[Updated: August 3, 2023]
For many of us, Artificial Intelligence (“AI”) represents innovation, opportunities, and potential value to society.
For data protection professionals, however, AI also represents a range of risks involved in the use of technologies that shift processing of personal data to complex computer systems with often opaque processes and algorithms.
Data protection and information security authorities as well as governmental agencies around the world have been issuing guidelines and practical frameworks to offer guidance in developing AI technologies that will meet the leading data protection standards.
Below, we have compiled a list* of official guidance recently published by authorities around the globe.
- 1/17/2022 – Government of Ontario, “Beta principles for the ethical use of AI and data enhanced technologies in Ontario”
The Government of Ontario released six beta principles for the ethical use of AI and data enhanced technologies in Ontario. In particular, the principles set out objectives to align the use of data enhanced technologies within the government processes, programs, and services with ethical considerations being prioritized.
- 12/12/2022 – Cyberspace Administration of China, Regulations on the Administration of Deep Synthesis of Internet Information Services
http://www.cac.gov.cn/2022-12/11/c_1672221949354811.htm (in Chinese) and
http://www.cac.gov.cn/2022-12/11/c_1672221949570926.htm (in Chinese)
The Regulations target deep synthesis technology, which are synthetic algorithms that produce text, audio, video, virtual scenes, and other network information. The accompanying Regulations FAQs state that providers of deep synthesis technology must provide safe and controllable safeguards and conform with data protection obligations.
- 9/26/2021 – Ministry of Science and Technology (“MOST”), New Generation of Artificial Intelligence Ethics Code
http://www.most.gov.cn/kjbgz/202109/t20210926_177063.html (in Chinese)
The Code aims to integrate ethics and morals into the full life cycle of AI systems, promote fairness, justice, harmony, and safety, and avoid problems such as prejudice, discrimination, privacy, and information leakage. The Code provides for specific ethical requirements in AI technology design, maintenance, and design.
- 1/5/2021 – National Information Security Standardisation Technical Committee of China (“TC260”), Cybersecurity practice guide on AI ethical security risk prevention
https://www.tc260.org.cn/upload/2021-01-05/1609818449720076535.pdf (in Chinese)
The guide highlights ethical risks associated with AI, and provides basic requirements for AI ethical security risk prevention.
- European Telecommunication Standards Institute (“ETSI”) Industry Specification Group Securing Artificial Intelligence (“ISG SAI”)
The ISG SAI has published standards to preserve and improve the security of AI. The works focus on using AI to enhance security, mitigating against attacks that leverage AI, and securing AI itself from attack.
- 4/21/2021 – European Commission, “Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts”
The EU Commission proposed a new AI Regulation – a set of flexible and proportionate rules that will address the specific risks posed by AI systems, intending to set the highest global standard. As an EU regulation, the rules would apply directly across all European Member States. The regulation proposal follows a risk-based approach and calls for the creation of a European enforcement agency.
- 4/5/2022 – French Data Protection Authority (“CNIL”), AI and GDPR Compliance Guide and Self-Assessment Tool
https://www.cnil.fr/fr/intelligence-artificielle/ia-comment-etre-en-conformite-avec-le-rgpd (in French)
https://www.cnil.fr/fr/intelligence-artificielle/guide (in French)
In its newest set of resources for AI compliance, CNIL offers a step-by-step guide to GDPR compliance when utilizing AI. Additionally, CNIL published a Self-Assessment Guide for AI Systems, which allows organizations to assess the maturity of their AI systems with regard to the GDPR, along with best practice guidance.
- 9/3/2020 – CNIL, Whitepaper and Guidance on Use of Voice Assistance
https://www.cnil.fr/sites/default/files/atoms/files/cnil_livre-blanc-assistants-vocaux.pdf (in French)
This whitepaper explores legal and technical considerations for developers and businesses which may utilize voice assistance technology in light of recent AI technology development. It further includes best practices and recommended approaches.
- 5/24/2022 – Federal Office for Information Security, Towards Auditable AI Systems whitepaper
This paper emphasizes the need for methods to audit AI technology, to guarantee trustworthiness and ensure integration of emerging AI standards. The paper seeks to embolden the auditability of AI systems by proposing a newly developed certification system.
- 6/15/2021 – Federal Financial Supervisory Authority (“BaFin”), “Big Data and Artificial Intelligence”
This paper provides key principles and best practices for the use of algorithms and AI in decision making processes.
