AI to Regulate AI

Executive Summary

Data and data-driven services are having a profound impact on the economy. Most countries have long been regulating personal data protection, and the EU recently approved regulations to address the failures of data and digital service markets, such as competition, quality of system design, monitoring of high-risk AI systems, service interoperability,  or the rights of users, among others.

These ex ante regulations focus on already-familiar aspects of ICT and competition regulations. They will undeniably cause friction in the market, and likely face significant enforcement challenges. Moreover, there might be a need for more disruptive approaches to regulating data and digital markets, like paying back people for their data as proposed by Jaron Lanier some time ago, embedding Personal Information Management Systems in gatekeepers to manage personal data, or extending those data unions to act as federated regulatory watchdogs. 

To enforce AI regulations, competent authorities will need to develop and make use of federated AI/ML compliance tools to automate regulatory processes. As the Allies needed a machine – The Bombe –  to break Enigma during WWII, we will likely need AI to regulate AI.

---

AI and ML models are being massively adopted and their use is having a profound impact on businesses, processes, and the economy as a whole. Opportunities and challenges extend to all sectors, with predictions about the size of AI markets amounting to US$13 trillion globally by 2030 [1]. And data, not only but especially personal data, is a key input for those models.

Nowadays, the data economy concentrates on a limited number of firms, horizontally integrated across the value chain, which collect and exploit their data by offering services to end users. This concentration is mainly due to two factors: the peculiarities of data as an economic good, and increased network effects of AI/ML services.

First, data is an elusive commodity, a freely replicable, non-depletable asset holding a highly combinatorial and context-specific value [2], thus difficult to trade. As a result, not only do controllers have the incentive to hoard more and more (personal) data to increase their value, but they are also reluctant to share or market it, leaving most data in corporate silos.

Second, like traditional ICT services, existing users of AI/ML/data-driven services often benefit from new users joining the service (e.g., more recommendations, or more content shared). In addition, they usually introduce automatic feedback loops to collect inputs from users, an information that providers use to enrich the service and eventually increase the value users produce just by making use of the service [3]. In practice, this multiplies the network effects inherent to ICT services being used by an increasing number of users.

This situation has raised a growing concern about the abuse of indiscriminate collection of personal data, which led some years ago to data protection regulations such as the GDPR in the EU or the CCPA in the US. Leveraging those regulations, Personal Information Management Systems, aka PIMS, have appeared which aim to give users back control over their personal data being collected by digital service providers. They make it easier for users to exert their rights to erase or download their data, manage their consent to share data, track who has access to which data, etc. However, PIMS are struggling to achieve a critical mass of users to benefit from economies of scale that ensure their viability, due to the lack of awareness of end users and due to an uncertain business model, among other reasons.

Data providers and data service providers are heavily regulated. We often forget that digital service providers must comply with (sometimes very strict) sectoral regulations – a healthcare digital service provider must observe specific health-related regulations (e.g., HIPAA in the US), let alone heavy complex regulations applying to financial information (e.g., FIDA and MiFID in the EU).

In addition, data a data-driven services pose horizontal regulatory and competition challenges. To unlock the Gordian knot of locked concentrated data markets, the scope of generic data-related regulations has transcended personal data protection. Recently, the EU has embarked on a series of regulations primarily aimed at i) protecting data service users’ rights, ii) dealing with digital market dynamics, and iii) unlocking the potential of data by fostering data exchanges.

These ex ante regulations focus on already-familiar aspects of ICT Regulation. Let us give some examples.

Similar to ICT market analysis and designation of Dominant Service Players, the Digital Markets Act (DMA) defines criteria to designate and obligations for the so-called “gatekeepers”.

The Data Governance Act (DGA) contains provisions that can be found in ICT competition and economics regulations, such as the need for registering, righteous accountability and auditability, provisions to impose independence of Data Intermediation Service Providers from Data Service Providers, or clauses imposing non-discrimination on data products, access prices, or the services offered by these intermediaries to potential buyers. 

EU’s Data Act (DA) introduces technical provisions to make data services interoperable (Ch. VIII), similar to regulations dealing with telecom network interconnection, and obligations to facilitate switching data service providers (Ch. VI). Data portability between data service providers relates to number and access portability within telecom service providers (GDPR for personal data, DA Ch. VI related to data portability when switching services). Two examples of standardization initiatives to improve interoperability and move towards secure sovereign trusted data exchanges are the International Data Spaces and the Gaia-X project.

There are even cost-related issues in data regulations – like in telecom access and interconnection. DA mandates cost-based access to data due to an obligation stemming from EU laws (Art. 9) or in exceptional need (Art. 20), cost-based switching charges (Art. 29), and cost-based in-parallel data processing (Art. 34).

Even when all these regulations are still subject to development (e.g., guidelines, harmonisation standards, specifications, etc), interpretation, and discussion, an initial analysis concludes they are meant to cause significant friction in the market [4], and that data regulations will likely face significant enforcement challenges. How to identify unlawful potentially discriminating data transactions in automated data marketplaces continuously closing thousands of contracts daily? How to carry out conformity assessments of complex high-risk AI systems or data intermediation service providers? As data exchanges, AI systems, and their users become more automated, so must the regulatory tools intended to monitor data, data markets, and AI algorithms. Yet this may also require the collaboration of service providers while preserving their intellectual property and their users’ privacy, for which the concept of federated learning [5] may help, too.

Moreover, more disruptive approaches to regulating data markets have been proposed. Back in 2013, Jaron Lanier proposed that people get paid for their data as a solution to the problems of concentration of the data economy and to the reduction in employment that AI systems may cause in the long term [6]. Later, Eric Posner and Glen Weyl dared to estimate an income of up to 20k USD yearly for a family of four in the US [7]. PIMS might turn out to be the future data labor unions of this emerging data labor market, imposed on big companies to manage personal data and the consent of their users. Moreover, it makes sense that the functions of such data unions are extended to act as federated watchdogs to ensure that service providers comply with data regulations.

In conclusion, data and data-driven services are already having a significant impact on the economy. Some legislative and regulatory developments are already addressing some of the failures of data and digital service markets, addressing issues like data protection, competition, risks of AI systems and their interoperability, or the rights of users, among others. Such regulations are somewhat incremental in the sense that they resemble traditional ICT regulations, but more disruptive general regulatory approaches are yet to come. Moreover, competent authorities will need automated monitoring and regulatory tools to help in their tasks. As the Allies needed a machine – The Bombe –  to break Enigma during WWII, we will likely need AI to effectively regulate AI.

---

[1] J. Bughin, J. Seong, J. Manyika, M. Chui, and R. Joshi. Notes from the AI frontier: Modeling the impact of AI on the world economy. McKinsey Global Institute, 2018.

[2] D. Coyle, S. Diepeveen, J. Wdowin, J. Tennison, and L. Kay. The value of data – policy implications. Bennett Institute for Public Policy, Cambridge, 2020

[3] Andrei Hagiu and Julian Wright. To Get Better Customer Data, Build Feedback Loops into Your Products. Harvard Business Review. July 2023

[4] Santiago Andrés Azcoitia and Alba Ribera Martínez. Data Marketplaces and the Data Governance Act: A Business Model Perspective. Sept. 2023. Kluwer Competition Law Blog

[5] McMahan, H., et al. Communication-Efficient Learning of Deep Networks from Decentralized Data. Conf. AI And Statistics, 1273-1282 (2017).

[6] J. Lanier. Who Owns the Future? Simon & Schuster, 2013

[7] E. A. Posner and G. Weyl. Radical Markets. Uprooting Capitalism and Democracy for a Just Society. Princeton Univ. Press, 2018.