Dechert Cyber Bits - Issue 32

Dechert LLP

Articles in this issue

Proposed EU-US Data Transfer Agreement Continues to Face Obstacles in Parliament

FTC Commissioners Say They’re Prepared to Act in AI Cases

ICO Responds to UK AI White Paper

US Feds Seek Help with Developing AI Safety Regulations

Washington Legislature Passes the “My Health My Data Act”

The Patchwork Grows: Indiana Poised to Adopt a Comprehensive Privacy Law

In addition to the AI related articles in this issue, check out our recent OnPoint titled "Artificial Intelligence: Legal and Regulatory Issues for Financial Institutions."

Proposed EU-US Data Transfer Agreement Continues to Face Obstacles in Parliament

As we reported in Issue 29 of Cyber Bits, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (the “EP Committee”) released a draft opinion advising against adopting an adequacy decision for the U.S. based on the proposed EU-U.S. Data Privacy Framework (“DPF”).

The EP Committee draft opinion has now been formally adopted by a resolution on April 13, 2023. Members of the European Parliament (“MEPs”) on the EP Committee urged the European Commission to make sure that the future framework can withstand legal challenges and provide legal certainty. On that basis, and for the reasons discussed in Issue 29, MEPs argued that the Commission should not grant adequacy to the DPF as it stands, but continue to work to address the identified issues even if that means re-opening negotiations with the U.S.

In a statement post-vote, rapporteur Juan Fernando López Aguilar said that while the new framework is certainly an improvement, “we are not convinced that this new framework sufficiently protects personal data of our citizens, and therefore we doubt it will survive the test of the CJEU.”

The resolution was adopted with 37 votes in favour, 0 against, and 21 abstaining.

Takeaway: Even with 21 abstentions, the complete absence of any votes against highlights the MEPs' concerns over the DPF. As previously noted, the EP Committee resolution is non-binding on the Commission, although it will be considered as part of the Commission’s deliberations over whether to adopt an adequacy decision in favour of the DPF. This further step by the EP Committee continues to make it challenging for the Commission to adopt such an adequacy decision with the DPF in its current form.

 

FTC Commissioners Say They’re Prepared to Act in AI Cases

In a Congressional hearing on April 18, 2023, Federal Trade Commission (“FTC”) Chair Lina Khan and Commissioners Rebecca Slaughter and Alvaro Bedoya said that the agency will pursue companies that misuse artificial intelligence (“AI”) to violate laws against discrimination or to engage in deceptive practices. The announcement comes amid growing concern and calls for regulation due to the proliferation of potentially dangerous AI systems, particularly the sudden popularity of ChatGPT in 2023. The FTC has issued warnings in recent months indicating that it is monitoring chatbots and celebrity deepfakes being used to mislead consumers.

Commissioner Bedoya also spoke at the International Association of Privacy Professionals Global Privacy Summit 2023 earlier this month, indicating that unfair and deceptive trade practices laws apply to AI and, as a result, the FTC’s authority extends to companies making, selling or using AI. Commissioner Bedoya also warned AI developers to be wary of overselling the capabilities of AI, noting that the law against deceptive practices turns on whether “regular people” (Commissioner Bedoya’s words) would be deceived, and that it is not a defense, for FTC enforcement purposes, for a company to claim their AI system developed unanticipated knowledge or skills that may have caused the alleged deception.

Takeaway: Given the recent announcements, we expect the FTC to begin targeting companies that rely heavily on AI. Companies that offer AI-driven products, services and apps will need to consider their ability to explain their product, support any claims made regarding its capabilities and demonstrate their compliance with privacy and consumer protection laws more generally.

 

ICO Responds to UK AI White Paper

On March 29, 2023, the UK Government launched an AI White Paper detailing the Government’s plans for implementing a “pro-innovation approach to AI regulation” (the “White Paper”). The White Paper is open for consultation until June 21, 2023. The UK data protection regulator, the Information Commissioner’s Office (“ICO”), published its response to the White Paper on April 11, 2023.

In a prior AI regulation policy paper, the Government had proposed non-statutory principles and implementation by existing regulators, but with a small coordination layer. Following initial feedback, the White Paper identifies a number of central support functions to be provided from within government to provide a greater level of monitoring and coordination. In its response, the ICO welcomed the Government’s proposals to convene regulators to deliver activities such as joint regulatory guidance or a sandbox. The latter would enable AI firms to collaborate with regulators and have a secure environment to explore novel technologies and introduce innovative products and services with less risk of penalties or legal responsibility. In exchange, regulatory bodies such as Ofcom, the ICO, and the Competition and Markets Authority would supervise AI companies and ascertain the best approach to regulate technology, products, and services across different regulatory domains. Going forward, the ICO seeks clarification on the roles of government and regulators in issuing guidance and advice. It also recommends that the Government prioritise research into the type of guidance and sandbox that AI developers would value.

The ICO also stresses that regulators need to interpret the White Paper AI principles in a way that is compatible with data protection principles set out in data protection law, and offers some suggested changes to the White Paper AI principles to assist with this.

