This quarterly update summarizes key legislative and regulatory developments in the first quarter of 2023 related to Artificial Intelligence (“AI”), the Internet of Things (“IoT”), connected and autonomous vehicles (“CAVs”), and data privacy and cybersecurity.
The first quarter of 2023 saw an array of proposed legislation, regulation, and informal guidance relating to AI. At the federal level, some members of Congress have noted concerns with the rapid uptake of AI technologies. For example, Representative Ted Lieu (D-CA-36) introduced a house resolution (H. Res. 66) that urges Congress to focus on AI and would resolve that the House of Representatives supports focusing on AI to ensure development of AI is done in a way that “is safe, ethical, and respects the rights and privacy of all Americans” and widely distributes AI benefits while minimizing risks. There were a number of other AI legislative proposals introduced this quarter focused on AI in particular contexts, including the use of AI for water quality (H.R. 873), AI for telehealth (H.R. 207), and AI for drug prescriptions (H.R. 206), and the Department of Defense’s ability to procure AI-based endpoint security tools to improve cybersecurity defense. (H.R. 1718).
There have also been several federal agency and regulatory developments on AI. In January, the National Institute of Standards and Technology (NIST) released its Artificial Intelligence Management Framework to provide a resource to organizations “designing, developing, deploying, or using AI systems to help manage the many risks of AI and promote trustworthy and responsible development and use of AI systems.” A detailed summary of this update can be found here. Additionally, in February, the White House released an Executive Order, which directs federal agencies to “ensure that their own use of artificial intelligence and automated systems  advances equity,” and to “focus their civil rights authorities and offices on emerging threats, such as algorithmic discrimination in automated technology,” among other items. Under the Executive Order, agencies must investigate and address any algorithmic discrimination in technology services, improve accessibility for people with disabilities, and improve language access services.
At the state level, there have been multiple bills introduced with the aim of regulating AI. For example, in Massachusetts S. 31 would regulate generative AI models and require companies operating large-scale generative AI models (i.e., a machine learning model with a capacity of at least one billion parameters that generates text or other forms of output) to register with the Attorney General and adhere to specific standards, like programming text with a watermark and not engaging in bias. Meanwhile in California, A.B. 331 would regulate automated decision tools by requiring, among other things, “deployers” (defined as a person, partnership, state or local government agency, or corporation that uses an automated decision tool to make a decision that has a legal, material, or similar significant effect on an individual’s life) to perform impact assessments for any automated decision tool, notify persons about the use of the tool, and prohibit using a tool that contributes to algorithmic discrimination.
Internet of Things
Federal legislators in both the House and Senate introduced a number of pieces of legislation related to the Internet of Things (IoT). For example, Representative Anna Eshoo’s (D-CA-16) bill, H.R. 1123, the Understanding Cybersecurity of Mobile Networks Act, was introduced in and passed the House. The bill directs the National Telecommunications and Information Administration (NTIA) to report to Congress on the cybersecurity and vulnerability of mobile service networks and devices to cyberattacks and surveillance. Additionally, Representative John Curtis’s (R-UT-3) bill, H.R. 538, the Informing Consumers about Smart Devices Act, also passed the House. It requires the disclosure of cameras or other recording abilities on certain internet-connected devices where such functionalities would be non-obvious to the user.
Federal legislators also introduced a group of bills pertaining to precision agriculture. Senator Deb Fischer (R-NE) introduced S. 720, the PRECISE Act, which provides incentives to adopt precision agriculture equipment and technology. Precision agriculture technology includes IoT technology used in crop and livestock production. Rep. Ashley Hinson (R-IA-2) introduced the House companion to the PRECISE Act, H.R. 1459. Another bill, S. 734, the Promoting Precision Agriculture Act of 2023, was introduced by Senator John Thune (R-SD) and Senator Raphael Warnock (D-GA). It would require the Secretary of Agriculture and NIST to develop and assess interconnectivity standards for precision agriculture.
