Decoding the EU AI Act and Other Key Developments - This Month in AI - Dec 2023

EU Artificial Intelligence Act Nears Implementation after Intense Negotiations

After 35 hours of intensive negotiations, the European Union (EU) has reached a crucial agreement on the final version of the EU Artificial Intelligence Act. The Commission, the Council, and Parliament concluded discussions, marking a significant milestone in developing a comprehensive regulatory framework for artificial intelligence (AI) that has been in the making for over two years.

While the new draft is not yet available, critical aspects of the AI Act have been clarified, demonstrating both compromises and progressive approaches to address contentious issues. The negotiations focused on banned applications, biometric identification systems, and the handling of general-purpose AI models.

Key Compromises:

1. Banned Applications: The list of prohibited AI applications, including biometric categorization systems, untargeted collection of facial images, emotion recognition in workplaces or education, and social scoring systems, has remained unchanged.

2. Biometric Identification Systems (BIS): Instead of a complete ban, exceptions will be made for law enforcement agencies to use BIS but limited to crimes specified in the AI Act.

3. General-Purpose AI (GPAI) Safeguards: A two-tier system has been introduced for GPAI models based on their impact levels. While all GPAI models must adhere to transparency requirements, high-impact models will have additional rules such as adversarial testing, incident reporting, and model evaluations.

4. Consumer Rights: Users will have the right to launch complaints, and the AI Act ensures the right to receive a "meaningful explanation."

Remaining Concerns and Exceptions

The EU Parliament still needs to secure a complete ban on AI-powered biometric identification systems, with exceptions allowed for law enforcement. However, these exceptions are limited to crimes explicitly mentioned in the AI Act, providing some constraints.

A wide-ranging exception related to migrants has been included in the compromise, although the specific details will only be revealed when the final text of the AI Act is published.

Challenges in the Process

The lengthy process began with the EU Commission's first draft in 2021 and has faced challenges. Recent lobbying efforts from governments and industry players have raised concerns about transparency and the influence of industry stakeholders. While providing more information than usual, the negotiation process still needs more transparency.

Upcoming Steps

Despite the agreement on provisions, considerable work lies ahead to finalize the AI Act's text, with adoption expected to occur after an implementation phase, likely in 2025. The EU Commission has introduced the "AI Pact" as a provisional setup for industry players to demonstrate readiness and compliance during this phase.

Historic, Compromised, or Both

While the AI Act represents a historic achievement as the world's first comprehensive framework to regulate AI, it reflects compromises made during negotiation. The final judgment awaits the release of the detailed text. Despite imperfections, the AI Act introduces progressive approaches, differentiating itself from the General Data Protection Regulation (GDPR) by imposing general rules on government and law enforcement.

The EU's commitment to setting robust regulations for AI is recognized globally, positioning the AI Act as a significant step toward guiding AI development in a human-centric direction.

Quebec Introduces Draft Regulation on Anonymization of Personal Information

On December 20, the Quebec government took a significant step in privacy regulation by publishing the Draft Regulation respecting the anonymization of personal information in the Quebec Gazette. Following a 45-day public consultation period, this draft regulation aims to provide detailed guidelines on anonymization practices, particularly in compliance with Law 25, Quebec's private sector privacy law.

Context: Law 25 and Anonymization

Law 25's anonymization provisions, effective September 22, 2023, outline the concept of anonymization, emphasizing its acceptability as an alternative to destroying personal information, provided there are "serious and legitimate reasons" for choosing anonymization. Law 25 does not explicitly exclude anonymized data from its scope but emphasizes compliance with generally accepted best practices and regulatory criteria.

Draft Regulation Highlights:

1. Supervised Anonymization:

- A qualified professional must oversee anonymization processes.

- Removal of direct identifiers is a crucial initial step.

2. Re-Identification Risk Analysis:

- Preliminary analysis considering correlation, individualization, and inference criteria.

- Determination of anonymization techniques based on generally accepted best practices.

