New AI scorecard can assess strength of state, federal legislation
The nonprofit research organization Electronic Privacy Information Center on Tuesday published a document that can be used to assess the strength of state and federal artificial intelligence legislation.
EPIC’s AI Legislation Scorecard, which the group said includes minimum standards for the responsible use of commercial AI and automated decision-making systems, lays out the legal aspects effective AI legislation should contain. This list includes strong legal definitions, data minimization requirements, obligations for conducting impact assessments and tests and complete prohibitions on particularly harmful AI uses.
The group’s leaders said the scorecard is intended to be used by lawmakers, journalists, advocates and academics to evaluate the strength of AI bills, but advised that AI legislation should only complement current laws, not preempt ones that offer more protections.
While the scorecard was developed with comprehensive regulatory AI bills in mind — like the law enacted in Colorado last month — it can also be used to evaluate the strength of the dozens of federal AI proposals introduced over the past year, such as those that create of task forces or regulate narrow and sector-specific uses of artificial intelligence.
Along with strict requirements on data minimization, the practice of only collecting necessary information, a key part of EPIC’s legal recommendations include robust enforcement mechanisms. These include limited cure periods, giving attorneys general or relevant agencies investigative and enforcement authority, and a private right of action, which allows individuals to bring civil suits against organizations found using, storing or sharing data improperly.
Private rights of action are sometimes found in comprehensive privacy bills, but pro-business interests typically oppose their inclusion. Vermont Gov. Phil Scott this month vetoed what would have become one of the strongest data privacy laws in the nation, arguing it would have created hostility from businesses that wished to operate in the state.
Many data privacy experts consider private rights of action to be the most effective violation deterrence. EPIC suggested that AI and privacy regulation should work together: “Enacting strong privacy laws is a key step in mitigating many of the worst AI risks today.”
EPIC’s leaders said the scorecard can be referred to by AI developers and organizations deploying AI as supplemental guardrails to protect the rights and safety of the public. It can also serve as a guide on potential AI-fueled harms, like civil rights violations or consumer fraud.
According to the group’s announcement, the scorecard relied on bill analysis, policy research and federal AI proposals and frameworks, including the National Institute of Standards and Technology’s AI Risk Management Framework, the Biden administration’s AI ‘Bill of Rights’ and the Online Civil Rights Act from Lawyers’ Committee for Civil Rights Under Law.
“The current lack of strong AI regulations on the state or federal level allows AI and automated decision-making technologies to be used in unsafe and discriminatory ways,” Kara Williams, an EPIC law fellow and author of the scorecard, said in a news release. “Our AI Legislation Scorecard lays out clear guardrails that legislators can put in place to ensure AI is used safely and responsibly.”