Artificial Intelligence Systems, Profiling, and the New U.S. State Privacy Laws

Posted on September 21, 2023 by Christopher Dodson

The rapid spread of Artificial Intelligence (AI) systems in recent years has overlapped with the enactment of comprehensive privacy laws by multiple U.S. states.  Aside from being generally applicable to AI systems in the same way as they are to any online service, several of the comprehensive state privacy laws have provisions that specifically address certain uses of AI systems, in particular use in profiling.  This article surveys those provisions and assumes the reader is already familiar with basic concepts in the comprehensive privacy laws, such as controllership and applicability thresholds.

The new comprehensive privacy laws of Iowa and Utah have no specific provisions on the use of AI for profiling or otherwise.  The laws of Connecticut, Delaware, Indiana, Montana, Tennessee, Texas, and Virginia are largely the same.  California, Colorado, Florida, and Oregon have some significant differences.

Read more ›
Tagged with: , , , , ,
Posted in Artificial Intelligence, Legislation, Privacy, Regulations

Final Interagency Guidance on Managing Risks Associated with Third-Party Relationships

Posted on June 27, 2023 by Benjamin Mishkin, Robert W. Rubenstein

On June 6, 2023, the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency and Federal Deposit Insurance Corp. (collectively, the “Agencies”) issued final interagency guidance that provides granular recommendations for how banks and other regulated financial institutions should manage risks associated with third-party relationships (the “Guidance”). The Guidance replaces prior guidelines that were released by the Agencies on July 19, 2021.

Read more ›
Tagged with: , , ,
Posted in Policies and Procedures, Risk Management, Standards

The Biden Administration’s Blueprint for an AI Bill of Rights

Posted on May 15, 2023 by Christopher Dodson

As the use of artificial intelligence (AI) rapidly expands throughout the private sector and government, the Biden administration has published a report titled A Blueprint for an AI Bill of Rights. A summary is available at https://www.whitehouse.gov/ostp/ai-bill-of-rights/ and the full document is available at https://www.whitehouse.gov/wp-content/uploads/2022/10/Blueprint-for-an-AI-Bill-of-Rights.pdf.

The report cites a myriad of issues with AI systems, including uses in hiring and credit decisions that have been found to reproduce existing inequities or create new harmful bias, uses in patient care that proved to be unsafe or ineffective, and increased collection or use of data that threatens people’s opportunities or undermines their privacy.  The report argues these harmful outcomes are not inevitable and that the AI tools have the potential to revolutionize many industries and benefit all parts of society.

The report sets out 5 basic rights of people that should be respected in connection with AI systems.

Read more ›
Tagged with: , , ,
Posted in Artificial Intelligence

NIST Issues New Artificial Intelligence Risk Management Framework

Posted on May 3, 2023 by Christopher Dodson

The National Institute of Standards and Technology (NIST) recently released version 1.0 of its Artificial Intelligence Risk Management Framework. The framework is available at https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf, and a full set of supporting documents is available at https://www.nist.gov/itl/ai-risk-management-framework

There is an emerging consensus that AI systems present a significantly different risk profile than conventional information technology systems.  While there is currently no legal requirement to use a risk management framework when developing AI systems, there are a growing number of proposals that would require the use of a risk management framework or offer a safe harbor from certain types of liability if one is used.

The framework identifies 6 factors for mitigating risk and evaluating the trustworthiness of an artificial intelligence (AI) system.

Read more ›
Tagged with: , , , ,
Posted in Artificial Intelligence

AI: What You Need to Know

Posted on May 01, 2023 by Andrew Baer, Christopher Dodson, Benjamin Mishkin, Matthew Klahre

Andy Baer is joined by three of his Cozen O’Connor colleagues for a panel discussion exploring the evolving law of artificial intelligence in the U.S. and Europe, including legal risks associated with ChatGPT and other AI tools, the current state of regulation, and how providers and users of AI tools can manage risk going forward.

Download this episode.

Read more ›
Posted in Cyber Law Monitor Podcast

You’ve Been Breached – Who Do You Call?

Posted on January 30, 2023 by Andrew Baer, Matthew Klahre

Host Andrew Baer is joined by Matthew Klahre from Cozen O’Connor’s Technology, Privacy, & Data Security practice group for a discussion, with practical tips, on how to manage internal and external communications following a data breach.

Download this episode.

