歐盟和美國(guó)在人工智能監(jiān)管問(wèn)題上存在分歧：跨大西洋比較和協(xié)調(diào)步驟 The EU and U.S. diverge on AI regulation A transatlantic comparison and steps to alignment 2023

TheEUandU.S.divergeonAI

regulation:Atransatlanticcomparisonandstepstoalignment

EXECUTIVESUMMARY

TheEUandtheU.S.arejointlypivotaltothefutureofglobalAIgovernance.EnsuringthatEUandU.S.approachestoAIriskmanagementaregenerallyalignedwillfacilitatebilateraltrade,improveregulatoryoversight,andenablebroadertransatlanticcooperation.

TheU.S.approachtoAIriskmanagementishighlydistributedacrossfederalagencies,manyadaptingtoAIwithoutnewlegalauthorities.Meanwhile,theU.S.hasinvestedinnon-regulatoryinfrastructure,suchasanewAIriskmanagementframework,evaluationsoffacialrecognitionsoftware,andextensivefundingofAIresearch.TheEUapproachtoAIriskmanagementischaracterizedbyamorecomprehensiverangeoflegislationtailoredtospecificdigitalenvironments.TheEUplanstoplacenewrequirementsonhigh-riskAIinsocioeconomicprocesses,thegovernmentuseofAI,andregulatedconsumerproductswithAIsystems.OtherEUlegislationenablesmorepublictransparencyandinfluenceoverthedesignofAIsystemsinsocialmediaande-commerce.

TheEUandU.S.strategiesshareaconceptualalignmentonarisk-basedapproach,agreeonkeyprinciplesoftrustworthyAI,andendorseanimportantroleforinternationalstandards.However,thespecificsoftheseAIriskmanagementregimeshavemoredifferencesthansimilarities.RegardingmanyspecificAIapplications,especiallythoserelatedtosocioeconomicprocessesandonlineplatforms,theEUandU.S.areonapathtosignificantmisalignment.

TheEU-U.S.TradeandTechnologyCouncilhasdemonstratedearlysuccessworkingonAI,especiallyonaprojecttodevelopacommonunderstandingofmetricsandmethodologiesfortrustworthyAI.Throughthesenegotiations,theEUandU.S.havealsoagreedtoworkcollaborativelyoninternationalAIstandards,whilealsojointlystudyingemergingrisksofAIandapplicationsofnewAItechnologies.

MorecanbedonetofurthertheEU-U.S.alignment,whilealsoimprovingeachcountry’sAIgovernanceregime.Specifically:

oTheU.S.shouldexecuteonfederalagencyAIregulatoryplansanduse

thesefordesigningstrategicAIgovernancewithaneyetowardsEU-U.S.alignment.

oTheEUshouldcreatemoreflexibilityinthesectoralimplementationof

theEUAIAct,improvingthelawandenablingfutureEU-U.S.cooperation.

oTheU.S.needstoimplementalegalframeworkforonlineplatform

governance,butuntilthen,theEUandU.S.shouldworkonshareddocumentationofrecommendersystemsandnetworkalgorithms,aswellasperformcollaborativeresearchononlineplatforms.

oTheU.S.andEUshoulddeepenknowledgesharingonanumberoflevels,

includingonstandardsdevelopment;AIsandboxes;largepublicAIresearchprojectsandopen-sourcetools;regulator-to-regulatorexchanges;anddevelopinganAIassuranceecosystem.

MorecollaborationbetweentheEUandtheU.S.willbecrucial,asthesegovernmentsareimplementingpoliciesthatwillbefoundationaltothe

democraticgovernanceofAI.

INTRODUCTION

Approachestoartificialintelligence(AI)riskmanagement—shapedbyemerginglegislation,regulatoryoversight,civilliability,softlaw,andindustrystandards—arebecomingkeyfacetsofinternationaldiplomacyandtradepolicy.Inadditiontoencouragingintegratedtechnologymarkets,amoreunifiedinternationalapproachtoAIgovernancecanstrengthenregulatoryoversight,guideresearchtowardssharedchallenges,promotetheexchangeofbestpractices,andenabletheinteroperabilityoftoolsfortrustworthyAIdevelopment.

