protection, updated in March 2023.

United States

The United States includes a myriad of jurisdiction- and industry-based privacy laws that contain AI-related principles; however, specific guidance on AI is awaited. The White House announced a plan for an AI Bill of Rights, with recommended principles for deploying AI, in particular privacy provisions.

The National Institute of Standards and Technology’s cybersecurity guidelines have been widely adopted. Its AI Risk Management Framework, released in January 2023, specifically identifies privacy as an important input and output risk factor.

FTC Enforcement Actions

The Federal Trade Commission (FTC) is the enforcement authority that regulates data privacy issues and has released a series of reports on AI and related consumer and privacy issues, most recently in April 2021. There have been a series of enforcement actions regarding algorithms, particularly algorithmic disgorgement where underlying data has been found to be illegally used to target individuals for advertising purposes.

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA), effective July 1, 2020, is similar to GDPR principles and involves a broad definition of personal information, intended to include robust consumer profile and preference data collected by social media companies and online advertisers.

The CCPA has been amended in a way that begins to speak directly to AI, including a definition of “profiling” and rules on “automated decision-making”. It requires a data privacy impact assessment for processing activities, including profiling, and requires the new California Privacy Agency to issue regulations “governing access and opt-out rights regarding business use of automated decision-making technology,” which is a broad mandate. The draft regulations are expected in the coming months.

In 2023, similar rules were enacted by the Virginia Consumer Data Protection Act, Colorado Privacy Act, and Connecticut Data Privacy Act.

The path to follow

New regulations and directives are on the way in the UK, EU and US, requiring AI projects to protect the often large data sets at hand. There are ways to potentially manage the risks through anonymization and de-identification, the use of privacy policies and contractual provisions; however, careful consideration should be given to whether the AI has the right to use the data in an AI system and how the system uses and discloses the information.

Morgan Lewis lawyers discussed issues surrounding AI and privacy in more detail in the presentation AI and Data Privacy: US and European Privacy Laws, part of the firm’s Technology Marathon webinar series.