Our thinking

AI Watch: Global regulatory tracker

What's inside

Keeping track of AI regulatory developments around the world.

The global dash to regulate AI

Artificial intelligence (AI) has made enormous strides in recent years and has increasingly moved into the public consciousness.

Explore Trendscape

Our take on the interconnected global trends that are shaping the business climate for our clients.

Read more

Increases in computational power, coupled with advances in machine learning, have fueled the rapid rise of AI. This has brought enormous opportunities, as new AI applications have given rise to new ways of doing business. It has also brought potential risks, from unintended impacts on individuals (e.g., AI errors harming an individual's credit score or public reputation) to the risk of misuse of AI by malicious third parties (e.g., by manipulating AI systems to produce inaccurate or misleading output, or by using AI to create deepfakes).

Governments and regulatory bodies around the world have had to act quickly to try to ensure that their regulatory frameworks do not become obsolete. In addition, international organizations such as the G7, the UN, the Council of Europe and the OECD have responded to this technological shift by issuing their own AI frameworks. But they are all scrambling to stay abreast of technological developments, and already there are signs that emerging efforts to regulate AI will struggle to keep pace. In an effort to introduce some degree of international consensus, the UK government organized the first global AI Safety Summit in November 2023, with the aim of encouraging the safe and responsible development of AI around the world. 

Most jurisdictions have sought to strike a balance between encouraging AI innovation and investment, while at the same time attempting to create rules to protect against possible harms. However, jurisdictions around the world have taken substantially different approaches to achieving these goals, which has in turn increased the risk that businesses face from a fragmented and inconsistent AI regulatory environment. Nevertheless, certain trends are becoming clearer at this stage:

  1. "AI" means different things in different jurisdictions: One of the foundational challenges that any international business faces when designing an AI regulatory compliance strategy is figuring out what constitutes "AI." Unfortunately, the definition of AI varies from one jurisdiction to the next. For example, the EU AI Act adopts a definition of "AI systems" that is based on (but is not identical to) the OECD's definition, and which leaves room for substantial doubt due to its uncertain wording. Canada has proposed a similar, though more concise, definition. Various US states have proposed their own definitions, which differ from one another. And many jurisdictions (e.g., the UK, Israel, China, and Japan) do not currently provide a comprehensive definition of AI. Because several of the proposed AI regulations have extraterritorial effect (meaning more than one AI regulation may apply simultaneously), international businesses may be forced to adopt a "highest common denominator" approach to identifying AI based on the strictest applicable standard.
  2. Emerging AI regulations come in different forms: The various emerging AI regulations have no consistent legal form – some are statutes, some are executive orders, some are expansions of existing regulatory frameworks, and so on. The EU AI Act is a "Regulation" (which means that most of it will apply directly in all EU Member States, without the need for national implementation in most cases). The UK has taken a different approach, declining to legislate at this early stage in the development of AI, and instead choosing to task existing UK regulators with the responsibility of interpreting and applying five AI principles in their respective spheres. In the US, there is a mix of White House Executive Orders, federal and state initiatives, and actions by existing regulatory agencies, such as the Federal Trade Commission. As a result, the types of compliance obligations that international businesses face are likely to be materially different from one jurisdiction to the next. Many other jurisdictions have yet to decide whether they will issue sector-specific or generally applicable rules and have yet to decide between creating new regulators or expanding the roles of existing regulators, making it challenging for businesses to anticipate what form their AI regulatory relationships will take in the long term.
  3. Emerging AI regulations have different conceptual approaches: The next difficulty is the lack of a consistent conceptual approach among emerging AI regulations around the world – some are legally binding while others are not, some are sector-specific while others apply across all sectors, some will be enforced by regulators while others are merely guidelines or recommendations, and so on. As noted above, the UK approach is to use existing regulators to implement five AI principles, but with no new explicit legal obligations. This has the advantage of meaning that businesses will deal with AI regulators with whom they are already familiar but has the disadvantage that different UK regulators may interpret these principles differently in their respective spheres. The EU AI Act is cross-sectoral and creates new regulatory and enforcement powers for existing bodies, including the European Commission, and also creates entirely new bodies such as the AI Board and the AI Office, while leaving EU Member States to appoint their own AI regulators tasked with enforcing the EU AI Act. In the US, the Federal Trade Commission, Equal Employment Opportunity Commission, Consumer Financial Protection Bureau, and Department of Justice issued a joint statement clarifying that their existing authority covers AI, while various state regulators are also likely to have competence to regulate AI. International organizations including the OECD, the UN, and the G7 have issued AI principles, but these impose no legal obligations on businesses. In principle, these initiatives encourage consistency across members of each organization, but in practice this does not seem to have worked.
  4. Flexibility is a double-edged sword: In an effort to create AI regulations that can adapt to technological advances that have not yet been anticipated, many jurisdictions have sought to include substantial flexibility in those regulations, either by using deliberately high-level wording and policies, or by allowing for future interpretation and application by courts and regulators. This has the obvious advantage of prolonging the lifespan of such regulations by allowing them to be adapted to future technologies. However, it also creates the disadvantage of uncertainty because it leaves businesses uncertain of how their compliance obligations will be interpreted in the future. This is likely to mean that it is harder for businesses to know whether their planned implementations of AI will be lawful in the medium-to-long term and may make it harder to attract long-term AI investment in those jurisdictions.
  5. The overlap between AI regulation and other areas of law is complex: A substantial number of laws that are not directly focused on AI nevertheless apply to AI by association within their respective spheres, meaning that any use of AI will often trigger compliance issues and legal challenges even where there is not (yet) any enforceable AI-specific law. These areas of overlap include: IP (e.g., IP infringement issues with respect to AI model training data, and questions about copyright and patentability of AI-assisted inventions); antitrust; data protection (which adds restrictions to processing of personal data, and in some cases imposes special compliance obligations for processing carried out by automated means, including by AI); M&A (where AI innovation is driving dealmaking in many markets); financial regulation (where financial regulatory requirements may limit the ways in which AI can lawfully be deployed); litigation; digital infrastructure; securities; global trade; foreign direct investment; mining & metals; and so on. This overlap will mean that many businesses need to understand not just AI regulations in general, but also any rules that affect the use of AI in the context of the relevant sector or business activity.

