On September 12, 2022, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) published a Request for Information, seeking public comment on how to structure implementing regulations for reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). Written comments are requested on or before November 14, 2022 and may be submitted through the Federal eRulemaking Portal: http://www.regulations.gov.
Continue Reading: CISA Requests Public Comment on Implementing Regulations for the Cyber Incident Reporting for Critical Infrastructure Act
With the growing use of AI systems and the increasing complexity of the legal framework relating to such use, the need for appropriate methods and tools to audit AI systems is becoming more pressing both for professionals and for regulators. The French Supervisory Authority (“CNIL”) has recently tested tools that could potentially help its auditors understand the functioning of an AI system.
Overview of the tools tested by the CNIL
The CNIL tested two different tools, IBEX and Algocate. While IBEX aims at explaining an AI system, Algocate seeks to justify the decisions made by an AI system by checking each decision against specific standards. Both tools enable “black box” audits, meaning that they focus on the inputs and outputs of an AI system rather than on its internal functioning. The tools also rely on local explanatory methods, which provide an explanation for a decision related to a particular data input into the system, rather than on global explanatory methods, which would attempt to explain all possible decisions simultaneously.
Test and conclusions
The CNIL asked some of its agents to use these tools in a theoretical scenario and consider the following questions:
- Were the explanations provided by the tool helpful to understand the functioning of the AI system?
- Were such explanations understandable by the participants?
- Would these tools facilitate the work of the CNIL’s auditors?
The CNIL agents noted some challenges for each tool, in particular in relation to real-life use and the complexity of the tools. The CNIL’s experiment also showed that some users would have preferred an explanation of the generic functioning of the system rather than local analyses.
It therefore seems the tools will require some further improvement before they can be used effectively by regulators. Other French public initiatives are looking into different audit models relying, for example, on global explanatory methods (e.g., Pôle d’expertise de la régulation numérique’s study on methodologies for auditing content recommendation algorithms, available in French here).
We will keep monitoring this topic moving forward, and relay any updates from the CNIL relating to auditing tools for AI systems.
Last week, the FTC announced its release of a staff report discussing key topics from the April 29, 2021 workshop addressing dark patterns. The report states that the FTC will take action when companies employ dark patterns that violate existing laws, including the FTC Act, ROSCA, the TSR, TILA, CAN-SPAM, COPPA, ECOA, or other statutes and regulations enforced by the FTC. The report highlights examples of cases in which the FTC used its authority under these laws and regulations to bring enforcement actions against companies that allegedly used dark patterns. Accordingly, the report builds upon the FTC’s historical approach of using its existing authority to bring enforcement actions in this context.
Continue Reading: New FTC Report on Dark Patterns
On September 15, 2022, the European Commission published a draft regulation that sets out cybersecurity requirements for “products with digital elements” (PDEs) placed on the EU market — the Cyber Resilience Act (CRA). The Commission has identified that cyberattacks are increasing in the EU, with an estimated global annual cost of €5.5 trillion. The CRA aims to strengthen the security of PDEs and imposes obligations that cover:
- the planning, design, development, production, delivery and maintenance of PDEs;
- the prevention and handling of cyber vulnerabilities; and
- the provision of cybersecurity information to users of PDEs.
The CRA also imposes obligations to report any actively exploited vulnerability as well as any incident that impacts the security of a PDE to ENISA within 24 hours of becoming aware of it.
The obligations apply primarily to manufacturers of PDEs, which include entities that develop or manufacture PDEs as well as entities that outsource the design, development and manufacturing to a third party. Importers and distributors of PDEs also need to ensure that the products comply with CRA’s requirements.
The requirements apply for the lifetime of a product or five years from its placement on the market, whichever is shorter. Due to the cross-border dimension of cybersecurity incidents, the CRA applies to any PDEs that are placed on the EU market—regardless of where they are manufactured—and imposes new mandatory conformity assessment requirements. The proposed regulation will now undergo review and potential approval in the Council of the EU and the European Parliament. Its provisions would apply fully within two years after entry into force, potentially in late 2026. We set out more detail and commentary below based on our initial review of the proposal.
