Compliance Requirements for AI Developers

On August 1, 2024, the European Union's AI Act came into force, bringing in new regulations that will impact how AI technologies are developed and used within the E.U., with far-reaching implications for U.S. businesses. The AI Act represents a significant shift in how artificial intelligence is regulated within the European Union, setting standards to ensure that AI systems are ethical, transparent, and aligned with fundamental rights. This new regulatory landscape demands careful attention for U.S. companies that operate in the E.U. or work with E.U. partners. Compliance is not just about avoiding penalties; it's an opportunity to strengthen your business by building trust and demonstrating a commitment to ethical AI practices. This guide provides a detailed look at the key steps to navigate the AI Act and how your business can turn compliance into a competitive advantage. 🔍 Comprehensive AI Audit: Begin with thoroughly auditing your AI systems to identify those under the AI Act’s jurisdiction. This involves documenting how each AI application functions and its data flow and ensuring you understand the regulatory requirements that apply. 🛡️ Understanding Risk Levels: The AI Act categorizes AI systems into four risk levels: minimal, limited, high, and unacceptable. Your business needs to accurately classify each AI application to determine the necessary compliance measures, particularly those deemed high-risk, requiring more stringent controls. 📋 Implementing Robust Compliance Measures: For high-risk AI applications, detailed compliance protocols are crucial. These include regular testing for fairness and accuracy, ensuring transparency in AI-driven decisions, and providing clear information to users about how their data is used. 👥 Establishing a Dedicated Compliance Team: Create a specialized team to manage AI compliance efforts. This team should regularly review AI systems, update protocols in line with evolving regulations, and ensure that all staff are trained on the AI Act's requirements. 🌍 Leveraging Compliance as a Competitive Advantage: Compliance with the AI Act can enhance your business's reputation by building trust with customers and partners. By prioritizing transparency, security, and ethical AI practices, your company can stand out as a leader in responsible AI use, fostering stronger relationships and driving long-term success. #AI #AIACT #Compliance #EthicalAI #EURegulations #AIRegulation #TechCompliance #ArtificialIntelligence #BusinessStrategy #Innovation 

The Belgium Data Protection Agency (DPA) published a report explaining the intersection between the GDPR and the AI Act and how organizations can align AI systems with data protection principles. The report emphasizes transparency, accountability, and fairness in AI, particularly for high-risk AI systems. The report also outlines how human oversight and technical measures can ensure compliant and ethical AI use. AI systems are defined based on the AI Act as machine-based systems that can operate autonomously and adapt based on data input. Examples in the report: spam filters, streaming service recommendation engines, and AI-powered medical imaging. GDPR & AI Act Requirements: The report explains how both frameworks complement each other: 1) GDPR focuses on lawful processing, fairness, and transparency. GDPR principles like purpose limitation and data minimization apply to AI systems which collect and process personal data. The report stresses that AI systems must use accurate, up-to-date data to prevent discrimination or unfair decision-making, aligning with GDPR’s emphasis on data accuracy. 2) AI Act adds prohibitions for high-risk systems, like social scoring and facial recognition. It also stresses bias mitigation in AI decisions and emphasizes transparency. * * * Specific comparisons: Automated Decision-Making: While the GDPR allows individuals to challenge fully automated decisions, the AI Act ensures meaningful human oversight for high-risk AI systems in particular cases. This includes regular review of the system’s decisions and data. Security: - The GDPR requires technical and organizational measures to secure personal data. - The AI Act builds on this by demanding continuous testing for potential security risks and biases, especially in high-risk AI systems. Data Subject Rights: - The GDPR grants individuals rights such as access, rectification, and erasure of personal data. - The AI Act reinforces this by ensuring transparency and accountability in how AI systems process data, allowing data subjects to exercise these rights effectively. Accountability: Organizations must demonstrate compliance with both GDPR and the AI Act through documented processes, risk assessments, and clear policies. The AI Act also mandates risk assessments and human oversight in critical AI decisions. See: https://lnkd.in/giaRwBpA Thanks so much Luis Alberto Montezuma for posting this report! #DPA #GDPR #AIAct