Businesses in almost all sectors need to keep a close eye on these developments to ensure that they are aware of the AI regulations and forthcoming trends, in order to identify new opportunities and new potential business risks. But even at this early stage, the inconsistent approaches each jurisdiction has taken to the core questions of how to regulate AI is clear. As a result, it appears that international businesses may face substantially different AI regulatory compliance challenges in different parts of the world. To that end, this AI Tracker is designed to provide businesses with an understanding of the state of play of AI regulations in the core markets in which they operate. It provides analysis of the approach that each jurisdiction has taken to AI regulation and provides helpful commentary on the likely direction of travel.

Because global AI regulations remain in a constant state of flux, this AI Tracker will develop over time, adding updates and new jurisdictions when appropriate. Stay tuned, as we continue to provide insights to help businesses navigate these ever-evolving issues.

Articles

African Union

The African Union's Continental AI Strategy sets the stage for a unified approach to AI governance across the continent.

Read 10 min. article
Africa Union

Australia

Voluntary AI Ethics Principles guide responsible AI development in Australia, with potential reforms under consideration.

Read 11 min. article
Australia

Brazil

The enactment of Brazil's proposed AI Regulation remains uncertain with compliance requirements pending review.

Read 8 min. article
Sao Paulo

Canada

AIDA expected to regulate AI at the federal level in Canada but provincial legislatures have yet to be introduced.

Read 15 min. article
Canada

China

The Interim AI Measures is China's first specific, administrative regulation on the management of generative AI services.

Read 11 min. article
China

Council of Europe

The Council of Europe is developing a new Convention on AI to safeguard human rights, democracy, and the rule of law in the digital space covering governance, accountability and risk assessment.

Read 7 min. article
European Union

Czech Republic

The successful implementation of the EU AI Act into national law is the primary focus for the Czech Republic, with its National AI Strategy being the main policy document.

Read 6 min. article
Czech Republic

European Union

The EU introduces the pioneering EU AI Act, aiming to become a global hub for human-centric, trustworthy AI.

