{"id":1895,"date":"2021-09-13T08:09:23","date_gmt":"2021-09-13T08:09:23","guid":{"rendered":"https:\/\/blogs.kcl.ac.uk\/kslr\/?p=1895"},"modified":"2022-06-07T17:25:15","modified_gmt":"2022-06-07T17:25:15","slug":"eus-new-ai-regulation-addressing-liability-concerns-and-its-interplay-with-the-gdpr-sanjana-l-b-and-sanah-javed","status":"publish","type":"post","link":"https:\/\/blogs.kcl.ac.uk\/kslr\/2021\/09\/13\/eus-new-ai-regulation-addressing-liability-concerns-and-its-interplay-with-the-gdpr-sanjana-l-b-and-sanah-javed\/","title":{"rendered":"EU\u2019s New AI Regulation: Addressing Liability Concerns and Its Interplay with the GDPR – Sanjana L B and Sanah Javed"},"content":{"rendered":"
\n
\n
\n
\n

Sanjana L. B. and Sanah Javed[1]<\/a><\/p>\n

Abstract<\/strong><\/p>\n

The European Union has spearheaded regulation in the digital space and the recent proposal to regulate artificial intelligence is a testament to this. Much like the GDPR, the proposed AI regulation envisages extraterritorial application. The new framework leans towards industry self-regulation, and broadly categorises artificial intelligence systems based on the risk involved in their usage. Further, the liability framework, according to the risk categories under the proposal, goes beyond the existing product liability regime. This article analyses the nuances of a long-arm liability framework under the new regulations. Additionally, the authors discuss the need for congruence between the new regulation and the GDPR, given the EU\u2019s innovation-centric approach and the relationship between AI and data.<\/p>\n

 <\/p>\n

Introduction<\/strong><\/p>\n

On April 21, 2021, the European Union (\u2018EU<\/strong>\u2019) put forth the \u2018Proposal for a Regulation Laying Down Harmonised Rules on Artificial Intelligence\u2019 (\u2018AI framework<\/strong>\u2019 or \u2018proposed framework<\/strong>\u2019).[2]<\/sup><\/a>\u00a0 The AI framework is rooted in making Artificial Intelligence (\u2018AI<\/strong>\u2019) technology ethical and enhancing the EU\u2019s position as a \u2018future-proof\u2019 and \u2018innovation-friendly\u2019 jurisdiction.[3]<\/sup><\/a><\/p>\n

The broad intent behind the AI framework is to provide guidance for developing AI, and make the EU a favourable jurisdiction for developers.[4]<\/sup><\/a>\u00a0Soft-touch regulations such as these, enable both the industry and regulators to continuously learn about the technology, its challenges, and risks,[5]<\/sup><\/a>\u00a0allowing regulations to withstand AI technology\u2019s constant growth.[6]<\/sup><\/a>\u00a0Accepting industry insights, the EU has chosen to omit red lines in the AI framework,[7]<\/sup><\/a>\u00a0but rather impose hefty penalties. Further, the framework addresses issues surrounding liability for \u2018AI Output\u2019.[8]<\/sup><\/a>\u00a0It proposes that providers and users of AI in third countries must also comply with the framework in cases where the AI Output is used in the EU, hence extending the liability regime outside the EU.[9]<\/sup><\/a><\/p>\n

This article discusses\u00a0firstly,<\/em>\u00a0the liability and responsibility mechanism under the framework for developers and users of AI; and\u00a0secondly,<\/em>\u00a0the interplay of the AI framework with the General Data Protection Regulation (\u2018GDPR<\/strong>\u2019)[10]<\/sup><\/a>\u00a0\u00a0<\/sup>and\u00a0 ways to further strengthen the AI framework, keeping in view the industry-friendly stance of the EU.<\/p>\n

I.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 How does the proposed framework tackle liability for harms arising out of AI technology?<\/strong><\/p>\n

The AI framework outlines the liability on developers, distributors and third parties engaged in functioning of AI systems.[11]<\/sup><\/a>\u00a0This, read with the Product Liability Directive, makes the producer of the technology strictly liable for any harm that arose from the use of such technology.[12]<\/sup><\/a><\/p>\n

