The Burges Salmon AI Law, Regulation and Policy Glossary is a selection of key AI terms and their definitions (with links to sources), identifying where they are found in anticipated UK and EU laws and/or regulations, regulatory guidance and UK AI policy.
This glossary is a useful guide to private companies, public organisations, regulators and legislators – in particular those working in the areas of Financial Services, Healthcare and Transport Technology – who: • want a reference guide for AI terms; • are interested in how and where terms relevant to AI are being used in law, regulation and policy; and/or • are preparing to comply with the various current and future regulations that will affect how they build, buy and govern AI systems. What can we learn from this? The glossary draws out four key themes about the application of AI terms in law, regulation and policy: • We may not be talking the same language. Shared understanding of terms is essential when determining how and when laws and regulations apply. But whilst certain terms may be commonly used in industry they can lack or vary in legal definition and risk differing interpretations and application. There are various geographical and industry standards setting organisations working towards common AI terminologies. Those are useful and have been how shared terminology has been developed previously in other industries. However, they may vary between themselves and may not be how legislators, regulators or courts apply terms in practice. • That is, partly, because context matters. Definitions vary depending on the context in which they are used e.g. the type of legislation or guidance, the industry to which they relate, and the geography in which they apply. For example, the types of ‘damage’ which regulations try to protect against can vary; damage potentially caused by automated vehicles (property) is different to the types of damage AI systems can cause which other laws are typically more concerned about (e.g. the EU’s focus on fundamental rights). • We are still at an early stage. There is still relatively limited application of AI terms in statute, case law and regulation. This may mean those applying AI terms in practice – whether industry, courts or regulators – have to turn to other sources to try to understand what a term does (or does not) mean. That will include industry and technical definitions (which are voluminous, varied, at differing levels of maturity and which we do not include here). However, as AI regulations progress globally, we can expect further debate, guidance and clarification as to what terms mean in practice. • Common definitions do occur but should not be presumed. For example, a number of ‘data’ related terms are consistent in England and Wales and in the EU as a result of the GDPR. The EU’s proposed AI laws intend to produce a similar ‘gold standard’ of legislation, which would include seeing terms being used consistently in different jurisdictions. However, regulators may intentionally choose not to do this. For example, the EU AI Act defines AI, whereas the UK policy position is that AI should remain undefined.
Why did we choose these sources? Those looking to build or buy AI systems will be subject to various laws and regulations. They may also look to guidance which indicates how terms are understood and may be applied. Which ones apply, and the weight they should be given (if any), needs to be considered in each case. This document is not legal advice. However, we think the sources used for this glossary (listed at the end) are some that are likely to have to be considered, or are useful to compare and contrast to help determine the meaning of a term. Information is correct as at the first publication date of this version.
Key and notes • E&W Law = statute, case law, Law Commission reports, court procedural rules of England and Wales. • E&W Guidance = regulatory guidance in England and Wales including from ICO, FCA, CMA, MHRA. • EU includes proposed EU AI Act and updated Product Liability Directive. • We include a few international examples of case law where potentially useful or noted by legal commentators – e.g. from Canada and Singapore. • Every definition has a linked source. For a list of sources, click here. • Quotations are ‘italicised and in apostrophes’. • Summaries of definitions are in normal text. We have only done this where the full definition (in the source link) is too lengthy for the glossary. • Cross-references to other definitions are italicised and underlined e.g. ‘See AI System’. • E&W case law may include decisions in the High Courts, Court of Appeal and Supreme Court. It does not include decisions from the following courts: Employment Tribunal; Immigration; County Courts; or Magistrate Courts. • We include drafting notes where helpful but otherwise have only included terms where they are defined and relevant in an AI-context; laws and regulations may have explained themes or concepts analogous to glossary terms, but we have not included those here. There has been debate about a number of terms, their meaning and application. Again, we do not include that here. • AI terms may have technical meanings, too, but these are not included here. • We will continue to develop the glossary as laws and regulations evolve. All comments and suggestions are welcome.
