Navigating the Evolving Landscape of AI Regulations: Compliance Strategies and Patent Implications

Council Post: 3 Ways Companies Can Keep Compliant With Evolving AI Regulations

When the EU's General Data Protection Regulation (GDPR) first took effect in May 2018, it was a watershed moment that set a new standard for data protection and privacy. But it also revealed glaring gaps in compliance readiness, even among the most prominent players in tech. Despite their vast resources, companies like Google and Meta found themselves having to deal with unforeseen challenges and hefty fines for non-compliance. GDPR continues to loom large today, and its regulatory requirements are compounded by the newest EU regulation, the EU AI Act. Time will tell if the industry at large has heeded the lessons of GDPR and whether companies will be able to better meet the demands of the EU AI Act. Aside from significant reputational damages that a company could incur, the financial repercussions of violating the EU AI Act are serious. Selling a prohibited AI product in the EU could mean paying a fine of over $37 million or up to 7% of a company's total annual revenue. In the U.S., the regulatory landscape is an array of federal guidelines, executive orders, and state or local legislation, like Colorado's SB205. The mix of requirements complicates matters for enterprises and SMEs that seek to capitalize on AI while insulating themselves from downstream risks and ramifications. Keeping pace with these emerging regulations while building public trust in the technology are growing priorities for companies. To ensure AI models operate safely and responsibly, business leaders must take proactive steps to understand and consider new approaches to tracking and controlling the way they use data to power AI systems. Increasing concern regarding data privacy is leading regulators to advocate for stricter regulation of AI. The EU AI Act, for instance, prohibits applications that pose "unacceptable risk" to personal data, like sourcing remote biometric data to categorize individuals based on race or political views or compiling facial recognition databases from footage taken in public spaces. In the U.S., 30 states have already proposed or passed laws that regulate how companies leverage personal data in profiling and automated decision-making. Before establishing accountability mechanisms, business leaders should first gain clarity on the types of data that their AI models are interacting with. Knowing your data inside and out is important to identify where risks lie and what challenges may impact model deployment down the road. This may involve practices like taking data inventory and conducting lineage analysis, which helps visualize the end-to-end movement of information -- tracing the origins, destinations and transformations throughout its lifecycle. Let's say a retailer uses an AI chatbot to field customer requests. Once data sources are identified -- like from CRM systems, historical chat logs or third-party APIs -- a lineage tool or a data governance platform can be used to trace the path of data as it moves through different stages of interaction. The retailer can then identify where they're processing sensitive customer information and how they're leveraging that data internally to help developers prioritize areas of the system that may need closer monitoring, access controls and regular audits. A crucial component of data governance is feeding AI with information that's accurate, relevant and complete. Working with regulatory experts, legal counsel and internal AI teams to establish data validation procedures and usage standards is one way to ensure their models are making decisions using high-quality data. Data validation, or the process of evaluating the quality and effectiveness of a machine learning (ML) system, is especially important in high-stakes industries like healthcare, where misdiagnosis or the wrong treatment plan can mean life or death for patients. For this reason, the EU AI Act considers most AI applications in the healthcare sector as high-risk. Some hospitals today are even using validation algorithms in AI-driven diagnostic tools to verify patient health information and track real-time performance metrics on data quality. Beyond various explainable AI techniques, companies are also looking to decentralized blockchain networks -- highly serialized, tamper-resistant record-keeping systems -- to bring more clarity to datasets being used in LLMs. The rationale behind every AI-driven decision can be recorded on the chain, providing a transparent audit trail for regulatory compliance and public trust. Companies can revisit previous versions of a given model, root out bad data and prevent AI mishaps. With LLMs in particular, companies can create massive libraries where employees can record and share prompt use cases. They serve as valuable resources to train employees on best practices and real-world examples shared by peers. They also give IT leaders visibility into how AI is being used across their business operations to create more effective safety standards, identify risks and attacks, and support continuous improvements. AI is moving rapidly, and its applications are constantly pushing boundaries. This incredible pace of innovation means regulators, policymakers and leaders in the private sector often find themselves playing catch-up. As such, reporting protocols and requirements should be revised continuously to detect incidents of non-compliance before it's too late. The EU AI Act, for example, requires that any operational anomalies and potential violations in "high-risk" AI products must be reported no later than 15 days after they are detected. Similar guidelines will likely follow in the U.S., as calls for clearer regulations continue to rise. The bottom line is that it's better to be safe than sorry when it comes to mitigating new AI risks. Companies can't afford to wait for laws to be passed before taking action. Delays can leave them more vulnerable to liabilities associated with AI, such as biases and privacy violations. And if building trust in AI is truly a priority, data governance shouldn't be an add-on to be considered a few years down the line; it should be woven into the very fabric of how their organization operates today. Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?

