Module 6

Question 1

AI adoption generally falls within one of two broad categories, name them

Answer 1

1. To perform an existing function in a new way
2. To accomplish a new process that has not been done or was not possible before AI

Question 2

When using AI to perform an existing function in a new way, what laws and regulations would it have to adhere to?

Answer 2

• Safety standards
• Software liability
• Consumer protection requirements
• Data retention and disclosure rules
• Any other existing frameworks it would otherwise be accountable under if the work were conducted manually by a human

Question 3

List 3 important questions that AI has raised in the context of law and regulation

Answer 3

• How do the principles and protections of copyright laws apply to AI?
• Can the output of AI be considered original and therefore warrant copyright protection?
• How much human intervention/participation is necessary to meet the threshold of invention or development that can be patented? Where is the line and how do we measure it?

Question 4

What issues have been raised in relation to how the principles and protections of copyright laws apply to AI?

Answer 4

Data scraping and collection practices leveraged to train generative AI systems have already been putting pressure on our understanding and expectations around intellectual property protections

Question 5

What decision was recently made in relation to AI and patents in the US?

Answer 5

A recent U.S. federal court decision determined AIs cannot be listed as “inventors” for the purposes of obtaining a patent

Question 6

What laws in the US will have to be interpreted to determine how and when they apply to AI technologies?

Answer 6

Related to employment:
- Title VII
- EEOC regulations
Related to consumer finance:
- Equal Credit Opportunity Act
- The Fair Credit Reporting Act
- SR 11-7
OSHA’s guidelines for robotics safety and “hazard analysis”
The Food and Drug Administration’s systemic approval processes for software as a medical device

Question 7

What is SR 11-7?

Answer 7

A regulatory standard set out by the U.S. Federal Reserve Bank that gives guidance on model risk management

Question 8

A joint statement was published by the FTC and other US agencies clarifying that existing legal authorities apply to automated systems and innovative new technologies. Which authorities did they list?

Answer 8

• The Consumer Financial Protection Bureau
• The Department of Justice’s Civil Rights Division
• The Equal Employment Opportunity Commission
• The Federal Trade Commission

Question 9

What laws in the EU will have to be interpreted to determine how and when they apply to AI technologies?

Answer 9

• European Union’s Digital Services Act
• Local intellectual property and competition laws
• Product safety laws

Question 10

Provide 2 examples where the EU Digital Services Act overlaps the GDPR with regard to transparency

Answer 10

• Recommender systems, which is ML that recommends products: online platforms should ensure users are informed about how recommender systems impact the way information is displayed, and how and what information is presented
• Online advertising: recipients should have information directly accessible from the online interface where an ad is presented, such as parameters used for determining why an ad was directed to them (the logic used and whether it was based on profiling)

Question 11

When was the GDPR enacted?

Answer 11

May 2018

Question 12

What is the subject of Article 22 of the GDPR?

Answer 12

Automated decision-making

Question 13

When does Article 22 of the GDPR apply?

Answer 13

Where there is an impact for individuals that might be adverse or material

Question 14

What is the requirement of Article 22 of the GDPR?

Answer 14

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her

Question 15

Describe the prohibition on automated decision-making in Article 22 of the GDPR

Answer 15

• There is a general prohibition on automated decision-making that can have a serious effect on an individual
• Some exceptions exist, for example where there is the fulfilment of a contract or explicit consent or necessity, but generally, the prohibition is pretty broad
• Not easy to understand what a significant effect might be, and they are evaluated on a case-by-case basis
• We are still trying to understand through court cases and how it is applied within different organizations

Question 16

What are the challenges in implementing Article 22 of the GDPR?

