Final Interagency Guidance on Managing Risks Associated with Third-Party Relationships

On June 6, 2023, the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency and Federal Deposit Insurance Corp. (collectively, the “Agencies”) issued final interagency guidance that provides granular recommendations for how banks and other regulated financial institutions should manage risks associated with third-party relationships (the “Guidance”). The Guidance replaces prior guidelines that were released by the Agencies on July 19, 2021.

Posted in Policies and Procedures, Risk Management, Standards

The Biden Administration’s Blueprint for an AI Bill of Rights

As the use of artificial intelligence (AI) rapidly expands throughout the private sector and government, the Biden administration has published a report titled A Blueprint for an AI Bill of Rights. A summary is available at https://www.whitehouse.gov/ostp/ai-bill-of-rights/ and the full document is available at https://www.whitehouse.gov/wp-content/uploads/2022/10/Blueprint-for-an-AI-Bill-of-Rights.pdf.

The report cites a myriad of issues with AI systems, including uses in hiring and credit decisions that have been found to reproduce existing inequities or create new harmful bias, uses in patient care that proved to be unsafe or ineffective, and increased collection or use of data that threatens people’s opportunities or undermines their privacy. The report argues these harmful outcomes are not inevitable and that AI tools have the potential to revolutionize many industries and benefit all parts of society.

The report sets out five basic rights that should be respected in connection with AI systems.

Posted in Artificial Intelligence

NIST Issues New Artificial Intelligence Risk Management Framework

The National Institute of Standards and Technology (NIST) recently released version 1.0 of its Artificial Intelligence Risk Management Framework. The framework is available at https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf, and a full set of supporting documents is available at https://www.nist.gov/itl/ai-risk-management-framework.

There is an emerging consensus that AI systems present a significantly different risk profile than conventional information technology systems. While there is currently no legal requirement to use a risk management framework when developing AI systems, there are a growing number of proposals that would require the use of a risk management framework or offer a safe harbor from certain types of liability if one is used.

The framework identifies six factors for mitigating risk and evaluating the trustworthiness of an artificial intelligence (AI) system.

Posted in Artificial Intelligence

AI: What You Need to Know

Andy Baer is joined by three of his Cozen O’Connor colleagues for a panel discussion exploring the evolving law of artificial intelligence in the U.S. and Europe, including legal risks associated with ChatGPT and other AI tools, the current state of regulation, and how providers and users of AI tools can manage risk going forward.

Posted in Cyber Law Monitor Podcast

You’ve Been Breached – Who Do You Call?

Host Andrew Baer is joined by Matthew Klahre from Cozen O’Connor’s Technology, Privacy, & Data Security practice group for a discussion, with practical tips, on how to manage internal and external communications following a data breach.

Posted in Cyber Law Monitor Podcast

Update on EU-US Personal Data Transfers

Andy Baer is joined by Christopher Dodson of Cozen O’Connor to discuss EU-US personal data transfers after Schrems II, including the latest on the EU-US Data Privacy Framework.

Posted in Cyber Law Monitor Podcast

Incoming State Privacy Laws in 2023

Introducing the Cyber Law Monitor Podcast, a podcast from Cozen O’Connor’s Technology, Privacy & Data Security practice group with discussions and perspectives on emerging trends, developments and best practices. In the inaugural episode, host Andrew Baer is joined by his Cozen O’Connor colleague, Benjamin Mishkin, for a discussion about the new state privacy laws in the United States, which will go into effect in 2023.

Posted in Cyber Law Monitor Podcast

Federal Privacy Law Passage in Doubt?

A few months ago it seemed like the American Data Privacy and Protection Act (ADPPA) was gaining momentum in Congress and represented the best hope in years for passage of a federal data privacy law that would preempt the five overlapping (but not totally consistent) state comprehensive privacy laws and offer businesses a uniform national framework. However, California Attorney General Rob Bonta and nine other state attorneys general are now opposing the ADPPA in its current form, arguing that there should be no preemption and that any federal privacy law should establish a “floor not a ceiling.” For many businesses this would be the worst possible outcome: an additional compliance regime overlaid on the existing ones, plus a private right of action substantially broader than California’s. Please check out the following article published by Meghan Stoppel of Cozen O’Connor’s State Attorneys General group, which examines the state AGs’ position and evaluates the ADPPA’s chances of passage.

