On November 15, 2021, the Infrastructure Investment and Jobs Act (“IIJA”) became law, authorizing $65 billion in federal broadband investments with the goal of connecting all Americans to reliable, high speed, and affordable broadband.  The IIJA directed the National Telecommunications and Information Administration (“NTIA”) to oversee the distribution of $48.2 billion in infrastructure grants to states, Tribal governments, and companies through four programs: the Broadband Equity, Access, and Deployment (“BEAD”) Program ($42.45 billion), Tribal Broadband Connectivity Program ($2 billion), Digital Equity Act Programs ($2.75 billion), and Enabling Middle Mile Broadband Infrastructure Program ($1 billion).

NTIA has already held two of its five planned virtual listening sessions designed to solicit information from interested stakeholders, and the third session – billed as a “deep dive” on the $42.5 billion BEAD program – is scheduled for January 26.  NTIA also recently announced a Request for Comment (“RFC”) on the implementation of the following broadband programs of the Infrastructure Investment and Jobs Act (“IIJA”):

  • Broadband Equity, Access, and Deployment Program;
  • State Digital Equity Planning Grant Program; and
  • Enabling Middle Mile Broadband Infrastructure Program.

The RFC seeks comment on how NTIA should generally administer IIJA funds as well as “program design, policy issues, and implementation considerations” of each initiative listed above.  Comments are due by 5 p.m. EST on February 4, 2022.

NTIA has explained that it will use the comments submitted in response to the RFC, along with other sources of public input (such as the virtual listening sessions), to “improve the number and quality of ideas under consideration” as the agency develops the Notice of Funding Opportunity (“NOFO”) that will be issued for each program.  However, it bears emphasis that NTIA’s operational and grant-funding decisions are explicitly excluded from Administrative Procedure Act challenges, so this stakeholder input process is strictly advisory.

The RFC’s 36 questions are divided into four sections: an initial section with questions about general IIJA administration and then one section for each of the IIJA programs listed above.

  • On general IIJA administration issues, NTIA appears to be interested in what methods, data collection processes, and standards NTIA should use to support IIJA’s broader goal of connecting all Americans to broadband. NTIA also requests comment on the structure and format of the state subgrant award process, as well as workforce shortages and supply chain issues and their effect the IIJA’s goal of ensuring broadband infrastructure is made and installed by U.S. workers.
  • The BEAD Program questions focus on technical requirements for project service speeds, security, reliability, and sustainable service, as well as criteria for connecting unserved and underserved communities. NTIA also requests comment from stakeholders on what speeds, throughput, and latencies will be required to connect all Americans over the next five, ten, and twenty years.  Other BEAD Program questions cover the interaction between how to assess “served” areas vis-à-vis unfinished broadband projects, the definitions of “high-cost area” and “eligible subscriber,” and whether NTIA should define a baseline standard so providers are not required to offer disparate plans in each state, and what additional factors NTIA should adopt to drive affordability beyond the low-cost option.
  • Regarding the State Digital Equity Planning Grant Program, the RFC asked about how NTIA should advise states as they produce their plans for the program, particularly how programs can achieve the goals of the IIJA and ensure states consult with historically marginalized communities.
  • The RFC’s questions on the Enabling Middle Mile Broadband Infrastructure Program center around how NTIA should ensure middle-mile investments are targeted in areas where middle-mile service is non-existent or expensive, as well as prioritization and scalability of projects.

As 2021 comes to a close, we will be sharing the key legislative and regulatory updates for artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and privacy this month.  Lawmakers introduced a range of proposals to regulate AI, IoT, CAVs, and privacy as well as appropriate funds to study developments in these emerging spaces.  In addition, from developing a consumer labeling program for IoT devices to requiring the manufacturers and operators of CAVs to report crashes, federal agencies have promulgated new rules and issued guidance to promote consumer awareness and safety.  We are providing this year-end round up in four parts.  In this post, we detail IoT updates in Congress, the states, and federal agencies.

Continue Reading U.S. AI and IoT Legislative Update – Year-End 2021

As 2021 comes to a close, we will be sharing the key legislative and regulatory updates for artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and privacy this month.  Lawmakers introduced a range of proposals to regulate AI, IoT, CAVs, and privacy as well as appropriate funds to study developments in these emerging spaces.  In addition, from developing a consumer labeling program for IoT devices to requiring the manufacturers and operators of CAVs to report crashes, federal agencies have promulgated new rules and issued guidance to promote consumer awareness and safety.  We are providing this year-end round up in four parts.  In this post, we detail CAV updates in Congress and federal agencies.