AI / Artificial Intelligence Also see AI System E&W ‘Artificial intelligence’ means technology enabling the programming or training of a device or software to — i) perceive environments through the use of data; ii) interpret data using automated processing designed to approximate cognitive abilities; and iii) make recommendations, predictions or decisions; with a view to achieving a specific objective’. (Source: National Security and Investment Act 2021 (Notifiable Acquisition) (Specification of Qualifying Entities) Regulations 2021/1264 Schedule 3, Paragraph 1 - Link) Guidance ‘What is AI? AI is an umbrella term for a range of technologies and approaches that often attempt to mimic human thought to solve complex tasks. Things that humans have traditionally done by thinking and reasoning are increasingly being done by, or with the help of, AI.’ (Source: ICO, Explaining decisions made with Artificial Intelligence, Part 1 The basics of explaining AI, Definitions – Link) UK Policy is currently to ‘set out the core characteristics of AI to inform the scope of the AI regulatory framework but allow regulators to set out and evolve more detailed definitions of AI according to their specific domains or sectors. This is in line with the government’s view that we should regulate the use of AI rather than the technology itself - and a detailed universally applicable definition is therefore not needed. Rather, by setting out these core characteristics, developers and users can have greater certainty about scope and the nature of UK regulatory concerns while still enabling flexibility - recognising that AI may take forms we cannot easily define today - while still supporting coordination and coherence.’ (Source: UK Policy: Establishing a pro-innovation approach to regulating AI – Link) EU See AI System Canada ‘Information technology that performs tasks that would ordinarily require biological brainpower to accomplish, such as making sense of spoken language, learning behaviours, or solving problems.’ (Source: Canadian Directive on Automated Decision-Making – Link)
AI System (Artificial Intelligence System) E&W See AI Guidance Each AI system ‘involves the creation of an algorithm that uses data to model some aspect of the world, and then applies this model to new data in order to make predictions about it’. (Source: ICO, Explaining decisions made with Artificial Intelligence, Part 1 The basics of explaining AI, Definitions - Link) EU ‘artificial intelligence system’ (AI system) means a system that is designed to operate with elements of autonomy and that, based on machine and/ or human-provided data and inputs, infers how to achieve a given set of objectives using machine learning and/or logic- and knowledge based approaches, and produces system-generated outputs such as content (generative AI systems), predictions, recommendations or decisions, influencing the environments with which the AI system interacts (Source: EU AI Act, Article 3(1) - Link) Canada ‘artificial intelligence system means a technological system that, autonomously or partly autonomously, processes data related to human activities through the use of a genetic algorithm, a neural network, machine learning or another technique in order to generate content or make decisions, recommendations or predictions.’ (Source: Canada’s proposed C-27 bill ‘to enact the Artificial Intelligence and Data Act’ – Link) 3 Algorithm E&W A finite sequence of instructions, typically used to solve a class of specific problems or to perform a computation. (Source: Law Commission DAO Consultation – Link) Guidance ‘An algorithm is a sequence of instructions or set of rules designed to complete a task or solve a problem. Profiling uses algorithms to find correlations between separate databases. These algorithms can then be used to make a wide range of decisions, for example to predict behaviour or to control access to a service’. (Source: ICO, Guide to the General Data Protection Regulation (GDPR), Automated decision-making and profiling - Link) EU [Note: algorithm is referred to in the EU AI Act but not defined] 4 Algorithmic Processing Guidance Algorithmic processing is ‘the processing of data (both personal and non-personal) by automated systems. This includes artificial intelligence (AI) applications, such as those powered by machine learning (ML) techniques, but also simpler statistical models […] Algorithmic processing can be used both to produce an output (for example video or text content) and to make or inform decisions that have a direct bearing on individuals.’ (Source: Digital Regulation Cooperation Forum (DRCF), The benefits and harms of algorithms: a shared perspective from the four digital regulators - Link)
Algorithmic System Guidance Algorithmic System’ is ‘a convenient shorthand to refer more widely to automated systems, a larger intersection of the algorithm, data, models, processes, objectives, and how people interact and use these systems’. (Source: CMA, Algorithms: How they can reduce competition and harm consumers - Link) 6 Algorithmic Trading Guidance Algorithmic Trading is defined as ‘trading in financial instruments where a computer algorithm automatically determines individual parameters of orders such as whether to initiate the order, the timing, price or quantity of the order or how to manage the order after its submission, and there is limited or no human intervention; but does not include any system that is only used for the purpose of routing orders to one or more trading venues or for the processing of orders involving no determination of any trading parameters or for the confirmation of orders or the post-trade processing of executed transactions’ (Source: FCA Glossary - Link) EU See MiFID II, Article 4(1)(39) which uses near-identical language to the FCA Glossary - Link 7 Authorised representative EU ‘Authorised representative’ means any natural or legal person established within the Union