The AI framework provides that developers of \u2018high risk\u2019 AI are required to establish a risk management system where the developer must foresee the possible risks that might arise from the use of the technology.[13]<\/sup><\/a>\u00a0Further, Articles 11 and 12 impose obligations of technical documentation and automated records. However, industry players have pointed out that when the AI is being developed, the complete scope of its functionality and usability cannot accurately be predicted.[14]<\/sup><\/a>\u00a0Often, AI developed for a particular purpose has the ability to go beyond that intended purpose.[15]<\/sup><\/a>\u00a0These ex-ante obligations on the AI developers are overly burdensome because\u00a0firstly<\/em>, the applicability of the framework extends to AI technology developed abroad but may be used within the EU,[16]<\/sup><\/a>\u00a0and\u00a0secondly,<\/em>\u00a0because the scope of liability exceeds the Product Liability Directive.[17]<\/sup><\/a><\/p>\n

i.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/strong>Extra-territorial Application of the AI framework<\/strong><\/p>\n

The application of the AI framework extends to cases where the AI technology is neither developed, nor deployed in the EU but AI Output is used in the EU.[18]<\/sup><\/a>\u00a0Hence, the AI framework has broad extraterritorial application.[19]<\/sup><\/a>\u00a0A foreign developer must ensure that in case there is a possibility that the AI Output will be used in the EU, the risk assessment, transparency, monitoring requirement and other obligations are fulfilled.<\/p>\n

Hence, the developer may face liability in cases where the AI Output was never intended to be introduced in the EU market. On this note, observations have been previously made on the parallels between the proposed framework and GDPR\u2019s extraterritorial application.[20]<\/sup><\/a>\u00a0Further, it has been noted that in order to extend extra-territorial application of the framework, the AI systems produced elsewhere must have an EU nexus.[21]<\/sup><\/a>\u00a0It is proposed that the AI framework must account for the developer\u2019s intention to make the product available in the EU market before liability can be attributed to the developer, by adopting the \u2018Offerings Test\u2019 as applied to the GDPR.[22]<\/sup><\/a>\u00a0A connection between the AI developer\u2019s outcome of the technology and its services or output being offered in the EU[23]<\/sup><\/a>\u00a0must be established; if the output is available inadvertently, a significant number of developers that have no commercial presence in the EU, and therefore no nexus, would also be covered under the framework.[24]<\/sup><\/a><\/p>\n

ii.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/strong>Going beyond the Product Liability regime<\/strong><\/p>\n

The European Parliament in its \u2018Recommendations on a civil liability regime for artificial intelligence\u2019[25]<\/sup><\/a>\u00a0acknowledges that AI has self-learning capabilities that go beyond the intention of the producer\/product developer. Hence, the operator \u2013 both at the frontend and backend must also be accountable for harms caused by AI.[26]<\/sup><\/a>\u00a0The recommendations specify that the liability framework must work ex-ante to minimise risk or ex-post to compensate for the risk.[27]<\/sup><\/a>\u00a0The AI framework for liability is modelled along the lines of the recommendations, however, it does more than just minimise risk; it imposes an obligation of technical documentation and record keeping, further requiring risk assessment and transparency about the manner in which the system\u2019s output takes place, raising concerns over disclosure of trade secrets and competitively sensitive information.[28]<\/sup><\/a><\/p>\n

The framework indicates that the Directive on Trade Secrets[29]<\/sup><\/a>\u00a0will take precedence, and if information that falls within the ambit of a trade secret is required to be disclosed to the authorities, the latter are bound by confidentiality obligations.[30]<\/sup><\/a>\u00a0However, the confidentiality obligation includes broadly worded exceptions and lacks sanctions in case the authorities breach confidentiality. Industry players value their trade secrets as it gives them a competitive edge in the market; asking them to comply with transparency obligations at the risk of losing this edge hinders their incentive to innovate.<\/p>\n

In response to the EU\u2019s White Paper on AI, stakeholders suggested that the AI developer\u2019s liability must be restricted to harms that arise in the development phase, and not extend to the exploitation phase, as their ability to mitigate harms in the latter case are low.[31]<\/sup><\/a>\u00a0AI functionality may change beyond the developer\u2019s initial intent on the basis of the self-learning capabilities of the technology making the requirements of technical documentation and record keeping impractical.[32]<\/sup><\/a><\/p>\n