Yesterday, Colorado’s Consumer Protections for #ArtificialIntelligence (SB24-205) was sent to the Governor for signature. If enacted, the law will be effective on Feb. 1, 2026, and Colorado would become the first U.S. state to pass broad restrictions on private companies using #AI. The bill requires both developer and deployer of a high-risk #AI system to use reasonable care to avoid algorithmic discrimination. A High-Risk AI System is defined as “any AI system that when deployed, makes, or is a substantial factor in making, a consequential decision.” Some computer software is exempted, such as AI-enabled video games, #cybersecurity software, and #chatbots that have a user policy prohibiting discrimination. There is a rebuttable presumption that a developer and a deployer used reasonable care if they each comply with certain requirements related to the high-risk system, including Developer: - Disclose and provide documentation to deployers regarding the high-risk system’s intended use, known or foreseeable #risks, a summary of data used to train it, possible biases, risk mitigation measures, and other information necessary for the deployer to complete an #impactassessment. - Make a publicly available statement summarizing the types of high-risk systems developed and available to a deployer. - Disclose, within 90 days, to the attorney general and known deployers when algorithmic discrimination is discovered, either through self-testing or deployer notice. Deployer: - Implement a #riskmanagement policy that governs high-risk AI use and specifies processes and personnel used to identify and mitigate algorithmic discrimination. - Complete an impact assessment to mitigate potential abuses before customers use their products. - Notify a consumer of specified items if the high-risk #AIsystem makes a consequential decision concerning a consumer. - If the deployer is a controller under the Colorado Privacy Act (#CPA), it must inform the consumer of the right to #optout of profiling in furtherance of solely #automateddecisions. - Provide a consumer with an opportunity to correct incorrect personal data that the system processed in making a consequential decision. - Provide a consumer with an opportunity to appeal, via human review if technically feasible, an adverse consequential decision concerning the consumer arising from the deployment of the system. - Ensure that users can detect any generated synthetic content and disclose to consumers that they are engaging with an AI system. The law contains a #safeharbor providing an affirmative defense (under CO law in a CO court) to a developer or deployer that: 1) discovers and cures a violation through internal testing or red-teaming, and 2) otherwise complies with the National Institute of Standards and Technology (NIST) AI Risk Management Framework or another nationally or internationally recognized risk management #framework.

⚠️Privacy Risks in AI Management: Lessons from Italy’s DeepSeek Ban⚠️ Italy’s recent ban on #DeepSeek over privacy concerns underscores the need for organizations to integrate stronger data protection measures into their AI Management System (#AIMS), AI Impact Assessment (#AIIA), and AI Risk Assessment (#AIRA). Ensuring compliance with #ISO42001, #ISO42005 (DIS), #ISO23894, and #ISO27701 (DIS) guidelines is now more material than ever. 1. Strengthening AI Management Systems (AIMS) with Privacy Controls 🔑Key Considerations: 🔸ISO 42001 Clause 6.1.2 (AI Risk Assessment): Organizations must integrate privacy risk evaluations into their AI management framework. 🔸ISO 42001 Clause 6.1.4 (AI System Impact Assessment): Requires assessing AI system risks, including personal data exposure and third-party data handling. 🔸ISO 27701 Clause 5.2 (Privacy Policy): Calls for explicit privacy commitments in AI policies to ensure alignment with global data protection laws. 🪛Implementation Example: Establish an AI Data Protection Policy that incorporates ISO27701 guidelines and explicitly defines how AI models handle user data. 2. Enhancing AI Impact Assessments (AIIA) to Address Privacy Risks 🔑Key Considerations: 🔸ISO 42005 Clause 4.7 (Sensitive Use & Impact Thresholds): Mandates defining thresholds for AI systems handling personal data. 🔸ISO 42005 Clause 5.8 (Potential AI System Harms & Benefits): Identifies risks of data misuse, profiling, and unauthorized access. 🔸ISO 27701 Clause A.1.2.6 (Privacy Impact Assessment): Requires documenting how AI systems process personally identifiable information (#PII). 🪛 Implementation Example: Conduct a Privacy Impact Assessment (#PIA) during AI system design to evaluate data collection, retention policies, and user consent mechanisms. 3. Integrating AI Risk Assessments (AIRA) to Mitigate Regulatory Exposure 🔑Key Considerations: 🔸ISO 23894 Clause 6.4.2 (Risk Identification): Calls for AI models to identify and mitigate privacy risks tied to automated decision-making. 🔸ISO 23894 Clause 6.4.4 (Risk Evaluation): Evaluates the consequences of noncompliance with regulations like #GDPR. 🔸ISO 27701 Clause A.1.3.7 (Access, Correction, & Erasure): Ensures AI systems respect user rights to modify or delete their data. 🪛 Implementation Example: Establish compliance audits that review AI data handling practices against evolving regulatory standards. ➡️ Final Thoughts: Governance Can’t Wait The DeepSeek ban is a clear warning that privacy safeguards in AIMS, AIIA, and AIRA aren’t optional. They’re essential for regulatory compliance, stakeholder trust, and business resilience. 🔑 Key actions: ◻️Adopt AI privacy and governance frameworks (ISO42001 & 27701). ◻️Conduct AI impact assessments to preempt regulatory concerns (ISO 42005). ◻️Align risk assessments with global privacy laws (ISO23894 & 27701).   Privacy-first AI shouldn't be seen just as a cost of doing business, it’s actually your new competitive advantage.

