The United States does not currently have a comprehensive federal privacy law, though multiple states have begun to fill the void in the absence of federal policy. Similarly, multiple countries outside the United States have passed privacy laws, and most of this legal activity — domestic and international — is not sector- or industry-specific. Against this backdrop, artificial intelligence systems, trained on vast amounts of data, continue to advance without a clear consensus on principles or a process to assess and mitigate AI risk. However, state and federal governments around the world are developing approaches to measuring and mitigating risks, with many of the governance requirements reflecting a parallel to privacy governance requirements.

Privacy practitioners utilize the Fair Information Practice Principles to assess privacy risk. Different countries have adopted variations of this structure, though these principles usually include:

  • Access and Amendment — individuals should have access to the information about them and the right to amend or correct inaccurate data;
  • Accountability — data stewards must be responsible for adhering to the law and utilizing the Fair Information Practice Principles, and validating those actions through monitoring, auditing, and compliance measures;
  • Authority — the data has been collected within the bounds of the law and the collector has authority to collect the information;
  • Minimization — organizations should collect only the amount of information they need to accomplish their stated purpose;
  • Quality and Integrity — information must be relevant and suitable for the purposes for which it is used and should be accurate, complete, and up to date;
  • Individual Participation — an individual has knowledge and provided consent with respect to uses of their personal data, and has the ability to access, amend, or otherwise exercise choice in how the data is used;
  • Purpose Specification and Use Limitation — individuals must receive notice about how their information will be used and all uses must be limited to those purposes disclosed at the time of collection;
  • Security — data must be appropriately safeguarded and secured, regardless of physical or electronic format; and
  • Transparency — organizations should be open about data policies and practices with respect to personally identifiable information.

Thematic consistencies in privacy governance also exist in the international and domestic privacy laws that have been passed. First, these laws are not sector-specific or geographically bound. As a general matter, they tend to apply to any company, regardless of geographic location, that processes personal data of residents covered by the law, even if those companies are not physically located in the jurisdiction.

Second, these laws tend to carry significant financial penalties. For example, the European General Data Protection Regulation allows EU data protection authorities to assess fines of up to €20 million ($22.1 million) or 4 percent of a company's worldwide annual revenue, depending on the specific GDPR provision violated.

Third, the laws give individuals increased ability to access and control how their information is collected and used. Individuals may request and receive access to the information companies hold about them, request deletion of that information, receive access to information in a format that facilitates transport of the data to other organizations, and have the ability to refuse to consent to tracking or the sale of their data.

Fourth, there are increased governance responsibilities. Some governance requirements include establishing a Data Protection Officer specifically charged with overseeing privacy within an organization. If a use of information is particularly sensitive or novel, new laws may require a company to complete a privacy impact assessment before data processing begins. In some instances, the law requires companies to establish privacy training programs and conduct regular privacy audits.

The Intersection of Privacy and Artificial Intelligence

In January 2023, the National Institute of Standards and Technology issued the AI Risk Management Framework (AI RMF), a voluntary framework designed to provide guidance for using, designing, or deploying AI systems. Per the NIST Framework, a trustworthy AI system contains the following elements:

  • Valid and reliable;
  • Safe;
  • Secure and resilient;
  • Accountable and transparent;
  • Explainable and interpretable;
  • Privacy-enhanced; and
  • Fair with harmful bias managed.

The National Security Commission on Artificial Intelligence also released a wide-ranging report in 2021 designed to present a national strategy to reorganize the government's approach to artificial intelligence. Among its many recommendations, the Commission recommended that Congress require AI Risk Assessment reports and AI Impact Assessment reports from the Intelligence Community, the Department of Homeland Security, and the Federal Bureau of Investigation for AI systems that impact US citizens and legal permanent residents. This focus on transparency and accountability reflects governing principles also seen within privacy governance frameworks.

Most recently, European negotiators have reached a political agreement to sign the Artificial Intelligence Act, the first comprehensive AI law. Like its comprehensive privacy law, the General Data Protection Regulation, the EU's Artificial Intelligence Act utilizes a risk-based approach to governance and carries significant financial penalties for non-compliance. Fines range from €7.5 million or 1.5% of global turnover to €35 million or 7% of global turnover, depending on company size and the nature of the violation.

These emerging AI frameworks and laws reflect the importance of measures that demonstrate trustworthiness, accountability, and rigor in AI systems. The frameworks often draw on risk assessment requirements and notice requirements commonly seen in privacy law. As artificial intelligence law continues to develop, it is highly likely that the lessons learned and mechanisms implemented for ensuring responsible and trustworthy use of personally identifiable information for privacy governance will continue to be applied to the data-driven field of artificial intelligence.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.