Co-Rapporteurs Circulate Latest AI Act Compromises
Co-rapporteurs for the proposed Artificial Intelligence Act circulated a new set of compromise texts concerning a range of disputed topics in the EU proposal. Updates were offered on provisions for prohibited practices, high-risk AI obligations, regulatory sandboxes and the role of a dedicated AI enforcement office. The new proposals were a product of feedback from a recent political meeting among members of the European Parliament aimed at finalizing their position on the draft.
ICO Publishes ‘SME Data Essentials Pilot’ Report
The U.K. Information Commissioner’s Office published a final report on the findings of its “SME Data Essentials Pilot” program. “The purpose of piloting is to test feasibility, learn how to operationalize a policy, how to overcome implementation barriers, and how to improve processes and outcomes,” the ICO said. It added that the pilot achieved “much success” toward that goal and “revealed a range of learnings around design and implementation, all of which will prove significantly valuable for considerations.”
EU Council Releases Cyber Resilience Act Compromise Text
The Swedish Presidency of the EU Council circulated new compromise text of the Cyber Resilience Act, detailing its interplay with the Artificial Intelligence Act, enforcement and penalties. The text clarifies that AI systems considered high risk will comply with the AI Act’s cybersecurity measures if they meet requirements within the Cyber Resilience Act. The new text also mandates EU countries implement an appeal procedure of external audits required of certain products.
White House Announces National Cybersecurity Strategy
U.S. President Joe Biden announced the National Cybersecurity Strategy, which aims to “secure the full benefits of a safe and secure digital ecosystem for all Americans.” Notably, the Biden administration’s strategy seeks to “rebalance the responsibility to defend cyberspace” and place obligations on the organizations that are most capable and best-positioned to reduce risks for all of us. Privacy and data security are mentioned under the strategy’s intended approach to shape market forces to drive security and resilience, including calls for legislation establishing liability for software products and services that are sold with little regard for security, implementing a more active role by cloud providers, and more.
ChatGPT’s Rise Brings New Debate on Proposed AI Act
ChatGPT’s increased use and popularity are causing strain in EU negotiations for the proposed Artificial Intelligence Act. The sudden rise of generative AI systems spurred EU institutions to reconsider their positions on proposed legislation, but the European Parliament remains undecided on how to move forward. Officials received pushback regarding a proposal to characterize systems like ChatGPT as high-risk due to their potential to disperse disinformation en masse.
Iowa Senate Unanimously Approves Comprehensive Privacy Bill
The Iowa Senate voted 47-0 to advance Senate File 262, an act relating to consumer data protection, to House consideration. The bill covers companies holding data on more than 100,000 individuals or deriving 50% of annual revenue from data belonging to more than 25,000 consumers. Additionally, the bill does not require data protection impact assessments or include an explicit right for users to opt out of targeted advertising, while providing covered entities a 90-day cure period. SF 262’s effective date is Jan. 1, 2025.
India to Propose Open Transfer Regime in Draft Data Protection Bill
India’s government plans to amend draft provisions on data transfers in the proposed Digital Personal Protection Bill. The data transfer language under Clause 17 of the bill will reportedly be reworked to allow for data to flow freely across borders. A senior government official labeled the framework as an “allowed-by-default model.” The official added, “If the government does not want data to be transferred to a particular region, it will mention that region in its blacklist.”
UK Introduces Draft Data Protection Reform
On Wednesday, the U.K. released a draft data protection reform of its General Data Protection Regulation. U.K. Secretary of State for Science, Innovation and Technology Michelle Donelan introduced the Data Protection and Digital Information (No. 2) Bill to Parliament. “Co-designed with business from the start,” Donelan said, “this new bill ensures that a vitally important data protection regime is tailored to the U.K.’s own needs and our customs.” In line with last summer’s draft bill, the new proposal will increase fines for nuisance calls and texts up to either 4% of global turnover or 17.5 million GBP, whichever is greater. Additionally, the bill would reduce the number of consent pop-ups on websites, the government stated in a press release. The reform bill will also reorganize the Information Commissioner’s Office to include a statutory board with a chair and chief executive. Notably, this bill would require businesses to keep records of processing only when the data is high-risk, such as someone’s health data. It would also clarify that profiling is subject to the same set of rules as automated decision-making when a “significant decision is taken about a person with no meaningful human involvement.”
