This quarterly update summarizes key legislative and regulatory developments in the fourth quarter of 2022 related to Artificial Intelligence (“AI”), the Internet of Things (“IoT”), connected and autonomous vehicles (“CAVs”), and data privacy and cybersecurity.

Artificial Intelligence

In the last quarter of 2022, the annual National Defense Authorization Act (“NDAA”), which contained AI-related provisions, was enacted into law.  The NDAA creates a pilot program to demonstrate use cases for AI in government. Specifically, the Director of the Office of Management and Budget (“Director of OMB”) must identify four new use cases for the application of AI-enabled systems to support modernization initiatives that require “linking multiple siloed internal and external data sources.” The pilot program is also meant to enable agencies to demonstrate the circumstances under which AI can be used to modernize agency operations and “leverage commercially available artificial intelligence technologies that (i) operate in secure cloud environments that can deploy rapidly without the need to replace operating systems; and (ii) do not require extensive staff or training to build.” Finally, the pilot program prioritizes use cases where AI can drive “agency productivity in predictive supply chain and logistics,” such as predictive food demand and optimized supply, predictive medical supplies and equipment demand, predictive logistics for disaster recovery, preparedness and response.

At the state level, in late 2022, there were also efforts to advance requirements for AI used to make certain types of decisions under comprehensive privacy frameworks.  The Colorado Privacy Act draft rules were updated to clarify the circumstances that require controllers to provide an opt-out right for the use of automated decision-making and requirements for assessments of profiling decisions.  In California, although the California Consumer Privacy Act draft regulations do not yet cover automated decision-making, the California Privacy Protection Agency rules subcommittee provided a sample list of related questions concerning this during its December 16, 2022 board meeting.

Internet of Things

Federal laws and regulations continued to address IoT policy issues in the last quarter of 2022.  Notably, on November 17, 2022, Senator Ted Cruz (R-TX) and Chair of the Senate Commerce, Science, and Transportation Committee Senator Maria Cantwell (D-WA) introduced the Informing Consumers about Smart Devices Act (S. 5127).  The bill, which is substantially similar to H.R. 4081 (which passed the House of Representatives on September 29, 2022), would require manufacturers of connected devices equipped with a camera or microphone to clearly and conspicuously disclose to consumers that a camera or microphone is part of the device prior to purchase.  The disclosure requirement does not apply to mobile phones, laptops, or other devices that consumers would reasonably expect to include a camera or microphone. Notably, Senator Cantwell remains the Chair of the Senate Commerce Committee and Senator Cruz has now become its Ranking Member, meaning that this piece of legislation deserves attention this Congress.

Federal regulatory efforts this quarter relating to IoT centered around cybersecurity.  The National Cybersecurity Center of Excellence (“NCCoE”) at the National Institute of Standards and Technology (“NIST”) continued to advance its private-public partnership on trusted IoT device network-layer onboarding and lifecycle management through the publication of a fact sheet and a preliminary draft of a Cybersecurity Practice Guide that will ultimately be published by NIST.  The public comment period for the draft practice guide is open until February 3, 2023.  In addition, the Government Accountability Office (“GAO”) on December 1, 2022, published a report on the increasing cybersecurity threats faced by the United States’ 16 critical infrastructure sectors that rely on internet-connected devices and systems.  The report provides recommendations to federal agencies for developing metrics to measure cybersecurity risks and the effectiveness of efforts to manage these risks.  Addressing the implementation of the Internet of Things Cybersecurity Improvement Act of 2020 — which generally prohibits agencies, in the absence of a waiver, from procuring or using an IoT device after December 4, 2022, if that device is considered non-compliant with NIST-developed standards — the GAO report recommends that the Office of Management and Budget take steps to establish a standardized waiver process, as mandated by the Act.

Connected and Autonomous Vehicles (“CAVs”)

Federal developments were slow in the last quarter of 2022, but states continued advancing the deployment of CAVs.  In November 2022, the California Public Utilities Commission (“CPUC”) authorized Waymo LLC to participate in California’s pilot program to provide “driverless” AV passenger service to the public.  Waymo joins Cruise, LLC as the second participant in CPUC’s Driverless Pilot program.  With this authorization, Waymo may offer driverless passenger service throughout San Francisco and portions of Daly City, as well as in portions of the cities of Los Altos, Los Altos Hills, Mountain View, Palo Alto, and Sunnyvale.  Waymo’s driverless test AVs may operate on public roadways with posted speed limits up to 65 miles per hour, at all times of day or night.  The CPUC’s press release stated that the driverless pilot program is “intended to allow AV companies to develop their technologies on a test basis, while providing for public safety and consumer protection in services offered by commercial operators within the CPUC’s jurisdiction.”  The CPUC intends to collect program data to monitor the safety, accessibility, equity, and environmental benefits of CAVs.

