Principles to Practice: Responsible AI in a Dynamic Regulatory Environment

The permanent and official location for the AI Governance and Compliance Working Group is /research/working-groups/ai-governance-compliance

© 2024 Cloud Security Alliance – All Rights Reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance at subject to the following: (a) the draft may be used solely for your personal, informational, noncommercial use; (b) the draft may not be modified or altered in any way; (c) the draft may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the draft as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance.

© Copyright 2024, Cloud Security Alliance. All rights reserved.

Acknowledgments

Lead Authors
Maria Schwenger
Louis Pinault

Contributors
Arpitha Kaushik
Bhuvaneswari Selvadurai
Joseph Martella

Reviewers
Alan Curran MSc
Udith Wickramasuriya
Piradeepan Nagarajan
Rakesh Sharma
Gaetano Bisaz
Hongtao Hao
Jan Gerst
Ashish Vashishtha
Gaurav Singh
Ken Huang
Frederick Hänig
Dirce Hernandez
Tolgay Kizilelma, PhD
Saurav Bhattacharya
Michael Roza
Gabriel Nwajiaku
Vani Mittal
Meghana Parwate
Desmond Foo
Lars Ruddigkeit
Madhavi Najana

CSA Global Staff
Ryan Gifford
Stephen Lumpe

Table of Contents

Acknowledgments
Table of Contents
Safe Harbor Statement
Forward-Focused Statements and the Evolving Landscape of Artificial Intelligence
Document Summary
Executive Summary
Introduction
Scope and Applicability
Key Areas of Legal and Regulatory Focus for Generative AI
Data Privacy and Security
General Data Protection Regulation (GDPR) (EU)
1. Lawful and transparent data collection and processing
2. Data security and accountability
3. Individual rights and control
California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
1. Data collection, storage, use, and disclosure under CCPA/CPRA
2. Consumer Rights
3. Compliance & Enforcement
4. Draft Automated Decision-Making Technology (ADMT) Regulations
5. California Executive Order on Generative AI
European Union AI Act (EU AI Act/EIAA)
EUAIA Compliance for Generative AI
1. Requirements, Obligations and Provisions
2. Promoting Innovation (Article 57, 58, 59, 60, 61, 62, 63)
3. Prohibitions on certain AI practices
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA Compliance for GenAI
Addressing the Impact of GenAI’s Hallucinations on Data Privacy, Security, and Ethics
DHS Policy Statement 139-07 Impact on GenAI
Federal Trade Commission Policy Advocacy & Research Guidance:
AI (and other) Companies: Quietly Changing Your Terms of Service Could Be Unfair or Deceptive
AI Companies: Uphold Your Privacy and Confidentiality Commitments
OMB Policy to Advance Governance, Innovation, and Risk Management in Federal Agencies’ Use of Artificial Intelligence
President Biden's Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence
Non-discrimination and Fairness
1. Some Existing Anti-discrimination Laws and Regulations
2. Regulatory Challenges
3. Regulatory Focus and Techniques
Emerging Regulatory Frameworks, Standards, and Guidelines
Safety, Liability, and Accountability
Considerations Around Generative AI Liabilities, Risks, and Safety
1. Potential Liability Risks Associated with GenAI Failures
2. Legal Frameworks for Assigning Liability
3. Insurance
Hallucination Insurance for Generative AI
Intellectual Property
1. Authorship, Inventorship, and Ownership
Protecting GenAI Components
2. Copyright Protection
3. Patent Protection
4. Trade Secrets
5. Licensing and Protection Strategies
6. Trademarks
7. Evolving Landscape:
8. Relevant Legislation
Technical Strategies, Standards, and Best Practices for Responsible AI
Fairness and Transparency
Security and Privacy
Robustness, Control, and Ethical AI Practices
How Organizations Can Leverage These Standards
Technical Safeguards for Responsible GenAI (Data Management)
Data process
Technique
Description
Case Study - Demonstrating Transparency and Accountability in Practice
Ongoing Monitoring and Compliance
Legal vs. Ethical Considerations in Governing Generative AI
Conclusion: Addressing the Gaps in AI Governance for a Responsible Future

This document is intended for informational purposes only and does not constitute legal advice.

