On March 25, 2021, the Centre for Information Policy Leadership at Hunton Andrews Kurth organized an expert roundtable on the EU Approach to Regulating AI–How Can Experimentation Help Bridge Innovation and Regulation? (the “Roundtable”). The Roundtable was hosted by Dragoș Tudorache, Member of Parliament and Chair of the Artificial Intelligence in the Digital Age (“AIDA”) Committee of the European Parliament. The Roundtable gathered industry representatives and data protection authorities (“DPAs”) as well Axel Voss, Rapporteur of the AIDA Committee.
The panelists explored how experimentation methodologies such as policy prototyping and regulatory sandboxes, can help create the right rules and frameworks and interpret them constructively to regulate AI in a way that enables responsible innovation and risk mitigation, while still allowing for honest error and constant improvement.
Dragoș Tudorache opened the Roundtable by underscoring the need for states and governments to be up to the task of effective lawmaking that enables both innovation and social order, especially in this era of fast digital transformation. Policy prototyping and regulatory sandboxes could provide for genuine cooperation and co-creation of the rules of the game between lawmakers, regulators and industry. As policy makers, we need to ensure, however, that the results produce social good and remain unbiased.
The Roundtable successively presented the policy prototyping and regulatory sandboxes methodologies, which operate in different contexts. While regulatory sandboxes operate in the context of existing legislation to test specific innovative products under the supervision of a regulator, policy prototyping operates where a new regulatory framework or policy is being contemplated to test a prototype in real conditions and to inform the creation of this new regulatory framework or policy. Policy prototyping also helps identify the limitations of the prototype to ultimately make recommendations regarding how legislation can successfully be drafted. Regulatory sandboxes and policy prototyping are chronologically complementary; once the legislation is enacted, sandboxes allow for continued testing of the legislation. The need for experimentation in digital law making will become even more essential as different types of legal frameworks come into play and may conflict with each other.
In the context of AI, policy prototyping has been used to test the effectiveness of the AI risk assessments—meaning the assessments startups perform on their AI products to identify and assess the likelihood and severity of harm to individuals and society. The earlier the risks for bias or lack of transparency are identified, the better these risks can be addressed and proper mitigation can be built into AI products, which can sometimes accelerate startups’ go-to-market strategy.
The Roundtable also highlighted the need to assess and monitor the adaptation of the rules to AI uses as new risks and challenges continue to appear during the product deployment and use. This requires a close and ongoing collaboration between legal, privacy and innovation teams within companies to mitigate the risks and implement effective privacy by design policies and procedures. The Roundtable emphasized that a multi-stakeholder approach also is key to including different perspectives from data scientists and consumers panels before making decisions on how AI products are built.
The second part of the Roundtable focused on how regulatory sandboxes—that provide for a supervised safe space set up by a regulator for piloting and testing innovative products—can bring assurances that innovation is taking place in a responsible and accountable manner. Regulatory sandbox projects are currently underway with the Norwegian and French DPAs. Regulatory sandboxes help companies better understand the requirements of the EU General Data Protection Regulation by reducing grey areas and overcoming regulatory barriers to move forward with beneficial AI products and uses. They also can help strengthen DPAs understanding of AI, which is needed when they perform audits or undertake enforcement actions. Transparency, minimization and fairness are often discussed during the sandbox. The results of the sandbox may be shared through regulatory guidance, blog posts or workshops to widely communicate best practices and lessons learned from a specific case. Key success factors of a regulatory sandbox include (1) the need for clear rules for engagement between the regulator and the sandbox participant; (2) sufficient resources from both parties; (3) open collaboration; (4) sharing of information; and (5) the freedom to challenge the views of the other party.
In his remarks, Axel Voss expressed full support for using experimentation to bridge innovation and legislation, believing that the EU needs faster regulatory outcomes as compared to traditional lawmaking to be able to compete internationally. The EU also needs experimentation through sandboxes to develop AI that is trustworthy, human-centric, secure, unbiased, environmentally friendly and sustainable, as well as to provide access to data and build data spaces.
In closing remarks, Dragoș Tudorache reinforced the need to move to a concept of staged lawmaking for regulating technologies, starting with prototyping followed by adaptation over time. He will make a recommendation to the European Commission to consider regulatory sandboxing in its upcoming AI regulation.
To learn more about CIPL’s work on smart regulation and AI, please contact Michelle Marcoot at mmarcoot@HuntonAK.com.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code