AI Public Policy Predictions for 2023

Welcome to a new year of AI regulation. This year, from a privacy perspective, I foresee further efforts to implement Privacy Shield 2.0 and policymakers providing additional guidance to facilitate the importation of personal data from EU member states.  Following the invalidation of the original Privacy Shield program to allow the transfer of personal data from European countries to the US in the European Court of Justice, the EU and the US Department of Commerce have struggled to update the Privacy Shield program to pass muster. I don’t anticipate immediate impacts from the Biden Administration’s 2022 Blueprint for an AI Bill of Rights since businesses will likely ignore it and proceed with what they would have done in its absence.  There may be a few exceptions of businesses that nod to its existence.  However, the big tech companies will likely stick to their own AI governance frameworks.  In the long run, the Blueprint may inform future legislation or regulation in specific areas assuming that the political climate permits more comprehensive oversight of AI.

At the federal level, I am agnostic about whether we will see comprehensive federal data protection legislation with algorithmic accountability components or in conjunction with separate accountability legislation.  Regarding general federal data protection legislation, the support from many in the business community, coupled with perennial efforts from privacy advocates, may come together in a successful data protection bill.  Nonetheless, I could easily see the 118th Congress as focused so much on other topics that data protection legislation may have to wait for the 119th Congress. The FTC, however, will continue to guide businesses, and its enforcement actions will continue to shape how Section 5 of the FTC impacts the development, sale, procurement, and operation of AI systems.  FTC guidance on generative AI practices is likely in the near to medium term. I will write more about FTC activity in future posts.

State and some local legislative activity will continue in 2023.  In the absence of federal data protection legislations, some states will enact new general data protection legislation. Many if not most of them will have provisions regarding automated decision making.  California will likely see new regulations on automated decision making under the CPRA.  We may also see focused legislation on specific problems of AI perceived by legislators, such as AI tools causing bias in hiring and risks involved with generative AI.

In any case, 2023 is going to see an explosion of interest among legislators and regulators in terms of governing AI. With the advent of ChatGPT and other forms of generative AI, it seems that legislators and regulators must pay attention to AI. I am sure there will be plenty of new regulatory developments in 2023 to cover in these pages.