A monthly roundup of federal data privacy and security policy and regulatory news
Welcome back to Holland & Knight's monthly data privacy and security news update that includes the latest in policy, regulatory updates and other significant developments. If you see anything in this report that you would like additional information on, please reach out to authors or members of Holland & Knight's Data Strategy, Security & Privacy Team.
EXECUTIVE AND DEPARTMENTAL UPDATES
White House Issues EO on AI
President Joe Biden on Oct. 30, 2023, issued a wide-ranging Executive Order (EO) governing federal agencies and their use of artificial intelligence (AI), and Holland & Knight published a summary of the EO. According to the White House, the EO establishes new standards for AI safety and security, protects Americans' privacy, seeks to advance equity and civil rights, promotes innovation and competition, advances American leadership around the world, amongst other goals. In the EO, President Biden also called on Congress to pass various bipartisan proposals that protect Americans', particularly children, data privacy. Here is a high-level summary of the EO regarding privacy and data security:
- In accordance with the Defense Production Act, the EO requires that developers of powerful AI systems share their safety testing results and other critical information with the government.
- The National Institute of Standards and Technology (NIST) will set standards for extensive redteam testing to ensure safety in the development stage while the government establishes standards, tools and tests to ensure AI systems are safe, secure and trustworthy.
- The EO directs federal agencies that fund life-science projects to establish standards that protect against the risks of using AI as a condition of federal funding.
- The U.S. Department of Commerce will develop guidance for content authentication and watermarking to clearly label AI-generated content.
- The EO directs federal support for accelerating the development and use of privacy-preserving techniques, including ones that use cutting-edge AI and let AI systems be trained while preserving the privacy of the training data.
- The EO directs agencies to evaluate how they collect and use commercially available information – including information they procure from data brokers – and strengthen privacy guidance for federal agencies to account for AI risks.
The Biden Administration has already taken action on several items related to the EO. For example, NIST has issued a call for Letters of Interest from private and public sector stakeholders to be part of an Artificial Intelligence Safety Consortium. The Consortium aims to create a lasting joint research and development effort, which will inform NIST's AI standards. Consortium members will be expected to contribute technical expertise in one or more areas, including but not limited to AI safety, red teaming, explainability and workforce skills. Interested parties must submit a Letter of Interest to NIST by Dec. 2, 2023.
In addition, on Nov. 2, 2023, the U.S. Department of Defense (DoD) released its strategy to accelerate the adoption of advanced AI capabilities "to ensure U.S. warfighters maintain decision superiority on the battlefield for years to come." This strategy is a must-read for private sector companies engaging with the DoD on AI or AI-enabled procurement.
Lastly, the Office of Management and Budget (OMB) released implementation guidance on the EO on Nov. 1, 2023. This guidance includes a proposed memorandum for the heads of executive departments and agencies on advancing governance, innovation and risk management for agency use of AI. Public comment on the proposed guidance is due on Dec. 5, 2023.
CFPB Issues Proposed Personal Finance Data Rule
The Consumer Financial Protection Bureau (CFPB) on Oct. 18, 2023, released a notice of proposed rulemaking (NPRM) restricting how financial institutions handle consumer data. The "Personal Finance Data Rule" would give consumers the right to control their data, including allowing consumers to more easily switch providers and more conveniently manage accounts from multiple providers. CFPB anticipates that the rule will accelerate a shift toward open banking, where consumers would have control over data about their financial lives and would gain new protections against companies misusing their data. Comments on the proposed rule are due by Dec. 29, 2023.
The proposed rule is the first proposal to implement Section 1033 of the Consumer Financial Protection Act, which charged the CFPB with implementing personal financial data sharing standards and protections. CFPB has indicated that more rulemakings to cover additional products and services are forthcoming, in line with an outline the agency released in September 2023 of proposals and alternatives under consideration to guide the Bureau's process to regulate data brokers and consumer data collection more broadly. CFPB first announced in August 2023 its intent to propose a rule that would apply the 1970 Fair Credit Reporting Act (FCRA) to companies that track, harvest and sell individuals' data. The FCRA places specific legal obligations on consumer reporting agencies and gives consumers a number of rights over the information in their credit reporting files. The rule would clarify how sensitive information is purchased by data brokers and would also ban covered companies from selling consumer data for purposes of targeted advertising and training artificial intelligence (AI) models.
