US Regulatory Fragmentation, first Privacy, now AI
Artwork by Generative Steve - ChatGPT assured me that DALL.E was ok with that nickname.

Say what you want about the EU’s data regulation regime, but between the GDPR and the AI Act, organizations have one set of rules allowing them to transact across 27 countries.

By contrast, doing business in the US, organizations increasingly need to juggle different regulatory requirements for the data they collect state by state.

So far, nineteen US states have each passed their own privacy laws, covering more than 50% of the population. Each of these laws is different, and they continue to diverge through amendments, making for a growing burden on companies that have historically maintained homogeneous data storage and processing.

I understand why every time a credible federal privacy bill is proposed everyone gets in a tizzy. I hate to be the bearer of bad news but it’s not going to happen.

I’m not saying that because I’m cynical - I am, but that’s not it – it’s because this is not my first rodeo. Back in 2003, California passed breach disclosure legislation; 15 years later, in 2018, Alabama became the 50th state to adopt its own breach disclosure rules. Today, in 2024, we still don’t have federal breach disclosure legislation, not after Yahoo!, not after SolarWinds and not after the 124 million health records breached in the US in 2023.

We are now on the precipice of the same repeating cycle for AI regulation with Governor Polis signing Colorado’s landmark AI bill into law. All the while, the federal government is publishing non-binding codes of conduct for fear of stifling technology that has been actively deployed for the better part of two decades.

 

Food for thought: If global AI regulation goes the same direction as global privacy regulation, then countries (and states) will adopt “lite” variations of the AI Act. If you’re in line with the AI Act, you should be able to transact globally without having to waffle over the local details in any one jurisdiction.


Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management.

Mustafa Ozcakir

CEO & CoFounder, CDPSE (ISACA), Pilot - EASA CPL(A) - GDPR DPO

1mo

Hi Nader, Thank you for your insightful article on the complexities of AI regulation in the US. It got me thinking about the competitive dynamics on a global scale. Given that non-US companies often aim to do business with US firms, do you think the fragmented AI regulatory environment in the US could create a competitive advantage or disadvantage for these non-US companies? In such a scenario, how might this regulatory fragmentation influence the overall competition and business relationships between US and non-US companies? A similar example in a different area: In privacy, I have seen non-EU companies are now experiencing competitive situations because of GDPR when trying to do business with the EU. Could a similar but more complex situation occur because of the fragmentation in AI regulations in the US? Also the picture fits the article perfectly.

Gal Ringel 🕵🏽

Co-Founder & CEO at Mine | Privacy & Security Leader | Forbes 30 Under 30

1mo

Thanks for sharing!

Abhinav Mittal ♻️ Governing AI for a Safer World

Responsible AI Advisor | 2X Author | Saved $100m+ in Tech Costs | 🔔Follow for AI Insights | Technology Industry Thought Leader | 45+ Digital Transformation Projects | IT Strategy & Governance Leader | Keynote Speaker

1mo

US Department of Labor's transparency requirements for the use of AI by federal contractors will make compliance work more interesting. https://www.linkedin.com/posts/mittalabhinav_humanresources-artificialintelligence-activity-7193921230805073920-rgk9