Council Post: What The EU AI Act Means For Your Patent Strategy

The EU AI Act will enter force on Aug. 1, 2024 as the world's first comprehensive legal framework for artificial intelligence (AI) and addresses the risks and opportunities of AI for certain industries, particularly with respect to what the act categorizes as "high-risk" AI. The act considers any AI system high-risk if it poses "significant potential harm to health, safety, fundamental rights, environment, democracy and the rule of law" and is thus subject to strict conformity assessments before being permitted on the EU market. For companies developing or deploying AI that are interested in seeking patent protection, it is important to understand how the EU AI Act impacts patent strategy. Here are the questions you may want to ask. The EU AI Act has an extraterritorial scope, meaning even if your system is developed and deployed outside of the EU, you will still be subject to the act's provisions if your AI system can potentially affect those within the EU. Therefore, American-based companies seeking to market or provide AI-based technology within the EU may be subject to the Act's penalties for noncompliance. Parties failing to conform to the act's provisions are subject to penalties of up to 7% of global annual turnover. You heard that right -- global. In the U.S., companies should expect a growing number of AI governance bearing resemblance to the EU AI Act to arise. On May 17, 2024, Colorado enacted the first comprehensive AI legislation in the U.S., which creates duties for developers and deployers to use reasonable care to protect consumers from any known or reasonably foreseeable risks of "algorithmic discrimination" arising from the intended and contracted uses of "high-risk AI systems." The EU AI Act provides a tiered regulation structure for different classes of AI, ranging from unacceptable, high-risk, general-purpose AI or limited. The bulk of the act applies to the category of high-risk AI, which has the potential to pose a significant risk of harm to people's health, safety or fundamental rights. For example, any AI embedded in a product or article of manufacture is considered high-risk. These could include AI systems that constitute as medical devices, industrial machinery, toys, aircraft or vehicles. Additionally, AI systems used as a safety component are high-risk, such as AI integrated with radars or sensors of aircraft and vehicles for the detection and aversion of external obstacles. AI systems are also always considered high-risk if they profile individuals (e.g., automated processing of personal data to assess various aspects of a person's life like economic and health conditions, personal interests, behavior, location or movement). Industries pertaining to healthcare, transportation, insurance and education should be on particular alert. If your AI is deemed high-risk, developers and deployers must adhere to regulations requiring rigorous testing, proper documentation of data quality and an accountability framework that details human oversight to be permissible on the EU market. Conformity requirements for high-risk AI include, but are in no way limited to, establishing, implementing and maintaining a risk management system to address the risks posed. Additionally, the act requires parties to implement effective data governance such as training, validating and testing data sets. Generally speaking, the scale of conformity requirements for high-risk AI is hefty and expensive. Most likely, companies have to spend a significant amount of money not only to audit their AI practices but to bring those practices into conformity. Given the EU AI Act's extensive scope for regulating what it considers to be high-risk AI, it is important to understand the role your patent applications can play. In a broad sense, as the act's goal is to target AI systems that can potentially result in unfair treatment of different people populations and discriminatory practices, you should be especially aware of whether your patent application describes systems utilizing a user interface (e.g., anything with a screen or touchscreen) where users can input their personal data or a microphone or camera that can be programmed to automatically acquire personal information or behavior on a continuous basis. This is especially true if that data is thereafter stored in some way to impact future decisions or can be used to predict human behavior that could be discriminatory. Other commonly described features in patents include the creation of user profiles or the collection of user preferences, which can be seen as the automated processing of personal data to assess various aspects of a person's life under the act. It is certainly not the case that describing or disclosing these aspects of your system in a patent application would automatically subject you to a high-risk categorization. But it is important for applicants to be aware that these types of disclosed systems could have a higher potential of being subject to greater scrutiny in Europe under the provisions of the new act. The information provided here is not legal advice and does not purport to be a substitute for advice of counsel on any specific matter. For legal advice, you should consult with an attorney concerning your specific situation. Forbes Business Council is the foremost growth and networking organization for business owners and leaders. Do I qualify?