FTC Finalizes Amendment to Safeguards Rule
The Federal Trade Commission (FTC) on Oct. 27, 2023, finalized an amendment to the Safeguards rule that would require non-banking institutions to report data breaches and other security-related events to the agency by a 3-0 Commission vote. The Safeguards Rule requires non-banking financial institutions to develop, implement and maintain a comprehensive security program to keep their customers' information safe. The FTC first proposed the reporting requirement as an amendment to the Safeguards Rule in 2021. The amendment requires financial institutions to notify the FTC as soon as possible and no later than 30 days after discovery of a security breach involving the information of at least 500 consumers. The requirement will become effective 180 days after publication of the rule in the Federal Register. For more information, see Holland & Knight's previous alert, "A New General Notice Requirement for Financial Institutions," Nov. 1, 2023.
United States-United Kingdom Data Bridge Goes Into Effect
United States-United Kingdom Data Bridge went into effect on Oct. 12, 2023, following the U.K. publishing its Data Protection (Adequacy) (United States of America) Regulations 2023. As reported in the Data Privacy and Security Report: June 2023, President Joe Biden signed an Executive Order in October 2022 to implement the EU-U.S. Data Privacy Framework after he and European Commission President Ursula Gertrud von der Leyer first announced the deal in March 2022. The U.S. implemented further safeguards for intelligence activities, mandated requirements for personal information, required the U.S. Intelligence Community to update their policies and procedures to reflect the new privacy and civil liberties safeguards, created a multilayer mechanism for individuals from qualifying states and regional economic integration organizations to obtain independent and binding review and redress, and worked with other federal agencies, including the Privacy and Civil Liberties Oversight Board (PCLOB), to review various policies and procedures. After resolving the remaining issues regarding the U.S. Department of Justice's (DOJ) establishment of a Data Protection Review Court, the European Parliament adopted a resolution implementing the Framework.
The U.S.-U.K. Data Bridge is an extension of the EU-U.S. Data Privacy Framework. The U.K.'s regulations declare that the U.S. provides an adequate level of personal data protection for certain transfers. Specifically, when personal data is transferred to entities in the U.S. that are part of the U.K. extension to the EU-U.S. Data Privacy Framework and follow its principles, additional approval is not needed. The FTC and the U.S. Department of Transportation (DOT) have been assigned as the independent supervisory authorities for the U.K. Extension to the EU-U.S. Data Privacy Framework.
New Speaker of the House Elected: Rep. Mike Johnson
Republicans on Oct. 25, 2023, unanimously elected Rep. Mike Johnson (R-La.) as Speaker of the U.S. House of Representatives after several weeks of paralysis following the ousting of former Speaker Kevin McCarthy (R-Calif.). During that time, Majority Leader Steve Scalise (R-La.), Majority Whip Tom Emmer (R-Minn.) and Judiciary Chair Jim Jordan (R-Ohio) failed to clinch the gavel. Mike Johnson was first elected to serve in the House in 2016 and served as vice chair of the House Republican Conference before his election as speaker. For more about the new speaker, see Holland and Knight's previous alert, "A New House Speaker: Who Is Michael Johnson?," Oct. 26, 2023.
Fourth Quarter Outlook
After electing a new speaker, the House is back to regular order with just under two weeks until government funding expires on Nov. 17, 2023. Congress averted a government shutdown in September 2023 by signing into law a continuing resolution (CR) to keep the government open for 45 days. The government again runs the risk of a shutdown unless an appropriations package or additional CR is signed into law.
