Clifford Chance

The US perspective

Although the US Congress is still deliberating on proposed AI laws that would directly regulate private industry, in October 2023, President Biden announced the Executive Order on the Safe, Secure and Trustworthy Development and Use of Artificial Intelligence, which tasks government agencies with creating rules and guidelines in certain areas. The Executive Order includes provisions around AI safety testing, AI transparency and addressing potential AI risks in areas such as cybersecurity (see our overview: What businesses need to know (for now) about the Biden Executive Order on AI). With some of the deadlines for actions under the Executive Order having now expired, a number of guidelines and reports are being published and structures are being put into place. For example, the Secretary of Homeland Security has established an AI Safety and Security Board which will act as an advisory committee on AI usage in critical infrastructure. The National Institute of Standards and Technology (NIST) has also been tasked with developing further guidance on AI safety in addition to its AI Risk Management Framework and has, for example, recently published draft guidelines on managing the risks of generative AI.

“AI regulation is expected at federal level but, in the meantime, existing regulations on privacy, cybersecurity and civil rights are being enforced. For example, the Federal Trade Commission (FTC) is using the Unfair or Deceptive Trade Practice Act prohibition in Section 5 of the FTC Act to go after companies which they regard as having used AI unfairly or in a nontransparent manner,” says Kornbacher. The US Securities and Exchange Commission (SEC) has also issued “AI washing” fines to two investment advisory companies for making false and misleading statements about their use of AI (see our article: SEC Invents “AI Washing” with Focus on Investment Adviser Practices).

AI regulations are being issued at state and local level, including in New York, where the New York City Local Law 144 on AI bias has been introduced with the aim of combating discrimination that may arise from the use of AI when making employment decisions. There are hundreds of AI bills from dozens of states at various stages of the legislative process, focusing on a range of areas, from bias and discrimination to facial recognition and deepfakes. New Hampshire, for example, has passed a bill to require that all political advertisements disclose if they have used “synthetic media”.

China’s approach to AI regulation

“China is taking a prescriptive approach to the regulation of AI,” says Stella Cramer, head of Clifford Chance’s Tech Group in APAC. China was a first mover in terms of issuing measures in respect of specific uses of AI, such as generative AI, deep fakes and decision-making algorithms, and was the first country in the world to introduce a registration regime with AI service providers requiring government permission before using the technology for services or products that will have an impact on society or national security. “Currently, there is no national legislation regulating AI across the board, but regulators have identified areas of high focus and issued specific regulations and guidelines for service providers and users to follow,” says Jane Chen, a Senior Associate at Clifford Chance based in Beijing. “Implementing guidelines for these regulations will set out requirements for service providers and users to follow – for example, outlining measures to protect data privacy and IP rights,” she explains. Some measures have extraterritorial effect, and so need to be taken into account in projects that involve the global rollout of AI. “A group of Chinese scholars is currently drafting the Model Law on AI; whether that will become national legislation regulating AI matters is something to keep a watch on,” she adds.

Additionally, in March 2024, China relaxed its measures on cross-border data transfers. “This means that global AI users can now consider how to better use data in China and how to develop international business collaboration. We have seen a number of clients reconsidering their data governance and restructuring data flows accordingly,” says Chen.

The view from Singapore

There is a fragmented approach to AI regulation across the APAC region. “Clients here are facing issues on the ground around managing the regulation that is coming out of China, managing the extraterritorial impacts of the EU AI Act and the fragmentation of different requirements across the region, whether that is country or on a sector-by-sector basis,” says Cramer.

Singapore’s approach to AI is to drive innovation and position itself as a hub. “Singapore’s approach has become, effectively, a blueprint for many countries in the region who are supporting a pro-innovation approach but underpinned by the importance of having strong information security and cyber risk-resilient foundations. It has been quite influential and has had a real impact across the Southeast Asia region, and we are now seeing other countries take similar approaches,” she says.

