An Overview of Emerging Global AI Regulations

Australia

Legislation

Federal

Australia does not yet have a dedicated AI regulation. Most of its regulatory actions related to AI either come through existing laws or regular government policy papers guiding various regulatory bodies on how to approach different challenges posed by AI.

State

The New South Wales (NSW) Government came up with the first AI strategy, recognizing the challenges that come with the use of AI and charting a course for AI to be used safely across the government with the right safeguards in place.

For this purpose, the NSW Government published the AI Assurance Framework to assist agencies in designing, building, and using AI-enabled products and solutions. It is mandatory for all projects that incorporate an AI component or utilize AI-driven tools. This encompasses the utilization of large language models and generative AI, explicitly falling within the framework's application scope. The framework is intended to be used by:

• project teams who are using AI systems in their solutions,
• operational teams who are managing AI systems,
• Senior Officers who are accountable for the design and use of AI systems,
• internal assessors conducting agency self-assessments, and
• the AI review body (TBC).

However, a project is not expected to use the framework if it meets the following criteria:

• It uses an AI system that is a widely available commercial application.
• The solution is not customized or used in any way other than intended.

The AI Assurance Framework became effective in March 2022. The State Government also established the NSW AI Review Committee to provide expert guidance and oversight on using AI within the government. As the first of its kind in Australia, this committee plays a vital role in fostering community trust and ensuring transparency in our AI initiatives.

Additional Resources

In March 2022, the government issued a call for papers on the regulation of AI, calling on various stakeholders on how the government should approach AI regulation in a manner that enables the creation of a harmonic legislative framework without jeopardizing the use of AI to its maximum potential.

In the paper, the government referred to several of its own reports and guides as examples of what kind of ideas it hoped to receive. These include the following:

• The Artificial Intelligence Ethics Framework, published in 2019 as a guide for government and private bodies on how to responsibly design, develop, and implement AI in Australia;
• The Review of the Privacy Act, which contained several recommendations related to automated decision-making systems and mechanisms;
• The Australian Human Rights Commission Human Rights and Technology Final Report, published in 2021, recommended the establishment of an independent AI safety commissioner to oversee various aspects related to commercial AI use in Australia;
• The AI Action Plan, published in 2021, laid down Australia's strategic vision to become a global leader in developing reliable AI technologies and systems;
• The Blueprint for Critical Technologies, published in 2021 as "framework for capitalizing on critical technologies to drive a technologically-advanced, future-ready nation."

Various other regulatory bodies in Australia have also undertaken steps on their own to promote the responsible use of AI under their jurisdiction. For example, since the Online Safety Act of 2021 has come into effect, the National eSafety Commissioner requires all organizations to appropriately inform their users of the use of automated recommendation systems.

Similarly, the Commonwealth Scientific and Industrial Research Organisation (CSIRO) launched its own independent Responsible AI Network to promote collaboration between various Australian firms and create ethically safe and viable AI technologies.

While the government has so far not revealed any of the submissions it received in response to its March 2022 call for papers apart from those sent in by KPMG and the Law Council of Australia, there is growing consensus that most paper submissions contain similar recommendations such as the creation of dedicated AI regulatory body and a federal guideline on the responsible use of AI, both commercially and individually.

Brazil

Legislation

Federal

To date, there is no comprehensive federal legislation regulating the use of AI in Brazil.

However, in May 2023, the Bill of Law 2338/2023, which provides for the use of Artificial Intelligence (AI) in Brazil, was introduced in the Brazilian Federal Senate. The bill replaces three bills, Bill of Law 5.051/2019, Bill of Law 21/2020, and Bill of Law 872/2021, which were pending before the legislature over the past four years.

