Welcome to AI-Regulation.com, the website of the Chair on the Legal and Regulatory Implications of Artificial Intelligence at MIAI Grenoble Alpes!
The Chair has been chosen by an international panel of experts to form part of the Multidisciplinary Institute on Artificial Intelligence created at the Université Grenoble Alpes, following a particularly competitive selection process commissioned by the French Government. Our members are experts in law, economics, computer and data science, all actively working in the field of data protection, privacy, cybersecurity and AI. The Chair’s objective is to become a valuable point of reference regarding the legal and regulatory questions raised by artificial intelligence and to contribute to national, European and international debates on these issues.
The Chair, and its website, come at a key juncture in the rise of AI. AI has the potential to make breakthrough advances in several areas, but its growing applications raise complex questions and provoke broad concerns throughout society. How can we guarantee that AI is designed and used responsibly? How do we establish ethical and legal rules to protect people, avoid bias and help establish fair and adequate liability schemes? Given the risks posed by the growing power of artificial intelligence and his widespread applications, more and more voices in Europe and the rest of the world are calling for an appropriate regulation of artificial intelligence.
You say you want AI Regulation?
The European Commission President Ursula von der Leyen had initially promised that in her “first 100 days in office” she would “put forward legislation for a coordinated European approach to the human and ethical implications of AI”. The general idea was that the EU should take the lead on regulation of AI – exactly as it did in the field of personal data protection. Regulation of artificial intelligence is seen by some in Europe as a kind of “the next GDPR”.
In reality, Ursula von der Leyen’s promise was overly ambitious: AI is not a monolithic bloc to regulate with a magic wand. Regulation in this field requires a careful, sector-by-sector and risk-based approach.
Instead of “hard rules”, the European Commission finally published on February 19th, 2020 a White Paper on Artificial Intelligence, which will remain open for comments until 19 May 2020. This is not a legally binding text but a kind of roadmap for the future regulatory framework.
Some found it disappointing that the European Commission was unable to go further, at least concerning some important points.
For instance, the part of the White Paper dedicated to facial recognition (or what the Commission prefers to call “remote biometric identification”) might seem at first sight to be disappointing to those who are calling for a moratorium on the use of Facial Recognition Technologies (“FRTs”) in public spaces. Indeed, a first draft of the White Paper, leaked on January 19th, included the eventual option that a “future regulatory framework could include a time-limited ban (e.g. 3-5 years) on the use of FRT in public spaces” in order to provide the leeway required to implement “a sound methodology” for assessing the potential impact of FRTs and to develop possible risk management measures.
The final version of the White Paper does not include any such option. In fact, it does not include anything new at all on a substantive level with regards to FRTs: it just recalls that according to existing EU rules (such as the General Data Protection Regulation (GDPR) and the Law Enforcement Directive) the use of FRTs must be “duly justified, proportionate and subject to adequate safeguards”.
However, the White Paper does include some important news about FRTs: the Commission decided to launch a broad European debate on the specific circumstances, if any, which might justify use of FRTs in public places and on what safeguards should be adopted. Sceptics could say that the Commission is “kicking the can down the road” but “it only seems reasonable that the Commission needs more time to examine such a complicated issue and to advance carefully in this field”.
More generally, the Commission’s adoption of a cautious approach in relation with AI regulation, rather than “scrambling to roll out policies to meet political deadlines”, could be seen in a positive light.
This is not to say that the White Paper does not include strong ideas. There are at least two important elements that need to be highlighted in this respect.
You say you've got a real solution? Well, we'd all love to see the plan
First, the White Paper compiles an impressive list of existing EU rules (see figure 1) that are technologically neutral and apply to the field of AI – and proceeds to an interesting discussion concerning the necessary adjustments to these rules in order to address the specific risks and concerns raised by AI.
Second, the White Paper introduces the strong regulatory idea of protection from harmful AI: “in view of the high risk that certain AI applications pose for citizens and our society”, high-risk AI applications should have to be tested and receive certification before reaching the single market.
The Commission lays out two cumulative criteria for what it considers a “high risk” use of AI. First, is the AI application deployed in a sector (e.g. health, energy or transportation) where, given the characteristics of the activities typically undertaken, significant risks can be expected to occur ? Second, is the AI application used in such a manner as to pose significant risks of injury, death, material or immaterial damage, or harm to the rights of an individual or a company?
For all these cases, the Commission introduces the idea of mandatory, objective, prior conformity assessments to ensure that such AI systems meet some mandatory requirements (especially linked to human rights considerations). In essence, the Commission is inspired here by conformity assessment mechanisms that already exist for a large number of products destined for the EU’s internal market (ex. cars or chemicals). Inversely, the Commission suggests a lighter touch for “non-high-risk” data uses, to avoid hindering innovation.