EspeciallyimpactfulinthislandscapearetheEUandtheU.S.,whicharebothcurrentlyimplementingfoundationalpoliciesthatwillsetprecedentsforthefutureofAIriskmanagementwithintheirterritoriesandglobally.ThegovernanceapproachesoftheEUandU.S.touchonawiderangeofAIapplicationswithinternationalimplications,includingmoresophisticatedAIinconsumerproducts;aproliferationofAIinregulatedsocioeconomicdecisions;anexpansionofAIinawidevariety

ofonlineplatforms;andpublic-facingweb-hostedAIsystems,suchas

generativeAIandfoundationmodels

.[i]

Thispaperconsidersthebroad

approachesoftheU.S.andtheEUtoAIriskmanagement,comparespolicydevelopmentsacrosseightkeysubfields,anddiscussescollaborativestepstakensofar,especiallythroughtheEU-U.S.TradeandTechnologyCouncil.Further,thispaperidentifieskeyemergingchallengestotransatlanticAIriskmanagementandofferspolicymakingrecommendationsthatmightadvancewell-alignedandmutually

beneficialEU-U.S.AIpolicy.

THEU.S.APPROACHTOAIRISKMANAGEMENT

TheU.S.federalgovernment’sapproachtoAIriskmanagementcanbroadlybecharacterizedasrisk-based,sectorallyspecific,andhighlydistributedacrossfederalagencies.Thereareadvantagestothisapproach,howeveritalsocontributestotheunevendevelopmentofAI

policies.WhilethereareseveralguidingfederaldocumentsfromtheWhiteHouseonAIharms,theyhavenotcreatedanevenorconsistent

federalapproachtoAIrisks.

“Byandlarge,federalagencieshavestillnotdevelopedtherequiredAIregulatoryplans.”

TheFebruary2019executiveorder,MaintainingAmericanLeadershipinArtificialIntelligence(EO13859),anditsensuingOfficeofManagement

andBudget(OMB)guidance(M-21-06)presentedthefirstfederal

approachtoAIoversight

.[1]

DeliveredinNovember2020,15

monthsafterthedeadlinesetinEO13859,theOMBguidanceclearlyarticulatedarisk-basedapproach,stating“themagnitudeandnatureoftheconsequencesshouldanAItoolfail…canhelpinformthelevelandtypeofregulatoryeffortthatisappropriatetoidentifyandmitigaterisks.”ThesedocumentsalsourgedagenciestoconsiderkeyfacetsofAIriskreductionthroughregulatoryandnon-regulatoryinterventions.ThisincludesusingscientificevidencetodetermineAI’scapabilities,enforcingnon-discriminationstatutes,consideringdisclosurerequirements,andpromotingsafeAIdevelopmentanddeployment.WhilethesedocumentsreflectedtheTrumpadministration’sminimalist

regulatoryperspective,theyalsorequiredagenciestodevelopplansto

regulateAIapplications

.[2]

Byandlarge,federalagencieshavestillnotdevelopedtherequiredAIregulatoryplans.InDecember2022,StanfordUniversity’sCenterfor

Human-CenteredAIreleasedareportstatingthatonlyfiveof41major

agenciescreatedanAIplanasrequired

.[3,]

[ii]

Thisisagenerous

interpretation,asonlyonemajoragency,theDepartmentofHealthand

HumanServices(HHS),providedathoroughplaninresponse

.[4]

HHS

extensivelydocumentedtheagency’sauthorityoverAIsystems(through12differentstatutes),itsactiveinformationcollections(e.g.,onAIforgenomicsequencing),andtheemergingAIusecasesofinterest(mostlyinillnessdetection).ThethoroughnessoftheHHS’sregulatoryplanshowshowvaluablethisendeavorcouldbeforfederalagencyplanningandinformingthepublicifotheragenciesweretofollowinHHS’sfootsteps.

RatherthanfurtherimplementingEO13859,theBidenadministration

insteadrevisitedthetopicofAIrisksthroughtheBlueprintforanAIBill

ofRights(AIBoR)

.[5]

DevelopedbytheWhiteHouseOfficeofScienceand

TechnologyPolicy(OSTP),theAIBoRincludesadetailedexpositionofAIharmstoeconomicandcivilrights,fiveprinciplesformitigatingtheseharms,andanassociatedlistoffederalagencies’actions.TheAIBoR

endorsesasectorallyspecificapproachtoAIgovernance,withpolicyinterventionstailoredtoindividualsectorssuchashealth,labor,andeducation.Itsapproachisthereforequitereliantontheseassociatedfederalagencyactions,ratherthancentralizedaction,especiallybecausetheAIBoRisnonbindingguidance.

