Privacy & Information Security Law Blog

On June 12, 2023, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted a response to the U.S. National Telecommunications and Information Administration’s (“NTIA’s”) Request for Comments (“RFC”) on Artificial Intelligence (“AI”) Accountability. The NTIA’s RFC solicited comments on AI accountability measures and policies that can demonstrate trustworthiness of AI systems.

In its response to the NTIA, CIPL highlighted how organizational accountability mechanisms are essential to effective digital policy and regulation, including for responsible and trustworthy AI development and deployment. Specifically, accountability mechanisms allow organizations to demonstrate to their boards, customers, the public and regulators that a product or service meets specific criteria and is trustworthy. They also enable organizations to implement principle- and outcome-based legal requirements through measurable and demonstrable concrete steps and controls. There also is evidence that accountability mechanisms play an important role in providing legal certainty and business confidence, including in business-to-business contexts.

Further, CIPL highlighted the benefits of taking a risk-based and outcomes-based approach to AI governance, including through potential federal AI and privacy laws. This approach should be backed by innovative regulatory oversight and co-regulatory instruments that:

• Rely on impact assessments performed by organizations to trigger the application of the law. The assessments should consider the context and impact of a proposed AI use, rather than the sector it is utilized in or its type. The regulatory framework would provide illustrations of rebuttable presumptions of high-risk, rather than rigid pre-defined classifications. Organizations would assess the overall output and impact of the AI application, including its benefits and potential reticence risk, rather than focusing on risk only.
• Foster innovation through accountable practices of organizations. Rather than imposing prescriptive and indiscriminate requirements, the regulatory approach should set forth risk-based accountability requirements and outcomes that organizations should achieve through concrete, demonstrable and verifiable risk-based accountability measures.
• Enable consistent and modern approaches to regulatory oversight. This approach should be complemented by a consistent scheme of voluntary, but enforceable, codes of conduct, certification and labelling, which should be designed through consultation with stakeholders. Regulatory sandboxes and policy prototyping can be useful for enabling regulatory iteration in response to technological innovations.

Read CIPL’s full response to the NTIA RC on AI Accountability.

CIPL has worked on accountable AI since 2018 and has published various reports and white papers on topics at the intersection of data protection and artificial intelligence. In 2023, CIPL launched a project to research organizations’ experiences using CIPL and other accountability frameworks to guide their AI accountability programs, to collect best practices, promote their wider adoption and support future co-regulatory mechanisms. CIPL intends to publish this research later in 2023.