 

Read 13 min. article
European Union

France

France actively participates in international efforts and proposes sector-specific laws.

Read 10 min. article
Paris

G7

The G7's AI regulations mandate Member States' compliance with international human rights law and relevant international frameworks.

Read 11 min. article
G7 flags

Germany

Germany evaluates AI-specific legislation needs and actively engages in international initiatives.

Read 8 min. article
Germany

India

National frameworks inform India’s approach to AI regulation, with sector-specific initiatives in finance and health sectors.

Read 5 min. article
India

Israel

Israel promotes responsible AI innovation through policy and sector-specific guidelines to address core issues and ethical principles.

Read 9 min. article
Israel

Italy

Italy engages in political discussions for future laws.

Read 6 min. article
Milan

Japan

Japan adopts a soft law approach to AI governance but lawmakers advance proposal for a hard law approach for certain harms.

Read 9 min. article
Tokyo

Kenya

Kenya's National AI Strategy and Code of Practice expected to set foundation of AI regulation once finalized.

Read 6 min. article
Kenya
Kenya

Nigeria

Nigeria's draft National AI Policy underway and will pave the way for a comprehensive national AI strategy.

Read 6 min. article
Nigeria
Nigeria

Norway

Position paper informs Norwegian approach to AI, with sector-specific legislative amendments to regulate developments in AI.

Read 9 min. article
Norway

OECD

The OECD's AI recommendations encourage Member States to uphold principles of trustworthy AI.

Read 9 min. article
country flags

Saudi Arabia

Saudi Arabia is yet to enact AI Regulations, relying on guidelines to establish practice standards and general principles.

Read 6 min. article
Riyadh_Hero_1600x600 Saudi Arabia

Singapore

Singapore's AI frameworks guide AI ethical and governance principles, with existing sector-specific regulations addressing AI risks.

Read 7 min. article
Singapore

South Africa

South Africa is yet to announce any AI regulation proposals but is in the process of obtaining inputs for a draft National AI plan.

Read 6 min. article
Johannesburg

South Korea

South Korea's AI Act to act as a consolidated body of law governing AI once approved by the National Assembly.

Read 6 min. article
Korea

Spain

Spain creates Europe's first AI supervisory agency and actively participates in EU AI Act negotiations.

Read 10 min. article
Madrid

Switzerland

Switzerland's National AI Strategy sets out guidelines for the use of AI, and aims to finalize an AI regulatory proposal in 2025.

Read 8 min. article
Switzerland

Taiwan

Draft laws and guidelines are under consideration in Taiwan, with sector-specific initiatives already in place.

Read 6 min. article
Taiwan city

Turkey

Turkey has published multiple guidelines on the use of AI in various sectors, with a bill for AI regulation now in the legislative process.

Read 11 min. article
Türkiye

United Arab Emirates

Mainland UAE has published an array of decrees and guidelines regarding regulation of AI, while the ADGM and DIFC free zones each rely on amendments to existing data protection laws to regulate AI.

Read 15 min. article
UAE

United Kingdom

The UK prioritizes a flexible framework over comprehensive regulation and emphasizes sector-specific laws.

Read 12 min. article
London hero image

United Nations

The UN's new draft resolution on AI encourages Member States to implement national regulatory and governance approaches for a global consensus on safe, secure and trustworthy AI systems.

Read 7 min. article
United Nations

United States

The US relies on existing federal laws and guidelines to regulate AI but aims to introduce AI legislation and a federal regulation authority.

Read 19 min. article
New York city photo

Contacts

Tim Hickman
Tim Hickman
Partner
London
Erin Hanson
Erin Hanson
Partner
New York
Dr. Sylvia Lorenz
Dr. Sylvia Lorenz
Partner
Berlin

Service areas

Australia

AI Watch: Global regulatory tracker - Australia

Voluntary AI Ethics Principles guide responsible AI development in Australia, with potential reforms under consideration.

