AI Data Protection Myths, Facts, Nuts and Bolts

Emma Redmond, Associate General Counsel, Privacy and Data Protection, OpenAI
Lothar Determann, partner, Baker McKenzie

WELCOME AND INTRODUCTIONS

AGENDA

What is AI? Practical definitions for businesses
When and how does generative AI process personal data?
Privacy law compliance issues that are and are not specific to AI and how to address both.
Privacy by design for deployment and data subject rights management.
Privacy notices and contract terms.
Compliance checklists.

DEFINITIONS

EU AI Act (Parliament 2023): artificial intelligence system (AI system) means a machine-based system that is designed to operate with varying levels of autonomy and that can, for explicit or implicit objectives, generate outputs such as predictions, recommendations, or decisions, that influence physical or virtual environments.

EU AI Act (Commission 2022): artificial intelligence system (AI system) means software that is developed with one or more of the techniques and approaches listed in Annex I and can, for a given set of human-defined objectives, generate outputs such as content, predictions, recommendations, or decisions influencing the environments they interact with.

CPPA (2023): Artificial Intelligence means an engineered or machine-based system that is designed to operate with varying levels of autonomy and that can, for explicit or implicit objectives, generate outputs such as predictions, recommendations, or decisions that influence physical or virtual environments. Artificial intelligence includes generative models, such as large language models, that can learn from inputs and create new outputs, such as text, images, audio, or video; and facial or speech recognition or detection technology.

For purposes of aligning U.S. agencies on AI research, development, and use, the U.S. government enacted the National AI Initiative Act of 2020 according to which artificial intelligence means a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations or decisions influencing real or virtual environments. Artificial intelligence systems use machine and human-based inputs to (A) perceive real and virtual environments; (B) abstract such perceptions into models through analysis in an automated manner; and (C) use model inference to formulate options for information or action.

The National Institute of Standards and Technology (NIST) proposed understanding AI as an interdisciplinary field, usually regarded as a branch of computer science, dealing with models and systems for the performance of functions generally associated with human intelligence, such as reasoning and learning.

EU AI ACT DEFINITIONS JAN 21, 2024 DRAFT

U.S. DEFINITIONS

U.S. National AI Initiative Act of 2020: artificial intelligence means a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations or decisions influencing real or virtual environments. Artificial intelligence systems use machine and human-based inputs to (A) perceive real and virtual environments; (B) abstract such perceptions into models through analysis in an automated manner; and (C) use model inference to formulate options for information or action.

NIST: “interdisciplinary field, usually regarded as a branch of computer science, dealing with models and systems for the performance of functions generally associated with human intelligence, such as reasoning and learning.”

DEFINITIONS

Artificial Intelligence: computer systems that generate text, images, solutions to problems, and other output, functioning with substantial autonomy and in ways that their developers cannot always predict, explain, or control with certainty.

Deterministic systems: computer systems that humans program with specific step-by-step instructions to produce output that developers can predict, explain, and control.

WHO IS IN CHARGE OF AI COMPLIANCE IN THE ORGANIZATION?

Has your company designated an individual or governance board to be responsible for developing, implementing, and monitoring an AI law compliance and risk mitigation program?
Are individual officers or employees accountable for each particular system, as a human systems steward or in another clearly defined role?
Are you and all other company representatives appropriately instructed and trained regarding their responsibilities with respect to AI law compliance and risk mitigation?

DO YOU KNOW YOUR AI?

Have you reviewed key external and internal systems that your organization uses and confirmed which systems are programmed deterministically and which qualify as AI?
Have you analyzed which AI you should develop in-house, acquire from corporate vendors, or use from publicly available sources?

HAVE YOU DOCUMENTED IMPACT ASSESSMENTS AND RISK MITIGATION MEASURES?

Have you conducted legal assessments under attorney-client privilege to determine applicable compliance requirements and address known risks, including algorithmic bias?
Have you documented impact assessments to satisfy specific legal requirements or as a measure to defend your practices in case of incidents and legal challenges?

DO YOU KEEP SYSTEMS AND DATA CONFIDENTIAL AND SECURE?