- 5/6/2021 – Federal Office for Information Security (“BSI”), “Towards Auditable AI Systems”
This whitepaper addresses current issues with and possible solutions for AI systems, with a focus on the goal of auditability and standardization of AI systems.
- 8/18/2021 – Office of the Privacy Commissioner for Personal Data (“PCPD”), “Guidance on the Ethical Development and Use of Artificial Intelligence”
This guidance discusses ethical principles for AI development and management while also highlighting recent development in AI governance around the globe. The guidance further includes a helpful self-assessment checklist in its appendix concerning businesses’ AI strategy and governance, risk assessment and human oversight, development and management of AI systems as well as communication and engagement with stakeholders.
- 9/28/2021 – INDIAai, “Mitigating Bias in AI – A Handbook For Startups”
INDIAai, a government-based initiative, published this formalized framework for startups. The handbook identifies different risk factors that may lead to bias in AI.
- 7/15/2021 – Data Security Council of India (“DCSI”), “Handbook on Data Protection and Privacy for Developers of Artificial Intelligence in India”
The handbook establishes guidelines for responsible and ethical AI development in line with the applicable legal data protection framework. While the handbook does not provide technical solution but instead focuses on the ethical and legal objectives to pursue when designing AI systems, it does provide for a checklist of questions and good practices which developers shall keep in mind while in the design process.
- 2/24/2021 – National Institution for Transforming India (“NITI Aayog”), “Responsible AI”
In this paper, the Government think tank highlights the ethical and legal framework for AI technology management. The paper further includes a self-assessment guide for AI usage in its annex.
- 8/1/2023 – Future of Privacy Forum (“FPF”), Generative AI for Organizational Use: Internal Policy Checklist
To help organizations initialize the process of regulating the use of generative AI, FPF released a checklist to help organizations revise policies and procedures governing generative AI. The checklist provides a non-exhaustive list of topics to consider when revising such policies and procedures.
- 5/31/2023 – EU-US Terminology and Taxonomy for Artificial Intelligence
To align EU and US risk-based approaches to regulating AI, a group of experts created this document to provide a unified approach to AI terminologies and taxonomies. A total number of 65 terms were identified with reference to key documents from the EU and US.
- International Organization for Standardization (“ISO”) – ISO/IEC 23894:2023 Information technology — Artificial intelligence — Guidance on risk management
This document provides guidance on how organizations that develop, produce, deploy or use products, systems and services that utilize AI can manage risk specifically related to AI. The guidance also aims to assist organizations to integrate risk management into their AI-related activities and functions. It moreover describes processes for the effective implementation and integration of AI risk management.
- ISO – ISO/IEC 38507:2022
Together with the International Electrotechnical Commission (“IEC”), ISO has published a number of AI standards in recent years. The newest standards published in April 2022, called “Governance implications of the use of artificial intelligence by organizations”, provides guidance for the governing body of organizations regarding the use and implications of AI.
- ISO – ISO/IEC JTC 1/SC 42 Standards
These standards published in March of 2021 provide background about existing methods to assess the robustness of neural networks. Additional AI standards are currently under development.
- 9/15/2022 – Information Technology Industry Council (“ITI”), Policy Principles for Enabling Transparency of AI Systems
The ITI published guidance for policymakers, emphasizing the need for transparency as a critical part of developing accountable and trustworthy AI systems.
- 2/22/2022 – Organization for Economic Co-operation and Development (‘OECD’), Framework for the Classification of AI Systems
In the Framework, the OECD has developed a tool to evaluate AI systems from a policy perspective, by providing a baseline to characterize the application of an AI system deployed in specific contexts. The Framework contributed to the OECDS “AI in Work, Innovation, Productivity, and Skills” (“AI-WIPS”) program.
- 4/8/2022 – Ministry of Economy, Trade, and Industry (“METI”), Artificial Intelligence Introduction Guidebook for Small and Medium Sized Companies
https://www.meti.go.jp/policy/it_policy/jinzai/AIutilization.html (in Japanese)
The Guidebook provides SMEs with guidance on how to prepare for and begin utilization of AI in their enterprises, providing practical steps for decision-making.
- 2/15/2022 – Ministry of Internal Affairs and Communications (“MIC”), Guidebook on Cloud Services Using AI
https://www.soumu.go.jp/main_content/000792669.pdf (in Japanese)
The Guidebook summarizes the steps to keep in mind when developing and providing AI cloud services while gaining the trust of users and considering data collection requirements.
- 1/28/2022 – METI, Governance Guidelines for Implementation of AI Principles
The METI has released an updated version of its Guidelines for the Practice of Artificial Intelligence Principles, outlining AI governance rules which include risk analysis, systems design, implementation and evaluation, along with providing practical examples.
