On May 22 the Federal Trade Commission (“FTC”) announced a $6 million settlement with Edmodo, an ed tech provider, for violations of the COPPA Rule and Section 5 of the FTC Act.  The FTC described this settlement as the first FTC order that will prohibit an ed tech provider from requiring students to provide more personal data than necessary to participate in online activities.  The settlement is consistent with the FTC’s policy statement on ed tech issued last May (see our summary of the policy statement here).

The complaint alleges that Edmodo violated COPPA by failing to provide notice and obtain verifiable parental consent before collecting personal information from children under the age of 13.  Specifically, the complaint alleges that Edmodo’s reliance on schools and teachers to provide verifiable parental consent as agents of parents was not permissible because (1) Edmodo did not provide the required direct notice of its practices as to the collection, use, or disclosure of personal information from children and (2) Edmodo’s used student’s personal information for contextual advertising which exceeds the limited educational context for which school and teachers may provide consent.  The complaint also alleges that Edmodo failed to inform teachers and sole of its reliance on them as intermediaries to provide notice and obtain authorization from parents and failed to make reasonable efforts to ensure parents received notice and provided authorization.

In addition to violating COPPA’s notice and consent provisions, the complaint alleges Edmodo collected more personal information from children than necessary to participate in educational activities and retained children’s personal information longer than reasonably necessary.

Beyond COPPA, the complaint includes allegations that Edmodo violated Section 5 by telling schools and teachers that they were “solely” responsible for COPPA compliance while providing allegedly “confusing and inaccurate information” about obtaining consent under COPPA, thus unfairly burdening teachers and schools with Edmodo’s own COPPA compliance responsibilities.  According to the FTC’s press release, this is the first time the FTC has used Section 5 to allege an unfair trade practice in the context of an ed tech operator’s interaction with schools.

The proposed order includes the following relief:

  • Edmodo is prohibited from (1) relying on schools to act as intermediaries to obtain verifiable parental consent on behalf of Edmodo, or (2) relying on school authorization for collecting personal information from children unless Edmodo enters into a written agreement with the school that includes the following: limits use of personal information to educational purposes only, describes all personal information collected from students and how it will be used and disclosed, provides the school a link to the online notice and recommends the school make it available on the school’s website, requires a school representative to acknowledge and agree that they have the authority to provide consent, and states that any personal information collected by Edmodo is under the direct control of the school with regard to use and maintenance.
  • Edmodo may not collect more personal information than reasonably necessary for the child to participate in the online service.
  • Edmodo must destroy all personal information collected prior to the entry of the order for which Edmodo does not receive verifiable parental consent or school authorization within 60 days.
  • Edmodo must maintain and adhere to a data retention schedule with a maximum retention period of one year.
  • Edmodo must destroy any models or algorithms developed in whole or in part using personal information collected from children without verifiable parental consent.

The order also defines an “educational purpose” to be “any use related to a child’s education including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents.”  Notably, the definition of an educational purpose does not include “commercial purposes unrelated to the provision of the online service requested by the school such as advertising or building user profiles.”

On May 23, 2023, the White House announced that it took the following steps to further advance responsible Artificial Intelligence (“AI”) practices in the U.S.:

  • the Office of Science and Technology Policy (“OSTP”) released an updated strategic plan that focuses on federal investments in AI research and development (“R&D”);
  • OSTP issued a new request for information (“RFI”) on critical AI issues; and
  • the Department of Education issued a new report on risks and opportunities related to AI in education.

These announcements build on other recent actions by the Administration in connection with AI, such as the announcement earlier this month regarding new National Science Foundation funding for AI research institutions and meetings with AI providers.

This post briefly summarizes the actions taken in the White House’s most recent announcement.

Updated OSTP Strategic Plan

The updated OSTP strategic plan defines major research challenges in AI to coordinate and focus federal R&D investments.  The plan aims to ensure continued U.S. leadership in the development and use of trustworthy AI systems, prepare the current and future U.S. workforce for the integration of AI systems across all sectors, and coordinate ongoing AI activities across agencies.

