Privacy & Data Security

In this update, we detail the key legislative developments in the second quarter of 2021 related to artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and federal privacy legislation.  As we recently covered on May 12,  President Biden signed an Executive Order to strengthen the federal government’s ability to respond to and prevent cybersecurity threats, including by removing obstacles to sharing threat information between private sector entities and federal agencies and modernizing federal systems.  On the hill, lawmakers have introduced a number of proposals to regulate AI, IoT, CAVs, and privacy.

Continue Reading U.S. AI, IoT, CAV, and Privacy Legislative Update – Second Quarter 2021

In Episode 12 of our Inside Privacy Audiocast, together with special guest Advocate Pansy Tlakula, Chairperson of the Information Regulator of South Africa, we discussed the Information Regulator’s mandate and the implementation of data protection legislation in South Africa.  Now, with less than a month to go before South Africa’s Protection of Personal Information Act, 2013 (“POPIA”) takes full effect on July 1, 2021, it is critical for organizations operating in South Africa to ensure that they are ready, if and when the Information Regulator comes knocking.

It is only when organizations start their POPIA journey that they realize just how wide the POPIA net is cast, and that very few businesses fall outside of its reach.  The road to POPIA compliance should be viewed as a marathon, and not a sprint.  While implementing and maintaining an effective POPIA compliance program will take continued effort and resources well beyond the July 1, 2021 go-live date, here we outline five steps to which companies subject to POPIA should give their attention in the short term.


Continue Reading Final Countdown to POPIA Compliance: Five Critical Steps to Take Before July 1st, 2021

Connected and automated vehicle (“CAV”) developments in Washington are likely to pick up speed as 2021 rolls in. Indeed, a new presidential administration, new agency leadership, and a new Congress may drive new CAV regulation while also spurring innovation in an industry that many believe can enhance road safety, mobility, and accessibility. For instance, John Porcari, a Biden-Harris campaign advisor and former U.S. Deputy Secretary of Transportation under President Barack Obama, recently indicated that transportation agencies under President Biden would prioritize innovation and technological change and adopt a federal framework for autonomous vehicles.

Lawmakers and regulators, furthermore, will have the opportunity to build on some of the initiatives that picked up speed during the fall of 2020, such as the Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution Act (H.R. 8350) (“SELF DRIVE Act”), the National Highway Traffic Safety Administration’s (“NHTSA”) AV TEST tool, and NHTSA’s request for comment on its proposed framework for Automated Driving Systems (“ADS”) safety. Additionally, the Federal Communications Commission’s (“FCC”) adoption of rules to modernize the 5.9 GHz Band could spur the deployment of CAV technology, and the new administration may reinvigorate inter-agency efforts to examine consumer data privacy and security issues posed by CAVs, as well as CAV-related developments in infrastructure. This post looks down the road ahead for CAV developments in Washington.
Continue Reading IoT Update: The Road Ahead for Connected and Automated Vehicle Developments in Washington

On 11 November 2020, the European Data Protection Board (“EDPB”) issued two draft recommendations relating to the rules on how organizations may lawfully transfer personal data from the EU to countries outside the EU (“third countries”).  These draft recommendations, which are non-final and open for public consultation until 30 November 2020, follow the EU Court of Justice (“CJEU”) decision in Case C-311/18 (“Schrems II”).  (For a more in-depth summary of the CJEU decision, please see our blog post here and our audiocast here. The EDPB also published on 24 July 2020 FAQs on the Schrems II decision here).

The two recommendations adopted by the EDPB are:


Continue Reading EDPB adopts recommendations on international data transfers following Schrems II decision

FCC Chairman Pai announced today that the FCC will move forward with a rulemaking to clarify the meaning of Section 230 of the Communications Decency Act (CDA).  To date, Section 230 generally has been interpreted to mean that social media companies, ISPs, and other “online intermediaries” have not been subject to liability for their users’ actions.