- 8/4/2021 – MIC, AI Network Society Promotion Council Report
https://www.soumu.go.jp/main_content/000761967.pdf (in Japanese)
The report highlights recent trends in AI utilization as well as efforts to promote secure and reliable social implementation of AI.
- 8/5/2022 – Ministry of Digital Economy and Entrepreneurship, National Charter of Ethics for Artificial Intelligence
The charter provides an ethical baseline to regulate the development of AI technologies. The charter includes a set of principles that include accountability, transparency, impartiality, respect for privacy, promotion of human values, and other such principles that promote democratic values, human rights, and diversity.
- 6/1/2022 – National Institute for Access to Information and Protection of Personal Data (“INAI”), Recommendations for the Processing of Personal Data derived from the Use of Artificial Intelligence
https://home.inai.org.mx/wp-content/documentos/DocumentosSectorPublico/RecomendacionesPDP-IA.pdf (in Spanish)
The INAI released its recommendations concerning regulation of personal data and AI technology. In particular, the recommendations focus on such topics as AI and its implication in public security, AI in the education sector, AI and privacy by design, AI and cloud computing, and more.
- 4/27/2022 – Saudi Food and Drug Authority (‘SFDA’), “Guidance on Review and Approval of AI and Big Data based Medical Devices”
The Guidance sets out the requirements for obtaining a Medical Devices Marketing Authorization for AI-based medical devices within the KSA. It applies to the standalone software type of medical devices, which diagnose, manage, or predict diseases by analyzing medical Big Data using AI, as well as to AI software that is configured with hardware.
- 4/13/2023 – Commission de Protection des Données Personnelles (“CDP”)
https://cdp.sn/content/deliberation-de-portee-generale-n%C2%B000645cdp-du-13-avril-2023-relative-l%E2%80%99utilisation-de (in French)
The Senegalese data protection authority, the CDP, published a deliberation on the use of biometric devices within the workplace, which may includes the use of such information within AI technologies. The deliberation focuses on when and how such biometric processing can occur, how the information must be stored and secured, and the obligations that must be imposed on vendors.
- 5/24/2022 – Infocomm Media Development Authority (“IMDA”) and the Personal Data Protection Commission (“PDPC”), AI Verify governance testing framework and toolkit
https://file.go.gov.sg/aiverify-primer.pdf, along with https://file.go.gov.sg/aiverify.pdf
The AI Verify framework and toolkit seeks to help companies integrate responsible AI and transparency in their products and services, and facilitate interoperability between governance frameworks. The toolkit allows developers and owners to conduct self-testing of AI systems against eight principles, including fairness, transparency, accountability, and human oversight.
- 2/4/2022 – Monetary Authority of Singapore (“MAS”), Fairness, Ethics, Accountability, and Transparency (“FEAT”) assessment methodology whitepapers
The MAS released five whitepapers providing AI assessment guidelines for financial institutions, including a comprehensive checklist for responsible AI development and use.
- 10/20/2020 – Personal Data Protection Commission (“PDPC”), “Compendium of Use Cases”
This practical illustration includes a number of use cases which outline how different organizations have effectively aligned their AI governance practices with the Model Framework.
- 1/21/2020 – PDPC, “Model AI Governance Framework” (Second Edition)
along with “Implementation and Self-Assessment Guide for Organizations” https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Resource-for-Organisation/AI/SGIsago.pdf
The Model Framework focuses on internal governance, decision making models, operations and customer relationship management. The Implementation Guide provides useful industry examples, best practices and specific practice guides for the employment of AI.
- 8/3/2023 – Personal Information Protection Commission (“PIPC”), Guidance for Safe Use of Personal Information in the Age of AI
https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=9083 (in Korean)
The PIPC’s guidance presents rules on how to interpret and apply the Personal Information Protection Act (PIPA) in the AI environment. The guidance presents a blueprint for how government and the private sector can cooperate to regulate AI.
- 8/30/2022 – Ministry of Science and ICT, Expanded Virtual World Ethics Principles
https://www.msit.go.kr/bbs/view.do?sCode=user&mId=113&mPid=112&pageIndex=&bbsSeqNo=94&nttSeqNo=3182064 (in Korean)
The Ministry of Science and ICT outlined principles to address the growing development of artificial intelligence, among other technologies. The report details eight principles meant to serve as a code of ethics addressing what it calls the expanded virtual world.
