AI Update: EU High-Level Working Group Publishes Self Assessment for Trustworthy AI

By Alexandra Scott, Sam Jungyun Choi, Marty Hansen, Anna Oberschelp de Meneses, Lisa Peets, Lee Tiedrich, Lindsey Tonsager and Kristof Van Quathem on July 21, 2020 Posted in Artificial Intelligence (AI), Data, Data Privacy, Data Security, EU Data Protection, European Union, International, Privacy and Data Security

On July 17, 2020, the High-Level Expert Group on Artificial Intelligence set up by the European Commission (“AI HLEG”) published The Assessment List for Trustworthy Artificial Intelligence (“Assessment List”). The purpose of the Assessment List is to help companies identify the risks of AI systems they develop, deploy or procure, and implement appropriate measures to mitigate those risks.

The Assessment List is not mandatory, and there isn’t yet a self-certification scheme or other formal framework built around it that would enable companies to signal their adherence to it. The AI HLEG notes that the Assessment List should be used flexibly; organizations can add or ignore elements as they see fit, taking into consideration the sector in which they operate. As we’ve discussed in our previous blog post here, the European Commission is currently developing policies and legislative proposals relating to trustworthy AI, and it is possible that the Assessment List may influence the Commission’s thinking on how organizations should operationalize requirements relating to this topic. Continue Reading

Two Years of Carpenter

By Lauren Moxley and Shane Rogers on July 7, 2020 Posted in Electronic Surveillance and Law Enforcement Access, Uncategorized

Last month marks two years since the Supreme Court held, in Carpenter v. United States, that the Fourth Amendment applies to cell phone company records that detail a cell phone user’s location and movements. Under Carpenter, police are generally required to use a warrant to obtain seven days or more of a user’s cell-site location information from phone companies.

As we previously reported, Carpenter redefined how the Fourth Amendment applies to information held by technology companies in the digital age. Prior to Carpenter, the Court applied the third-party doctrine, under which a person who voluntarily revealed information to third parties—such as telephone companies, banks, or technology companies—lacks a reasonable expectation of privacy in that information and therefore forfeits Fourth Amendment protections. In Carpenter, the Court declined to apply the third-party doctrine to cell-site location information, even though the cell phone user revealed their location information to their phone company. Despite the significance of this ruling, the Court said that its decision in Carpenter was a “narrow one” that did not “address other business records that might incidentally reveal location information” or “consider other collection techniques involving foreign affairs or national security.” Continue Reading

Supreme Court Invalidates TCPA Government-Debt Exception

By Rafael Reyneri on July 6, 2020 Posted in Litigation, TCPA

Today, the Supreme Court issued its decision in Barr v. American Association of Political Consultants, which addressed the constitutionality of the Telephone Consumer Protection Act (TCPA). Although the Court splintered in its reasoning—producing four separate opinions—the justices nevertheless coalesced around two core conclusions: (1) the TCPA’s exception for government debt collection calls is unconstitutional, and (2) the exception can be severed from the rest of the TCPA. Six justices determined that the TCPA’s government-debt exception violates the First Amendment, and seven justices concluded that the exception is severable from the rest of the statute. The end result is that the government-debt exception is invalid but the rest of the TCPA—including its general prohibition on automated calls and text messages to mobile numbers—remains intact. The narrow scope of this ruling suggests that it may have limited practical effect for most parties.

As we previously explained, the TCPA, as originally enacted in 1991, restricts the use of an automatic telephone dialing system (ATDS) to transmit calls or texts to mobile numbers without the recipient’s prior express consent (the ATDS prohibition). In 2015, Congress amended the TCPA to exempt from the ATDS prohibition calls made to collect a debt owed to the United States. The question before the Supreme Court was whether the government-debt exception violates the First Amendment and, if so, whether the proper remedy is to sever the exception—leaving intact the rest of the TCPA—or invalidate the entire ATDS prohibition. Continue Reading

Lawful Access to Encrypted Data Act Introduced

By Trisha Anderson, Alexander Berengaut, Jim Garland and Chloe Goodwin on July 6, 2020 Posted in Congress, Electronic Surveillance and Law Enforcement Access, Surveillance

Senators Lindsey Graham (R-S.C.), Tom Cotton (R-Ark.) and Marsha Blackburn (R-Tenn.) have introduced the Lawful Access to Encrypted Data Act, a bill that would require tech companies to assist law enforcement in executing search warrants that seek encrypted data. The bill would apply to law enforcement efforts to obtain data at rest as well as data in motion. It would also apply to both criminal and national security legal process. This proposal comes in the wake of the Senate Judiciary Committee’s December 2019 hearing on encryption and lawful access to data. According to its sponsors, the purpose of the bill is to “end[] the use of ‘warrant-proof’ encrypted technology . . . to conceal illicit behavior.”