Along with imposing various obligations on businesses using AI systems, the law provides the following rights to the consumers:

• Right to prior information regarding their interactions with artificial intelligence systems.
• Right to an explanation of the decision, recommendation, or prediction made by artificial intelligence systems.
• Right to challenge decisions or predictions of artificial intelligence systems that produce legal effects or significantly impact the interests of the affected party.
• Right to human determination and human participation in decisions of artificial intelligence systems, taking into account the context and the state of the art of technological development.
• Right to non-discrimination and the correction of direct, indirect, illegal, or abusive discriminatory biases.
• Right to privacy and to the protection of personal data, in accordance with the relevant legislation.

State

To date, there are no comprehensive state legislations regulating the use of AI.

United States

Legislation

Federal

To date, there is no comprehensive federal legislation regulating the use of AI in the United States (US).

However, on June 20, 2023, the US lawmakers introduced a bill, the National AI Commission Act, to create a blue-ribbon commission that will review the United States’ current approach to AI regulation, make recommendations on any new office or governmental structure that may be necessary, and develop a comprehensive framework for AI regulation.

State

Following are a few AI regulations that are in force at the state level in the US:

• Connecticut’s Artificial Intelligence Law regulates the state's use of AI and has established a task force to develop an AI bill of rights and make recommendations for the adoption of other AI legislations. Along with establishing the Office of Artificial Intelligence and the Connecticut Artificial Intelligence Advisory Board, the law also establishes a task force to: (a) study artificial intelligence, and (b) develop an artificial intelligence bill of rights.
• Illinois' Artificial Intelligence Video Interview Act requires all employers using AI technologies to analyze candidates interviewing for employment positions to appropriately inform all applicants and gain their consent before subjecting them to this automated processing.
• New York City’s Law on Automated Employment Decision Tools expressly prohibits employers from using an automated employment decision tool (AEDT) to make an employment decision unless the tool is audited for bias annually, the employer publishes a public summary of the audit, and the employer provides certain notices to applicants and employees who are subject to screening by the tool. Pursuant to the adoption of final implementing regulations on April 5, 2023, law enforcement shall begin from July 5, 2023.

Guidances

In 2020, the White House issued the Guidance for Regulation of Artificial Intelligence Applications, the purpose of which was to establish an appropriate framework for all relevant federal agencies that may have to regulate various emerging AI technologies, in addition to the ethical and legal issues that would arise in tandem.

The aforementioned Guidance has helped various US agencies formulate, from time to time, different guidelines, recommendations, and plans of their own. These include:

• The US Department of Defence’s AI Principles: Recommendations on the Ethical Use of Artificial Intelligence;
• The US Food and Drug Administration’s Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) Action Plan;
• The Federal Trade Commission's:
  • Using Artificial Intelligence and Algorithms guidelines,
  • Aiming for truth, fairness, and equity in your company’s use of AI,
  • Keep your AI claims in check,
  • Chatbots, deepfakes, and voiceclones: AI deception for sale,
  • The Luring Test: AI and the engineering of consumer trust,

• The Department of Health & Human Services' Trustworthy AI Playbook,
• Consumer Financial Protection Bureau's Rules to Implement the Dodd-Frank Act governing the use of "automated valuation models" in the housing market.

In October 2022, the White House, per current US President Biden's direct instructions, issued a Blueprint for an AI Bill of Rights that laid down critical protections all US citizens must have as AI continues to expand in capabilities and functionalities. These include:

• Data privacy: A consumer should be protected from abusive data practices via built-in protections and the consumer should have an agency over how data about the consumer is used.
• Notice & explanation: A consumer should know that an automated system is being used and understand how and why it contributes to the outcomes that impact the consumer.
• Algorithmic discrimination protection: A consumer should not face discrimination by algorithms and systems should be used and designed in an equitable way.
• Safe & effective systems: A consumer should be protected from unsafe and ineffective systems.
• Human alternatives, consideration, and fallback options: A consumer should be able to opt-out, where appropriate, and have access to a person who can quickly consider and remedy problems the consumer encounters.

