Top 10 Considerations for In-House Counsel on Privacy and Data Protection Concerns with AI

Fenwick & West LLP

  1. Know your legal role: Privacy laws vary among jurisdictions, and your obligations when using AI and personal information will change based on your legal role, for example, as a processor or controller in Europe, or as a Covered Business or Service Provider in California.
  2. Be transparent: Privacy policies/notices should be updated frequently with required disclosures to communicate key aspects of your organization’s AI use, especially concerning automated decision-making.
  3. Know the source of your training data: Regulators have required destruction of AI/ML models that were built on improperly obtained data.  
  4. Understand that AI can transform non-personal information into personal information: Collective non-personal information used in AI processing could produce an output that would be considered personal information, attaching potential legal obligations. 
  5. Maintaining AI models is a continuing action: Hallucinations and/or biased outputs originating from incomplete training data or poorly designed modeling may be alleged as an unfair or deceptive business practice.  
  6. Expectations of “reasonable” security are evolving: Regulators are hiring technologists to assess and modernize duties of “reasonable” care that may evolve more quickly than your product design cycle.
  7. Implement an AI governance program: Properly conducted privacy/data protection impact assessments, subject to regulators’ guidance, are going to be the new normal prior to product/feature development.  
  8. Honor individual privacy rights: Laws will continue to provide individuals with rights such as a right to opt-out, correct or delete that may be challenging to honor given AI model constraints.  
  9. Know how to work with vendors: Depending on your role in the AI ecosystem, jurisdictions may impose specific data protection obligations on you, and a software bill of materials may become a new requirement (especially if contracting with the government).
  10. Develop internal controls and employee training: Employees/contractors may be the biggest risk to the security of an AI system or the catalyst for inadvertent leakage of confidential information.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fenwick & West LLP | Attorney Advertising