Do not count out the states on #AIenforcement. New advisory out by the Massachusetts Attorney General's Office outlining specific #consumerprotection considerations when marketing, offering, or using #AI. From past experience, when you see a regulator put out a bulletin/advisory/press release focusing on a particular business practice, it's fairly common to see that office pursue enforcement actions afterwards for practices that conflict with the AG's notice outlining their concerns with practices they're seeing in the marketplace. Some highlights include: 1️⃣ Falsely advertising the quality, value, or usability of AI systems    2️⃣ Supplying an AI system that is defective, unusable, or impractical for the purpose advertised 3️⃣ Misrepresenting the reliability, manner of performance, safety, or condition of an AI system 4️⃣ Offering for sale or use an AI system in breach of warranty, in that the system is not fit for the ordinary purposes for which such systems are used, or that is unfit for the specific purpose for which it is sold where the supplier knows of such purpose 5️⃣ Misrepresenting audio or video content of a person for the purpose of deceiving another to engage in a business transaction or supply personal information as if to a trusted business partner as in the case of deepfakes, voice cloning, or chatbots used to engage in fraud  6️⃣ Failing to comply with Massachusetts statutes, rules, regulations or laws, meant for the protection of the public’s health, safety or welfare 7️⃣ Violating anti-discrimination laws (the advisory warns AI developers, suppliers, and users about using technology that relies on discriminatory inputs and/or produces discriminatory results that would violate the state’s civil rights laws) 8️⃣ Failing to safeguard personal data utilized by AI systems, underscoring the obligation to comply with the state’s data breach notification requirements, (statutory and regulatory requirements -- Note MA has very robust data security regulations). PSA: Can't hurt to confer with your counsel on how your practices stack up to these issues. That's less 💲 than responding to a subpoena. Kelley Drye Advertising Law Kelley Drye & Warren LLP https://lnkd.in/egxfdRZr

Connecticut has introduced Senate Bill No. 2, setting new standards for the development and deployment of AI systems. Here's what companies need to know about their potential obligations under this bill: 🔒 Risk Management and Impact Assessments: Companies developing high-risk AI systems must use reasonable care to protect consumers from algorithmic discrimination and other risks. This includes conducting impact assessments to evaluate the system's potential effects on consumers and mitigating any identified risks. 📝 Transparency and Documentation: Developers of high-risk AI systems are required to provide deployers with detailed documentation, including the system's intended uses, limitations, and data governance measures. This documentation must also be made available to the Attorney General upon request. 🛡️ Deployment Safeguards: Deployers of high-risk AI systems must implement risk management policies and programs, complete impact assessments, and review the deployment annually to ensure the system does not cause algorithmic discrimination. 👁️ Consumer Notifications: Deployers must notify consumers when a high-risk AI system is used to make significant decisions affecting them, providing clear information about the system's purpose and nature. 🤖 General-Purpose AI Systems: Developers of general-purpose AI models must take steps to mitigate known risks, ensure appropriate levels of performance and safety, and incorporate standards to prevent the generation of illegal content. 📊 Reporting and Compliance: Companies must maintain records of their compliance efforts and may be required to disclose these records to the Attorney General for investigation purposes. It also includes prohibitions on synthetic content, especially related to elections or explicit content. This bill represents a significant shift towards more accountable and transparent AI practices in Connecticut. Companies operating in the state should prepare to align their AI development and deployment processes with these new requirements... even if the Bill does not pass, you should be doing most of this stuff anyway. #ArtificialIntelligence #Connecticut #AIEthics #RiskManagement #Transparency Jovana Davidovic, Jeffery Recker, Khoa Lam, Dr. Benjamin Lange, Borhane Blili-Hamelin, PhD, Ryan Carrier, FHCA