In January 2023, the National Institute of Standards & Technology issued its AI Risk Management Framework (AI RMF), which is aimed at offering a resource to the organizations designing, developing, deploying, or using AI systems to help manage the many risks of AI and promote trustworthy and responsible development and use of AI systems. The AI RMF is intended to be voluntary, rights-preserving, non-sector-specific, and use-case agnostic.

Most recently, in May 2023, the U.S. Congressional Research Service published its Generative Artificial Intelligence and Data Privacy: A Primer focusing on privacy issues and policy considerations for the U.S. Congress. The report sheds light on the collection and use of data by AI developers and the role data privacy legislation can play in regulating such use. The report proposes the following three requirements/mechanisms that may be considered in privacy regulations to govern the use of data by AI developers:

• Notice and disclosure requirements: Companies developing or deploying AI may be required to acquire consent from the individuals before collecting or using their data or notifying them that their data will be collected and used for certain purposes.
• Opt-out requirements: Companies developing or deploying AI may be required to provide the data subjects an option to opt-out of data collection.
• Deletion and minimization requirements: Companies developing or deploying AI may be required to provide mechanisms for data subjects to delete their data from existing datasets.

China

Legislation

Federal

China does not have a comprehensive and specified AI Regulation in place on a federal level. However, the Administration of Deep Synthesis of Internet-based Information Services contains provisions that strictly punish deep synthesis technology such as deepfakes and other forms of AI-generated media.

The new Regulations also required all AI-generated content to be appropriately labeled as such.

The Regulations offer detailed guidance for the application of deep synthesis technology in providing Internet information services within China. They specify the responsibilities of national and local departments, highlighting the importance of information security, robust management systems, user authentication, content oversight, and effective measures against spreading rumors.

Furthermore, the regulations address the management of deep synthesis data and technology, emphasizing data security, regular evaluation of algorithms, and clear labeling of generated content. Adhering to these regulations is essential to prevent misuse, maintain transparency, and ensure responsible use of deep synthesis technology.

Moreover, the national network information department is responsible for coordinating the governance and related supervision and management of national in-depth synthesis services.

These Regulations also come with Frequently Asked Questions (FAQs). The FAQs clarify that deep synthesis service providers have responsibilities such as establishing management systems for user registration, algorithm review, data security, and personal information protection.

State/Provincial

Regulation at the provincial level has been similarly proactive, with the Shanghai Regulations on Promoting the Development of the AI Industry and Shenzhen Special Economic Zone Artificial Intelligence Industry Promotion Regulations placing distinct obligations on subject organizations.

Shanghai Regulations

Shanghai Regulations apply to activities such as AI Science and Technology (S&T) innovation, industrial development, application empowerment, and industrial governance within the administrative region of Shanghai. These Regulations apply to all organizations in Shanghai involved in the AI industry. The regulatory authority is the local municipal economic and information departments and is responsible for planning, implementing, coordinating, and promoting the development of the AI industry.

Shanghai Regulations are formulated in accordance with relevant laws and administrative regulations and based on the actual situation of the Shanghai area in order to promote the high-quality development of the AI industry. Additionally, these Regulations aim to strengthen the functions of new-generation AI S&T innovation sources, promote the deep integration of AI with the economy, everyday life, urban governance, and other fields, and create a world-class AI industrial cluster.

One of the major aims of The Shanghai AI Regulations is to facilitate the responsible and sustainable development of AI technology. It introduces grading management and "sandbox" supervision, which provide companies with opportunities to explore and test their technologies in a regulated environment. This approach encourages innovation while ensuring adherence to guidelines and standards.

Shenzhen Regulations

Shenzhen AI Regulations have been formulated to promote the high-quality development of the AI industry in the Shenzhen Special Economic Zone, encourage AI integration in the economy and society, and ensure orderly and standardized industry growth in accordance with relevant laws and Shenzhen area situation. As per these Regulations, the local government will establish a working mechanism to coordinate and promote the development of the artificial intelligence industry in the city.

This includes ensuring the industry's security, fostering its healthy and orderly growth, and harnessing the potential of AI for sustainable development in the economy, society, and ecology.

