This quarterly update summarizes key legislative and regulatory developments in the fourth quarter of 2022 related to Artificial Intelligence (“AI”), the Internet of Things (“IoT”), connected and autonomous vehicles (“CAVs”), and data privacy and cybersecurity.
In the last quarter of 2022, the annual National Defense Authorization Act (“NDAA”), which contained AI-related provisions, was enacted into law. The NDAA creates a pilot program to demonstrate use cases for AI in government. Specifically, the Director of the Office of Management and Budget (“Director of OMB”) must identify four new use cases for the application of AI-enabled systems to support modernization initiatives that require “linking multiple siloed internal and external data sources.” The pilot program is also meant to enable agencies to demonstrate the circumstances under which AI can be used to modernize agency operations and “leverage commercially available artificial intelligence technologies that (i) operate in secure cloud environments that can deploy rapidly without the need to replace operating systems; and (ii) do not require extensive staff or training to build.” Finally, the pilot program prioritizes use cases where AI can drive “agency productivity in predictive supply chain and logistics,” such as predictive food demand and optimized supply, predictive medical supplies and equipment demand, predictive logistics for disaster recovery, preparedness and response.
At the state level, in late 2022, there were also efforts to advance requirements for AI used to make certain types of decisions under comprehensive privacy frameworks. The Colorado Privacy Act draft rules were updated to clarify the circumstances that require controllers to provide an opt-out right for the use of automated decision-making and requirements for assessments of profiling decisions. In California, although the California Consumer Privacy Act draft regulations do not yet cover automated decision-making, the California Privacy Protection Agency rules subcommittee provided a sample list of questions on the topic during its December 16, 2022 board meeting.
Internet of Things
Federal laws and regulations continued to address IoT policy issues in the last quarter of 2022. Notably, on November 17, 2022, Senator Ted Cruz (R-TX) and Chair of the Senate Commerce, Science, and Transportation Committee Senator Maria Cantwell (D-WA) introduced the Informing Consumers about Smart Devices Act (S. 5127). The bill, which is substantially similar to H.R. 4081 (which passed the House of Representatives on September 29, 2022), would require manufacturers of connected devices equipped with a camera or microphone to clearly and conspicuously disclose to consumers that a camera or microphone is part of the device prior to purchase. The disclosure requirement does not apply to mobile phones, laptops, or other devices that consumers would reasonably expect to include a camera or microphone. Notably, Senator Cantwell remains the Chair of the Senate Commerce Committee and Senator Cruz has now become its Ranking Member, meaning that this piece of legislation deserves attention this Congress.
Federal regulatory efforts this quarter relating to IoT centered around cybersecurity. The National Cybersecurity Center of Excellence (“NCCoE”) at the National Institute of Standards and Technology (“NIST”) continued to advance its private-public partnership on trusted IoT device network-layer onboarding and lifecycle management through the publication of a fact sheet and a preliminary draft of a Cybersecurity Practice Guide that will ultimately be published by NIST. The public comment period for the draft practice guide is open until February 3, 2023. In addition, the Government Accountability Office (“GAO”) on December 1, 2022, published a report on the increasing cybersecurity threats faced by the United States’ 16 critical infrastructure sectors that rely on internet-connected devices and systems. The report provides recommendations to federal agencies for developing metrics to measure cybersecurity risks and the effectiveness of efforts to manage these risks. Addressing the implementation of the Internet of Things Cybersecurity Improvement Act of 2020 — which generally prohibits agencies, in the absence of a waiver, from procuring or using an IoT device after December 4, 2022, if that device is considered non-compliant with NIST-developed standards — the GAO report recommends that the Office of Management and Budget take steps to establish a standardized waiver process, as mandated by the Act.
Connected and Autonomous Vehicles (“CAVs”)
Federal developments were slow in the last quarter of 2022, but states continued advancing the deployment of CAVs. In November 2022, the California Public Utilities Commission (“CPUC”) authorized Waymo LLC to participate in California’s pilot program to provide “driverless” AV passenger service to the public. Waymo joins Cruise, LLC as the second participant in CPUC’s Driverless Pilot program. With this authorization, Waymo may offer driverless passenger service throughout San Francisco and portions of Daly City, as well as in portions of the cities of Los Altos, Los Altos Hills, Mountain View, Palo Alto, and Sunnyvale. Waymo’s driverless test AVs may operate on public roadways with posted speed limits up to 65 miles per hour, at all times of day or night. The CPUC’s press release stated that the driverless pilot program is “intended to allow AV companies to develop their technologies on a test basis, while providing for public safety and consumer protection in services offered by commercial operators within the CPUC’s jurisdiction.” The CPUC intends to collect program data to monitor the safety, accessibility, equity, and environmental benefits of CAVs.
Data Privacy & Cybersecurity
Congress advanced a number of legislative proposals focused on establishing cybersecurity standards for government devices and networks. For example, the NDAA included provisions to reform the Federal Risk and Authorization Program’s (“FedRAMP”) cybersecurity authorization process for cloud vendors, allowing federal agencies to use FedRAMP-authorized tools to authorize the use of cloud service providers and to conduct security assessments without further checks or additional oversight. FedRAMP certification is one that cloud service providers must receive prior to working with the U.S. government. Additionally, Congress passed the Quantum Computing Cybersecurity Preparedness Act, which requires the Director of OMB to provide agencies with guidance to inventory technology used by the agency that is vulnerable to decryption by quantum computers and will require agencies to migrate those technologies to post-quantum computing standards following new guidance from NIST.
Although Congress did not pass federal privacy legislation in the last quarter of 2022, there were multiple attempts to include privacy provisions in larger legislative packages, such as the NDAA or the omnibus spending bill in the lame duck sessions. Specifically, Senators Markey (D-MA), Blumenthal (D-CT), Cassidy (R-LA) and Lummis (R-WY) sought to include Senator Markey’s Children’s Online Privacy Protection Act (“COPPA”) legislation in the omnibus spending package. Additionally, Senators Blumenthal and Blackburn (R-TN) sought to include the Kids Online Safety Act (“KOSA”) within an end-of-year legislative vehicle. Despite having broad bipartisan support, both efforts were inevitably left out of the larger legislative packages. There was also an effort to attach the American Data Privacy Protection Act (“ADPPA”), though this effort was not ultimately successful.