“As our case is new, so must we think anew, and act anew.” – Abraham Lincoln
On December 8th, 2023, the European Union (EU) reached a historic deal on the AI Act, which governs Artificial Intelligence (AI) within Europe. The AI Act has been heralded as a global standard by European regulators, as it's the first major effort a global power has made to ensure that AI systems are operating legally, safely, and responsibly.
As a result, there have been calls for the United States (US) to replicate the AI Act, create a separate agency for AI, or even nationalize AI altogether.
But could these legislative options work at the federal level in the US?
Let’s talk about that.

The AI Act: What does it do?
The goal of the AI Act is to ensure safe and effective use and development of AI. The regulatory structure of the AI Act groups systems into four risk categories: minimal, high-risk, unacceptable, and specific transparency. Most of these groups are self-explanatory. Minimal risk poses a small amount of risk to the rights or safety of citizens, high-risk poses a risk to the rights or safety of citizens that is greater than minimal, and unacceptable risk poses a clear threat to the rights and safety of citizens. The Specific Transparency Risk category is of note because it serves as a catch-all to cover outlier systems, such as chatbots, biometric categorization, and emotion regulation systems that don’t fit in the above categories.
And so, by defining the type of risk and building upon the rights of EU citizens, the AI Act has taken the first step in addressing some of the challenges with regulating AI, such as defining harm and dictating what does and doesn’t need to be regulated.
The AI Act went one step further than defining and categorizing by establishing the European AI Office and introducing umbrella regulations that would apply to all of the above categories.
These regulations include the following:
- Tech companies must notify users when they are interacting with AI.
- AI generated content must be labeled.
- Systems that detect AI generated content require authorization.
- AI models must be documented, comply with EU copyright laws, and be shareable.
- The categorization of individuals based on bodies and behaviors, untargeted facial scraping, emotion recognition systems, social scoring, manipulative algorithms, and predictive policing were all banned.
Great! Will the US create an AI Act of its own?
Probably not.
Let’s look historically at the global response to technological advancements. In 2016, with growing privacy challenges associated with modern communication, the EU adopted the General Data Protection Regulation (GDPR). The GDPR, like the AI Act, was the first data privacy regulation of its kind. It is significant because it established that EU citizens had a right over their own privacy data.
The United States has not established a GDPR equivalent, nor has it established that its citizens have a right over their own privacy data. (Note: California established the California Consumer Privacy Act.) Instead, the US has typically taken a hands-off approach to data privacy regulation and acts only once a specific harm occurs. Examples of US regulations include the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act. This results in fragmented regulations that lack comprehensive data privacy protections for its citizens.
An important piece of legal history to note is the development of the Fair Information Practice Principles (FIPPs), the backbone of the EU’s Data Directive (a precursor to the GDPR) and the basis of the GDPR. Ironically, the US government developed, but did not adopt, FIPPs in the 1970s to ensure that individuals had a choice in how personal information was being used.
FIPPs contained the following eight principles:
- Notice – emphasizing the need for transparency in how data is collected, used, and disclosed.
- Choice – allowing individuals to have an option whether their personal information is collected.
- Access – allowing individuals the right to access their personal information and correct inaccuracies.
- Security – establishing the need for organizations to secure and protect the confidentiality and integrity of personal information.
- Enforcement – establishing avenues for recourse if privacy rights are violated.
- Purpose Specification – requiring organizations to provide the purpose of the information that is collected at the point of collection.
- Data Minimization – limiting the amount of data collected based on the intended use.
- Accountability – holding organizations accountable for the other principles.
So, why didn’t the US fully incorporate the principles it created?
The primary challenge the US faced in the past, as it relates to FIPPs, is that it favored regulations that focus on industry-specific needs coupled with industry self-regulation rather than a one-size-fits-all regulatory framework. This is a common US approach to regulation known as the sectoral model.
The sectoral model is based on legislation, regulation, and a business’ ability to self-regulate. Essentially, regulations are tailored to different sectors or industries. Instead of a comprehensive, uniform set of rules, like what is favored in the EU, different regulatory agencies oversee and regulate specific industries based on their unique characteristics and needs. Supporters of this approach agree that it is best for the economy and that businesses have the expertise and knowledge to regulate themselves. Critics of this approach point to the repetitive way agencies must determine a need before creating regulations.
Now that you’re familiar with the regulatory culture of the US Government, let’s take it back to AI regulations.
AI regulations will likely develop under the sectoral model just like most US regulations. The cycle will likely go something along these lines:
- Political leaders will propose new legislation or threaten stricter rules.
- Businesses will react and impose stricter policies on themselves to pacify legislative concerns.
- Eventually, businesses will move away from their self-imposed policies or revise them to increase profits.
- The lack of regulation causes harm to occur.
- Public outcry leads to focused attention.
- Legislators react to protect citizens.
Federal legislators typically have a reactionary approach to legislation where they seek to introduce new laws after a clear harm. If you don’t believe us, think of the Dodd-Frank Wall Street Reform and Consumer Protection Act, legislation passed after the ’08 recession to make the US financial system safer and prevent a repeat of excessive risk-taking.
As it stands today, data privacy in the US is like a large quilt with a complex patchwork of federal laws and regulations, state laws and regulations, industry standards and policies, common law and consumer protection laws, and adherence to international agreements. AI law goes a step further and adds three or four layers to the quilt (or even an extra blanket): it consists of privacy and data protection as discussed above, but it also includes (at a minimum) overlap with intellectual property, employment and labor law, criminal law, and cybersecurity.
If data privacy laws and regulations are any indication, we can expect to see great difficulty in developing a comprehensive AI Act in the US using current approaches.
In Sum
- The AI Act was passed on December 8th, 2023, in the EU. It is the first effort to categorize and define AI as well as regulate the technology.
- In the past the EU has taken similar regulatory approaches to issues, such as the GDPR, which the US hasn’t replicated.
- The US developed FIPPs in the 1970s to address the emerging challenges with data privacy.
- The sectoral model is favored in the US. It is based on legislation, regulation, and a business’ ability to self-regulate. While it is seen as being business friendly, it has led to a legislative cycle that promotes a reactive regulatory culture.
- As it stands, privacy regulations in the US are complex, and AI policy even more so.