Can you scrape laws and court decisions in order to train AI to help make employment related decisions under GDPR? Norway Datatilsynet sandbox opinion opens the door! Important for GDPR companies but also for US based companies looking to use AI tools in compliance with US state laws (profiling) and NYC Local law 144. Using court decisions to train AI: Legitimate interest can work if you promptly deidentify and find a processing condition for the sensitive data Sensitive data processing condition 🔹️The processing condition of necessary for the establishment, exercise or defence of legal claims", Article 9(2)(f), though broad, doesnt apply here. 🔹️The existing process of getting legal permission for the publication of court decisions (if applicable) can be used for publishing the decisions to be used for AI training. GDPR legal basis: The interest is legitimate. Necessity: 🔹️To train AI you need central source of law such as court decisions. 🔹️ You must de-identify (even if not fully anonymize), the court decisions before they are stored and delete the complete court decisions. Balacing Test: Worth reading the full test. Points: 🔹️What is necessary to de-identify must be assessed specifically based on which information contributes to the risk of identification of the data subjects (e.g. names, place names, addresses & buildings; names of employers or small workplaces; smaller companies. Using the trained data for employment decisions: There are several possible legal bases depending on the use and Legitimate interest is possible. You need to ensure that a human is making the actual decision so as to not run afoul of Art 22 automated decision-making- but this is possible. Legitimate interest may be a suitable legal basis: Necessity: 🔹️The use of an AI tool may contribute to achieving the purpose more effectively than through the alternatives. 🔹️ Using an AI solution as an aid and possible decision support does not necessarily mean that the processing of personal data becomes more intrusive. 🔹️Whether an AI tool is suitable for achieving a purpose will also depend on the knowledge, awareness and training of those using the tool. 🔹️ You must have suitable routines and training measures in which situations tools can be used and which personal data may be used in the tool. Automated decision-making 🔹️Such tool can be automated decision-making that produces a significant effect 🔹️The biggest factor in whether the use of the AI solution is covered by the prohibition in Article 22 will often be how the solution is used. The AI solution must be a decision-support tool, not a decision-making tool. 🔹️Blindly trusting the AI tool without making you own assessment =automated 🔹️ Using tool as a starting point then checking procedures and reactions = not automated 🔹️ The opinion goes through several helpful case scenarios. #dataprivacy #privacyFOMO #dataprotection Pic by ChatGPT https://shorturl.at/4YMAM

In a few weeks, on August 2, 2025, a legal line in the sand for AI will be drawn The EU’s AI Act is about to make history. No, it doesn’t ban training on copyrighted content. However, it does make transparency and copyright compliance mandatory for any general-purpose AI model offered in the EU, regardless of where it’s built. If your AI model learns from creative works, you’ll need: • A copyright compliance policy • A public summary of training data • Technical safeguards for infringing outputs • Clear, machine-readable labeling of AI-generated content And here’s what many overlook: Even if you didn’t train the model, if your company uses a non-compliant one to serve EU clients, you’re liable too. The AI Act is opt-out-based: creators must explicitly signal that they don’t want to be included. But for the first time, they have a lever. And for AI, it’s a wake-up call: the days of opaque scraping are numbered. The EU has drawn the line. The real question is: who follows next, how, and when? Read my breakdown of what Article 53 means for developers, rights holders, and anyone building with GPAI: https://lnkd.in/eP95hJcP #AI #Copyright #EUAIAct #GenerativeAI #GPAI #Innovation #DigitalRights #Compliance #ContentCreators #ArtificialIntelligence #visualcontent #visualtech

