Global AI Regulations Roundup: Top Stories of September 2024

Securiti has initiated an AI Regulation digest, providing a comprehensive overview of the most recent significant global developments, announcements, and changes in the field of AI regulation. Our website will regularly update this information, presenting a monthly roundup of key activities. Each regulatory update will include links to related resources at the bottom for your reference.

North and South America Jurisdiction

1. California Senate Passes AB 1008, Expanding CCPA to Cover AI Models and Neural Data

Date: 30th August, 2024
Summary: The California Senate has passed AB 1008, amending the California Consumer Privacy Act (CCPA) to include AI models and neural data as personal information. The bill redefines "personal information" to cover abstract digital formats, including AI systems. It also clarifies that biometric data collected without consumer consent is not "publicly available." Consumers can now exercise privacy rights over AI models trained on their personal data, requiring businesses to respond to requests for access, deletion, or correction. This could pose significant compliance challenges, especially for large AI models, due to the need for retraining within 90 days. Read more.

EU Jurisdiction

2. Spanish Data Protection Authority Publishes Blog On Probabilistic Methods & Their Limitations

Date: 3rd September, 2024
Summary: The Spanish Data Protection Authority (AEPD) has published a blog on probabilistic methods and GDPR compliance. In the blog, the AEPD emphasized the importance of accuracy and effectiveness in these methods, mainly concerning personal data.

To ensure this, organizations must only use reliable sources and accurate inferences and the processing methods must undergo the necessity test to guarantee their effectiveness. Simultaneously, the AEPD has highlighted the likelihood of false negatives, false positives, and prediction errors within the probabilistic methods that may affect their accuracy and effectiveness.

The AEPD quotes an example of age verification where age should be confirmed via a trusted source such as an ID card rather than predictions through facial features or voice, which may also violate GDPR provisions due to inaccuracy. Data controllers must rely on accurate and effective verification methods on a case-to-case basis to avoid excessive data collection and operations. More importantly, the AEPD does advise using alternative methods to address these challenges. Read more.

3. Council of Europe Adopts World's First International Legally Binding Agreement on AI

Date: 5th September, 2024
Summary: The Framework Convention on Artificial Intelligence and Human Rights, Democracy, and the Rule of Law has been signed by the European Commission and adopted by the Council of Europe, making it the first legally binding international agreement on AI. The Commission will implement the convention within the EU through the AI Act, ensuring a unified approach to AI regulation and promoting a safe and trustworthy AI environment. Read more.

4. Dutch Data Protection Authority's Investigation Finds Severe Notification Requirements' Violations

Date: 6th September, 2024
Summary: The Dutch Data Protection Authority (AP) investigated 53 major data breaches that affected 10 million people, concluding that none of the organizations complied with the relevant notification requirements relating to notifying affected individuals. Hence, the AP has provided recommendations for effective notification messages, including the use of clear language, a description of the leaked data and breach, an explanation of the consequences and advice, a description of intended measures, and a contact point for questions

The AP has also suggested using easy-to-understand language that avoids legal jargon, is well structured with subheadings and lists, translated into the victim's language, and provides warning messages during ongoing investigations. By doing so, users affected by data breaches can be informed in a timely, clear, and understandable manner. Read more.

Asia Jurisdiction

5. ANPD Publishes Yearly Update On Completed Projects & Possible AI Regulation

Date: 9th September, 2024
Summary: The Brazilian Data Protection Authority (ANPD) published its audit report on its regulatory agenda for the year 2023-24. The report provides information on the ANPD's projects completed within this period in the following areas:

• Data breach notification;
• International data transfers;
• Data protection officer (DPO);
• Legal basis for processing personal data; and
• Processing personal data for research and academic purposes.

Specifically for AI, the ANPD has started a project to analyze the regulatory alternatives for using personal data by AI systems that comply with the General Data Protection Law (LGPD). The report also concludes that the ANPD initiated all the projects scheduled for the reporting period. Read more.

Securiti's AI Regulation round is an invaluable resource for staying ahead of the latest global developments in the AI industry. Our commitment to timely updates ensures that you have access to crucial information and a better understanding of the evolving AI regulatory landscape.

The team has also created a dedicated page showcasing 'An Overview of Emerging Global AI Regulations’ worldwide. Click here to delve deeper and learn more about the evolving landscape of global AI regulations.