- 8/11/2021 – PIPC, Summary Report on Data Protection Regulatory Sandbox
https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=7487#LINK (in Korean)
The report highlights data protection considerations resulting out of 133 cases, specifically including the use of robotics and new technology, such as unmanned moving objects.
- 7/20/2021 – PIPC, “AI Personal Information Protection Self-checklist”
The checklist provides guidelines for the protection of personal information gathered and used by artificial intelligence. The checklist includes requirements and guidelines for each stage of development of AI systems and is meant to account for the flexibility and continuous change of AI technology.
- 1/12/2021 – Spanish Data Protection Authority (“AEPD”), “Audit Requirements for Personal Data Processing Activities Involving AI”
This paper is aimed to help evaluate regulatory compliance of AI systems by providing methodologies and control objectives to be included in data protection audits for processes that incorporate AI components or solutions.
- 9/15/2021 – Turkish Personal Data Protection Authority (“KVKK”), Recommendations When Processing Personal Data Using AI
https://kvkk.gov.tr/SharedFolderServer/CMSFiles/25a1162f-0e61-4a43-98d0-3e7d057ac31a.pdf (in Turkish)
This guidance discusses fundamental principles for AI development and management, and advises developers, manufacturers, and service providers on privacy by design and data minimization approaches.
- 6/7/2023 – Department for Science, Innovation and Technology (“DSIT”), “Find out about artificial intelligence (AI) assurance techniques”
Following up on the UK government’s AI Regulation White Paper (see next bullet), DSIT created a portfolio of use cases illustrating various AI assurance techniques being used in the real-world to support the development of trustworthy AI. The portfolio includes case studies from across multiple sectors and features a range of technical, procedural, and educational approaches to promote responsible AI.
- 3/29/2023 – DSIT, “A pro-innovation approach to AI regulation”
The DSIT published a white paper introducing an AI regulation framework underpinned by five principles: Safety, security, and robustness; appropriate transparency and explainability; fairness; accountability and governance; and contestability and redress. Rather than recommend specific AI legislation, the white paper recommends that existing regulators incorporate these principles into their enforcement efforts.
- 3/15/2023 – Information Commissioner’s Office (“ICO”), Guidance on AI and data protection
The ICO published guidance clarifying requirements for fairness in AI. The document includes guidance on solely automated decision-making and technical approaches to mitigating algorithmic bias.
- 5/4/2022 – ICO, AI and Data Protection Risk Toolkit
ICO recently launched its updated AI and Data Protection Risk Toolkit, which contains risk statements to help organizations using AI to correctly assess the risk of their processing practices. The toolkit provides suggestions and practical steps for technical and organizational measures used to mitigate risks and demonstrate compliance with applicable data protection laws. It further includes references to other core resources.
- 1/12/2022 – Department for Digital, Culture, Media & Sports (“DCMS”) and Office for Artificial Intelligence (“OAI”), AI Standards Hub Pilot
The DCMS and OAI announced the pilot of a new AI Standards Hub as part of the UK’s National AI Strategy. In its pilot phase, the Hub will focus on creating tools and guidance for education, training, and professional development to help businesses engage with creating AI technical standards, and bringing the AI community together through workshops, events, and a new online platform to encourage more coordinated engagement in the development of standards around the world.
- 9/22/2021 – UK Secretary of State for Digital, Culture, Media & Sport (“DCMS”), “National AI Strategy”
The UK Government announced its National AI Strategy, which aims to invest and plan for the long-term needs of the AI ecosystem, support the transition to an AI-enabled economy, and ensure the UK governs AI effectively.
- 5/5/2020 – ICO, “Explaining Decisions Made with AI”
This detailed guidance released by the ICO in cooperation with the lan Turing Institute gives businesses practical advice to explain the legal framework and effects of AI decision-making processes and the necessary considerations for compliance with existing data protection laws.
- 03/09/2023 – U.S. Chamber of Commerce, “CTEC AI Commission 2023″
The U.S. Chamber of Commerce published a report calling for the regulation of AI and outlining five key principles that stakeholders should consider when drafting a regulatory framework. In contrast to the White House Office of Science and Technology Policy’s Blueprint for an AI Bill of Rights, the Chamber’s report seeks to regulate AI without hindering economic development.
- 1/26/2023 – National Institute of Standards and Technology (“NIST”), “AI Risk Management Framework”
On January 26, 2023, the National Institute of Standards and Technology (NIST) released the first version of the Artificial Intelligence Risk Management Framework (AI RMF). The AI RMF is a voluntary resource meant to help organizations manage the many risks of AI and promote trustworthy and responsible development and use of AI systems. As a flexible framework designed to adapt to a wide range of systems, products, and organizations, the AI RMF provides a list of characteristics that must be balanced based on the AI system’s context of use.
