2024 -- S 2888

========

LC005742

========

     STATE OF RHODE ISLAND

IN GENERAL ASSEMBLY

JANUARY SESSION, A.D. 2024

____________

A N   A C T

RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS --

AUTOMATED DECISION TOOLS

     Introduced By: Senators DiPalma, Gu, Picard, Gallo, Lawson, and Bissaillon

     Date Introduced: March 22, 2024

     Referred To: Senate Judiciary

     It is enacted by the General Assembly as follows:

     SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW — GENERAL

REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter:

CHAPTER 60

AUTOMATED DECISION TOOLS.

     6-60-1. Short title.

     This chapter shall be known and may be cited as "Automated Decision Tools".

     6-60-2. Legislative purpose.

     It is the purpose of this chapter to require companies that develop or deploy high-risk

artificial intelligence (AI) systems to conduct impact assessments and adopt risk management

programs.

     6-60-3. Definitions.

     As used in this chapter, the following words and terms shall have the following meanings:

     (1) "Consequential decision" means a determination made by a deployer that has a legal or

similarly significant effect on an individual.

     (2) "Legal or similarly significant effect" means a decision that determines an individual's

eligibility for and results in the provision or denial of housing, employment, credit, education,

access to physical places of public accommodation, healthcare, or insurance.

     (3) "Consequential artificial intelligence decision system (CAIDS)" means machine-based

systems or services that utilize machine learning, artificial intelligence, or similar techniques that

provide outputs that are not predetermined, and have been specifically developed, or an AI system

specifically modified, with the intended purpose of making or determining consequential decisions.

     (4) "Developers" means any entity that designs, codes, or produces a CAIDS, or modifies

an AI system with the intended purpose of making a consequential decision, whether for internal

use or for use by third parties.

     (5) "Deployers" means any entity that uses a CAIDS to make consequential decisions.

     6-60-4. Deployer impact assessment requirement.

     (a) A deployer shall:

     (1) Implement and maintain a risk management program that establishes the policies,

processes, and personnel that will be used to identify, mitigate, and document risks arising from

the deployment of a CAIDS; and

     (2) Take into consideration, in implementing the risk management program:

     (i) The deployer's size and complexity;

     (ii) The nature and scope of the CAIDS, including its intended use;

     (iii) The sensitivity and volume of data processed in connection with the CAIDS; and

     (iv) Cost of implementation and maintenance of the risk management system.

     (b) A deployer shall perform an impact assessment prior to deploying a CAIDS and

annually thereafter. If the deployer makes material changes to the purpose for which a CAIDS is

used or the type of data it receives, a new impact assessment shall be conducted.

     (c) In performing an impact assessment, deployers shall maintain documentation for a

reasonable time period in light of the intended use regarding:

     (1) The purpose of the CAIDS and its intended use cases, deployment context, and benefits;

     (2) The extent to which the use of the CAIDS once it is deployed is consistent with or

varies from the developer's description of intended uses;

     (3) The potential for denials of housing, employment, credit, education, access to physical

places of public accommodation, healthcare, or insurance resulting from use of the CAIDS to

disproportionately impact people on the basis of protected characteristics, to the extent feasible,

and the steps taken to mitigate the risk of such harm occurring;

     (4) A description of data that will be processed as inputs by the CAIDS once deployed and

a description of the outputs produced by the CAIDS;

     (5) If applicable, an overview of the type of data the deployer used to retrain the CAIDS;

     (6) If applicable, metrics for evaluating the CAIDS's performance and known limitations;

     (7) If applicable, transparency measures, including information identifying to individuals

LC005742 - Page 2 of 5

when a CAIDS is in use; and

     (8) If applicable, post-deployment monitoring and user safeguards, including a description

of the oversight process in place to address issues as they arise.

     6-60-5. Developer obligations.

     (a) A developer shall provide the deployer with the technical capability to access or

otherwise make available to a deployer the information reasonably necessary for the deployer to

comply with its requirement to perform an impact assessment, including documentation regarding

a CAIDS's capabilities, known limitations, and guidelines for intended use. Nothing in this chapter

shall require the disclosure of trade secrets or other confidential information.