ThattheAIBoRdoesnotdirectlycompelfederalagenciestomitigateAI

risksisclearfromthepatchworkofresponses,withsignificanteffortsin

someagenciesandnon-responseinothers

.[6]

Further,despitethefivebroadprinciplesoutlinedintheAIBoR

,[iii]

mostfederalagenciesare

onlyabletoadapttheirpre-existinglegalauthoritiestoalgorithmicsystems.ThisisbestdemonstratedbyagenciesregulatingAIusedtomakesocioeconomicdecisions.ThisincludestheFederalTradeCommission(FTC),whichcanuseitsauthoritytoprotectagainst“unfair

anddeceptive”practicestoenforcetruthinadvertisingandsomedata

privacyguaranteesinAIsystems

.[7]

TheFTCisalsoactivelyconsidering

howitsexistingauthoritiesaffectdata-drivencommercialsurveillance,includingalgorithmicdecision-making,andsomeadvocacy

organizationshavearguedtheFTCcanplacetransparencyandfairness

requirementsonsuchalgorithmicsystems

.[8]

TheEqualEmployment

OpportunityCommission(EEOC)canimposesometransparency,requireanon-AIalternativeforpeoplewithdisabilities,andenforcenon-

discriminationinAIhiring

.[9]

TheConsumerFinancialProtectionBureau

(CFPB)requiresexplanationsforcreditdenialsfromAIsystemsand

couldpotentiallyenforcenon-discriminationrequirements

.[10]

Thereare

otherexamples,however,innosectordoesanyagencyhavethelegalauthoritiesnecessarytoenforcealloftheprinciplesexpressedbytheAIBoR,northoseinEO13859.

Oftheseprinciples,theBidenadministrationhasbeenespeciallyvocalonracialequityandinFebruary2023publishedtheexecutiveorderFurtherAdvancingRacialEquityandSupportforUnderservedCommunitiesThroughtheFederalGovernment(EO14091).Thesecondexecutiveorderonthissubject,EO14091,directsfederalagenciesto

addressemergingriskstocivilrights,including“algorithmic

discriminationinautomatedtechnology.

”[11]

Itistoosoontoknowthe

impactofthisnewexecutiveorder.

Federalagencieswithregulatorypurviewoverconsumerproductsarealsomakingadjustments.OneleadingagencyistheFoodandDrugAdministration(FDA),whichhasbeenworkingtoincorporateAI,and

specificallymachinelearning,inmedicaldevicessinceatleast

2019

.[12]

TheFDAnowpublishesbestpracticesforAIinmedicaldevices,

documentscommerciallyavailableAI-enabledmedicaldevices,andhaspromisedtoperformrelevantpilotsandadvanceregulatorysciencein

itsAIactionplan

.[13]

AsidefromtheFDA,theConsumerProductsSafety

Commission(CPSC)statedin2019itsintentiontoresearchandtrackincidentsofAIharmsinconsumerproducts,aswellastoconsiderpolicy

interventionsincludingpubliceducationcampaigns,voluntary

standards,mandatorystandards,andpursuingrecalls

.[14]

In2022,CPSC

issuedadraftreportonhowtotestandevaluateconsumerproducts

whichincorporatemachinelearning

.[15]

Issuedinthefinaldaysofthe

Trumpadministration,theDepartmentofTransportation’sAutomated

VehiclesComprehensivePlansoughttoremoveregulatoryrequirements

forsemi-andfully-autonomousvehicles

.[16]

InparallelwiththeunevenstateofAIregulatorydevelopments,theU.S.iscontinuingtoinvestininfrastructureformitigatingAIrisks.MostnotableistheNationalInstituteofStandardsandTechnology’s(NIST)AI

RiskManagementFramework(RMF),firstreleasedasadraftonMarch

17,2022,withafinalreleaseonJanuary26,2023

.[17]

TheNISTAIRMFis

avoluntaryframeworkthatbuildsofftheOrganizationforEconomicCooperationandDevelopment’s(OECD)Frameworkforthe