The plan as updated identifies nine strategies:

Continue Reading White House Announces New Efforts to Advance Responsible AI Practices

On 11 May 2023, members of the European Parliament’s internal market (IMCO) and civil liberties (LIBE) committees agreed their final text on the EU’s proposed AI Act. After MEPs formalize their position through a plenary vote (expected this summer), the AI Act will enter the last stage of the legislative process: “trilogue” negotiations with the European Commission, Parliament and the Council, which adopted its own amendments in late 2022 (see our blog post here for further details). European lawmakers hope to adopt the final AI Act before the end of 2023, ahead of the European Parliament elections in 2024.

In perhaps the most significant change from the Commission and Council draft, under MEPs’ proposals, providers of foundation models – a term defined as an AI model that is “trained on broad data at scale, is designed for generality of output, and can be adapted to a wide range of distinctive tasks” (Article 3(1c)) – would be subject to a series of obligations. For example, providers would be under a duty to “demonstrate through appropriate design, testing and analysis that the identification, the reduction and mitigation of reasonably foreseeable risks to health, safety, fundamental rights, the environment and democracy and the rule of law prior and throughout development” (Article 28b(2)(a)), as well as to draw up “extensive technical documentation and intelligible instructions for use” to help those that build AI systems using the foundation model (Article 28b(2)(e)).

Providers of foundation models would be further required to meet obligations around data governance, including examining the suitability of data sources and possible biases (Article 28b(2)(b)); ensuring “appropriate levels” of performance, predictability, safety and cybersecurity (Article 28b(2)(c)); and conforming to a range of sustainability standards (Article 28b(2)(d)). They would also need to register their foundation model in an EU-wide database prior to making it available or putting it into use in the EU (Article 28b(2)(g)).

The MEP amendments also introduce specific obligations for providers of foundation models used in “generative AI” systems – defined as “AI systems specifically intended to generate with varying levels of autonomy, content such as complex text, images, audio or video” (Article 28b(4)). These include making publicly available “a sufficiently detailed summary of the use of training data protected under copyright law” (Article 28b(4)(c)).

Beyond proposing amendments relating to foundation models, the MEPs also suggested extending the list of AI uses that would be prohibited under the AI Act (Article 5) (as previously discussed in our blog post here). They also proposed amendments to criteria for “high-risk” AI systems – the systems would have to “pose a significant risk of harm to the health, safety, or fundamental rights” of individuals to be categorized in this way (Article 6(2)). Providers would be obliged to notify regulators if they did not think their systems pose a “significant risk”, with the potential for penalties to be issued if systems are put into use but are subsequently found to have been misclassified (Article 6(2a)).

The Covington team continues to monitor developments on the AI Act, and we regularly advise the world’s top technology companies on their most challenging regulatory and compliance issues in the EU and other major markets. If you have questions about the AI Act, or other tech regulatory matters, we are happy to assist with any queries.

May 23, 2023, Covington Alert

The U.S. Department of the Treasury (“Treasury”), in its capacity as chair of the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”), recently posted two new frequently asked questions (“FAQs”) to CFIUS’s website that have important implications for parties planning transactions subject to the Committee’s jurisdiction.

First, CFIUS confirmed its recent practice of requiring detailed information on all direct or indirect foreign ownership involved in a transaction, including disclosure of all limited partners (or “LPs”) of an investment fund, without regard to any pre-existing agreements between the fund sponsor and investor regarding disclosure.

Second, CFIUS offered guidance regarding the meaning of “completion date” for purposes of when a mandatory filing must be submitted for a multi-stage transaction. The guidance could have broad implications, especially for some venture financing transactions, as it introduces uncertainty regarding the ability of investors to use a staged transaction to acquire an initial, passive equity interest prior to submitting a mandatory CFIUS filing with respect to a subsequent acquisition of control or certain non-passive rights. The new guidance seems at odds with language that appears in the preamble to the regulations implementing the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”), and the practice of transaction parties for the last several years. CFIUS did not provide any explanation for this change, which raises questions as to why the Committee has issued the guidance now.

