More and more, artificial intelligence and other automated systems make decisions affecting our lives and economy. These systems are not broadly regulated in the United States, although that will change next year in several states.
Earlier this month, President Biden unveiled a blueprint for an "AI Bill of Rights," motivated by concerns about potential harms from automated decision-making. Arising from an initiative the White House Office of Science and Technology Policy (OSTP) launched last fall, the AI Bill of Rights lays out five principles to foster policies and practices (and automated systems) that protect civil rights and promote democratic values.
For now, at least, adherence to these principles (and the steps recommended for observing them) remains voluntary: the blueprint is a guidance document with no enforcement authority attached to it. Notably, at inception, OSTP was unsure how the AI Bill of Rights might be enforced:
Possibilities include the federal government refusing to buy software or technology products that fail to respect these rights, requiring federal contractors to use technologies that adhere to this "bill of rights" or adopting new laws and regulations to fill gaps. States might choose to adopt similar practices.
The Administration decided to publish a nonbinding white paper, potentially recognizing the difficulty of shepherding legislation through any potential 118th Congress. Indeed, the document's first page proclaims that it "is non-binding and does not constitute US government policy." Nor does it "constitute binding guidance for the public or federal agencies and therefore does not require compliance with the principles described herein."
Notwithstanding this disclaimer, the blueprint provides a clear indication of the Administration's AI regulatory policy goals. Executive Branch and independent agencies are likely to follow this lead in their respective domains.
Issues of Definition
In the debate over the EU's pending Artificial Intelligence Act, the definition of "artificial intelligence" has attracted much discussion. OSTP sidesteps this issue in the blueprint by addressing "automated systems," which are defined as "any system, software or process that uses computation as whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with individuals and/or communities." OSTP adds, "Automated systems include, but are not limited to, systems derived from machine learning, statistics or other data processing or artificial intelligence techniques, and exclude passive computing infrastructure," which OSTP also defines.
The blueprint's coverage of "automated systems" instead of "artificial intelligence" offers business a mixed bag. On the one hand, the broader scope aligns with the regulation of automated decision-making under California, Colorado, Connecticut, and Virginia privacy laws and New York City's law on automated employment decision tools, all taking effect next year, as well as Article 22 of the EU/UK General Data Protection Regulation. On the other hand, it potentially threatens international harmonization of regulations based on the seemingly narrower scopes of the UNESCO Recommendation on the Ethics of Artificial Intelligence and the OECD AI Principles (also shared by the G20).
Much of the blueprint concerns protection of "rights, opportunities or access." OSTP explains this phrase as "the set of: civil rights, civil liberties and privacy, including":
- "freedom of speech, voting, and protections from discrimination, excessive punishment, unlawful surveillance, and violations of privacy and other freedoms in both public and private sector contexts";
- "equal opportunities, including equitable access to education, housing, credit, employment, and other programs"; or
- "access to critical resources or services, such as healthcare, financial services, safety, social services, non-deceptive information about goods and services, and government benefits."
This explanation's expansiveness underscores the Biden Administration's stated intent that the blueprint apply to automated systems affecting any facet of society or the economy.
The blueprint outlines five principles for all automated systems with the potential to "meaningfully impact individuals' or communities' exercise of rights, opportunities or access":
- Safe and Effective Systems: Automated systems should be safe and effective. They should be evaluated independently and monitored regularly to identify and mitigate risks to safety and effectiveness. Results of evaluations, including how potential harms are being mitigated, should be "made public whenever possible."
- Algorithmic Discrimination Protections: Automated systems should not "contribute to unjustified different treatment" or impacts that disfavor members of protected classes. Designers, developers and deployers should include proactive equity assessments in their design processes, use representative data sets, watch for proxies for protected characteristics, ensure accessibility for people with disabilities, and test for and mitigate disparities throughout the system's life cycle.
- Data Privacy: Individuals should be protected from abusive data practices and have control over their data. Privacy engineering should be used to ensure automated systems include privacy by default. Automated systems' design, development and use should respect individuals' expectations about their data and the principle of data minimization, collecting only data strictly necessary for the specific context. OSTP stresses that consent should be only used where it can be appropriately and meaningfully provided, limited to specific use contexts and unconstrained by dark patterns; moreover, notice and requests for consent should be brief and understandable in plain language. Certain sensitive data (including data related to work, home, education, health, and finance) should be subject to additional privacy protection, including ethical review and use prohibitions.
- Notice and Explanation: Operators of automated systems should inform people affected by their outputs when, how and why the system affected them. This principle applies even "when the automated system is not the sole input determining the outcome." Notices and explanations should be clear and timely and use plain language.
- Human Alternatives, Consideration and Fallback: People should be able to opt out of decision-making by automated systems in favor of a human alternative, where appropriate. Automated decisions should be appealable to humans.
The blueprint also includes a "Technical Companion" that details "concrete steps" for building these five principles into "policy, practice or the technological design process." Organizations developing, procuring and deploying AI and other automated systems will find these concrete steps to be generally consistent with other guidance on best practices.
What Next from the United States Government?
Having drawn up the blueprint, the Administration is ready to build out its AI policies through guidance, rulemaking and enforcement. This work is already underway.
