The Monitor - 009
Italy is investigating large-scale AI data collection
Italy's privacy watchdog is investigating the collection of personal data online to train AI algorithms. The authority is reviewing whether online platforms are complying with GDPR regulations and preventing the extensive collection of personal data for AI training through data scraping. The probe, which doesn't name specific companies, shows the authority's commitment to ensuring AI platform adherence to privacy regulations. Input has been invited from academics, AI experts, and consumer groups for a 60-day period as part of the investigation. Last April, Italy temporarily banned ChatGPT for retaining massive amounts of personal data.
California has new rules for AI and automated decision-making tools (“ADMT”)
California continues to lead the data debate in the U.S. by proposing regulations on ADMT. The regulations would apply to consumers and employees, and require businesses to disclose the usage of ADMT, explain its decision-making process, and offer an opt-out choice. Plus, a risk assessment will be needed if personal data processing potentially endangers consumer privacy. These drafts are not final and may change; however, businesses should begin examining their ADMT practices in anticipation. Stay tuned for updates!
ADMT: “any system, software, or process - including one derived from machine-learning, statistics, or other data-processing or AI - that processes personal information and uses computation to make or facilitate a decision.”
Unpacking the Federal U.S. AI Accountability Act of 2023
AI aficionados, take note: The Artificial Intelligence Research, Innovation, and Accountability Act of 2023 is in the spotlight. This bipartisan bill is all about transparency and accountability in AI tools. Think AI that's not just for the Department of Defense or intelligence agencies and is used for legal or significant decision-making? That's "critical-impact" AI. Organizations using such AI will need to self-certify their compliance standards. And it's not just them on the task list – the Commerce Department will be rolling out a five-year plan for testing and certifying these AI systems. Meanwhile, NIST is on the hook for developing authenticity standards for online content and technical safeguards for "high-impact" AI systems. And for the cherry on top, companies deploying high-impact AI systems have to submit transparency reports.
The European Draft Standard Provisions for the AI Act are out!
The EU AI Act now has draft Standard Contractual Clauses available for public organizations. The clauses cover various obligations, but don't address broader legal and commercial issues like GDPR or liability. They offer a starting point for public entities procuring external AI systems.
Music Publishers are Engaging in a Copyright Lawsuit against Anthropic
Universal Music Group and other music publishers have taken legal action against Anthropic for reportedly distributing copyrighted lyrics through its AI. The lawsuit alleges that the AI company's Claude 2 replicated almost identical lyrics to popular tracks without permission, which could constitute copyright infringement. The outcome of the lawsuit may require AI companies to enter into licensing agreements with publishers to train their AI and promote new solutions for the music industry.
UK: AI Regulation Bill Proposed
In his November 22, 2023 proposal of the Artificial Intelligence (Regulation) Bill, Lord Holmes introduces a distinctive approach to AI regulation in the UK. The bill's definition of AI, including generative AI, veers from the usual, focusing on the technology's application rather than its technical aspects. It emphasizes the need for regulation due to AI's autonomy and adaptability, suggesting a tailored regulatory framework. The bill also proposes establishing a new AI regulatory body, signaling a targeted shift in managing AI's evolving role.
Further AI Directives from the U.S.
The new AI directive in the U.S. affects federal agencies, requiring them to appoint a Chief AI Officer and establish AI governance bodies within 60 days. Compliance plans must be submitted to oversee innovation, governance, and risk management. Though focused on federal agencies, its implications extend to the public sector. Private firms working with government agencies may need to align with these standards, influencing practices in cybersecurity and data protection. This directive is indicative of the increasing integration of AI in government operations and the corresponding need for comprehensive legal frameworks.
Canadian AI Act (C-27) Proposed Amendments Submitted for Review
Minister of Innovation, Science, and Industry, Francois-Philippe Champagne, has submitted his complete proposed amendments to the (‘INDU’) committee, which is currently examining Bill C-27. The proposal includes the introduction of novel categories of "high-impact systems", with a total of seven distinct classes.
Custom GPTs by OpenAI: Innovation Unleashed, but Privacy Concerns Linger
Since November, OpenAI has enabled the creation of custom ChatGPT models, or "GPTs," for various applications. However, security concerns have arisen as researchers discovered these GPTs could unintentionally expose their initial setup instructions and customization files, risking the leakage of sensitive data. This vulnerability underscores the importance of cautious data management in custom GPTs. To bolster security, implementing "defensive prompts" to prevent file downloads and thoroughly cleansing data before uploading can help mitigate privacy risks. Users should be vigilant about the information shared with these custom models.
Google Takes Legal Action Against Scammers
Google is suing three unidentified scammers, allegedly based in Vietnam, for using the company’s trademarks to deceive users into downloading a fake version of Google’s AI chatbot Bard that is infected with malware. The scammers, posing as Google representatives on Facebook, offer a purported “latest version” of Google Bard for download, but the link installs malware on users’ devices, stealing social media login credentials. Google is seeking a permanent injunction, damages for willful trademark infringement, and an order for the scammers to disgorge profits from their alleged illegal acts.
Nations Unite for Frontier AI Safety Accord
The Bletchley Declaration, endorsed by 28 countries, emphasizes the urgent need for a joint global effort to ensure the safe and responsible development and deployment of AI. The agreement recognizes substantial risks, encompassing intentional misuse, control issues, cybersecurity, biotechnology, and disinformation. Countries commit to international cooperation, scientific collaboration, and the establishment of a network for research on frontier AI safety. The declaration, aiming to inform risk-based policies globally, outlines a forward process for international collaboration.
