Building Trust in AI: The Certification Approach

“AI represents the future, and trust is the bridge that will take us there.”

— K.L.

Trustworthy AI

Upon the unveiling of the Q1 2024 financial report of ENVIDA, the leading luminary in the AI-chip manufacturing and service sector, the public enthusiastically lauded the company’s exceptional performance. This accomplishment reinforces the current and projected robust growth of the AI ecosystem.

Concurrently, the global landscape of AI is witnessing a dynamic evolution in regulation and policy. The EU’s AI Act has established a nuanced legal architecture, and an array of frameworks, guidelines, statutes, and regulations is emerging across various jurisdictions. These developments are poised to undergo continuous transformation, exerting a profound and enduring influence on industries, communities, and societal structures.

As AI progresses on its trajectory of expansion and advancement, professionals from legal, social, and ethical spheres are demonstrating a heightened interest in critical issues. These include ensuring safety, upholding ethical standards, enforcing accountability, guaranteeing trustworthiness, and protecting privacy, among others.

Google’s CEO Sundar Pichai offered seven objectives for AI applications that became core beliefs for the entire company.

  • Be socially beneficial.
  • Avoid creating or reinforcing unfair bias.
  • Be built and tested for safety.
  • Be accountable to people.
  • Incorporate privacy design principles.
  • Uphold high standards of scientific excellence.
  • Be made available for uses that accord with these principles.

Building trust in the AI era

The chasm between theoretical principles and tangible application is a pivotal subject that demands attention. To address this, Alan Winfield of the University of Bristol and Marina Jirotka from Oxford University propose a comprehensive, four-layer governance framework for AI systems, which could effectively narrow this divide.

This governance framework encompasses the following elements:

(1) reliable systems based on sound software engineering practice;

(2) safety culture through proven business management strategies;

(3) trustworthy certification by independent oversight, and

(4) regulation by government agencies.

Central to the concept of independent oversight is the reinforcement of legal, moral, and ethical tenets that underpin human or organizational accountability and liability for their products and services. Nonetheless, the notion of responsibility is inherently intricate, with subtleties and complexities that are especially pronounced in the face of rapid technological progression and the concurrent evolution of regulatory frameworks.

To navigate these complexities, it is imperative to adopt a dynamic governance approach that not only reflects the current technological landscape but also anticipates future developments. This involves continuous dialogue among technologists, ethicists, legal experts, and policymakers to ensure that AI systems are governed responsibly and ethically, aligning with societal values and expectations.

From privacy trust to AI trust

Certifications, as outlined in Articles 42 and 43 of the General Data Protection Regulation (GDPR), have been acknowledged and incorporated as integral components of compliance mechanisms.

Certain marks and seals have garnered official recognition from European supervisory authorities, exemplified by the likes of EuroPrise and Europrivacy.

Beyond these, entities such as TrustArc proactively deliver independent assurance and compliance verification services, which are pivotal in substantiating an organization’s adherence to regulatory standards.

The question arises whether the successful establishment of privacy trust can be analogously applied to the realm of AI trust. The affirmative response is warranted, given that the majority of AI operations are fundamentally predicated on data.

While we don’t need to reinvent the wheel, it is crucial to leverage the accumulated experience and successful outcomes from the domain of data protection and privacy governance.

By building upon the established frameworks and practices, we can effectively extend these principles to AI governance, ensuring that AI systems are developed and deployed with a strong foundation of trust, compliance, and ethical considerations.

In April, TrustArc announced the first client to be certified under the newly launched TRUSTe Responsible AI Certification. “This certification marks an important step for the industry towards greater accountability and trust in the technologies shaping our future,” said Noël Luke, Chief Assurance Officer at TrustArc.

Manage Cross Border Data Flow Risks Out of China: China Data Cybersecurity Assessment

Doing business in China in times of geopolitical tension and in the post-COVID period, you are required to meet China’s increasing data compliance regulatory challenges while keeping your company’s and your clients’ data secure.

2023: China further raises the bar on data export from China

With the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information taking effect on 1 June 2023, China’s legislation on data export from China further raises the bar. Together with the 2017 Cybersecurity Law, the 2022 cross-border Data Transfer Guidelines, the 2021 Personal Information Protection Law and the 2021 Data Security Law, it constitutes the current Chinese data export legislation (the “China Data Export Laws”).

Under the China Data Export Laws, and unlike the GDPR, which applies an adequacy principle agreed between the EU and a country or region, China’s data export mechanism is an approval granted by the authority, the local Cybersecurity Administration of China (the “CAC”), on a case-by-case basis through either a cybersecurity assessment or a standard contract filing in accordance with the China Data Export Laws. Whichever approval category your entity is subject to, China’s approach to data export means that the burden of obtaining the respective approval from the CAC falls on each entity individually.