Thus far, guidance (both for ethical best practices and compliance with existing laws) has been most common. For instance:
- NIST AI Risk Management Framework: The National Institute of Standards and Technology (NIST) is developing an AI Risk Management Framework. The voluntary framework, which was mandated by Congress, seeks to increase incorporation of "trustworthiness considerations into the design, development, use, and evaluation of AI products, services and systems." NIST released a second draft of the framework in August 2022. NIST also released a partial initial draft of a Playbook for implementing the framework. Public comments on the Playbook may be submitted at any time. Based on these comments and a recent workshop with government, industry, civil society, and academic stakeholders, NIST expects to complete the framework and Playbook and publish them in January 2023.
- Department of Energy AI Advancement Council: In May 2022, the Department of Energy established the AI Advancement Council to oversee coordination, advise on AI strategy and address issues on the ethical use and development of AI systems.
- Algorithmic Discrimination in Hiring: In May 2022, the Equal Employment Opportunity Commission (EEOC) and the Department of Justice released a technical assistance document that explains how employers' use of algorithmic decision-making may violate the Americans with Disabilities Act (ADA). For additional details, please see our previous Advisory on avoiding ADA violations when using AI employment technology. EEOC's guidance is a part of its larger initiative to ensure that AI and "other emerging tools used in hiring and other employment decisions comply with federal civil rights laws that the agency enforces."
- Consumer Protection: In May 2021, the Federal Trade Commission (FTC) published a blog post providing tips for responsible use of AI in compliance with Section 5 of the Federal Trade Commission Act, the Fair Credit Reporting Act and the Equal Credit Opportunity Act. We discussed this guidance more fully in an earlier Advisory.
Increasingly, however, Executive Branch and independent agencies have been shifting to rulemaking and enforcement:
- Broad AI Regulation: In August 2022, FTC opened its "commercial surveillance" proceeding, which could lead to a wide range of rules on AI and other automated systems (as well as privacy and data security). As we have discussed, FTC's Advance Notice of Proposed Rulemaking asks a number of questions about algorithmic accuracy, validity, reliability, and error; algorithmic discrimination against traditionally protected classes and "other underserved groups;" and whether AI and other automated systems yield unfair methods of competition or unfair or deceptive acts or practices that violate Section 5 of the FTC Act.
- Workplace Protections: The Department of Labor (DOL) is ramping up enforcement of required surveillance reporting to protect worker organizing. DOL also released a blog post titled What the Blueprint for an AI Bill of Rights Means for Workers.
- Algorithmic Healthcare Discrimination: The Department of Health and Human Services (HHS) issued a proposed rule in August 2022 that, in relevant part, would prohibit algorithmic discrimination in clinical decision-making by covered health programs and activities. For a discussion of the proposed rule, please see our previous Advisory. HHS will also release an evidence-based examination of healthcare algorithms and racial and ethnic disparities by late 2022.
- Algorithmic Housing Discrimination: In June 2022, Meta (formerly, Facebook) settled a Justice Department Fair Housing Act suit (following a Department of Housing and Urban Development investigation). The government alleged that Meta had used algorithms in determining which Facebook users received housing ads and that those algorithms relied, in part, on characteristics protected under the FHA. As part of the settlement, Meta agreed to change its targeted advertising practices and to pay the maximum civil penalty of $115,054.
- Algorithmic Credit Discrimination: In March 2022, the Interagency Task Force on Property Appraisal and Valuation Equity released an Action Plan to Advance Property Appraisal and Valuation Equity that includes a commitment from regulators to include a nondiscrimination standard in proposed rules for automated valuation models. Also that month, as discussed in a previous Advisory, the Consumer Financial Protection Bureau revised its Supervision and Examination Manual to focus on algorithmic discrimination as a prohibited unfair, deceptive or abusive act or practice.
Businesses should expect the blueprint to inform all such agency actions going forward. It is likely that these agencies will expand their AI initiatives while other agencies will become active addressing AI and other automated systems within their ambits.
The Chamber of Commerce's Concerns
Following the blueprint's release, the US Chamber of Commerce (the Chamber) wrote OSTP Director Dr. Arati Prabhakar, highlighting a number of concerns:
- Lack of Stakeholder Engagement: OSTP received insufficient stakeholder input in formulating the blueprint, having sought comments only on biometric-identification systems.
- Poor Definitions: The blueprint supplies definitions of key terms, including "Automated System," which lack precision and could undercut international harmonization of AI policies and standards.
- Independent Evaluations: The current lack of "concrete" auditing standards and metrics for AI systems makes it "pointless" to allow journalists, third-party auditors and other independent evaluators "unfiltered access" to AI systems, as called for in the blueprint.
- Conflation of Data Privacy and Artificial Intelligence: Data privacy and artificial intelligence raise "distinctly different" "nuances and complexities," so the two issues should not be conflated.
The Chamber's "unexpectedly forceful pushback" (to quote Politico's Brendan Bordelon) to a supposedly nonbinding guidance document reflects the blueprint's potential influence. In an interview, a representative said the Chamber expects dozens of federal agencies to incorporate the guidance into regulatory mandates and fears "copycats at the state and local level." A patchwork of differing requirements could impose a substantial burden on businesses.
Having released the Blueprint for an AI Bill of Rights with great fanfare, the Biden Administration is unlikely to withdraw it in response to the Chamber's critique. However, the critique probably does foreshadow coming battles in rulemaking dockets and legislative chambers around the country.
AI regulation is arriving swiftly. Businesses should monitor these changes and prepare their compliance programs. Companies with particular concerns may wish to raise them early in legislative and rulemaking processes while proposals remain fluid.