The Oregon Department of Justice released new guidance on legal requirements when using AI. Here are the key privacy considerations, and four steps for companies to stay in-line with Oregon privacy law. ⤵️ The guidance details the AG's views of how uses of personal data in connection with AI or training AI models triggers obligations under the Oregon Consumer Privacy Act, including: 🔸Privacy Notices. Companies must disclose in their privacy notices when personal data is used to train AI systems. 🔸Consent. Updated privacy policies disclosing uses of personal data for AI training cannot justify the use of previously collected personal data for AI training; affirmative consent must be obtained. 🔸Revoking Consent. Where consent is provided to use personal data for AI training, there must be a way to withdraw consent and processing of that personal data must end within 15 days. 🔸Sensitive Data. Explicit consent must be obtained before sensitive personal data is used to develop or train AI systems. 🔸Training Datasets. Developers purchasing or using third-party personal data sets for model training may be personal data controllers, with all the required obligations that data controllers have under the law. 🔸Opt-Out Rights. Consumers have the right to opt-out of AI uses for certain decisions like housing, education, or lending. 🔸Deletion. Consumer #PersonalData deletion rights need to be respected when using AI models. 🔸Assessments. Using personal data in connection with AI models, or processing it in connection with AI models that involve profiling or other activities with heightened risk of harm, trigger data protection assessment requirements. The guidance also highlights a number of scenarios where sales practices using AI or misrepresentations due to AI use can violate the Unlawful Trade Practices Act. Here's a few steps to help stay on top of #privacy requirements under Oregon law and this guidance: 1️⃣ Confirm whether your organization or its vendors train #ArtificialIntelligence solutions on personal data.  2️⃣ Validate your organization's privacy notice discloses AI training practices. 3️⃣ Make sure organizational individual rights processes are scoped for personal data used in AI training. 4️⃣ Set assessment protocols where required to conduct and document data protection assessments that address the requirements under Oregon and other states' laws, and that are maintained in a format that can be provided to regulators.

Yesterday, the long-awaited Texas AI bill was released, titled "The Texas Responsible AI Governance Act." As with the Colorado AI Act, it's visible that the drafters read the EU AI Act (and not once) and took notes. The bill is focused on high-risk AI Systems (HRAIS) and sets a reasonable care standard for developers, distributors and deployers of HRAIS to prevent known or foreseeable risks of algorithmic discrimination. The Act excludes small businesses from its obligations. So in very short terms, key requirements under the Act are: -         Conduct semiannual HRAIS Impact Assessments -         Record keeping and Reporting requirements -         AI Literacy -         Intentional and substantial modification to a HRAIS triggers additional responsibilities -         Disclosing HRAIS to consumers and right to explanation for AI-driven decisions (consumer should know they interact with AI, purpose of AI system, nature of any consequential decision in which the system is or may be a contributing factor, factors used in making any consequential decision, deployer’s contact info, description of AI system components) -         Develop AI Risk Management Policy prior to deployment of HRAIS (NIST AI RMF to be used as the standard) Under the Act, any deployer, distributor or any third-party shall be considered as developer of HRAIS if they: -         Put their name or trademark on a HRAIS already placed in the market or put into service -         Modify HRAIS (placed in the market or put into service) in such a way that it remains a HRAIS -         Modify the intended purpose of an AI system in such a way that it becomes a HRAIS The Act does not apply to the development of an AI system used within a regulatory sandbox program, for research, training, testing or open-source AI systems (as long as it’s not high risk and model weights are public). Prohibited Uses and Unacceptable Risks: -         Manipulation of human behavior (subliminal techniques) -         Social scoring -         Biometric identification -         Categorization based on sensitive attributes -         Emotion recognition -         Sexually explicit videos, images, and child pornography Enforcement: As usual, no private right of action. Attorney general has enforcement authority. Violations may result in escalating fines. Online complaint mechanism. “A consumer may appeal a consequential decision made by a high-risk artificial intelligence system regardless of whether the decision was made with human oversight or not.” If consumer proves that developer/ deployer violated their rights under this Act, consumer is entitled to declaratory and injunctive relief.