Regulatory

On 15 January 2025, the European Commission recommended that EU Member States review outbound investment in three critical technologies—semiconductors, AI, and quantum—with the aim of potentially creating an EUwide regime to regulate such investment. EU Member States should report to the Commission on their findings and risk assessment within 18 months. These findings would inform a future policy proposal, so any introduction of outbound investment rules in the EU is likely to be several years away.

How did we get here?

Outbound investment mechanisms aim to regulate domestic companies making outward investments of capital, expertise, and knowledge that could contribute to the ‘leakage’ of critical and sensitive  technologies to third countries. Outbound investments typically take the form of EU firms purchasing equity in non-EU entities (e.g.  through joint ventures, greenfield investments), but can also take place through less structured arrangements such as R&D cooperation or transfer of employees.

The focus on outbound investment screening has its roots in transatlantic cooperation on China policy, and specifically the desire to minimize Western technology leakage to China. In particular, the U.S. Treasury Department issued new regulation prohibiting or otherwise requiring disclosure of outbound investment—in semiconductors, AI, and quantum—in Chinese entities as well as entities in other jurisdictions that hold certain interests in Chinese companies. The regulations entered into force on 2 January 2025.

Within the EU, outbound investment control was put on agenda with the European Economic Security Strategy and a subsequent white paper on outbound investment. Before then, only a few EU countries, such as Austria and Spain would screen outbound investment, and there had been no EU-wide approach on this topic.

What does it mean?

EU Member States are requested to monitor outbound investments in three critical technologies: semiconductors, AI, and quantum. The original white paper proposal also named biotechnologies amongst suggested critical technologies to be covered by the review, but this has been dropped in the new recommendation. The recommended scope of the monitoring exercise is as follows:Continue Reading Toward EU Outbound Investment Regulation

On January 20, 2025, the Trump Administration released a memorandum, “Regulatory Freeze Pending Review,” to halt agency rulemaking processes (the “EO”).

The EO orders all executive departments and agencies to “not propose or issue any rule in any manner, including by sending a rule to the Office of the Federal

Continue Reading Trump Administration Releases “Regulatory Freeze Pending Review” Executive Order

Yesterday, the FAR Council issued a proposed rule that would update the U.S. Government’s approach to organizational conflicts of interest (OCIs).  While the proposed rule is not finalized and may change in response to forthcoming comments from interested parties, the proposed rule contemplates major changes to the FAR’s existing framework in this area.  In this post, we summarize the background leading up to the proposed rule and highlight key areas of proposed change.

Background

The proposed rule is the latest installment in a years-long effort by Congress, GAO, and the FAR Council to update the OCI guidance in the FAR.  Many years ago, in 2011, the FAR Council issued a proposed rule to amend the FAR’s guidance on OCIs with a particular focus on OCIs related to unequal access to nonpublic information.  The 2011 proposed rule was motivated in part by a GAO report recommending that the FAR Council provide additional protections for contractors accessing sensitive information.  

The 2011 proposed rule was never finalized and was ultimately withdrawn in 2021.  Many of the key changes in the most recent proposed rule, however, were foreshadowed by the 2011 proposed rule.  For example, the 2011 proposed rule would have moved OCI guidance to FAR Part 3, allowed agencies to determine that a risk is acceptable in the context of impaired objectivity OCIs (without requiring a formal waiver), and provided standard solicitation provisions and contract clauses.

As previously discussed on this blog, in December 2022 Congress passed the ‘‘Preventing Organizational Conflicts of Interest in Federal Acquisition Act” (the Act), which directed the FAR Council to issue new rules for OCIs.  The Act itself did not establish any new OCI standards but directed the FAR Council to: (1) provide definitions of the different types of OCIs; (2) provide illustrative examples of OCIs, including in situations where contractors’ other clients may have interests that potentially conflict with those of the contracting agency; and (3) provide solicitation provisions and contract clauses, but allow executive agencies to tailor them.  The proposed rule gives effect to each of these three mandates, and makes other significant changes as well.Continue Reading The Proposed FAR Rule on OCIs: Big Changes May Be Coming

Introduction

On December 27, 2024, the U.S. Department of Justice (“DOJ”) issued the Final Rule implementing President Biden’s February 28, 2024 Executive Order on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “EO”). The Final Rule solidifies a new national security regulatory regime focused on protecting bulk U.S. sensitive personal data and government-related data from countries of concern, including the People’s Republic of China (“PRC” or “China”), and represents the latest step in the U.S. government’s whole-of-government effort to “de-risk” with respect to China. The Final Rule marks the first time that U.S. persons will be categorically prohibited from engaging in certain transactions that may result in foreign access to bulk U.S. sensitive personal data and government-related data. It also provides that certain other transactions will be “restricted,” meaning they are prohibited unless the U.S. business first implements a range of security requirements, which in some cases will be onerous or costly. The Final Rule accordingly could have wide-ranging implications for U.S. companies across various industries. The Final Rule takes effect 90 days after publication in the Federal Register, which is set for January 8, 2025, although certain compliance requirements will not take effect until 270 days following publication.