Further, extending these obligations to developers in cases where merely the AI Output is used in the EU would increase compliance burdens.[33]<\/sup><\/a>\u00a0Obligations in this regard must only extend to users of the technology[34]<\/sup><\/a>\u00a0or those directly involved with usage of AI Output. Hence, the ex-ante framework must impose merely a basic due diligence obligation on the developer and impose the burden of risk assessment on the deployer of AI technology, especially in cases where the AI is multi-purpose and risks cannot adequately be predicted by the developer.[35]<\/sup><\/a><\/p>\n

II.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Attaining congruence between the AI framework and the GDPR?<\/strong><\/p>\n

The AI framework is expected to demonstrate the \u2018Brussels Effect\u2019 like the GDPR,[36]<\/sup><\/a>\u00a0as it aims to set a standard for ethical technology.[37]<\/sup><\/a>\u00a0However, while the AI framework takes a self-regulatory approach, the GDPR is stricter with its extraterritorial application, close oversight and robust sanctions, despite industries having lobbied for self-regulation.[38]<\/sup><\/a>\u00a0There is a need to reconcile provisions in both frameworks owing to AI\u2019s dependency on large datasets and the EU\u2019s strict enforcement of data rights under the GDPR<\/p>\n

i.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/strong>Relationship between data protection and AI regulation<\/strong><\/p>\n

AI systems are dependent on data sets[39]<\/sup><\/a>\u00a0as AI processes data for the algorithmic training phase, and the usage phase.[40]<\/sup><\/a>\u00a0Therefore, AI development presupposes the access to, and creation of, massive data sets.[41]<\/sup><\/a><\/p>\n

When AI processes personal data, the provisions of the GDPR will apply.[42]<\/sup><\/a>\u00a0The key points of concern between AI and data protection include the risk of re-identification of data subjects, profiling, and classification of inferred personal information as \u2018personal data\u2019.[43]<\/sup><\/a>\u00a0Further, the concepts of consent and purpose limitation under the GDPR\u00a0may\u00a0<\/em>be consistent with AI applications, subject to whether consent is specific to AI-related processing or application, whether consent to profiling practices becomes a prerequisite to availing services, the degree of freedom available to a data subject when providing such consent, and freedom to withdraw consent.[44]<\/sup><\/a><\/p>\n

Further, the AI framework imposes obligations of high accuracy, transparency, and security on high-risk AI systems when it comes to data governance[45]<\/sup><\/a>\u00a0\u2013 all of which must be enabled by access to accurate, complete and representative data sets.[46]<\/sup><\/a>\u00a0Given the close relationship between AI and data, any new rules to regulate AI must take into consideration the rights and obligations under the GDPR and their interaction with obligations under the new rules.<\/p>\n

ii.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/strong>How does the AI framework fit into the GDPR?<\/strong><\/p>\n

A potential concern arising from the GDPR\u2019s interplay with the AI framework is the grounds to process \u2018special categories of personal data\u2019 (\u2018SCPD<\/strong>\u2019)[47]<\/sup><\/a>.[48]<\/sup><\/a>\u00a0Processors are prohibited from processing SCPD except as provided under a limited list of grounds in the GDPR.[49]<\/sup><\/a>\u00a0The AI framework allows providers of AI to process SCPD to carry out bias monitoring, detection and correction in high-risk AI.[50]<\/sup><\/a><\/p>\n

Providers of high-risk AI need to, on the one hand, carefully monitor bias in algorithms, and on the other hand comply with the GDPR on processing SCPD. The GDPR permits processing of SCPD when the data subject provides explicit consent for specific purposes, and for substantial public interest;[51]<\/sup><\/a>\u00a0however, as discussed above, algorithm training for AI systems requires massive data sets,[52]<\/sup><\/a>\u00a0and therefore, it is not\u00a0 feasible for AI developers to obtain explicit consent from individual data subjects when they train their systems.[53]<\/sup><\/a>\u00a0However, providers of high-risk AI may be permitted to process SCPD under the public interest ground due to risks of biased algorithms,[54]<\/sup><\/a>\u00a0subject to the safeguards mentioned in the GDPR.[55]<\/sup><\/a><\/p>\n