who has received a written mandate from a manufacturer to act on its behalf in relation to specified tasks). (Source: EU EU Proposed Product Liability Directive, Article 4(12) - Link). ‘Authorised representative means any natural or legal person physically present or established in the Union who has received and accepted a written mandate from a provider of an AI system to, respectively, perform and carry out on its behalf the obligations and procedures established by this Regulation’ (Source: EU AI Act, Article 3(5) - Link) 8 Automated DecisionMaking (ADM) (or Automated Decision System) Guidance ‘Automated decision-making is the process of making a decision by automated means without any human involvement. These decisions can be based on factual data, as well as on digitally created profiles or inferred data. Examples of this include: an online decision to award a loan; and an aptitude test used for recruitment which uses pre-programmed algorithms and criteria. Automated decision-making often involves profiling, but it does not have to.’ (Source: ICO, Guide to the General Data Protection Regulation (GDPR), Automated decision-making and profiling - Link) Canada Automated Decision System ‘Includes any technology that either assists or replaces the judgement of human decision-makers. These systems draw from fields like statistics, linguistics, and computer science, and use techniques such as rules-based systems, regression, predictive analytics, machine learning, deep learning, and neural nets’. (Source: Canadian Directive on Automated Decision-Making – Link) ‘automated decision system means any technology that assists or replaces the judgment of human decision-makers through the use of a rules-based system, regression analysis, predictive analytics, machine learning, deep learning, a neural network or other technique’. (Source: Canada’s proposed C-27 bill ‘to enact the Artificial Intelligence and Data Act’ – Link)
Automated Facial Recognition (AFR) E&W ‘AFR is a way of assessing whether two facial images depict the same person. A digital photograph of a person’s face is taken and processed to extract biometric data (i.e. measurements of the facial features). That data is then compared with facial biometric data from images contained in a database. […] The technical operation of AFR comprises the following six stages: (1) Compiling/using an existing database of images […] (2) Facial image acquisition […] (3) Face detection […] (4) Feature extraction […] (5) Face comparison […] (6) Matching […]’ (Source: R (Bridges) v CC South Wales, Paragraphs 8-9 – Link) 10 Biometric Data E&W ‘Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allows or confirms the unique identification of that individual, such as facial images or dactyloscopic data’. (Source: Data Protection Act 2018, Part 7, 205(1) - Link) ‘The use of AFR technology involves the collection, processing and storage of a wide range of information, including (1) facial images; (2) facial features (i.e. biometric data); … AFR entails the processing of biometric data in the form of facial biometric. The term “biometrics” is described in the Home Office “Biometrics Strategy – Better Public Services Maintaining Public Trust” …as “the recognition of people based on measurement and analysis of their biological characteristic or behavioural data”’. (Source: R (Bridges) v CC South Wales, Paragraph 21 – Link) Guidance The ICO uses the same definition as Data Protection Act 2018 Part 7, section 205 (Source: Link) EU ‘Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, such as facial images or dactyloscopic data’ (Source: EU AI Act, Article 3(33) - Link) [Dactyloscopic is fingerprint analysis.] See also other types of ‘data’ under the EU AI Act in Data 9 Burges Salmon Artificial Intelligence (AI) Law, Regulation and Policy Glossary Return to contents Term Definition 11 Black box Also see Transparency Guidance ‘Black box – A system, device or object that can be viewed in terms of its inputs and outputs, without any knowledge of its internal workings’. (Source: ICO, Guidance on AI and data protection, Glossary - Link) ‘Some of the most powerful machine learning models, by their very nature, lack a defined structure. They are described as ‘black boxes’ because we can observe the inputs (the data) and see the output (the prediction or decision) but may not be able to explain completely the mechanism that connects one to the other’ (Source: FCA, Explaining why the computer says ‘no’ - Link) MHRA have a ‘Project Glass Box’ to address the problem: ‘Current medical device requirements do not take into account adequate consideration of human interpretability and its consequence for safety and effectiveness for AIaMD [AI as a medical device].’ (Source: MHRA Software and AI as a Medical Device Change Programme – Roadmap – Link) 12 Component EU ‘Component’ means any item, whether tangible or intangible, or any related service, that is integrated into, or inter-connected with, a product by the manufacturer of that product or within that manufacturer’s control’. (Source: Proposed EU Product Liability Directive Article 4(3) - Link) 13 (Data) Controller E&W ‘(1) the competent authority which, alone or jointly with others: a) determines the purposes and means of the processing of personal data, or b) is the controller by virtue of subsection (2) (2) Where personal data is processed only— (a) for purposes for which it is required by an enactment to be processed, and (b) by means by which it is required by an enactment to be processed, the competent authority on which the obligation to process the data is imposed by the enactment (or, if different, one of the enactments) is the controller’ (Source: Data Protection Act section 32 – Link) Guidance ‘Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.’ (Source: ICO, Guide to the General Data Protection Regulation, Controllers and processors/ What are ‘controllers’ and ‘processors’ - Link) EU ‘controller’ means ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law’ (Source: EU GDPR Regulation (EU) 2016/679 Article 4(7) - Link) 10 Burges Salmon Artificial Intelligence (AI) Law, Regulation and Policy Glossary Return to contents Term Definition 14 Damage (or harm) E&W In the context of autonomous vehicles, specifically liability of insurers, damage means ‘death or personal injury, and any damage to property other than— (a) the automated vehicle, (b) goods carried for hire or reward in or on that vehicle or in or on any trailer (whether or not coupled) drawn by it, or (c) property in the custody, or under the control, of (i)the insured person (where subsection (1) applies), or (ii)the person in charge of the automated vehicle at the time of the accident’ (Source: Automated and Electric Vehicles Act 2018 section 2(3) – Link) EU Damage means ‘material losses resulting from: (a) death or personal injury, including medically recognised harm to psychological health; (b) harm to, or destruction of, any property except: (i) the defective product itself; (ii) a product damaged by a defective component of that product; (iii) property used exclusively for professional purposes; (c) loss or corruption of data that is not used exclusively for professional purposes.’ (Source: EU Product Liability Directive, Article 4(6) - Link) EU [Note: EU AI Act seeks to protect EU citizens’ fundamental rights. Also, article 62 concerns reporting of serious incidents and of malfunctioning. ‘Serious incidents’ includes any incident that directly or indirectly leads, might have led or might lead to any of the following: (a) the death of a person or serious damage to a person’s health, to property or the environment, (b) a serious and irreversible disruption of the management and operation of critical infrastructure. (c) breach of obligations under Union law intended to protect fundamental rights; (d) serious damage to property or the environment.] Canada harm means (a) physical or psychological harm to an individual; (b) damage to an individual’s property; or (c) economic loss to an individual. (Source: Canada’s proposed C-27 bill ‘to enact the Artificial Intelligence and Data Act’ – Link) 11 Burges Salmon Artificial Intelligence (AI) Law, Regulation and Policy Glossary Return to contents Term Definition 15 Data, including Training data, Validation data, Testing data and Input data E&W Information which is recorded electronically or manually; not verbal communications (unless recorded). (Note: regarding the Data Protection Act 1998 section 1 since repealed by the Data Protection Act 2018. Source: Scott v LGBT Foundation Ltd [2020] EWHC 483 (QB), paragraph 61 - Link; citing Durant v Financial Services Authority [2003] EWCA Civ 1746 - Link) EU ‘‘Data’ means data as defined in Article 2, point (1), of Regulation (EU) 2022/868 of the European Parliament and of the Council [i.e.] ‘data’ means any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording; (Source: EU EU Proposed Product Liability Directive, Article 4(7) - Link, and EU Regulation (EU) 2022/868 Article 2(1) - Link) EU AI Act also includes: (29) ‘training data’ means ‘data used for training an AI system through fitting its learnable parameters, including the weights of a neural network’ (30) ‘validation data’ means ‘data used for providing an evaluation of the trained AI system and for tuning its non-learnable parameters and its learning process, among other things, in order to prevent overfitting; whereas the validation dataset can be a separate dataset or part of the training dataset, either as a fixed or variable split; (31) ‘testing data’ means ‘data used for providing an independent evaluation of the trained and validated AI system in order to confirm the expected performance of that system before its placing on the market or putting into service’ (see Placing on the Market and Putting into Service) (32) ‘input data’ means ‘data provided to or directly acquired by an AI system on the basis of which the system produces an output’ (Source: EU AI Act, Article 3(33) - Link) 16 Data Subject E&W Data subject means ‘the identified or identifiable living individual to whom personal data relates’. (Source: Data Protection Act 2018, section 3(5) - Link) Guidance ‘Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Source: ICO, Guide to the General Data Protection Regulation (GDPR) What is Personal data? - Link) EU ‘‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’ (Source: EU GDPR Regulation (EU) 2016/679 Article 4(7) - Link) 12 Burges Salmon Artificial Intelligence (AI) Law, Regulation and Policy Glossary Return to contents Term Definition 17 Defectiveness EU ‘A product shall be considered defective when it does not provide the safety which the public at large is entitled to expect, taking all circumstances into account, including the following: (a) the presentation of the product, including the instructions for installation, use and maintenance; (b) the reasonably foreseeable use and misuse of the product; (c) the effect on the product of any ability to continue to learn after deployment; (d) the effect on the product of other products that can reasonably be expected to be used together with the product; (e) the moment in time when the product was placed on the market or put into service or, where the manufacturer retains control over the product after that moment, the moment in time when the product left the control of the manufacturer; (f) product safety requirements, including safety-relevant cybersecurity requirements; (g) any intervention by a regulatory authority or by an economic operator referred to in Article 7 relating to product safety; (h) the specific expectations of the end-users for whom the product is intended. 