DIFC’s amended data protection regulations ensure responsible development of artificial intelligence systems

Regulation also places transparency and openness at its core

By Vivek Prasad


In September 2023, the DIFC published an amended version of its Data Protection Regulations. — KT file

Published: Sun 8 Oct 2023, 10:01 PM

The UAE aims to become one of the leading nations in artificial intelligence (AI) by 2031, in alignment with the UAE Centennial 2071. AI as a sector is poised to create new economic, educational, and social opportunities for citizens, governments and businesses. This is projected to generate up to Dh335 billion in extra growth.

AI systems rely heavily on the data that they are trained on, and on the data prompts that users input. So, it is no surprise that data protection and privacy go hand in glove with the development of AI Systems. Mindful of this, in September 2023, the Dubai International Financial Centre (DIFC) published an amended version of its Data Protection Regulations. While the Regulations had some important amendments dealing with inadvertently obtained personal data, and the use of personal data for marketing and communications, the provision that sparked considerable interest is the newly introduced Regulation 10 of the Data Protection Regulations.


Regulation 10 is the first enacted regulation in the Middle East, Africa and Southern Asia (MEASA) region on the processing of personal data via autonomous and semi-autonomous systems. The rather dry phrase “autonomous and semi-autonomous systems” encompasses such modern marvels as AI and generative, machine learning technology. At the risk of over-simplification, we will use the term AI Systems in place of “autonomous and semi-autonomous systems” across this op-ed.

Key features of the regulation


It may well be asked why AI Systems need to be mentioned in regulations that are meant to address the issue of data protection. The simple answer is that AI Systems will be processors of large amounts of personal data. As stated above, this could be training data, or prompt inputs. Personal data is any information about an identified or identifiable natural person (for example, you).

In this regard, Regulation 10 provides a framework for the responsible use of AI Systems by defining concepts and laying down compliance obligations.

Regulation 10 defines important concepts such as an AI System, Deployer of an AI System, Operator of an AI System and Provider of an AI System. An AI System is any machine-based system operating in an autonomous or semi-autonomous manner that can process personal data for human-defined purposes or purposes that the AI system itself defines, or both, and can also generate an output on the basis of such processing. ChatGPT and Midjourney are two prominent examples of AI Systems.

Vivek Prasad is a Senior Associate at KARM Legal Consultants

A Deployer is the person or legal entity, such as a firm or company, who has authority over an AI System’s operation, and benefits from its operations, even if they are not directly involved in the operations. An Operator is the person or legal entity that operates or oversees an AI System on behalf of the Deployer, even if they don’t have control over personal data processing by the AI System. A Provider is a person or legal entity responsible for developing an AI System for commercialisation or use.

One might, at this stage, give in to the temptation of conjuring up dystopian scenarios of AI systems taking over the world and enslaving mankind. To address exactly this concern, Regulation 10 emphatically prohibits use of an AI System unless the AI System is capable of processing personal data only for purposes that are human-defined or human approved, or are defined by the AI System itself, but solely on the basis of human-defined principles and solely within the limits of human-defined constraints. This essentially places a restriction on the autonomy of autonomous systems.

Regulation 10 also prescribes certain principles on which AI Systems must be designed. These include unbiased algorithmic decisions, fairness, transparency, security and accountability. These core principles are intended to ensure that AI systems do not discriminate among individuals, clearly explain how they process personal data, protect personal data and have mechanisms in place to ensure responsibility and accountability for the outcomes produced by the AI System.

Regulation 10 imposes certain obligations on Deployers and Operators of AI Systems. For example, processing of personal data by AI Systems must be in compliance with general data protection requirements as articulated in the DIFC Data Protection Law. These include, among others, processing only as much personal data as is relevant for the purpose, and keeping the personal data secure.

A Deployer or Operator is also required to provide a notice containing certain information to the users. This information includes, among other details, the human-defined purpose for data processing undertaken, human-defined principles and limits employed by the AI System to autonomously define additional purposes for data processing, output generated by the AI System through this processing and how it is utilized. They are also required to furnish evidence, upon request by relevant parties, of the AI System’s compliance with audit and certification standards, algorithms governing fairness concerns and seeking human intervention in certain situations.

Significance of the Regulation

Regulation 10 provides for a permissive, certification-based regime for the use of AI Systems to process personal data, rather than requiring that any licenses or registrations be made or obtained. Specific certification related requirements may be issued by the DIFC in future. This approach is significant because it does not encumber Deployers and Operators.

The Regulation also places transparency and openness at its core, by requiring Deployers and Operators of AI Systems to provide notice of their activities and furnish evidence of their compliance with legal and regulatory requirements.

Additionally, the emphasis on AI Systems being required to function under human-defined purposes is indicative of the strong regulatory intent to ensure that AI Systems develop in an orderly and responsible manner.

Conclusion

Regulation 10 of the DIFC’s Data Protection Regulations is a significant building block towards actualising the UAE’s vision to take a leadership position in AI. The provisions on protection of personal data during its processing by AI Systems are expected to address the concerns of individuals and increase people’s confidence in AI Systems. This will translate into increased willingness to provide consent for one’s personal data being processed by AI Systems, thereby enhancing DIFC’s appeal as a jurisdiction of choice for AI-enabled businesses.

The writer is a Senior Associate at KARM Legal Consultants


