The EU AI Act has passed and the hard work of regulation begins, but is the flawed bill the best approach we have globally?

Data Privacy Happenings 📰

Hello from MineOS's monthly newsletter, The Privacy Mindset! 👋

 

The European Union’s Artificial Intelligence Act is here, the world’s first comprehensive law to regulate AI. As was the case with GDPR, the EU AI Act applies globally as its applicability threshold simply covers EU markets and citizens.

 

This means that any company selling to even a single citizen of a European Union country must comply, which has set off a chain reaction of global enterprises beginning to prioritize AI governance. While the drive to comply is admirable and a step in the right direction, it presents a complicated undertaking as the AI Act seems imperfect.

 

Kai Zenner, a Digital Policy Advisor for the European Parliament and a key player in the creation of the AI Act, noted its conceptual flaws, “[Conceptually] … mixing product safety and fundamental rights as well as using New Legislative Framework concepts such as ‘substantial modification’ is not working for evolving AI systems.”

 

Granted, this was an unprecedented law that took three years and thousands of contributors to hammer out, inevitably relying on innumerable compromises to cross the finish line. Still, the end result being imperfect will lead to conflicting interpretations of the law the same way various EU member states have enforced GDPR differently. Zenner writes, “the AI Act is creating an overcomplicated governance system … As a result, Member States will designate very different national competent authorities, which will - despite the Union Safeguard Procedure in Article 66 - lead to very different interpretations and enforcement activities.”

 

Despite these criticisms, the EU approach is the favorite to emerge as the standard bearer, given the activity–or lack thereof–on AI globally. 

 

India is currently choosing to let generative AI developers self-regulate and label their own products, as updates out of the country recently dropped the requirement to obtain government permission to make products available to users within India. 

 

The UK is also taking a looser approach than the EU despite sharing a risk-based framework. Within the UK, it will be up to regulators to assess AI-specific risks as they see fit within their area of expertise, guided by the principles of safety and transparency to establish sector-specific AI regulators.

 

Much of what the US will do on AI regulation remains stuck at the posturing level, with guidelines and endless commentary on how to approach AI but little in the way of legislative progress. With how data privacy has unfolded within the country, expect a decentralized approach that many countries will likely not look to emulate.

Put Your 💰 Where Your 🤑 is

Here's your chance to test your privacy knowledge and win a $25 Amazon gift card!

 

Just respond to this email with your answer and we'll draw one winner from those who answered it correctly within the first 24 hours!

 

What does the U.S. law COPPA stand for?

A) Consumer Online Privacy Protection Agreement                  

B) Consumer Oriented Protection Plan Act

C) Children's Online Protection and Prioritization Act                           

D) Children's Online Privacy Protection Act

 

Product Spotlight 🔦

Scanning data systems is vital for data governance, which is why MineOS introduced the Data Classifier feature.

 

Inside you’ll find all the systems you can integrate with MineOS to get a more complete scan of PII.

 

This is a bit more straightforward than MineAI, which uses context to accurately assign data types to your systems. PII Classification brings more versatility through continuous, exhaustive coverage of all data types and their locations within a data source.

 

Regulation Focus 🔬

EU Digital Services Act Article 12.1

"Providers of intermediary services shall designate a single point of contact to enable recipients of the service to communicate directly and rapidly with them, by electronic means and in a user-friendly manner, including by allowing recipients of the service to choose the means of communication, which shall not solely rely on automated tools."

 

The EU's AI Act is getting all the hype, but another major data protection law, the Digital Services Act, recently came into effect. The DSA (as well as the similarly named Digital Markets Act) is aimed at bringing tech giants more under the umbrella of data privacy to ensure they are responsibly handling data, and largely applies to companies like Google, Meta, and Amazon.

 

Among the key aspects of the DSA are things like algorithmic transparency, with platforms needing to clearly disclose how automated content moderation tools work, further restrictions against the use of dark patterns to trick consumers, and most importantly, a ban on ads using profiling or targeting based on sensitive data.

 

All those are strides forward, but it is also interesting that the DSA requires these large companies to appoint what is essentially a DPO position on steroids (it's also interesting that each new EU data protection-aligned law ends up creating new positions, as there will likely be a proliferation in positions like Chief AI Officer to help align compliance with the AI Act as well). This is outlined in articles 11 & 12, and includes making it as easy as possible for members of the public to contact this representative. 

 

With how many people use the tools that are currently governed by the DSA, one person is likely not enough to actually read and respond to every legitimate consumer request, but opening up this level of transparency is an interesting start in the fight to contain Big Tech's data practices.

Founder's Corner 🎙️

CEO & co-founder Gal Ringel

 

Q: How would you rate early regulatory efforts around AI so far? Do you think they will be successful in establishing usage guardrails? 

 

A: These early regulatory efforts are good in theory and I applaud their speed in responding to the issue of AI, but they still lack real substance so I wouldn't say they are excellent. The US's Executive Order on AI serves more as guidelines than meaningful regulation, and with 2024 being an election year, it's fairly unlikely anything big on AI will pass.

 

In the EU the AI Act has passed, but as pointed out by many privacy professionals, it's still quite complicated and vague in places. There were real, drawn-out arguments over how the AI Act should look in the European Parliament, and those fractures are visible in the bill.

 

However, passing a law this quickly does put pressure on the business community to approach regulation seriously from the outset, which hopefully will yield safer and more responsible AI.

Webinars & Events 📅

MineOS will be at IAPP's Global Privacy Summit 2024 in Washington DC in less than a week's time!

 

Come by booth #253 for great swag, tasty ice cream, live demos, and a HUGE announcement on the future of the MineOS platform 📣

 

Also make sure to catch us at the LGBTQ+ & Allies Wonderland Afterparty at Pitchers Bar on April 3 at 8:30 for fun times off the clock!


SayMine Technologies Ltd., 94 Igal Alon st., Alon 1, Tel Aviv, Israel, 6789155