The regulatory authority under the Shenzhen AI Regulations is the municipal industrial and information technology department which will serve as the competent authority responsible for implementing, coordinating, and supervising its development within the city's jurisdiction.

Shenzhen AI Regulations categorize activities and applications on three levels. High-risk AI applications require pre-assessment and risk early warning, while medium- and low-risk applications need pre-disclosure and post-tracking regulation. The Shenzhen area government will develop separate measures for classifying and supervising AI applications.

Additionally, AI services and products based in Shenzhen that are deemed to pose "low risk" can undergo testing and trials, even in the absence of local and national norms. However, adherence to international standards is a prerequisite for such testing and trials.

Guidances & Additional Resources

China has arguably been the most proactive country regarding regulating AI technologies and engaging various stakeholders to ensure the best ethical standards are adopted.

In 2017, the State Council of the People's Republic of China published A Next Generation Artificial Intelligence Development Plan. The guide contained a detailed roadmap on how various state and private institutions can help in the development, deployment, and oversight of AI technologies in a responsible manner.

Then, in 2021, the National Special Committee of New Generation Artificial Intelligence, a body established by the aforementioned guide, issued a Code of Ethics for New-Generation Artificial Intelligence to ensure any future development of AI technologies is in line with appropriate ethics and regulatory requirements. It also established six critical ethical standards that must be considered in developing such AI technologies. These include:

• Improving human well-being;
• Promoting fairness and justice;
• Protecting privacy and security;
• Ensuring controllability and credibility;
• Strengthening responsibility;
• Improving ethical literacy.

The following year in March 2022, the Internet Information Service Algorithmic Recommendation Management Provisions came into effect that required all organizations that develop, promote, and facilitate the development of AI-based personalized recommendations on mobile devices to allow users to delete any tags about their personal characteristics that the internal AI-recommendation model may have developed based on their browsing patterns.

It also required the organizations to let users disable such recommendations on their devices.

In November, the Ministry of Public Security, the Cyberspace Administration of China (CAC), and the Ministry of Industry and Information Technology released a new set of regulations.

Most recently, CAC released a set of draft measures for managing generative AI services. These include requiring all organizations using such services to submit to an independent security assessment before such tools can be commercially deployed.

United Kingdom

Legislation

In March 2023, the Department for Science, Innovation and Technology announced the introduction of the Data Protection and Digital Information (No. 2) Bill (‘the Bill’). The Bill, amongst other objectives, aims to address the risks associated with AI-powered automated decision-making and determine the data protection controls required for such processes.

The Bill is expected to provide clarity on how the right to not be subjected to automated decision-making, as granted under Article 22 of the UK GDPR, can be invoked and exercised.

Guidances

The UK Information Commissioner's Office, the body primarily responsible for overseeing all data privacy-related affairs in the UK, has released guidelines on how organizations can responsibly explain the use of AI to both their own employees and customers, titled Guidance on AI and Data Protection and AI and Data Protection Risk Toolkit. The ICO has also recently warned organizations using emotional analysis technologies irresponsibly.

The Guidance provides a roadmap to data protection compliance for developers and users of generative AI. The Risk Toolkit enables organizations to identify and mitigate data protection risks and contains eight significant questions that organizations developing or using generative AI should consider.

Moreover, other guidances in relation to the use of artificial intelligence have also been issued by different public entities in the UK. These include the following:

• Data Ethics Framework issued by the Department for Digital, Culture, Media, and Sport,
• Intelligent Security Tools guidance by the National Cyber Security Center,
• Roadmap issued by the UK Medicines and Healthcare Products Regulatory Agency.

Additional Resources

The UK government issued a white paper in March 2023 titled "A pro-innovation approach to AI regulation." Within the whitepaper, the UK government highlighted the role of its existing legal framework in regulating the use of AI and underscored its “reputation for high-quality regulators and [UK’s] robust approach to the rule of law, supported by [its] technology-neutral legislation and regulations. UK laws, regulators, and courts already address some of the emerging risks AI technologies pose.”