Insight
|
11 min read

Laws/Regulations directly regulating AI (the “AI Regulations”)

Australia has not yet enacted any specific statutes or regulations that directly regulate AI. To date, Australia's response to AI has been voluntary and includes:

  • The AI Ethics Principles published in 20191 (see "Key compliance requirements" section below) which comprise eight voluntary principles for the responsible design, development and implementation of AI, which are consistent with the OECD's Principles on AI.
  • The Voluntary AI Safety Standard2 (see "Key compliance requirements" section below) which comprise ten voluntary guardrails that cover aspects such as transparency with other organizations, accountability processes and risk management of AI. It offers practical guidance for Australian organizations to mitigate risks while leveraging the benefits of AI.

In June 2023, the Commonwealth Department of Industry, Science and Resources (the "Department") commenced a consultation into "Safe and Responsible AI in Australia" (the "Consultation")3 which focused on developing governance mechanisms to ensure the safe and responsible development and use of AI and identifying potential gaps in Australia's current regulatory frameworks.

On January 17, 2024, the Australian Government published its interim response to the Consultation (the "Interim Response"),4 which identified that current regulatory frameworks may not sufficiently prevent harms arising from the use of AI systems in legitimate but high-risk contexts. Accordingly, it appears that major reform could be expected in the medium term, where a risk-based framework will likely be adopted with an initial focus on appropriate mandatory safeguards and how best to implement them.

Following the Interim Response, the Australian Government announced the establishment of a new Artificial Intelligence Expert Group to assist the Department in developing regulations on transparency, testing and accountability, including options for mandatory AI guardrails in high-risk settings.

In August 2024, the Australian Government introduced the Voluntary AI Safety Standard and in September 2024, the Australian Government published a proposals paper introducing mandatory guardrails for AI in high-risk settings (the "Proposals Paper")5 (see "Key compliance requirements" section below) which largely mirror the Voluntary AI Safety Standard. The Proposals Paper outlines potential AI regulatory options and seeks feedback on proposed mandatory AI guardrails, as well as principles used to categorize an AI system as 'high-risk'. Proposed regulatory options to mandate guardrails include adapting existing regulatory frameworks, creating new framework legislation and amending associated existing legislation, or introducing a new AI Act.

Status of the AI Regulations

As noted above, as yet there are no specific statutes or regulations in Australia that directly regulate AI. Neither the Consultation, the Interim Response, nor the Proposals Paper provide any indicative timeline for when specific AI regulation might be expected.

Other laws affecting AI

There are various laws that do not seek to regulate AI, but that may affect the development or use of AI in Australia. A non-exhaustive list of these laws include:

  • The Online Safety Act 2021,6 which includes mechanisms to address online safety issues, extending to AI generated material
  • The Australian Consumer Law, which was applied to algorithmic decision making in a Federal Court case which ordered Trivago to pay $44.7 million in penalties for misleading consumers about room rates in the recommendations made by its algorithm7
  • The Privacy Act 19888
  • The Corporations Act 20019
  • Intellectual property laws may affect several aspects of AI development and use
  • Anti-discrimination laws, for example, where an individual is a victim of a discriminatory outcome resulting from an AI-driven process

In the Interim Response, the Australian Government acknowledged that existing laws will likely need to be strengthened to address harms posed by AI. To that end, on September 12, 2024, the Australian Government introduced the 'Communications Legislation Amendment (Combatting Misinformation and Disinformation) Bill 2024' to provide the Australian Communications and Media Authority (ACMA) with regulatory powers to combat online misinformation and disinformation, extending to content on digital platforms that are generated by AI.

Definition of “AI”

No definition of AI has been formally adopted by any statutes or regulations in Australia. In the Consultation, the Commonwealth Department adopted the following definitions:10

  • "AI" means "an engineered system that generates predictive outputs such as content, forecasts, recommendations or decisions for a given set of human-defined objectives or parameters without explicit programming. AI systems are designed to operate with varying levels of automation"
  • "Machine learning" means "the patterns derived from training data using machine learning algorithms, which can be applied to new data for prediction or decision-making purposes"
  • "Generative AI" means "models [that] generate novel content such as text, images, audio and code in response to prompts"

The definitions of AI, machine learning and algorithm are stated to be based on the International Organization for Standardization's definitions.11

The Voluntary AI Safety Standard provides a framework definition for safe and responsible AI:

  • "Safe and responsible AI" means "AI should be designed, developed, deployed and used in a way that is safe. Its use should be human-centered, trustworthy and responsible. AI systems should be developed and used in a way that provides benefits while minimizing the risk of negative impact to people, groups, and wider society."