This research document, prepared for the Cloud Security Alliance (CSA), explores the current landscape of regulatory governance surrounding Artificial Intelligence (AI). While the document addresses various legal and regulatory frameworks, it is essential to emphasize that the information presented should not be construed as legal guidance applicable to any specific situation.

The regulatory landscape of AI is rapidly evolving, and the interpretation and application of laws and regulations can vary significantly depending on various factors, including:

● Jurisdiction (country or region)
● Specific context (e.g., industry, use case)
● Specific AI technology or application

Therefore, the Cloud Security Alliance and the authors of this document strongly recommend seeking independent legal counsel for any questions or concerns related to the legal implications of AI development, deployment, or use.

Safe Harbor Statement

Forward-Focused Statements and the Evolving Landscape of Artificial Intelligence

This document contains certain statements that may be considered forward-focused in nature. To determine their applicability, we encourage seeking guidance from regulatory bodies and legal counsels in the corresponding countries. The authors and Cloud Security Alliance (CSA) have based these statements on their current knowledge and expectations. It is important to note that forward-focused statements are subject to inherent risks, uncertainties, and assumptions that may cause actual results to differ significantly from those projected or implied by such statements.

The following are some important factors that could affect the future developments in the field of Artificial Intelligence (AI) and the associated regulatory landscape, and thus potentially impact the accuracy of the forward-focused statements in this document:

● Rapid technological advancements: The field of AI is constantly evolving, with new technologies and applications emerging rapidly. It is difficult to predict the exact trajectory of these advancements or their impact on various aspects of AI regulation.
● Uncertainties in regulatory frameworks: Regulatory approaches to AI are still under development, and the specific regulations governing AI development, deployment, and use may vary significantly across different jurisdictions and could change over time.

● Emerging ethical considerations: As AI applications become more sophisticated, new ethical considerations will likely arise, potentially leading to additional regulations or guidelines surrounding responsible development and use of these technologies.
● Economic and social factors: The overall economic climate and social attitudes towards AI can influence the development and adoption of new technologies, as well as the regulatory landscape surrounding them.

The authors and the CSA disclaim any responsibility for updating or revising any forward-focused statements in this document to reflect future events or circumstances. Readers are cautioned not to place undue reliance on these statements, which reflect the authors' and CSA's views only as of the date of publication of this document.

Document Summary

This paper provides an overview of the legal and regulatory landscape surrounding AI and Generative AI (GenAI). It highlights the challenges of navigating this complex and dynamic landscape because of the diverse applications of GenAI, differing regulatory approaches taken by global regulators, and the slow adaptation of existing regulations.

The paper aims to equip organizations with the general knowledge they need to fundamentally understand their current standing and navigate the rapidly changing requirements for responsible and compliant AI use. It explores a selection of existing regulations, and lays out considerations and best practices for developing and deploying responsible AI across regional, national, and international levels.

This document provides a high-level overview of the current legal and regulatory landscape for AI, as of the time of writing, including Generative AI (GenAI). While not exhaustive, it is a starting point for organizations to understand their current position and identify key considerations for navigating the evolving requirements of responsible and compliant GenAI use.

