Privacy and Data Protection Alert – November 2024

Draft Regulations of the Artificial Intelligence Law

On November 19, the draft Regulation of Law No. 31814, Artificial Intelligence Law, was published for public comment. These will be received from November 25 until December 6, 2024.

The following provisions are highlighted:

• Criteria for classifying artificial intelligence-based systems into those of unacceptable risk and high risk are detailed:
  • Unacceptable risk: that system that aims to substantially alter the behavior of a person or a specific population group and/or that system that classifies the reliability of a natural person or collective through the quantification of their social behavior.
  • High risk: that system that biometrically identifies natural persons; evaluates and selects users for access to educational centers, jobs, health services and credit granting; supports judicial decision making and crime risk assessment; among others.

As a reminder, the Artificial Intelligence Law adopted the risk-based approach for the management of artificial intelligence-based technologies, by virtue of which they are classified into unacceptable risk, high risk, medium risk and low risk systems.

• Those using high-risk systems must comply with a series of obligations, including the identification and assessment of risks; the implementation of risk management measures; the registration of the use of the applications; the preparation of reports; among others.
• Those using artificial intelligence software shall implement security measures, including data encryption, anomaly detection, model robustness, privacy by design, security audits, and education and awareness.
• The Presidency of the Council of Ministers, through the National Digital Security Center of the Secretariat of Government and Digital Transformation, may perform oversight actions, including internal risk controls, penetration testing, continuous monitoring and coordination with digital security incident response teams.

According to the Artificial Intelligence Law, such entity is the technical-regulatory authority responsible for directing, evaluating and supervising the use and promotion of the development of artificial intelligence.

It should be noted that the use of systems based on artificial intelligence must comply with the legislation on personal data protection.

For further information, please contact José Govea (jgovea@estudiorodrigo.com) and/or Francisco Baldeón (fbaldeon@estudiorodrigo.com).