In the Proposals Paper, the Australian Government is seeking public consultation on whether to implement a principles-based approach or a list-based approach (as adopted in the EU and Canada) to define "high-risk AI".

Territorial scope

As noted above, there are no specific statutes or regulations in Australia that directly regulate AI. Accordingly, there is little to no guidance on any specific territorial scope at this stage.

Sectoral scope

As noted above, there are no specific statutes or regulations in Australia that directly regulate AI. Accordingly, there is little to no guidance on any specific sectoral scope at this stage. To date, the focus of the Consultation, Interim Response and Proposals Paper has not been sector-specific, and it is expected that any AI-specific regulations will apply across all sectors of the Australian economy.

Compliance roles

As noted above, there are no specific statutes or regulations in Australia that directly regulate AI.

However, AI developers and users should note that the proposed mandatory AI guardrails impose compliance requirements on Australian organizations. These requirements include: (i) establishing internal governance protocols to ensure compliance with the guardrails; (ii) maintaining records to enable third parties to assess compliance; and (iii) undertaking conformity assessments in order to certify compliance with the guardrails.

Core issues that the AI Regulations seek to address

While voluntary, the AI Ethics Principles are designed to ensure AI is "safe, secure and reliable" by: (i) achieving safer, more reliable and fairer outcomes for all Australians; (ii) reducing the risk of negative impact on those affected by AI applications; and (iii) assisting businesses and governments to practice the highest ethical standards when designing, developing and implementing AI. By implementing the AI Ethics Principles, as well as the Voluntary AI Safety Standard which seeks to address similar issues, businesses can begin to develop the practices needed for future AI regulatory environments.

The proposed mandatory guardrails set clear regulatory expectations from the Australian Government on the safe and responsible use of AI. They focus on providing Australian businesses with: (i) greater regulatory certainty over the AI landscape; (ii) mechanisms to mitigate risks and harms associated with AI; and (iii) public trust in the development and deployment of AI in Australia in high-risk settings.

Risk categorization

As noted above, there are no specific statutes or regulations in Australia that directly regulate AI.

In the Interim Response, the Australian Government indicated that it would adopt a risk-based framework to AI regulation, meaning the regulatory requirements will be commensurate to the level of risk posed by the specific use, deployment or development of AI where, for example, higher risk AI applications will likely include uses that may result in negative impacts for people that are difficult or impossible to reverse.

This risk-based framework is further reflected in the Proposals Paper, which outlines a risk-based approach for new mandatory AI guardrails enforced in Australia. In implementing mandatory AI guardrails, the Australian Government will consider: (i) the levels of risk and key attributes of identified risks; and (ii) the balance of ex ante (preventative) and ex post (remedial) regulatory measures to successfully mitigate against identified risks.

In addition, specific risk categories were identified in the Proposals Paper:

Category 1: This category relates to known or foreseeable uses of an AI system and risk is measured based on the context in which the AI system will be applied.

Category 2: This category applies to advanced AI systems with unforeseeable applications and emergent risks. Risk is assessed based on the AI system's potential use – or misuse – for purposes that may cause widescale harm. By the time these risks become foreseeable, it may be too late to apply effective preventative measures.

Key compliance requirements

As noted above, there are no specific statutes or regulations in Australia that directly regulate AI. The voluntary AI Ethics Principles identify the following broad principles for ensuring safe, secure and reliable AI:

  • Human, societal and environmental wellbeing: AI systems should benefit individuals, society and the environment
  • Human-centered values: AI systems should respect human rights, diversity, and the autonomy of individuals
  • Fairness: AI systems should be inclusive and accessible, and should not involve or result in unfair discrimination against individuals, communities or groups
  • Privacy protection and security: AI systems should respect and uphold privacy rights and data protection, and ensure the security of data
  • Reliability and safety: AI systems should reliably operate in accordance with their intended purpose
  • Transparency and explainability: There should be transparency and responsible disclosure so people can understand when they are being significantly impacted by AI, and can find out when an AI system is engaging with them
  • Contestability: When an AI system significantly impacts a person, community, group or environment, there should be a timely process to allow people to challenge the use or outcomes of the AI system
  • Accountability: People responsible for the different phases of the AI system lifecycle should be identifiable and accountable for the outcomes of the AI systems, and human oversight of AI systems should be enabled

