USA: AI CONSENT Act proposed

The USA has a fondness for apronyms in the names of its statutes: “CLOUD” in the CLOUD Act does not stand for the cloud, but for “Clarifying Lawful Overseas Use of Data”. The AI CONSENT Act contains a new apronym of this kind, standing for “Artificial Intelligence Consumer Opt-in, Notification, Standards, and Ethical Norms for Training Act”. For now, the AI CONSENT Act is only a proposal by two Democratic senators. Interestingly, and quite unlike the AI Act, it is genuine data protection law, applied to AI.

The Act defines, among other things, AI systems and personal data, and for the latter expressly includes “unique persistent identifiers”. Under the draft, such data may be used to train an AI only if the data subject has given express, informed and separate consent; a prohibition on tying applies. The FTC (the Federal Trade Commission) is to work out detailed requirements for the design of this consent, down to the font size.

In full:

LYN24164 JYS.L.C.
118TH CONGRESS
2D SESSION
S. ll

To require companies to receive consent from consumers to having their data used to train an artificial intelligence system.

IN THE SENATE OF THE UNITED STATES

Mr. WELCH (for himself and Mr. LUJÁN) introduced the following bill; which was read twice and referred to the Committee on

A BILL

To require companies to receive consent from consumers to having their data used to train an artificial intelligence system.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the “Artificial Intelligence Consumer Opt-in, Notification, Standards, and Ethical Norms for Training Act” or the “AI CONSENT Act”.

SEC. 2. DEFINITIONS.

In this Act:

(1) ARTIFICIAL INTELLIGENCE SYSTEM. — The term “artificial intelligence system” means a machine-based system that—

(A) is capable of influencing the environment by producing an output, including predictions, recommendations or decisions, for a given set of objectives; and

(B) uses machine or human-based data and inputs to—

(i) perceive real or virtual environments;
(ii) abstract these perceptions into models through analysis in an automated manner (such as by using machine learning) or manually; and
(iii) use model inference to formulate options for outcomes.

(2) COMMISSION. — The term “Commission” means the Federal Trade Commission.

(3) COVERED DATA. — The term “covered data” means information relating to an individual that—

(A) is collected by a covered entity in the course of the individual using a product, tool, platform, or service offered by the covered entity; and
(B) identifies or is linked or reasonably linkable, alone or in combination with other information, to the individual or a device that identifies or is linked or reasonably linkable to the individual, and shall include derived data and unique persistent identifiers.

(4) COVERED ENTITY. — The term “covered entity” means a person, partnership, or corporation subject to the jurisdiction of the Commission under section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)).

(5) DE-IDENTIFIED DATA. — The term “de-identified data” means information that has been processed such that the information does not identify and is not linked or reasonably linkable to a distinct individual or a device, regardless of whether the information is aggregated, and if the covered entity holding such information—

(A) takes reasonable technical measures to ensure that the information cannot, at any point, be used to re-identify any individual or device that identifies or is linked or reasonably linkable to an individual;
(B) publicly commits in a clear and conspicuous manner—
(i) to process and transfer the information solely in a de-identified form without any reasonable means for re-identification; and
(ii) to not attempt to re-identify the information with any individual or device that identifies or is linked or reasonably linkable to an individual; and
(C) contractually obligates any person or entity that receives the information from the covered entity—
(i) to comply with all of the provisions of this paragraph with respect to the information; and
(ii) to require that such contractual obligations be included contractually in all subsequent instances for which the data may be received.

(6) DERIVED DATA. — The term “derived data” means covered data that is created by the derivation of information, data, assumptions, correlations, inferences, predictions, or conclusions from facts, evidence, or another source of information or data about an individual or an individual’s device.

(7) DEVICE. — The term “device” means any electronic equipment capable of collecting, processing, or transferring covered data that is used by one or more individuals.

(8) TRANSFER. — The term “transfer” means to disclose, release, disseminate, make available, license, rent, or share covered data orally, in writing, electronically, or by any other means.

(9) UNIQUE PERSISTENT IDENTIFIER. — The term “unique persistent identifier”—

(A) means an identifier to the extent that such identifier is reasonably linkable to an individual or device that identifies or is linked or reasonably linkable to 1 or more individuals, including a device identifier, Internet Protocol address, cookie, beacon, pixel tag, mobile ad identifier, or similar technology, customer number, unique pseudonym, user alias, telephone number or other form of persistent or probabilistic identifier that is linked or reasonably linkable to an individual or device; and
(B) does not include an identifier assigned by a covered entity for the specific purpose of giving effect to an individual’s exercise of express informed consent or revocation of consent to the collection of covered data to train an artificial intelligence system.

