In recent weeks, government bodies — including U.S. financial regulators, the U.S. Federal Trade Commission, and the European Commission — have announced guidelines or proposals for regulating Artificial Intelligence. Clearly, the Regulation of AI is rapidly evolving. But rather than wait for more clarity on what laws and regulations will be implemented, companies can take actions now to prepare. That’s because there are three trends emerging from governments’ recent moves.
Over the last few weeks, regulators and lawmakers around the world have made one thing clear: New laws will soon shape how companies use Artificial Intelligence (AI). In late March, the five largest federal financial regulators in the United States released a request for information on how banks use AI, signaling that new guidance is coming for the finance sector. Just a few weeks after that, the U.S. Federal Trade Commission (FTC) released an uncharacteristically bold set of guidelines on “truth, fairness, and equity” in AI — defining unfairness, and therefore the illegal use of AI, broadly as any act that “causes more harm than good.”
The European Commission followed suit on April 21 released its own proposal for the Regulation of AI, which includes fines of up to 6% of a company’s annual revenues for noncompliance — fines that are higher than the historic penalties of up to 4% of global turnover that can be levied under the General Data Protection Regulation (GDPR).
For companies adopting AI, the dilemma is clear: On the one hand, evolving regulatory frameworks on AI will significantly impact their ability to use the technology; on the other, with new laws and proposals still evolving, it can seem like it’s not yet clear what companies can and should do. The good news, however, is that three central trends unite nearly all current and proposed laws on AI, which means that there are concrete actions companies can undertake right now to ensure their systems don’t run afoul of any existing and future laws and regulations.
The first is the requirement to conduct assessments of AI risks and to document how such risks have been minimized (and ideally, resolved). A host of regulatory frameworks refer to these types of risk assessments as “algorithmic impact assessments” — also sometimes called “IA for AI” — which have become increasingly popular across a range of AI and data protection frameworks.
Indeed, some of these types of requirements are already in place, such as Virginia’s Consumer Data Protection Act — signed into law last month, it requires assessments for certain types of high-risk algorithms. In the EU, the GDPR currently requires similar impact assessments for high-risk processing of personal data. (The UK’s Information Commissioner’s Office, which enforces the GDPR, keeps its own plain language guidance on how to conduct impact assessments on its website).
Unsurprisingly, impact assessments also form a central part of the EU’s new proposal on AI regulation, which requires an eight-part technical document for high-risk AI systems that outlines “the foreseeable unintended outcomes and sources of risks” of each AI system, along with a risk-management plan designed to address such risks. The EU proposal should be familiar to U.S. lawmakers — it aligns with the impact assessments required in a bill proposed in 2019 in both chambers of Congress called the Algorithmic Accountability Act. Although the bill languished on both floors, the proposal would have mandated similar reviews of the costs and benefits of AI systems related to AI risks. That bill that continues to enjoy broad support in both the research and policy communities to this day, and Senator Ron Wyden (D-Oregon), one of its cosponsors, reportedly plans to reintroduce the bill in the coming months.
