Open-source AI models: from ICO's previously-asked questions, this Q&A was added recently even though currently the "Last updated" date indicates 11 April 2024.
Q: We want to develop a speech transcription service for use in our organisation, using an open-source artificial intelligence (AI) model. Can we do this even though we don’t have detailed information about how the model was trained? (see the answer!)
AI Act: from Deloitte's AI Act Survey 2024, not many companies surveyed have started prep, nearly half feel partially/poorly prepared, over half think the Act constrains their innovation capabilities in AI, there were mixed views on legal certainty and on the Act's impact on trust in AI, and almost half thought the Act's more of a hindrance to AI-based applications! But, over a 100 companies have signed the Commission's voluntary AI Pledge under its AI Pact, that seeks to encourage organisations to implement AI Act measures ahead of its formal applicable dates.
Beyond the AI Act, see more generally:
- the European Commission's policy brief on Competition in Generative AI and Virtual Worlds, and
- Europol's report on AI and policing and its benefits and challenges for law enforcement (summary).
Revised EU Product Liability Directive: the new EU Parliament has approved the text (Eur-Lex), so it just remains for the Council to adopt it (although Estonia is against the procedural rules); when published in the OJ thereafter it will become law. Significance? For the purposes of no-fault liability for defective products, "product" will explicitly include software including that supplied via SaaS. The text also mentions software as including AI systems. Also:
"A developer or producer of software, including AI system providers within [AI Act] should be treated as a manufacturer"... "Where a substantial modification is made through a software update or upgrade, or due to the continuous learning of an AI system, the substantially modified product should be considered to be made available on the market or put into service at the time that modification is actually made."
"National courts should presume the defectiveness of a product or the causal link between the damage and the defectiveness, or both, where, notwithstanding the defendant’s disclosure of information, it would be excessively difficult for the claimant, in particular due to the technical or scientific complexity of the case, to prove the defectiveness or the causal link, or both... Technical or scientific complexity should be determined by national courts on a case-by-case basis, taking into account various factors. Those factors should include...the complex nature of the causal link, such as... a link that, in order to be proven, would require the claimant to explain the inner workings of an AI system... ...in a claim concerning an AI system, the claimant should, for the court to decide that excessive difficulties exist, neither be required to explain the AI system’s specific characteristics nor how those characteristics make it harder to establish the causal link."
EU Cyber Resilience Act (CRA) on "horizontal cybersecurity requirements for products with digital elements": the new EU Parliament has approved the text (Eur-Lex), so it just remains for the Council to adopt it; when published in the OJ thereafter, it will become law. Note, this aims to "set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s lifecycle". Also note, "Products with digital elements classified as high-risk AI systems pursuant to Article 6 of [AI Act] which fall within the scope of this Regulation should comply with the essential cybersecurity requirements set out in this Regulation..." (see much more in Art.12 and Rec.51 which specifically cover high-risk AI systems, and Art.52(14)). BTW, the Commission is inviting cybersecurity experts to apply to join its CRA Expert Group. Various criticisms of the CRA have been mentioned in my book/free companion PDF; here's another critique.
UK: the AI Act doesn't apply in the UK post-Brexit, so perhaps there are indeed more AI opportunities in the UK, on which Google has published a blog and fuller paper. The UK will make the AI Safety Institute (AISI) a statutory body as well as "identifying and realising the massive opportunities of AI" including for government/public services. (Here, the UK's not alone: a study for the European Commission emphasises AI's "significant potential" to improve EU public sector services.) AISI work includes assessing AI capabilities, e.g. Early Insights from Developing Question-Answer Evaluations for Frontier AI.
But, the GDPR still applies in the UK: ICO statement on LinkedIn's changes to its AI policy, so it is no longer training genAI models using UK users' data (opt-out link for others). There was separately an AI opt-out hoax that fooled a lot of people!
The recently-published UK MoD's annual analysis of future global strategic trends 2024 mentions cyber and AI, of course. UK civil servants (but not the rest of us!) are being offered free training AI-related courses, covering various aspects of AI, illustrating what's considered most important: Fundamentals, Understanding AI Ethics, The business value of AI, Gen AI Tools and Applications, Working with Large Language Models, Machine Learning and Deep Learning, Natural Language Processing and Speech Recognition, Computer Vision, and a Technical Curriculum.
Separately, case studies summarised based on the DSIT AI assurance techniques have been boosted by the addition of more products/platforms, on areas from governance, facial recognition e.g. for verification/identification, compliance management and bias assessment (even for NIST AI RMF, ISO, and NYC 144 bias audit with synthetic data!) to AI monitoring/audit. If you're planning to offer AI products to government (or beyond), it wouldn't be a bad idea to get your own products assured and listed similarly.
