Acknowledgement Note:
This project was carried out as part of the “Carreras con Impacto” program during the 14-week mentorship phase. You can find more information about the program in this entry.
Problem Context
Artificial intelligence (AI) presents enormous potential in various areas, but it also poses significant risks, especially concerning the manipulation of personal data. In response to these challenges, regions such as the United States, the European Union, and China have begun implementing regulatory frameworks aimed at mitigating these risks, each with a different approach.
In the United States, Executive Order No. 14110 of 2023 promotes the responsible use of AI, highlighting the need to balance security, privacy, and technological innovation. However, public concern about the impact of AI on daily life remains evident, as seen in a 2023 Ipsos survey, which reported that 52% of respondents expressed anxiety about these technologies, representing a 13-percentage point increase compared to the 2022 survey.
Similarly, the European Union has adopted a pioneering approach to privacy protection with the enactment of the General Data Protection Regulation (GDPR), which protects privacy as a fundamental right among citizens. This is complemented by the recent Regulation (EU) 2024/1689, also known as the "Artificial Intelligence Act," which classifies AI systems based on their level of risk (unacceptable, high, limited, minimal), while also regulating their use to protect privacy, fundamental rights, and citizens' safety.
In China, the regulatory approach is more restrictive, focusing on the protection of state secrets and cybersecurity. The Chinese government maintains strict control over the development and use of AI, reflecting a conservative stance compared to other regions, as highlighted in the 2023 "Interim Measures for the Management of Generative AI Services."
Despite the regulatory efforts in these nations, significant challenges remain in the legal management of AI. A clear example is the use of AI-generated romantic chatbots (such as Crushon AI), which, according to experts like Josep Curto and the Mozilla Foundation, pose at least four major privacy risks for users:
In the case of Latin America, the region still lacks a solid legal framework regulating the use of AI and protecting personal data. Although countries like Argentina, Brazil, Chile, and Peru have established preliminary guidelines for AI governance and promoted solutions at the United Nations General Assembly, there is currently no robust legal framework to regulate AI use in Latin America. Furthermore, the lack of international treaties and the limited application of human rights in the region show that Latin America is still in the early stages of AI governance. To date, the Inter-American Court of Human Rights has not explicitly recognized the right to personal data protection under Article 11 of the American Convention on Human Rights, although there are indications that it may broaden the protection of the right to privacy in the wake of the COVID-19 pandemic (Contreras, 2024).
In this context, the regulatory frameworks of the United States, the European Union, and China can serve as models for Latin American countries, which still lack strong legislation on the matter. The implementation of specific regulations on AI management is urgent, not only to ensure the protection of citizens' privacy but also to prevent risks related to espionage, identity theft, and the misuse of personal data.
Therefore, this research aims to understand and compare the regulatory frameworks of the United States, the European Union, and China focused on the manipulation of personal data through the use of artificial intelligence. Based on this analysis, the goal is to develop a series of recommendations applicable to the regulatory framework of Latin America to prevent such risks and protect individuals' rights, ensuring transparency and accountability in the use of this technology.
Objectives
1.- General Objective:
Analyze and compare the regulatory frameworks associated with the management of AI technologies used for personal data handling in the U.S., the European Union, and China, with the aim of developing proposals applicable to the regulatory framework of Latin America.
2.- Specific Objectives:
Methodology
This research project was developed using a multidimensional and geopolitical approach, with the objective of comparing the regulatory frameworks of China, the United States, and the European Union regarding the protection of personal data in the use of AI.
The study began with an extensive literature review, which included an analysis of the type of government in each selected region to understand how these political structures influence the regulation of artificial intelligence and its use in personal data protection.
Subsequently, an analysis of the regulations in force up until July 31, 2024, was conducted. The regulations were obtained from the official government websites of each region. This process included a detailed review of the regulatory framework, identifying those regulations related to the management of the development and use of artificial intelligence, as well as the entities responsible for its regulation.
A comparative analysis of the specific regulatory framework for personal data protection in each region was then carried out, identifying similarities and differences in regulatory approaches. The comparison focused on identifying the personal data protected in each region and their form of government, in order to understand their strategy and make recommendation proposals for the governments of Latin America.
Finally, the information obtained from the literature review allowed the development of a series of recommendations applicable to those governments in the early stages of regulating the use and development of AI-based technologies and user data protection, as is the case for most countries in Latin America.
As part of the information search and filtering process, relevant keywords for the research were used, including “personal data protection,” “privacy,” “artificial intelligence,” and “manipulation.”