Processing SCPD under the AI framework is permitted when \u2018strictly necessary\u2019;[56]<\/sup><\/a>\u00a0but the AI framework itself is not a legal ground to process SCPD.[57]<\/sup><\/a>\u00a0Without a corresponding provision under the GDPR to allow providers to process SCPD for obligations under the AI framework, uncertainties may still persist for AI providers and data subjects. This, coupled with extraterritorial application and the hefty penalties for non-compliance under both frameworks warrants clarity from the regulators. Therefore, the \u00a0authors suggest that the GDPR be suitably modified to establish that obligations of high-risk AI providers under the AI framework can be a valid ground to process SCPD, subject to safety and privacy standards. This will help the industry conduct bias monitoring while still being compliant with the GDPR.<\/p>\n

Conclusion<\/strong><\/p>\n

The AI framework seeks to be forward-looking; and its ramifications will be far-reaching. The authors note above that the application of the AI framework merely on the basis of AI Output appears to be extraneous and therefore to enforce extraterritoriality without hindering global innovation, the AI framework must borrow the \u2018Offering Test\u2019 from the GDPR to determine liability. Further, as obligations under the AI framework will need high-risk AI providers to process SCPD, there is a need to ensure congruence between the AI framework and the GDPR. To this end, modifying the latter to enable high-risk AI providers to process SCPD will help achieve effective bias monitoring, detection, and correction.<\/p>\n

 <\/p>\n

Footnotes<\/strong><\/p>\n

[1]<\/a>\u00a0Sanjana L. B., V-year student, Symbiosis Law School, Hyderabad, and Sanah Javed, Associate, Trilegal. All views expressed in this article are the authors\u2019 personal views.<\/p>\n

[2]<\/sup><\/a>\u00a0Commission, \u2018Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts\u2019 COM (2021) 206 final (AI framework)<\/p>\n

[3]<\/sup><\/a>\u00a0\u2018Europe fit for the Digital Age: Commission proposes new rules and actions for excellence and trust in Artificial Intelligence\u2019 (European Commission Press Corner,\u00a0<\/em>21 April 2021) <https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/IP_21_1682<\/a>> accessed 12 June 2021.<\/p>\n

[4]<\/sup><\/a>\u00a0Natasha Lomas, \u2018Europe Lays Out Plan for Risk-Based AI Rules to Boost Trust and Uptake\u2019 (TechCrunch,\u00a0<\/em>21 April 2021) <https:\/\/techcrunch.com\/2021\/04\/21\/europe-lays-out-plan-for-risk-based-ai-rules-to-boost-trust-and-uptake\/<\/a>> accessed 12 June 2021<\/p>\n

[5]<\/sup><\/a>\u00a0Denmark and Others, Innovation and Trust worthy AI: Two Sides of the Same Coin, (Position Paper, 2020) 2<\/p>\n

[6]<\/sup><\/a>\u00a0In a recent event by the Center for Data and Innovation on May 05, 2021, Mr. Kilian Gross, AI Policy Development and Coordination, DG CONNECT, European Commission, also affirmed that the framework envisions a \u2018future-proof\u2019 regulation; See \u2018What\u2019s Next on EU\u2019s proposed AI framework\u2019 (DataInnovation<\/em>, 5 May 2021) <https:\/\/www.youtube.com\/watch?v=vdcSKXeiDAU&t=2s<\/a>> accessed 21 June 2021\u00a0 ; Adam Satariano, \u2018Europe Proposes Strict Rules for Artificial Intelligence\u2019 (The New York Times,\u00a0<\/em>21 April 2021) <https:\/\/www.nytimes.com\/2021\/04\/16\/business\/artificial-intelligence-regulation.html<\/a>> accessed 12 June 2021 ; Javier Espinoza and Madhumita Murgia, \u2018Europe Attempts to Take Leading Role in Regulating Uses of AI\u2019 (Financial Times,\u00a0<\/em>24 April 2021) <https:\/\/www.ft.com\/content\/360faa3e-4110-4f38-b618-dd695deece90<\/a>> accessed 12 June 2021<\/p>\n