Under what scenarios your entity will be subject to CAC Cybersecurity Assessment Approval

According to the China Data Export Laws, a CAC security assessment is required for cross-border data transfers in ANY of the following circumstances:

  1. Cross-border transfers of “important data”
  2. Cross-border transfers of personal data by critical information infrastructure (CII) operators
  3. Cross-border transfers by a data exporter processing the personal data of 1 million or more individuals
  4. Any transfer (in aggregate) of the personal data of more than 100,000 individuals, or of the sensitive personal data of more than 10,000 individuals, that has occurred since 1 January of the preceding year
  5. Other situations requiring a security assessment in accordance with PRC laws and regulations

Under what scenarios your entity will be subject to CAC Standard Contract Filing Approval

According to the China Data Export Laws, if your entity needs to transfer personal information across the border and does not reach the cybersecurity assessment threshold, it is required to obtain standard contract filing approval.

For example, an entity that:

  1. Is not a CII operator
  2. Annually processes the personal information of no more than 1 million individuals
  3. From 1 January of last year to date, has transferred the personal information of no more than 100,000 individuals out of China
  4. From 1 January of last year to date, has transferred the sensitive personal information of no more than 10,000 individuals out of China

The data exporter shall not split a cross-border transfer into smaller transfers in order to avoid obtaining prior standard contract filing approval.

What stands out in this approval is that the entity is first required to carry out a data privacy impact assessment, as this assessment is one of the key documents supporting the entity’s application.

Legal Consequences of NOT Complying with the Data Export Laws

Before we move to the legal consequences relating to either the cybersecurity assessment approval or the standard contract filing approval, two points should be made clear.

  1. The approvals regulate not only foreign-invested companies in China but also Chinese local businesses that have overseas data flow requirements; and
  2. The CAC has the right to reject your application for approval until your entity meets the CAC’s requirements, assessed case by case.

To date, we have seen no more than 10 approval cases in either approval category.

However, your entity will face severe legal consequences if it does not comply with the Data Export Laws of China.

For example:

  1. A ban on the use of your system/app
  2. A fine of no more than 5% of your entity’s annual revenue or no more than 50 million RMB
  3. A ban on your entity’s operations, or deregistration of your entity from the business registry

Your Actions Required Even When NOT Required to Get Approvals

Even if your entity is not required to obtain approvals from the CAC, you are still required to meet the basic requirements of the Data Export Laws of China when you need cross-border flows of financial or HR information to manage your business in China.

Some basics you need to know when planning your export data out of China:

  • Data Inventory Check

The purpose is to know the current data inventory: whether there is “important data” in the business operation, and whether the volume of data flowing across the border reaches the approval threshold.

  • Build up Internal Data Processing Guidelines

The purpose is to draw a “red line” for your Chinese employees when handling financial or HR data flows. These are the specific procedures your Chinese employees are required and urged to follow when dealing with cross-border transfers of HR or business data.

  • Add a China chapter to the privacy policy or cookie policy of your website or system

Although there are some similarities between the Data Export Laws of China and the GDPR, there are significant differences between the two legislative systems.

To avoid any conflict, we suggest that your website or app include a dedicated section governing data exported from mainland China.

  • IT Risk Assessments for the WeChat platform or your Chinese website

If your entity uses the WeChat platform to promote its business, or operates a Chinese website, we suggest regular IT risk assessments to keep your client data and company data secure.

  • Consider Outsourcing Data Protection Officer Services

Hiring a local data expert to deal with day-to-day China data utilization issues will save time and cost, given that China is strengthening its data export controls.

  • Consider a Data Localization and Segregated Chinese System/Platform Strategy

We understand that deploying a separate system, server or Chinese-version platform will be a burden and costly for your entity.

However, in the long run, if your entity has a vision of treating its Chinese subsidiary as an isolated external entity in system terms, this may ultimately help keep the data you collect within the territory of mainland China.

We can assist clients in deploying data localization and system segregation strategies to prepare for and balance the challenges of cross-border data transfer.

Our Team

Our team delivers only the best professional services in data security and privacy protection.

  • We are experts in regulatory understanding and in building regulatory requirements into your products and services.
  • We are familiar with the major technical security tools and apply them to multiple data compliance frameworks.
  • We are cross-border experts with both legal and technical backgrounds who understand technical terminology and product design logic.
  • We have multinational knowledge and certifications covering ASEAN, Europe, India, and North America. We are qualified and certified compliance professionals holding CEPE L CIPP/E, CIPP/A, HITRUST CCSFP, CDPSE and CISO.
  • Our team has an ongoing interest and passion for dedicating our time and resources to researching and following the newest developments in data security and privacy protection regulation. In addition, all our professionals have cross-field knowledge and practical backgrounds.

If you have further inquiries, please contact grace.chen@1compliance.group