SEC. 3. DISCLOSURE AND OPT-IN REQUIREMENTS FOR ENTITIES THAT USE DATA TO TRAIN ARTIFICIAL INTELLIGENCE SYSTEMS.

(a) PROHIBITION. — Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to prohibit covered entities from using or selling or transferring to a third party any covered data of an individual that is collected by the covered entity to train an artificial intelligence system except as provided in subsection (b).

(b) USE OF COVERED DATA TO TRAIN ARTIFICIAL INTELLIGENCE SYSTEMS PURSUANT TO EXPRESS INFORMED CONSENT. — The regulations promulgated by the Commission under subsection (a) shall include the following:

(1) The regulations permit a covered entity to use covered data of an individual to train an artificial intelligence system or to sell or transfer such data to a third party for such purpose if the covered entity first—

(A) provides the individual with a clear and conspicuous disclosure of how the covered entity or third party will use the individual’s covered data; and
(B) obtains the express informed consent of the individual for the covered entity or third party to use the individual’s covered data for such purpose.

(2) For purposes of the disclosure required under paragraph (1)(A), the regulations shall—

(A) provide a standard for what constitutes a clear and conspicuous disclosure that takes into account—
(i) different platform types, including websites, mobile applications, and search engines;
(ii) the size, font, color, or other visual affects of such a disclosure;
(iii) the brevity, accessibility, and clarity of such a disclosure such that it may be understood by a reasonable person;
(iv) the medium of such a disclosure — including text, audio, and video components — and the efficacy of these media to ensure the individual’s attention and information;
(v) the timeliness and location of such a disclosure; and
(vi) any other criteria determined appropriate by the Commission;
(B) consider the possibility of consumer fatigue toward such disclosures and minimize its impact;
(C) require that the disclosure clearly explains the individual’s applicable rights related to consent, including that service shall not be conditioned on the granting of consent by the individual;
(D) require that the disclosure state how an individual’s covered data may be used to train artificial intelligence systems by the covered entity or sold or transferred to third-parties that may do the same; and
(E) require that the disclosure offer instructions on how an individual may grant or revoke consent.

(3) For purposes of the consent required under paragraph (1)(B), the regulations shall require that—

(A) individuals may grant or revoke consent at any time through an accessible and easily navigable mechanism;
(B) the option to withhold or revoke consent shall be at least as prominent as the option to accept and shall take the same number of steps or fewer as the option to accept;
(C) such consent is obtained independently from the covered entities’ terms of service agreement;
(D) such consent cannot be inferred from an individual’s action or inaction, such as hovering over or closing a window or piece of content;
(E) services provided by a covered entity may not be reduced, restricted, or made conditional on whether an individual withholds consent; and
(F) should an individual revoke consent, all covered data of the individual shall be expunged from datasets used to train an artificial intelligence system following the revocation of consent.

SEC. 4. FTC STUDY ON DATA DE-IDENTIFICATION METHODS.

Not later than 1 year after the date of enactment of this Act, the Commission shall submit to the Committee on Commerce, Science, and Technology of the Senate and the Committee on Energy and Commerce of the House of Representatives a report on methods used by covered entities to convert covered data into de-identified data.
Such report shall include an evaluation of whether, given advancements in artificial intelligence technology, there are any reasonable technical measures covered entities could take, in addition to those measures currently used by covered entities, to ensure that covered data that has been converted to de-identified data cannot at any point be used to re-identify an individual or their device.

SEC. 5. ENFORCEMENT.

(a) UNFAIR AND DECEPTIVE ACTS OR PRACTICES.—

A violation of a regulation promulgated under this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

(b) POWERS OF THE COMMISSION.—

(1) IN GENERAL. — The Commission shall enforce regulations promulgated under this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of such regulations.

(2) PRIVILEGES AND IMMUNITIES. — Any person that violates a regulation promulgated under this Act shall be subject to the penalties, and entitled to the privileges and immunities, provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).

(3) REGULATIONS. — The Commission shall, pursuant to section 553 of title 5, United States Code, promulgate such regulations as the Commission determines necessary to carry out the provisions of this Act.

(4) AUTHORITY PRESERVED. — Nothing in this Act shall be construed to limit the authority of the Commission under any other provision of law.

SEC. 6. PREEMPTION.

(a) IN GENERAL. — Nothing in this Act shall be construed to preempt the law of any State that provides greater protections to users of the services provided by covered entities and individuals generally than the protections provided by the regulations promulgated under this Act.

(b) DEFINITION OF STATE. — In this section, the term “State” means any of the 50 states, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands of the United States, Guam, American Samoa, or the Commonwealth of the Northern Mariana Islands.