Continue Reading: EU Publishes Draft Cyber Resilience Act
On September 8, 2022, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) opined that data subjects should be able to lodge a complaint with a Supervisory Authority against a controller/processor for allegedly breaching the GDPR and, in parallel, lodge judicial redress proceedings against the same controller/processor for damages resulting from the alleged GDPR violation.
The case that was referred to the CJEU relates to a shareholder’s request to access audio recordings of a company meeting. The company provided the shareholder only with extracts of his/her interventions. Subsequently, the shareholder filed a complaint with the Hungarian Supervisory Authority for a breach of his/her right of access, asking the Supervisory Authority to order the company to disclose additional recordings. The Supervisory Authority rejected the complaint. As a result, the shareholder appealed the Supervisory Authority’s decision before a court and in parallel initiated separate judicial proceedings against the company asking for remedies for damages suffered.
Continue Reading: CJEU Advocate General Finds That Data Subjects May in Parallel Lodge a Complaint with a Supervisory Authority and Start Proceedings Before a Court
In a new post on the Inside Class Actions blog, our colleagues discuss a recent Third Circuit decision reinstating the putative class action Clemens v. ExecuPharm Inc., concluding there was sufficient risk of imminent harm after a data breach to confer standing on the named plaintiff when the information had been posted on the Dark Web.
The UK Government’s (UKG) proposals for new, sector-specific cybersecurity rules continue to take shape. Following the announcement of a Product Security and Telecommunications Infrastructure Bill and a consultation on the security of apps and app stores in the Queen’s Speech (which we briefly discuss here), the UKG issued a call for views on whether action is needed to ensure cyber security in data centres and cloud services (described here).
In recent weeks, the UKG has made two further announcements:
- On 30 August 2022, it issued a response to its public consultation on the draft Electronic Communications (Security measures) Regulations 2022 (Draft Regulations) and a draft Telecommunications Security code of practice (COP), before laying a revised version of the Draft Regulations before Parliament on 5 September.
- On 1 September 2022, it issued a call for information on the risks associated with unauthorized access to individuals’ online accounts and personal data, and measures that could be taken to limit that risk.
We set out below further detail on these latest developments.
Continue Reading: A packed end to the UK’s cyber summer: Government moves forward with telecoms cybersecurity proposals and consults on a Cyber Duty to Protect
According to several news reports in the past month of August (for example, Heise.de), the German Government is working on a regulation that will set out the requirements for so-called “consent management services”, which are services for collecting and storing the consent of website users to the placement of cookies and similar technologies. These services would serve as an alternative to cookie banners. Among other things, they may obtain consent for several websites at once. More specifically, dedicated software applications could enable users to replicate the consent provided on one website to other websites, therefore generalizing and sorting their consent by category of devices or websites. Users would be asked to review their consents every six months.
Continue Reading: The German Government is Drafting a Regulation on Cookie Consent Management Services
On September 7, 2022, the Brussels Market Court adopted an interim decision in a case brought by IAB Europe, the sector organization for the digital marketing industry, against the Belgian Supervisory Authority. The authority had fined IAB Europe alleging that its Transparency and Consent Framework (“TCF”) violates the GDPR and that the organization is a (joint) data controller for processing operations performed by the users of the standard, i.e., publishers and adtech vendors. Under the decision, IAB Europe was also required to present a work plan to remediate the alleged violations.
Continue Reading: Brussels Appeal Court Refers IAB Europe Case to CJEU
On August 31, 2022, one day before the Measures for Security Assessment of Cross-border Data Transfer (“Measures”) were scheduled to take effect, the Cyberspace Administration of China (“CAC”) released a first edition of its guidance on how organizations should complete the security assessment application (“CAC Guidance”). Covington’s previous posts on the Measures can be found here.
Continue Reading: China Releases Guidance on Cross-border Data Transfer Security Assessment Application