The white paper further stated that “this strong legal foundation encourages investment in new technologies, enabling AI innovation to thrive and high-quality jobs to flourish."

Additionally, the whitepaper outlined five essential principles that all regulatory bodies must consider when evaluating the use of AI within their scope. These include:

• Safety, security, and robustness;
• Transparency and explainability;
• Fairness;
• Accountability and governance;
• Contestability and redress.

In the same 2023 whitepaper, the UK government also laid down its own plan on how it aims to curate both the national development and regulation of AI technologies. Partly inspired by its 2021 10-Year National AI Strategy, the UK government categorically ruled out establishing a new regulatory body or commission to oversee AI-related regulation.

Instead, existing regulatory bodies such as the Health & Safety Executive, the Equality & Human Rights Commission, and the Competition & Markets Authority will expand their powers and jurisdictions to ensure effective oversight of AI-related technologies within their sectors.

In March 2023, the UK government's Department of Education released another whitepaper titled "Generative Artificial Intelligence in Education" in response to the alarming growth in the use of ChatGPT by students nationwide.

Singapore

Legislation

Singapore is one of the few countries in the world with a dedicated government body tasked with curating Singapore's digitalization journey. It aims to nurture a vibrant digital economy fuelled by technological innovation. The Advisory Council on the Ethical Use of AI and Data was established in 2018 to help Singapore identify and address all ethical questions and dilemmas that may arise. The body's primary responsibility is to advise the government on ethical, policy, and governance issues related to the use of AI technologies.

As a result of the body's recommendation, the country's first National Artificial Intelligence Strategy was published in 2019. Not only did it aim to identify strategic areas where resources need to be deployed most urgently while also addressing the emerging risk of AI becoming expansive beyond control.

Additionally, various existing regulations have been amended to include AI systems and technologies, such as:

• The Road Traffic (Autonomous Vehicles) Rules 2017 - The new amendments regulate the trial of all AI-driven autonomous vehicles;
• The Cybersecurity Act of 2018 - The new amendment requires all AI security methodologies and mechanisms adopted by organizations to be appropriately revealed to the users;
• The Protection From Online Falsehoods and Manipulation Act 2019 - The new amendments require all organizations to ensure their users' personal data is not used to create any fake avatars or personas online.

Guidances

The Infocomm Media Development Authority (IMDA) has identified four distinct "pillar" technologies to drive Singapore's digitalization journey. These include:

• Cybersecurity;
• Immersive Media;
• The Internet of Things;
• Artificial Intelligence.

Each pillar has its own dedicated development program, with the AI section driven by AI Singapore, launched to build and grow Singapore's AI ecosystem, including research institutions, startups, and tech.

Two distinct AI programs, the National AI Program in Government and National AI Program in Finance, were established to guide various regulatory agencies via guidance and policy papers. Additionally, other government bodies have issued various other guides related to the use of AI within their sectors. These include the following:

• The Monetary Authority of Singapore: Principles to Promote Fairness, Ethics, Accountability and Transparency (FEAT) in the Use of Artificial Intelligence and Data Analytics in Singapore's Financial Sector;
• The Monetary Authority of Singapore: Veritas Initiative;
• The Personal Data Protection Commission (PDCP): Model AI Governance Framework;
• The Personal Data Protection Commission (PDCP): Implementation and Self-Assessment Guide for Organisations and a Compendium of Use Cases Volume 1 and Volume 2;
• The Infocomm Media Development Authority (IMDA): A Guide to Job Redesign in the Age of AI;

Japan

Legislation

To date, Japan does not have dedicated AI legislation. However, the Japanese government has been one of the more proactive ones in publishing frequent guidelines for better and more coherent use of AI in professional and social settings.