- 10/4/2022 – White House Office of Science and Technology Policy, “Blueprint for an AI Bill of Rights”
The White House Office of Science and Technology Policy published a non-binding white paper detailing a list of principles that, if incorporated into the development and use of AI technologies, should protect the American public during the age of artificial intelligence. The document calls upon policymakers to adopt these principles when considering how to regulate AI technologies.
- 5/13/2022 – Department of Justice Civil Rights Division, “Algorithms, Artificial Intelligence, and Disability Discrimination in Hiring”
The guidance explains how use of algorithms and AI in hiring can lead to disability discrimination and legal consequences. The guidance details how employers can avoid such disability discrimination when using AI technology.
- 7/30/2021 – Department of Homeland Security (“DHS”), “Artificial Intelligence and Machine Learning Strategic Plan”
The strategic plan of DHS’ Science and Technology Directorate (“S&T”) outlines its goals that are committed to ensuring that AI/ML research, development, test, evaluation, and departmental applications comply with statutory and other legal requirements, and sustain privacy protections and civil rights and liberties for individuals. It further advises stakeholders on recent developments in AI/ML and the associated opportunities and risks.
- 5/5/2021 – Electronic Privacy Information Center (“EPIC”), New National Artificial Intelligence Initiative Office Website.
The White House launched its new website, AI.gov, featuring policy priorities, reports, and news regarding AI.
- 4/19/2021 – Federal Trade Commission (“FTC”), “Aiming for Truth, Fairness, and Equity in Your Company’s Use of AI”
In this blog post, the FTC offers guidance for companies in their use of AI, specifically instructing them to show transparency and accountability when employing new algorithms.
- 4/8/2020 – FTC, “Using Artificial Intelligence and Algorithms”
In this blog post, the FTC outlines best practices when relying on algorithms and highlights key principles such as transparency, fairness, accuracy, and accountability.
Additional Industry Whitepapers, Bulletins, and Recommendations:
- 3/16/2022 – National Institute of Standards and Technology (“NIST”), “Towards a Standard for Identifying and Managing Bias in Artificial Intelligence”
In this Special Publication, NIST analyzes the challenges of AI bias, aiming to provide some detailed socio-technical guidance for identifying and managing AI bias.
- 1/26/2022 – Information Technology Industry Council (“ITI”), Recommendations on NIST AI Risk Management Framework
In response to the AI Risk Management Framework concept paper released by NIST, the ITI has published a series of recommendations in order to improve the framework and encourage NIST to align the framework with prior works as well as standards that are currently under development in international standards bodies.
- 1/20/2022 – European Institute of Innovations & Technology (“EIT”), AI Maturity Tool
The EIT published a web-based AI maturity tool which allows businesses to assess how prepared they are for the use of AI, and which will allow businesses to compare their maturity level to that of other organizations in the future.
- 1/18/2022 – Information Technology Industry Council (“ITI”), Recommendations on AI-enabled Biometric Technologies
ITI released a series of recommendations addressed to the U.S. Government regarding the use of AI and biometric technologies, elaborating on governance programs and practices that may be useful to consider in the context of biometric technologies, including with regard to performance auditing and post-deployment impact assessment.
- 12/14/2021 – National Institute of Standards and Technology (“NIST”), “AI Risk Management Framework Concept Paper”
NIST has developed for public review a concept paper for the Artificial Intelligence Risk Management Framework (“AI RMF”), intended for voluntary use and to address risks in the design, development, use, and evaluation of AI products, services, and systems. NIST stated that it intends to release the AI RMF 1.0 in early 2023.
- 7/14/2021 – European Commission’s Joint Research Center (“JRC”), Report
Most recently, the JRC published this report on the AI standardization landscape. The report describes the ongoing standardization efforts on AI and aims to contribute to the definition of a European standardization roadmap.
- 9/9/2019 – National Institute of Standards and Technology (“NIST”) – “U.S. Leadership in AI: A Plan for Federal Engagement in Developing Technical Standards and Related Tool”
Following an executive order directing federal agencies to develop international standards to promote and protect innovation and public confidence in AI technologies, NIST published this plan. The plan intends to provide guidance regarding priorities and appropriate levels of engagement in matters of AI standards.
*While extensive, this list is not meant to be exhaustive. We will do our best to update this list from time to time, and add new guidance as it becomes available.