Analysis of Governmental Characteristics and Their Implication in the Management of AI Use for Personal Data Protection
Given that understanding the political regime of the countries under study facilitates comprehension of how AI use regulation concerning personal data protection is approached, the comparative analysis began with a review of the political particularities associated with the systems of government in these world powers (Table 1).
Table 1. Comparison of Political Regimes by Region. Comparative table of the types of political regimes of world powers in the development and use of AI.
Region | Political Regime |
United States | Federal Constitutional Republic |
China | Socialism with Chinese Characteristics |
European Union | Representative Democracy |
First, the United States, according to its Constitution, is a Federal Constitutional Republic, with a presidential system and a structure based on the separation of powers. This model grants each state the autonomy to enact its own laws, including those related to personal data protection in the use of AI.
China, on the other hand, follows the model of "socialism with Chinese characteristics" under the principle of "one country, two systems." This political orientation places a strong emphasis on preserving socialist values and limits any threats to these principles, which may present a series of challenges regarding the integration and regulation of advanced technologies, such as generative artificial intelligence.
In contrast, the European Union operates under a system of representative democracy, which seeks to foster a highly competitive social market economy with the goal of promoting balanced and sustainable economic and social development among all its member countries. This approach is reflected in the region's efforts to enact regulations focused on emerging technologies like AI to facilitate its use and ongoing development.
Analysis of the Regulatory Frameworks Associated with AI Use in the U.S., European Union, and China, and Their Focus on Personal Data Protection
After understanding the different political regimes and their impact on data protection in AI use, the next step was to identify the main regulations regarding artificial intelligence in the countries under study, with a particular focus on determining whether these regulations aim to protect users' personal data.
Table 2. Comparison of Existing Regulations Related to AI Use and Personal Data Protection by Region. This table provides an overview of the main AI regulations in the United States, the European Union, and China, highlighting the provisions related to personal data protection and their management of manipulation risks.
Region | Regulation | Data protection | Personal Data protected | Risk of Manipulation by AI | Measures for Data Protection |
United States | AI Risk Management Framework (2023) - Federal - Voluntary | Yes | Unauthorized use, disclosure, or anonymization of biometric, health, location, or other personally identifiable information or confidential data. | Yes | Governance, content provenance, pre-implementation testing, and incident disclosure. |
Executive Order No. 14110 (2023) Development and Safe, Reliable, and Secure Use of Artificial Intelligence - Federal | Yes | Identities, locations, habits, and desires of individuals | Yes | Participation of the whole society, including the government, private sector, academia, and civil society. Agencies will use available technical and policy tools, including Privacy-Enhancing Technologies (PET), as appropriate, to protect privacy and address large-scale legal and social risks, including the collection and misuse of personal data. | |
Executive Order No. 13859 (2019) Maintaining American Leadership in Artificial Intelligence - Federal | Yes | Not specified | No | AI research agencies and users will identify improvements in the access and quality of AI data and models, while protecting user privacy. | |
National Security Commission on Artificial Intelligence (NSCAI) - 2021 Report | Yes | Robust anonymity, whereabouts, and behavioral patterns of an individual | Yes | Evaluate and mitigate risks in the design, development, and testing of AI systems. Elements of the IC, DHS, and FBI must implement measures to mitigate these risks and document any remaining risks. | |
Generative AI Copyright Disclosure Act of 2024 | Yes | Copyright | Yes | Specify the copyrighted works used in this process. | |
SB-1047 Bill, Safe Innovation Act for Frontier Artificial Intelligence Models - California (09/03/2024)
| Yes | Preservation of an uncensored copy of the security protocol for the developer and protection for as long as the covered model is available for commercial, public, or foreseeably public use, plus an additional period of 5 years, including records and dates corresponding to any updates or revisions. | Yes | The current law requires the secretary to assess the impact of the proliferation of deepfakes, defined as audio or video content generated or manipulated by artificial intelligence. | |
European Union | Regulation (EU) 2024/1689 - AI Act | Yes | Biometric data, material distortion of behavior through manipulation techniques, social behavior, or personal or personality characteristics. | Yes | High-risk AI systems will be subject to strict obligations prior to commercialization. Additionally, any AI-generated text published with the purpose of informing the public on matters of general interest must be labeled as artificially generated content. |
China | Interim Measures for the Management of Generative Artificial Intelligence Services - Entered into Force on August 15, 2023 | Yes | State and trade secrets, personal privacy, and personal information acquired in the performance of their duties in accordance with the law. | No | Conduct security assessments in accordance with national regulations. Providers must explain the source, scale, type, labeling rules, algorithmic mechanism, and any relevant information regarding the training data as necessary. |
Artificial Intelligence Law of the People's Republic of China (Draft) | Yes | Personal behavioral habits, interests, economic, health, or credit information | Yes | AI developers and providers will not collect unnecessary personal information, nor will they unlawfully retain input data or usage records that could identify users.
