News & Insights  |  Newsletters

What’s the Next Phase of AI Regulation in the U.S. and Abroad?

August 2019

Privacy in Focus®

Recent developments in the United States and on the international stage suggest we’re moving into a new phase in regulatory approaches to artificial intelligence (AI) – one where countries are moving forward on determining whether and how AI will be regulated within and across sectors.

AI can be broadly used in a range of applications, from voice assistants to autonomous vehicles to medical diagnoses to credit and other financial decisions, and one big question is whether countries will adopt a “one size fits all” approach or one tailored to individual sectors. Despite the differences among AI applications, both the U.S. and other countries have shown openness to adopting principles and standards across sectors. At the same time, in certain areas – like AI-powered facial recognition – lawmakers and regulators have pushed for more swift and sector-specific action.

Below we recap the current developments in AI regulation, and look at what is coming next. This includes international efforts that – as we have seen with the EU’s General Data Protection Regulation (GDPR) – can directly affect American companies and drive U.S. federal and state regulatory approaches. For further information, check out our latest podcast, in which we discuss these developments in more detail.

International Efforts

Internationally, over the past few months, leading global intergovernmental organizations have issued public policy frameworks for AI, typically with input from a range of experts and stakeholders. These are intended to be models for use by governments and other parties around the world. The Organization for Economic Cooperation and Development (OECD) adopted principles for “trustworthy” AI, first released in March and finalized at highest levels in May. These establish expectations for all actors who participate in the AI system life cycle. The OECD is also developing practical guidance on ways to act consistently with these principles. And in June, the G20 adopted the OECD framework with some variations on details.

Regional and national initiatives are also underway. The European Commission (EC) has conducted an extensive effort to develop ethics guidelines for AI that were released in April. Their implementation guidance is occurring through a pilot, using an assessment list in which participants report on 130+ detailed questions as to their practices in this area. Just a few weeks ago, the expert group advising the EC on AI published a report on policy recommendations that includes a section on possible legislative changes to address AI.

Notably, against this backdrop, German Chancellor Angela Merkel recently called for “regulation” of AI along the lines of the GDPR. And the newly elected President of the European Commission, Ursula von der Leyen, has announced her intention to propose legislation on the “human and ethical implications” of AI within her first 100 days in office. The OECD and EC frameworks could provide road maps for national regulators intent on taking such action. AI is also an area in which many countries follow the lead of – or at least draw ideas from – the first countries to approach regulation. Indeed, information-sharing and other collaboration among countries on AI is already occurring regularly. At a hearing on international engagement and emerging technologies conducted by the Federal Trade Commission (FTC) in March, the FTC used AI as a timely case study, with panelists that included experts from other countries who expressed interest in heightened collaboration.

U.S. Efforts

In the United States, the National Institute of Standards and Technology (NIST) at the Department of Commerce recently issued a federal AI engagement plan that calls for federal agencies to move forward on a range of AI standards, including some that can form the basis of a regulatory approach. The Administration’s Executive Order on AI, released in February, had required NIST to develop a plan for federal engagement on AI standards based on public input. The plan, which was submitted on August 9, calls for development and use of standards to support deployment of “reliable, robust, and trustworthy systems that use AI technologies.”

While the NIST plan discusses a number of technical standards, it also sees a role for standards development being used to address substantive concerns around AI, such as safety, data quality, and explainability of AI decisions – though the plan is cautious about moving too quickly and not achieving sufficient consensus. In the category of standards “more primed” for development, it includes (among various relatively technical standards) standards for data, which encompass data analytics, data quality, and data privacy. And other standards it considers to be at “formative stages” are AI safety, risk management, explainability, and security. It also suggests that ethical considerations may be incorporated into standards “tied tightly to the type, likelihood, degree, and consequence of risk to humans.”

Who will drive standards development? The NIST plan proposes that most of the domestic engagement on AI standard-setting will be driven by individual agencies, with a central coordinator at the National Science and Technology Council. And it heavily emphasizes the role of public-private partnerships, encouraging agencies and industry to work together where they can.

Beyond NIST, one area that has received significant scrutiny by a wide range of lawmakers is the use of AI in facial recognition. In May, the San Francisco Board of Supervisors voted to ban the use of facial recognition software by the police and other agencies. The city of Somerville, Massachusetts followed suit last month. On the federal level, Senators Roy Blunt (R-MO) and Brian Schatz (D-HI) released proposed legislation in March that generally would require notice and affirmative consent for collection and sharing of commercial facial recognition data, and require meaningful human review of decisions based on facial recognition technology in some circumstances. The draft legislation would also require companies making facial recognition technology available as an online service to set up an API to enable independent testing for accuracy and bias. Lawmakers continue to look at regulatory approaches to facial recognition that presage an approach to other technologies that use AI.

Overall, we expect AI regulatory approaches to advance on both the domestic and international fronts in the coming months. Stakeholder participation is key as lawmakers and regulators continue their discussions – and move beyond discussing to proposing potential laws or regulations. As with privacy law, input by industry participants before laws or regulations are passed will be critical in avoiding unintended consequences that can stifle beneficial AI innovation.

© 2019 Wiley Rein LLP