- Implementation of security measures to minimize re-identification risks.

3. Risk Mitigation:

- Regular re-identification risk analyses to adapt to technological advancements.

- The demonstration of shallow residual re-identification risk, considering various factors like intended use, nature of information, and available external data.

4. Recordkeeping Requirements:

- Maintenance of records for anonymized personal information, including:

- Description of anonymized data.

- Purpose of anonymized data usage.

- Techniques used for anonymization and security measures.

- Summary of re-identification risk analysis results.

- Dates of completion and updates for re-identification risk analysis.

Challenges and Compromises

While the regulation addresses critical aspects of anonymization, some challenges and compromises exist. The regulation acknowledges that zero risk is unnecessary but requires a shallow residual re-identification risk. It emphasizes the need for periodic re-evaluation due to evolving technological landscapes.

Final Thoughts

Quebec's Draft Regulation on anonymizing personal information presents a comprehensive framework applicable to both public bodies and the private sector. Creating a balance between privacy protection and data utility, the regulation reflects a commitment to evolving privacy standards. The upcoming implementation phase, likely in 2025, will see the practical application of these guidelines. Organizations must familiarize themselves with the draft regulation to ensure readiness and compliance with the evolving privacy landscape.

Global Partnership on Artificial Intelligence (GPAI) Unanimously Adopts New Delhi Declaration for Responsible AI

The Global Partnership on Artificial Intelligence (GPAI), consisting of 29 member countries, has taken a unified step towards promoting responsible artificial intelligence by unanimously adopting the New Delhi declaration. This landmark declaration emphasizes the importance of mitigating risks associated with AI systems and advocates for equitable access to crucial resources, including computing power and high-quality, diverse datasets, for fostering AI innovation.

Key Concerns Highlighted

While recognizing the swift advancements in advanced AI systems and their potential for economic growth, the New Delhi declaration addresses several concerns related to the development and deployment of AI. These concerns include misinformation, unemployment, lack of transparency and fairness, protection of intellectual property and personal data, and potential threats to human rights and democratic values.

India's Lead Role and Collaborative Approach

The declaration supports India's role as the Lead Chair for 2024, emphasizing a collaborative approach to global AI partnerships. India has been a proponent of joint efforts in building AI systems and promoting its model of digital public infrastructure (DPI) worldwide. Access to computing capabilities from member nations is expected to bolster India's plans for developing a sovereign AI system, countering the dominance of a few foreign companies in the AI space.

Inclusive Access to AI Benefits

Minister of State for Electronics and IT, Rajeev Chandrasekhar, highlighted that the declaration aims to ensure the inclusivity of AI benefits, making them accessible to all countries, including those in the Global South. The adoption of the directive followed a five-hour ministerial deliberation.

Democratic Values and Human Rights in the AI Framework

The GPAI members expressed the need for a global AI framework rooted in democratic values and human rights. The framework should safeguard dignity and well-being, protect personal data, protect intellectual property rights, privacy, and security, foster innovation, and promote trustworthy, responsible, sustainable, and human-centered use of AI.

New Thematic Priority: AI Innovation in Agriculture

A significant outcome of the declaration is including AI innovation in the agriculture sector as a new thematic priority. This aligns with India's push to prioritize agriculture in AI innovation, addressing sustainable food production, climate change adaptation, and empowering workers in the agricultural supply chain.

Diverse Membership and Inclusivity

The GPAI commits to pursuing a diverse membership, focusing on including low and middle-income countries, ensuring a broad range of expertise and experiences. Senegal, an existing member, has been elevated to the steering committee of GPAI, further highlighting the commitment to inclusivity.

The New Delhi declaration signifies a collective effort by GPAI members to address contemporary AI challenges, including generative AI platforms, through applied projects to solve societal problems and global challenges while maximizing benefits and mitigating associated risks. The GPAI's commitment to responsible AI practices marks a crucial step in shaping the future of AI on a global scale.