Privacy

Updated August 8, 2023.  Originally posted May 1, 2023.

Last week, comment deadlines were announced for a Federal Communications Commission (“FCC”) Order and Notice of Proposed Rulemaking (“NPRM”) that could have significant compliance implications for all holders of international Section 214 authority (i.e., authorization to provide telecommunications services from points in the U.S. to points abroad).  The rule changes on which the FCC seeks comment are far-reaching and, if adopted as written, could result in significant future compliance burdens, both for entities holding international Section 214 authority, as well as the parties holding ownership interests in these entities.  Comments on these rule changes are due Thursday, August 31, with reply comments due October 2.

Adopted in April, the FCC’s item proposing the new rules also includes an Order requiring all holders of international Section 214 authority to respond to a one-time information request concerning their foreign ownership. Although last week’s Federal Register publication sets a comment deadline for the proposed rules, the reporting deadline for the one-time information request has not yet been established.  However, because the FCC has fulfilled its statutory obligations regarding the new information collection presented by the one-time reporting requirement, carriers — as well as entities holding an ownership interest in these carriers — should prepare for the announcement of the reporting deadline.

The FCC’s latest actions underscore the agency’s ongoing desire to closely scrutinize foreign ownership and involvement in telecommunications carriers serving the U.S. market, as well as to play a more active role in cybersecurity policy. These developments should be of interest to any carrier that serves the U.S. market and any financial or strategic investor focused on the telecommunications space, as well as other parties interested in national security developments affecting telecommunications infrastructure.

Proposed Rule Changes for International Section 214 Authority

The FCC’s proposed changes to its regulation of international Section 214 authorizations generally concern additional compliance, disclosure, and reporting requirements. The FCC’s proposed rule changes are far-reaching, but the most notable of the proposals concern the following:

Continue Reading Comments Due August 31 on FCC’s Proposal to Step Up Review of Foreign Ownership in Telecom Carriers and Establish Cybersecurity Requirements

On July 18, 2023, Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel announced that she has circulated a proposal to the FCC’s commissioners to create “a voluntary cybersecurity labeling program that would provide consumers with clear information about the security of their Internet-enabled devices.”

According to the text of her announcement (the proposal itself is not

This quarterly update summarizes key legislative and regulatory developments in the second quarter of 2023 related to key technologies and related topics, including Artificial Intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), data privacy and cybersecurity, and online teen safety.

Artificial Intelligence

AI continued to be an area of significant interest of both lawmakers and regulators throughout the second quarter of 2023.  Members of Congress continue to grapple with ways to address risks posed by AI and have held hearings, made public statements, and introduced legislation to regulate AI.  Notably, Senator Chuck Schumer (D-NY) revealed his “SAFE Innovation framework” for AI legislation.  The framework reflects five principles for AI – security, accountability, foundations, explainability, and innovation – and is summarized here.  There were also a number of AI legislative proposals introduced this quarter.  Some proposals, like the National AI Commission Act (H.R. 4223) and Digital Platform Commission Act (S. 1671), propose the creation of an agency or commission to review and regulate AI tools and systems.  Other proposals focus on mandating disclosures of AI systems.  For example, the AI Disclosure Act of 2023 (H.R. 3831) would require generative AI systems to include a specific disclaimer on any outputs generated, and the REAL Political Advertisements Act (S. 1596) would require political advertisements to include a statement within the contents of the advertisement if generative AI was used to generate any image or video footage.  Additionally, Congress convened hearings to explore AI regulation this quarter, including a Senate Judiciary Committee Hearing in May titled “Oversight of A.I.: Rules for Artificial Intelligence.”

There also were several federal Executive Branch and regulatory developments focused on AI in the second quarter of 2023, including, for example:

  • White House:  The White House issued a number of updates on AI this quarter, including the Office of Science and Technology Policy’s strategic plan focused on federal AI research and development, discussed in greater detail here.  The White House also requested comments on the use of automated tools in the workplace, including a request for feedback on tools to surveil, monitor, evaluate, and manage workers, described here.
  • CFPB:  The Consumer Financial Protection Bureau (“CFPB”) issued a spotlight on the adoption and use of chatbots by financial institutions.
  • FTC:  The Federal Trade Commission (“FTC”) continued to issue guidance on AI, such as guidance expressing the FTC’s view that dark patterns extend to AI, that generative AI poses competition concerns, and that tools claiming to spot AI-generated content must make accurate disclosures of their abilities and limitations.
  • HHS Office of National Coordinator for Health IT:  This quarter, the Department of Health and Human Services (“HHS”) released a proposed rule related to certified health IT that enables or interfaces with “predictive decision support interventions” (“DSIs”) that incorporate AI and machine learning technologies.  The proposed rule would require the disclosure of certain information about predictive DSIs to enable users to evaluate DSI quality and whether and how to rely on the DSI recommendations, including a description of the development and validation of the DSI.  Developers of certified health IT would also be required to implement risk management practices for predictive DSIs and make summary information about these practices publicly available.