In parallel with the release of the Final Rule, on January 3, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), which is part of the U.S. Department of Homeland Security (“DHS”), released the final security requirements (the “Security Requirements”). The Security Requirements set forth the measures that U.S. persons must satisfy in order to engage in restricted transactions, and are incorporated by reference into the Final Rule.

Importantly, as we discussed in our analysis of the Advance Notice of Proposed Rulemaking (“ANPRM”) and our analysis of the Notice of Proposed Rulemaking (“NPRM”), the Final Rule is a national security regulation designed to address identified risks to U.S. national security—not a privacy regulation designed to protect privacy or other individual interests. Consequently, while the Final Rule regulates transactions involving personal data, many of the concepts and definitions diverge materially from those in existing privacy regimes. The Final Rule stems from the U.S. government’s increasing unwillingness to tolerate foreign adversary access to U.S. personal data. As DOJ explained in the preamble to the Final Rule, “[t]his rule will prevent . . . foreign adversaries from legally obtaining [bulk U.S. sensitive personal data or government-related data] through commercial transactions with U.S. persons, thereby stemming data flows and directly addressing the national security risks identified in the [EO].” DOJ cited examples such as (1) the ability of journalists to track the movements of U.S. President Joe Biden, U.S. Vice President Kamala Harris, and now President-Elect Donald Trump through their bodyguards’ use of a fitness app; and (2) the ability to track U.S. government personnel movement through the purchase of location information and digital advertising data—that demonstrate the U.S. national security risks associated with foreign adversary access to commercially available data. Finally, DOJ made a particular point of explaining that certain data that is anonymized or depersonalized presents U.S. national security risks, especially with respect to the ability of adversaries to use “bulk human genomic data[] to enhance military capabilities that include facilitating the development of bioweapons.”Continue Reading Department of Justice Issues Final Rule to Implement Bulk U.S. Sensitive Personal Data and Government-Related Data Executive Order

On December 24, 2024, New York Governor Kathy Hochul signed into law an amendment to New York General Business Law § 899-aa modifying the state’s data breach notification requirements.  The amended law, which is effective immediately, imposes new requirements businesses must follow when providing notifications following a data breach

Continue Reading New York Adopts Amendment to the State Data Breach Notification Law

On December 12, 2024, the U.S. Department of Transportation’s National Highway Traffic Safety Administration (“NHTSA”) announced the publication of a final rule formalizing its whistleblower program. The Final Rule was officially published in the Federal Register on December 17, fulfilling an obligation established by Congress in 2015 under the Motor Vehicle Safety Whistleblower Act (“MVSWA”). 

The program provides for awards to current and former industry employees and contractors who report “original information” that leads to a successful resolution in which the federal government collects sanctions from automotive companies exceeding $1 million. Whistleblower awards can range from 10% to 30% of the collected sanctions. See 49 U.S.C. § 30172. 

Whistleblower awards are limited to recoveries for certain types of monetary sanctions. Notably, the relevant action must be brought by the “Secretary [of the Department of Transportation], NHTSA, or the U.S. Attorney General” under 49 U.S.C. Chapter 301, the part of the Motor Vehicle Safety Act (“MVSA”) containing defect and noncompliance reporting and recall provisions. 89 Fed. Reg. 101,952, 101,955 (Dec. 17, 2024) (to be codified at 49 C.F.R. § 513). Recoveries for other types of civil or criminal violations are excluded, “even if [they] involve vehicle safety issues and/or are based on facts common to an action taken under 49 U.S.C. Chapter 301.” 89 Fed. Reg. at 101,956. Actions brought by “other agencies” or “by the U.S. Department of Justice under any statute other [than] 49 U.S.C. Chapter 301” are, therefore, not covered. Although Chapter 301’s requirements are substantial, this limitation is likely to have significant implications. Companies that are involved in parallel-track or sequential enforcement actions will not face a potential NHTSA whistleblower award based on other types of alleged violations and enforcement actions. For example, any recoveries by the DOJ based on allegations of conspiracy, fraud, fraudulent statements or related violations, even if they “are based on” facts in common with a Chapter 301 violation, will not provide the basis for a MVSWA whistleblower award. 