Continue Reading U.S. AI and IoT Legislative Update – Year-End 2021

As 2021 comes to a close, we will be sharing the key legislative and regulatory updates for artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and privacy this month.  Lawmakers introduced a range of proposals to regulate AI, IoT, CAVs, and privacy as well as appropriate funds to study developments in these emerging spaces.  In addition, from developing a consumer labeling program for IoT devices to requiring the manufacturers and operators of CAVs to report crashes, federal agencies have promulgated new rules and issued guidance to promote consumer awareness and safety.  We are providing this year-end round up in four parts.  In this post, we detail data privacy updates in Congress and federal agencies.

Continue Reading U.S. AI and IoT Legislative Update – Year-End 2021

As 2021 comes to a close, we will be sharing the key legislative and regulatory updates for artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and privacy this month.  Lawmakers introduced a range of proposals to regulate AI, IoT, CAVs, and privacy as well as appropriate funds to study developments in these emerging spaces.  In addition, from developing a consumer labeling program for IoT devices to requiring the manufacturers and operators of CAVs to report crashes, federal agencies have promulgated new rules and issued guidance to promote consumer awareness and safety.  We are providing this year-end round up in four parts.  In this post, we detail AI updates in Congress, state legislatures, and federal agencies.

Continue Reading U.S. AI and IoT Legislative Update – Year-End 2021

There has been a substantial increase in the use of the Internet across the African continent, aided by ongoing investment into local digital infrastructure, reduction in the associated costs, and improved user access. This has allowed both individuals, and private and public entities, the ability to access, collect, process and/or disseminate personal data more easily, which has spurred a number of African countries to enact comprehensive data protection laws and establish data protection authorities. There is also a growing perception among African countries that there is a need to protect their citizen’s personal data, to regulate how public and private entities use personal data, and to establish data protection authorities tasked with enforcing these laws.

While countries like Kenya, Rwanda and South Africa now have comprehensive data protection laws, which share some elements found in the European Union’s General Data Protection Regulation (“GDPR”), many of the proposed data protection laws have specific rules that are different from those in other countries in Africa. Consequently, technology companies conducting business in Africa will be required to keep abreast of the evolving regulatory landscape as it relates to data protection on the continent.

Recently enacted data protection laws 

  • The Republic of Rwanda’s Law No. 058/2021 relating to the Protection of Personal Data and Privacy (“Data Protection Law”) was enacted and came into effect upon its publication in the Government’s Official Gazette on October 15, 2021. The Data Protection Law gives effect to Article 23 of the Constitution of Rwanda, which guarantees the right to privacy as a fundamental right. The Data Protection Law provides for a transitional period of 2 years from the date of its publication, to allow controllers and processors to comply with local registration procedures and to ensure that their operations and activities adequately comply with the requirements of the Data Protection Law. This is the first law of its kind for Rwanda, introducing principles related to lawfulness, fairness, transparency, purpose limitation and accuracy, as well as the designation of a data protection officer.
  • The Republic of South Africa’s Protection of Personal Information Act, 2013 (“POPIA”) became effective on July 1, 2020. POPIA gives effect to the right to privacy in section 14 of the Constitution of South Africa (Act 108 of 1996). POPIA covers all responsible parties that collect, store, process and/or disseminate personal information as part of their business activities. The Information Regulator (“IR”) is responsible for education, monitoring and enforcing compliance, handling complaints, performing research and facilitating cross-border cooperation. The IR has jurisdiction throughout South Africa. It is independent and subject only to the Constitution and to the law. The IR must be impartial and perform its functions and exercise its powers without fear, favor, or prejudice.
  • The Republic of Kenya’s Data Protection Act, 2019 (“DPA”) was enacted and came into effect on November 2019. The DPA reflects the provisions of Article 31 of the Constitution of Kenya, which provides for the fundamental right to privacy. This is the first law of its kind for Kenya, which provides a regulatory framework for data protection and guidelines on how personally identifiable data can be collected, used, stored or shared. Further, this law establishes the office of the Data Protection Commissioner.
  • In the Federal Republic of Nigeria, section 37 of the Constitution of the Federal Republic of Nigeria gives effect to the right to privacy. The Nigerian Data Protection Regulation (“NDPR”) 2019 is the main data protection statute in Nigeria. The regulatory body responsible for governing the NDPR is the National Information Technology Development Agency (“NITDA”). The NDPR makes provision for (amongst others) the rights of data subjects, obligations for data controllers and data processors, and transfer of data to a foreign territory. Even though other legislation, such as the Cybercrimes (Prohibition, Prevention, etc.) Act (2015) and the National Identity Management Commission Act, 2007 contain provisions relating to data protection,  the NDPR is the starting point for understanding Nigeria’s data protection landscape. 
  • The Republic of Uganda, passed its Data Protection and Privacy Act, 2019 (“Act”) in February 2019, which gives effect to Article 27(2) of the Ugandan Constitution, which provides for the protection of citizens’ rights to privacy.  The Act seeks to protect the privacy of Ugandan citizens’ (“data subjects”) by regulating the access, collection, processing and transfer of data. The Act also empowers data subjects whose personal data has been requested, collected, collated, processed or stored, the power to exercise control over their personal data, including consent to the collection and processing or to request the correction and deletion of personal data. The National Information Technology Authority – Uganda (“NITA-U”) is designated as the national data protection authority and maintains the Register that lists all  institutions, data subjects or public bodies that collect or process personal data.  The Act aligns with a number of international conventions including the Universal Declaration of Human Rights, where Uganda is a signatory. 
  • The Kingdom of Morocco’s Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data (“Law No. 09-08”), is the data protection law that was passed in 2009. Law No. 09-08 gives expression to the constitutional right to privacy founded under Article 24 of the Constitution of Morocco. The law sets out the authorities responsible for data protection, its own territorial scope and the conditions according to which data can be transferred to third countries.
  • The Togolese Republic Law No. 2019-014 relating to the Protection of Personal Data (the “Law”), was published in the Official Gazette in October 2019. The Law regulates the collection, processing, transmission, storage, and use of personal data in Togo and gives effect to the provisions of Article 28 of the Togolese constitution, which enshrines the right of citizen’s rights to privacy, dignity, and respect as regards their image. The Law establishes the Personal Data Protection Authority, an independent administrative authority responsible for ensuring that the processing of personal data is carried out in in accordance with the Law. 
  • The Republic of Ghana’s Data Protection Act, 2012 (“Act 2012”) was passed in May 2012, and gives effect to Article 18(2), which provides for the fundamental right to privacy. Act 2012 establishes the Data Protection Commission (“DPC”), which is tasked with protecting the privacy of data subjects and  personal  The DPC also regulates the processing, collection and transfer of personal data.

