The Evolution of Privacy Law in the Age of AI, and Best Practices for Using AI in Your Workplace
Insights from Privacy Law and AI Expert Daniel J. Solove
Privacy Problems with Generative AI
Renowned AI and privacy expert Daniel J. Solove recently published a paper examining the privacy concerns raised by Generative AI.1 Generative AI, while transformative, presents significant privacy challenges. Solove identified three specific areas of concern: personal data being used by AI, potentially misleading information created by AI, and AI’s ability to undermine fairness and due process. His paper made me rethink our approach to AI regulation and privacy laws.
DATA RECONSTITUTION
Most people using AI presumably understand that privacy concerns are inextricably linked with AI development; these concerns are widely discussed, recognized, and written about. But far fewer people are aware of the subtle ways they may inadvertently share personally identifiable information (PII) when using AI tools, even with supposedly 'anonymized' data. One of the primary concerns is AI’s generation of new personal data through inference. GenAI consumes personal data, but it also produces new data, linking multiple sources of private information and often revealing sensitive details that were not evident in any single source but become identifiable in combination. I call this data reconstitution. So even if you are confident you are not sharing personal details, you might still be inadvertently sharing information that can be “reconstituted” to reveal confidential information. This blurring of the line between data collection and data processing circumvents traditional privacy protections and leaves individuals with little control over the information organizations can infer about them. Even when consumers and individuals have the opportunity to opt out of data collection, there is no way for us to opt out of data inference.
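To make the mechanics concrete, here is a minimal, hypothetical sketch in Python of the classic linkage technique underlying data reconstitution: two datasets that each look anonymous are joined on quasi-identifiers (ZIP code, birth year, gender) to re-identify a person. Every name and record below is invented.

```python
# A hypothetical sketch of "data reconstitution": two datasets that each look
# anonymous are linked on shared quasi-identifiers to re-identify a person.
# All names and records below are invented for illustration.

# Dataset 1: an "anonymized" medical record release (no names).
medical_records = [
    {"zip": "30309", "birth_year": 1984, "gender": "F", "diagnosis": "diabetes"},
    {"zip": "30318", "birth_year": 1991, "gender": "M", "diagnosis": "asthma"},
]

# Dataset 2: a public roster (e.g., a voter list) that does include names.
public_roster = [
    {"name": "Jane Doe", "zip": "30309", "birth_year": 1984, "gender": "F"},
    {"name": "John Roe", "zip": "30327", "birth_year": 1978, "gender": "M"},
]

QUASI_IDENTIFIERS = ("zip", "birth_year", "gender")

def key(record):
    """Project a record onto its quasi-identifiers."""
    return tuple(record[field] for field in QUASI_IDENTIFIERS)

# Index the public roster by quasi-identifiers, then join against it.
roster_index = {key(person): person["name"] for person in public_roster}

for record in medical_records:
    name = roster_index.get(key(record))
    if name:
        # Neither dataset alone revealed this; together they do.
        print(f"Re-identified: {name} -> {record['diagnosis']}")
```

Neither dataset discloses anything sensitive on its own; the join is what reveals Jane Doe’s diagnosis. Scaled up to the inference power of GenAI, this is why “we never shared your name” offers little comfort.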
FAKES AND DEEP FAKES
Another vein of privacy concern centers on GenAI’s potential for creating malevolent material. GenAI can generate misleading or harmful content, such as deepfakes or false information, which can be used to deceive and manipulate individuals. This capability exacerbates existing privacy concerns by facilitating the spread of misinformation and enabling malicious activities. For example, AI can convincingly recreate the voice of someone we recognize, and that cloned voice can then be used to spread hate speech or to pursue malicious political gains.
To date, there is no comprehensive federal law (or state law, for that matter) that provides adequate protection to individuals against such fakes and deepfakes. Moreover, the dynamic and opaque nature of Generative AI algorithms poses significant transparency challenges. Understanding these algorithms requires access to the training data, which is often inaccessible or incomprehensible to the general public. This lack of transparency makes it difficult for regulatory bodies to oversee AI systems, and equally difficult for individuals to trust them.
DUE PROCESS AND FAIRNESS
Finally, Generative AI can undermine due process and fairness. Individuals often lack meaningful avenues to challenge AI-generated decisions. This can lead to situations where people are subjected to decisions that significantly impact their lives without adequate recourse to seek redress or to challenge the accuracy and fairness of those decisions.
This issue can have profound implications across various sectors, including criminal justice, employment, and finance. For example, in the criminal justice system, AI-powered risk assessment tools are increasingly being used to inform decisions about bail, sentencing, and parole. A notable case is the use of the COMPAS (Correctional Offender Management Profiling for Alternative Sanctions) system in several U.S. states.
In 2016, an investigative report by ProPublica found that the COMPAS system, which predicts the likelihood that a defendant will reoffend, was biased against Black defendants. The system was more likely to falsely flag Black defendants as future criminals, wrongly labeling them as high risk nearly twice as often as white defendants. Conversely, white defendants were more likely to be incorrectly labeled as low risk.
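The arithmetic behind a finding like ProPublica’s is straightforward to illustrate. Below is a hedged sketch in Python, using entirely synthetic data (not COMPAS data), of comparing false positive rates across groups: how often defendants who did not in fact reoffend were nonetheless labeled high risk.

```python
# An illustrative fairness check on entirely synthetic records (not COMPAS
# data): compare, by group, how often non-reoffenders were wrongly labeled
# high risk. Each case is (group, labeled_high_risk, actually_reoffended).

synthetic_cases = [
    ("A", True, False), ("A", True, False), ("A", True, True),
    ("A", False, False), ("A", False, True),
    ("B", True, False), ("B", True, True), ("B", False, False),
    ("B", False, False), ("B", False, True),
]

def false_positive_rate(cases, group):
    """Share of non-reoffenders in `group` who were labeled high risk."""
    non_reoffenders = [c for c in cases if c[0] == group and not c[2]]
    false_positives = [c for c in non_reoffenders if c[1]]
    return len(false_positives) / len(non_reoffenders)

for group in ("A", "B"):
    rate = false_positive_rate(synthetic_cases, group)
    print(f"Group {group}: false positive rate = {rate:.0%}")
```

With the invented records above, group A’s non-reoffenders are wrongly flagged at twice the rate of group B’s (67% versus 33%), which is the shape of the disparity ProPublica reported.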
This case highlights several critical issues:
Opacity: The algorithmic decision-making process was not transparent, making it difficult for defendants to understand or challenge the assessments.
Bias: The AI system appeared to perpetuate and potentially amplify existing societal biases.
Lack of due process: Defendants had limited ability to contest these AI-generated risk scores, which significantly influenced their treatment in the justice system.
Far-reaching consequences: These AI-driven decisions had profound impacts on individuals' lives, affecting their liberty and future prospects.
The COMPAS case underscores the urgent need for safeguards and oversight in AI systems, especially those used in high-stakes decision-making processes. It highlights the importance of transparency, fairness, and the right to contest AI-generated outcomes.
To address these concerns, policymakers and AI developers must work towards creating systems that are not only accurate but also fair, transparent, and accountable. This could involve regular audits of AI systems, diverse representation in AI development teams, and clear mechanisms for individuals to challenge AI-driven decisions that affect them.
Moreover, there's a growing call for "algorithmic impact assessments": systematic evaluations of AI systems before their deployment to identify potential biases and negative impacts. Such assessments could help prevent unfair outcomes and ensure that AI systems enhance, rather than undermine, principles of due process and equal treatment under the law.2
Regulations Solove Suggests and Their Rationale
Solove emphasizes the need for comprehensive reforms in privacy law to address the unique challenges posed by Generative AI. He argues against "AI exceptionalism," suggesting that privacy issues related to AI should be tackled as part of broader privacy law reforms. This holistic approach ensures that privacy protections are robust and effective across various contexts, not just AI-specific scenarios.
One of Solove's key recommendations is to reduce the burden on individuals to manage their privacy. Currently, it feels as though the entire burden of protecting my personal information rests squarely on my shoulders, with very little power or control, and without my even knowing the rules. A standout example is Meta’s decision to use all of our personal photos, images, and content on Instagram and Facebook for training its AI models. Those under the aegis of the GDPR can opt out; it is unnecessarily difficult, but at least the option exists. Those of us not covered by the GDPR, including everyone living in the United States, have no option to opt out. And it is not at all clear how these images and this information will be used. Solove critiques this traditional model of privacy self-management, in which individuals are expected to make informed decisions about their data. Instead, he advocates placing more responsibility on organizations, mandating significant obligations to mitigate risks and ensure accountability. This makes a great deal of sense to me, since those very companies are the ones best placed, and most incentivized, to exploit my information. It would also put us in better alignment with the GDPR.
Critics worry that shifting this burden will have a chilling effect on technological innovation. Solove's answer is a harm- and risk-based approach to AI regulation: identifying and addressing the potential harms and risks associated with AI, both before and after AI tools are deployed. By balancing preventive (ex-ante) and reactive (ex-post) regulatory measures, policymakers can protect privacy without stifling innovation.
Transparency and accountability are crucial elements of Solove's regulatory framework. He calls for improved mechanisms to ensure that organizations provide clear and accessible information about their AI systems and maintain robust internal and external accountability measures. This helps build trust and ensures compliance with privacy laws.
Involving diverse stakeholders in the development and regulation of AI is another important recommendation. Solove emphasizes the need to include voices from underrepresented and marginalized communities to ensure that AI systems are fair and equitable. This inclusive approach helps address biases and ensures that the concerns of all affected parties are considered.
At present, we cannot make our own sweeping changes to privacy laws, or to the lack of them. We can, however, be certain to use best practices when dealing with PII or any other sensitive data.
Best Practices for Using AI in the Workplace
As lawyers and legal professionals using Generative AI, we can follow several best practices to mitigate privacy risks and ensure responsible use of the technology, including the following:
1. Transparency and Disclosure: Provide those in our firm, and our clients, with clear and accessible information about the AI systems we use, including data sources, training data, and decision-making processes. Transparency builds trust and helps individuals understand how their data is being used.
2. Minimize Data Collection and Use: Practice data minimization by collecting only the data necessary for specific purposes. Implement purpose limitations to ensure data is used only for stated objectives, and avoid excessive data collection. For example, if you need a client’s annual income but you ask for and receive a copy of their entire Form 1040 tax return, you are collecting far more personal information than you need (a redaction sketch follows this list).
3. Obtain Genuine Consent: Ensure informed consent by providing clear, understandable privacy notices to our potential clients. Individuals should be aware of and agree to how their data will be used, including for AI applications. Therefore, before we even undertake representation of clients, we should inform them of how, why, and when their information will be used, and what we are doing to actively protect their data.
4. Incorporate Privacy by Design: Integrate privacy considerations into the development and deployment of the AI systems we use in our offices, and into all other cloud-based technology we use in our firms, since AI systems are no more vulnerable than any other cloud-based system. Accordingly, we should use privacy-enhancing technologies and practices, such as anonymization, encryption, and secure data storage.
5. Implement Accountability Measures: Establish strong internal and external accountability mechanisms. Have an AI use policy—more on that in my next article. Conduct regular audits, assessments, and impact analyses to identify and mitigate privacy risks. Be prepared to demonstrate compliance with privacy laws to your clients, your insurance carrier, and potentially to a judge or other decision-making body.
6. Address Bias and Discrimination: Proactively identify and mitigate biases in AI systems. Bias is implicit in generative AI tools because they are a reflection of the data used to train them, and that data contains various biases. We need to be uncompromising and unapologetic in monitoring for discriminatory output, and discriminatory input as well. AI can save us as lawyers a great deal of time, but that is only beneficial if we make the effort to regularly test for discriminatory outcomes (a simple spot-check sketch follows this list) and implement corrective measures to avoid perpetuating or amplifying existing inequalities and biases.
7. Enhance Due Process and Remedies: Provide clear avenues for individuals to challenge AI decisions and seek redress for privacy harms. Ensure that individuals' rights are protected and that they have meaningful ways to contest AI-generated outcomes.
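As referenced in item 2, here is a minimal, hypothetical Python sketch of scrubbing obvious identifiers from text before it leaves the firm for an outside GenAI tool. The patterns are illustrative only, and pattern-based redaction is never foolproof; names, addresses, and contextual clues need more careful handling.

```python
import re

# A hypothetical data-minimization sketch (item 2): scrub obvious identifiers
# from text before sending it to an outside GenAI tool. These patterns are
# illustrative only; real redaction requires far more care.

REDACTION_PATTERNS = {
    "SSN":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}

def redact(text: str) -> str:
    """Replace matches of each pattern with a labeled placeholder."""
    for label, pattern in REDACTION_PATTERNS.items():
        text = pattern.sub(f"[{label} REDACTED]", text)
    return text

note = ("Client Jane Doe (SSN 123-45-6789, jane@example.com, 404-555-0182) "
        "needs her annual income verified for the fee petition.")
# Note that the client's name survives: pattern matching alone cannot catch
# names or contextual clues, which is exactly the reconstitution risk above.
print(redact(note))
```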
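And as referenced in item 6, the sketch below shows one simple, hypothetical way to spot-check GenAI output for bias: run paired prompts that differ only in a demographic cue (here, a name) and have a human compare the results. The `generate` function is a stand-in for whatever GenAI tool your firm actually uses.

```python
# A hypothetical counterfactual spot-check for item 6: paired prompts that
# differ only in the client's name. `generate` is a placeholder; in practice
# it would call your firm's GenAI tool.

def generate(prompt: str) -> str:
    # Stand-in for a real model call.
    return f"[model output for: {prompt}]"

TEMPLATE = ("Draft a one-paragraph bail memorandum for {name}, "
            "a first-time offender with stable employment.")

# Invented name pairs chosen to vary only a demographic cue.
PAIRED_NAMES = [("Emily Walsh", "Lakisha Washington")]

for name_a, name_b in PAIRED_NAMES:
    for name in (name_a, name_b):
        print(generate(TEMPLATE.format(name=name)))
    # A reviewer then checks whether the two drafts differ in tone or
    # substance on the name alone; any divergence gets flagged and corrected.
```

This is a spot-check, not an audit; the regular audits called for in item 5 are still required.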
By following these best practices, our law firms can responsibly harness the power of Generative AI while safeguarding privacy and building trust with our clients and with the courts. Since so much depends on our reputations, responsible use of AI is a baseline obligation, not an added measure; it is how we maintain the highest standards of professional integrity and client trust.
We as a society are impatiently waiting for comprehensive laws to govern GenAI use and data privacy. Until those laws are implemented, these measures align with Solove's broader recommendations for comprehensive privacy law reforms and effective regulatory frameworks to manage the complexities of AI.
2. Id.