As Goes GDPR, So Goes AI: EU Leads With Proposed AI Law

Just as it did so many years ago in the data privacy arena, the EU has stepped out ahead of the pack with proposed legislation that would govern the use of AI and could be used for a blueprint by other countries looking to put guardrails around the technology.

A draft of the law released this month takes a decidedly risk-based approach to protections around AI apps. The Future of Life Institute said “[i]t divides apps into three categories—unacceptable risk, high risk and apps that aren’t banned or seen as high risk. That latter group is “largely left unregulated,” the group said on a website dedicated to analyzing the act.

AWS Builder Community Hub

The EU noted that most AI systems won’t be high risk. The unacceptable risk category includes government-run social scoring apps (like the ones that China uses) that will be banned. An example of a high-risk app is a CV-scanning tool used to rank job applicants, the Future of Life Institute said. There are specific legal requirements around those apps.

In those cases, people will be notified “that they are interacting with an AI system, unless this is evident” and will be informed “that emotional recognition or biometric categorisation systems are applied to them.” Additionally, deepfakes will be labeled (unless [they are] necessary for the exercise of a fundamental right or freedom or for reasons of public interests),” the EU said.

“European Union lawmakers have taken a decisive step in shaping the future of artificial intelligence,” Ani Chaudhuri, CEO, Dasera, said. “This landmark legislation challenges the power of American tech giants and sets unprecedented restrictions on AI usage. This move is long overdue as it prioritizes data security and protects individuals from potential harm caused by unchecked AI systems.”

Some of the tightest restrictions in the proposed law are around generative AI, which also must be labeled and copyrighted data summarized.

“One significant aspect of the legislation is its focus on generative AI, including systems like ChatGPT. Requiring content generated by such systems to be labeled and mandating the publication of summaries of copyrighted data used for training promotes transparency and protects intellectual property rights,” said Chaudhuri. “These measures address growing concerns and ensure responsible AI development.”

The proposed law is far from perfect, though. “There are several loopholes and exceptions in the proposed law. These shortcomings limit the act’s ability to ensure that AI remains a force for good in your life,” the Future of Life Institute wrote. “Currently, for example, facial recognition by the police is banned unless the images are captured with a delay or the technology is being used to find missing children.”

What’s more, the group said, “the law is inflexible. If, in two years’ time, a dangerous AI application is used in an unforeseen sector, the law provides no mechanism to label it as ‘high-risk.’”

But Chaudhuri said the EU deserves kudos for its efforts. “While some voices express concern over the potential impact on AI development and adoption, the European Parliament’s determination to lead the global dialogue on responsible AI should be applauded.  European lawmakers have proactively developed comprehensive AI legislation that accounts for evolving technologies and potential risks,” he said.

“The EU’s commitment to data privacy, tech competition and social media regulation aligns with its ambitious AI regulations. This cohesive framework ensures that European companies adhere to high standards, promoting consumer trust and privacy,” he explained. “It also strengthens Europe’s position as the global tech regulator, setting precedents that will shape international tech policies.”

And the law will likely inspire other countries to follow suit. Already Germany has put forth its own initiative. “As Europe leads in establishing AI standards, the United States must step up its efforts to keep pace,” said Chaudhuri. “Congress must pass comprehensive legislation addressing AI and online privacy. Falling behind Europe risks hindering innovation and surrendering the opportunity to lead the global debate on AI governance.”

He said that “responsible AI development should be a global endeavor” and “as Europe sets the bar, it is incumbent upon the United States to catch up and play an active role in shaping AI policies.”

Chaudhuri is confided that “we can strike the right balance and ensure AI benefits society by fostering innovation while safeguarding individual rights.”

Regardless, security pros relish the discussion around guardrails for AI.

“Let the debate begin! Similar to data privacy years ago, the EU has just taken a position at the far end of the spectrum to frame the parameters of the discussion,” said Craig Burland, CISO at Inversion6.

“Putting aside the many challenges of enforcement as well as the ubiquitous use of AI in modern technology projects, the EU has documented intriguing concepts centered on ensuring the validity of the content and proper use cases. Contrast this with Google’s pronouncement last week that focused primarily on protecting the technology itself,” said Burland. “What was announced today will shift and transition as the debate plays out in the media and behind closed doors. But, in planting this flag, the EU has started what will be a fascinating dialog that affects businesses and individuals alike.”

Avatar photo

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.

teri-robinson has 185 posts and counting.See all posts by teri-robinson