US Lawmakers Mull AI, Data Privacy Regulation

Experts and stakeholders on Wednesday pleaded with two US House of Representatives subcommittees to enact legislation to regulate artificial intelligence use and to pass a stalled federal data privacy bill.

Subcommittees from the House’s Science, Space and Technology, and Energy and Commerce committees held separate hearings to explore potential impacts of AI technologies. The Energy and Commerce committee heard testimony from several experts and stakeholders, including tech executives, the former Federal Trade Commission (FTC) chair, and actor Clark Gregg, who talked about the need to create federal-level safeguards around AI and data privacy.

The governments of the European Union and China have already passed significant AI regulation and safeguards as AI use ramps up around the world. Subcommittee members warned that China’s advancement in AI protections puts the US on weak footing when it comes to tech leadership.

Rep. Gus Bilirakis (R., Fla.), chairman of the Innovation, Data and Commerce subcommittee said the US needed to take a leadership role with AI and data privacy legislation. He said previous discussions on the issue have demonstrated that it is “critical for America to lead the world in key emerging technologies, and why it is imperative for Congress, as a first step, enact data privacy and security law.”

Related:OpenAI’s ChatGPT Generates Lawsuits Over Data Use

Need for Federal Data Privacy Law

One point repeated throughout the Energy and Commerce subcommittee hearing was the immediate need for passing the American Data Privacy and Protection Act (ADPPA), the bill that would be the first federal-level data privacy law. The consensus between subcommittee members and experts and stakeholders speaking was that data privacy regulation is interwoven with AI regulation needs and should be a priority for congressional action.

ADPPA passed in the same subcommittee in July 2022 by a 53-2 margin but is still waiting for a full House and then a Senate vote. A federal data privacy law is an important first step toward AI regulation, committee members and experts said.

“Data is the lifeblood of artificial intelligence,” said Rep. Cathy McMorris Rodgers, (R., Wash.) “Failing to enact a national data privacy standard or allowing China to lead the way heightens the risk over the collection and misuse of data, unauthorized access … and greater harms Americans and our families.”

Raffi Krikorian, CTO at social change non-profit Emerson Collective, warned of the dangers of unregulated AI use and its impact on data privacy. “We live in an age of rapidly increasing digital surveillance,” he said. “And very few users understand the trade-off they make when they’re using the phones or the web … In order to move forward, I propose we need to step back and look at the heart of the problem. The data economy is becoming very complicated and it’s increasingly difficult to explain to everyday consumers how their data is being collected and being used.” Therefore, he said, “I believe we need increased efforts to promote and expand digital literacy, especially around the ideas of data and privacy.”

Related:Big Tech Firms Promise AI Safeguards

Ama Kak, executive director of AI Now Institute, said Congress should focus on passing ADPPA as a first step to regulating AI. “Data privacy law is a core mechanism that can help mitigate both the privacy and also the competition implications of large-scale AI,” she said, adding, “data privacy regulation is AI regulation … there are ongoing privacy and security challenges introduced by large language models which routinely and unpredictably produce highly sensitive and inaccurate outputs, including personal information. Regulators in many parts of the world with strong data privacy laws moved very quickly.”

Kak noted Italy’s ban on ChatGPT, which was only lifted when parent company OpenAI provided an opt-out feature for users to prevent conversations from being used for training models. “The lack of a federal privacy law undoubtedly held us back from demanding accountability,” Kak said.

Related:US Data Privacy Relationship Status: It’s Complicated

Victoria Espinel, president and CEO of software industry trade group BSA, said Congress needs to establish regulations for both data privacy and AI quickly. “Actions on both priorities will help promote the responsible use of digital tools and protect how consumers’ data is used,” she said. “For too long, consumers and businesses in the United States have lived in an increasingly data-driven and connected world without a clear set of national rules.”

Espinel said regulation needs to require businesses to only collect, use and share data in ways that respect consumers’ privacy and gives them an option to access, correct, and delete their data. “Thoughtful AI legislation is needed to further protect consumers by ensuring that developers and deployers of artificial intelligence take required steps to mitigate risks, including conducting impact assessments to reduce the risk of bias and discrimination,” she said.

The Future of Data and AI Regulation Still Unclear

In an interview with InformationWeek after the hearings, Ari Lightman, professor of digital media and public policy at Carnegie Mellon University, says it's imperative for Congress to start with one regulation and build from there. “We need a comprehensive privacy legislation when it comes to all the social platforms that are utilizing our data … We need to focus on that first to understand it, assess it, and get it as right as we can and then move on to AI.”

What’s unclear, Lightman says, is whether or Congress will be willing or able to move quickly on either proposed regulation efforts. While he agrees that many voices are needed for input and the rules need to be crafted carefully, the effort should be expedited as much as possible. “I don’t know how to develop a sense of urgency that’s needed … At some point in time, we have to act,” he says.

Müge Fazlioglu, principal researcher for privacy law at the International Association of Privacy Professionals (IAPP), tells InformationWeek via an email interview that federal agencies have issued some guidance with NIST’s AI Risk Management Framework and a statement on discrimination and bias from the US Equal Employment Opportunity Commission.

On an international level, unlike the old days of the internet, there is an existing framework for AI and data privacy regulation, Fazlioglu notes. “Something that global regulators have been stressing throughout the year is that AI is already subject to various existing laws. For better or worse, AI was not born into the same ‘Wild West’ into which the internet came into existence.”

Jonathan Leibowitz, former chair of the Federal Trade Commission (FTC), told lawmakers on Wednesday it’s possible for immediate action on smaller AI and data privacy issues through some existing government organizations, like FTC. But Congress should focus on passing a regulatory framework.

“Some large companies have developed ethical approaches to use AI,” he said. “But most businesses are looking for direction. And unfortunately, they’re not going to get too much direction from existing laws and regulatory authorities, which are not an adequate match to the problems created by the misuse of AI.”

Leibowitz added, “Let me urge you to keep in mind your work on privacy legislation -- even if enacting such a law requires some complicated negotiations and difficult votes, which it will, you will have done something meaningful for American consumers.”