Navigating AI data security: strategies for responsible innovation

In late September 2024, more than 100 companies (including Autodesk) signed onto the EU AI Pact, becoming the first companies to pledge to apply the principles of the EU AI Act. Yet even with voluntary efforts by companies to show that they are developing and deploying AI responsibly, many people still want governments to regulate this technology, an AuthorityHacker survey found.

In this survey of US residents, 79.8% believe the government should implement strict AI regulations—even if it slows down technological innovation. A key concern among respondents was privacy, with 82.45% concerned about the use of personal data to train AI systems.

An analysis by the same company also found that nearly two-thirds of the world’s countries are working on regulating AI, with varying levels of progress. Among the leaders in this area is the European Union with its AI Act, which was formally adopted by the European Council on May 21, 2024, and will take effect in phases over the next three years.

The AI Act aims to regulate artificial intelligence by categorizing AI systems based on their risk levels and setting specific requirements for each category. AI systems with limited risk, such as spam filters or AI-enabled video games, would be subject to very light transparency requirements. High-risk AI systems would have a stricter set of requirements to gain access to the EU market; this includes AI-based medical systems or AI systems used for hiring. Certain AI systems deemed to have unacceptable risk—such as those that allow “social scoring” by governments or companies—will be banned.

This approach is quite sensible, says Scannell. “There’s a reason why the prohibited aspects of AI are prohibited—they’re shady,” he says. In addition, “if you look at the AI Act, a lot of the rules are what stakeholders, customers, users, and investors would want a big company to be doing when they’re using AI.”

Overall, Scannell thinks the AI Act’s risk-based approach is “the right way to go, because the more prescriptive you try to be, the more out-of-date it becomes.” Instead, by focusing on high-risk uses of AI, the law continues to be relevant even as the technology changes. “[Generative AI] technology didn’t exist when Europe started looking at regulating AI,” he says.

In terms of data protection, Scannell says the AI Act and the European Union’s earlier General Data Protection Regulation (GDPR) are complementary pieces of legislation. For example, if a company is processing large amounts of personal data for AI uses, the GDPR requires it to carry out a data protection impact assessment. So in the EU’s AI Act, “there are a lot of references back to the GDPR,” he says.

Cooper agrees that the EU’s AI Act, in general, takes the right approach by focusing on high-risk use cases of AI. However, “there are going to be a lot of questions about how [the act] gets implemented,” he says. In particular, he would have liked to see more clarity about the kinds of things that developers and deployers are specifically responsible for.