It’s Now, or Never Part II: The Era of Convergent and Collaborative Regulation

I recently advised a young team from a global Tech startup on AI Governance; we discussed the issue of divergent and evolving regulatory frameworks in different jurisdictions. How can a young company design its internal governance framework in such a scenario? While the EU leads the way with its AI Act, the UK and Australia are still debating the issues, and the US has already adopted a self-regulatory model. In India, AI regulation is on the cards but has not taken concrete shape. 

Even as their respective regulatory frameworks evolve, many nations have taken action on privacy, data protection and intellectual property rights issues related to AI. In an article titled “How Data Protection Authorities are De Facto Regulating Generative AI,” Gabriela Z. Fortuna from the FPP states that,

“Generative AI took the world by storm in the past year, with services like ChatGPT becoming “the fastest growing consumer application in history.” For generative AI applications to be trained and function, immense amounts of data, including personal data, are necessary. It should be no surprise that Data Protection Authorities (‘DPAs’) were the first regulators around the world to take action, from opening investigations to actually issuing orders imposing suspension of the services where they found breaches of data protection law.

Their concerns span from the lack of a justification (a lawful ground) for processing personal data used for training the AI models, lack of transparency about the personal data used for training, and about how the personal data collected while users are interacting with the AI service is used, lack of avenues to exercise data subject rights such as access, erasure, and objection, impossibility to exercise the right of correcting inaccurate personal data when it comes to the output generated by such AI services, insufficient data security measures, unlawfully processing sensitive personal data and children’s data, to not applying data protection by design and by default. “

The question is:  Can the world have a highly fragmented approach to AI regulation, or for that matter, personal data protection, cybersecurity, intellectual property, or competition in digital markets? 

What implications does this overlap of regulatory jurisdictions have on AI Governance? Four stand out. 

• Firstly, the regulation of AI demands collaboration between the respective national regulators. 
• Secondly, in an interconnected digital and increasingly virtual world, it’s not feasible for any nation to have a regulatory approach that diverges markedly from global trends and best practices. 
• Thirdly, there is a need for international harmonisation of governance principles and standards and the reinvigoration of multilateral organisations.

Digressing a bit before we arrive at the last (but not least) fourth point, I always draw my students’ attention to convergence and collaboration as hallmarks of digital regulation. My Tech. Policy cohort always practices the identification of these overlaps to hone their digital regulation skillset. My students are trained not to miss the woods for the trees. The advice I gave the startup was the same, bringing me to the fourth point. 

• It is preferable for a young firm to induct international best practices by design in their DNA and distinguish themselves by doing so rather than playing the expensive, long game of ignoring consumer protection issues in whichever jurisdiction one can. Eventually, one will find oneself at the regulatory compliance altar after paying handsome fees to lawyers. 

Besides ethical considerations, retrofitting good AI governance practices into internal or external frameworks may be akin to putting toothpaste back in the tube!

Read Part I to know more about this topic. If you want to learn from first-hand interaction with regulators, policymakers and key stakeholders in the digital regulation life cycle, you are welcome to join me and my team of international practitioner instructors in the upcoming Course on digital regulation under the ‘Walk in My Shoes- In Conversation with Key Stakeholders’ series of courses.