AI Regulation Reference

Insights

Provisions worth knowing about — sleeper regulations, upcoming deadlines, and high-impact requirements that compliance teams often miss.

5
sleeper
6
upcoming
1
high-impact
4
cross-domain

sleeper 5 provisions

Regulations not branded as AI-specific but that catch AI use — privacy laws, financial rules, and sector regulations with provisions that apply to automated decision-making.

Automated Decision-Making Transparency (APP 1.7/1.8)
Privacy Act 1988 — Automated Decision-Making Reforms Australia Transparency enacted
Australia's Privacy Act reforms make AI transparency mandatory through privacy law — not AI-specific legislation. Any organization using personal information in automated decisions must disclose the types of data used, the logic applied, and the most influential factors. Even "human in the loop" doesn't exempt you if the algorithm plays a substantial role. The OAIC has stated that "the algorithm decided" is not an acceptable explanation.
Data Minimisation for AI Systems
Privacy Act 1988 — Automated Decision-Making Reforms Australia Data Governance enacted
The reformed Privacy Act explicitly prohibits collecting broad datasets "in case they might be useful" for AI training. Each data input to an AI system must be demonstrably necessary for the specific purpose. This directly impacts how organizations build training datasets and deploy AI models using personal information.
Privacy Impact Assessments for AI
Privacy Act 1988 — Automated Decision-Making Reforms Australia Risk Assessment enacted
Automated Processing Definitions (Rule 2.02)
Colorado Privacy Act Rules (4 CCR 904-3) Colorado Human Oversight enforcing
These privacy-law definitions directly govern AI-driven profiling in hiring, lending, and insurance — even though the rules predate and never mention AI. The three-tier automation framework determines consent and opt-out requirements, making this one of the most consequential provisions for organizations using automated decision-making in Colorado.
Data Protection Assessments for Profiling (Rule 9.06(B))
Colorado Privacy Act Rules (4 CCR 904-3) Colorado Risk Assessment enforcing
Any organization using AI for profiling in Colorado — credit scoring, insurance underwriting, employment screening — must conduct a Data Protection Assessment under this rule, regardless of whether the AI system was the target of the regulation. This is the provision a lawyer friend called a "real sleeper" that many compliance teams miss.

upcoming 6 provisions

Provisions approaching their enforcement date. Worth tracking now to prepare for compliance.

Automated Decision-Making Transparency (APP 1.7/1.8)
Privacy Act 1988 — Automated Decision-Making Reforms Australia Transparency enacted
Australia's Privacy Act reforms make AI transparency mandatory through privacy law — not AI-specific legislation. Any organization using personal information in automated decisions must disclose the types of data used, the logic applied, and the most influential factors. Even "human in the loop" doesn't exempt you if the algorithm plays a substantial role. The OAIC has stated that "the algorithm decided" is not an acceptable explanation.
Risk-Based AI Classification
Brazil AI Bill (PL 2338/2023) Brazil Risk Assessment proposed
Transparency and Explainability
Brazil AI Bill (PL 2338/2023) Brazil Transparency proposed
Human Oversight and Contestation
Brazil AI Bill (PL 2338/2023) Brazil Human Oversight proposed
Record-Keeping & Automatic Logging (Article 12)
EU AI Act European Union Record Keeping enacted
AI Governance Principles
Artificial Intelligence Basic Act Taiwan Risk Assessment proposed

high-impact 1 provision

Provisions with significant penalties, broad scope, or sweeping requirements that affect many organizations.

Record-Keeping & Automatic Logging (Article 12)
EU AI Act European Union Record Keeping enacted

cross-domain 4 provisions

Provisions that span multiple industries. A privacy rule that affects AI in hiring, lending, and insurance simultaneously.

Automated Decision-Making Transparency (APP 1.7/1.8)
Privacy Act 1988 — Automated Decision-Making Reforms Australia Transparency enacted
Australia's Privacy Act reforms make AI transparency mandatory through privacy law — not AI-specific legislation. Any organization using personal information in automated decisions must disclose the types of data used, the logic applied, and the most influential factors. Even "human in the loop" doesn't exempt you if the algorithm plays a substantial role. The OAIC has stated that "the algorithm decided" is not an acceptable explanation.
Data Minimisation for AI Systems
Privacy Act 1988 — Automated Decision-Making Reforms Australia Data Governance enacted
The reformed Privacy Act explicitly prohibits collecting broad datasets "in case they might be useful" for AI training. Each data input to an AI system must be demonstrably necessary for the specific purpose. This directly impacts how organizations build training datasets and deploy AI models using personal information.
Automated Processing Definitions (Rule 2.02)
Colorado Privacy Act Rules (4 CCR 904-3) Colorado Human Oversight enforcing
These privacy-law definitions directly govern AI-driven profiling in hiring, lending, and insurance — even though the rules predate and never mention AI. The three-tier automation framework determines consent and opt-out requirements, making this one of the most consequential provisions for organizations using automated decision-making in Colorado.
Data Protection Assessments for Profiling (Rule 9.06(B))
Colorado Privacy Act Rules (4 CCR 904-3) Colorado Risk Assessment enforcing
Any organization using AI for profiling in Colorado — credit scoring, insurance underwriting, employment screening — must conduct a Data Protection Assessment under this rule, regardless of whether the AI system was the target of the regulation. This is the provision a lawyer friend called a "real sleeper" that many compliance teams miss.