The White House’s recently released U.S. National Cybersecurity Strategy emphasized the Administration’s efforts to improve IoT cybersecurity through federal research and development, procurement, and risk management efforts, as directed in the IoT Cybersecurity Improvement Act of 2020. In addition, the Administration affirmed its efforts to continue to advance the development of IoT security labeling programs, as directed by Executive Order 14028, “Improving the Nation’s Cybersecurity.” The strategy plans that, through the expansion of IoT security labels, consumers will be able to compare the cybersecurity protections offered by different IoT products, thus creating a market incentive for greater security across the entire IoT ecosystem.
Connected and Autonomous Vehicles
The first quarter of 2023 demonstrated that Congress, federal agencies, and industry groups plan to make advancing the development and deployment of CAVs a front-burner issue this year. In early January, NIST launched an Automotive Cybersecurity Community of Interest to discuss, comment, and provide input on the work that NIST is doing which will affect the automotive industry, including cryptography, supply chain, and AI cybersecurity risk management in automated vehicles. Government, industry, and academics are encouraged to join, as contributions from these stakeholders will inform future NIST frameworks on key aspects of automotive cybersecurity. In February, the Federal Motor Carrier Safety Administration (FMCSA) issued a supplemental advance notice of proposed rulemaking requesting public comment about the factors the Agency should consider in amending the Federal Motor Carrier Safety Regulations to establish a regulatory framework for commercial motor vehicles (CMV) equipped with Level 4 and 5 automated driving systems (ADS), and we expect to see further rulemaking in this space that takes into account feedback FMCSA received during the public comment period.
Federal legislators have signaled action in the CAV space this year. In the early months of 2023, bipartisan congressional leaders acknowledged the benefits of CAVs and discussed how to solidify the U.S. as a market leader for CAVs during hearings, interviews, and public meetings. For example, on February 1, the House Committee on Energy and Commerce held a hearing entitled “Economic Danger Zone: How America Competes to Win the Future Versus China” during which both Republicans and Democrats emphasized the benefits of CAVs and the need to strengthen our position as a global leader in the development and deployment of the technology. Bipartisan members of Congress also spoke at The Hill’s second annual EV/AV summit, which explored the barriers to electric vehicle adoption, the future of CAVs, and the critical infrastructure needed to make them both a reality. This unified front could prove useful in advancing legislative and policy proposals in the CAV space, and CAV industry groups have taken steps to inform and support such proposals. In March 2023, the Autonomous Vehicle Industry Association unveiled a Federal Policy Framework outlining recommendations for Congress and the Department of Transportation for the safe and advanced deployment and commercialization of CAVs in the U.S. Recommendations include, but are not limited to, legislation and executive agency action that reforms and expands the vehicle exemption process, expands CAV testing and evaluation, and updates regulations to support CAV deployment.
Privacy & Cybersecurity
Activities in Congress suggest that there will be efforts to reintroduce the American Data Privacy Protection Act (ADPPA) in the House. Specifically, the House Committee on Energy and Commerce’s new Subcommittee on Innovation, Data and Commerce held two hearings on the importance of passing federal comprehensive privacy legislation. During these hearings, lawmakers consistently emphasized their view of the ADPPA as the preferred framework to address current regulatory shortcomings. Although there is broad bipartisan support for the ADPPA, some Senators, including Senator Ed Markey (D-MA), are urging colleagues to pass the Children and Teens’ Online Privacy and Protection Act (COPPA 2.0) prior to moving forward on comprehensive federal privacy legislation.
As mentioned above, the White House released its U.S. National Cybersecurity Strategy. The Strategy, among other things, outlines fundamental shifts to how the federal government will attempt to allocate roles, responsibilities, and resources in the cyberspace. The Strategy is built on five pillars: (i) defend critical infrastructure; (ii) disrupt and dismantle threat actors; (iii) shape market forces to drive security and resilience; (iv) invest in a resilient future; and (v) forge international partnerships to pursue shared goals. The Strategy signals a shift towards a more regulatory-focused approach to compel various businesses and industries to improve their cybersecurity, as well as the collective security of the internet.
Multiple cybersecurity bills were introduced in Congress this quarter, including: the Securing Semiconductor Supply Chains Act (S. 229); the Cyber Vulnerability Disclosure Reporting Act (H.R. 280); the Securing Open Source Software Act (S. 917); and the Strengthening Agency Management and Oversight of Software Assets Act (S. 931).