Articles in this issue

• FTC Proposes New Protections to Guard Against AI Impersonations of Individuals
• Russian Order Requiring Disclosure of Telegram Decryption Keys for Anti-Terrorism Violates European Convention on Human Rights
• SEC Chair, Gary Gensler, Warns Public Companies Not to Engage in “AI-Washing”
• FTC Warns AI (and Other) Companies Against Surreptitious Changes to Their Terms of Service or Privacy Policies
• First EU Cybersecurity Certification Scheme Established
• Dechert Tidbits

FTC Proposes New Protections to Guard Against AI Impersonations of Individuals

Amidst growing concerns that emerging technology—including AI-generated deepfakes—threaten to increase the prevalence of impersonation fraud, the U.S. Federal Trade Commission (the “FTC”) is seeking public comment on a supplemental notice of proposed rulemaking that would expand an existing rule that currently bans the impersonation of businesses or government officials to cover all consumers.

Depending on the public comments the FTC receives, the proposed revised rule might also make it unlawful for a firm, such as an AI platform that creates images, video, or text, to provide goods or services that they know or have reason to know are being used to harm consumers through impersonation.

The public comment period will be open for 60 days following the date the supplemental notice is published in the Federal Register, and instructions for how to comment will be included in the notice.

Takeaway: The FTC’s proposed rulemaking demonstrates the Commission’s seriousness and intent to use its existing powers to aggressively regulate AI. AI firms and companies employing AI should, therefore, consider providing comment on the proposed rulemaking to the extent that the language may impact their business. At the same time, companies should closely monitor their AI offerings, taking steps to mitigate the risk that it could be used or co-opted to impersonate businesses, government officials, or individual consumers.

Russian Order Requiring Disclosure of Telegram Decryption Keys for Anti-Terrorism Violates European Convention on Human Rights

The European Court of Human Rights (“ECHR”) has ruled that a Russian law requiring disclosure to government authorities of decryption keys for messages of an online messaging service was a breach of the right to privacy under article 8 of the European Convention of Human Rights (the “Convention”).

The Russian order (the "Order”), dated July 12, 2017, required online messaging platform Telegram to provide Russian government authorities with decryption keys and other technical information to allow it to access the communications of six users suspected of terrorism-related activities. Telegram refused to comply with the Order, which has been subject to ongoing legal challenges since 2017.

The ECHR held that it was technically impossible to execute the Order without creating a backdoor that would enable the authorities to decrypt the communications of all users. They noted that this would breach all users’ right to a private life. In addition, the ECHR found that the Order and the legislation it was based on were not sufficiently narrowly targeted at the legitimate aims pursued to justify the interference with the right to privacy for the rest of the platform’s users.

Takeaway: Russia ceased to be a party to the Convention in September 2022. However, the judgment is a warning to governments of the 46 states that are currently signatories to the Convention that decryption backdoors to end-to-end encrypted private communications are likely to breach the right to privacy under the Convention. In particular, the judgment casts further doubt over the European Commission’s proposals for legislation to allow encryption to be circumvented for mass screening of communications for the purposes of child protection.

SEC Chair, Gary Gensler, Warns Public Companies Not to Engage in “AI-Washing”

In prepared remarks before Yale Law School, Gary Gensler, the Chair of the U.S. Securities and Exchange Commission (“SEC”) warned public companies against making hyped-up claims concerning their use of AI models and the capabilities of AI technology. Gensler warned that such practices, known as “AI washing,” could potentially violate federal securities laws.

Chair Gensler emphasized that public companies have an obligation “to be truthful about [their] use of AI and associated risk.” He further warned that companies’ use of “boilerplate language” to inform and advise investors as to the uses and risks of AI would likely prove to be insufficient. Instead, as with any material disclosures, he emphasized that “investors benefit from disclosure[s] particularized to the company,” and which clearly delineate the applicable operational, legal, and competitive risks. For instance, Chair Gensler noted that disclosure considerations may require companies to define what they mean when referring to AI (e.g., whether the AI was developed by the company itself or was supplied by others) and how and where such technology is being used within the company.

Takeaway: Chair Gensler’s comments are yet another in a long line of regulators warning about misrepresentations when it comes to AI. His comments suggest that the SEC will be laser-focused on disclosures regarding the use and development of AI. The SEC expects that disclosures will be tailored and consistent with a company’s actual practices. Chair Gensler’s commentary regarding his expectations for the specificity of disclosures on AI and his belief as to the risks inherent in “overhyping” AI provide a helpful roadmap as companies seek to incorporate more robust AI-focused disclosures into their public company filings this year.