     (b)(1) A developer shall implement and maintain a risk management program that

establishes the policies, processes, training procedures, and personnel that will be used to identify,

mitigate, and document risks arising from the development of a CAIDS, including conducting a

design evaluation pursuant to subsection (c) of this section.

     (2) In implementing the risk management program, a developer shall take the following

into consideration:

     (i) Its size and complexity;

     (ii) The nature and scope of the CAIDS, including its intended end use;

     (iii) The sensitivity and volume of data used to train the CAIDS; and

     (iv) Cost of implementation and maintenance of the risk management system.

     (c)(1) A developer shall conduct a design evaluation for a CAIDS. The design evaluation

shall consider information relevant to the potential for unlawful bias in connection with the

intended end use of the CAIDS.

     (2) Developers shall, as appropriate given their role in the development of the CAIDS,

maintain documentation for a reasonable time period in light of the intended use regarding:

     (i) The purpose of the CAIDS and its intended end use cases, features, and benefits;

     (ii) The potential for denials of housing, employment, credit, education, access to physical

places of public accommodation, healthcare, or insurance resulting from use of the CAIDS to

disproportionately impact people on the basis of protected characteristics, to the extent feasible,

and the steps taken to mitigate the risk of such harm occurring;

     (iii) Known limitations of the CAIDS, including factors affecting performance;

     (iv) An overview of the type of data used to train the CAIDS and how the data was collected

and processed; and

     (v) Metrics for how the CAIDS's performance was evaluated prior to sale.

     6-60-6. Enforcement.

LC005742 - Page 3 of 5

     (a) Developers and deployers shall publicly self-certify that they are in compliance with

their obligations under this chapter. Developers and deployers may use an impact assessment or

design evaluation conducted in accordance with other laws or regulations if such assessment or

evaluation is reasonably similar in scope.

     (b) The attorney general may issue a subpoena in the course of an investigation that requires

the deployer or developer to disclose to the attorney general the contents of a relevant impact

assessment or design evaluation, subject to § 6-60-4(a).

     (c) Impact assessments and design evaluations shall be confidential and exempt from

public inspection and copying under chapter 2 of title 38 ("public records"). The disclosure of an

impact assessment or design evaluation pursuant to a request from the attorney general shall not

constitute a waiver of attorney-client privilege or work product protection with respect to the

assessment or evaluation and any information contained therein.

     SECTION 2. This act shall take effect on January 1, 2026.

========

LC005742

========

LC005742 - Page 4 of 5

EXPLANATION

BY THE LEGISLATIVE COUNCIL

OF

A N   A C T

RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS --

AUTOMATED DECISION TOOLS

***

     This act would require companies that develop or deploy high-risk AI systems to conduct

impact assessments and adopt risk management programs, would apply to both developers and

deployers of AI systems and would require obligations of these different types of companies based

on their role in the AI ecosystem.

     This act would also require deployers of high-risk AI systems to perform an impact

assessment prior to deploying an AI system and annually thereafter. If the deployer makes material

changes to the purpose for which an AI system is used or the type of data it receives, a new impact

assessment will be conducted. In performing an impact assessment, deployers of high-risk AI

systems shall maintain documentation for a reasonable time period in light of the intended use.

     This act would further require developers of high-risk AI systems to make available to a

deployer the information reasonably necessary for the deployer to comply with its requirement to

perform an impact assessment, including documentation regarding an AI system's capabilities,

known limitations, and guidelines for intended use.

     This act would also require developers and deployers to implement a risk management

program that establishes the policies, processes, and personnel that will be used to identify,

mitigate, and document risks arising from the AI system.

     Lastly, this act would require companies to self-certify that they have satisfied the impact

assessment obligations and implemented risk management programs. The attorney general could

subpoena the impact assessments in the course of an investigation.

     This act would take effect on January 1, 2026.

========

LC005742

========

LC005742 - Page 5 of 5