The Final Rule’s publication follows NHTSA’s earlier publication of a Notice of Proposed Rulemaking (“NPRM”) in April 2023. NHTSA noted in the Final Rule that it “adopted the proposed rule without significant changes,” despite numerous comments on the NPRM. 

A number of the Final Rule’s features merit consideration by automotive companies. Of particular interest are (1) the Final Rule’s definition of “independent knowledge;” (2) NHTSA’s decision not to expand the internal reporting prerequisite; (3) NHTSA’s decision not to exclude directors, officers, and compliance function employees from whistleblower eligibility; (4) NHTSA’s decision not to render persons convicted of a related crime by a foreign tribunal ineligible as whistleblowers; and (5) NHTSA’s decision not to exclude information obtained by unlawful conduct subject to civil liability.Continue Reading NHTSA Publishes Whistleblower Program Final Rule

On 1 December 2024 the 2025-2029 College of Commissioners took office, led by President Ursula von der Leyen in her second term. This blog explores what companies can expect from the new Commission regarding the EU Foreign Subsidies Regulation (“FSR”).

The FSR was adopted in December 2022 to address distortions caused in the EU by foreign subsidies. It introduced two notification tools for prior clearance of concentrations and public procurement procedures – effective since 12 October 2023 – and an ex officio tool for investigations by the Commission into suspicious foreign subsidies – effective since 12 July 2023. For a detailed overview of the FSR, see our previous blog post.

Key takeaways

  • The first year of FSR enforcement has seen a higher number of FSR notifications than the Commission anticipated in its 2021 Impact Assessment, in terms of both transactions and public procurement procedures. The Commission has initiated four in-depth investigations. By contrast, the ex officio tool has rarely been used with only two investigations launched.
  • For its 2025-2029 mandate, the Commission is aiming to vigorously enforce the FSR, especially as regards concentrations.
  • The Commission appears willing to discuss possible amendments to the FSR (in particular, to the public procurement notification thresholds).

The first year of FSR enforcement

The first year of FSR enforcement has seen a higher number of FSR notifications than the Commission anticipated in its 2021 Impact Assessment. Based on data disclosed by officials at conferences: (i) DG COMP, responsible for the enforcement of the FSR in relation to concentrations, received more than 100 transaction notifications (with 98 cases closed), compared to the 30 initially anticipated; and (ii) DG GROW, responsible for the enforcement of the public procurement tool, received approximately 140 notifications, compared to the 36 initially anticipated.Continue Reading The EU Foreign Subsidies Regulation – Outlook for the European Commission’s 2025-2029 Mandate

On November 20, 2024, the Federal Communications Commission (the “Commission”) issued a Second Report and Order in which it adopted rules (“the Order”) to facilitate the transition to from Dedicated Short Range Communications (“DSRC”) technology to Cellular-Vehicle-to-Everything (“C-V2X”) technology for the Intelligent Transportation System (“ITS” also referred to as the

Continue Reading FCC Adopts Rules Facilitating the Transition to C-V2X Technology for the Connected Vehicle Ecosystem

This quarterly update highlights key legislative, regulatory, and litigation developments in the third quarter of 2024 related to artificial intelligence (“AI”) and connected and automated vehicles (“CAVs”).  As noted below, some of these developments provide industry with the opportunity for participation and comment.

I.      Artificial Intelligence

Federal Legislative Developments

There continued to be strong bipartisan interest in passing federal legislation related to AI.  While it has been challenging to pass legislation through this Congress, there remains the possibility that one or more of the more targeted bills that have bipartisan support and Committee approval could advance during the lame duck period.