Each chamber has advanced respective appropriations bills, but neither chamber has completed all 12 appropriations bills. The House has passed eight of the 12 appropriations bills and is expected to vote on another two – the Transportation-HUD and Financial Services-General Government spending bills – this week. Just before he was elected speaker, Rep. Mike Johnson (R-La.) circulated a Dear Colleague letter that outlines an aggressive agenda for the coming months, including passing appropriations bills and a potential supplemental appropriations bill providing national security aid for Israel, Ukraine, Taiwan and the U.S. border. For more on foreign assistance, see Holland & Knight Defense Situation Report: October 2023. Meanwhile, on Nov. 3, 2023, the U.S. Senate passed a three-bill spending "minibus" (H.R. 4366), which is a combination of the Senate's fiscal year (FY) 2024 Military Construction-VA, Agriculture and Transportation-HUD appropriations bills. The Senate may consider the nine remaining bills in minibuses in the coming weeks.
Despite this progress, passing the remaining bills and reconciling the differences in each chamber's bills will likely take significant time and effort, especially considering the large gap between the House and Senate's proposed spending levels. Speaker Johnson has floated another CR until mid-January as Congress barrels towards Nov. 17. Beyond spending, the remainder of the year will also revolve around consideration of the National Defense Authorization Act (NDAA), Federal Aviation Administration (FAA) reauthorization and potentially a Farm Bill reauthorization.
House Hearing on AI: Push for National Data Privacy Standard
The House Committee on Energy and Commerce's Subcommittee on Innovation, Data, and Commerce held a hearing on Oct. 18, 2023, "Safeguarding Data and Innovation: Setting the Foundation for the Use of AI." This was the first in a series of committee hearings that will explore the role of artificial intelligence (AI) across every sector of the economy, including healthcare, telecommunications, emerging technologies and energy. Members such as Chair Cathy McMorris Rodgers (R-Wash.) used the hearing as an opportunity to advocate for a national privacy standard. Rodgers and Subcommittee Chair Gus Bilirakis (R-Fla.) released the following joint statement: "Data is the engine that powers artificial intelligence. We know that AI depends on collecting and inputting vast amounts of information, including personal information on Americans. The best way to ensure these systems are using data responsibly is with one national privacy standard. This will establish a foundation of data privacy and security safeguards and give people control over their information – how it is collected, used, and stored." A considerable uptick in AI-related hearings is expected in the House and Senate over the next year. Following the announcement of the AI Executive Order, Chair McMorris Rodgers stated, "I agree with President Biden that the best way to do this is by enacting a comprehensive data privacy and security law, which should be the first step towards cementing America's leadership in AI."
More AI Legislation Introduced in Both Chambers
Sens. Chris Coons (D-Del.), Thom Tillis (R-N.C.), Marsha Blackburn (R-Tenn.) and Amy Klobuchar (DMinn.) released a discussion draft bill that would protect the voice and visual likeness of all individuals from unauthorized recreations from generative artificial intelligence (AI). The bill would address the nonconsensual digital replications of audiovisual works or sound recordings by holding individuals or companies liable for producing an unauthorized digital replica or by knowingly using a unauthorized digital replica.
Additionally, Reps. Brittany Pettersen (D-Colo.) and Mike Flood (R-Neb.) introduced bipartisan legislation aiming to address the growing threat of AI scams in the financial services sector. The bill would create a task force to examine the technology's potential benefits for and uses in financial institutions, as well as the risks it poses to consumers. The task force would consult with industry stakeholders and receive public comments in crafting the report.
Parents Take to the Hill to Advocate for KOSA
A group of parent advocates met with Senate leaders, such as Senate Majority Leader Chuck Schumer (D-N.Y.), Minority Leader Mitch McConnell (R-Ky.), Commerce Chair Maria Cantwell (D-Wash.) and Commerce Ranking Member Ted Cruz (R-Texas), to encourage them to bring the Kids Online Safety Act (KOSA) to the floor for a vote. KOSA would impose a duty of care for digital services to prevent harming younger users. The advocates also delivered a letter spelling out the reasons KOSA is urgently needed. The Senate Committee on Commerce favorably reported the bill in July 2023 during a markup. However, it made it out of committee last year before ultimately failing to secure floor time for a vote. The group also met with House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-Wash.) and Ranking Member Frank Pallone (D-N.J.). Last year, Rodgers favored taking up comprehensive privacy legislation rather than child-specific protections like KOSA.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.