AI Regulation Must Lean on Privacy Laws, PLI Panelists Say

“We shouldn't understand AI as this dramatic new revolution that comes out of nowhere and need[s] something completely different to regulate it,” said George Washington University law professor Daniel Solove. “We already have a lot of privacy law,” and if reformed, “it can deal with this task.”

Solove compared the emergence of AI to “the early days of cyberspace,” where each area of law intersects with its usage, he added. “AI is not something so exceptional that it should be treated differently than a lot of other things, and the problems that we're facing with AI are actually problems … that we've had for a very long time,” especially in privacy.

John Verdi, senior director of global privacy at PayPal, agreed. “Lawmakers and regulators are pursuing more narrow approaches to regulating AI and more targeted approaches to regulating AI this year than they have in the past couple of years” but “their state privacy laws and the rule makings associated and the guidance promulgated around with those around those state privacy laws are increasingly impactful and important when it comes to AI regulation,” he said.

Verdi added that the use of existing or proposed laws or rulemaking around privacy to guide AI deployment will likely continue.

Harry Valetk, a data protection lawyer at Buchanan Ingersoll, flagged the guidance aspect as important. “Sometimes lawmakers are not going to sit and wait for those new requirements,” he said. “They're going to say, ‘Look, there are existing rules against certain activities that we're going to then now look at in the context of your use cases, which could include AI.’”

Anne Josephine Flanagan, co-founder of Boyd Strategy Group, said that “policymakers cannot possibly think of everything” and that's where existing laws are useful. “There's less of an appetite for wait and see, I would say, than there was previously.”

University of Ottawa law professor Karen Eltis noted that “we're moving away from compliance and ... toward safety," since "with AI, there's a loss of control.” Understanding this shift, and how transparency plays into it, can help when thinking about how AI should be regulated, she said.

Solove agreed. “The takeaway … from all this is that AI shows us exactly why the privacy laws and the approach that we've taken to privacy law in most laws is flawed,” he said. “That's the direction we should be looking in. We should be looking at how do we recognize that privacy laws aren't working -- and AI is a great example of why they're not working -- and then how do we fix them?”

Solove added that it would be a mistake “to just give up on privacy law and try to do something omnibus about AI" and think that will address privacy. "It won't."

Flanagan said looking at who owns the technology can signal where regulation is headed. “There's a temptation to look at user privacy and a temptation to just look at data protection issues and to sort of not see the headwinds by looking further along,” said the consultant.

Instead, thinking about “Who owns the data centers? Where are the chips coming from? How does that affect regulation?” These themes have "impacted how the EU is now looking at future legislation in this space.”

Additionally, Flanagan said enforcement actions under the EU AI Act and other national AI regulations in Europe will signal what might happen in the U.S.

In addition, Japan is a country to watch, agreed Flanagan and Eltis. “They strike a bit of a different chord,” Eltis said, in that “the focus is safety.”

Valetk, however, said he still recommends keeping an eye on U.S. states. Attorneys general and other "consumer protection authorities are very mindful of broader consumer effects and are going to look for ways to apply and … really rely on existing law to protect their residents and their community."