Section 4 Flashcards

(52 cards)

1
Q

What does FIPs stand for?

A

Fair Information Practices

FIPs are principles designed to guide the collection and use of personal data.

2
Q

What is the principle of ‘Purpose specification’ in FIPs?

A

Data should be collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes.

3
Q

Define ‘Data minimization’ as per FIPs.

A

Only collect data that is necessary for the specified business purpose.

4
Q

What are the ‘7 privacy by design principles’?

A
  • Respect for users
  • Proactive, preventative, not reactive
  • Default setting
  • Embedded into design
  • Positive sum
  • End-to-end security
  • Transparency
5
Q

What is ‘Privacy by default’?

A

Ensures the highest level of protection is automatically applied to personal data.

6
Q

Name four privacy laws to know.

A
  • GDPR
  • California Consumer Privacy Act
  • California Privacy Rights Act
  • Biometric Information Privacy Act
7
Q

What are the ‘Seven GDPR Principles’?

A
  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability
8
Q

What does GDPR Article 22 address?

A

General prohibition on automated decision-making with serious effects on data subjects.

9
Q

What rights do data subjects have under GDPR?

A
  • Right to accurate data
  • Right to correction
  • Right to erasure/deletion
10
Q

Fill in the blank: Consent in automated decision-making under GDPR requires _______.

A

explicit and voluntary consent

11
Q

What is the definition of ‘Anonymized data’?

A

Data that cannot be used to identify an individual.

12
Q

What is ‘Pseudonymized data’?

A

Data that has been de-identified but is still considered personal information.

13
Q

List the six legal bases for collecting personal data.

A
  • Consent
  • Contract
  • Vital interest
  • Legal claim or requirement
  • Public interest
  • Legitimate interest
14
Q

What is ‘Bayesian improved surname geocoding’ used for?

A

Creating proxies for special categories of data.

15
Q

What are the requirements for third-party data processors (5)?

A
  • Assess risk
  • Ensure compliance with privacy laws
  • Conduct vendor due-diligence
  • Ensure adequacy of contractual agreements
  • Provide notice and consent
16
Q

What is the purpose of a Data Protection Impact Assessment?

A

To identify, assess, and mitigate privacy risks associated with a system or project.

17
Q

What does Title VII of the Civil Rights Act of 1964 prohibit?

A

Employment discrimination based on protected characteristics.

18
Q

What is fair use in copyright law?

A

Allows copyrighted works to be used without permission in specific cases.

19
Q

What are the four factors of fair use defense?

A
  • Purpose and character of use
  • Nature of copyrighted work
  • Amount and substantiality of the portion used
  • Effects on potential market value
20
Q

What are the three types of patents?

A
  • Utility
  • Design
  • Plant
21
Q

What does ‘Indemnification’ refer to?

A

Contractual obligation to pay for a loss incurred by another.

22
Q

What is the FTC’s role regarding unfair acts?

A

To regulate acts that cause substantial injury to consumers without offsetting benefits.

23
Q

What are the four guiding principles of SR 11-7?

A
  • Effective challenge of models
  • Critical analysis by informed parties
  • Identify model limitations
  • Change model as needed

24
Q

What defines an AI software as a medical device?

A

If it is intended to treat, diagnose, cure, mitigate, or prevent disease.

25
Q

What does the 21st Century Cures Act aim to improve?

A

Access and transparency of health data.

26
Q

What is the purpose of the California AI Transparency Act?

A

Requires organizations that create, code, or produce GenAI and have over 1M monthly users to provide free AI detection tools, disclose AI systems, and label AI-generated content.

27
Q

What does the Colorado AI Act mandate?

A
  • Reasonable care to prevent algorithmic discrimination
  • Implementation of risk management frameworks
  • Documentation and transparency requirements
  • Impact assessments

28
Q

What does the EU AI Act apply to?

A
  • Providers and users in the EU
  • Providers outside the EU with products in the EU
  • Operators outside the EU producing outputs for use in the EU

29
Q

What forms of AI are considered to have unacceptable risk (7)?

A
  • Social credit scoring
  • Manipulating behavior
  • Emotion recognition used in education or workplace
  • Predictive policing
  • Exploitative
  • Untargeted scraping of facial images
  • Biometric categorization (using sensitive characteristics) and identification (by law enforcement in public)

30
Q

What are the Annex III high-risk use cases under the EU AI Act (8)?

A
  • Biometric identification and categorization of natural persons
  • Critical infrastructure
  • Migration
  • Education
  • Employment
  • Essential private, public services and benefits
  • Administration of justice or other democratic processes
  • Law enforcement

31
Q

What are the requirements for high-risk AI providers under the EU AI Act?

A
  • Risk management
  • Data and data governance
  • Technical documentation
  • Recordkeeping
  • Transparency
  • Human oversight
  • Accuracy, robustness, cybersecurity
  • Quality-management systems
  • Document keeping
  • Logs
  • Corrective actions/duty of information
  • Cooperation with competent authorities
  • Authorized representatives

32
Q

What is required for recordkeeping in high-risk AI systems?

A
  • Secure repository for documentation
  • Retained for 10 years

33
Q

What is the significance of 'substantial modification' in the EU context?

A

A post-market change impacting compliance with the Act.

34
Q

What does the term 'GPAI provider obligations' refer to?

A

Obligations for General Purpose AI providers regarding documentation and compliance.

35
Q

What are the obligations of GPAI providers in the EU (5)?