It is clear, from the above, that, far from being done in “100 days”, AI regulation in the EU will be a long process, either in order to adjust existing rules (such as those concerning EU liability law) or in order to develop new ones. Similar developments are to be expected in several countries outside Europe, as there is a multiplication of calls for AI regulation worldwide, including in countries such as the US, where Federal agencies are nonetheless strongly called upon to “avoid regulatory or non-regulatory actions that needlessly hamper AI innovation and growth”.
"We're doing what we can": Mission statement and scientific objectives
The main mission of the Chair on the Legal and Regulatory Implications of Artificial Intelligence will be to undertake research on whether and how AI regulation can support sustainable and ethical innovation.
How should the requirements of fairness, non-discrimination, meaningful human oversight, respect for privacy, safety, transparency, accountability and effective redress be implemented and applied in the different fields of application of AI? How can we open the algorithmic “black-box” – thus facilitating the auditability and scrutiny of AI Systems – while at the same time preserving industrial secrets? What are the different legal models of liability and responsibility that we need to design when it comes to algorithmic systems? How should we interpret and apply existing rules to AI, such as the GDPR or technology-neutral rules related to human rights, non-discrimination and competition law? What are the potential legal loopholes and how can we adopt a risk-based approach in order to elaborate new rules? How should we regulate AI’s use in a way that is beneficial to society and protective of fundamental rights while at the same time ensuring that innovation is not hindered and legal regimes do not become obstacles to AI’s development?
Our website aims to become a forum to provide some answers to these questions and share the results of our research as well as insights on these issues from external collaborators and contributors. We publish substantive articles and reports as well as brief notes and news updates on worldwide developments in AI regulation.
Our research covers 8 Focus Areas:
- AI Governance and Regulation (a cross-sectional field of research analysing the appropriateness of existing law (e.g., the RGPD) for AI applications and what AI governance might resemble in the future).
- Facial recognition.
- Virtual assistants and Chatbots.
- Smart cities, smart homes and IoTs.
- Data manipulation, AI and democracy.
- Health, AI and transhumanism.
- Connected and autonomous vehicles.
- AI, National and International Security.
You ask me for a contribution? Our first articles
We are launching our website today with an important study on facial recognition written by two members of our Chair, Claude Castelluccia and Daniel Le Metayer, Directors of research at Inria (the French National Institute for Research in Digital Science and Technology). The two authors highlight the importance of conducting impact assessments of applications and uses of facial recognition technologies and propose elements of methodological approach for the conduct of such impact assessments, illustrated by examples. While their risk analysis framework concerns facial recognition systems, their methodology could apply, mutatis mutandis, to other AI or algorithmic systems.
We are also very pleased to host today an op-ed on the French National Committee for Digital Ethics (FNCDE) by Claude Kirchner, emeritus research director at INRIA and Director of the FNCDE. Following a request by the French prime minister, the FNCDE was created in November 2019 and is composed of 27 members from different disciplines: from IT specialists working in public or private research to philosophers, medical doctors, lawyers and members of civil society. The committee has already been commissioned by the Prime Minister to issue opinions on the ethical issues arising from three specific topics of digital applications using machine learning: 1) Conversational agents (chatbots); 2) Autonomous cars; and 3) Medical diagnosis and health AI.
A third article, written by the Chair’s member Camille Dubedout, a joint PhD candidate at Université Grenoble-Alpes and at the French National Cybersecurity Agency (ANSSI), focuses on the “Safe City” project initiated in the southern French city of Nice. The municipality intends to transform Nice into a model of “Safe city”, through the deployment of AI solutions and, especially, facial recognition technologies. In order to achieve this, the City has planned a series of facial recognition tests in real-time conditions. Interestingly, these trials are also testing the tolerance of the French Data Protection Authority (CNIL). Indeed, CNIL has expressed great concerns over the compatibility of one of these “experiments” (deployed in French High Schools) with the GDPR – leading to a discontinuation of the “experiment” and to some ferocious attacks against the French DPA by the City’s Mayor and a few other politicians involved in this project.
We are also hosting today two contributions from our research fellows Katia Bouslimani and Mathias Becuywe, following the participation of our Chair in CPDP 2020, which was dedicated to “Data Protection and Artificial Intelligence”.
The first paper presents some key takeaways of a CPDP panel discussing the important issue of secondary uses of health data, i.e. the re-use of data for another purpose that the one for which it was originally collected. These highlights include issues such as the role of consent in health AI, the issue of de/re-identification or an interesting discussion on who is benefiting from secondary uses of health data.
The second paper presents a report on another very interesting CPDP panel which focused on the use of FRTs in the United Kingdom. This panel discussed particularly interesting issues such as the following: Is there an appropriate legal basis for the different uses of FRTs by the police? What are/should be the safeguards in these cases? Is there a truly comprehensible review of who is using facial recognition and for what exact purposes? And what about the major issue of transparency?
* Thanks to The Beatles for their help!
These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the other members of the AI-Regulation Chair or any partner organizations.
This work has been partially supported by MIAI @ Grenoble Alpes, (ANR-19-P3IA-0003)