The basics of AI regulations: Privacy and security

- As an end user of generative AI, you're not expected to be a lawyer, but you are expected to understand the basics and to do your part to ensure copyright and privacy laws are upheld that harmful or inaccurate AI content is identified and fixed, and that your use of AI doesn't violate any laws in your jurisdiction. Privacy is the most mature area of regulation that relates to data. And since data is involved in developing AI, privacy laws are relevant to consider in our use of generative AI. Every country will have slightly different types of privacy laws, but there are some things that are common amongst these laws that start to intersect with issues related to the use of generative AI. Consider the issue of consent to collect, use and share data. We've touched on that idea briefly with our discussion about the lack of consent from copyright holders to use their data to train AI. However, there are also issues of consent that could arise from prompting AI. For example, let's say you want to use generative AI to write a personalized letter to a client, and you share a bunch of personal information with the generative AI system in order to generate that tailored content. This raises a number of privacy questions about consent to use the information and about data sharing with a third-party, the generative AI vendor. Similar to understanding the terms of use for copyrighted material, you should understand and abide by the terms of use as it relates to personal or sensitive data. This example also raises the issue of cybersecurity and possible breaches of privacy that might ensue from using generative AI. Once information is ingested into generative AI training data, it's virtually impossible to delete information captured in the prompts from users can become part of training data, which can compromise that data. There is also the issue of bad actors who might tamper with an AI model. This could be from directly engaging with an external facing customer service chatbot, or by finding ways to get someone else to inadvertently inject malicious instructions or code into a model. These instructions could be used to gain further access to other information or to reconstruct information compromising privacy. When we talk about the different types of generative AI, we'll address privacy in more depth. But for now, it's important to understand that there is data sharing taking place when we use a generative AI system. So we need to ensure that our use of the personally identifiable information is on side with privacy laws. Another issue with legal implications is the generation of AI content that is defamatory, making statements about a person that are untrue and could damage that person's reputation. In one case that made headlines, a generative AI system output content, which claimed an Australian mayor was involved in the payment of bribes to officials in other countries. This resulted in the first defamation lawsuit involving an AI system, though the mayor ultimately decided not to pursue the case once the offending material was corrected. Finally, we should mention the EU AI Act. The EU AI Act was passed in late 2023 and will likely come into full force by 2026. It takes a risk-based approach whereby certain applications of AI are deemed more risky and require more scrutiny. So if you work in areas like HR, expect to have more regulatory oversight of the systems you use. There are also obligations in the Act to ensure users have AI literacy, a basic understanding of the opportunities and risks involved with using AI. Taking a course like this one is a proactive approach to being ready for regulations. It's expected that other countries will soon have their own AI laws. Both the US and Canada have proposals for specific AI regulations underway. And in the absence of regulation have issued other guidelines or directives, all of which is to say understanding basic legal compliance is a necessary aspect of making responsible choices about how to use generative AI.