Continue Reading U.S. Tech Legislative & Regulatory Update – Second Quarter 2023

In the past year, plaintiffs have filed a wave of lawsuits asserting claims under the Video Privacy Protection Act (“VPPA”) in connection with the alleged use of third-party pixels on websites that offer video content.  A recent decision establishes the limits of the VPPA’s reach and provides a well-reasoned ground for future motions to dismiss.

On June 22, 2023, the Oregon state legislature passed the Oregon Consumer Privacy Act, S.B. 619 (the “Act”).  This bill resembles the comprehensive privacy statutes in Colorado, Montana, and Connecticut, though there are some notable distinctions.  If passed, Oregon will be the twelfth state to implement a comprehensive privacy statute, joining California, Virginia, Colorado, Connecticut

Last week, FCC Chairwoman Jessica Rosenworcel announced the creation of a new Privacy and Data Protection Task Force (the “Task Force”) to demonstrate the agency’s commitment to protecting consumer data and ensuring that the telecommunications industry remains secure from threat actors.

The Task Force will be led by Enforcement Bureau Chief Loyaan Egal and include

On May 22 the Federal Trade Commission (“FTC”) announced a $6 million settlement with Edmodo, an ed tech provider, for violations of the COPPA Rule and Section 5 of the FTC Act.  The FTC described this settlement as the first FTC order that will prohibit an ed tech provider from requiring students to provide more

On February 1, the Federal Trade Commission (“FTC”) announced its first-ever enforcement action under its Health Breach Notification Rule (“HBNR”) against digital health platform GoodRx Holdings Inc. (“GoodRx”) for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to third-party advertisers.  According to the proposed order, GoodRx will pay a $1.5 million civil penalty and be prohibited from sharing users’ sensitive health data with third-party advertisers in order to resolve the FTC’s complaint. 

This announcement marks the first instance in which the FTC has sought enforcement under the HBNR, which was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and comes just sixteen months after the FTC published a policy statement expanding its interpretation of who is subject to the HBNR and what triggers the HBNR’s notification requirement.  Below is a discussion of the complaint and proposed order, as well as key takeaways from the case.

The Complaint

As described in the complaint, GoodRx is a digital healthcare platform that advertises, distributes, and sells health-related products and services directly to consumers.  As part of these services, GoodRx collects both personal and health information from its consumers.  According to the complaint, GoodRx “promised its users that it would share their personal information, including their personal health information, with limited third parties and only for limited purposes; that it would restrict third parties’ use of such information; and that it would never share personal health information with advertisers or other third parties.”  The complaint further alleged that GoodRx disclosed its consumers’ personal health information to various third parties, including advertisers, in violation of its own policies.  This personal health information included users’ prescription medications and personal health conditions, personal contact information, and unique advertising and persistent identifiers.

Continue Reading FTC Announces First Enforcement Action Under Health Breach Notification Rule

The Federal Energy Regulatory Commission (“FERC”) issued a final rule (Order No. 887) directing the North American Electric Reliability Corporation (“NERC”) to develop new or modified Reliability Standards that require internal network security monitoring (“INSM”) within Critical Infrastructure Protection (“CIP”) networked environments.  This Order may be of interest to entities that develop, implement, or maintain hardware or software for operational technologies associated with bulk electric systems (“BES”).

The forthcoming standards will only apply to certain high- and medium-impact BES Cyber Systems.  The final rule also requires NERC to conduct a feasibility study for implementing similar standards across all other types of BES Cyber Systems.  NERC must propose the new or modified standards within 15 months of the effective date of the final rule, which is 60 days after the date of publication in the Federal Register.  

Background

According to the FERC news release, the 2020 global supply chain attack involving the SolarWinds Orion software demonstrated how attackers can “bypass all network perimeter-based security controls traditionally used to identify malicious activity and compromise the networks of public and private organizations.”  Thus, FERC determined that current CIP Reliability Standards focus on prevention of unauthorized access at the electronic security perimeter and that CIP-networked environments are thus vulnerable to attacks that bypass perimeter-based security controls.  The new or modified Reliability Standards (“INSM Standards”) are intended to address this gap by requiring responsible entities to employ INSM in certain BES Cyber Systems.  INSM is a subset of network security monitoring that enables continuing visibility over communications between networked devices that are in the so-called “trust zone,” a term which generally describes a discrete and secure computing environment.  For purposes of the rule, the trust zone is any CIP-networked environment.  In addition to continuous visibility, INSM facilitates the detection of malicious and anomalous network activity to identify and prevent attacks in progress.  Examples provided by FERC of tools that may support INSM include anti-malware, intrusion detection systems, intrusion prevention systems, and firewalls.   

Continue Reading FERC Orders Development of New Internal Network Security Monitoring Standards