On July 27, the Trump Administration—acting through the National Telecommunications and Information Administration—submitted a Petition for Rulemaking on Section 230, and Chairman Pai announced on August 3 that the FCC would seek public comment on the petition.  That petition asked the FCC to adopt rules to “clarify” the circumstances under which the liability shield of Section 230 applies.  Citing the FCC General Counsel’s reported position that the Commission has the legal authority to interpret Section 230, Chairman Pai today stated that a forthcoming agency rulemaking will strive to “clarify its meaning.”


Continue Reading FCC Announces Section 230 Rulemaking

Last week, the Federal Communications Commission (FCC) issued a notice of proposed rulemaking (NPRM) seeking comment on a proposal to review and potentially revise a number of existing exemptions that the FCC has adopted with respect to certain Telephone Consumer Protection Act (TCPA) requirements.  The FCC’s review could end up narrowing or eliminating some of these longstanding exemptions, imposing consent requirements or other obligations that today are not required for certain kinds of calls and texts.

Continue Reading FCC Reevaluating Certain TCPA Compliance Exemptions

On July 17, 2020, the High-Level Expert Group on Artificial Intelligence set up by the European Commission (“AI HLEG”) published The Assessment List for Trustworthy Artificial Intelligence (“Assessment List”). The purpose of the Assessment List is to help companies identify the risks of AI systems they develop, deploy or procure, and implement appropriate measures to mitigate those risks.

The Assessment List is not mandatory, and there isn’t yet a self-certification scheme or other formal framework built around it that would enable companies to signal their adherence to it.  The AI HLEG notes that the Assessment List should be used flexibly; organizations can add or ignore elements as they see fit, taking into consideration the sector in which they operate. As we’ve discussed in our previous blog post here, the European Commission is currently developing policies and legislative proposals relating to trustworthy AI, and it is possible that the Assessment List may influence the Commission’s thinking on how organizations should operationalize requirements relating to this topic.


Continue Reading AI Update: EU High-Level Working Group Publishes Self Assessment for Trustworthy AI

In this update, we detail the key legislative updates in the second quarter of 2020 related to artificial intelligence (“AI”), the Internet of Things (“IoT”), cybersecurity as it relates to AI and IoT, and connected and automated vehicles (“CAVs”). The volume of legislation on these topics has slowed but not ceased, as lawmakers increasingly focus on the pandemic and the upcoming national election. As Congress processes Appropriations bills, it continues to look to support and fund these technologies. We will continue to update you on meaningful developments between these quarterly updates across our blogs.
Continue Reading U.S. AI, IoT, and CAV Legislative Update – Second Quarter 2020

Senators Lindsey Graham (R-S.C.), Tom Cotton (R-Ark.) and Marsha Blackburn (R-Tenn.) have introduced the Lawful Access to Encrypted Data Act, a bill that would require tech companies to assist law enforcement in executing search warrants that seek encrypted data.  The bill would apply to law enforcement efforts to obtain data at rest as well as data in motion.  It would also apply to both criminal and national security legal process.  This proposal comes in the wake of the Senate Judiciary Committee’s December 2019 hearing on encryption and lawful access to data.  According to its sponsors, the purpose of the bill is to “end[] the use of ‘warrant-proof’ encrypted technology . . . to conceal illicit behavior.”
Continue Reading Lawful Access to Encrypted Data Act Introduced

On June 2, 2020, the French Supervisory Authority (“CNIL”) published a paper on algorithmic discrimination prepared by the French independent administrative authority known as “Défenseur des droits”.  The paper is divided into two parts: the first part discusses how algorithms can lead to discriminatory outcomes, and the second part includes recommendations on how to identify and minimize algorithmic biases.  This paper follows from a 2017 paper published by the CNIL on “Ethical Issues of Algorithms and Artificial Intelligence”.
Continue Reading French CNIL Publishes Paper on Algorithmic Discrimination