What could put the brakes on gen AI? Data privacy laws

Even as pressure mounts to leverage generative AI, businesses must factor in an increasingly strict regulatory environment.

In the news

The insatiable appetite of generative AI models for data, including personally identifiable information, has added urgency to the ongoing debate about privacy in a hyper-technological age.

You needn’t look far to learn plenty about both the risks and the steps various parties are taking to address them. This column notes a US Federal Trade Commission complaint against Rite-Aid, a drugstore chain whose “reckless use of [AI-fueled] facial surveillance systems left its customers facing humiliation and other harms,” according to an FTC official. More commonly, businesses are taking fire for their poor data privacy practices.

In this rapidly changing environment that seems to feature new regulations weekly, even businesses with the best intentions may run afoul of laws—not to mention lawmakers. And the explosive growth of AI in general, and generative AI especially, is not simplifying matters.

The European Union's General Data Protection Regulation (GDPR) is considered the world’s gold standard for privacy regulation; it provides extensive protections and imposes strict obligations on data controllers and processors. China’s Personal Information Protection Law (PIPL) is often compared to the GDPR. The US lacks a federal counterpart to the GDPR (though pressure is mounting to enact one), but there are privacy laws in specific areas such as healthcare and the protection of minors. California’s Consumer Privacy Act (CCPA) is the most robust state privacy law (of 13, but that number is growing rapidly). Today, few nations lack some sort of personal information protection law.

Business leaders may understandably feel whipsawed by rapidly changing and multiplying regulations, the constant threat of embarrassing gaffes and the pressure to do something, anything, to leverage AI. Move quickly but prudently, the advice goes. Easy for you to say.

The Cognizant take

The global landscape of AI and data privacy is “a complex tapestry woven with evolving legal frameworks, technological advancements and ethical considerations,” says Tahir Latif, Cognizant’s Global Practice Lead for Data Privacy and Responsible AI. While the GDPR and the CCPA have set rigorous standards, “it's the fines and their implications that capture the attention of businesses.” An example is WhatsApp’s $244 million penalty for a 2021 GDPR violation, which serves as a stark reminder of the stakes involved.

The evolving legal landscape signals an unmistakable shift toward more stringent data privacy norms, Latif says, underscoring a growing global consensus on the importance of safeguarding personal data. 

Ethical deployment brings different challenges to different industries, Latif says. “In healthcare, AI's potential in diagnostics must be balanced against privacy concerns, underscoring the need for robust anonymization techniques and ethical guidelines.” Meanwhile, the financial sector grapples with balancing AI-driven personalization against customers' rights to data privacy and explanation as mandated by privacy laws. Latif points to that industry’s embrace of such privacy-enhancing technologies as homomorphic encryption as evidence of innovative approaches being explored to reconcile these challenges—and stay on the right side of regulations. 

Good governance is often cited as the proactive key to regulatory compliance, and Latif notes the growing prominence of the US National Institute for Standards and Technology’s AI Risk Management Framework and similar data privacy guideposts. “Such frameworks are vital for managing AI risks and ensuring AI systems are not only compliant but also ethically sound,” he says. They reflect “a deeper understanding of the complexities involved and the need for comprehensive strategies that go beyond mere compliance.” 

Little about the near- to middle-term outlook is certain, Latif notes—but continuing evolution is a sure bet. “Emerging technologies like quantum computing will further redefine the landscape,” he says. “And the ongoing global dialog on data privacy and AI laws will continue to shape organizational strategies.”

Such a dynamic environment presents a unique opportunity for organizations to not merely adapt but lead in the development of responsible and ethical AI practices, Latif believes. “The focus should be on harnessing AI’s potential responsibly and ensuring technological advancements align with the protection of individual rights and societal values.”