The bill has three main provisions: Continue Reading

China Issued the Draft Data Security Law

By Yan Luo and Zhijing Yu on July 3, 2020 Posted in China, Data, Data Security, International

On July 2, 2020, the Standing Committee of the National People’s Congress of China (“NPC”) released the draft Data Security Law (“Draft Law”) for public comment. The release of the Draft Law marks a step forward in establishing a regulatory framework for the protection of broadly defined “data security” in China, with a particular focus on the governance of “important data,” defined as “data that, if leaked, may directly affect China’s national security, economic security, social stability, or public health and security.” Many provisions of the Draft Law remain vague and lack guidance on how they might be implemented in practice.

FCC Issues Two TCPA Declaratory Rulings, One Clarifying Autodialer Definition

By Rafael Reyneri on July 1, 2020 Posted in Federal Communications Commission, TCPA

Earlier this week, the Federal Communications Commission’s (FCC’s) Consumer and Government Affairs Bureau released a Declaratory Ruling clarifying the agency’s interpretation of the “Automatic Telephone Dialing System” (an “autodialer” or “ATDS”) definition in the Telephone Consumer Protection (TCPA). The Ruling clarified that, in the context of a call or text message platform, the definition does not turn on whether the platform is used by others to transmit a large volume of calls or text messages; instead, the relevant inquiry is whether, in this context, the platform is capable of transmitting calls or text messages without a user manually dialing each such call or text message.

The Declaratory Ruling was issued in response to a Petition filed by the P2P Alliance seeking confirmation that its text messaging platform is not an autodialer and therefore not subject to the TCPA’s ATDS-related consent requirements. These requirements generally prohibit using an ATDS to call or text a mobile number without the recipient’s consent. The Petition stated that the text messaging platform at issue required users of the platform “to actively and affirmatively manually dial each recipient’s number and transmit each message one at a time.” The Petition also stated that recipients generally would provide their consent to receive such messages by providing their mobile numbers to the platform’s users. Continue Reading

FERC Requests Comments on Grid Cybersecurity Initiatives

By Inside Privacy on July 1, 2020 Posted in Cybersecurity

In a new post on the Covington Energy & Environment Blog, our colleagues discuss the Federal Energy Regulatory Commission’s Notice of Inquiry on updating reliability standards related to cybersecurity, especially given the threat of a coordinated cyberattack targeting geographically distributed generation resources. The Commission also issued a staff paper that suggests a framework for providing incentives in transmission rates for cybersecurity investments. To read the post, please click here.

PACT Act Would Deny Section 230 Immunity in Certain Instances and Impose Greater Transparency, Process, and Enforcement Mandates

By Calvin Cohen on June 29, 2020 Posted in Congress, Social Media, United States

Continuing the flood of recent proposals to amend the scope of Section 230 of the 1996 Communications Decency Act, a bipartisan group of Senators unveiled the Platform Accountability and Consumer Transparency Act (“PACT Act”) last week. Proposed by Senators Brian Schatz (D-HI) and John Thune (R-SD), the PACT Act comes on the heels of legislative proposals from Senate Republicans, a Department of Justice report with proposed amendments to the law—both of which we analyzed here—and the Trump Administration’s executive order on Section 230.

The PACT Act would amend Section 230 to include an “intermediary liability standard.” Under this standard, Section 230’s immunity protections would no longer apply to any interactive computer service provider that “has knowledge” of any illegal content or illegal activity occurring on their service and that “does not remove the illegal content or stop the illegal activity within 24 hours of acquiring that knowledge.” “Knowledge” of the illegal content requires notification in writing that identifies the illegal content or activity with “information reasonably sufficient to permit the provider to locate” it, as well as a copy of the Federal or State court order determining such content violated Federal law or State defamation law. Continue Reading