Each of these developments is discussed in more detail below.

1. CFIUS may require detailed information regarding all foreign persons involved directly or indirectly in a transaction, including limited partners in an investment fund.

Treasury published the following FAQ on May 11:

Does CFIUS require information on all foreign persons, such as limited partners in an investment fund, that would hold an interest in a U.S. business, whether directly or indirectly, as part of the transaction?

Continue Reading CFIUS Issues Guidance On Disclosure of Information About Limited Partner Investors and Application of Mandatory Filing Rules to Multi-stage Transactions

May 18, 2023, Covington Alert

Today, the Supreme Court issued its opinion in Gonzalez v. Google LLC, a case about whether Section 230 of the Communications Decency Act (47 U.S.C. § 230) protected YouTube’s recommendation algorithms from a claim of secondary liability under the Anti-Terrorism Act (ATA). In a short, three-page per curiam opinion, the Court avoided addressing the Section 230 issue entirely. Instead, the Court held that much of the plaintiffs’ ATA complaint would fail to state a claim for relief under the Court’s separate decision in Twitter v. Taamneh (also handed down today), given that plaintiffs’ counsel in Gonzalez conceded that the allegations in the Gonzalez complaint were materially identical to the Twitter complaint. The Court also relied on the fact that plaintiffs did not seek review of a separate part of the Ninth Circuit’s opinion that addressed ATA claims related to revenue-sharing. Because the Court found that the underlying ATA claim would likely fail on the merits, it found it unnecessary to reach the interpretation of Section 230 immunity. This result was foreshadowed at the oral argument, where the Justices appeared to be concerned with line-drawing and potential unintended consequences of applying Section 230 to the algorithms at issue. The Court found a way out of deciding the Section 230 question in Gonzalez, but it remains to be seen whether the Court will look for a different vehicle to address the scope of Section 230 immunity in the future.

If you have any questions concerning the material discussed in this client alert, please contact the members of our Technology and Communications Regulation and Appellate and Supreme Court practices.

This week’s report by the World Meteorological Organisation makes for alarming reading.  The report warns there is a 66% likelihood of exceeding the 1.5°C threshold in at least one year between 2023 and 2027 and notes that such a rapid change in global temperatures will take the world into ‘uncharted territory’, with an anticipated El Nino weather system likely to push already high temperatures even higher this year.  Since we have already seen the impact of a 1.1°C rise, the conclusions of the WMO report are deeply uncomfortable.

This blog looks at some of the data which give context to the Report’s conclusions.

Gas

Russia is the world’s largest natural gas exporter; the second-largest exporter of crude oil; and the third-largest producer of crude oil.  The Russian invasion of Ukraine spooked global gas markets and pushed prices to record highs – the TTF European gas price peaked at a record €343/MWh in August (equivalent in oil terms to more than $500 a barrel).  But as world gas markets have adjusted, the price has fallen – €75 per megawatt hour at the end of December and under €50/MWh by the end of April 2023.

Like global markets, the EU has demonstrated remarkable agility in its response to Russia’s invasion. In 2020, Russia supplied nearly 43% of all EU energy imports. The EU set itself the target of reducing Russian gas imports to 55 bcm/year by March 2023 (down from 158 bcm in 2021).   At the time, this seemed ambitious, but in the event, the EU easily exceeded that target and, by October 2022, the EU’s Russian gas imports had fallen to 38 bcm (12 % of the EU’s energy consumption).

Last spring, the EU required that Member States’ winter storage be 90% full by the end of autumn.  Again, at the time, that seemed a tough ask in the face of global constraints on alternative supplies. But in any event, the EU easily exceed the target, reaching 96% by the beginning of November 2022.