  • Senate Commerce, Science, and Transportation Committee: Lawmakers in the Senate Commerce, Science, and Transportation Committee moved forward with nearly a dozen AI-related bills, including legislation focused on developing voluntary technical guidelines for AI systems and establishing AI testing and risk assessment frameworks. 
    • In July, the Committee voted to advance the Validation and Evaluation for Trustworthy (VET) Artificial Intelligence Act (S.4769), which was introduced by Senators John Hickenlooper (D-CO) and Shelley Moore Capito (R-WV).  The Act would require the National Institute of Standards and Technology (“NIST”) to develop voluntary guidelines and specifications for internal and external assurances of AI systems, in collaboration with public and private sector organizations. 
    • In August, the Promoting United States Leadership in Standards Act of 2024 (S.3849) was placed on the Senate legislative calendar after advancing out of the Committee in July.  Introduced in February 2024 by Senators Mark Warner (D-VA) and Marsha Blackburn (R-TN), the Act would require NIST to support U.S. involvement in the development of AI technical standards through briefings, pilot programs, and other activities.  
    • In July, the Future of Artificial Intelligence Innovation Act of 2024 (S.4178)— introduced in April by Senators Maria Cantwell (D-CA), Todd Young (R-IN), John Hickenlooper (D-CO), and Marsha Blackburn (R-TN)—was ordered to be reported out of the Committee and gained three additional co-sponsors: Senators Roger F. Wicker (R-MS), Ben Ray Lujan (D-NM), and Kyrsten Sinema (I-AZ).  The Act would codify the AI Safety Institute, which would be required to develop voluntary guidelines and standards for promoting AI innovation through public-private partnerships and international alliances.  
    • In July, the Artificial Intelligence Research, Innovation, and Accountability Act of 2023 (S.3312), passed out of the Committee, as amended.  Introduced in November 2023 by Senators John Thune (R-SD), Amy Klobuchar (D-MN), Roger Wicker (R-MS), John Hickenlooper (D-CO), Ben Ray Lujan (D-NM), and Shelley Moore Capito (R-WV), the Act would establish a comprehensive regulatory framework for “high-impact” AI systems, including testing and evaluation standards, risk assessment requirements, and transparency report requirements.  The Act would also require NIST to develop sector-specific recommendations for agency oversight of high-impact AI, and to research and develop means for distinguishing between content created by humans and AI systems.
  • Senate Homeland Security and Governmental Affairs Committee:  In July, the Senate Homeland Security Committee voted to advance the PREPARED for AI Act (S.4495).  Introduced in June by Senators Gary Peters (D-MI) and Thomas Tillis (R-NC), the Act would establish a risk-based framework for the procurement and use of AI by federal agencies and create a Chief AI Officers Council and agency AI Governance Board to ensure that federal agencies benefit from advancements in AI.
  • National Defense Authorization Act for Fiscal Year 2025:  In August, Senators Gary Peters (D-MI) and Mike Braun (R-IN) proposed an amendment (S.Amdt.3232) to the National Defense Authorization Act for Fiscal Year 2025 (S.4638) (“NDAA”).  The amendment would add the Transparent Automated Governance Act and the AI Leadership Training Act to the NDAA.  The Transparent Automated Governance Act would require the Office of Management and Budget (“OMB”) to issue guidance to agencies to implement transparency practices relating to the use of AI and other automated systems.  The AI Leadership Training Act would require OMB to establish a training program for federal procurement officials on the operational benefits and privacy risks of AI.  The Act would also require the Office of Personnel Management (“OPM”) to establish a training program on AI for federal management officials and supervisors.   

Continue Reading U.S. Tech Legislative, Regulatory & Litigation Update – Third Quarter 2024

With U.S. President Trump returning to the White House, we expect the regulatory landscape facing technology and communications companies to shift significantly, if not uniformly. 

On the one hand, media and telecommunications companies that have long been regulated heavily by the FCC can likely expect a more deregulatory environment than they have experienced under the Biden Administration (with potential caveats).  On the other, large technology companies, which have largely avoided heavy-handed regulation, can expect to face a more active regulatory environment aimed at limiting or preventing content moderation decisions that the incoming Administration has characterized as “censorship” of conservative viewpoints.  Meanwhile, bipartisan priorities—such as the commitment to ensuring national security in the telecommunications sector—will likely continue to be a major focus of regulatory agencies.  While the assessments of regulatory risks and opportunities will continue to be refined and updated as the next Trump administration takes shape, we highlight here a few trends that are likely to influence policy and regulation at the FCC over the next four years.

Changes in Regulation:  Deregulation for Some, Greater Scrutiny for Others

FCC Commissioner Brendan Carr, who is the frontrunner to be named the next Chair of the FCC, has a long history of public statements supporting deregulation of the industries historically regulated by the FCC.  For instance, Carr has observed in the past that “rapidly evolving market conditions counsel in favor of eliminating many of the heavy-handed FCC regulations that were adopted in an era when every technology operated in a silo.”  This likely means that we can expect to see a Republican-led FCC seeking opportunities to loosen regulations on broadcasters, the pay TV industry, and internet service providers, ranging the gamut from reform of broadcast licensee ownership restrictions to repealing (or supporting the court reversal of) the Biden-era net neutrality order.

However, other industries under the FCC’s umbrella may face greater scrutiny.  In particular, we anticipate that the FCC’s interest in national security policymaking will continue to grow, as Commissioner Carr has highlighted issues such as curbing the influence of foreign nations on social media platforms and expanding the FCC’s list of providers of communications equipment and services that pose an unacceptable risk to the national security of the U.S.  This interest could expand beyond traditional telecommunications providers to other technology enterprises, such as those that offer high-powered cloud computing services to customers in China and elsewhere. Continue Reading Likely Trends in U.S. Tech and Media Regulation Under the New Trump Administration