On January 24, 2024, the U.S. National Science Foundation (“NSF”) announced the launch of the National Artificial Intelligence Research Resource (“NAIRR”) pilot, a two-year initiative to develop a shared national research infrastructure for responsible AI discovery and innovation. The launch makes progress on a goal in President Biden’s recent Executive Order on AI safety and security that directs the NSF to launch a NAIRR pilot within 90 days.

The NAIRR pilot will broadly support AI-related research, with an initial focus on the application of AI to societal challenges, including human health and environmental and infrastructure sustainability.  To support researchers and educators, the NAIRR pilot also will compile AI resources such as pre-trained models, responsible AI toolkits, and industry-specific training data sets that are aligned with the NAIRR pilot goals. The NSF will partner with 10 other federal agencies as well as 25 private sector, nonprofit, and philanthropic organizations to implement the NAIRR pilot and improve its ecosystem over time.

The NSF has stated that it welcomes additional partners and will release a broader call for proposals from the research community in spring 2024.

On January 24, the EU Commission released a communication announcing the European Economic Security Package (EESP) – as trailed in our previous blog. The Communication, which implements the EU’s Strategy (published in June 2023), is aimed at strengthening the EU’s economic security in a number of areas:

  • improved screening of foreign investment into the EU;
  • greater export controls coordination;
  • identification of outbound investments risk;
  • enhanced support for research and development involving dual-use technologies;
  • upgraded research security.

The EESP comprises five measures – a legislative proposal; three white papers; and a Proposal for a Council Recommendation.

Proposed revision of the Regulation on the screening of Foreign Direct Investment

The proposed revisions to the screening framework would broaden the scope of the existing FDI Screening Regulation by:

  • extending screening to cover indirect foreign investment, including acquisitions by EU investors ultimately controlled by a non-EU country;
  • bringing certain greenfield investments within the scope of screening regimes;
  • ensuring all Member States have a screening mechanism in place, with better harmonised national rules (there are currently five Member States without complete foreign investment screening legislation); and
  • identifying minimum sectoral scope where Member States must screen foreign investments.

Notably, the proposed minimum scope for Member States’ screening regimes would encompass military, dual-use and medical sectors; projects identified as sensitive or as being of ‘Union interest’; and certain ‘critical technology’ sectors, including advanced semiconductors, artificial intelligence, biotechnologies, and quantum technologies.

The Commission also proposed requirements for greater coordination in the submission of foreign investment review filings across the EU, which could significantly impact transaction timelines. These proposals will be covered in more detail in a blog post on our Covington Competition blog.

White Paper on Outbound Investment

The non-binding nature of the White Paper reflects two things: the limited information available to substantiate perceptions that EU outbound investment could give rise to security risks not already addressed by existing tools, and the tension between the positions of the Commission and the Member States on this issue (the Commission stressed the need to scrutinize outbound EU investment to protect the EU’s security interests by preventing technology and know-how leakage, while Member States feared a loss of sovereignty).

As a compromise, the White Paper proposes a detailed analysis of outbound investment; a three-month stakeholder consultation; and a 12-month monitoring and assessment of outbound investments at national level. The White Paper initially proposes that the monitoring phase focuses on the four ‘critical technology areas’ mentioned above. The assessment period will conclude with a joint risk assessment report, expected in Autumn 2025, which will enable the Commission to decide whether a more concrete policy response is required.

The Commission’s consideration of outbound investment screening follows similar moves by other countries to review or make enhancements to their capacity to intervene in such transactions – including the United States and the United Kingdom (where the Government has been undertaking engagement with industry stakeholders to understand and assess potential risks).

White Paper on Export Controls

The White Paper proposes the creation of a political coordination forum to help Member States reach common positions on export control matters, and proposes bringing forward the evaluation of the recast Dual-Use Regulation to the first quarter of 2025.

While the modernization of the EU export control regime effected by the adoption of the recast Dual-Use Regulation in 2021 is still relatively recent, the White Paper contemplates a need for further changes prompted by current geopolitical tensions, the continued pace of technological change, and the increased use of trade restrictions for foreign policy purposes by the EU and its partners.

In a notable departure from the EU’s previous position, the Commission will make a proposal to introduce controls at an EU level for items that ‘would have been adopted’ by multilateral regimes (such as the Wassenaar Arrangement and the Missile Technology Control Regime) but have not been so adopted because members of those regimes have blocked such revisions.

The Commission will also adopt a Recommendation to encourage coordination within the EU on any new national control lists.  Particularly relevant for advanced and emerging technologies, these measures are designed to avoid divergence between Member States’ national controls, and to aid the EU in responding to third countries that impose new controls unilaterally. However, the possibility that EU-level lists could further fragment the enforcement of multilateral regimes and undermine their implementation and effectiveness will remain controversial with industry and a consideration for Member States.

White Paper on enhancing support for research and development involving technologies with dual-use potential

The White Paper opens a consultation with public authorities, civil society, industry, and academia on options for strategic support for dual-use technology development aimed at maintaining a competitive edge in critical and emerging dual-use technologies.

The Paper also reviews the R&D support offered under current EU funding programs and identifies three potential options for the future:

  • no change to existing regimes;
  • removing the exclusive focus on civil applications in selected parts of the successor program to Horizon Europe; or
  • creating a dedicated instrument with a specific focus on dual-use R&D.

Proposal for a Council Recommendation on enhancing Research Security

The Commission recognizes that international tensions, combined with the increasing geopolitical relevance of research and innovation, mean that European researchers and academics are increasingly confronted with risks when cooperating internationally.  These risks may mean that research and innovation is targeted and used in ways that threaten EU security and facilitate undesirable transfer of critical technology.

The Proposal sets out a number of EU-level cooperation and coordination principles that should underpin all research security policies, such as academic freedom, institutional autonomy, and non-discrimination. The Proposal includes practical safeguarding measures that can be taken by the Member States and suggests the establishment of a European Centre of Expertise on Research Security as well as encouraging Member States to establish a policy framework for research security, including by incentivizing research centers to appoint research security advisers.

Comment

The EESP is another plank in the EU’s policy of Strategic Autonomy.  It gives legislative weight to the Commission President’s speeches in March and April 2023 (which focused on re-balancing the trading relationship with China) and the European Economic Security Strategy of June 2023 (aimed at creating a framework for assessing and addressing risks to EU economic security, while ensuring that the EU remained an open and attractive destination for business and investment).

The EESP brings the EU into line with the more national-security-focused US approach to foreign investment, an approach that appears to be reciprocated in China. Whether this approach to economic security will continue depends to a large extent on the outcome of the European elections in June, which will shape not only the new Parliament, but also the Commission.

Covington’s international teams of policy and regulatory experts are well-placed to help and advise companies caught in the middle of this geopolitical and policy tussle, grappling with the competing demands of de-risking inward and outward Chinese investment without de-coupling trade. 

In December 2023, the Dutch SA fined a credit card company €150,000 for failure to perform a proper data protection impact assessment (“DPIA”) in accordance with Art. 35 GDPR for its “identification and verification process”.

First, the Dutch SA decided that the company was required to perform a DPIA because the processing met two of the nine conditions set out in the EDPB Guidelines on DPIAs.  In particular, the processing was large scale (1.5 million customers) and involved personal data that was sensitive or of a “very personal nature” (name, date of birth, place of birth, e-mail address, telephone number, gender, Netherlands government ID Number, number of the ID document and photo).

Second, the SA decided that the company’s impact assessment of its identification and verification process (which the company called a “Change Risk Assessment”) was not a valid DPIA because it was too focused on financial services regulations and did not sufficiently take into account data protection requirements, such as the necessity and proportionality of the processing.  The DPO was also not sufficiently involved in the assessment.

Covington’s Data Privacy and Cybersecurity team regularly advises companies on all aspects of their privacy compliance programs, including on data protection impact assessments.

This quarterly update highlights key legislative, regulatory, and litigation developments in the fourth quarter of 2023 and early January 2024 related to technology issues.  These included developments related to artificial intelligence (“AI”), connected and automated vehicles (“CAVs”), data privacy, and cybersecurity.  As noted below, some of these developments provide companies with the opportunity for participation and comment.

I. Artificial Intelligence

Federal Executive Developments on AI

The Executive Branch and U.S. federal agencies had an active quarter, which included the White House’s October 2023 release of the Executive Order (“EO”) on Safe, Secure, and Trustworthy Artificial Intelligence.  The EO declares a host of new actions for federal agencies designed to set standards for AI safety and security; protect Americans’ privacy; advance equity and civil rights; protect vulnerable groups such as consumers, patients, and students; support workers; promote innovation and competition; advance American leadership abroad; and effectively regulate the use of AI in government.  The EO builds on the White House’s prior work surrounding the development of responsible AI.  Concerning privacy, the EO sets forth a number of requirements for the use of personal data for AI systems, including the prioritization of federal support for privacy-preserving techniques and strengthening privacy-preserving research and technologies (e.g., cryptographic tools).  Regarding equity and civil rights, the EO calls for clear guidance to landlords, Federal benefits programs, and Federal contractors to keep AI systems from being used to exacerbate discrimination.  The EO also sets out requirements for developers of AI systems, including requiring companies developing any foundation model “that poses a serious risk to national security, national economic security, or national public health and safety” to notify the federal government when training the model and provide results of all red-team safety tests to the government.

Federal Legislative Activity on AI

Congress continued to evaluate AI legislation and proposed a number of AI bills, though none of these bills are expected to progress in the immediate future.  For example, members of Congress continued to hold meetings on AI and introduced bills related to deepfakes, AI research, and transparency for foundational models.

  • Deepfakes and Inauthentic Content:  In October 2023, a group of bipartisan senators released a discussion draft of the NO FAKES Act, which would prohibit persons or companies from producing an unauthorized digital replica of an individual in a performance or hosting unauthorized digital replicas if the platform has knowledge that the replica was not authorized by the individual depicted. 
  • Research:  In November 2023, Senator Thune (R-SD), along with five bipartisan co-sponsors, introduced the Artificial Intelligence Research, Innovation, and Accountability Act (S. 3312), which would require covered internet platforms that operate generative AI systems to provide their users with clear and conspicuous notice that the covered internet platform uses generative AI. 
  • Transparency for Foundational Models:  In December 2023, Representative Beyer (D-VA-8) introduced the AI Foundation Model Act (H.R. 6881), which would direct the Federal Trade Commission (“FTC”) to establish transparency standards for foundation model deployers in consultation with other agencies.  The standards would require companies to provide consumers and the FTC with information on a model’s training data and mechanisms, as well as information regarding whether user data is collected in inference.
  • Bipartisan Senate Forums:  Senator Schumer’s (D-NY) AI Insight Forums, which are a part of his SAFE Innovation Framework, continued to take place this quarter.  As part of these forums, bipartisan groups of senators met multiple times to learn more about key issues in AI policy, including privacy and liability, long-term risks of AI, and national security.
Continue Reading U.S. Tech Legislative, Regulatory & Litigation Update – Fourth Quarter 2023

On December 5, 2023, the Spanish presidency of the Council of the EU issued a declaration to strengthen collaboration with Member States and the European Commission to develop a leading quantum technology ecosystem in Europe.

The declaration acknowledges the revolutionary potential of quantum computing, which uses principles of quantum mechanics and quantum bits, known as “qubits,” to solve certain classes of mathematical problems far faster than any known classical approach.

The declaration was launched with eight Member State signatories (Denmark, Finland, Germany, Greece, Hungary, Italy, Slovenia, and Sweden), and invites other Member States to sign. By doing so, they agree to recognize the “strategic importance of quantum technologies for the scientific and industrial competitiveness of the EU” and commit to collaborating to make Europe the “‘quantum valley’ of the world, the leading region globally for quantum excellence and innovation.”

EU strategy on quantum computing

The declaration builds upon existing efforts to build quantum technology infrastructure in the EU, such as the Quantum Technologies Flagship that brings together research institutions, industry and public funders to develop commercial applications for quantum research, and the European High Performance Computing Joint Undertaking (EuroHPC JU) initiative to build state-of-the-art pilot quantum computers, both of which were launched in 2018.

Potential Impacts

The potential applications of quantum computing are wide-ranging and industry-agnostic. For instance, they could be used to enhance the analysis of large data sets, optimize supply-chain processes, and accelerate the development of machine-learning algorithms. While the technology is still nascent, its potential commercial impact is hard to overstate: a recent estimate by McKinsey suggests that the life sciences, chemicals, automotive and financial services industries alone stand to gain up to $1.3 trillion in value from quantum computing by 2035.

Given the potential applications, quantum computing could, in particular, have a significant impact on companies in the life sciences sector. To provide a few examples in the pharmaceutical R&D space, quantum computing could be potentially used to improve:

  • Drug discovery, by improving molecular design, predicting molecular interactions, and running molecular dynamic simulations.
  • Clinical development, by designing clinical trials, analyzing trial data and predicting adverse event reactions.
  • Diagnostics, by improving image analysis and reconstruction.
  • Therapy, by developing and optimizing treatment plans.
  • Manufacturing and supply chain processes, by optimizing them through risk modelling and data analysis.

However, the benefits are not without risks. Most significantly, a sufficiently large quantum computer running Shor’s algorithm could solve the integer factorization and discrete logarithm problems that underpin today’s widely deployed public-key cryptography (RSA, Diffie-Hellman and elliptic-curve schemes), which is why standardization of post-quantum algorithms is already under way. Symmetric ciphers and hash functions are affected far less and can be addressed by moving to larger key and output sizes.

It remains to be seen how the field of quantum computing will develop, and how its potential impacts will be seen and felt. Crucially, regulation will likely play a big role in managing its impact, both in the EU and beyond.

Covington is monitoring developments in this fast-growing area. Please reach out to a member of the team with any inquiries.

January 10, 2024

Latin America

Executive Summary

  • President Lula da Silva concluded his first year successfully delivering on economic and social policies, and with good economic growth and job creation results.
  • In contrast, he achieved mixed results in foreign policy and made little progress in his goal to curb what he perceives as threats to Brazilian democracy by the far right.
  • The large, pro-business conservative majority in Congress continued to deliver both so-called “structural reforms” and new or improved sector-specific legal frameworks.
  • 2024 will be an electoral year, but President Lula and Congress have a busy policy agenda.
  • Companies doing business in Brazil should pay attention to the implementation of the 2023 tax reform, which will be crucial to deliver on the reform’s promises to simplify the tax system and reduce compliance costs for companies.  They should also pay attention to further tax-related proposals to reform income and payroll taxes and potential legal frameworks on AI, cybersecurity, space activities, bioinputs, carbon market, offshore wind power, and green hydrogen, among others.

Analysis

President Luiz Inácio Lula da Silva’s main goal of 2023 was to reignite economic growth and job creation with a particular focus on promoting gender equality, social inclusion, and environmental sustainability (details here).

Growth and Job Creation

Market players began 2023 expecting Brazil to grow 0.78% and had improved their expectation to 2.92% by December.  While the official GDP growth rate will only be published later in 2024, the improved expectation points to a reasonably stable economic policy and a successful year for the administration.

In January 2023, players also expected annual inflation to reach 5.36%, but reduced it to 4.46% by December, a signal that monetary policy conducted by an independent Central Bank has yielded a positive result.  The benchmark interest rate (SELIC), set at 13.75% since August 2022, was steadily reduced to 11.75%.

Continue Reading Brazil Under Lula: The First Year

In previous blogs, we have written about the EU-China relationship and how the EU was increasingly focused on delivering its policy of Strategic Autonomy. We are beginning to see the concrete implementation of this strategic intent, with the EU Commission approving a €902 million German State aid measure to support the construction of an electric vehicle battery production plant.  As Margrethe Vestager, EVP for Competition Policy noted, this is the first individual aid to have been approved under the Temporary Crisis and Transition Framework since March 2023 and its approval will keep the battery plant in the EU, rather than it moving to the US.

And the EU is planning to take further measures to enhance and protect its economic security in pursuit of the goal of strategic autonomy. On December 10, the Commission unveiled its Agenda outlining the items to be addressed in early 2024. Of note is the European Economic Security Package (EESP), due for discussion on 24 January.

It had been planned to adopt the EESP by the end of 2023.  However, its adoption faced delays due to Member States’ concerns about ceding authority to Brussels in an area traditionally reserved for national competence. For its part, the Commission argues that a “Europeanization” of the EU trade rules was required to ensure consistency across the bloc following decisions by various Member States to issue their own trade measures (for example, on export controls).

Although full details of the EESP have not yet been released, key components of the EESP will include a revision of the Foreign Direct Investment Screening Regulation and an initiative regulating outbound investments. The Agenda for 24 January also includes a non-binding Communication restricting export of dual-use items.

Continue Reading The European Economic Security Package

Technology companies are grappling with unprecedented changes that promise to accelerate exponentially in the challenging period ahead. We invite you to join Covington experts and invited presenters from around the world to explore the key issues faced by businesses developing or deploying cutting-edge technologies. These highly concentrated sessions are packed with immediately actionable advice. Each day closes with an industry spotlight, providing insights from leading tech authorities. This year’s industry spotlights will feature:

  • Dennis Garcia, Assistant General Counsel, Microsoft – Emerging Trends for AI in Latin America
  • Janel Thamkul, Deputy General Counsel, Anthropic – The Frontier Model Landscape
  • Eric Sprink, CEO, Coastal Community Bank – Developments in the Regulatory Landscape

For more information and to register, click here.

Virtual Conference

January 23, 24, & 25, 2024

10:00 a.m. – 11:30 a.m. PT

1:00 p.m. – 2:30 p.m. ET

CA and NY CLE credit will be offered.

(This event is closed to the press.)

The Federal Trade Commission’s (“FTC”) Office of Technology announced that it will hold a half-day virtual “FTC Tech Summit” on January 25, 2024 to address key developments in the field of artificial intelligence (“AI”).

The FTC’s event website notes that the Summit will “bring together a diverse set of perspectives across academia, industry, civil society organizations, and government agencies for a series of conversations on AI across the layers of the technology stack—from chips and cloud infrastructure to data and models to consumer applications.”  The Summit will feature remarks by Chair Khan and Commissioners Slaughter and Bedoya, and it also will include panels on “AI & Chips and Cloud,” “AI & Data and Models,” and “AI & Consumer Applications.”  Panelists and additional event speakers are expected to be announced shortly.

In late December 2023, the Federal Communications Commission (“FCC”) published a Report and Order (“Order”) expanding the scope of the data breach notification rules (“Rules”) applicable to telecommunications carriers and interconnected VoIP (“iVoIP”) providers.  The Order makes several notable changes to the prior rules, including broadening the definitions of a reportable “breach” and “covered data,” requiring covered entities to notify the FCC in addition to federal law enforcement of breaches, and modifying certain customer notification requirements.  The Rules are expected to become effective sometime in 2024, after they are reviewed by the Office of Management and Budget and the FCC’s Wireline Competition Bureau (“Bureau”) announces the effective dates by subsequent public notice.

Changes to Definitions

The Order materially expands the definitions of “breach” and “covered data.”  It defines “breach” to include any access to, use, or disclosure of “covered data” that is not authorized or that exceeds authorization.  The Order states that this definition covers not only malicious activity, but also inadvertent unauthorized access to, use, or disclosure of covered data.  However, this expansion is paired with an important limitation.  A “breach” does not include good faith acquisition of covered data by an employee or agent of a carrier or service provider, as long as the information is not further disclosed or improperly used.  This is consistent with most U.S. state data breach notification laws, which have similar good-faith exceptions.

The definition of “covered data” for purposes of a “breach” also is intentionally broad and includes various categories of personally identifiable information (“PII”) received from or about a customer, or in connection with the customer relationship.  While the Rules previously covered only “Customer Proprietary Network Information” (“CPNI”), the Order states that the Rules now also apply to a broader set of PII, defined as “information that can be used to distinguish or trace an individual’s identity either alone or when combined with other information that is linked or reasonably linkable to a specific individual.” 

The Order specifies that the following information qualifies as PII:  (1) a first name or first initial, and last name, in combination with any government-issued identification numbers (or information issued on a government document used to verify the identity of an individual) or other unique identification number used for authentication purposes; (2) username and email address in combination with a password or security answer, or any other authentication method for accessing an account; and (3) unique biometric, genetic, or medical data.

The Order provides examples of these PII elements, citing to state law definitions of personal information, including, but not limited to, social security numbers, driver’s license numbers, financial account numbers, student identification numbers, medical identification numbers, private authentication keys, certain data that would permit access to a financial account, fingerprints, DNA profiles, and medical records.  The Order also states that dissociated data that could be linked with other data to reveal PII would be considered PII if the dissociated data and the means to link the dissociated data were accessed.  Finally, the Order states that PII could include any one of the discrete data elements listed, or any combination thereof, if those data elements could be used to commit identity theft or fraud against an individual.  The Order exempts from its definition of PII publicly available information lawfully made available to the general public from government records or widely distributed media.  The Order states that its definition of covered data is intended to harmonize the Order with U.S. state data breach notification laws.

Broader Agency Notification Requirements

Previously, the Rules required notifying only the Federal Bureau of Investigation (“FBI”) and the U.S. Secret Service (“USSS”) of a breach.  Under the Order, telecommunications carriers, iVoIP providers, and telecommunications relay service (“TRS”) providers will be required to also notify the FCC of a breach pursuant to specified affected-customer and risk-of-harm thresholds.  First, regardless of potential harm arising from a breach, covered entities must file individual, per-breach notifications for any breaches affecting 500 or more customers (or an indeterminable number of customers).  Notice must be provided within seven business days after reasonable determination of a breach.  Second, for breaches affecting fewer than 500 customers, the timing of notification depends on the risk of harm.  Notification must be provided within the same seven-business-day timeframe unless the covered entity can reasonably determine that no harm to customers is reasonably likely.  If they do make that determination, covered entities only have to report breaches affecting fewer than 500 customers in an annual summary report delivered by February 1 of the following calendar year.  To avoid duplication, covered entities can still submit breach reports at cpnireporting.gov, and the FCC will also link to the reporting portal at http://www.fcc.gov/eb/cpni or a successor URL established by the Bureau.  The Rules also require maintaining and retaining for two years a record of any discovered breach and notifications made to agencies and customers.

The required content for agency notifications is virtually unchanged.  However, the Order removes a field that previously asked covered entities whether there was an “extraordinarily urgent need” to notify affected customers before seven business days have passed, because that seven-day “waiting period” has now been eliminated.  Covered entities must still, at a minimum, report their address and contact information, a description of the breach incident, the method of compromise, the date range of the incident, the approximate number of customers affected, an estimate of the financial loss to the carrier and customers, and the types of data breached.  Given that TRS providers may have access to particularly sensitive customer information, such as call audio and transcripts, the Order further specifies that TRS providers must include a description of the customer information that was affected, including whether the content of conversations was compromised.

Changes to Customer Notification Requirements

For breach notifications to customers, the Order adopts a “harm-based trigger,” which creates a rebuttable presumption of harm that covered entities must overcome to avoid notifications.  Essentially, covered entities do not need to notify customers if they can reasonably determine that the breach is unlikely to cause harm to customers or where the breach only involved encrypted data and the covered entities have “definitive evidence” that the encryption key was not also accessed, used, or disclosed.  

The Order directs covered entities to consider the following factors when assessing the likelihood of harm to customers: (1) the sensitivity of the information breached; (2) the nature and duration of the breach; (3) whether the information was encrypted; (4) what mitigation measures the covered entity took; and (5) whether the breach was intentional.  The Order identifies a range of harms that could require notification, including financial or physical harm, identity theft, theft of services, potential for blackmail or spam, and other similar types of dangers.  In addition, the Order notes that where call content hosted by a TRS provider has been compromised, the provider cannot overcome the presumption of harm and must notify customers due to the particular sensitivity of such data.

The Order also amends customer notification timelines and provides guidance on the content of required customer notifications.  Specifically, the Order requires covered entities to notify customers without unreasonable delay after notifying federal agencies and in no case later than thirty days after reasonable determination of a breach, eliminating the Rules’ previous seven-day waiting period before customers could be notified.  While the Order is not prescriptive regarding the content of a customer notice or the method of delivery, notices must at a minimum convey when a breach occurred and that the breach may have affected the customer’s data.  However, the Order does adopt as recommendations specific categories of information that may be included in a notice: (1) the estimated date of the breach; (2) a description of the customer information affected; (3) information about how customers can contact the carrier about the breach; (4) information about how to contact the FCC, Federal Trade Commission, and any relevant state regulatory agencies; (5) information about how to guard against identity theft if relevant; and (6) any other steps customers should take to mitigate risk from the breach.  For TRS providers, the FCC recommends that the notice also include whether the breach compromised contents of conversations.
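As an added illustration (not part of the FCC Order or of this post), the following Python encodes the agency and customer notification thresholds and deadlines described in the two sections above as a triage helper of the kind an incident-response team would put in a playbook. It assumes that business days are Monday to Friday with federal holidays ignored, that the date of “reasonable determination” of the breach is known, and that the provider’s harm assessment has already been made and documented as a yes/no input; the Breach fields, function names and the sample incident are constructed for the example.

```python
"""Triage helper for the FCC breach notification thresholds and deadlines
described in the post above. Added illustration, not the Order's text.
Assumptions (not from the Order): business days are Monday to Friday with
federal holidays ignored, and the date of reasonable determination is known."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

PER_BREACH_THRESHOLD = 500       # 500 or more customers (or an indeterminable number)
AGENCY_BUSINESS_DAYS = 7         # per-breach notice to FCC (and FBI/USSS) within seven business days
CUSTOMER_OUTER_LIMIT_DAYS = 30   # customers: in no case later than 30 days after determination


@dataclass
class Breach:
    determined_on: date                       # date the provider reasonably determined a breach
    affected_customers: Optional[int]         # None means the number cannot be determined
    harm_reasonably_likely: bool = True       # presumed; False only after a documented determination
    encrypted_only: bool = False              # only encrypted covered data was involved
    key_definitively_unexposed: bool = False  # "definitive evidence" the key was not accessed
    trs_call_content: bool = False            # TRS provider: call audio or transcripts compromised


def add_business_days(start: date, n: int) -> date:
    """Advance n Monday-to-Friday business days from start (holidays ignored by assumption)."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # weekday() 0..4 is Monday..Friday
            n -= 1
    return current


def agency_notification(b: Breach) -> Tuple[str, date]:
    """Which FCC filing is due, and by when.

    A per-breach notice is due within seven business days when 500+ customers (or an
    indeterminable number) are affected, or when the provider cannot reasonably determine
    that no harm is reasonably likely. Otherwise the breach goes into the annual summary
    due 1 February of the following year. Notice to the FBI and USSS is still required.
    """
    large = b.affected_customers is None or b.affected_customers >= PER_BREACH_THRESHOLD
    if large or b.harm_reasonably_likely:
        return ("per-breach", add_business_days(b.determined_on, AGENCY_BUSINESS_DAYS))
    return ("annual-summary", date(b.determined_on.year + 1, 2, 1))


def customer_notification(b: Breach) -> Optional[date]:
    """Outer deadline for notifying customers, or None if the presumption of harm is rebutted.

    The presumption cannot be overcome when TRS call content was compromised. It is
    rebutted where the provider reasonably determines harm is unlikely, or where only
    encrypted data was involved and there is definitive evidence the key was not exposed.
    Notice must follow agency notice without unreasonable delay; 30 days is the outer limit.
    """
    if b.trs_call_content:
        return b.determined_on + timedelta(days=CUSTOMER_OUTER_LIMIT_DAYS)
    if b.encrypted_only and b.key_definitively_unexposed:
        return None
    if not b.harm_reasonably_likely:
        return None
    return b.determined_on + timedelta(days=CUSTOMER_OUTER_LIMIT_DAYS)


def triage(b: Breach) -> dict:
    """Combine both obligations into one record for an incident-response ticket."""
    filing, agency_due = agency_notification(b)
    return {"agency_filing": filing, "agency_due": agency_due,
            "customer_due": customer_notification(b)}


if __name__ == "__main__":
    # Constructed sample: 1,200 customers' account credentials exposed, determined on a Friday.
    sample = Breach(determined_on=date(2024, 3, 1), affected_customers=1200)
    print(triage(sample))
```

The helper deliberately takes the harm assessment as an input rather than inferring it: the factors the Order lists (sensitivity of the data, nature and duration of the breach, encryption, mitigation taken, and whether the breach was intentional) have to be weighed and recorded by a person, and the record of that determination is what the provider will need if the presumption of harm is later challenged.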

This Order follows recent activity from the FCC’s Privacy and Data Protection Task Force, including the announcement last month of a partnership between the FCC and state attorneys general on data privacy enforcement.