[7]<\/sup><\/a>\u00a0Tom Simonite, \u2018How Tech Companies Are Shaping the Rules Governing AI\u2019 (Wired,\u00a0<\/em>16 May 2019) <https:\/\/www.wired.com\/story\/how-tech-companies-shaping-rules-governing-ai\/<\/a>> accessed 16 June 2021; See also, Friederike Reinhold and Angela M\u00fcller, \u2018AlgorithmWatch\u2019s response to the European Commission\u2019s proposed regulation on Artificial Intelligence \u2013 A major step with major gaps\u2019 (AlgorithmWatch,<\/em>\u00a0April 2021) <https:\/\/algorithmwatch.org\/en\/response-to-eu-ai-regulation-proposal-2021\/<\/a>> accessed 12 June 2021<\/p>\n

[8]<\/sup><\/a>\u00a0AI framework, art 3(1); AI \u2018Output\u2019 is understood as \u201ccontent, predictions, recommendations or decisions influencing the environment they interact with<\/em>\u201d that are derived from AI.<\/p>\n

[9]<\/sup><\/a>\u00a0AI framework, recital 11<\/p>\n

[10]<\/sup><\/a>\u00a0Council Regulation (EC) 2016\/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC (General Data Protection Regulation) [2016] OJ L119\/1 (GDPR)<\/p>\n

[11]<\/sup><\/a>\u00a0AI framework, chapter II-III<\/p>\n

[12]<\/sup><\/a>\u00a0Council Directive of 25 July 1985 on the Appropriation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products (85\/374\/EEC),\u00a0https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:31985L0374&from=EN<\/a>\u00a0(Product Liability Directive)<\/p>\n

[13]<\/sup><\/a>\u00a0AI framework, art 9<\/p>\n

[14]<\/sup><\/a>\u2018Recommendations for Regulating AI\u2019, Google, 7, 9 <https:\/\/ai.google\/static\/documents\/recommendations-for-regulating-ai.pdf<\/a>> accessed 16 June 2021<\/p>\n

[15]<\/sup><\/a>\u00a0Ibid<\/p>\n

[16]<\/sup><\/a>\u00a0Marc MacCarthy and Kenneth Propp, \u2018Machines learn that Brussels writes the rules: The EU\u2019s new AI regulation\u2019 (LawfareBlog<\/em>, April 28, 2021) <https:\/\/www.lawfareblog.com\/machines-learn-brussels-writes-rules-eus-new-ai-regulation<\/a>> accessed 16 June 2021<\/p>\n

[17]<\/sup><\/a>\u00a0European Parliament, Annex to \u2018Resolution of 20 October 2020 with recommendations to the Commission on Civil Liability Regime for Artificial Intelligence (2020\/2014(INL)) Civil Liability Regime for Artificial Intelligence\u2019, para B (8), 2020 <https:\/\/www.europarl.europa.eu\/doceo\/document\/TA-9-2020-0276_EN.html#title1<\/a>> accessed 16 June 2021 (Annex to Civil Liability Regime)<\/p>\n

[18]<\/sup><\/a>\u00a0\u2018New Horizons: European Commission Proposes Measures to Regulate AI\u2019 (JDSupra<\/em>, April 27, 2021) <https:\/\/www.jdsupra.com\/legalnews\/new-horizons-european-commission-4961736\/<\/a>> accessed 16 June 2021<\/p>\n

[19]<\/sup><\/a>\u00a0Dan Whitehead, \u2018Why the EU\u2019s AI regulation is a groundbreaking proposal\u2019 (IAPP<\/em>, April 22, 2021) <https:\/\/iapp.org\/news\/a\/why-the-eus-ai-regulation-is-a-ground-breaking-proposal\/<\/a>> accessed 16 June 2021<\/p>\n

[20]<\/sup><\/a>\u00a0Blanca Escribano and Peter Katko, \u2018European draft Regulation on Artificial Intelligence: Key questions answered\u2019 (EY<\/em>, 15 May 2021) <https:\/\/www.ey.com\/en_es\/law\/european-draft-regulation-on-artificial-intelligence-key-questions-answered<\/a>> accessed 16 June 2021<\/p>\n