Do you have a security protocol that describes sufficient physical, technical, and organizational data security measures, e.g., database access controls and device encryption?
Are all employees familiar with the protocol and actually complying with it?
Are service providers carefully selected and monitored with respect to data security, and are appropriate contracts in place?
Do you have a data retention and deletion program in place that ensures that data is securely discarded after it is no longer needed or legal to store?

HAVE YOU SIGNED ADEQUATE DATA PROCESSING AGREEMENTS WITH AI PROVIDERS?

AI users need data processing and confidentiality agreements with AI providers to satisfy requirements under privacy and data protection laws and to protect trade secrets.
AI users can benefit if AI providers improve capabilities with user data, but need to ensure adequate trade secret protection and compliance with privacy and data protection laws.

HAVE YOU ISSUED NECESSARY WARNINGS AND REQUIRED NOTICES AND OBTAINED CONSENT WHERE REQUIRED?

Companies have to disclose automated decision-making, AI chatbots, and other details under existing laws and myriad draft bills.
Do your notices satisfy all applicable requirements regarding form, content, organization, terminology, and translation?
Have you issued sufficient just-in-time warnings to users to reduce the risk of AI misuse and harm?

DO YOU HAVE PROCESSES AND RESOURCES IN PLACE TO RESPOND TO SECURITY INCIDENTS, GOVERNMENT SUBPOENAS, USER QUESTIONS, CONSUMER COMPLAINTS, AND DATA SUBJECT REQUESTS FOR DATA ACCESS, CORRECTION, AND DELETION?

Companies must grant requests for information about personal data processing, copies of data in transferable formats, corrections and deletion under the GDPR, the CCPA, and other laws; controllers need support from processors and should update their contracts accordingly.
Do you have protocols in place on responding to dawn raids and requests for personal data by governments?
Have you assessed how your vendors respond to government requests for personal data?

ARE YOU DEVELOPING, PROVIDING, AND USING AI IN THE RIGHT PLACE?

Given widely diverging laws on data processing, scraping, copyright infringement, and fair use, have you identified the best legal environments for data acquisition and AI development in light of applicable laws and litigation risks?
Have you implemented appropriate measures to ensure that your data and AI are not unreasonably exposed to foreign government access and surveillance?
Is your company or are your customers required to retain data locally under data residency laws?

ARE YOUR COMMERCIAL CONTRACTS PERTAINING TO AI ADEQUATE?

Have you agreed on clear rights, duties, and liabilities with respect to AI in commercial contracts with AI developers, providers, and users?
Do your contract terms for customers offer your customers all legally required and reasonably expected representations and terms relating to compliance, data protection, international data transfers, and data security?
Do your contract terms with individual AI users justify your data processing and allocate adequate rights and obligations on the parties?
Are you sufficiently insured under existing policies or specific new coverage arrangements?

HAVE YOU DOCUMENTED YOUR COMPLIANCE MEASURES?

Have you prepared sufficiently detailed records of your AI compliance measures to answer questions from customers and internal users, demonstrate compliance and accountability, respond to authorities, satisfy due diligence requests in M&A transactions, and defend against claims alleging violations of AI laws?
Do you have a process for conducting impact assessments before you adopt new AI products or processes, including automated decision-making?

HAVE YOU DOCUMENTED YOUR COMPLIANCE MEASURES?

Do you seek input from your data protection officer and legal department early on in the product development process?
Do you provide customers, prospects, and end users with guidance (for example, in user manuals, white papers, and FAQs) on how they can use your AI products in compliance with applicable laws and how to avoid pitfalls?
Do you provide effective instructions to employees in focused protocols to ensure they develop, provide, use, and monitor AI appropriately?

RESOURCE LIST

HOW DID THINGS GO? (WE REALLY WANT TO KNOW)

Did you enjoy this session? Is there any way we could make it better? Let us know by filling out a speaker evaluation.
1. Open the Cvent Events app.
2. Enter IAPP DPIUK24 (case and space sensitive) in search bar.
3. Tap “Schedule” on the bottom navigation bar.
4. Find this session. Click “Rate this Session” within the description.
5. Once you've answered all three questions, tap “Done”.
Thank you!