Due to the ongoing advancements in the technology and the evolving legal and policy landscape, providing a complete overview is challenging. Therefore, we recommend utilizing this information as a foundation for staying informed about the evolving AI regulations and authorities. It’s important to consider that AI regulations come from various levels of governments and jurisdictions across the globe. Additionally, laws, such as data privacy and anti-discrimination regulations, will determine where and how AI can be used, even though they were not specifically designed for that purpose. For example, in the US, AI will be governed by city, state, and federal laws, agency actions, executive orders, voluntary industry agreements, and even common law. It’s important to keep this in mind as the origins of AI regulations aren’t always intuitive and therefore a diligent analysis should be conducted in preparation for your AI projects. The first far-reaching legal framework is the European AI Act because it is guaranteeing the safety and fundamental rights of people and businesses. Certain AI applications are forbidden if these interfere with, or threaten, citizens’ rights. Regulations are anticipated for high-risk AI systems, such as Large Language Models (LLMs) because of their significant potential harm to health, safety, fundamental rights, environment, democracy, and the rule of law.

Executive Summary

Artificial Intelligence (AI) is rapidly transforming our world, holding immense potential to reshape the very fabric of our society. However, this transformative power comes with a critical challenge: the current legal and regulatory landscape is struggling to keep pace with the explosive growth of AI, particularly Generative AI (GenAI). This paper aims to provide a high-level overview of existing legislation and regulations, and their impact on AI development, deployment, and usage. Our goal is to identify areas where legislation lags behind in search of practical approaches for deploying responsible AI. The current landscape lacks well-established legislation, leaving a gap in addressing potential risks associated with increasingly sophisticated AI functionalities. This creates a situation where existing regulations, like GDPR and CCPA/CPRA, provide a foundation for data privacy but don't offer specific guidance for the unique challenges of AI development with exceptions too few to be sufficient. With technology innovation that is not expected to slow down as the big tech giants plan to invest hundreds of billions into AI, the rapid pace of technological innovation has outpaced the ability of legislation to adapt.

A troubling gap is emerging. The widespread use of GenAI, both personal and professional, is happening alongside a lack of proper governance. Malicious actors are already wielding GenAI for sophisticated attacks, and companies are seeing GenAI as a competitive advantage, further accelerating its adoption. This rapid adoption, while exciting, needs to be accompanied by practices for responsible AI development that do not stifle innovation. The ideal solution fosters a global environment that encourages responsible, transparent, and explainable AI use, supported by clear and practical guidelines. To bridge the gap between the boundless potential of AI and the need for responsible development, we need a three-pronged collaborative approach: commitment to responsible AI from all tech companies, clear guidelines from policymakers, and effective regulations from legislatures.

This paper opens a critical dialogue on AI governance, focusing on legislation and regulations. It equips practitioners and businesses venturing into AI with a foundational understanding of the current AI governance landscape and its shortcomings. By highlighting these gaps, we aim to facilitate an open discussion on the necessary legal frameworks for responsible AI development and adoption.

Introduction

The rapidly expanding field of AI necessitates navigating the evolving legal and regulatory landscapes to ensure responsible development, deployment, and innovation while safeguarding individuals and society.

Understanding ethical and legal frameworks for AI empowers organizations to achieve three key objectives:

● Building trust and brand reputation: Organizations can build trust with stakeholders and bolster their brand reputation by demonstrating transparent and responsible AI practices.
● Mitigating risks: Proactive engagement with frameworks and utilizing a risk-based approach helps mitigate potential legal, reputational, and financial risks associated with irresponsible AI use, protecting both the organization and individuals.

● Fostering responsible innovation: By adhering to best practices, maintaining transparency, accountability, and establishing strong governance structures, organizations can foster a culture of responsible and safe AI innovation, ensuring its positive impact on society alongside its development. Responsible AI, through diverse teams, comprehensive documentation, and human oversight, would enhance model performance by mitigating bias, catching issues early, and aligning with real-world use.