[21]<\/sup><\/a>\u00a0Julia M Wilson and others, \u2018New Draft Rules on Use of Artificial Intelligence\u2019 (BakerMcKenzie<\/em>, 14 May 2021) <https:\/\/www.bakermckenzie.com\/en\/insight\/publications\/2021\/05\/new-draft-rules-on-the-use-of-ai<\/a>> accessed 16 June 2021<\/p>\n

[22]<\/sup><\/a>\u00a0The \u2018Offering Test\u2019 suggests that the law applies only in case the offerings are available in the EU. Any inadvertent or incidental service would not bring the entity within the framework of the GDPR.<\/p>\n

[23]<\/sup><\/a>\u00a0Dino Wilkinson, \u2018New guidance on the application of the GDPR outside Europe\u2019 (Clyde & Co<\/em>., 27 November 2019) <https:\/\/www.clydeco.com\/en\/insights\/2019\/11\/new-guidance-on-the-application-of-the-gdpr-outsid<\/a>> accessed 16 June 2021<\/p>\n

[24]<\/sup><\/a>\u00a0Dan Whitehead, \u2018AI & Algorithms (Part 3): Why the EU Regulation is a groundbreaking proposal\u2019 (Engage<\/em>, 3 May 2021) <https:\/\/www.engage.hoganlovells.com\/knowledgeservices\/news\/ai-algorithms-part-3-why-the-eus-ai-regulation-is-a-groundbreaking-proposal<\/u>> accessed 28 July 2021<\/p>\n

[25]<\/sup><\/a>\u00a0European Parliament, \u2018Resolution of 20 October 2020 with recommendations to the Commission on Civil Liability Regime for Artificial Intelligence (2020\/2014(INL)) Civil Liability Regime for Artificial Intelligence\u2019, 2020 <https:\/\/www.europarl.europa.eu\/doceo\/document\/TA-9-2020-0276_EN.html#title1<\/a>> accessed 16 June 2021 (Civil Liability Regime)<\/p>\n

[26]<\/sup><\/a>\u00a0Ibid, para 12<\/p>\n

[27]<\/sup><\/a>\u00a0Annex to Civil Liability Regime (n 17)<\/p>\n

[28]<\/sup><\/a>\u00a0Nazrin Huseinzade, \u2018Algorithm Transparency: How to Eat the Cake and Have it Too\u2019 (European Law Blog<\/em>, 27 January, 2021) <https:\/\/europeanlawblog.eu\/2021\/01\/27\/algorithm-transparency-how-to-eat-the-cake-and-have-it-too\/<\/a>> accessed 16 June 2021<\/p>\n

[29]<\/sup><\/a>\u00a0Council Directive (2016\/943) of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure,\u00a0https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32016L0943&from=EN<\/a>; AI framework, para 3.5, explanatory memorandum and art 70(1)(a)<\/p>\n

[30]<\/sup><\/a>\u00a0AI framework, art 70<\/p>\n

[31]<\/sup><\/a>\u00a0Nazrin Huseinzade (n 28)<\/p>\n

[32]<\/sup><\/a>\u00a0\u2018Recommendations for Regulating AI\u2019, Google, 7, 9 <https:\/\/ai.google\/static\/documents\/recommendations-for-regulating-ai.pdf> accessed 28 July 2021<\/p>\n

[33]<\/sup><\/a>\u00a0Sam Shaed, Europe\u2019s proposed A.I. law could cost its economy $36 billion, think tank warns (CNBC, 26 July 2021) <https:\/\/www-cnbc-com.cdn.ampproject.org\/c\/s\/www.cnbc.com\/amp\/2021\/07\/26\/aia-europes-proposed-ai-law-could-cost-its-economy-36-billion.html<\/a>> accessed 28 July 2021<\/p>\n

[34]<\/sup><\/a>\u00a0\u2018Recommendations for Regulating AI\u2019, Google, 7, 9 <https:\/\/ai.google\/static\/documents\/recommendations-for-regulating-ai.pdf> accessed 28 July 2021<\/p>\n

[35]<\/sup><\/a>\u00a0Ibid<\/p>\n

[36]<\/sup><\/a>\u00a0Anu Braford,\u00a0The Brussels Effect: How the European Union Rules the World\u00a0<\/em>(OUP 2020) 131<\/p>\n

