Transparency Coalition report urges updating privacy laws to counter harms of Generative AI
A new position paper by TCAI legal advisor Leigh Wickell argues for a new and expanded understanding of privacy harms in the age of Artificial Intelligence.
A report published today by the Transparency Coalition.AI (TCAI) highlights the widespread privacy harms that result from today’s most powerful Generative AI systems, and suggests proactive steps to protect individuals and society.
Many of today’s most powerful artificial intelligence (AI) systems process personal data in ways that do not comply with U.S. privacy laws, resulting in widespread privacy harms.
Recent examples of AI-produced hallucinations include a living man being informed of his own death; a mayoral candidate being falsely told he was part of a criminal scheme; and a radio host falsely accused of fraud and embezzlement. Researchers have found that AI systems like DALL-E and Stable Diffusion are able to memorize and regenerate the data—sometimes the private personal data—on which they were trained.
In addition, recent research has shown that AI models can regurgitate personal data included in the model’s training data, and can re-identify personal data that had previously been de-identified for privacy protection.
In the United States, current regulatory systems and judicial rulings are failing to deter these privacy harms.
In U.S. courts, current legal concepts around privacy are based in a 60-year-old framework that must expand to encompass the privacy harms perpetrated in the internet and AI age.
Click on image for full report.
Time to update the legal definition of privacy harms
In “Privacy Harms in the AI Age: Time for a System Upgrade,” author Leigh Wickell, a data privacy attorney and TCAI legal advisor, argues that both policymakers and judicial leaders must expand the legal definition of privacy harm to bring it up to date with the reality of today’s tech-driven and AI-influenced world.
“In order to properly compensate individuals whose personal data has been processed inappropriately and to deter unfair practices by technology companies,” Wickell writes, “an updated legal conception of privacy harms is needed.”
Stuck in a 1960-era framework
For the past 60 years the American legal understanding of privacy has been tied to the work of legal scholar William Prosser, who described four types of personal harms resulting from violations of a person’s right to privacy. Those are known as intrusion, public disclosure, false light, and appropriation harms. Wickell suggests updating and expanding those types to include five more, first proposed in 2022 by Danielle Keats Citron and Daniel J. Solove, that have arisen in the internet and AI era. Those are physical, economic, reputational, psychological, and autonomy harms.
Using that updated understanding of privacy harms, Wickell urges regulators and enforcement agencies to step up enforcement of existing privacy laws as they apply to artificial intelligence development and deployment.
Once seen by an AI model, personal data cannot be unseen
This is especially urgent in today’s fast-moving AI environment. Per the report:
“Simply deleting a set of personal information from the larger training dataset does not erase it from the AI model that was trained on that data. Short of retraining the entire AI model — at a cost of tens of millions of dollars — accomplishing that task may be impossible.
Upon being trained on a dataset, an AI model cannot be programmed to "forget" a specific portion of data. Once seen, it cannot be unseen.”
Take steps now
In addition, the paper argues policymakers must create an appropriate framework for direct state and federal oversight of the AI industry. This should include standardized and comprehensive documentation of the training data that enables regulatory review of new and existing AI models
Wickell also urges industry and government to adopt a standard data card, which would then be a required component of any AI model or system. Such a data card—also known as a data declaration—would contain information such as the source and owner of the datasets on which the AI model was trained; how that data was collected; and whether the datasets contained personal information.
“Finally,” the author concludes, “in order to ensure that personal information is protected from unauthorized use by the developers of AI models, the U.S. must invest in its regulatory capacity. Because AI involves a groundbreaking, wide-sweeping set of technologies, an entirely new and robust regulatory system may be needed. The Federal Trade Commission cannot regulate AI alone.”
Read and download the full report: Privacy Harms in the AI Age.