Compliance in AI: Policies and Best Practices

Editor's Notes

• #11: In Europe, the dominant source of AI governance is the European Union's Artificial Intelligence Act, which went into effect on August 1, 2024 and applies to all 27 member countries. It is expected to be fully implemented by August 2, 2026. Three key objectives: - Ensure trustworthy and ethical AI development. - Mitigate risks like bias and discrimination. - Promote transparency, accountability, and human oversight. Unacceptable risk Unacceptable risk AI systems are systems considered a threat to people and will be banned. They include: Cognitive behavioural manipulation of people or specific vulnerable groups: for example voice-activated toys that encourage dangerous behaviour in children Social scoring: classifying people based on behaviour, socio-economic status or personal characteristics Biometric identification and categorisation of people Real-time and remote biometric identification systems, such as facial recognition Some exceptions may be allowed for law enforcement purposes. “Real-time” remote biometric identification systems will be allowed in a limited number of serious cases, while “post” remote biometric identification systems, where identification occurs after a significant delay, will be allowed to prosecute serious crimes and only after court approval. High risk AI systems that negatively affect safety or fundamental rights will be considered high risk and will be divided into two categories: 1) AI systems that are used in products falling under the EU’s product safety legislation. This includes toys, aviation, cars, medical devices and lifts. 2) AI systems falling into specific areas that will have to be registered in an EU database: Management and operation of critical infrastructure Education and vocational training Employment, worker management and access to self-employment Access to and enjoyment of essential private services and public services and benefits Law enforcement Migration, asylum and border control management Assistance in legal interpretation and application of the law. All high-risk AI systems will be assessed before being put on the market and also throughout their lifecycle. People will have the right to file complaints about AI systems to designated national authorities. The lowest level of risk described by the EU AI Act is minimal risk. This level includes all other AI systems that do not fall under the above-mentioned categories, such as a spam filter. AI systems under minimal risk do not have any restrictions or mandatory obligations. However, it is suggested to follow general principles such as human oversight, non-discrimination, and fairness.
• #12: Penalties for breaking the law: The regulation sets forward a three-tier structure for fines against infringements by AI system operators in general, supplemented by additional provisions for providers of the GPAI models and for Union agencies. The heftiest fines are imposed for violations related to prohibited systems of up to €35,000,00 or 7% of worldwide annual turnover for the preceding financial year, whichever is higher. The lowest penalties for AI operators are for providing incorrect, incomplete, or misleading information, up to €7,500,000 or 1% of total worldwide annual turnover for the preceding financial year, whichever is higher. Penalties for non-compliance can be issued to providers, deployers, importers, distributors, and notified bodies.
• #13: https://www.whitehouse.gov/ostp/ai-bill-of-rights/
• #14: Colorado SB24-205 & SB21-169 In May 2024, Colorado became the first U.S. state to enact a comprehensive law governing AI systems with the passing of SB24-205. All requirements under the law will become effective on February 1, 2026. The law seeks to regulate algorithmic discrimination in AI systems and requires developers and deployers of high-risk AI systems to document AI system capabilities, limitations, and potential impacts on individuals and society. Developers must conduct bias and discrimination risk assessments and implement measures to mitigate these risks over the course of AI system lifecycles. Deployers must disclose AI use to consumers and ensure transparency and accountability, including providing explanations for AI decisions that affect individuals. SB24-205 also emphasizes data privacy and mandates compliance with existing laws. SB21-169 mandates that insurers using AI systems that rely on consumer data must ensure the systems do not result in unfair discrimination. Enacted on July 6, 2021, the law requires insurers to establish a governance and risk management framework, conduct regular testing, and report their findings to the Colorado Division of Insurance. The law seeks to protect consumers by holding insurers accountable for any discriminatory outcomes produced by their AI systems and requires corrective actions if discrimination is detected​. https://www.workforcebulletin.com/colorados-historic-sb-24-205-concerning-consumer-protections-in-interactions-with-ai-signed-into-law-after-passing-state-senate-and-house#:~:text=SB%2024%2D205%20will%20become,%E2%80%94including%20employment%2Drelated%20decisions.
• #15: https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=4015&ChapterID=68
• #16: https://coxandpalmerlaw.com/publication/aida-2024/
• #17: Service Providers are required to manage the use of the services by: - Taking measures to prevent excessive dependence on or addiction to the services; - Guiding the users to understand and use Generative AI in a scientific, rational and legal manner; Suspending or ceasing services to users, if they are found to have violated laws or regulations, commercial ethics or social morality. https://www.twobirds.com/en/insights/2023/china/what-you-need-to-know-about-china%E2%80%99s-new-generative-ai-measures
• #18: https://coxandpalmerlaw.com/publication/aida-2024/
• #21: What is FaceApp? FaceApp is a popular mobile app that uses AI to edit and enhance photos. For example, it can make you look older, younger, or change your hairstyle or facial expressions. These features became viral, making the app widely popular. Where was the privacy concern? The controversy arose from FaceApp's privacy policy. When people uploaded their photos to the app for editing, the policy seemed to indicate that the company could store, use, or even own the photos users uploaded. People became concerned that their personal photos could be used in ways they didn't agree to, such as being shared with third parties, used for marketing, or even sold. What was the issue with data ownership? The heart of the debate was: Who owns your data (photos) once you upload it to an AI-powered service like FaceApp? The app’s policy suggested that they could keep or use those images long after users deleted the app or finished editing their photos, which made people uneasy about losing control over their personal data. An Example of the Controversy: Let's say you upload a selfie to FaceApp to see how you might look in 30 years. After the AI enhances the photo, you’re done using the app. However, because of the privacy policy, FaceApp might still have access to that photo, even if you delete the app. The concern is that FaceApp, or any company with similar policies, could potentially use or sell that photo to advertisers or other companies without your consent. The Broader Debate: This incident led to broader discussions about how AI companies should handle user data. People started questioning whether AI apps should have access to or ownership of personal data (like photos), and how transparent companies should be about how they use that data. It also raised concerns about data security: if a company is hacked, those photos and personal information could be exposed.