| |
Provisions on Deep Synthesis - 10/01/2023 | Yes | Not specified | Yes | Visible labels on synthetically generated content | |
Regulation on the Management of Algorithmic Recommendations for Internet Information Services | Yes | Not specified | Yes | Algorithm providers will periodically review the mechanisms, models, data, and outcomes of the application of the algorithms, and will not distribute models that lead users to addiction, excessive consumption, or other behaviors that violate laws, regulations, or ethical principles. |
As can be seen in Table 2, Europe leads in the development of regulations with the official publication of a regulatory framework for artificial intelligence. China, in turn, has planned a similar process with the publication of a draft law to regulate this technology, while the United States has been consistent with the issuance of public policies on the matter, with the constant challenge of fostering technological innovation alongside the regulation of emerging technologies.
It is important to note that the main regulations presented in Table 2 indeed aim to protect users' personal data in the use of AI technologies. The United States shows a greater number of regulations in this area, although many of them are bills that had not been passed as of the date of this research. In China, the priority is placed on protecting government data, an uncommon focus for most countries. Additionally, each regulation presents specific measures to safeguard users' personal data from AI use, with the European Union's process standing out. In the EU, AI systems that compromise personal data will be considered high-risk, and as part of the prevention process, these systems will be subject to strict obligations before they can be commercialized.
Regarding data protection measures, the United States stands out with Executive Order No. 14110 of 2023, titled “Development and Safe, Reliable, and Secure Use of Artificial Intelligence”. This order includes the use of Privacy-Enhancing Technologies (PET), when relevant, to protect privacy and mitigate legal and social risks such as the collection and misuse of personal data. It is important to emphasize that the use of this resource (PET) is based on a set of standards issued by the United Kingdom, demonstrating how major powers can use the regulations of other countries as a reference under the principle of reciprocity.
In the case of the United States, there are independent regulations at both federal and state levels. This system has been the subject of heated discussions, such as those arising from the recent SB-1047 Bill, or the “Safe Innovation Act for Frontier Artificial Intelligence Models of California”. Nancy Pelosi, the Democratic senator for California in Washington (2024), expressed her opposition to this, arguing that the law threatens to impose punitive measures on developers in a field that requires innovation. Similarly, the company OpenAI (2024) voiced its concern about a potential talent exodus from the United States and Silicon Valley, advocating for federal-level AI legislation, rather than a fragmented approach in which each of the 50 states has its own regulations. On the other hand, Scott Wiener, a Democratic state senator, supported the bill, considering it to balance innovation with safety in the development of these technologies. The final decision lies with California Governor Gavin Newsom, who has until September 30, 2024, to sign or veto the law.
From the analysis of current regulatory frameworks, we can conclude that although the approaches to regulating artificial intelligence in the United States, China, and Europe vary in their priorities and methods, they all share the common goal of seeking a balance between promoting technological innovation and protecting human rights and fundamental values, particularly the right to privacy (Perez, 2024).
Table 3. Characteristics Associated with AI Regulatory Entities by Region. This table provides a comparison of the main entities responsible for AI regulation in the United States, China, and the European Union, along with their specific approaches.
Characteristics | United States | China | European Union |
| Number of Entities | 2 | 3 | 2 |
| Name of the Entity | - Federal Trade Commission (FTC) - National Institute of Standards and Technology (NIST) | - Cyberspace Administration of China - National Development and Reform Commission - Ministry of Science and Technology | - European Artificial Intelligence Office - European Data Protection Supervisor |
| Approach | Federal Trade Commission (FTC): The sole federal agency responsible for consumer protection and competition enforcement through the application of the law.
National Institute of Standards and Technology (NIST): Development of standards and frameworks for AI. | Cyberspace Administration of China: Planning and coordinating the management and supervision of generative AI at the national level, in accordance with its respective responsibilities and laws.
National Development and Reform Commission: Strengthening the management of generative AI services at the national level, in accordance with its respective responsibilities and laws.
Ministry of Science and Technology: Formulating public policies and overseeing the implementation of AI at the national level. | European Artificial Intelligence Office: Monitoring, supervision, and governance of AI across the EU.