A combination of factors means the outlook for the EU is more positive than expected:

  • A mild winter meant the EU emerged with record high gas inventories (EU storage was 56% full);
  • The success of demand-side efficiencies (the Commission set a cross-EU efficiency target of 15% reduction in demand: the EU reduced demand by an average 19%);
  • Global gas markets have been nimble in responding to EU demand for non-Russian gas.  New and alternative supplies flowed in from Norway, Qatar, the US and (importantly) Algeria through existing, but under-used pipelines and new LNG capacity;
  • The EU has built new LNG infrastructure at record speed – with Germany opening its first LNG jetty in November 2022.
Continue Reading The Climate Crisis

This is the twenty-fourth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through March 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during April 2023. 

CISA Requests Comment on Secure Software Self-Attestation Common Form

On April 27, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released a 60-day Request for Comment on a draft secure software self-attestation common form.  Comments will be accepted through June 26, 2023 and may be submitted through Regulations.gov.  The draft common form, developed in close consultation with the U.S. Office of Management and Budget (“OMB”), is a key step in implementation of OMB Memorandum M-22-18, which was issued pursuant to Section 4 of the Cyber EO and directs agencies to only use software that complies with Government-specified secure software development practices (the “OMB Memorandum”).  Specifically, and among other requirements, the OMB Memorandum directs that software providers self-attest that the software developer follows the secure development processes described by NIST Secure Software Development Framework (SP 800-218) and the NIST Software Supply Chain Security Guidance.  The key provisions of the OMB Memorandum are discussed in more detail in our prior blog

Scope.  The OMB Memorandum applies to all software (other than agency-developed software) developed or experiencing major version changes to be operated “on the agency’s information systems or otherwise affecting the agency’s information.”  CISA’s draft common form further specifies that the “following software requires self-attestation:

  1. Software developed after September 14, 2022;
  2. Existing software that is modified by major version changes […] after September 14, 2022; and
  3. Software to which the producer delivers continuous changes to the software code (such as software-as-a-service products or other products using continuous delivery/continuous deployment).”
Continue Reading April 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

On May 16, 2023, FDA released a draft compliance policy guide (“draft CPG”) for major food allergen labeling and cross-contact, which updates the 2005 CPG Sec 555.250 Statement of Policy for Labeling and Preventing Cross-contact of Common Food Allergens. CPGs are intended to advise FDA staff, including investigators, of the agency’s strategy for assessing and enforcing industry compliance. The draft CPG contains FDA’s current policies on major food allergen labeling requirements, allergen cross-contact, voluntary allergen information (e.g., advisory label statements), thresholds, and regulatory actions. The draft CPG is more comprehensive than the 2005 CPG and is intended to create a uniform standard and minimize the possibility that individual FDA staff will follow differing regulatory approaches.    

The draft CPG details the allergen labeling requirements of the Federal Food, Drug, and Cosmetic Act. We do not discuss those requirements here, but instead focus on the policies the draft CPG discusses that are not addressed, in detail, in other FDA allergen documents, such as the recent draft guidance, Questions and Answers Regarding Food Allergens, Including the Food Allergen Labeling Requirements of the Federal Food, Drug, and Cosmetic Act.

I. Allergen Cross-Contact

Allergen cross-contact is the unintentional incorporation of a food allergen into a food that does not contain that allergen as an ingredient. The draft CPG notes that the likelihood an allergen will be present due to cross-contact can be impacted by factors such as the characteristics of the food, the distribution of the allergen within a food (homogeneous versus particulate), the type of manufacturing process, the equipment used, and the cleaning procedures applied (e.g., dry cleaning versus wet cleaning). While FDA acknowledges these factors, the agency states that cross-contact may occur due to practices such as the failure to clean shared equipment adequately or segregate allergens properly, improper rework addition, or improper production scheduling. The draft CPG does not explicitly acknowledge that even with adequate CGMPs, sanitation, and preventive controls, cross-contact can still occur.