GSRA 2023 Takes Aim at Government Surveillance Gaps
The Government Surveillance Reform Act of 2023 (‘GSRA’) aims to address issues in government interception without warrants. Spanning 200 pages, the GSRA targets various surveillance loopholes, introducing warrant requirements for certain data access forms. It seeks to end elements of the now-defunct Patriot Act and addresses law enforcement's use of private data broker files. Notable inclusions involve warrant requirements for the FBI's "Stingray" cell-site simulator program and addressing the "smart car" loophole. The bill proposes stronger restrictions on Section 702 data searches and introduces measures to challenge (‘FISA’) surveillance in court. Additionally, federal agencies face restrictions on reverse targeting, and private companies cooperating with surveillance must disclose more information.
New Jersey Parents are Questioning the State's Storage of Newborns' Blood for More than Two Decades
A group of New Jersey parents, in collaboration with the Institute for Justice (‘IJ’), has filed a federal lawsuit challenging the state's practice of retaining blood samples taken from newborns for 23 years without parental knowledge or consent. While state law mandates the collection of blood from newborns for disease testing, New Jersey's Department of Health retains the leftover blood without informing parents or seeking their consent. The state can utilize these blood samples in various ways, including selling them to third parties, providing them to law enforcement without a warrant, or selling them to entities like the Pentagon, as seen in a previous case in Texas.
CJEU Shares Significant Insight on Access Rights
In the landmark case of FT v. DW, the Court of Justice of the European Union (“CJEU”) clarified important aspects of data subject access requests under the GDPR. The ruling confirmed that individuals are entitled to a free copy of their personal data, and controllers cannot refuse these requests based on the data subject's stated purpose. Additionally, national laws cannot require data subjects to pay for the first copy of their data, safeguarding against controllers' economic interests. The judgment also emphasized that patients have the right to a comprehensive reproduction of their medical data, rather than just a summary, ensuring full and accurate access to their information.
Michigan Senate Introduces Privacy Bill
The Michigan Senate introduced a bill regarding consumer privacy rights. Michigan is set to join the other states that have passed privacy legislation.
We will keep watching this bill for you. Stay tuned!
Quebec Bill 38: Leading Cybersecurity in the Public Sector
Bill 38, Act modifying the Act respecting the governance and management of the information resources of public bodies and government enterprises and other legislative dispositions, proposes significant amendments to the Law on the Governance and Management of Information Resources of Public Bodies and Government Enterprises, as well as to the Law on the Ministry of Cybersecurity and Digital Affairs.
It assigns the Minister of Cybersecurity and Digital Affairs a leadership role in the digital transformation and cybersecurity of the Public Administration, charges them with coordinating government actions in these areas, and grants them the power to propose a portfolio of priority projects in information resources. The bill also strengthens information security practices by authorizing the minister to take binding measures, such as obliging certain public bodies to use specific cybersecurity services. Additionally, it gives the minister the responsibility to provide certification and electronic signature services to public bodies, while allowing pilot projects in the fields of cybersecurity and digital affairs.
NY Governor Proposes New Cybersecurity Regulations for Hospitals
The Governor of New York has unveiled proposed cybersecurity regulations for hospitals in response to the escalating digital threat landscape, particularly concerning healthcare data. The initiative mandates risk assessments, the implementation of robust cybersecurity programs, and the appointment of dedicated cybersecurity officers within healthcare facilities. This proactive approach aims to fortify the defenses of the state's healthcare infrastructure, mitigate potential risks, and ensure the protection of sensitive medical information amid the increasing frequency and sophistication of cyberattacks.
EU-Japan Reach Data Transfer Agreement
The EU and Japan unveiled a groundbreaking agreement aimed at making online business between the two regions easier and more cost-effective. This agreement addresses common approaches for digital trade, intending to overcome previous challenges posed by digital protectionism and arbitrary restrictions. Notably, it eliminates data localization requirements, streamlining data handling without imposing administrative or storage obligations. The removal of these requirements is anticipated to particularly benefit European and Japanese businesses in sectors like financial services, transportation, and machinery, reducing complexities associated with local data storage and mitigating potential privacy threats. The comprehensive agreement, formalized after a year of negotiations that began in October 2022, aligns with the EU’s recent efforts to integrate digital trade elements into its partnerships.
FCC Takes a Stand Against SIM Card Scams
The Federal Communications Commission (‘FCC’) has unanimously approved new rules aimed at combating cellphone SIM card fraud. The regulations require wireless carriers to implement consumer-oriented measures, including customer verification for SIM card transfers. The move addresses the rising issue of fraudsters gaining access to personal information and accounts by transferring victims' SIM cards to their own devices. The rules target two types of scams: "SIM swapping," where a bad actor persuades a wireless provider to transfer a victim's service to a different device, and "port-out fraud," where the actor poses as the victim to open an account with a different wireless provider.
German Guidelines on Reidentification Risk Assessments
The German data protection authority of Baden-Württemberg published a discussion paper on the legal basis for data protection when using AI, particularly emphasizing the re-identification risks associated with potential model attacks. The authority highlights the importance of performing regular risk assessments to evaluate the likelihood of re-identification. The paper provides a checklist for data processing with AI for public and private entities. The authority is inviting the public to comment on the paper until February 1st, 2024.