The Japanese government has amended several of its existing legislations to incorporate AI systems' rapidly developing capabilities and functionalities. Some examples include:

• Road Traffic Act - Amended to regulate automated driving cars and driving systems;
• Financial Instruments & Exchange Act - Amended to require registration of organizations using AI in their daily trading operations;
• Digital Platform Transparency Act - Amended to appropriately inform users about how search results are displayed to them.

Guidances

In 2019, the Japanese government published the Social Principles of Human-Centric AI, which laid down distinct principles that would help individuals and enterprises implement AI systems within society. These principles include:

• Fair competition;
• Accountability;
• Innovation;
• Principle of Literacy;
• Human-centric principle;
• Transparency;
• Privacy Protection.

Since then, the Social Principles of Human-Centric AI have led to further guidances that have strategically focused on AI's applications in various sectors of government, education, defense, and corporate governance. Some of these include:

• The Governance Guidelines for Implementation of AI Principles
• The Guidebook on Corporate Governance for Privacy in Digital Transformation
• The Guidebook for Utilization of Camera Images
• The Machine Learning Quality Management Guideline

Canada

Legislation

Federal

To date, there is no comprehensive federal legislation regulating the use of AI in Canada.

However, in June 2022, the Government of Canada tabled the landmark Artificial Intelligence and Data Act (AIDA) as part of the omnibus Bill C-27, Digital Charter Implementation Act 2022. The AIDA aims to set out new measures to regulate international and inter-provincial trade and commerce in AI systems and establish common requirements for the design, development, and use of AI systems.

The law establishes common requirements for the design, development, and use of artificial intelligence systems and would also prohibit specific practices with data and artificial intelligence systems that may result in serious harm to individuals or their interests.

In March 2023, the Government of Canada issued the AIDA Companion document aimed at highlighting Canada’s approach towards the regulation of AI and how AIDA shall contribute to that approach once enacted. The Companion document also identified a number of existing frameworks for consumer protection, human rights, and criminal law that apply to the use of AI, including the following:

• The Canada Consumer Product Safety Act;
• The Food and Drugs Act;
• The Motor Vehicle Safety Act;
• The Bank Act;
• The Canadian Human Rights Act and provincial human rights laws; and
• The Criminal Code.

As per the consultation timeline provided in the Companion document, AIDA would come into force no sooner than 2025.

Provincial

To date, no province in Canada has enacted comprehensive legislation regulating the use of AI. However, the provincial human rights laws apply to the use of AI and afford some protections to consumers.

Guidances

In November 2020, the Office of the Privacy Commissioner of Canada (OPC) issued A Regulatory Framework for AI: Recommendations for PIPEDA Reform containing OPC’s final recommendations after the public consultation on proposals for ensuring the appropriate regulation of AI in the Personal Information Protection and Electronic Documents Act (PIPEDA). The recommendations, among others, included the recognition of privacy as a human right, specific provisions of automated decision-making, and demonstrable accountability of the business community.

In May 2021, the Government of Ontario published its report on Consultation: Ontario’s Trustworthy Artificial Intelligence (AI) Framework. The report provided an overview of the potential actions the government could take to ensure the responsible and safe use of AI and the feedback from the consumers on those actions.

In April 2023, the Government of Canada issued a report on the Responsible use of artificial intelligence (AI), which describes how the government makes sure that the use of AI by its department and agencies is responsible and accountable. Among other things, the document outlines the following actions that need to be taken and monitored so governments may use AI responsibly:

• Understand and measure the impact of using AI by developing and sharing tools and approaches.
• Be transparent about how and when we are using AI, starting with a clear user need and public benefit.
• Provide meaningful explanations about AI decision-making, while also offering opportunities to review results and challenge these decisions.
• Be as open as we can by sharing source code, training data, and other relevant information, all while protecting personal information, system integration, and national security and defense.
• Provide sufficient training so that government employees developing and using AI solutions have the responsible design, function, and implementation skills needed to make AI-based public services better.

