With three months left until the end of this year’s legislative session, the California Legislature has been considering a flurry of bills regarding artificial intelligence (AI). Notable bills, described further below, impose requirements on developers and deployers of generative AI systems. The bills contain varying definitions of AI and generative AI systems. Each of these bills has been passed by one legislative chamber, but remains under consideration in the other chamber.

On May 30, 2024, the Court of Justice of the EU (“CJEU”) handed down its rulings in several cases (C-665/22, Joined Cases C‑664/22 and C‑666/22, C‑663/22, and Joined Cases C‑662/22 and C‑667/22) concerning the compatibility with EU law of certain Italian measures imposing obligations on providers of online platforms and search engines. In doing so, the CJEU upheld the so-called “country-of-origin” principle, established in the EU’s e-Commerce Directive and based on the EU Treaties principle of free movement of services. The country-of-origin principle gives the Member State where an online service provider is established exclusive authority (“competence”) to regulate access to, and exercise of, the provider’s services and prevents other Member States from imposing additional requirements.

We provide below an overview of the Court’s key findings.

On June 6, the Texas Attorney General published a news release announcing that the Attorney General has opened an investigation into several car manufacturers.  The news release states that the investigation was opened “after widespread reporting that [car manufacturers] have secretly been collecting mass amounts of data about drivers directly from their vehicles and then selling that data to third parties.”  Further, the release states that “car manufacturers and the third parties to whom they sold data are being instructed to produce documents relevant to their conduct. . .[and] to produce documents showing the disclosures they made to customers about the extent of their data collection practices and subsequent sale of their customers’ data.”  This announcement follows an earlier news release from the Attorney General describing the launch of a data privacy and security initiative, which will enforce Texas’s privacy protection laws, including the Texas Data Privacy and Security Act that goes into effect on July 1.

On May 31, 2024, Colorado Governor Jared Polis signed HB 1130 into law. This legislation amends the Colorado Privacy Act to add specific requirements for the processing of an individual’s biometric data. This law does not have a private right of action.

On May 17, 2024, the Council of Europe adopted the Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (the “Convention”).  The Convention represents the first international treaty on AI that will be legally binding on the signatories.  The Convention will be open for signature on September 5, 2024. 

The Convention was drafted by representatives from the 46 Council of Europe member states, the European Union and 11 non-member states (Argentina, Australia, Canada, Costa Rica, the Holy See, Israel, Japan, Mexico, Peru, the United States of America, and Uruguay).  The Convention is not directly applicable to businesses – it requires the signatories (the “CoE signatories”) to implement laws or other legal measures to give it effect.  The Convention represents an international consensus on the key aspects of AI legislation that are likely to emerge among the CoE signatories.

On May 20, 2024, a proposal for a law on artificial intelligence (“AI”) was laid before the Italian Senate.

The proposed law sets out (1) general principles for the development and use of AI systems and models; (2) sectorial provisions, particularly in the healthcare sector and for scientific research for healthcare; (3) rules on the national strategy on AI and governance, including designating the national competent authorities in accordance with the EU AI Act; and (4) amendments to copyright law. 

We provide below an overview of the proposal’s key provisions.

On May 16, 2024, the CNIL launched a public consultation on all of its health data standards.  Interested stakeholders are encouraged to participate by completing a questionnaire (available in French here) by July 12, 2024.

French law has specific requirements for the processing of health data. In particular, it generally requires that the processing either comply with one of the French Supervisory Authority’s (“CNIL”) standards (such as the méthodologies de référence or “MRs” – hereafter “Health Data Standards”) or be specifically authorized by the CNIL.

Since 2018, the CNIL has issued multiple Health Data Standards to cover a variety of processing activities, such as medical research and pharmacovigilance. However, as technologies deployed in the health sector rapidly evolve, some of these standards have become outdated and fail to adequately meet industry practices and needs. For instance, conducting a decentralized clinical trial is typically challenging under the current Health Data Standards, meaning that sponsors are often forced to pursue the more burdensome and time-consuming CNIL authorization.

The consultation questionnaire released by the CNIL is divided into five sections:

  • the Health Data Standards covering research activities;
  • the other Health Data Standards (e.g., on pharmacovigilance);
  • adaptation required because of the increasing use of AI;
  • specific documentation the CNIL could provide; and
  • participation in upcoming working groups – the CNIL encourages participants to identify any topics they consider high priorities, in particular as the CNIL is considering setting up some working groups on high priorities.

The CNIL also used this opportunity to summarize its recommendations and best practices relating to three aspects of decentralized clinical trials.  These guidelines cover:

  • Electronic information notices (see here) – The CNIL highlights the importance of ensuring that the confidentiality of the data is sufficiently protected and identifies some security measures to that end.  For instance, where the notice contains direct or indirect health information about the individual, the CNIL considers that it may only be sent to a regular email address (as opposed to via a secure platform) provided that (i) the subject and text of the email do not include any sensitive data, (ii) the notice itself is shared as an encrypted attachment or via a password-protected link and (iii) the relevant encryption key or password is shared separately and via different means (e.g., by post);
  • Following-up and monitoring patients at home (see here) – The CNIL reminds sponsors how they can make such arrangements while still complying with the Health Data Standards (in particular where the sponsor relies on a third party);
  • Remote quality control (see here) – Sponsors who wish to engage in remote quality control currently cannot do so while relying on a Health Data Standard and need to obtain a specific authorization from the CNIL. However, the CNIL has compiled a list of best practices that, if complied with, would facilitate the authorization process.  Such best practices include transparency requirements, the consultation of the data protection officer, precautions concerning remote consultation and the professional secrecy of clinical research associates, and a list of security measures (including a requirement that the data be stored in the EU or an EU-adequate country).

These guidelines are only temporary, as the CNIL intends to better address these issues in the updated version of its Health Data Standards.  The consultation questionnaire thus also enables participants to comment on these guidelines.  In terms of timeline, the CNIL will analyze responses to this public consultation during Summer and Fall 2024.  Some updated Health Data Standards are expected in the course of 2025, starting with the ones identified as high priorities during the consultation. 

On May 9, 2024, the Italian data protection authority (“Garante”) published a decision identifying the safeguards that controllers must put in place when processing health data for medical research purposes, in cases where data subjects’ consent cannot be obtained for ethical or organizational reasons.

The Garante’s decision follows a recent legislative development, enacted by Law n. 56 of April 29, 2024, and effective as of May 1, 2024, which amended, among other things, Article 110 of the Italian Privacy Code.  The amendment removes the obligation to submit a research program and related data protection impact assessment (“DPIA”) for prior consultation to the Garante, in cases where it is impossible or disproportionately burdensome to contact the concerned individuals.  

We provide below an overview of the legal framework and the safeguards identified by the Garante.

On May 16, the U.S. Securities and Exchange Commission (“SEC”) adopted amendments to Regulation S-P, which implements the Gramm-Leach-Bliley Act (“GLBA”) for SEC-regulated entities such as broker-dealers, investment companies, registered investment advisers, and transfer agents.