ClassificationofAISystemsbyofferingcomprehensivesuggestionson

whenandhowriskcanbemanagedthroughouttheAIlifecycle

.[18]

NIST

isalsodevelopinganewAIRMFPlaybook,withconcreteexamplesofhowentitiescanimplementtheRMFacrossthedatacollection,

development,deployment,andoperationofAI

.[19]

TheNISTAIRMFwill

alsobeaccompaniedbyaseriesofcasestudies,eachofwhichwill

documentthestepsandinterventionstakentomitigateriskwithina

specificAIapplication

.[20]

Whileitistoosoontotellwhatdegreeof

adoptiontheNISTAIRMFwillachieve,the2014NISTCybersecurity

Frameworkhasbeenwidelyadapted(usuallyentailingpartialadoption)

byindustry

.[21]

NISTalsoplaysaroleinevaluatingandpubliclyreportingonthe

accuracyandfairnessoffacialrecognitionalgorithmsthroughits

ongoingFaceRecognitionVendorTestprogram

.[22]

Inoneanalysis,NIST

testedandcompared189commercialfacialrecognitionalgorithmsforaccuracyondifferentdemographicgroups,contributingvaluable

informationtotheAImarketplaceandimprovingpublicunderstanding

ofthesetools

.[23]

Anassortmentofotherpolicyactionsaddressessomealgorithmicharmsandcontributestofutureinstitutionalpreparednessandthuswarrantsmention,evenifAIriskisnottheprimaryorientation.LaunchedinApril2022,theNationalAIAdvisoryCommitteemayplayanexternaladvisoryroleinguidinggovernmentpolicyonmanagingAIrisksinareassuchas

lawenforcement,althoughitisprimarilyconcernedwithadvancingAIas

anationaleconomicresource

.[24]

Thefederalgovernmenthasalsorun

severalpilotsofanimprovedhiringprocess,aimedatattractingdata

sciencetalenttothecivilservice,akeyaspectofpreparednessforAI

governance

.[25]

Currently,the“datascientist”occupationalseriesisthe

mostrelevantfederalgovernmentjobforthetechnicalaspectsofAIriskmanagement.However,thisroleismoreorientedtowardsperforming

datasciencethanreviewingorauditingAImodelscreatedbyprivate

sectordatascientists

.[26]

[iv]

TheU.S.governmentfirstpublishedanationalAIResearchand

DevelopmentStrategicPlanin2016,andin2022,13federaldepartments

fundedAIresearchanddevelopment

.[27]

TheNationalScience

Foundationhasnowfunded19interdisciplinaryAIresearchinstitutes,

andtheacademicworkcomingfromsomeoftheseinstitutesis

advancingtrustworthyandethicalAImethods

.[28]

Similarly,the

DepartmentofEnergywastaskedwithdevelopingmorereliableAI

methodswhichmightinformcommercialactivity,suchasinmaterials

discovery

.[29]

Further,theBidenadministrationwillseekanadditional

$2.6billionoversixyearstofundAIinfrastructureundertheNationalAI

ResearchResource(NAIRR)project,whichstatesthatencouraging

trustworthyAIisoneofitsfourkeygoals

.[30]

Specifically,theNAIRR

couldbeusedtobetterstudytherisksofemerginglargeAImodels,manyofwhicharecurrentlydevelopedwithoutpublicscrutiny.

Inasignificantrecentdevelopment,aseriesofstateshaveintroduced

legislationtotacklealgorithmicharms,includingCalifornia,Connecticut,

andVermont

.[31]

WhilethesemightmeaningfullyimproveAIprotections,

theycouldalsopotentiallyleadtofuturepre-emptionissuesthatwouldmirrortheongoingchallengetopassingfederalprivacylegislation

(namely,howshouldthefederallegislationreplaceoraugmentvarious

statelaws)

.[32]

THEEUAPPROACHTOAIRISKMANAGEMENT

TheEU’sapproachtoAIriskmanagementiscomplexandmultifaceted,buildingonimplementedlegislation,especiallytheGeneralDataProtectionRegulation(GDPR),andspanningnewlyenactedlegislation,namelytheDigitalServicesActandDigitalMarketsAct,aswellaslegislationstillbeingactivelydebated,particularlytheAIAct,amongotherrelevantendeavors.TheEUhasconsciouslydevelopeddifferentregulatoryapproachesfordifferentdigitalenvironments,eachwitha

differentdegreeofemphasisonAI.