Answer 16

• Getting explicit consent
• Data Subject Rights
• Automated decision-making that requires a manual review of the AI decision

Question 17

Describe how getting explicit consent may be challenging, in the context of Article 22 of the GDPR

Answer 17

For GDPR compliance, there must be explicit, freely given and informed consent; and you must have an option to opt-out
- Where you are going to get that consent, and where will individuals be able to opt-out
- What is the context of the decision – you have to provide broad interpretation of fairness, lawfulness and transparency to ensure the data subject knows they are talking to a chatbot or robot, so they are fully aware of the implications of continuing on and providing personal information

Question 18

Describe how data subject rights may be challenging, in the context of Article 22 of the GDPR

Answer 18

How are you going to enforce accuracy, correction and right to erasure
- If you remove or correct the data from the training set, right now the only way to correct the model is to have the model go through re-training
- AI models are not set to dynamically update their inference based on new training data without going through a formalized training process

Question 19

Describe how automated decision-making that requires a manual review of the AI decision may be challenging, in the context of Article 22 of the GDPR

Answer 19

• The reviewer must be competent with the AI technology to know what to look for and make an accurate decision of whether or not the AI decision needs to be overturned
• If the AI is a black box, then it makes it very difficult for anyone to honor the automated decision right to review the outcome, they don’t understand how the AI came to that decision

Question 20

What is the process of redress?

Answer 20

A way for data subjects to register a formal complaint or request a review of an automated decision

Question 21

What is the subject of Article 25 of the GDPR?

Answer 21

DPIAs of high-risk processing

Question 22

The current draft of the EU AI Act includes a requirement to perform what assessment?

Answer 22

AI conformity assessment

Question 23

What does the requirement to perform an AI conformity assessment in the EU AI Act depend on?

Answer 23

The risk to health, safety and fundamental rights of individuals

Question 24

In the EU AI Act, can an AI conformity assessment be required when there is no personal information being processed?

Answer 24

Yes

Question 25

What makes DPIAs and AI conformity assessments similar?

Answer 25

Both are at heart a method for providing accountability in developing new technology and using data

Question 26

What is the focus of a DPIA?

Answer 26

• The DPIA is really focused on the processing of personal information that is an underlying requirement
• But also, the scenarios where that processing may result in a high risk to the rights and freedoms of individuals

Question 27

Are DPIAs always required?

Answer 27

• No, because they are tied to personal information
• But they are a best practice to understand the implications of AI processing

Question 28

What makes AI conformity assessments different?

Answer 28

• They are also intended as an accountability tool
• They are much broader and holistic in the way they analyze the technology

Question 29

What should you identify in an AI conformity assessment?

Answer 29

• How the AI was developed
• Its data set
• How the learning process was developed
• The AI behavior and potential impacts

Question 30

How do you ensure your DPIA and AI conformity assessments are effective?

Answer 30

Ensure they include:
- A privacy risk threat model
- Identifying potential harms and mitigations
- Covering business, technical and risk aspects

Question 31

Why should your DPIA include a data flow diagram?

Answer 31

To ensure your mitigations are targeted and narrow (and therefore more effective)

Question 32

Which is more technical, the DPIA or the AI conformity assessment?

Answer 32

AI conformity assessment

Question 33

Which assessment might include a logic diagram, the DPIA or AI conformity assessment?

Answer 33

AI conformity assessment

Question 34

What is the subject of Recital 26 of the GDPR?

Answer 34

Pseudonymization and anonymization

Question 35

What are some of the issues to consider when deidentifying data for use in AI systems?

Answer 35

• How can you deidentify at scale?
• When do you do it (pre-processing, within the algorithm, on the output)?

Question 36

List the 2 distinct approaches to product liability

Answer 36

• Fault liability regimes
• Strict liability regimes (sometimes referred to as no-fault liability regimes)

Question 37

Describe fault liability regimes

Answer 37

• The individual must prove an action or inaction by the product maker caused the harm
• For example, non-compliance with product safety law, or some form of negligence where they fail to exercise due care

Question 38

Describe strict liability regimes

Answer 38

• The individual does not need to prove intentional wrongdoing or fault, only that a product defect caused harm

Question 39

In a strict liability regime, what is the process for determining whether compensation is required?

Answer 39

• The AI product was defective
• They suffered some sort of damage
• The products defectiveness caused that damage

Question 40

What are the 2 big reasons why it is difficult to prove liability and to compensate for AI induced harm?

Answer 40

• It is difficult to attribute harm due to the autonomous, constantly evolving and changing nature of AI systems
• AI systems are highly complex and technical in nature, so it can be difficult to understand what led to harm

Question 41

Which 2 proposals did the EU publish in September 2022 to make it easier for victims to prove liability and receive compensation?