2. A product shall not be considered defective for the sole reason that a better product, including updates or upgrades to a product, is already or subsequently placed on the market or put into service’ (Source: EU EU Proposed Product Liability Directive, Article 6 - Link) 18 Deterministic algorithm Singapore Deterministic algorithms ‘do and only do what they have been programmed to do. They have no mind of their own. They operate when called upon to do so in the pre-ordained manner. They do not know why they are doing something or what the external events are that cause them to operate in the way that they do. They are, in effect, mere machines carrying out actions which in another age would have been carried out by a suitably trained human. They are no different to a robot assembling a car rather than a worker on the factory floor or a kitchen blender relieving a cook of the manual act of mixing ingredients. All of these are machines operating as they have been programmed to operate once activated.’. (Source: B2C2 Ltd v Quoine Pte Ltd [2019] SGHC(I) 03, Paragraphs 208 and 209 - Link) ‘…the Trading Contracts had been entered into pursuant to deterministic algorithmic programs that had acted exactly as they had been programmed to act…’ (Source: Quoine Pte Ltd v B2C2 Ltd [2020] SGCA(I) 02, paragraph 114 - Link) 13 Burges Salmon Artificial Intelligence (AI) Law, Regulation and Policy Glossary Return to contents Term Definition 19 Distributor EU ‘Distributor’ means any natural or legal person in the supply chain, other than the manufacturer or the importer, who makes a product available on the market’. (Source: EU EU Proposed Product Liability Directive, Article 4(15) - Link) ‘Distributor means any natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union market’ (Source: EU AI Act, Article 3(7) - Link) ‘distributor’ means any natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a device available on the market, up until the point of putting into service’ (Source: Medical Device Directive Regulation (EU) 2017/745 Article 2(34) - Link) 20 Expert System Guidance ‘There are several ways to build AI systems. Each involves the creation of an algorithm that uses data to model some aspect of the world, and then applies this model to new data in order to make predictions about it. Historically, the creation of these models required incorporating considerable amounts of hand-coded expert input. These “expert systems” applied large numbers of rules, which were taken from domain specialists, to draw inferences from that knowledge base’. (Source: ICO, Guide to Data Protection, Explaining Decisions made with Artificial Intelligence Definitions - Link) 21 Importer EU ‘Importer means any natural or legal person established within the Union who places a product from a third country on the Union market’. (Source: EU Proposed Product Liability Directive, Article 4(13) - Link) ‘Importer means any natural or legal person physically present or established in the Union that places on the market an AI system that bears the name or trademark of a natural or legal person established outside the Union’ (Source: EU AI Act, Article 3(6) - Link) 22 Inaccurate Personal Data E&W ‘Inaccurate, in relation to personal data, means incorrect or misleading as to any matter of fact’. (Source: Data Protection Act 2018, Part 7, 205(1) - Link) Guidance ‘If information seeming relating to a particular individual is inaccurate (i.e. it is factually incorrect or it is information about a different individual), the information is still personal data, as it relates to that individual’. (Source: ICO, Guide to the General Data Protection Regulation (GDPR), What is personal data? What is the meaning of relates to? - Link) 14 Burges Salmon Artificial Intelligence (AI) Law, Regulation and Policy Glossary Return to contents Term Definition 23 Interoperability Guidance ‘Interoperability allows different systems to share information and resources. An ‘interoperable format’ is a type of format that allows data to be exchanged between different systems and be understandable to both. At the same time, you are not expected to maintain systems that are technically compatible with those of other organisations. Data portability is intended to produce interoperable systems, not compatible ones.’ (Source: ICO Guide to the General Data Protection Regulations Individual Rights, Right to Data Portability – Link) EU ‘the ability of two or more devices, including software, from the same manufacturer or from different manufacturers, to: (a)exchange information and use the information that has been exchanged for the correct execution of a specified function without changing the content of the data, and/or (b)communicate with each other, and/or (c)work together as intended.’ (Source: Medical Device Directive Regulation (EU) 2017/745 Article 2(26) - Link) 24 (Data) Joint Controller E&W ‘Where two or more competent authorities jointly determine the purposes and means of processing personal data, they are joint controllers for the purposes of this Part.’ (Source: Data Protection Act 2018 section 58 but also see section 104 regarding intelligence services - Link) EU ‘Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.’ (Source: EU GDPR Regulation (EU) 2016/679 Article 26 - Link) 25 Machine Learning (ML) Guidance ‘One prominent area of AI is “machine learning” (ML), which is the use of computational techniques to create (often complex) statistical models using (typically) large quantities of data. Those models can be used to make classifications or predictions about new data points’. (Source: ICO, Guide to Data Protection, Guidance on AI and data protection - Link) ‘ML is a methodology whereby computer programmes built a model to fit a set of data that can be utilised to make predictions, recommendations, or decisions without being explicitly programmed to do so, instead learning from sample data or experience’. (Source: Joint Bank of England and FCA report, ‘Machine Learning in UK financial Services - Link) EU ‘Machine learning approaches focus on the development of systems capable of learning and inferring from data to solve an application problem without being explicitly programmed with a set of step-by-step instructions from input to output. Learning refers to the computational process of optimizing from data the parameters of the model, which is a mathematical construct generating an output based on input data’ (Source: EU AI Act, Section Introductory remarks 6(a) - Link) 15 Burges Salmon Artificial Intelligence (AI) Law, Regulation and Policy Glossary Return to contents Term Definition 26 Making available on the market See Placing on the Market EU ‘Making available on the market’ means any supply of a product for distribution, consumption or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge. (Source: EU EU Proposed Product Liability Directive, Article 4(9) - Link) ‘Making available on the market means any supply of AI system for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge’ (Source: EU AI Act, Article 3(10) - Link) ‘making available on the market’ means ‘any supply of a device, other than an investigational device, for distribution, consumption or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge’ (Source: Medical Device Directive Regulation (EU) 2017/745 Article 2(27) - Link) 27 Manufacturer Also see Manufacturer’s control EU ‘Manufacturer means any natural or legal person who develops, manufactures or produces a product or has a product designed or manufactured, or who markets that product under its name or trademark or who develops, manufactures or produces a product for its own use’. (Source: EU Proposed Product Liability Directive, Article 4(11) - Link) EU AI Act defines ‘product manufacturer’ as having the meaning given in any of the legislation listed in Annex II [note: including directives concerning: medical devices: in vitro diagnostic medical devices; machinery, safety of toys, equipment and protective systems, personal protective equipment] 28 Manufacturer’s control Also see Manufacturer EU ‘‘Manufacturer’s control’ means that the manufacturer of a product authorises a) the integration, inter-connection or supply by a third party of a component including software updates or upgrades, or b) the modification of the product’ (Source: EU EU Proposed Product Liability Directive Article 4(5) - Link) 16 Burges Salmon Artificial Intelligence (AI) Law, Regulation and Policy Glossary Return to contents Term Definition 29 Matching Also see Automated Facial Recognition (AFR) E&W ‘When facial features from two images are compared, the AFR software generates a “similarity score”. This is a numerical value indicating the likelihood that the faces match, with a higher number indicating a greater likelihood of a positive match between the two faces. A threshold value is fixed to determine when the software will indicate that a match has occurred. Fixing this value too low or too high can, respectively, create risks of a high “false alarm rate” (i.e. the percentage of incorrect matches identified by the software) or a high “false reject rate” (i.e. the percentage of true matches that are not in fact matched by the software). The threshold value is generally suggested by the manufacturer, and depends on the intended use of the AFR system. Most AFR systems, however, allow the end user to change the threshold value to whatever they choose.’ (Source: R (Bridges) v CC South Wales, Paragraph 9 – Link) 30 Metadata E&W In disclosure context, ‘means data about data. In the case of an electronic document, metadata is typically embedded information about the document which is not readily accessible once the native electronic document has been converted into an electronic image or paper document. It may include for example the date and time of creation or modification of a word-processing file, or the author and the date and time of sending an e-mail. Metadata may be created automatically by a computer system or manually by a user’. (Source: Practice Direction 57AD, Disclosure in the Business and Property Courts, Appendix 1 paragraph 1.11 – Link) 31 Model Guidance ‘A model is defined as a quantitative method that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into output (Source: Bank of England, PRA, Appendices to CP6/22 – Model risk management principles for banks’ - Link) ‘Whereas traditional financial models are usually rules-based with explicit fixed parameterisation, AI models are able to learn the rules and alter model parameterisation iteratively. The use of AI models also represents a step change for three other reasons: firstly, the speed and frequency at which the models update; secondly, the scale in terms of the volume of data needed to train the models and the number of features that are used as inputs; and thirdly, the complexity of certain techniques, such as convolutional neural networks, which can make them more opaque (the so-called ‘black-box problem’) (Source: PRA, DP5/22 – Artificial Intelligence and Machine Learning - Link) 32 Open Source / OpenSource EU This is software, ‘including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable’. (Source: EU Proposed Product Liability Directive, Introduction Paragraph 13 – Link) [Note: Open source software is referred to but not defined in the EU AI Act] 33 Performance EU ‘performance’ means ‘the ability of a device to achieve its intended purpose as stated by the manufacturer’ (Source: Medical Device Directive Regulation (EU) 2017/745 Article 2(22d) - Link) 17 Burges Salmon Artificial Intelligence (AI) Law, Regulation and Policy Glossary Return to contents Term Definition 34 Personal data E&W ‘Personal data” means ‘any information relating to an identified or identifiable living individual’ (Source: Data Protection Act 2018 section 3(2) – Link) Guidance ‘Personal data is information that relates to an identified or identifiable individual. What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors’. (Source: ICO, Guide to the General Data Protection