AI Regulations: A Status Update

Dear Reader,

Sometimes it is a little disorienting to think that it has been only 18 months since the public release of ChatGPT. The unprecedented hype it unleashed about AI’s earth shattering possibilities has not dimmed one bit. In fact, given the rapid technological and application changes that have taken place since then, the hype-train has only become longer and more crowded. There are now more AI startups, more AI funding, and more AI governance programs than at any other point of time. This is also therefore an opportune moment to take stock of the AI wave over the last year and a half, and understand what has truly changed and what has not. Over the course of the next few months, Digital Republic will dive deep into the various facets of this issue, particularly in the Indian context. 

To begin with, in today’s article, we will look at how AI regulations have developed since November 2022, and because this is such a new area of policymaking, what is now widely settled and what issues are likely to dominate the discourse going forward. This also becomes important as India is now actively looking at a separate legislation to govern AI systems. To help us with this endeavour, we are joined in today’s edition by our good friend Dibyojyoti Mainak who has seen up close the ins and outs of India’s emerging tech startup ecosystem in a manner that very few other people would have.

What is Settled?

At the outset, the most fundamental aspect of AI regulations that seems to be settled globally is the very need for such regulations. Most major jurisdictions have in some form or another indicated that there must be some baseline regulations to govern commercial use of AI. There is of course a spectrum of regulations inherent here, from soft principles (like the UK) to hard law (the EU’s AI Act), but the important fact is that these now exist. In fact a growing number of countries seem to be alright with also developing an international baseline of regulations that would theoretically be applicable across borders. Recent developments like the Seoul Declaration underline this. Therefore, AI regulations, in whatever shape or form will be an accepted fact of life if they aren’t already.

One of the most contentious philosophical and legal questions - that of defining the term ‘AI’ - also appears to be settled at least for now. The EU AI Act’s definition of AI, “as a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments,” is likely to become the most commonly adopted definition across the world, irrespective of its specific merits, particularly because of the moral regulatory weight that the EU carries and the fact that its definition is nearly the same as the OECD’s. Very few countries now are likely to deviate significantly from this definition, as it provides a ready baseline they can work from without reinventing the wheel. Global consensus on defining AI therefore has appeared faster than anyone expected. 

Important Current Issues

What remains largely and fundamentally unsettled, however, is the extent to which traditional legal frameworks will have to be revised in order to balance legitimate interests that are at odds with each other — something that the law typically aims to achieve and GenAI (considering the way in which the technology is being presently built) stands to disturb and disrupt. In this regard, there are three main questions that currently lay before policymakers — First, who should be entitled to exercise proprietary interest and control over the data that is “ingested” or used as input for training the AI models underlying GenAI tools such as ChatGPT, and how should they go about enforcing such rights? Second, who owns the rights to data that is outputted from GenAI tools? Third, and more generally, how should liability be allocated in cases surrounding the involvement of AI? 

The first two questions fall primarily within the domain of Intellectual Property and Copyright laws. The very first question for example is fundamentally an issue of copyright law. While copyright protection is normally given to an expression and not simply the idea, unauthorised use of copyrighted work is legally protected so long as it constitutes ‘fair use.’ The flurry of lawsuits being filed against GenAI providers in the United States as of late pertain to exactly this — for example, text-based GenAI tools such as ChatGPT utilise Large Language Models (LLMs) that are trained on very large publicly accessible datasets and online sources including copyrighted works scraped from the web without any authorisation. As per OpenAI’s own submission, ChatGPT’s training process involved the downloading and copying of copyrighted work. 

While the lawsuits in question challenge this ‘unauthorised’ use (both at the training stage and output generation), GenAI providers as well as many legal experts are of the view that such use is protected under the fair use exemption (See: here, here, and here). Others still argue that this defence could encounter problems considering the detrimental and substitutive impact GenAI tools could have on the market of copyright holders. Copyright litigation on these issues in the US, however, is in very early stages, and it could be years before there is any legal certainty on the matter. Taking a different route, the EU has chosen to clearly provide this certainty by introducing explicit exceptions to infringement for training models on copyrighted material for non-commercial uses and also reserving a copyright holder’s right to “opt-out” of commercial uses. Some however argue that the ‘opt-out’ option could disproportionately stifle Machine Learning (ML) innovation. Evidently, the answer to this question will be far from straightforward. 

At first blush, the answer to the second question is informed by the terms of service laid down by the GenAI provider for its tool, and at present, most GenAI tools do specify that their users own the content they generate. However, the question really goes to whether such output is protected under intellectual property laws to begin with. The default position of IP laws traditionally is to require human authorship or inventorship to be granted protection, raising questions about their applicability to AI-generated work. The US Copyright Office explicitly allows registration of works “created by a human being,” and has rejected applications that claim protection for works that have been autonomously created by AI models. IP claims have also been rejected on the grounds of lack of sufficient creative control by a human when using GenAI to create works. For example, in the case of Author Kristina Kashtanova who sought copyright protection for a graphic novel that included AI-generated images, the Copyright Office refused to grant her copyright over the images citing that humans do not generally exercise ultimate creative control over the outcome of GenAI works. However, at the same time, the Office has clarified that Gen-AI works could receive copyright protection under specific conditions upon providing “sufficient human authorship,” but has provided no guidance or examples on the same. 

Finally, the question of allocating liability of course is particularly important as AI systems display more emergent behaviour or bad actors several steps removed from the original developers either prompt or re-engineer the system to operate in a manner that might not have been originally intended. There are many different potential liability frameworks ranging from strict liability to that of a principal-agent relationship. Each of these frameworks involves specific trade-offs between different claims to equity, particularly when balancing the rights of the end-users and primary developers. There is however no correct answer at this point, and whether we like it or not it will take several years of trial and error by each jurisdiction before any finality is reached. In India’s case too, it is unclear at this point how the government will approach this issue though the likely outcome will be the path of least resistance, with the original developers / owners / deployers of the models in question being saddled with the ultimate responsibility. 

Underlining the specific legal questions mentioned above is the more foundational question of how AI should be regulated. Is it really necessary to have a brand new targeted legislation like the EU AI Act? Or would existing regulations in other connected domains work just as well or even better? Existing Data Protection and Consumer Protection regulations for example, are two regulatory frameworks that could theoretically offer most of the necessary substantial protections without a new legislation. However the answer to this question is more likely to be driven by political considerations than legal requirements. 

Fundamentally, the primary questions in AI regulation now are practical, technical and legal issues. The major philosophical questions, while still important, will take a backseat in regulatory discourse. As India begins preparing its own AI governance paradigm, it must begin thinking through the questions discussed above if the proposed governance structures are to be effective and forward-looking.

Thank you for reading. Have a great weekend. And as always, for any questions or suggestions, please write to us at digitalrepublic@evamlp.com.

Best,

Dibyojyoti, Shashank & Shruti

We thank Aprameya Sheshadri (1st year, B.A.LLB, NLSIU, Bengaluru) for his research assistance.