Scope and Applicability

Navigating the complex legal landscape of AI and, more specifically, Generative AI (GenAI) presents a substantial challenge because of its inherent diversity. This paper delves into the regulatory landscape surrounding AI, encompassing diverse systems, such as deep learning models generating realistic text formats (code, scripts, articles), computer vision applications manipulating visual content (facial recognition, deepfake), stable diffusion (text-to-image model), and reinforcement learning algorithms employed in autonomous systems (self-driving cars, robots). Broader categories like generative adversarial networks (GANs) and large language models (LLMs) underpin numerous GenAI applications, necessitating their inclusion in regulatory considerations. Governing this vast spectrum of rapidly evolving systems necessitates a nuanced approach, as current legislation faces challenges adapting to this dynamic landscape. This creates a critical situation where a rapidly evolving technology permeates our lives and business practices because of competitive pressures, yet is coupled with inadequate and slow-to-adapt legal frameworks. This paper explores:

● How the most popular existing regulations attempt to address specific areas of GenAI
● Some challenges and opportunities surrounding the development of new legislation
● High-level recommendations and best practices for developing responsible AI principles using explainable AI techniques

This paper utilizes a staged approach to analyze the governance of AI, focusing on the following areas.

Current Document

Top-Level Government/Federal Legislation:
● USA:
  ○ Executive Orders (e.g., Maintaining American Leadership in Artificial Intelligence, and the Executive Order on the Safe, Secure, and Trustworthy Development and Deployment of Artificial Intelligence), and
  ○ Congressional Bills (e.g., Algorithmic Accountability Act of 2023) (Proposed)
● EU:
  ○ European Commission Policy Papers (e.g., Ethics Guidelines for Trustworthy AI)
  ○ Regulations (e.g., Artificial Intelligence Act)

Major Regional Regulations:
● California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA)
● General Data Protection Regulation (GDPR)

Future Considerations

National Level:
● Some regulations from APAC: China (enacted) (Ministry of Science and Technology), Japan (Cabinet Office), South Korea (Ministry of Science and ICT), Singapore, India's national policy "AI for All" (NITI Aayog)
● Others with emerging AI policies (Canada, UK, Australia)

International Organizations: Exploring frameworks from
● OECD (Recommendations on AI)
● UNESCO (Recommendation on the Ethics of AI).
The Global Partnership on Artificial Intelligence (GPAI) expertise from science, industry, civil society, governments, international organizations and academia to foster international cooperation
● ISO/IEC 42001:2023 (AIMS)
OWASP Top 10 for Large Language Model Applications

Table 1: Scope of Governance Areas

For more information regarding AI Governance in specific industries, please see CSA’s AI Resilience: A Revolutionary Benchmarking Model for AI Safety document.

Key Areas of Legal and Regulatory Focus for Generative AI

Data Privacy and Security

Generative AI presents unique challenges in the realm of data privacy and security. Its ability to learn from vast amounts of data raises concerns about how personal information is collected, stored, used, shared, and transferred throughout the AI development and deployment lifecycle. Several existing laws and regulations, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and Health Insurance Portability and Accountability Act (HIPAA), aim to protect individual privacy and data security as follows.

General Data Protection Regulation (GDPR) (EU)

● Applicability: The GDPR applies to organizations processing the personal data of individuals in the European Economic Area (EEA), regardless of the organization's location.
● Key Provisions:
  ○ Lawful basis for processing, fairness, and transparency: Organizations must have a lawful basis for processing personal data (e.g., user consent, legitimate interest, etc.). It requires clear and specific information about data collection and processing purposes to be provided to individuals.

  ○ Data minimization: Limits the collection and retention of personal data to what is strictly necessary for the stated purpose.
  ○ Data subject rights: Grants individuals various rights over their personal data, including the right to access, rectification, erasure, and restriction of processing.
  ○ Security measures: Requires appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction.
  ○ Automated individual decision-making, including profiling: The data subject’s explicit consent is required for automated decision-making, including profiling (GDPR, article 22).
● GDPR Compliance for Generative AI: The EU GDPR requires that individuals provide consent for processing their personal data, including data used in AI systems. In addition, the Data Protection requirements imply that systems must comply with GDPR principles such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.