FTC Warns AI (and Other) Companies Against Surreptitious Changes to Their Terms of Service or Privacy Policies

Recently, the U.S. Federal Trade Commission (the “FTC”) issued a warning to companies that it may be unfair or deceptive for a company to adopt more permissive data practices—for example, to begin using data collected for a different purpose to train AI—while only informing consumers of such data use changes through “a surreptitious, retroactive amendment” to applicable terms of service or privacy policies.

In a February 13, 2024, blog post, the FTC acknowledged that companies increasingly face the challenging task of maximizing data usage to improve their services or business while simultaneously upholding their current commitments to consumers regarding privacy. The FTC explained that while companies may be tempted to change their terms of service or privacy policies to adopt more permissive data practices, they should be wary of doing so in a manner that is not transparent and “risks running afoul of the law.” The FTC noted actions it had taken against companies that it alleged violated the law when they retroactively changed their relevant privacy policies and data sharing practices to allow for new types of data sharing without first notifying consumers or getting their consent.

Takeaway: Companies need to make sure they update their privacy policies and terms before engaging in new information sharing practices or otherwise processing consumer personal information in a way that is materially different from what is set out in their privacy policy and other relevant consumer-facing statements. The FTC has made clear that merely updating a policy and posting a new effective date will not be sufficient to alert consumers to material changes that apply retroactively to data already collected. Instead, companies will need to craft transparent disclosures that provide notice to, and obtain the consent of, consumers to the new practices. While this requirement is not new, the FTC has indicated a clear commitment to enforcing it.

First EU Cybersecurity Certification Scheme Established

The European Commission adopted an implementing regulation (the “Regulation”) establishing the European Common Criteria-based cybersecurity certification scheme (“EUCC”). This is the first certification scheme under the EU Cybersecurity Act, adopted in 2019 with the aim of strengthening ENISA, the EU agency for cybersecurity, and introducing European cybersecurity certification schemes.

The EUCC is a voluntary scheme for information and communications technology (“ICT”) products. The aim of the scheme is to (i) increase trust in the security of ICT products, (ii) encourage manufacturers of such products to implement measures at the earliest design and development stages in a “security by design” approach, and (iii) enable providers of such products to easily demonstrate their cybersecurity risk levels. Suppliers of certified products will be entitled to market their products as certified under EUCC and purchasers will benefit from certification providing a level of assurance when selecting products.

The Regulation, which came into force on February 27, 2024, outlines the roles, rules, obligations, and structure of the EUCC to ensure that certification under the scheme represents a valuable assurance as to the quality of a certified product’s cybersecurity. The scheme is based on the Common Criteria and Common Evaluation Methodology in ISO/IEC 15408 and ISO/IEC 18045.

Takeaway: By providing a single certification that is recognized across the EU, the EUCC aims to make it easier for ICT providers to offer products across EU borders. For businesses acquiring ICT products, using certified products will provide comfort regarding cybersecurity risk and, where the product is used in relation to personal data, will help to demonstrate compliance with security obligations under the GDPR and other privacy legislation.

Dechert Tidbits

International Efforts Disrupt the LockBit Ransomware Group

The US Department of Justice, alongside UK and other London-based international law enforcement partners, announced the disruption of the LockBit ransomware group (“LockBit”) on February 20, 2024. These partners and the U.S. Federal Bureau of Investigations seized websites and servers used by LockBit and issued indictments for several LockBit affiliates. Law enforcement actors are in the process of providing a remedy to LockBit’s victims by decrypting systems that had been targeted by its ransomware attacks. The investigation is ongoing, and additional releases are expected in the following days.

California Appeals Court Rules that CCPA Regulations Are Now Enforceable

On February 9, 2024, California’s Third District Court of Appeal overturned a lower court’s decision staying the California Privacy Protection Agency’s (the “Agency”) enforcement of its first set of California Consumer Privacy Act regulations. While the lower court’s decision had delayed enforcement of certain parts of such regulations until at least March 29, 2024, under the appellate court’s decision the Agency may now immediately enforce its first set of voluminous regulations, which were finalized in March 2023, in full.

EU Digital Services Act Comes Fully into Effect

On February 17, 2024, the EU Digital Services Act came fully into effect. The Act establishes a variety of rules designed to protect users of digital services. Previously the Act applied only to very large online platforms, but now applies to a much broader range of online intermediaries and platforms established in the EU or offering services in the EU. See our OnPoint for further information about the Act.

U.S. Patent and Trademark Office Publishes Guidance on Patentability of AI-Generated Inventions

The U.S. Patent and Trademark Office has published proposed guidance on its approach to patent applications for inventions made using AI. The guidance re-iterates the Office’s position that, in line with many other jurisdictions, under U.S. patent law only humans can qualify as inventors (see our recent OnPoint). Importantly, in order for an AI-generated invention to be patentable, a human must have made a “significant contribution” to the claimed invention. Inventions made autonomously by AI will therefore not qualify for a patent. The draft guidance is open to comment until May 13, 2024.