European Data Protection Supervisor: AI market surveillance authority. |
Following the identification of existing regulations regarding AI use (Table 2), the next step was to identify the regulatory entities responsible for enforcing these regulations in each region (Table 3). At the federal level, there are two main entities in the United States: the Federal Trade Commission (FTC) and the National Institute of Standards and Technology (NIST). The FTC, in particular, is responsible for protecting consumers from any violation of their rights, including their privacy.
In the case of the People's Republic of China, there are more than three key entities for AI regulation: the Cyberspace Administration of China, the National Development and Reform Commission, and the Ministry of Science and Technology. As can be seen, the Chinese government has not delegated AI regulation to new entities but has directly assumed supervision and the creation of public policies by the government.
As for the European Union, its regulatory structure resembles that of the United States, with two main entities in charge of AI regulation. The European Artificial Intelligence Office is responsible for supervision at the Union level, covering all 27 member states.
Identification of the Legal Framework Related to Data Protection in the U.S., European Union, and China and its Focus on AI Algorithms
The second focus of the analysis of the existing regulations in the countries under study was based on the identification and comparison of different data protection regulations, with a particular emphasis on determining whether these regulations take into account the risks associated with the use of AI algorithms.
Table 4. Comparison of Existing Regulations Related to Personal Data Protection and AI Use by Region. This table provides an overview of the main data protection regulations in the United States, the European Union, and China, highlighting the provisions related to AI use and its management.
Región | Regulación | Datos personales protegidos | Riesgo de manipulación por parte de la IA | Responsabilidad legal (Sanciones) |
United States | California Consumer Privacy Act (CCPA) | Identifiers such as real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, Social Security number, driver's license number, passport number, biometric information, browsing history, and geolocation data. | The risk of manipulation is addressed, but it does not specify whether it is by AI. | Administrative fines or civil penalties |
European Union | Regulation (EU) 2016/679 - General Data Protection Regulation (GDPR) | Numerus apertus | Yes | Administrative fines |
| Regulation (EU) 2022/2065 - Digital Services Act (DSA) | Protection of minors online, mitigation of systemic risks such as manipulation or disinformation | Yes | Administrative fines | |
China | Cybersecurity Law of the People's Republic of China | Numerus apertus | No | Administrative fines |
Data Security Law of the People's Republic of China | Data processing, including collection, storage, use, processing, transmission, provision, disclosure, etc. | No | Administrative fines | |
Personal Information Protection Law of the People's Republic of China | Sensitive personal information | Yes | Confiscation and administrative fines |
From the comparison of the regulatory framework related to data protection in the analyzed countries (Table 4), a legal responsibility based on the application of administrative fines is highlighted, with an additional confiscation of assets in the case of China. These administrative fines are applied directly to the provider that has not taken the necessary precautions or followed the guidelines established by each country, with fines reaching up to 7% of their total annual turnover.
The European Union stands out in this analysis thanks to the General Data Protection Regulation (GDPR), a community law that regulates the protection of individuals with respect to the processing of their personal data and the free movement of such data within the European Union and the European Economic Area. It is worth noting that this Regulation explicitly mentions the possible adoption of its principles by non-EU countries.
Table 5. Technical Methods for Data Protection Indicated in the United Kingdom’s Privacy-Enhancing Technologies (PET). This table provides an overview of the technical methods used for privacy protection within the regulatory framework of the United Kingdom, in relation to Privacy-Enhancing Technologies (PETs).
Privacy-Enhancing Technologies (PETs):
They incorporate fundamental data protection principles by minimizing the use of personal information and maximizing data security. | Technical Methods for Protection Against Privacy Risks | |
Homomorphic Encryption (HE) | It allows computations to be performed on encrypted data without the need to decrypt it beforehand. | |
Secure Multi-Party Computation (SMPC) | A protocol that allows at least two different parties to jointly process combined data, without any party having to share all of their data with the others. | |
Federated Learning | A technique that allows multiple parties to train AI models using their own data. They then combine some of the patterns identified by the models into a single, accurate 'global' model, without the need to share training data with each other. | |
Trusted Execution Environments (TEEs) | They allow code to be executed and data to be accessed in isolation from the rest of the system. | |
Zero-Knowledge Proofs (ZKP) | They provide data minimization by allowing an individual to prove private information about themselves without revealing what it actually is. | |
Differential Privacy | A technique that allows the collection and analysis of information from large groups of people, ensuring privacy protection at the individual level. | |
Use of Synthetic Data | Generation of "artificial" data produced through data synthesis algorithms, which replicate the patterns and statistical properties of real data, with the possibility of including personal data. | |
According to the European Union Agency for Cybersecurity (ENISA), Privacy-Enhancing Technologies (PETs) are described as "software and hardware solutions that encompass processes, methods, or technical knowledge designed to fulfill a specific privacy or data protection function, or to protect individuals from privacy risks." These technologies have become a key tool for professionals working with personal data, especially in sensitive sectors, by minimizing the risks associated with handling personal information.
