AI Applications and Regulation: Mapping the Regulatory Strata

Abstract

Many accounts suggest that artificial intelligence (AI) law is still in its infancy with few statutes and other regulatory instruments regulating AI development and use. In this paper, we argue that such accounts are misguided. AI applications exist in a rich regulatory landscape, subject to multiple rules. To demonstrate our claim, we conduct two semi-fictional case studies under Finnish law. In the first case study, we chart the rules that currently would govern and impact AI tool use in recruitment. In the second case study, we map the legal framework for the Finnish COVID-19 contact tracing app. The article makes three contributions to the literature. First, the case studies provide ample evidence that the prevailing orthodoxy misstates the state of AI law. There is AI law on the books and existing laws have a profound impact on AI application design. Second, the mappings provide building material for developing a grounded theory framework for categorizing AI law and its types and modalities, allowing us to formulate a heuristic for understanding AI regulation. We argue that developers and AI application stakeholders should construe AI law as a complex stratigraphy consisting of five layers: data rules that regulate data use, application-specific AI rules that target specific AI applications or application domains, general AI rules that apply to a wide range of AI applications, application-specific non-AI rules that apply to specific activities but not to AI specifically and general non-AI rules that apply generically and across domains. Third, we provide guidance for practitioners for structuring AI compliance processes. We argue that practitioners should keep in mind that the rules and standards differ in their scopes, targets, certainty, and regulatory modalities. Consequently, understanding the AI regulatory landscape requires developing an understanding of multiple rule complexes, their dynamics, and regulatory modalities.