Global AI Projects, Local Privacy Laws? Embrace Privacy by Design Worldwide

1. October 2020

In 2023, spending on AI systems will reach $97.9 bn, more than 250% of the value in 2019, according to IDC research. “Software is eating the world, but AI is going to eat software” is how NVIDIA CEO Jensen Huang famously put it. This ongoing AI revolution requires collecting enormous amounts of data. Across industries, from healthcare and retail to automotive and public transport, computer vision and video analytics are key techniques in AI to fuel new digital solutions. 

At the same time, there is an increasing debate around the use of AI systems based on video data. Especially the use of facial recognition technology during protests in the US and Hong Kong has sparked fierce public debates. Amidst this tension between innovation and privacy, regulators worldwide are trying to establish clearly defined rules for the digital revolution. 

A recent study by brighter AI in cooperation with the German AI Association summarizes the privacy regulations of six major markets: EU (GDPR), US (CCPA), China (CSL & PIS), Japan (APPI), South Korea (PIPA) and Brazil (LGPD). With a focus on video processing for AI and analytics, the report highlights views and best practices from industry leaders and privacy experts.

Global projects, local laws

Overall, the study shows that while data collection and AI projects are increasingly borderless, privacy laws are not. For many industries, it is not only the multinational setup with geographically dispersed expert teams that makes AI projects inherently global. Take the development of autonomous vehicles: In order to develop safe cars for international markets, neural networks need to be trained on data collected on roads worldwide.

Currently, the European GDPR is the only privacy law that includes multiple countries (27 member states). In the United States, the picture is quite the opposite and there are even different privacy laws across states. Furthermore, some regulations have a lot of additional complexity. In China for example, different guidelines with respect to data privacy exist, including mainly the Cybersecurity Law (CSL) and the Personal Information Security Specification (PIS). Only few – partially contradicting – translations exist and responsibilities are divided between different authorities, leaving international data controllers with uncertainty. 

Privacy laws on the rise

Even though these uncertainties exist, also in China, a country known for lightspeed innovation and public facial recognition systems, privacy laws are becoming stronger. Especially foreign companies that engage in video data projects have to be aware of the laws and need to anonymize personal information from datasets. 

Several countries in the Asia Pacific region are aligning more closely with GDPR and began to set up more stringent data protection laws. The adequacy decision by the European Commission towards Japan’s Act on the Protection of Personal Information (APPI) and ongoing talks between the EU and South Korea, are signs of increasing legal homogeneity. 

Despite the EU’s ruling against Privacy Shield, the introduction of the California Consumer Privacy Act makes it clear that some key principles, such as the “right for deletion”, are gradually becoming global standards. The law is even more remarkable as California is home to the digital power house Silicon Valley and the world’s fifth largest economy (if it would be a country). Due to privacy bills in other US states like Washington and to create equal rights for all Americans, there is a growing number of voices calling for country-wide privacy regulations

The introduction of Brazil’s new privacy law LGPD has been postponed due to Covid-19, but its principles and the hefty fines of up to 2% of revenues have parallels to GDPR. 

Privacy by design as a competitive advantage

To comply with privacy laws in international AI projects, it is advisable to have an understanding of each market. Here, companies should not look out for loopholes, but rather align practices to the strictest rules possible. 

Besides increasing pressure to fulfill legal requirements, insights from business, tech and privacy leaders show: Companies increasingly find value in compliance and embracing “privacy by design”. Embedding the best possible data privacy settings and technical means including, data pseudonymization and anonymization, directly into processes and products can become a significant advantage towards sustainable AI and computer vision solutions. Business partners and regulators will acknowledge this – and, most importantly, your customers.

“The members of the German AI Association are committed to ensure that artificial intelligence is used in the sense of European and democratic values. Of course, this also includes the protection of individuals when processing their personal data. We believe that AI-based innovations and data protection are not mutually exclusive.“

Daniel Abbou CEO, KI Bundesverband



Thomas Strottner
Head of Business Development