The enactment of the above laws has helped African countries align with global best practice on data protection and privacy, and represent a significant change in Africa’s regulatory landscape. Going forward, we can expect to see more African countries enacting and passing data protection laws to lend greater protections to personal data and address emerging cybersecurity threats.

The team at Covington is well placed to advise on these policy and regulatory developments. Please reach out to Witney Schneidman (WSchneidman@cov.com), Dan Cooper (DCooper@cov.com), Mosa Mkhize (MMkhize@cov.com), Sam Jungyun Choi (JChoi@cov.com) or Shivani Naidoo (SNaidoo@cov.com).

This is the seventh in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the secondthirdfourthfifth, and sixth blogs described the actions taken by various government agencies to implement the EO during June, July, August, September, and October 2021, respectively.  This blog summarizes the key actions taken to implement the Cyber EO during November 2021.

Although most of the developments in November were directed at U.S. Government agencies, the standards being developed for such agencies could be imposed upon their contractors or otherwise be adopted as industry standards for all organizations that develop or acquire software.

Continue Reading November 2021 Developments Under President Biden’s Cybersecurity Executive Order

Last week, the office of Acting FCC Chairwoman Jessica Rosenworcel released a draft Notice of Inquiry (NOI) regarding spectrum availability and requirements to support the growth of Internet of Things (IoT).  The FCC will consider this NOI, which is intended to collect information and does not propose rules, in its next Open Commission Meeting scheduled for September 30, 2021. This proposed NOI is the latest in a series of FCC actions that will affect the future deployment of IoT products and services in the United States. Continue Reading IoT Update: FCC to Open Inquiry into Spectrum Needs for Growth of the Internet of Things

NHTSA recently issued a First Amended Standing General Order requiring electronic portal submission of crash incident data for automated and semi-autonomous vehicles. As of August 12, 2021, automated motor vehicle manufacturers, motor vehicle equipment manufacturers, and operators will be required to report and upload crash incident data within 24 hours to the NHTSA Incident Report Portal. The 24 hour incident crash reporting requirement is in effect for three years from the date of issuance of the Standing General Order (“SGO”), until June 29, 2024.

The First Amended Standing General Order supersedes but does not substantively change the requirements of NHTSA’s initial SGO, which NHTSA served on 108 major OEMs, robotics, electronics, AI, rideshare, and software companies on June 29, 2021. The SGO applies to manufacturers and operators of motor vehicle equipment and motor vehicles equipped with (i) SAE Level 2 advanced driver assistance systems (“ADAS”), which includes common safety features such as adaptive cruise control and lane-keeping assistance, and (ii) SAE Levels 3-5 automated driving systems (“ADS”) (conditional to full driving automation).