“TheEUhasconsciouslydevelopeddifferentregulatoryapproachesfordifferentdigitalenvironments,eachwithadifferentdegreeofemphasisonAI.”

Asidefromitsdataprivacyimplications,GPDRcontainstwoimportantarticlesrelatedtoalgorithmicdecision-making.First,GDPRstatesthat

algorithmicsystemsshouldnotbeallowedtomakesignificantdecisions

thataffectlegalrightswithoutanyhumansupervision

.[33]

Basedonthis

clause,in2021,Uberwasrequiredtoreinstatesixdriverswhowere

foundtohavebeenfiredsolelybythecompany’salgorithmic

system

.[34]

Second,GDPRguaranteesanindividual’srightto“meaningful

informationaboutthelogic”ofalgorithmicsystems,attimes

controversiallydeemeda“righttoexplanation.

”[35]

Inpractice,

companiessuchashomeinsuranceprovidershaveofferedlimited

responsestorequestsforinformationaboutalgorithmic

decisions

.[36]

Therearemanyopenquestionsaboutthisclause,including

howoftenaffectedindividualsrequestthisinformation,howvaluablethe

informationistothem,andwhathappenswhencompaniesrefuseto

providetheinformation

.[37]

TheEUAIActwillbeanespeciallycriticalcomponentoftheEU’s

approachtoAIriskmanagementinmanyareasofAIrisk

.[38]

WhiletheAI

Actisnotyetfinalized,enoughcanbeinferredfromtheEuropeanCommissionproposalfromApril2021,thefinalCounciloftheEUproposalfromDecember2022,andtheavailableinformationfromtheongoingEuropeanParliamentdiscussionsinordertoanalyzeitskeyfeatures.

Althoughitisoftenreferredtoas“horizontal,”theAIActimplementsa

tieredsystemofregulatoryobligationsforaspecificallyenumeratedlist

ofAIapplications

.[39]

SeveralAIapplications,includingdeepfakes,

chatbots,andbiometricanalysis,mustclearlydisclosethemselvestoaffectedpersons.AdifferentsetofAIsystemswith“unacceptablerisks”

wouldbebannedcompletely,potentiallyincludingAIforsocial

scoring

,[v]

AI-enabledmanipulativetechnologies,and,withseveral

importantexceptions,biometricidentificationbylawenforcementinpublicspaces.

Betweenthesetwotierssits“high-risk”AIsystems,whichisthemostinclusiveandimpactfulofthedesignationsintheEUAIAct.TwocategoriesofAIapplicationswillbedesignatedashigh-riskundertheAIAct:regulatedconsumerproductsandAIusedforimpactfulsocioeconomicdecisions.Allhigh-riskAIsystemswillhavetomeetstandardsofdataquality,accuracy,robustness,andnon-discrimination,whilealsoimplementingtechnicaldocumentation,record-keeping,ariskmanagementsystem,andhumanoversight.Entitiesthatsellordeploycoveredhigh-riskAIsystems,calledproviders,willneedtomeettheserequirementsandsubmitdocumentationthatattesttotheconformityoftheirAIsystemsorotherwisefacefinesashighas6%ofannualglobalturnover.

Thefirstcategoryofhigh-riskAIincludesconsumerproductsthatarealreadyregulatedundertheNewLegislativeFramework,theEU’ssingle-

marketregulatoryregime,whichincludesproductssuchasmedical

devices,vehicles,boats,toys,andelevators

.[40]

Generallyspeaking,this

meansthatAI-enabledconsumerproductswillstillgothroughthepre-existingregulatoryprocessunderthepertinentproductharmonizationlegislationandwillnotneedasecond,independentconformityassessmentjustfortheAIActrequirements.Therequirementsforhigh-riskAIsystemswillbeincorporatedintotheexistingproductharmonizationlegislation.Asaresult,ingoingthroughthepre-existingregulatoryprocess,businesseswillhavetopaymoreattentiontoAIsystems,reflectingthefactthatsomemodernAIsystemsmaybemoreopaque,lesspredictable,orplausiblyupdateafterthepointofsale.Notably,someEUagencieshavealreadybeguntoconsiderhowAIaffectstheirregulatoryprocesses.Oneleadingex