A
  • Technical documentation
  • Transparency information
  • Comply with copyright law
  • Provide a summary of training data
  • Appoint an EU representative if non-EU

36
Q

What exceptions exist for GPAI providers regarding technical documentation and transparency?

A

Exceptions apply if models are open source, adaptable without restrictions, details about parameters, weights, model architecture, and usage are publicly available, and they do not pose systemic risk.

37
Q

What are the mandates for systemic risk GPAI providers in the EU (4)?

A
  • Evaluate models via adversarial testing
  • Conduct assessments at the EU level
  • Track and report serious incidents
  • Ensure adequate cybersecurity

38
Q

What are the risk tier penalties under the EU AI Act?

A

Fines can be up to 35M euros or 7% of global annual turnover. Other fines include 15M euros or 3% for other risk tiers and 7.5M euros or 1% for providing misleading information. GPAI model fines: 15M euros or 3% of global annual turnover.

39
Q

What is required for authorized representatives under the EU AI Act (6)?

A
  • Mandate and documentation - written mandate from the provider which specifies tasks and responsibilities
  • Due diligence - verify the EU declaration of conformity and contact details
  • Compliance - register high-risk systems in the EU database
  • Recordkeeping - must retain contact details, declaration of conformity, technical documentation, and the certificate issued by the notified body
      ◦ Certificate - issued as evidence that a system has passed conformity assessment
      ◦ Notified body - independent organization designated by EU member states to assess conformity of products pre-market
  • Reporting - when terminating a mandate, authorized representatives must notify the market surveillance authority, notify the notified body, and provide the reason for termination
  • Cooperating with authorities - provide documentation and logs upon request and cooperate with reasonable requests from authorities

40
Q

What are the obligations of importers under the EU AI Act (5)?

A
  • Conduct due diligence
  • Ensure compliance
  • Retain documentation
  • Reporting - notify the provider, authorized representative, and market surveillance authority when a system presents a risk to health, safety, or fundamental rights
  • Cooperation with authorities

41
Q

What additional requirements do distributors have compared to importers?

A
  • Due diligence - in addition to all due diligence requirements for importers, distributors must also ensure the importer is in compliance
  • Compliance - in addition to importer requirements, post-deployment the distributor must withdraw and correct the system
  • Reporting - must notify the provider and importer when the system presents a risk to health, safety, or rights; if this is post-market, they must notify the provider, importer, and competent authorities of the member state

42
Q

What due diligence is required from deployers under the EU AI Act?

A
  • AI literacy
  • Due diligence - not subject to distributor or importer requirements; deployers which are public authorities or EU institutions must verify the AI system is registered in the database
  • Compliance and monitoring - monitor according to provider instructions and provide feedback to the provider. If the system impacts health or safety, the deployer must inform the provider, distributor, and market surveillance authority and suspend use of the system; then it must carry out a data protection impact assessment per GDPR
  • Human oversight
  • Incident reporting - for serious incidents, immediately inform the provider, importer or distributor, and market surveillance authority
  • Transparency
  • Record-keeping - 6 months or as otherwise implicated
  • Cooperation with authorities - deployers of biometric ID systems must submit an annual report to surveillance authorities and DPAs
  • Fundamental rights impact assessment - deployers determine the specific uses; applies to Annex III high-risk systems as well as to public law entities, private operators of public services, and private deployers that evaluate creditworthiness or risk and pricing for life and health insurance

43
Q

What is the purpose of a fundamental rights impact assessment?

A

To evaluate specific uses of AI systems and their impacts on fundamental rights.

Footnote: This applies to high-risk systems and certain public and private entities.

44
Q

Under what conditions can deployers become providers?

A

Deployers can become providers if they put their name on a system, make substantial modifications, or modify non-high-risk systems to become high-risk.

Footnote: This applies regardless of contractual relationships.

45
Q

What does the OECD AI classification framework include?

A

The framework includes categories like people and planet, economic context, data and input, AI model, and tasks and output.

Footnote: It outlines principles for inclusive growth and human rights.

46
Q

What are the NIST RMF characteristics of trustworthy AI?

A

Trustworthy AI must be valid, safe, secure, accountable, explainable, and fair.

Footnote: It should also mitigate harmful bias.

47
Q

What challenges does the NIST AI RMF face?

A

Challenges include tracking emergent risks, ensuring reliable metrics, and integrating organizational processes.

Footnote: Issues like human baseline and prioritization also present difficulties.

48
Q

What does ISO 42001 provide guidance on?

A

ISO 42001 provides high-level guidance on responsible AI use and requirements for compliance.

Footnote: It emphasizes risk assessments and performance monitoring.

49
Q

What are the key components of ISO 31000?

A

ISO 31000 provides standards for consistent vocabulary and methodology for risk assessment and management.

Footnote: It's applicable across various sectors.

50
Q

What does the IEEE 7000-21 standard address?

A

IEEE 7000-21 addresses ethical concerns in system design, ensuring management communication with stakeholders.

Footnote: It integrates ethical values into operations.

51
Q

What are the lifecycle stages outlined in IEEE 7000-21?

A

The lifecycle stages include system exploration, development, and implementation.

Footnote: These stages focus on embedding ethical considerations.

52
Q

What is the goal of the Human Rights, Democracy, and Rule of Law Assurance Framework (HUDERAF)?

A

The goal is to define and develop impact assessments that incorporate human rights with AI-centered approaches.

Footnote: It follows a risk-based approach to assess likelihood of risk realization.