The Voluntary AI Safety Standard identifies the following principles for ensuring safe, secure and reliable AI:

  • Accountability: Establish, implement and publish an accountability process that outlines governance polices and regulatory compliance strategies
  • Risk Management: Establish and implement risk management processes to identify and mitigate risks that are known or foreseeable
  • Data Governance: Protect AI systems by implementing data governance, privacy and cybersecurity measures to manage security vulnerabilities such as data quality and data access
  • Model Testing: Test AI models and evaluate performance before placing high-risk AI systems on the market, as well as continuously monitor the system once deployed
  • Human Oversight: Enable human control and intervention across AI systems to achieve meaningful human oversight
  • User Information: Inform end-users on how AI is being used, particularly around AI-enabled decisions, AI interactions and AI-generated content
  • Complaints Mechanism: Establish processes for people negatively impacted by high-risk AI systems to contest AI-enabled decisions or make complaints about their experience
  • Transparency: Be transparent with other organizations across the AI supply chain by sharing information about data, models, and systems to effectively mitigate risks
  • Record Keeping: Keep and maintain records, including technical documentation, to allow third parties to assess compliance with guardrails
  • Engage stakeholders: Engage stakeholders and evaluate their needs and circumstances, with a focus on safety, diversity, inclusion and fairness

The Proposals Paper suggests transitioning from the current voluntary AI guardrails, as outlined in the Voluntary AI Safety Standard, to mandatory guardrails. Consequently, organizations developing or deploying high-risk AI systems would be required to adhere to the first nine voluntary guardrails listed above.

The tenth proposed mandatory guardrail (Conformity Assessments) differs from the tenth voluntary guiderail, which emphasizes ongoing stakeholder engagement to evaluate stakeholders' needs and circumstances based on safety, diversity, inclusion and fairness.

The Proposal Paper and its mandatory guardrails have been developed based on AI regulations enforced in Canada and Europe, specifically the Artificial Intelligence and Data Act in Canada and the EU AI Act in Europe.

Regulators

There is currently no AI specific regulator in Australia.

However, it is expected that sector-specific regulators such as the Australian Competition and Consumer Commission, the ACMA, the Office of the Australian Information Commissioner and the e-Safety Commissioner will be involved in the Australian Government's approach to the regulation of AI in Australia. As noted above, we can expect that the ACMA will be given certain regulatory powers to combat online misinformation on digital platforms that are generated by AI.

Enforcement powers and penalties

As noted above, there are no specific statutes or regulations in Australia that directly regulate AI. The use, deployment or development of AI may be subject to enforcement and penalties if it breaches other, non-AI specific statutes and regulations.

1 The AI Ethics Principles (2019) is available here.
2 The Voluntary AI Safety Standard is available here.
3 The Consultation paper is available here.
4 The Interim Response is available here.
5 The Proposals paper is available here.
6 The Online Safety Act 2021 (Cth) is available here.
7 See Australian Competition and Consumer Commission v Trivago N.V. [2020] FCA 16 here.
8 The Privacy Act 1988 (Cth) is available here.
9 The Corporations Act 2001 (Cth) is available here.
10 See the Consultation at page 5.
11 See ISO/IEC 22989: Artificial intelligence concepts and terminology here.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2024 White & Case LLP

Contacts

Stefanie Benson
Stefanie Benson
Partner|Sydney
Services
Antitrust/Competition, Energy, Technology, Consumer & Retail
Sarah Lee
Sarah Lee
Associate|London
Services
Intellectual Property, Data, Privacy & Cybersecurity, Life Sciences and Healthcare
Rachael Stowasser
Rachael Stowasser
Associate|Sydney
Services
Antitrust/Competition

Service areas

Top