The prominence of data privacy and customer data at the World Bank & IMF Annual Meetings indicates a drastic shift in thinking for technology across the world. Historically, technology has been perceived and governed as a vehicle within sectors rather than a stand-alone entity requiring their own oversight. Data is today’s digital world has become so pervasive that we are just now beginning to understand the global over-allocation of risk.
Data and artificial intelligence while closely intertwined, present their own challenges and risks from a policy and governance perspective which will be addressed independently. The data itself presents incredible risks within cybersecurity, third party exploitation, and antitrust violations on the US domestic and international scale. Australia and the EU are leading the pack internationally through policy implementations of GDPR in attempts to control data privacy and enhance consumer protection, but the governance and regulatory framework speak to larger gaps from a US domestic perspective. While it sets the standards for data privacy, the EU also has Data Processing Agreements (DPAs), like technology and financial service industry Service Level Agreements (SLAs), that ensure the demonstrated compliance with applicable GDPR. These artifacts can be used to defend or enforce violations with the legislation with the European Data Protection Board (EDPB), which is the oversight authority within the EU for GDPR. Both the policy and enforcement agencies are major gaps in the United States that make simple adoption of GDPR infeasible for our current regulatory framework and architecture.
The twin peak model of the United States regulatory architecture would require a federated approach to GDPR implementation that would apply the principles within specific sectors. Additionally, the oversight authority would need to be relegated to existing oversight agencies, while also establishing an independent oversight authority and it remains unclear to whether that is politically feasible in the US. With China being the second largest economy next to the United States and also a major owner of US sovereign debt, the United States’ is in a precarious position which makes remaining the technology leader of the world ever more important and potentially disincentivizing their desire for robust oversight of technology practices or companies. While Japan becoming the majority owner of US sovereign debt in 2020 helps to reduce the threat for the US from foreign manipulation, (Japan and China owning 18.67% and 15.88%, respectively), the sovereign debt crisis of the United States presents the potential for competing priorities to technology regulation with technology, accounting for a significant portion of our economic activity. As the largest tech market in the world representing 32% of the total, the United States’ responsibility and exposure creates hurdles for data privacy and technology governance that the world is requiring us to solve.
The DOJ Antitrust Investigation of Competition in Digital Markets1 for ‘big tech’ (Facebook, Google, Amazon, and Apple) exemplifies the US challenges and their understanding of the gaps in regulatory purview and oversight authority. While the report speaks to violations of antitrust law, the more alarming aspects of the report appear on pages 51 to 57 regarding technology conglomerates sweeping market abuse through the lack of data privacy and protection. It remains a topic of debate whether competition will improve the consolidation of power and how the legislation would be designed to achieve that. For example, if data destruction on mobile location data was proposed as a way to give other firms a way to compete with the power of the big 4 and improve market incentives to protect the customer, the functionality of artificial intelligence which is improves through the power of supervised and unsupervised aspects of machine learning would only further exacerbate big tech’s consolidated power. The policy design challenges presented for data privacy and protection and fair competition are independent of the ethical hurdles associated with best practices and governance of artificial intelligence.
Domestically, the same oversight and enforcement gaps persist for artificial intelligence, but the actors are not holistically the same. While AI is a primary driver behind big tech for their tech advertising and monopoly, the regulatory culprit sits within third party abuse and data consumption though not explicitly within AI ethics and governance. There are several applications of AI in the United States which pose as more alarming examples to AI requiring its own governance and policies, such as COMPAS risk assessments that determine criminal sentencing in Ohio that further compound racial and gender bias2, and the AI technology behind facial recognition that has considerable disparity in accuracy between race and gender that is used in primary search engines3. In the United States, these tools are too heavily prevalent within law enforcement which is much different than the major consumers of technology data seen in the private sector.
The specifics for effective policy design within this topic are much too broad across sectors and application to address in a few pages, but in short there will need to be agreement minimally between the G8 for domestic and international governance on data privacy and artificial intelligence. Each present their own challenges in multilateral negotiations. While the US may be less willing to hurt big technology companies through data, China will not want to give up their privacy infringements through facial recognition software. Where the regulatory perimeter lies and how willing each country is to adopt legislation remains unseen. On a global scale, there is almost vacuum of legislation within this space which is only compounded by domestic policy gaps. Each country will need to have domestic policy and enforcement vehicles to ensure one location does not become an escape from another, and there will need to be an international agreement on practices and acceptable behavior for this area to improve. While we (the United States and globally), have begun to give this proper attention, we are years away from domestic and international policy that effectively governs data privacy and artificial intelligence.