The First Amended SGO and SGO are early demonstrations of NHTSA’s more aggressive regulatory and enforcement oversight of automated and semi-autonomous vehicles under Biden administration leadership. For the first time, NHTSA has imposed reporting obligations solely through regulatory action rather than as a result of a Congressional mandate. The 24 hour timeline for reporting is also a swifter timeline than Part 573 safety defect and noncompliance reporting under the Motor Vehicle Safety Act, and the monthly reporting requirement (even in the absence of crash incident data), is a swifter timeline than quarterly early warning reporting requirements under the TREAD Act. NHTSA also determines through the Orders that ADS and ADAS constitute “motor vehicle equipment” subject to regulation under the Motor Vehicle Safety Act.

The SGO also provides three limited exceptions to public disclosure of the incident reports based on confidentiality claims under Part 512. The Order’s guidance signals a greater transparency approach to public safety information.

Who is Responsible for Reporting?

The SGO requires vehicle and equipment manufacturers and operators to report certain crashes that occur while the ADS or Level 2 ADAS is engaged, or immediately after it is in use, and to provide sufficient information for NHTSA to identify crashes warranting further follow-up. As with other reporting requirements, the SGO does not prioritize reports between manufacturers and other reporting entities. The SGO’s imposition of reporting requirements on operators as well as vehicle manufacturers, and its determination that ADS and Level 2 ADAS constitute “motor vehicle equipment” reflects a more expansive assertion of NHTSA authority over technology companies that supply automated systems to vehicle manufacturers.

Which Crashes Trigger Reporting?

Each incident that meets the following criteria requires submission of an incident report by a manufacturer and operator within one day of each entity learning of a crash, and an updated report within ten days:

  • The crash occurred on a publicly accessible road in the United States;
  • The ADS or ADAS was engaged at any time during the 30 seconds immediately prior to the crash through the conclusion of the crash; and
  • The crash results in a hospital-treated injury, a fatality, a vehicle tow-away, an air bag deployment, or involved a vulnerable road user (e.g., pedestrian, cyclist, etc.).

Additionally, every month, companies must report all other crashes of an ADS or Level 2 ADAS-equipped vehicle that involve injury or property damage. If no crashes occur in any given month, reporting entities must submit a monthly incident report confirming the lack of any reportable information.

What Information is Collected and Disseminated?

The initial reports must include information on the reporting entity, vehicle, incident (date, time, scene, and crash severity details), and post-crash activities and data availability. NHTSA plans to review the reports to identify crashes for further follow-up, including potential Special Crash Investigations or requests for further information, such as Event Data Recorder data. NHTSA may also open defect investigations, as warranted.

The Order preemptively identifies the limited scope of information to be afforded confidential treatment, including: (1) the version of the ADAS/ADS with which a vehicle is equipped; (2) whether the vehicle was within its operational design domain at the time of the incident; and (3) the defect narrative.

If you have any questions concerning the material discussed in this blog post, please contact the following members of our Connected and Autonomous Vehicles practice:

Sarah Wilson                                     +1 202 662 5397                    swilson@cov.com
Jennifer Johnson                              +1 202 662 5552                    jjohnson@cov.com
Rebecca Yergin                                 +1 202 662 5935                    ryergin@cov.com
Olivia Dworkin                                  +1 424 332 4817                    odworkin@cov.com
Nira Pandya                                       +1 650 632 4724                    npandya@cov.com

 

This post is a part of Covington’s CAV blog series, which covers CAV developments across the world. To access prior CAV blog posts and webinars and to learn more about our team and our work, please visit Covington’s CAV website.

This information is not intended as legal advice. Readers should seek specific legal advice before acting with regard to the subjects mentioned herein.

Covington & Burling LLP, an international law firm, provides corporate, litigation and regulatory expertise to enable clients to achieve their goals. This communication is intended to bring relevant developments to our clients and other interested colleagues. Please send an email to unsubscribe@cov.com if you do not wish to receive future emails or electronic alerts.

In this update, we detail the key legislative developments in the second quarter of 2021 related to artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and federal privacy legislation.  As we recently covered on May 12,  President Biden signed an Executive Order to strengthen the federal government’s ability to respond to and prevent cybersecurity threats, including by removing obstacles to sharing threat information between private sector entities and federal agencies and modernizing federal systems.  On the hill, lawmakers have introduced a number of proposals to regulate AI, IoT, CAVs, and privacy.

Continue Reading U.S. AI, IoT, CAV, and Privacy Legislative Update – Second Quarter 2021