On September 12, 2022, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) published a Request for Information, seeking public comment on how to structure implementing regulations for reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). Written comments are requested on or before November 14, 2022 and may be submitted through the Federal eRulemaking Portal: http://www.regulations.gov.
U.S. AI, IoT, CAV, and Data Privacy Legislative and Regulatory Update – Second Quarter 2022
This quarterly update summarizes key federal legislative and regulatory developments in the second quarter of 2022 related to artificial intelligence (“AI”), the Internet of Things, connected and automated vehicles (“CAVs”), and data privacy, and highlights a few particularly notable developments in U.S. state legislatures. To summarize, in the second quarter of 2022, Congress and the Administration focused on addressing algorithmic bias and other AI-related risks and introduced a bipartisan federal privacy bill.
Robotics Spotlight: Global Regulatory Trends Affecting Robotics
On April 28, 2022, Covington convened experts across our practice groups for the Covington Robotics Forum, which explored recent developments and forecasts relevant to industries affected by robotics. Sam Jungyun Choi, Associate in Covington’s Technology Regulatory Group, and Anna Oberschelp, Associate in Covington’s Data Privacy & Cybersecurity Practice Group, discussed global regulatory trends that
Tech Regulation in Africa: Recently Enacted Data Protection Laws
There has been a substantial increase in the use of the Internet across the African continent, aided by ongoing investment into local digital infrastructure, reduction in the associated costs, and improved user access. This has allowed both individuals, and private and public entities, the ability to access, collect, process and/or disseminate personal data more easily,
U.S. AI, IoT, CAV, and Privacy Legislative Update – Second Quarter 2021
In this update, we detail the key legislative developments in the second quarter of 2021 related to artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and federal privacy legislation. As we recently covered on May 12, President Biden signed an Executive Order to strengthen the federal government’s ability to respond to and prevent cybersecurity threats, including by removing obstacles to sharing threat information between private sector entities and federal agencies and modernizing federal systems. On the hill, lawmakers have introduced a number of proposals to regulate AI, IoT, CAVs, and privacy.
Continue Reading U.S. AI, IoT, CAV, and Privacy Legislative Update – Second Quarter 2021
Final Countdown to POPIA Compliance: Five Critical Steps to Take Before July 1st, 2021
In Episode 12 of our Inside Privacy Audiocast, together with special guest Advocate Pansy Tlakula, Chairperson of the Information Regulator of South Africa, we discussed the Information Regulator’s mandate and the implementation of data protection legislation in South Africa. Now, with less than a month to go before South Africa’s Protection of Personal Information Act, 2013 (“POPIA”) takes full effect on July 1, 2021, it is critical for organizations operating in South Africa to ensure that they are ready, if and when the Information Regulator comes knocking.
It is only when organizations start their POPIA journey that they realize just how wide the POPIA net is cast, and that very few businesses fall outside of its reach. The road to POPIA compliance should be viewed as a marathon, and not a sprint. While implementing and maintaining an effective POPIA compliance program will take continued effort and resources well beyond the July 1, 2021 go-live date, here we outline five steps to which companies subject to POPIA should give their attention in the short term.
IoT Update: The Road Ahead for Connected and Automated Vehicle Developments in Washington
Connected and automated vehicle (“CAV”) developments in Washington are likely to pick up speed as 2021 rolls in. Indeed, a new presidential administration, new agency leadership, and a new Congress may drive new CAV regulation while also spurring innovation in an industry that many believe can enhance road safety, mobility, and accessibility. For instance, John Porcari, a Biden-Harris campaign advisor and former U.S. Deputy Secretary of Transportation under President Barack Obama, recently indicated that transportation agencies under President Biden would prioritize innovation and technological change and adopt a federal framework for autonomous vehicles.
Lawmakers and regulators, furthermore, will have the opportunity to build on some of the initiatives that picked up speed during the fall of 2020, such as the Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution Act (H.R. 8350) (“SELF DRIVE Act”), the National Highway Traffic Safety Administration’s (“NHTSA”) AV TEST tool, and NHTSA’s request for comment on its proposed framework for Automated Driving Systems (“ADS”) safety. Additionally, the Federal Communications Commission’s (“FCC”) adoption of rules to modernize the 5.9 GHz Band could spur the deployment of CAV technology, and the new administration may reinvigorate inter-agency efforts to examine consumer data privacy and security issues posed by CAVs, as well as CAV-related developments in infrastructure. This post looks down the road ahead for CAV developments in Washington.
Continue Reading IoT Update: The Road Ahead for Connected and Automated Vehicle Developments in Washington
EDPB adopts recommendations on international data transfers following Schrems II decision
On 11 November 2020, the European Data Protection Board (“EDPB”) issued two draft recommendations relating to the rules on how organizations may lawfully transfer personal data from the EU to countries outside the EU (“third countries”). These draft recommendations, which are non-final and open for public consultation until 30 November 2020, follow the EU Court of Justice (“CJEU”) decision in Case C-311/18 (“Schrems II”). (For a more in-depth summary of the CJEU decision, please see our blog post here and our audiocast here. The EDPB also published on 24 July 2020 FAQs on the Schrems II decision here).
The two recommendations adopted by the EDPB are:
- Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“Draft Recommendations on Supplementary Measures”); and
- Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (“Recommendations on EEG”).
FCC Announces Section 230 Rulemaking
FCC Chairman Pai announced today that the FCC will move forward with a rulemaking to clarify the meaning of Section 230 of the Communications Decency Act (CDA). To date, Section 230 generally has been interpreted to mean that social media companies, ISPs, and other “online intermediaries” have not been subject to liability for their users’ actions.
On July 27, the Trump Administration—acting through the National Telecommunications and Information Administration—submitted a Petition for Rulemaking on Section 230, and Chairman Pai announced on August 3 that the FCC would seek public comment on the petition. That petition asked the FCC to adopt rules to “clarify” the circumstances under which the liability shield of Section 230 applies. Citing the FCC General Counsel’s reported position that the Commission has the legal authority to interpret Section 230, Chairman Pai today stated that a forthcoming agency rulemaking will strive to “clarify its meaning.”
AI Update: EU High-Level Working Group Publishes Self Assessment for Trustworthy AI
On July 17, 2020, the High-Level Expert Group on Artificial Intelligence set up by the European Commission (“AI HLEG”) published The Assessment List for Trustworthy Artificial Intelligence (“Assessment List”). The purpose of the Assessment List is to help companies identify the risks of AI systems they develop, deploy or procure, and implement appropriate measures to mitigate those risks.
The Assessment List is not mandatory, and there isn’t yet a self-certification scheme or other formal framework built around it that would enable companies to signal their adherence to it. The AI HLEG notes that the Assessment List should be used flexibly; organizations can add or ignore elements as they see fit, taking into consideration the sector in which they operate. As we’ve discussed in our previous blog post here, the European Commission is currently developing policies and legislative proposals relating to trustworthy AI, and it is possible that the Assessment List may influence the Commission’s thinking on how organizations should operationalize requirements relating to this topic.
Continue Reading AI Update: EU High-Level Working Group Publishes Self Assessment for Trustworthy AI