AI uses in the UK: a great use is autonomous robots to maintain fusion facilities. On health, a "novel ... AI tool, validated using NHS eye imaging datasets... could transform the efficiency of screening for Diabetic Retinopathy (DR)", while the MHRA is calling for applications for manufacturers and developers of AI medical devices to join its AI Airlock regulatory sandbox; and, Reflections on building the AI and Digital Regulations Service.
Collaboration on cybersecurity and AI research announced between the UK, US and Canada, to support defence and security
Equality, AI: The public sector equality duty and data protection, Sept 2024, UK EHRC guidance (with ICO input), including helpful examples of proxy data for protected characteristics under the UK Equality Act 2010, and a short section on proxy analysis of AI models, with a case study on the Dutch benefit fraud scandal that led to unlawful discriminatinon (from using biased predictive algorithms)
United Nations: much activity on AI, such as the final Governing AI for Humanity report on global AI governance, gaps, and international cooperation.
The recently (and almost simultaneously) promulgated UN Digital Compact is "a comprehensive framework for global governance of digital technology and artificial intelligence":
- Objectives agreed included: "Enhance international governance of artificial intelligence for the benefit of humanity"
- Principles agreed included: "Safe, secure and trustworthy emerging technologies, including artificial intelligence, offer new opportunities to turbocharge development. Our cooperation will advance a responsible, accountable, transparent and human-centric approach to the life cycle of digital and emerging technologies, which includes the pre-design, design, development, evaluation, testing, deployment, use, sale, procurement, operation and decommissioning stages, with effective human oversight"
- On Digital public goods and digital public infrastructure: "We recognize that digital public goods, which include open-source software, open data, open artificial intelligence models, open standards and open content that adhere to privacy and other applicable international laws, standards and best practices and do no harm, empower societies and individuals to direct digital technologies to their development needs and can facilitate digital cooperation and investment... ...We commit by, 2030, to: (a) Develop, disseminate and maintain, through multi-stakeholder cooperation, safe and secure open-source software, open data, open artificial intelligence models and open standards that benefit society as a whole (SDGs [Sustainable Development Goals] 8, 9 and 10)
- On Objective 3. Foster an inclusive, open, safe and secure digital space that respects, protects and promotes human rights, they "urgently... Call on digital technology companies and developers to continue to develop solutions and publicly communicate actions to counter potential harms, including hate speech and discrimination, from artificial intelligence-enabled content. Such measures include incorporation of safeguards into artificial intelligence model training processes, identification of artificial intelligence-generated material, authenticity certification for content and origins, labelling, watermarking and other techniques (SDGs 10, 16 and 17).
- On Objective 4. Advance responsible, equitable and interoperable data governance approaches, data privacy and security, "We recognize that responsible and interoperable data governance is essential to advance development objectives, protect human rights, foster innovation and promote economic growth. The increasing collection, sharing and processing of data, including in artificial intelligence systems, may amplify risks in the absence of effectivepersonal data protection and privacy norms...
...We commit, by 2030, to: (a) Draw on existing international and regional guidelines on the protection of privacy in the development of data governance frameworks (all SDGs); (b) Strengthen support to all countries to develop effective and interoperable national data governance frameworks (all SDGs); (c) Empower individuals and groups with the ability to consider, give and withdraw their consent to the use of their data and the ability to choose how those data are used, including through legally mandated protections for data privacy and intellectual property (SDGs 10 and 16); (d) Ensure that data collection, access, sharing, transfer, storage and processing practices are safe, secure and proportionate for necessary, explicit and legitimate purposes, in compliance with international law (all SDGs); (e) Develop skilled workforces capable of collecting, processing, analysing, storing and transferring data safely in ways that protect privacy (SDGs 8 and 9) - And Objective 5 was all about AI governance, not quoted in full here but
"We will: (a) Assess the future directions and implications of artificial intelligence systems and promote scientific understanding (all SDGs); (b) Support interoperability and compatibility of artificial intelligence governance approaches through sharing best practices and promoting common understanding (all SDGs); (c) Help to build capacities, especially in developing countries, to access, develop, use and govern artificial intelligence systems and direct them towards the pursuit of sustainable development (all SDGs); (d) Promote transparency, accountability and robust human oversight of artificial intelligence systems in compliance with international law (all SDGs). (Also see UNESCO's consultation from Aug-Sept 2024 with a policy brief summarising emerging regulatory approaches to AI.) - We therefore commit to: (a) Establish, within the United Nations, a multidisciplinary Independent International Scientific Panel on AI with balanced geographic representation to promote scientific understanding through evidence-based impact, risk and opportunity assessments, drawing on existing national, regional and international initiatives and research networks (SDG 17); (b) Initiate, within the United Nations, a Global Dialogue on AI Governance involving Governments and all relevant stakeholders which will take place in the margins of existing relevant United Nations conferences and meetings (SDG 17)."