Read more ›
Posted in Cyber Law Monitor Podcast

Update on EU-US Personal Data Transfers

Posted on November 14, 2022 by Andrew Baer, Christopher Dodson

Andy Baer is joined by Christopher Dodson of Cozen O’Connor to discuss EU-US personal data transfers after Schrems II, including the latest on the EU-US Data Privacy Framework.

Download this episode.

Read more ›
Posted in Cyber Law Monitor Podcast

Incoming State Privacy Laws in 2023

Posted on November 01, 2022 by Andrew Baer, Benjamin Mishkin

Introducing the Cyber Law Monitor Podcast, a podcast from Cozen O’Connor’s Technology, Privacy & Data Security practice group with discussions and perspectives on emerging trends, developments and best practices. In the inaugural episode, host Andrew Baer is joined by his Cozen O’Connor colleague, Benjamin Mishkin, for a discussion about the new state privacy laws in the United States, which will go into effect in 2023.

Download this episode.

Read more ›
Posted in Cyber Law Monitor Podcast

Federal Privacy Law Passage in Doubt?

Posted on August 29, 2022 by Andrew Baer

A few months ago it seemed like the American Data Privacy and Protection Act (ADPPA) was gaining momentum in Congress and represented the best hope in years for passage of a federal data privacy law that would preempt the five overlapping (but not totally consistent) state comprehensive privacy laws and offer businesses a uniform national framework. However, California’s attorney-general Rob Bonta and nine other state attorneys-general are now opposing the ADPPA in its current form, claiming that there should be no preemption and any federal privacy law should establish a “floor not a ceiling.” Of course, this would be the worst possible outcome for many businesses, which would face an additional compliance regime overlaid on the existing ones as well as a private right of action substantially broader than California’s. Please check out the following article published by Meghan Stoppel of Cozen O’Connor’s State Attorneys General group, which examines the state AGs’ position and evaluates the ADPPA’s chances of passage. 

Posted in Uncategorized

The New Standard Contractual Clauses Deadline is Approaching

Posted on August 15, 2022 by Andrew Baer, Robert W. Rubenstein

On June 4, 2021, the European Commission introduced the new set of Standard Contractual Clauses (“SCCs”), a primary mechanism for lawfully transferring personal data from Europe to the United States under the European Union’s General Data Protection Regulation. These new SCCs replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46. For those entities that entered into a transfer agreement based on the previous SCCs before September 27, 2021, a transition period has been granted until December 27, 2022 to switch to the new SCCs, provided that the processing operations that are the subject matter of the contract remain unchanged. Thus, all new and existing contracts must be transitioned to the new SCCs by December 27, 2022. Below is an overview of key updates in the new SCCs, and recommendations for ensuring compliance prior to the December 27, 2022 deadline.

Important Updates for the New SCCS

Modular Approach

The new SCCs are divided into four modules to address four different cross-border transfer scenarios: (i) Module One: controller to controller; (ii) Module Two: controller to processor; (iii) Module Three: processor to processor; and (iv) Module Four: processor to controller. This is different from the previous SCCs, which only contemplated cross-border transfer scenarios involving two controllers, and a controller to a processor. Under the new SCCs, the parties can tailor the clauses for their specific transfer scenario, reflecting the complexity of modern processing chains.

Transfer Impact Assessment

The new SCCs impose an obligation on the parties in all modules to conduct and record a transfer impact assessment. At the time of entering into the new SCCs, the parties must warrant that they have no reason to believe that the laws and practices applicable to the data importer are not in line with the requirements under the new SCCs. In conducting the transfer impact assessment, the parties must also account for the circumstances of the intended transfer, define the parameters of the transfer (i.e. length of processing chain), define the safeguards that are implemented, and assess the risk posed by the laws and practices of the third country of destination.

Docking Clause

While the previous SCCs did not permit additional parties to join directly, the new SCCs contain a clause that allow additional data exporters or importers to accede to the new SCCs throughout the lifecycle of the contract. The acceding party will have the rights and obligations arising under the new SCCs from the point of entering into the new SCCs.

Recommendations

In addition to using the new SCCs in any future contracts that involve data transfers from the European Union, entities should develop strategies to prioritize and update existing contracts that involve  personal data transfers from Europe to the U.S. Entities need to determine if the new SCCs are needed for cross-border transfer scenarios involving a processor to a controller or a processor to a processor, as the previous SCCs were not required for these scenarios. It is critical that entities identify all existing contracts that will need to be amended to include the new SCCs before the deadline of December 27, 2022.

Tagged with: , , , , ,
Posted in GDPR, Regulations, Standards
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Subscribe For Updates

cyberlawmonitor

Cozen O’Connor Blogs