One practical effect of this approach can be seen in the launch of the Directive on Automated Decision Making - which is a policy directive by the Federal Government of Canada on how to responsibly incorporate AI decision-making within the public sphere.

The European Union

As with data privacy regulations in the form of the General Data Protection Regulation, the European Union (EU) looks increasingly likely to provide the rest of the world with an appropriate blueprint on how to proceed with AI regulation.

Legislation

The AI Act

The proposed AI Act provides a standardized definition of what constitutes an AI system and contains provisions that protect the rights of individuals in relation to the use of AI systems. One of the key highlights of the Act is that it classifies AI systems into four distinct categories depending on the four levels of risks for AI systems:

These include:

• Unacceptable Risk AI systems; this includes AI systems that pose a clear threat to the safety, livelihoods and fundamental rights of people, the use of such AI systems is prohibited.
• High-Risk AI systems; this includes AI systems that create a high risk to the health and safety or fundamental rights of natural persons, the use of such AI systems is permitted subject to compliance with certain requirements, including ex-ante conformity assessment.
• Limited risk AI systems; this includes AI systems with specific transparency obligations.
• Minimal risk AI systems; this includes AI systems that represent minimal or no risk for citizen’s risks or safety such as AI-enabled video games or spam filters.

Depending on their classification, different legal provisions, obligations, and penalties will apply to AI technologies. For example, any automated service or technology that can alter a human's behavior that constitutes a high-risk AI system, leading to potential or actual physical or psychological harm and carries fines of up to €30,000,000 per offense or 6% of a company’s annual turnover for the preceding financial year, whichever is higher.

The Act elaborates at great length on how different technologies are categorized.

An AI system is deemed as having an Unacceptable Risk if it clearly endangers people's safety, livelihood, and fundamental rights. Such AI systems are completely prohibited.

Since the mechanism that will be used to categorize systems as either High Risk or Low Risk is still being debated, the aforementioned criteria is likely to be adjusted in the future.

The AI Act is expected to be adopted by the end of 2023 after due consideration, discussion, and necessary adjustments due to dynamic AI developments.

Additional Resources

In June 2023, the Confederation of European Data Protection Organisations (CEDPO) published an AI and Personal Data guidance for Data Protection Officers. In the guidance, the CEDPO answered some fundamental questions that arise in relation to the intersection of the data protection legislative framework and the use of artificial intelligence and machine learning.

The guidance delves into matters such as the need for the AI Act, whether the GDPR regulates artificial intelligence and machine learning and which core data protection principles apply thereto, and the role of DPOs in the ever-evolving digital and technological landscape. The European Commission has also released guidelines on the Ethical Use of Artificial Intelligence in educational settings.

Regulatory Actions

EU member countries have been in the headlines for their regulatory actions against emerging AI technologies. Italy became the first European country to temporarily ban the use of ChatGPT after its data protection authority, Garante, raised serious suspicions about ChatGPT's collection, use, and maintenance of users' personal data. The ban led other regulatory bodies in EU countries, such as France and Spain, to review the use of the famous chatbot in their own jurisdictions.

The Italian DPA also issued a provisional limitation on further processing of data by Replika - a chatbot with a written and vocal interface based on AI that generates a “virtual friend” - highlighting violations of the GDPR.

Recently, the French DPA issued a 20 million Euro fine on Clearview AI for processing biometric data without an appropriate legal basis and the failure to exercise data subjects’ rights and requests to erase their data. The Austrian DPA has also ruled that Clearview AI cannot process biometric data and must delete complainants' existing personal data.

The Finnish DPA has warned healthcare providers that automated decisions for detecting patients’ healthcare needs can fail to meet data protection requirements.

Finally, in April 2023, the European Data Protection Board set up a taskforce dedicated to cooperation and exchange of information on possible enforcement actions by various data protection agencies across the EU. The EU Advocate General has also issued an opinion on the lawfulness of processing and automated decision-making under the GDPR and noted that an appropriate legal basis of data processing for AI systems to ensure compliance with the requirements of the GDPR.