As Artificial Intelligence (AI) continues to revolutionize industries, an increasingly intricate web of laws and regulations has emerged to guide its use. Understanding these laws is crucial to adopting AI in a compliant and ethical manner. This blog aims to provide a brief primer on the most significant AI governance and compliance laws and regulations currently in effect.
General Data Protection Regulation (GDPR)
Enacted in 2018 by the European Union, GDPR impacts any organization that processes the data of EU citizens. This regulation imposes stringent rules on data protection and privacy, and includes stipulations on AI and automated decision-making. Non-compliance can result in substantial fines, up to €20 million or 4% of the annual global turnover.
California Consumer Privacy Act (CCPA)
Effective from January 2020, CCPA gives California residents new rights regarding their personal information. It provides consumers the right to know what personal data is being collected, the right to delete personal data held by businesses, and the right to opt out of the sale of personal data.
Algorithmic Accountability Act (AAA)
Initially proposed in the U.S. in 2019, AAA seeks to protect consumers from harmful and discriminatory automated decision systems, including AI. The bill, updated and reintroduced in 2022, would require companies to conduct impact assessments on their high-risk automated decision systems, create new transparency about when and how automated systems are used, and empower consumers to make informed choices about the automation of critical decisions. The bill failed to pass Congress before the session ended and was rejected in January 2023.
EU Artificial Intelligence Regulation (AI Act)
In April 2021, the European Commission proposed a legal framework on AI aiming to ensure AI's safe and lawful use. The proposal categorizes AI systems based on their risk and imposes corresponding requirements. If adopted, it will profoundly impact the use and development of AI in the EU. On May 11, 2023, a committee of lawmakers in the European Parliament approved the EU's AI Act, bringing it closer to becoming law.
Personal Data Protection Act (PDPA)
Singapore's primary data protection law, PDPA, enacted in 2012, governs the collection, use, and disclosure of personal data by organizations. In 2021, it was updated to include AI and data governance provisions, emphasizing the ethical use of AI and data.
Data Protection Act 2018 (UK)
The UK's DPA 2018 complements the GDPR and replaces the DPA 1998. It incorporates the GDPR's provisions and adds several others, addressing law enforcement processing, intelligence services processing, and some aspects of automated decision-making.
These are just a handful of the regulations that organizations must navigate when adopting AI. This underscores the importance of having a robust AI governance and compliance platform that can keep abreast of changing laws and regulations, ensuring your AI initiatives are always compliant and risk-managed.
Protection of Personal Information Act (POPIA)
South Africa’s primary data protection law, POPIA, came into full effect on July 1, 2021. It regulates the processing of personal information and imposes stringent requirements on organizations to ensure that personal data is handled in a lawful and transparent manner.
Brazil’s General Data Protection Law (LGPD)
Effective from August 2020, the LGPD is similar to the GDPR and applies to any business, regardless of location, that processes the data of individuals in Brazil. It provides a comprehensive framework for data protection, including rules related to AI and automated decision-making.
Personal Information Protection Law (PIPL)
China's first comprehensive data privacy law, PIPL, came into effect in November 2021. It strengthens data protection and imposes strict limitations on data processing, including rules that apply to AI applications.
Data Governance Act (DGA)
Proposed by the European Commission in 2020, the DGA aims to establish a framework for data sharing across the EU. This regulation, once enacted, will have implications for AI systems that rely on data from different EU countries.
Canada’s Bill C-27: Artificial Intelligence and Data Act (AIDA)
The stated purposes of the AIDA are to:
regulate trade and commerce in AI systems by establishing common requirements applicable across Canada for the design, development and use of those systems; and
prohibit certain conduct in relation to AI systems that may result in serious harm to (physical, psychological, property or economic).
The Bill is currently in its second reading.