Data Privacy & Cybersecurity

Congress advanced a number of legislative proposals focused on establishing cybersecurity standards for government devices and networks.  For example, the NDAA included provisions to reform the Federal Risk and Authorization Program’s (“FedRAMP”) cybersecurity authorization process for cloud vendors—allowing federal agencies to use FedRAMP-authorized tools to authorize the use of cloud service providers, and conduct security assessments without further checks or additional oversight.  The FedRAMP certification is a certification that cloud service providers must receive prior to working with the U.S. government.  Additionally, Congress passed the Quantum Computing Cybersecurity Preparedness Act, discussed further here, that requires the Director of OMB to provide agencies with guidance to inventory technology used by the agency that is vulnerable to decryption by quantum computers and will require agencies to migrate those technologies to post-quantum computing standards following new guidance from NIST. 

Although Congress did not pass federal privacy legislation in the last quarter of 2022, there were multiple attempts to include privacy provisions in larger legislative packages, such as the NDAA or the omnibus spending bill in the lame duck sessions. Specifically, Senators Markey (D-MA), Blumenthal (D-CT), Cassidy (R-LA) and Lummis (R-WY) sought to include Senator Markey’s Children’s Online Privacy Protection Act (“COPPA”) legislation into the omnibus spending package.  Additionally, Senators Blumenthal and Blackburn (R-TN) also sought to include the Kids Online Safety Act (“KOSA”) within an end-of-year legislative vehicle.  Despite having broad bipartisan support, both efforts were inevitably left out of the larger legislative packages.  There was also an effort attach the American Data Privacy Protection Act (“ADPPA”), though this effort was not ultimately successful.

We will continue to update you on meaningful developments in these quarterly updates and across our blogs.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Anna Hevia Anna Hevia

Anna Hevia is an associate in the firm’s Washington, DC office, where she practices in the International Trade Practice Group and Communications and Media Industry Group. She also maintains an active pro bono practice.

As part of her international trade practice, Anna advises…

Anna Hevia is an associate in the firm’s Washington, DC office, where she practices in the International Trade Practice Group and Communications and Media Industry Group. She also maintains an active pro bono practice.

As part of her international trade practice, Anna advises clients on U.S. sanctions administered by the Treasury Department’s Office of Foreign Assets Control and export controls administered by the State Department’s Directorate of Defense Trade Controls and the Commerce Department’s Bureau of Industry and Security.

Anna’s work for the Communications and Media Industry Group involves counseling clients on accessibility compliance, broadband connectivity, technology policy, broadcast and other media, transactions, and other issues regulated by the Federal Communications Commission and other federal agencies. In these matters, Anna brings to bear her experience working for five years in the office of U.S. Representative Tony Cárdenas (CA-29), a member of the U.S. House of Representatives Committee on Energy and Commerce.

As senior policy advisor in Rep. Cárdenas’ office, Anna worked on telecommunications, technology, judiciary, and consumer protections issues, including drafting legislation, meeting with a wide variety of stakeholders, liaising with federal agencies, and preparing the Congressman for Energy and Commerce Committee hearings.

During law school, Anna worked as a legal intern in the office of then-FCC Commissioner (now Chairwoman) Jessica Rosenworcel.

Photo of Jayne Ponder Jayne Ponder

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection…

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection counsel to companies, including on topics related to privacy policies and data practices, the California Consumer Privacy Act, and cyber and data security incident response and preparedness.

Photo of Olivia Dworkin Olivia Dworkin

Olivia Dworkin minimizes regulatory and litigation risks for clients in the pharmaceutical, food, consumer brands, digital health, and medical device industries through strategic advice on FDA compliance issues.
Olivia defends her clients against such litigation as well, representing them through various stages of…

Olivia Dworkin minimizes regulatory and litigation risks for clients in the pharmaceutical, food, consumer brands, digital health, and medical device industries through strategic advice on FDA compliance issues.
Olivia defends her clients against such litigation as well, representing them through various stages of complex class actions and product liability matters. She maintains an active pro bono practice that focuses on gender-based violence, sexual harassment, and reproductive rights.

Prior to joining Covington, Olivia was a fellow at the University of Michigan Veterans Legal Clinic, where she gained valuable experience as the lead attorney successfully representing clients at case evaluations, mediations, and motion hearings. At Michigan Law, Olivia served as Online Editor of the Michigan Journal of Gender and Law, president of the Trial Advocacy Society, and president of the Michigan Law Mock Trial Team. She excelled in national mock trial competitions, earning two Medals for Excellence in Advocacy from the American College of Trial Lawyers and being selected as one of the top sixteen advocates in the country for an elite, invitation-only mock trial tournament.

Photo of Jennifer Johnson Jennifer Johnson

Jennifer Johnson is a partner specializing in communications, media and technology matters who serves as co-chair of Covington’s global and multi-disciplinary Internet of Things (IoT) group. She represents and advises content distributors, broadcast companies, trade associations, and other media and technology entities on…

Jennifer Johnson is a partner specializing in communications, media and technology matters who serves as co-chair of Covington’s global and multi-disciplinary Internet of Things (IoT) group. She represents and advises content distributors, broadcast companies, trade associations, and other media and technology entities on a wide range of issues. Jennifer has more than two decades of experience advising clients in the communications, media and technology sectors, and has served as a co-chair for these practices for more than 15 years. On IoT issues, she collaborates with Covington’s global, multi-disciplinary team to assist companies navigating the complex statutory and regulatory constructs surrounding this evolving area, including legal issues with respect to connected and autonomous vehicles, internet connected devices, smart ecosystems, and other IoT products and services.