Posted in Uncategorized

The New Standard Contractual Clauses Deadline is Approaching

On June 4, 2021, the European Commission introduced the new set of Standard Contractual Clauses (“SCCs”), a primary mechanism for lawfully transferring personal data from Europe to the United States under the European Union’s General Data Protection Regulation. These new SCCs replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46. For those entities that entered into a transfer agreement based on the previous SCCs before September 27, 2021, a transition period has been granted until December 27, 2022 to switch to the new SCCs, provided that the processing operations that are the subject matter of the contract remain unchanged. Thus, all new and existing contracts must be transitioned to the new SCCs by December 27, 2022. Below is an overview of key updates in the new SCCs, and recommendations for ensuring compliance prior to the December 27, 2022 deadline.

Important Updates in the New SCCs

Modular Approach

The new SCCs are divided into four modules to address four different cross-border transfer scenarios: (i) Module One: controller to controller; (ii) Module Two: controller to processor; (iii) Module Three: processor to processor; and (iv) Module Four: processor to controller. This is different from the previous SCCs, which only contemplated cross-border transfer scenarios involving two controllers, and a controller to a processor. Under the new SCCs, the parties can tailor the clauses for their specific transfer scenario, reflecting the complexity of modern processing chains.

Transfer Impact Assessment

The new SCCs impose an obligation on the parties in all modules to conduct and record a transfer impact assessment. At the time of entering into the new SCCs, the parties must warrant that they have no reason to believe that the laws and practices applicable to the data importer are not in line with the requirements under the new SCCs. In conducting the transfer impact assessment, the parties must also account for the circumstances of the intended transfer, define the parameters of the transfer (e.g., the length of the processing chain), define the safeguards that are implemented, and assess the risk posed by the laws and practices of the third country of destination.

Docking Clause

While the previous SCCs did not permit additional parties to join directly, the new SCCs contain a clause that allows additional data exporters or importers to accede to the new SCCs throughout the lifecycle of the contract. The acceding party has the rights and obligations arising under the new SCCs from the point at which it enters into them.

Recommendations

In addition to using the new SCCs in any future contracts that involve data transfers from the European Union, entities should develop strategies to prioritize and update existing contracts that involve personal data transfers from Europe to the U.S. Entities also need to determine whether the new SCCs are needed for cross-border transfer scenarios involving a processor to a controller or a processor to a processor, as the previous SCCs were not required for these scenarios. It is critical that entities identify all existing contracts that will need to be amended to include the new SCCs before the deadline of December 27, 2022.

Posted in GDPR, Regulations, Standards

AI and Cybersecurity Issues Look Set to Dominate the Privacy Landscape in 2022

Meghan Stoppel, who spent over a decade serving as an Assistant Attorney General, and later a Consumer Protection Chief, to both Democratic and Republican state attorneys general, talks to Andy Baer, Chair of Cozen O’Connor’s Technology, Privacy and Data Security practice, about how state AGs are weighing in on both policy and enforcement with respect to privacy.

Andy: Meghan, the state privacy legislation landscape is evolving rapidly, as you discussed in your recent article in WestLaw. What other “hot” topics in privacy drew the state AGs’ attention in 2021? How might that affect their priorities in 2022? Are there any takeaways for the business community?

Meghan: No doubt, 2021 was a revealing year. We saw state AGs publicly express concern, in multiple forums, about algorithms and the potential for bias-based discrimination in automated decision-making. A number of AGs called for both cooperation and increased transparency from the business community, while the D.C. Attorney General introduced his own legislation in late 2021 to ban “algorithmic discrimination.” And although the AGs did not announce any formal enforcement actions in this area in 2021, I would not be surprised if investigations are already underway. Businesses that rely on algorithms to make automated decisions should be aware of increased AG attention in this area, especially with respect to essential products and services such as housing and financial products (e.g. credit).

Posted in Legislation, Policies and Procedures, Regulations
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.