At an intergovernmental level, Singapore has entered into multiple digital economy agreements with different countries to help facilitate digital trade and reinforce the importance of collaboration around the adoption of AI. There have been amendments to existing laws, such as data protection laws and the Copyright Act, to help facilitate innovation. Guidance and frameworks have been issued by financial services regulators, general data protection regulators and the Infocomm Media Development Authority (IMDA) around the responsible use of AI and risk management. “We’re seeing these frameworks now being adopted by ASEAN to support the responsible use of AI across Southeast Asia,” she says. In addition, consultation on Singapore’s model AI governance framework for generative AI has recently been completed, and there have been a number of interesting collaborations between the regulators and industry to help facilitate testing and toolkits around the transparency and risks of AI. “Singapore has set up the AI Verify Foundation – members include big tech and the regulators – and the aim is to become a significant contributor to the testing and validation of AI,” says Cramer. “It is working on a testing framework that’s aligned with international AI governance principles, testable criteria and testing processes, and allows businesses to complete a self-assessment to determine if their AI models meet these principles.”

In Singapore, and more broadly across the APAC region, a number of new laws focusing on cybersecurity and information security have either been passed or are going through the legislative process. These laws are focusing on digital information infrastructure, cloud service providers and data centres to ensure that they meet various technical standards and codes of practice. Data breach notification requirements are also being introduced across APAC.

The impact of the EU AI Act

After years of work and protracted negotiations, the EU AI Act is becoming a reality. It marks a significant step in regulating artificial intelligence, setting standards for transparency, safety, accountability and fairness in AI applications that are applicable within the European Union and beyond. “It will enter into force 20 days after it is published in the Official Journal of the EU, and then its entry into application will be sequenced,” says Dessislava Savova, head of the Continental Europe Tech Group at Clifford Chance. “Most rules start to apply 24 months after entry into force, but bans on prohibited practices, for example, apply after six months. Organisations will need to focus on identifying prohibited practices, increasing AI literacy and having a realistic and pragmatic road map for implementation.”

“Europe is a powerhouse of AI regulation globally. The GDPR was introduced five years ago, and Europe now has some of the most sophisticated data laws in the world – AI legislation is going to follow a similar trajectory,” says Kewley. “That EU AI Act will have extraterritorial application, so if you are a business in the US, for example, developing AI systems that will be deployed among consumers in Europe, you will be captured by the EU AI Act, regardless of where you are in the world. And the EU is introducing fines of 7% of global turnover for non-compliance.”

The EU AI Act does not regulate all AI in the same way. The approach taken by the EU legislator is to have proportionate programmes that apply depending on the risk raised by the AI systems at stake – from prohibited, high-risk or some specific AI systems that require particular attention in terms of transparency and information to users to possibly transversal and generic rules that apply to all AI systems. And of course, there are now also the rules for providers of general-purpose AI models.

Prohibited practices were one of the hotly debated areas of the AI Act in the months before its finalisation, and the scope was extended; so, for example, systems aiming at emotion recognition in the workplace, or social scoring, will be prohibited.

High-risk AI systems were also a key topic of debate. “Many companies can potentially be in the field of high-risk AI,” says Savova. “Perhaps an obvious example is that AI systems used in certain HR-related decisions are high-risk. But there are many more – for example, the use of AI for access to essential services or for certain insurance and credit related decisions is also considered high-risk.”

Since the European Commission’s initial proposal in April 2021, a number of significant changes have been introduced, including to expand the scope of the AI Act to cover new fundamental concepts. These changes include, for example:

• Regulating generative AI and generalpurpose models. The new rules involve a tiered system with rules for all general-purpose AI models and additional ones for general-purpose AI models with systemic risks.
• Strengthening the governance framework around enforcement of the AI Act. The multilayer enforcement framework will include an AI office that will have a key role to play, including with respect to general-purpose AI models and more generally around international cooperation.
• AI literacy requirements, which are the core of the AI Act requirements that every company and every business will need to take on board.

Companies developing or using AI in some form will have to start to educate their workforces about the related opportunities but also the risks. “This is one of the requirements that will kick in first, so companies will need to be prepared and act,” says Savova.

Kewley adds: “The message is that this work needs to start now, even though it’s a tiered timetable. I think companies would be quite surprised to learn the breadth of prohibited practices, and they may have certain of those lingering in their technology stack that they are not aware of.”