1. Lawful and transparent data collection and processing

● Limitations on training and prompt data: The GDPR outlines key principles for handling data as follows:
  ○ Purpose limitation: Data can only be collected and used for specific, clearly defined or compatible purposes.
  ○ Necessity: Only the personal data essential for achieving those purposes can be collected and used.
  ○ Data minimization: The amount of personal data collected and used should be kept to a minimum, only collecting what is absolutely necessary.
  ○ Storage time limitation: Personal data must be stored for as short a time as possible, and time limits for storage must be established and reviewed regularly.

  In the context of training data (as well as prompt data, which also might become “training data”), this means collecting and using data only to the extent it's truly needed for the specific training objective.

● Informed consent: GDPR requires explicit user consent for collecting and processing personal data used to train Generative AI models. This ensures individuals understand how their data will be used (e.g., for model training or fine-tuning) and have the right to refuse. AI developers must facilitate exercising these rights by individuals whose data is processed by AI/ML systems.
● Transparency: Individuals in the EU have rights concerning their personal data, such as the right to access, rectify, erase, restrict processing, and data portability. Organizations must be transparent about how they use personal data in AI and ML, including the purpose, legal basis, and data retention period. Users should be able to understand how their data contributes to the generated outputs.

2. Data security and accountability

● Data security: Article 25 of GDPR states organizations must adopt “data protection by design and by default” and implement appropriate technical and organizational measures to ensure the security of personal data used in the foundational models, including encryption, access controls, and data breach notification procedures. Additionally, since LLMs are part of the overall supply chain, their security requires heightened attention to malicious techniques like adversarial attacks, data poisoning, and model bias.
● Accountability: Organizations are accountable for using personal data within GenAI-enabled systems and must demonstrate compliance with GDPR. This includes conducting data protection impact assessments and maintaining appropriate records.
● Data anonymization and pseudonymization: While anonymization and pseudonymization can help mitigate privacy risks, they may not always be sufficient in the context of GenAI, where even limited information can be used to infer identities.
● The potential harm of GenAI outputs: While the GDPR appears to only impact the data used to train models, the regulation also applies to model outputs. This includes addressing unintended generated outputs and the malicious use of deepfakes, which can damage individual reputations and violate ethical principles. Establishing clear guidelines and safeguards is essential to ensure responsible development and use of GenAI, mitigating risks and protecting individuals from potential harm.

3. Individual rights and control

● Right to access and rectification: Individuals have the right to understand and access their personal data used in GenAI and request rectification if it is inaccurate or incomplete. This includes information they directly provided or data generated through their interactions with GenAI. However, unlike traditional databases, implementing rectification for AI training data poses challenges because of the large size and interconnected nature of the data, potentially requiring retraining the entire model and causing unintended consequences. To date, the feasibility of rectification of inaccurate information already ingested into an AI model’s training data is unclear. While research on data labeling and privacy-preserving techniques is ongoing, ensuring the "right to rectification" remains an open challenge and the research on how to facilitate this requirement should be monitored.
● Right to erasure (right to be forgotten): Individuals have the right to request the erasure of their personal data, which may affect how AI/ML models are trained and used. Implementing this right presents a unique challenge for these models, as personal data can become deeply embedded within their complex internal representations after training. Currently, the technical feasibility and ethical implications of removing specific data points from trained models remain unclear. There is also a lack of reliable processes and established guidance on handling such requests, raising critical questions about balancing individual privacy with the model's overall functionality and societal benefits.
● Right to object: Individuals have the right to object to processing their personal data for specific purposes, including in the context of GenAI. However, exercising this right in the context of GenAI presents unique challenges. Currently, there is no reliable and standardized process to remove personal data from a training set once the model has been trained on it.

Additionally, the right to object might only apply to specific data elements and/or for specific purposes, not necessarily to all of the information used to train the model, potentially limiting the scope of an individual's objection. This highlights the need for ongoing development of transparent and accountable practices for GenAI systems that respect individual privacy rights.

● Compliance: The GDPR requires Data Privacy Impact Assessments (DPIA) to be performed for data processing activities. This extends to the data processing by AI systems
