Home M3AAWG Blog The Public Policy Committee Global Update - November 2023
Posted by the M3AAWG Content Manager

The Public Policy Committee engages with government and support agencies across the globe and comments on issues that affect the industry’s ability to protect end-users. Members may subscribe to the committee mailing list on the Committee/SIGs page to stay up to date on current events and Initiatives that the committee is overseeing. All readers are encouraged to review published documents and comments on the Public Policy page which covers a broad range of policies.

Public Policy Update for the United States

  • The White House issued an Executive Order on Artificial Intelligence with ten (10) new mandates that also include pushing Congress to pass "bipartisan data privacy legislation.” The executive order is asking Congress to speed things up and is calling on Congress to ensure that Americans' privacy is protected while prominent AI players train their models and that children's privacy will be a big focus. The White House also said that it will evaluate how agencies and third-party data brokers collect and use "commercially available" information, meaning public datasets. Some "personally identifiable" data is available to the public, but that doesn't mean AI players have free rein to use this information.
  • The Pew Research Center conducted a survey on How Americans View Data Privacy and found a majority of respondents feel their data is not used responsibly by either the government or companies, but also did not understand if they had control over how it is used. Many Americans are concerned and confused about how their data is used.
  • Passkeys are back in the news again and as companies push new methods to get rid of passwords and increase consumer protection. The use of passkeys, including face scans, fingerprints or number codes to unlock a device, is growing among companies. Of course, some are weary of biometrics to some point if they are hacked and then obtained to use against users.
  • Clearview AI wins appeal of 2021 UK ICO’s 2021 7.5 million GBP fine. They did ruled that the company did engage in "data processing related to monitoring the behavior of people in the UK," however, the Information Commissioner’s Office (ICO) "did not have jurisdiction" to impose the penalty on Clearview AI because its users were primarily law enforcement agencies outside the U.K.
  • The U.S. Senate committee on Commerce, Science, and Transportation approved several Federal Trade Commission nominees that will now go to the full Senate for approval. Republican commissioner nominees Andrew Ferguson and Melissa Holyoak are first-term nominations while FTC Commissioner Rebecca Kelly Slaughter was re-nominated to the commission's Democratic majority.

Public Policy Update for Europe

The EU AI Act foresees regulation of AI systems according to their risk impact. High risk AI systems include those that could have a detrimental impact on safety or fundamental rights. They further divide into two segments: AI systems used in products subject to the EU’s product safety regulations and AI systems operating in eight specific domains, requiring registration in an EU database. All high-risk AI systems must undergo assessments both before entering the market and throughout their lifecycle.

Generative AI, like ChatGPT, must adhere to transparency requirements, such as disclosing that the content was generated by AI; designing models to prevent the generation of illegal content and publishing summaries of copyrighted data used for training. Limited risk AI systems must comply with minimal transparency requirements, enabling users to make informed decisions.

With another Trilogue date set for December, it is almost certain that the Act will not pass before the end of 2023 and hence will not come into force before the beginning of 2026.

  • EU Chat Control Trilogue – vote postponed. The vote on the EU Chat Control draft regulation has been postponed to November 13, 2023. Trilogue discussions have led to a compromise:
  • Chat control should only be applied to “particular user groups” such as subscribers of a “particular communication channel.”
  • Chat control requires a “justified suspicion” of a connection to child abuse in the particular case.
  • Independent audits.
  • The EU Chat Control Center does not necessarily have to be located at Europol
  • UK: Online Safety Act. On October 26, 2023, the UK Online Safety Bill received royal assent and became law. Critics have raised concerns about the implications for privacy. WhatsApp is among the messaging services to threaten to withdraw from the UK over the act. The new law puts the onus on firms to protect children from some legal but harmful material, with the regulator, Ofcom, being given extra enforcement powers.

The Online Safety Act introduces new rules such as requiring pornography sites to stop children viewing content by checking ages.

Platforms will also need to show they are committed to removing illegal content including:

  • child sexual abuse
  • controlling or coercive behavior
  • extreme sexual violence
  • illegal immigration and people smuggling
  • promoting or facilitating suicide
  • promoting self-harm
  • animal cruelty
  • selling illegal drugs or weapons
  • terrorism

Other new offenses have been created, including cyber-flashing - sending unsolicited sexual imagery online - and the sharing of deep fake pornography where AI is used to insert someone's likeness into pornographic material.

The act also includes measures to make it easier for bereaved parents to obtain information about their children from tech firms.

  • Germany: Updated BSI Guideline “Secure Email Transport” and new certification process. The Federal Office for Information Security (BSI) has set up a new certification process based on the updated technical guideline "Secure Email Transport" (BSI TR-03108), version 20 of which is now available. This includes a test specification called TR 03108-P. To obtain a certification, providers must, among other things, create and implement a security concept based on the specification. In addition, there are further technical requirements for the email provider's communication systems.

Public Policy Update for Canada


The views expressed in DM3Z are those of the individual authors and do not necessarily reflect M3AAWG policy.