• #22: What are Deepfakes? Deepfakes are AI-generated videos or images that look incredibly real. For example, the AI can take a video of one person and replace their face with another person’s face or alter their voice to make it seem like they said something they didn’t. These videos can be so realistic that it’s difficult for people to tell they’re fake. How Do Deepfakes Work? Deepfake technology uses deep learning, a form of AI, to analyze many images or videos of a person, learning their facial features, voice patterns, and movements. Once the AI has enough data, it can generate a new video or image where that person appears to be doing or saying something they never actually did. Why Are They Dangerous? The danger comes from how deepfakes can be used to spread misinformation or cause harm. For instance, someone could create a deepfake video of a politician saying something controversial or damaging that they never said. If this fake video is released to the public, it could cause widespread confusion, distrust, and even harm national security if people believe the false information. Deepfakes can also be used in other ways, such as creating fake evidence in legal cases or manipulating people by making it seem like someone said something they never did. An Example of a Deepfake Threat: Imagine a deepfake video is created showing a world leader announcing a fake military attack. If this video spreads before it’s proven false, it could lead to panic, confusion, or even escalate tensions between countries. This is why deepfakes are considered a significant threat to security and democracy. People may stop trusting videos or media because they can't tell what’s real and what’s fake. Deepfakes and Public Trust: Experts warn that deepfakes could be used by governments or bad actors to undermine public trust in institutions like the media, governments, or even scientific bodies. If people can’t trust what they see or hear, it becomes much easier to spread false information or create doubt about legitimate events. In the wrong hands, this technology could destabilize societies by eroding the trust people have in the information they receive.
• #25: Bias Detection and Mitigation: Regularly audit AI systems to identify and mitigate biases, especially in marketing, hiring, or customer service applications. Bias can lead to unfair outcomes and non-compliance with ethical AI standards. Use diverse datasets and validate AI models to prevent discrimination against certain groups or demographics. Fairness in AI Decision-Making: Ensure that AI models treat all users equally and do not introduce biased outcomes based on sensitive attributes (e.g., gender, race, or socioeconomic status). Conduct fairness audits as part of regular AI system reviews.   A DPIA is a specific type of risk assessment that focuses on the data protection implications of an AI system, especially when it involves processing personal or sensitive data. The proactive AIA and DPIA will help CTOs and CIOs identify and mitigate AI technology's data privacy and compliance risks and determine the appropriate measures and safeguards to implement. https://dataprotection.ie/en/organisations/know-your-obligations/data-protection-impact-assessments#:~:text=Data%20Protection%20Impact%20Assessments%20can,Key%20points
• #26: Use techniques like data anonymization or pseudonymization to protect personal information while still allowing data processing for AI models. Customer Awareness: Inform customers about how AI is being used in your services, especially for marketing purposes (e.g., personalized recommendations or automated chatbots). Provide them with clear information on how their data is being used.
• #27: Staff Training on AI Compliance: Provide regular training for staff on AI regulations, ethical AI principles, and best practices for ensuring compliance. This is crucial for teams involved in marketing, data processing, and AI development. Educate employees on recognizing and mitigating biases in AI and data analytics.
• #28: Fortify your AI systems with advanced cybersecurity measures, including secure multi-party computation, intrusion detection systems, and robust encryption protocols to defend against unauthorized access and cyber threats. In doing so, regularly conduct security audits and vulnerability assessments to ensure the resilience of AI infrastructure. Explanation of Key Terms Differential Privacy: Definition: A technique that adds statistical noise to data in a way that allows insights to be derived from the data without exposing individual data points. Purpose: Protects individual privacy by ensuring that even if someone gains access to a dataset, they can't identify specific individuals from the data. How It Works in AI: AI systems can analyze trends and patterns from large datasets without exposing personal information about any individual. Federated Learning: Definition: A machine learning technique where an AI model is trained across multiple decentralized devices or servers that hold local data samples, without the data being exchanged or stored centrally. Purpose: It allows models to be trained without moving personal data, keeping it secure and private on users’ devices. How It Works in AI: AI models are trained using the data stored on individual devices, ensuring that the raw data never leaves those devices. Only the model updates (not the data) are sent to a central server. Encryption (Both at Rest and in Transit): Encryption at Rest: Definition: Protecting data that is stored (not being used or transmitted) by converting it into an unreadable format unless accessed with the proper decryption key. Purpose: Ensures that data stored on servers or databases is protected from unauthorized access. Encryption in Transit: Definition: Protecting data that is being transferred between systems (e.g., between a user and a server) by encrypting it while in transit. Purpose: Ensures that data remains secure while it is being transmitted across networks, preventing it from being intercepted or compromised.
• #29: Establish continuous monitoring frameworks to systematically track and evaluate AI system performance over time. Deploy monitoring tools and techniques such as real-time analytics, anomaly detection algorithms, and performance dashboards to identify and address deviations promptly. Conduct periodic reviews and updates of your AI compliance program to incorporate lessons learned, address emerging regulatory changes, and integrate advancements in AI ethics and governance.
• #30: https://ico.org.uk/media/2258461/dpia-template-v04-post-comms-review-20180308.pdf https://docs.google.com/document/d/17FQDlOdwVC0lhWnlEGXz0b2ubCOSeFeDoonIboW4iyc/edit?usp=sharing