The United States does not currently have a comprehensive federal privacy law, though multiple states have begun to fill the void in the absence of federal policy. Similarly, multiple countries outside the United States have passed privacy laws, and most of this legal activity — domestic and international — is not sector- or industry-specific. Against this backdrop, artificial intelligence systems, trained on vast amounts of data, continue to advance without a clear consensus on principles or a process to assess and mitigate AI risk. However, state and federal governments around the world are developing approaches to measuring and mitigating risks, with many of the governance requirements reflecting a parallel to privacy governance requirements.
Privacy practitioners utilize the Fair Information Practice Principles to assess privacy risk. Different countries have adopted variations of this structure, though these principles usually include:
- Access and Amendment — individuals should have access to the information about them and the right to amend or correct inaccurate data;
- Accountability — data stewards must be responsible for adhering to the law and utilizing the Fair Information Practice Principles, and validating those actions through monitoring, auditing, and compliance measures;
- Authority — the data has been collected within the bounds of the law and the collector has authority to collect the information;
- Minimization — organizations should collect only the amount of information they need to accomplish their stated purpose;
- Quality and Integrity — information must be relevant and suitable for the purposes for which it is used and should be accurate, complete, and up to date;
- Individual Participation — an individual has knowledge and provided consent with respect to uses of their personal data, and has the ability to access, amend, or otherwise exercise choice in how the data is used;
- Purpose Specification and Use Limitation — individuals must receive notice about how their information will be used and all uses must be limited to those purposes disclosed at the time of collection;
- Security — data must be appropriately safeguarded and secured, regardless of physical or electronic format; and
- Transparency — organizations should be open about data policies and practices with respect to personally identifiable information.