Regulating AI in a fragmented world: Asia, Europe, the United States, with Florence G’Sell

You have just returned from a trip to Asia. What are your takeaways from the Asian approach to AI regulation?

What struck me was an approach that is far more pragmatic than ours. The Asian countries I was able to visit rely less on ambitious legislation like the European AI Act, but they are much more concerned about risks than the Americans are. In Silicon Valley, what I hear is: “We invest, we invest, we invest, it is a race.” In Asia, I found a truly practical reflection on risks.

However, China must be distinguished from other Asian countries. China has adopted legislative texts almost every year since 2020-2021 with a focus on algorithms and generative tools. But when we look closely at this arsenal, the concerns are really centered on information control: the production of content and the dissemination of information deemed incompatible with what the Chinese government wishes and what they call “socialists’ values”. They draw up lists of banned key words, monitor what users enter into their prompts… This follows the logic of a surveillance state, rather than the traditional concerns of AI Safety.

You mention China and its model – are there any aspects that specifically caught your attention?

Yes, one point strikes me as particularly noteworthy: the Chinese are the only ones who are genuinely concerned about the issue of addiction. They have a piece of legislation that refers to the need to minimize the risks of addiction, especially for children. This is something the Americans completely reject. In Europe, this is addressed within the framework of the General Data Protection Regulation (GDPR) and child protection laws, but without provisions that are as explicit.

Furthermore, beyond the mandatory provisions related to surveillance, the Chinese model is quite flexible. There are guides, non-binding guidelines, and a highly iterative process, with extensive dialogue between AI companies and the regulator.

And what about the other Asian countries?

Japan, South Korea, and Taiwan take a different approach. They start from the assumption that they will not be developing large foundation models themselves, as this will be done in the United States or China. Instead, they will take these models, in fact, often Chinese open-source models and build applications on top of them. This is what their regulators are focused on.

South Korea is the only country to have adopted a real law, the AI Basic Act, even if it remains very basic: a few provisions on the riskiest AI systems, along with transparency measures. It is far less restrictive than our own regulations. Taiwan is drafting a similar law, with a minimalist approach focused on the most acute risks.

In the United States, Trump’s arrival has strongly altered the situation. What exactly is happening?

Trump does not want to hear anything about AI regulation. He has rescinded Biden’s executive order (which was already minimalist) and his main concern is preventing states from passing laws. There was an initial attempt with the “Big Beautiful Bill,” which called for a ten-year moratorium on state regulation of AI. It did not pass, but instead, an executive order has just been issued that aims to achieve the same goal.

The problem is that this executive order raises serious constitutional issues: in principle, the President cannot prevent states from exercising their legislative powers. The California authorities have already made it clear that they have no intention of being intimidated. This is likely to end up in the courts.

Why is Trump launching this offensive?

Because the big tech executives are complaining about the myriads of laws passed by various U.S. states. There are hundreds of them! Texas, Colorado, California… It is very hard to keep track of. Jensen Huang, the CEO of Nvidia, even made a provocative statement in the Financial Times, saying, “The Chinese are going to win the AI race because in the United States, we now have 51 different regulations.”

Is this American fragmentation not an argument in favor of the European approach?

Absolutely! When I am in Silicon Valley, that is my go-to argument. I tell them, “Look, here in Europe, we did not want to end up with 27 different laws on AI. The European authorities took the initiative precisely to avoid a situation where France would legislate on its own side, Italy on its own, and Germany on its own.” It is not that Europe is trying to regulate the whole world; it is that it wanted to avoid this fragmentation.

Yet the European AI Act seems to be under strain today…

That is what worries me. The Draghi Report specifically singled out the AI Act and the heavy burden of European bureaucracy. This report has repercussions for the AI Act, its scope and its applicability. Furthermore, with Trump doing everything in his power to dismantle European regulations, the “Brussels effect” is not going to materialize for the AI Act, unlike what happened with the GDPR.

There are many controversies surrounding the risks associated with AI. Where do you stand on this issue?