US Chamber of Commerce Publishes AI Commission Report
The U.S. Chamber of Commerce released its Artificial Intelligence Commission Report, highlighting opportunities the technology presents while calling for a risk-based regulatory approach. Without “appropriate” and “reasonable protections,” AI could “adversely affect privacy,” the Chamber said. “Policy leaders must undertake initiatives to develop thoughtful laws and rules for the development of responsible AI and its ethical deployment,” a press release said, noting regulation should be technology neutral, flexible, balanced and proportionate.
FTC Proposes Increased Budget, Seeks Additional Privacy Resources
The U.S. Federal Trade Commission requested a 37% budget increase, approximately $160 million, from U.S. Congress for the fiscal year 2024. In a report outlining its needs, the FTC said it wants to hire 310 full-time employees, including 62 dedicated to consumer protection, with an eye toward helping the agency “investigate and litigate more and increasingly complex matters.” The commission said the additional personnel will help it properly tackle children’s and health data privacy, among other sectoral issues facing consumers.
European Parliament Approves Proposed Data Act Position
European Parliament voted 500-23 with 110 abstentions to adopt its position on the proposed Data Act. Parliament touted the proposal for establishing “common rules governing the sharing of data generated by the use of connected products or related services … to ensure fairness in data sharing contracts.” Lawmakers also mentioned how artificial intelligence-based products will be better supported and enabled by the proposal. The proposal now awaits further negotiations between EU institutions.
Colorado Privacy Act Regulations Finalized
The Colorado attorney general’s office announced the finalization of the Colorado Privacy Act regulations. The office highlighted rules implemented on the topics of universal opt-out mechanisms, data protection impact assessments, user profiling and transparency. The rules were formulated based on feedback from 137 written comments. “Attorneys in my office thoughtfully incorporated feedback throughout the rulemaking to carefully craft rules to both protect consumers and ensure businesses have reasonable direction as they manage Coloradans’ information,” Colorado Attorney General Phil Weiser said.
Iowa Legislature Approves Comprehensive Privacy Bill
Iowa is on the verge of becoming the sixth U.S. state to pass comprehensive privacy legislation. Both chambers of the Iowa Legislature unanimously voted to approve Senate File 262, including final approval from the Iowa House on a 97-0 vote Wednesday, and potential enactment could come shortly after transmission to the governor. Senate File 262 falls into the patchwork of existing state privacy legislation, carrying notable similarities and differences.
EU Member States Reach Agreement on Data Act
EU member states reached a common position on the proposed Data Act, enabling negotiations on the final version of the proposed legislation to begin among the Council of the European Union and European Parliament. Swedish Minister for Public Administration Erik Slottner said the Data Act “will contribute to creating a single market to allow data to flow freely within the EU and across sectors for the benefit of businesses, researchers, public administrations, and society at large.”
Executive Order Prohibits US Government Use of Spyware Posing Security Risks
U.S. President Joe Biden issued an executive order prohibiting government use of commercial spyware that poses national security risks. “The growing exploitation of Americans’ sensitive data and improper use of surveillance technology, including commercial spyware,” threatens the development of an international technology ecosystem that “enables and promotes the free flow of data and ideas with trust” and “protects our security, privacy, and human rights,” the order said.
UK Releases White Paper on AI Regulatory Framework
The U.K. Department for Science, Innovation and Technology published a white paper with its approach to regulating artificial intelligence technologies. The regulatory framework seeks to “build public trust in cutting-edge technologies and make it easier for businesses to innovate, grow and create jobs.” The approach consists of five AI principles: safety, transparency, fairness, accountability and governance, and redress. U.K. regulators will roll out guidance within the next 12 months to help organizations implement new rules.
First CPRA Regulations Finalized Following OAL Review
The California Privacy Protection Agency announced the first California Privacy Rights Act rulemaking package was approved by the California Office of Administrative Law following a review. The regulations update and clarify existing requirements under the California Consumer Privacy Act while also adding new CCPA requirements introduced by the CPRA. The finalized rules, which come ahead of the CPRA’s 1 July enforcement, contain no substantive changes to the final draft submitted by the CPPA to the OAL in February.