Answer 41

• Reform of the EU 1985 Product Liability Directive
• EU AI Liability Directive

Question 42

What important change did the EU make when reforming the EU 1985 Product Liability Directive?

Answer 42

AI and other software and digital products fall under the scope of regulated products

Question 43

Is the reformed EU 1985 Product Liability Directive a fault or strict liability regime?

Answer 43

Strict

Question 44

In a strict liability regime, who has the burden of proof?

Answer 44

The victim

Question 45

List the categories of damage covered by the reformed EU 1985 Product Liability Directive in relation to AI

Answer 45

• Injury, death or psychological harm
• Property or financial damage
• Data loss or corruption

Question 46

According to the reformed EU 1985 Product Liability Directive, can a victim claim compensation for harms caused by products produced in another country?

Answer 46

Yes, it is extraterritorial

Question 47

Is the EU AI Liability Directive a fault or strict liability regime?

Answer 47

Fault

Question 47

Which Act does the EU AI Liability Directive reinforce?

Answer 47

The EU AI Act

Question 48

What 2 core measures are brought into force by the EU AI Liability Directive?

Answer 48

• Courts are going to be empowered to order the disclosure of evidence about high-risk AI systems from providers
• Courts will be able to presume a causal link between non-compliance with relevant laws and AI-induced harm

Question 49

Provide examples of the information courts will be able to order the disclosure of, according to the EU AI Liability Directive

Answer 49

• Technical documentation the provider maintains
• Information about how the AI system was developed
• Which data it was trained on
• What its purpose is
• What model was used
• What its architecture is
• What testing and monitoring is being performed

Question 50

In a fault liability regime, who has the burden of proof?

Answer 50

The defendant

Question 51

Are the following directives in force? The reform of the EU 1985 Product Liability Directive, and the EU AI Liability Directive.

Answer 51

No, they remain under consideration and negotiation by EU institutions

Question 52

How are product liability laws managed in the US?

Answer 52

• Determined at the state level, vary widely
• Much of the law is court-made law - because there isn’t much case law regarding AI, there is a lot of uncertainty on how product liability applies to AI

Question 53

List 3 types of liability claim in the US

Answer 53

• Strict liability, where victims have to prove they were harmed by a defective product
• Negligence, where the product maker has failed to exercise due care, and this led to harm
• Breach of warranty, where promises about a product have not been met and some sort of harm has been caused

Question 54

What is the key difference between product liability laws in the EU and the US?

Answer 54

Within the US system, it is not clear whether AI systems are products (in the EU they have made this very clear)

Question 55

What is the importance of the Rogers vs Christie case in the US in 2020?

Answer 55

• The US district court of New Jersey ruled that AI software does not qualify as a product
• The court ruled that information, guidance, ideas and recommendations are not products
• The system recommended that an inmate be released pre-trial, and then shortly afterward, the plaintiff’s son was murdered
• The court was unable to assign liability because the AI system was not classified as a product

Question 56

What is the importance of the ongoing Connecticut Fair Housing Association vs Core Logit Rental House Solutions case in the US?

Answer 56

• The plaintiff argued that the AI model that was used to reject the plaintiff’s disabled son’s tenancy breached fair housing requirements
• Core logic is the AI vendor that provides technology the landlord uses to make decisions about who should and shouldn’t be able to live in certain properties
• The way the case is going, the vendor may be held liable

Question 57

What has the FTC in the US communicated in relation to product liability and AI?

Answer 57

• FTC standards on non-deception and fair use
• Recently the FTC warned that unsubstantiated claims about the accuracy or efficacy of biometric information sources, such as facial recognition software, may violate the FTC act

Question 57

What is the US federal government doing to address product liability and AI?

Answer 57

• The White House recently published a blueprint for an AI Bill of Rights
• There are several important guidance documents from FTC and FDA
• Application of the NIST Risk Management Framework
• Publication of Presidential Executive Order 14091 on advancing racial equality which states that federal agencies must root out bias in the design and use of AI

Question 58

How can organizations prepare in the absence of legislation and regulation in relation to product liability and AI in the US?

Answer 58

• As the law develops, organizations will increasingly be exposed to risk of litigation, compensating victims and disclosing sensitive information on AI systems and practices
• Organizations need to be educated about possible harms and relevant legislation, and they need to take product safety seriously