It’s an extremely controversial topic. When I published my report on the regulation of generative artificial intelligence, the chapter on risks was the hardest to write.

First, there is the debate between the “doomers” and the “accelerationists.” The accelerationists favor total deregulation in order to give companies a free rein. The doomers, for their part, focus on the risk that AI could turn against humans and destroy humanity. Personally, I think we go pretty far into the realm of futurism.

Then there are the so-called “catastrophic” risks, for example, if AI were to gain control over the military domain, essential energy resources and all of this were to fall into the wrong hands or if AI were to become truly autonomous…

The most recent tests involving the creation of a biological weapon using AI are somewhat concerning in this regard. In the past, it took highly specialized researchers to achieve this. Now, AI makes it accessible to people without advanced skills.

Aren’t safeguards enough?

That is the whole problem: every time we put a safeguard in place, people manage to develop techniques to get around it. The most striking example is the creation of child pornographic images. Developers of image-generation tools tell me they are overwhelmed by users who will stop at nothing to create such content. They put safeguards in place, they block certain prompts, but users always find workarounds. We are seeing a growing improvement of these “prompt injection” techniques, which involve finding a series of instructions to bypass restrictions. The ingenuity of malicious users knows no bounds and that applies to just about everything.

You advocate for a different approach to liability

Yes. My guiding principle, especially in the American environment where ex ante regulation is not on the agenda, is to say: “Very well, you do not want European-style prior obligations with compliance checks? But be aware that at some point, your liability will be called into question”.

There are currently some very significant lawsuits. Seven complaints were filed at once against OpenAI in California concerning young people who took their own lives after interacting with ChatGPT. These are horrific stories, in which the chatbot explicitly encouraged users to act on their impulses.

How can these situations be addressed from a legal standpoint?

It is very difficult to look at the outputs of an AI tool and say whether it is “defective” in the legal sense of the term, since it interacts with the user and its responses depend on the prompts. I think we need to look upstream: how was the model developed, brought to market, tested and verified?

For example, we are seeing updates being released that are sloppy. There was, for instance, a ChatGPT update that made it completely “sycophantic”, that is, excessive in the way it flattered the user. The result was that the system, always wanting to go along with the user, encouraged people to stop their medical treatments. You cannot have updates released like that, with no oversight whatsoever.

That is why I strongly advocate for independent audits prior to market release. This cannot be left to the people who develop these systems.

Can Europe become a third way in the development of AI?

I’m more of a regulatory than an industrial policy expert, but my impression is that we have fewer advantages. We lack the most fundamental resources, such as advanced semiconductors and the cloud. We have fallen behind and it takes time to catch up.

Mistral, for example, is a great success story. What we need above all is more alliances and projects on a European scale. Despite the European Union being founded on the idea of a single market, we remain in a fragmented market with highly nationalized activities and a cumbersome European bureaucracy that undermines our attractiveness. If companies truly manage to operate on a European scale, they will become strong.

What worries you the most?

What scares me the most is the idea of millions of people connected to an AI, pouring out their lives to a machine. For example, OpenAI says it keeps the data for 30 days and then deletes it, but with exceptions that are not specified. Who is going to verify that?

You are currently working on issues related to insurance and AI. Why this topic?

Because I think that is the crux of the matter. The United States and Europe may disagree on the obligations to be imposed on developers, but ultimately, it is in the areas of liability and insurance that things will play out.

If an insurer tells a company, “I will not cover your model unless it is been tested by an independent audit,” the company will have no choice, whether it is required by law or not.

The major AI developers have such enormous financial cloud that they do not need conventional insurance. But smaller developers, SMEs building applications on top of large models, need to protect themselves. And with agent-based AI on the horizon, serious companies implementing autonomous agents cannot afford to do so without solid guaranties.

One question that fascinates me is the insurability of AI-specific risks. Take hallucinations: some insurers say it is entirely uninsurable that the data does not allow for reliable predictions of a model’s future behavior. Others, bolder, want to explore this avenue. I am at the early stages of this research, but I am convinced it will prove fruitful.