PETs offer a set of innovative tools that allow organizations to manage large volumes of personal data securely and in compliance with current regulations (Table 5). Among the most notable solutions are homomorphic encryption, which protects data even during calculations, and secure multi-party computation, which enables collaborative processing without revealing sensitive information between parties. Additionally, techniques such as federated learning, zero-knowledge proofs, and synthetic data allow extracting value from data without compromising individuals' privacy, strengthening trust in organizations and promoting innovation.
Adopting PETs allows organizations to ensure compliance with fundamental data protection principles, such as data minimization and purpose limitation, while enabling new forms of analysis that do not compromise privacy. This not only protects individuals' privacy but also fosters trust in organizations and facilitates the development of data-driven innovations.
However, the use of PETs is not without risks. Although these technologies represent significant advances, they should not be considered foolproof solutions. Their implementation must be carried out legally, fairly, and transparently, carefully evaluating their impact, purpose, and regulatory compliance. Some PETs, still under development, present limitations in terms of scalability and resistance to attacks, which may compromise their effectiveness. Additionally, a lack of adequate technical expertise can lead to configuration errors that affect the balance between privacy and utility.
Finally, it is essential to consider that gaps between theory and practice can increase risks. Therefore, it is crucial to monitor vulnerabilities and have strong organizational and legal measures in place to ensure that PETs are effective and do not compromise individuals' rights.
Proposals for Recommendations and Identification of Opportunities Associated with Personal Data Protection in Latin American Countries.
As is the case in most developing regions, Latin America has not developed a comprehensive regulatory framework for artificial intelligence at the international treaty level, as it lacks both a general AI treaty and a unified regulatory framework for personal data protection and cybersecurity. Although there are soft law initiatives, the application of international human rights treaties, such as the American Convention, has been limited. Thus, despite the Inter-American Court expressing interest in expanding privacy protection rights, no clear precedents have yet been set regarding the technological challenges posed by AI (Contreras, 2024).
Currently, countries like Argentina, Brazil, Chile, Colombia, Mexico, and Uruguay are leading the development of regulatory frameworks around AI, prioritizing ethical development, promoting citizen participation, and seeking to ensure that this technology provides societal benefits. However, despite the development of national strategies and plans, a significant gap persists between the formulation of public policies and their effective implementation. Challenges such as a lack of inter-institutional coordination and insufficient allocation of adequate resources continue to be major obstacles to establishing a solid and effective regulatory framework in the region (Perez, 2024).
Thus, a series of proposals were developed regarding personal data management and AI use in the region, based on an analysis of the regulatory frameworks of the U.S., the European Union, and China. These recommendations are listed below:
Latin America can learn from the experiences of the U.S., the EU, and China to develop its own regulatory framework that integrates the positive aspects of each model, adapting them to its own needs and realities. It is essential that the region's governments collaborate with the private sector and other entities to build a future where AI is a driving force for development and societal well-being.
Perspectives
Long-term Influence in the Region
Adaptation Based on Technological Advances and New Needs
Potential Challenges in Implementation or Expansion
Opportunities for Future Alliances
Limitations
Time and Availability:
The development of the project was constrained by the time allocated for mentorship and limited personal availability due to parallel responsibilities. This restriction affected the ability to conduct an exhaustive analysis of all the areas originally planned.
Areas Not Addressed:
Due to the aforementioned restrictions, the project did not cover several important aspects, including:
Access to Resources and Specific Information:
Methods and Tools Used:
Personal Skills:
Despite the challenges faced, such as time and resource limitations, the project succeeded in establishing a solid foundation for analysis and comparison of AI regulations for personal data protection between the United States, the European Union, and China. The results also enabled the proposal of recommendations applicable to the regulatory framework in Latin America and developing regions to prevent these types of risks.
References
Executive summary: This research analyzes and compares AI regulatory frameworks for personal data protection in the US, EU, and China to develop recommendations for Latin America, highlighting the need for balanced regulation that protects privacy while fostering innovation.
Key points:
This comment was auto-generated by the EA Forum Team. Feel free to point out issues with this summary by replying to the comment, and contact us if you have feedback.