One thing that is for sure is that there are a lot of data privacy laws out there. As I have written about many times before, some of the most notable ones are the GDPR, CCPA, and HIPAA. In the simplest terms, they have tenets and legislation embedded into them to make sure that businesses maintain all of the needed controls, so that the datasets they hold about their customers and employees are in safe hands.
There is much more to it of course, but the good news is that at least there are regulators out there who are watching these companies, and should they go astray, they will face a comprehensive audit and possible financial penalties. But the main problem here is that, at least in the United States, there is no one central law that can handle all of the 50 states.
In other words, there can be 50 different privacy laws, each with its own set of requirements and caveats. So, if a business owner transacts business in all of the states, is he or she still responsible for becoming compliant with all of them? The short answer to this is yes. It will of course be a herculean task to accomplish, but whether it is fair or not, they will ultimately be held responsible.
Now, there is another issue which is compounding this problem even more: the explosion of AI on a global basis. Obviously, AI models will be holding and transacting a ton of information and data. After all, that is how they function and operate. Because of the “black box” nature of AI, many people are now concerned about how their personal data will be protected here as well, and rightfully so.
So far, 8 states in total have come out with their own version of a data privacy law, and some of those include Oregon, Montana, and Texas. Privacy surrounding the use of AI has also been addressed in these pieces of legislation. But, even from within these states, these laws are wildly different. For example, because of its much smaller population size (only about one million), the threshold of what constitutes data privacy has been set much lower, thus resulting in a lower ratio of audits and penalties if businesses are not compliant.
In terms of Texas, they have spelled out various financial thresholds at which businesses have to meet certain data privacy requirements. For example, an organization that produces far less revenue will not be held to nearly the same standards as one that is a Fortune 500 company. And in Oregon, the data privacy laws have been extended to include protection for linked devices (such as IoT based ones), fitness watches, and even transgender health records.
So now, as AI becomes much more entrenched in American society, these data privacy laws will have to be adjusted on a big-time basis in order to accommodate and take into account these advancements. Here are four top trends to be on the lookout for as this year continues to unfold:
*Data leaks and exfiltration from Large Language Models (LLMs), which are a component of AI.
*Using existing customer information to train new AI models, without the customers' knowledge or consent. A good example of this is the recent fiasco with Zoom. More details about this can be found at the link below:
*Expect more passage of widely varying data privacy laws from states located in the Northeast sector of the United States.
*Many unforeseen security breaches will occur as businesses continue to adopt AI on a rapid scale. To this effect, the Federal Trade Commission (FTC) will be a key regulatory body here.
*The Presidential Election of this year will only heighten the negative uses of AI, especially when it comes to Deepfakes, Phishing email attacks, and phony websites asking for political donations.
*There will be an increased awareness in terms of determining who owns the data, and which data privacy law it should fall under. This is also known as “Data Sovereignty”. For example, suppose you run an online business, and you store all of your customers' information and data in the Cloud. Who owns it? You? Your Cloud Provider? Also, which data privacy law should it fall under? The CCPA, or the GDPR?
My Thoughts On This:
Right now, it is the United States Federal Government who is our best friend to make sure that the states follow data privacy and protection. In fact, the Biden Administration has passed some key pieces of legislation and even Executive Orders (EOs) to enforce this. But the problem is that the technology is advancing far too rapidly for the laws to keep up with.
For example, if a set of laws is passed today, it will quickly become outdated tomorrow with the pace of innovation that is taking place in AI today. One way to possibly resolve this to some degree is to have another department within the Federal Government called the “Department of Cybersecurity”. All of the AI and data privacy laws can be created and passed here, then trickle down to all of the 50 states.
The prime benefit here will be that there will be just one common set of standards and best practices, with no wild variations in the legislation, as we are seeing today.