Regulation (GDPR), What is personal data? - Link) ‘If you hold information about individuals either on computer or in certain types of filing system you may be holding ‘personal data’. Broadly speaking the DPA covers four types of information (referred to as ‘data’ in the Act): (i) information processed, or intended to be processed, wholly or partly by automatic means (that is, information in electronic form usually on computer); (ii) information processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’ (that is usually paper records in a filing system); (iii) information that forms part of an ‘accessible record’ (that is, certain health records, educational records and certain local authority housing or social services records, regardless of whether the information is processed automatically or is held in a relevant filing system); and (iv) information held by a public authority (referred to as ‘category ‘e’ data’ as it falls within paragraph (e) of section 1(1) of the DPA)’. (Source: ICO, What is personal data? – A quick reference Guide – Link) EU ‘Personal data means data as defined in point (1) of Article 4 of Regulation (EU) 2016/679) … [i.e.] ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’ (Source: EU AI Act, Article 3(47) - Link; and see EU GDPR Regulation (EU) 2016/679 Article 4(1) - Link) 35 Placing on the Market Also see Making Available on the market EU ‘Placing on the market’ means the first making available of a product on the Union market. (Source: EU Proposed Product Liability Directive, Article 4(8) - Link) ‘Placing on the market means the first making available of an AI system on the Union market (Source: EU AI Act, Article 3(9) - Link) 18 Burges Salmon Artificial Intelligence (AI) Law, Regulation and Policy Glossary Return to contents Term Definition 36 Privacy Enhancing Technologies (PETs) Guidance ‘PETs are technologies that embody fundamental data protection principles by minimising personal data use, maximising data security, and/or empowering individuals’. (Source: ICO, Draft anonymisation, pseudonymisation and privacy enhancing technologies guidance – Link) EU [Note: EU AI Act also refers to but does not define ‘privacy-preserving techniques’ and ‘privacy-preserving measures’ such as pseudonymisation, anonymisation, and encryption] 37 (Data) Processing E&W ‘Processing, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as (a) collection, recording, organisation, structuring or storage, (b) adaptation or alteration, (c) retrieval, consultation or use, (d) disclosure by transmission, dissemination or otherwise making available, (e) alignment or combination, or (f) restriction, erasure or destruction’ (Source: Data Protection Act 2018, Part 1, 3(4) - Link) Guidance ‘Processing in relation to personal data, means any operation or set of operations which is performed on personal data or on sets of personal data (whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction’. (Source: ICO, For organisations, Data Protection fee, Legal definitions fees - Link) EU ‘processing’ means ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’ (Source: EU GDPR Regulation (EU) 2016/679 Article 4(2) - Link) 38 (Data) Processor E&W ‘Processor means any person who processes personal data on behalf of the controller (other than a person who is an employee of the controller’. (Source: The definition depends upon which part of the Act is being considered. The above example is Data Protection Act section 32, but also see sections 5, 6 and 82- Link) Guidance ‘A person, public authority, agency or other body which processes personal data on behalf of the controller’ (Source: ICO, For organisations, Data Protection fee, Legal definitions fees - Link) EU ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; (Source: EU GDPR Regulation (EU) 2016/679 Article 4(7) - Link) 19 Burges Salmon Artificial Intelligence (AI) Law, Regulation and Policy Glossary Return to contents Term Definition 39 Product EU ‘Product’ means all movables, even if integrated into another movable or into an immovable. ‘Product’ includes electricity, digital manufacturing files and software. (Source: EU Proposed Product Liability Directive, Article 4(1) - Link) 40 Profiling E&W ‘Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economics situation, health, personal preferences, interests, reliability, behaviour, location or movements’. (Source: Data Protection Act 2018, section 33(4) - Link) Guidance ‘Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements’, Article 4(4) GDPR. (Source: ICO, Guide to the General Data Protection Regulation (GDPR), Automated decision-making and profiling - Link) EU ‘profiling’ means ‘any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements’ EU GDPR Regulation (EU) 2016/679 Article 4(4) - Link) 41 Putting into service EU ‘Putting into service’ means ‘the first use of a product in the Union in the course of a commercial activity, whether in return for payment or free of charge, in circumstances in which the product has not been placed on the market prior to its first use’ (Source: EU EU Proposed Product Liability Directive, Article 4(10) - Link). ‘Putting into service’ means ‘the supply of an AI system for first use directly to the user or for own use in the Union for its intended purpose’ (Source: EU AI Act, Article 3(11) - Link) 20 Burges Salmon Artificial Intelligence (AI) Law, Regulation and Policy Glossary Return to contents Term Definition 42 Real-time E&W ‘Facial image acquisition. A CCTV camera takes digital pictures of facial images in real time. This case is concerned with the situation where a moving image is captured when a person passes into the camera’s field of view, using a live feed.’ (Source: R (Bridges) v CC South Wales, Paragraphs 9(2) – Link) EU ‘“real-time” remote biometric identification system’ means a remote biometric identification system whereby the capturing of biometric data, the comparison and the identification all occur instantaneously or near instantaneously’ (Source EU AI Act Article 3(37) - Link) 43 Risk EU ‘risk’ means ‘the combination of the probability of occurrence of harm and the severity of that harm (Source: Medical Device Directive Regulation (EU) 2017/745 Article 2(23) - Link) 44 Sensitive Processing E&W Sensitive processing means the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, the processing of genetic data, biometric data, data concerning health, data concerning an individual’s sex life or sexual orientation, processing of personal data as to alleged commission of an offence or an offence committed by an individual. (Source: Data Protection Act 2018, section 86(7) - Link) Guidance The ICO uses the same definition as of that of the DPA section 86(7). (Source: ICO, Guide to Data Protection, Intelligence services processing, Scope and key definitions - Link) EU [Note: separate from commercially/competitively sensitive information, which the EU Data Governance Act says ‘typically includes information on customer data, future prices, production costs, quantities, turnovers, sales or capacities.’ Recital (37) – Link] 45 Special Category Data E&W The following categories of data which require specific conditions to be met, including explicit consent, for processing: Racial or ethnic origin; Political opinions; Religious and philosophical beliefs; Trade union membership; Genetic data; Biometric data for the purpose of uniquely identifying a natural person; Data concerning health; Sex life and sexual orientation. (Source: Data Protection Act 2018 section10(1) – Link) EU Subject to exceptions, ‘Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.’ (Source: EU GDPR Regulation (EU) 2016/679 Article 9 - Link) 21 Burges Salmon Artificial Intelligence (AI) Law, Regulation and Policy Glossary Return to contents Term Definition 46 Supervised Learning Guidance ‘Supervised learning models are trained on a dataset which contains labelled data. ‘Learning’ occurs in these models when numerous examples are used to train an algorithm to map input variables (often called features) onto desired outputs (also called target variables or labels). On the basis of these examples, the ML model is able to identify patterns that link inputs to outputs. ML models are then able to reproduce these patterns by employing the rules honed during training to transform new inputs received into classifications or predictions’. (Source: ICO, Guide to Data Protection, Explaining Decisions made with Artificial Intelligence – Link) 47 Synthetic Data Guidance ‘Synthetic data is ‘artificial’ data generated by data synthesis algorithms, which replicate patterns and the statistical properties of real data (which may be personal data). It is generated from real data using a model trained to reproduce the characteristics and structure of that data. This means that when you analyse the synthetic data, the analysis should produce very similar results to analysis carried out on the original real data’. (Source: ICO, Draft anonymisation, pseudonymisation and privacy enhancing technologies Guidance – Link) EU [Note: EU AI Act refers to synthetic data in the context of processing certain types of data for AI regulatory sandboxes but does not define synthetic data] 48 Transparency Guidance ‘Transparency is fundamentally linked to fairness. Transparent processing is about being clear, open and honest with people from the start about who you are, and how and why you use their personal data’. (Source: ICO Guidance, Guide to the General Data Protection Regulation, Principle (a): Lawfulness, fairness and transparency – Link) EU See article 13 for transparency obligations, including requirements that High-Risk AI Systems are accompanied by instructions for use in appropriate detail including: (a) identify and contact details of the provider; (b) characteristics, capabilities and limitations of the system’s performance including its intended purpose, its level of accuracy, any known or foreseeable circumstance which may lead to risks to health and safety or fundamental rights; (when appropriate) its behaviour regarding specific persons or groups on which the system is intended to be used, (when appropriate) specifications for input data or other information regarding training, validating and testing data, and (when appropriate) description of the expected output of the system (c) changes to the system and its performance which have been per-determined by the provider (d) the human oversight measures and technical measures put in place to facilitation interpretation of the system outputs by the users (e) computational and hardware resources needed, expected lifetime of the system and maintenance requirements; (f) description of the system’s mechanism to collect, store and interpret logs. (Source: EU AI Act, Article 13 - Link) [Note: EU AI Act defines high-risk AI systems. Canada proposes to do the same through future regulations (see Canada’s proposed C-27 bill ‘to enact the Artificial Intelligence and Data Act’ – Link) 22 Burges Salmon Artificial Intelligence (AI) Law, Regulation and Policy Glossary Return to contents Term Definition 49 Unsupervised Learning Guidance ‘Unsupervised learning models are trained on a dataset without explicit instructions or labelled data. These models identify patterns and structures by measuring the densities of data points in the data set’ (Source: ICO, Guide to Data Protection, Explaining Decisions made with Artificial Intelligence – Link) 50 (AI System) User EU ‘user’ means ‘any natural or legal person, including a public authority, agency or other body, under whose authority the system is used’ (Source: EU AI Act, Article 3(4) - Link) ‘user’ means ‘any natural or legal person, including a public authority, agency or other body, under whose authority the system is used’ (Source: Medical Device Directive Regulation (EU) 2017/745 Article 2(37) - Link)