The draft CPG also confirms FDA’s position that “[m]ajor food allergens unintentionally incorporated into a food are not to be declared in the ingredient list or the ‘Contains’ statement.”

Continue Reading FDA Issues Draft Compliance Policy Guide for Major Food Allergen Labeling and Cross-Contact

Congressional scrutiny of the U.S. relationship with China marched forward this week as Representatives Rosa DeLauro (D-CT), Bill Pascrell (D-NJ), and Brian Fitzpatrick (R-PA) reintroduced a new and expanded version of the National Critical Capabilities Defense Act (NCCDA)—legislation to create a national security review process for “outbound” transactions by U.S. companies investing overseas.

The bill adds both breadth and specificity to legislation introduced last June.  While our colleagues have detailed the major provisions of the previous version, the new NCCDA differs in several important respects.

First, the bill expands the list of U.S. industries deemed “critical sectors” subject to the notification and review process to include “active pharmaceutical ingredients” and “automobile manufacturing,” and gives the executive branch authority to expand the list further.  The new bill, however, does not add any additional definitions for these terms, nor does it further define the critical sectors that appeared in the 2022 version, including semiconductor manufacturing and advanced packaging, large capacity batteries, critical minerals and materials, artificial intelligence, and quantum information science and technology.

Second, the bill creates a judicial review procedure for actions taken by the executive branch under the NCCDA, allowing aggrieved parties to bring suit directly in the U.S. Court of Appeals for the District of Columbia Circuit.

Finally, the legislation would increase the President’s role over outbound investment reviews by making the White House itself the lead on the new outbound investment review committee—the Committee for National Critical Capabilities.  Previous versions had placed the U.S. Trade Representative in the lead role.

Last year’s NCCDA drew broad stakeholder opposition and did not progress.  The fate of this year’s version is uncertain, but it is clear that the bill is part of a larger story on how the Congress and the Administration are grappling with economic and national security concerns related to China.  We expect a plethora of additional related bills and administration actions, including the anticipated Biden Administration executive order on outbound investment reviews and Senate Majority Leader Chuck Schumer’s (D-NY) announcement that comprehensive, bipartisan legislation addressing the U.S. relationship with China is forthcoming this year. 

Various national competition authorities (“NCAs”) are continuing to consider sustainability arguments in competition cases. However, NCAs are increasingly diverging in their approach as to whether, and to what extent, they are willing to allow sustainability considerations in the competition law framework. This blogpost highlights a few recent developments in jurisdictions on both sides of the Atlantic.

Belgian approval of an initiative in the banana sector

On 30 March 2023, the Belgian Competition Authority (“BCA”) approved a sustainability initiative concerning living wages in the banana industry. This marks the first initiative based on sustainability grounds  approved by the Belgian NCA.

The IDH Sustainable Trade Initiative, a social enterprise working with various entities towards facilitating sustainable trade in global supply chains, and five Belgian supermarkets proposed a collaboration scheme aimed at closing the gap between actual wages and living wages in the banana sector. The collaboration will consist of meetings and discussions where the companies’ internal conduct will be assessed and further developed with the aim to better support living wages for workers in the participants’ banana supply chains.

The collaboration will involve the exchange of certain data and information which the BCA did not consider anticompetitive. The participants have committed to not set mandatory or recommended minimum prices and to not communicate any changes in costs relating to their supply chains. IDH will supervise the collaboration and any data shared will be verified by an independent third party.

Similar initiatives concerning the banana sector  have been proposed in Germanythe Netherlands and the UK. The German NCA has already approved the proposed initiative. Neither the Belgian nor the German NCA considered the initiatives in question to infringe competition law. There is, however, a fine line between such agreements falling in or outside the scope of competition law, and potentially amounting to an infringement. For example, clauses which lead to non-negligible price increases for end-consumers could raise questions and potentially be considered to have anticompetitive effect. It can therefore be expected that that NCAs will periodically monitor the implementation of such initiatives.

Continue Reading Sustainability Agreements: Potential Divergence between Authorities