[37]<\/sup><\/a>\u00a0Jeremy Kahn, \u2018Europe Proposes Strict A.I. Regulation Likely to Have an Impact Around The World\u2019 (Fortune,<\/em>\u00a021 April 2021) <https:\/\/fortune.com\/2021\/04\/21\/europe-artificial-intelligence-regulation-global-impact-google-facebook-ibm\/<\/a>> accessed 12 June 2021<\/p>\n

[38]<\/sup><\/a>\u00a0Bradford\u00a0<\/em>(n 36) 133, 138, 139<\/p>\n

[39]<\/sup><\/a>\u00a0\u2018Big Data is Too Big Without AI\u2019 (Maryville University<\/em>) <https:\/\/online.maryville.edu\/blog\/big-data-is-too-big-without-ai\/<\/a>> accessed 12 June 2021.<\/p>\n

[40]<\/sup><\/a>\u00a0\u2018Artificial Intelligence and Data Protection \u2013 How the GDPR Regulates AI\u2019 (Centre for Information Policy Leadership,<\/em>\u00a0March 2020) <https:\/\/www.informationpolicycentre.com\/uploads\/5\/7\/1\/0\/57104281\/cipl-hunton_andrews_kurth_legal_note_-_how_gdpr_regulates_ai__12_march_2020_.pdf<\/a>> accessed 12 June 2021, 4 stating that the \u2018algorithmic training phase\u2019 refers to the phase where AI is trained using data sets to create a model, identify patterns and connect various data points.<\/p>\n

[41]<\/sup><\/a>\u00a0Giovanni Sartor and Francesca Lagioia,\u00a0The impact of the General Data Protection Regulation (GDPR) on artificial intelligence\u00a0<\/em>(European Union 2020) 16<\/p>\n

[42]<\/sup><\/a>\u00a0Artificial Intelligence and Data Protection \u2013 How the GDPR Regulates AI\u2019 (Centre for Information Policy Leadership,<\/em>\u00a0March 2020) <https:\/\/www.informationpolicycentre.com\/uploads\/5\/7\/1\/0\/57104281\/cipl-hunton_andrews_kurth_legal_note_-_how_gdpr_regulates_ai__12_march_2020_.pdf<\/a>> accessed 12 June 2021, 4<\/p>\n

[43]<\/sup><\/a>\u00a0Sartor and Lagigoia (n 41) 74-76<\/p>\n

[44]<\/sup><\/a>\u00a0Ibid<\/p>\n

[45]<\/sup><\/a>\u00a0AI framework, art 10<\/p>\n

[46]<\/sup><\/a>\u00a0Mark MacCarthy and Kenneth Propp, \u2018Machines learn that Brussels writes the rules: The EU\u2019s new AI regulation\u2019 (Brookings,<\/em>\u00a04 May 2021) <https:\/\/www.brookings.edu\/blog\/techtank\/2021\/05\/04\/machines-learn-that-brussels-writes-the-rules-the-eus-new-ai-regulation\/<\/a>> accessed 12 June 2021<\/p>\n

[47]<\/sup><\/a>\u00a0SCPD includes data revealing ethnic or racial identities, religious beliefs, sexual orientation, and biometric data, among others.<\/p>\n

[48]<\/sup><\/a>\u00a0GDPR, art 9<\/p>\n

[49]<\/sup><\/a>\u00a0GDPR, art 9(2)<\/p>\n

[50]<\/sup><\/a>\u00a0AI framework, art 10(5), recital 44<\/p>\n

[51]<\/sup><\/a>\u00a0GDPR, art 9(2)(a), art 9(2)(g)<\/p>\n

[52]<\/sup><\/a>\u00a0Sartor and Lagigoia (n 41) 16<\/p>\n

[53]<\/sup><\/a>\u00a0Sartor and Lagigoia (n 41) 49<\/p>\n

[54]<\/sup><\/a>\u00a0AI framework, recital 44<\/p>\n

[55]<\/sup><\/a>\u00a0GDPR, art 9(2)(g)<\/p>\n

[56]<\/sup><\/a>\u00a0AI framework, art 10(5)<\/p>\n

[57]<\/sup><\/a>\u00a0AI framework, recital 41<\/p>\n

<\/a><\/p>\n

<\/div>\n<\/div>\n