Jennifer assists clients in developing and pursuing strategic business and policy objectives before the Federal Communications Commission (FCC) and Congress and through transactions and other business arrangements. She regularly advises clients on FCC regulatory matters and advocates frequently before the FCC. Jennifer has extensive experience negotiating content acquisition and distribution agreements for media and technology companies, including program distribution agreements with cable, satellite, and telco companies, network affiliation and other program rights agreements for television companies, and agreements providing for the aggregation and distribution of content on over-the-top app-based platforms. She also assists investment clients in structuring, evaluating, and pursuing potential investments in media and technology companies.

Photo of Nicholas Xenakis Nicholas Xenakis

Nick Xenakis draws on his Capitol Hill experience to provide regulatory and legislative advice to clients in a range of industries, including technology. He has particular expertise in matters involving the Judiciary Committees, such as intellectual property, antitrust, national security, immigration, and criminal…

Nick Xenakis draws on his Capitol Hill experience to provide regulatory and legislative advice to clients in a range of industries, including technology. He has particular expertise in matters involving the Judiciary Committees, such as intellectual property, antitrust, national security, immigration, and criminal justice.

Nick joined the firm’s Public Policy practice after serving most recently as Chief Counsel for Senator Dianne Feinstein (C-DA) and Staff Director of the Senate Judiciary Committee’s Human Rights and the Law Subcommittee, where he was responsible for managing the subcommittee and Senator Feinstein’s Judiciary staff. He also advised the Senator on all nominations, legislation, and oversight matters before the committee.

Previously, Nick was the General Counsel for the Senate Judiciary Committee, where he managed committee staff and directed legislative and policy efforts on all issues in the Committee’s jurisdiction. He also participated in key judicial and Cabinet confirmations, including of an Attorney General and two Supreme Court Justices. Nick was also responsible for managing a broad range of committee equities in larger legislation, including appropriations, COVID-relief packages, and the National Defense Authorization Act.

Before his time on Capitol Hill, Nick served as an attorney with the Federal Public Defender’s Office for the Eastern District of Virginia. There he represented indigent clients charged with misdemeanor, felony, and capital offenses in federal court throughout all stages of litigation, including trial and appeal. He also coordinated district-wide habeas litigation following the Supreme Court’s decision in Johnson v. United States (invalidating the residual clause of the Armed Career Criminal Act).

Hensey A. Fenton III

Hensey Fenton specializes in providing advice and guidance to clients on legislative and regulatory strategies. Hensey counsels clients on a myriad of issues in the policy and regulatory space, including issues involving cybersecurity, financial services, artificial intelligence, digital assets, international trade and development…

Hensey Fenton specializes in providing advice and guidance to clients on legislative and regulatory strategies. Hensey counsels clients on a myriad of issues in the policy and regulatory space, including issues involving cybersecurity, financial services, artificial intelligence, digital assets, international trade and development, and tax.

Another facet of Hensey’s practice involves cutting-edge legal issues in the cybersecurity space. Having published scholarly work in the areas of cybersecurity and cyberwarfare, Hensey keeps his finger on the pulse of this fast-developing legal field. His Duke Journal of Comparative & International Law article, “Proportionality and its Applicability in the Realm of Cyber Attacks,” was highlighted by the Rutgers Computer and Technology Law Journal as one of the most important and timely articles on cyber, technology and the law. Hensey counsels clients on preparing for and responding to cyber-based attacks. He regularly engages with government and military leaders to develop national and global strategies for complex cyber issues and policy challenges.

Hensey’s practice also includes advising international clients on various policy, legal and regulatory challenges, especially those challenges facing developing nations in the Middle East. Armed with a distinct expertise in Middle Eastern foreign policy and the Arabic language, Hensey brings a multi-faceted approach to his practice, recognizing the specific policy and regulatory concerns facing clients in the region.

Hensey is also at the forefront of important issues involving Diversity, Equity and Inclusion (DEI). He assists companies in developing inclusive and sustainable DEI strategies that align with and incorporate core company values and business goals.

Prior to joining Covington, Hensey served as a Judicial Law Clerk for the Honorable Judge Johnnie B. Rawlinson, United States Court of Appeals for the Ninth Circuit. He also served as a Diplomatic Fellow in the Kurdistan Regional Government’s Representation (i.e. Embassy) in Washington, DC.

Photo of Madeline Salinas Madeline Salinas

Madeline Salinas is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Communications and Media Practice Groups.

Photo of Jorge Ortiz Jorge Ortiz

Jorge Ortiz is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and the Technology and Communications Regulation Practice Groups.

Jorge advises clients on a broad range of privacy and cybersecurity issues, including topics related…

Jorge Ortiz is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and the Technology and Communications Regulation Practice Groups.

Jorge advises clients on a broad range of privacy and cybersecurity issues, including topics related to privacy policies and compliance obligations under U.S. state privacy regulations like the California Consumer Privacy Act.