Artificial Intelligence is growing by leaps and bounds due to the competitive advantages it brings to organizations and its far-reaching benefits across the entire spectrum of industries. AI solutions are benefitting healthcare, agriculture, education, media, entertainment, transport, public service and many other industries.
In light of the rapid adoption of this emerging technology, and taking into account the significant risk to the rights and freedoms of individuals, the European Parliament on 13th March 2024 passed the regulation laying down harmonized rules on Artificial Intelligence and amending other related legislative acts. The EU AI Act is thus far the most comprehensively crafted uniform legal framework pertaining to the operationalizing of AI systems. The purpose of this regulation is to promote the uptake of human-centric and trustworthy artificial intelligence (AI) while ensuring a high level of protection of health, safety and fundamental rights.
Key Facts:
- McKinsey expects that around 70% of companies will adopt at least one type of AI technology by 2030.
- The IBM study highlights that data privacy (57%) and transparency (43%) concerns are the biggest inhibitors of generative AI.
- The EU AI Act provides for stringent penalties, such as administrative fines of up to 35 million EUR or 7% of total worldwide annual turnover.
AI technology uses a combination of Machine Learning (ML), Deep Learning (DL) and Natural Language Processing (NLP) to analyse large sets of data and derive extremely meaningful outcomes for business. The benefits of utilizing AI systems are far-reaching and contribute to a wide array of economic, environmental and societal benefits.
If the controls required to safeguard AI systems are not implemented appropriately, AI may generate risks and cause harm to public interests and the fundamental rights of citizens. The harms AI can introduce include physical, psychological, societal or economic harm. Overall, the emphasis is on human-centric and ethical development of AI systems.
Prohibited AI Practices:
AI systems that use manipulative or deceptive techniques to push an individual into a decision that they would not otherwise have taken are considered a prohibited practice. Other examples include exploiting vulnerabilities of persons due to age, disability or other situation in a manner that is likely to cause significant harm to the person.
The greater the risk posed by an AI system, the higher the threshold of the regulation. According to the EU AI Act, an AI system shall not be considered high-risk if it does not pose a significant risk of harm to the health, safety or fundamental rights of natural persons, including by not materially influencing the outcome of decision making.
If an AI system is used for profiling of natural persons, it shall always be considered high-risk. Systems categorized as high-risk AI systems will be subject to strict obligations such as adequate risk assessment, higher quality of datasets, logging of activities, detailed documentation, appropriate human oversight, and a high level of robustness, security and accuracy. Further, all remote biometric identification systems are considered high-risk and subject to strict requirements. The use of remote biometric identification in publicly accessible spaces for law enforcement purposes is, in principle, prohibited.
Kindly read EU AI Act Artificial-Intelligence-Act-European-Commission(Brussels,14-May-2024).pdf
Additional Requirements Pertaining to Processing of High Risk AI Systems:
The EU AI Act requires organizations/providers to incorporate a risk management system to ensure compliance with the requirements:
- A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems.
- The risk management system shall be understood as a continuous iterative process planned and run throughout the lifecycle of a high-risk AI system, requiring regular systematic review and updating.
AI Privacy & Security:
Considering the risks associated with the EU AI Act and GDPR regulations, it is paramount for organizations to inculcate a culture of data security to be on the right side of the regulations. Here are some of the key considerations to protect and safeguard data:
- Build transparency into the entire ecosystem (collection, use and storage of data) by incorporating AI processing disclaimers wherever processing impacts individuals' privacy.
- Embed privacy-by-design fundamentals during the entire data lifecycle to ensure that things are done proactively.
- Perform a Data Protection Impact Assessment (DPIA) for all prohibited and high-risk personal data processing, such as usage of biometric, facial recognition and geolocation data.
- Implement state-of-the-art security controls during the entire lifecycle, such as anonymization, pseudonymization, data encryption, data loss prevention, access controls and log monitoring.
Global Regulatory Environment on AI:
That is the reason the EU is leading the world in technology regulation, first finalising the AI Draft Act and then enacting the AI Act 2024, which many countries can follow to develop their own version of the AI Act.
The regulatory battles are being fought between governments and tech companies, with a focus on the US, China, and the EU. Some key points are:
- US-China Battle:
  - Chinese investors are acquiring control of US technologies.
  - China is also rapidly advancing its own technological capabilities.
  - This battle has led to a subsidy race in semiconductors, batteries, and artificial intelligence.
- US-EU Battle:
  - The transatlantic regulatory battle centers around data flow and privacy laws.
  - Taxation of digital giants is another point of tension.
  - Europeans are concerned about US tech firms’ overreach, while Americans worry about European regulators’ protectionism.
  - The EU aims to preserve a competitive and fair market while protecting fundamental rights.
- Vertical Battles:
  - Beyond horizontal battles between countries, there are vertical battles within tech markets.
  - Pre-tech companies are compared to emerging empire powers.
In summary, these regulatory battles shape the rules for the digital economy and influence the kind of digital society that we are going to create in the world.
We at Data Secure (www.datasecure.ind.in) can help you to understand EU GDPR and its ramifications and design a solution to meet compliance and the regulatory framework of EU GDPR and avoid potentially costly fines.
We can design and implement RoPA, DPIA and PIA assessments for meeting compliance and mitigating risks as per the requirement of legal and regulatory frameworks on privacy regulations across the globe especially conforming to India Digital Personal Data Protection Act 2023. For more details, kindly visit DPO India – Your outsourced DPO service (dpo-india.com).
For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA or Draft India PDPB 2019 and Secure Email transmission, kindly write to us at info@datasecure.ind.in.
To download the various Global Privacy Laws, kindly visit the Resources page in DPO India.