Takeaway: The ICO’s prompt response to the White Paper demonstrates its continued focus on this area. The ICO recently has updated its own AI and data protection guidance. While it appears that the UK Government remains initially committed to a non-statutory footing (in contrast to the EU and the proposed AI Act), businesses should keep an eye on the principles and framework developed from the White Paper and associated guidance from their relevant regulators, including the ICO.

US Feds Seek Help with Developing AI Safety Regulations

On April 11, 2023, the National Telecommunications and Information Administration (“NTIA”), the President’s principal adviser on telecommunications and information policy issues, requested public comment and input on policies relating to the regulation of artificial intelligence (“AI”) systems. The request seeks input on topics including (i) what kinds of data access are necessary to conduct audits and assessments; (ii) how regulators and other actors can incentivize and support credible assurance of AI systems along with other forms of accountability; and (iii) whether different approaches are necessary in different industry sectors. The NTIA is seeking the input of stakeholders in the policy, legal, business, academic, technical and advocacy sectors. The NTIA stated that it hopes to identify, among other things, gaps and barriers to creating adequate accountability for AI systems, how supposed accountability measures might mask or minimize AI risk and ways that governmental and non-governmental actions might support and enforce AI accountability practices.

The NTIA’s request for comments comes amid growing concern and calls for regulation in response to the proliferation of AI. Comments are due June 12, 2023.

Takeaway: The Biden Administration continues to be laser-focused on risks related to AI, and we expect to see a continued push for rule-making in this space across executive agencies.

 

Washington Legislature Passes the “My Health My Data Act”

This month, the state of Washington adopted the My Health My Data Act (“MHMD”). The Act imposes far-reaching requirements pertaining to consumer health data that extend beyond the scope of the federal Health Information Portability and Accountability Act, as amended (“HIPAA”). While HIPAA only applies to health data collected by certain health care entities, MHMD broadly applies to any entity with a commercial nexus to the state of Washington that collects, processes, shares or sells consumer health data. “Consumer health data” is also defined broadly to encompass personal information linked or reasonably linkable to a Washington state resident or person whose data was gathered in Washington, that identifies the person’s past, present or future physical or mental health attributes.

Under MHMD, regulated entities would be subject to a number of requirements, including (i) posting a consumer health data privacy policy to their website; (ii) obtaining a consumer’s affirmative opt-in consent before collecting or sharing consumer health data; and (iii) establishing, implementing and maintaining data security practices to protect consumer health data. MHMD also provides consumers with expanded deletion rights beyond those provided by other state privacy laws. In addition to the right to know what health data a business collects about them, consumers would also have the right to access such data, and the right to withdraw their consent to have such data collected and shared.

Significantly, MHMD would be enforceable via a private right of action under the Washington Consumer Protection Act. As a result, regulated entities would be subject to both attorney general enforcement and civil suits brought by individuals.

The MHMD becomes effective on March 31, 2024 for most regulated entities and June 30, 2024 for small businesses.

Takeaway: The MHMD represents a significant development in the U.S. privacy and security law landscape and includes some of the most restrictive provisions in any existing state privacy law passed to date. It would also apply to many entities that would not - at first glance - appear to fall within the scope of its requirements. Further, MHMD’s requirements would entail considerable adjustments to existing programs for responding to data subject requests, given its bespoke specifications. Entities that could be subject to MHMD should consider taking steps now to implement policies and procedures to comply with the prospective new law.

 

The Patchwork Grows: Indiana Poised to Adopt a Comprehensive Privacy Law

On April 13, 2023, the Indiana legislature passed SB 5, a comprehensive privacy law. Assuming the bill is signed into law, Indiana’s requirements would largely track the Virginia Consumer Data Protection Act.

The law would apply to companies that control or process personal data of at least 100,000 Indiana consumers in a calendar year, or derive more than 50% of gross revenue from selling the data of at least 25,000 Indiana consumers in a calendar year. The scope is limited to consumers and does not extend to personal data collected and processed in the employment, commercial or B2B contexts. The law would grant Indiana consumers familiar data protection rights, including (i) the right to know whether a business is processing personal data; (ii) the right to access personal data; (iii) the right to correct inaccurate personal data; (iv) the right to delete personal data; and (v) the right to opt out of processing personal data for targeted advertising, sale of a consumer’s data or profiling. The law would also require data protection impact assessments in certain circumstances.

Once signed into law, the effective date would be January 1, 2026. The Indiana Attorney General would have exclusive authority to enforce the law and would be authorized to seek injunctions and civil penalties of up to $7,500 per violation. The law would include a 30-day cure provision.

Takeaway: This is yet another in the growing number of states that have stepped in to fill the void from the lack of any comprehensive federal privacy law by passing their own state-wide mandate. Companies subject to the Indiana law will largely be able to rely on existing U.S. state law compliance programs, provided that the rights are made available to Indiana consumers. That said, the U.S. is becoming increasingly difficult for companies to navigate as they try to comply with a patchwork of laws throughout the U.S.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
