The Public Policy Committee engages with government and support agencies across the globe and comments on issues that affect the industry’s ability to protect end-users. Members may subscribe to the committee mailing list on the Committee/SIGs page to stay up to date on current events and initiatives that the committee is overseeing. All readers are encouraged to review published documents and comments on the Public Policy page, which covers a broad range of policies.
Public Policy Update for the United States
- The White House issued an Executive Order on Artificial Intelligence with ten (10) new mandates that also include pushing Congress to pass "bipartisan data privacy legislation." The executive order asks Congress to speed things up and calls on it to ensure that Americans' privacy is protected while prominent AI players train their models, with children's privacy a big focus. The White House also said that it will evaluate how agencies and third-party data brokers collect and use "commercially available" information, meaning public datasets. Some "personally identifiable" data is available to the public, but that doesn't mean AI players have free rein to use this information.
- The Pew Research Center conducted a survey on How Americans View Data Privacy and found a majority of respondents feel their data is not used responsibly by either the government or companies, but also did not understand if they had control over how it is used. Many Americans are concerned and confused about how their data is used.
- Passkeys are back in the news as companies push new methods to get rid of passwords and increase consumer protection. The use of passkeys, including face scans, fingerprints or number codes to unlock a device, is growing among companies. Of course, some are wary of biometrics, concerned that biometric data could be hacked and then used against users.
- Clearview AI wins appeal of the UK ICO’s 2021 fine of 7.5 million GBP. The ruling found that the company did engage in "data processing related to monitoring the behavior of people in the UK"; however, the Information Commissioner’s Office (ICO) "did not have jurisdiction" to impose the penalty on Clearview AI because its users were primarily law enforcement agencies outside the U.K.
- The U.S. Senate Committee on Commerce, Science, and Transportation approved several Federal Trade Commission nominees, who will now go to the full Senate for approval. Republican commissioner nominees Andrew Ferguson and Melissa Holyoak are first-term nominations, while FTC Commissioner Rebecca Kelly Slaughter was re-nominated to the commission's Democratic majority.
Public Policy Update for Europe
- European Union (EU) Artificial Intelligence (AI) Act. Proposed in April 2021, the EU AI Act is still under debate. A fourth Trilogue between the Commission, Parliament and Council just ended last week, still leaving questions open. The majority of the EU Parliament advocates for strict regulation, but consumer and privacy activists are criticizing definitions and procedures, among many other contentious points. Many questions remain.
The EU AI Act foresees regulation of AI systems according to their risk impact. High-risk AI systems include those that could have a detrimental impact on safety or fundamental rights. They further divide into two segments: AI systems used in products subject to the EU’s product safety regulations and AI systems operating in eight specific domains, requiring registration in an EU database. All high-risk AI systems must undergo assessments both before entering the market and throughout their lifecycle.
Generative AI, like ChatGPT, must adhere to transparency requirements, such as disclosing that the content was generated by AI, designing models to prevent the generation of illegal content, and publishing summaries of copyrighted data used for training. Limited-risk AI systems must comply with minimal transparency requirements, enabling users to make informed decisions.
With another Trilogue date set for December, it is almost certain that the Act will not pass before the end of 2023 and hence will not come into force before the beginning of 2026.
- EU Chat Control Trilogue – vote postponed. The vote on the EU Chat Control draft regulation has been postponed to November 13, 2023. Trilogue discussions have led to a compromise:
  - Chat control should only be applied to “particular user groups” such as subscribers of a “particular communication channel.”
  - Chat control requires a “justified suspicion” of a connection to child abuse in the particular case.
  - Independent audits.
  - The EU Chat Control Center does not necessarily have to be located at Europol.
- EU: Digital Services Act: First “Very Large Online Platforms” presenting Transparency Reports. So far it can be concluded, e.g. from the TikTok Report, that DSA-related reports are just a small portion, often not more than one thousands, of the usual amount these platforms were dealing with before the DSA.
- Germany: Regional Court bans LinkedIn’s declaration on relevance of Do-Not-Track reports from users. The Berlin Regional Court has ruled that LinkedIn can no longer ignore its users’ ‘Do Not Track’ settings in browsers. Additionally, the default setting for new users’ visibility for LinkedIn’s partner sites cannot be set to ‘Visible.’
- UK: Online Safety Act. On October 26, 2023, the UK Online Safety Bill received royal assent and became law. Critics have raised concerns about the implications for privacy. WhatsApp is among the messaging services to threaten to withdraw from the UK over the act. The new law puts the onus on firms to protect children from some legal but harmful material, with the regulator, Ofcom, being given extra enforcement powers.
The Online Safety Act introduces new rules such as requiring pornography sites to stop children viewing content by checking ages.
Platforms will also need to show they are committed to removing illegal content including:
- child sexual abuse
- controlling or coercive behavior
- extreme sexual violence
- illegal immigration and people smuggling
- promoting or facilitating suicide
- promoting self-harm
- animal cruelty
- selling illegal drugs or weapons
Other new offenses have been created, including cyber-flashing (sending unsolicited sexual imagery online) and the sharing of deepfake pornography, where AI is used to insert someone's likeness into pornographic material.
The act also includes measures to make it easier for bereaved parents to obtain information about their children from tech firms.
- Germany: Updated BSI Guideline “Secure Email Transport” and new certification process. The Federal Office for Information Security (BSI) has set up a new certification process based on the updated technical guideline "Secure Email Transport" (BSI TR-03108), version 20 of which is now available. This includes a test specification called TR 03108-P. To obtain a certification, providers must, among other things, create and implement a security concept based on the specification. In addition, there are further technical requirements for the email provider's communication systems.
Public Policy Update for Canada
- Minister Champagne launches voluntary code of conduct relating to advanced generative AI systems – The Code sets voluntary commitments that industry can sign to demonstrate responsible development and management of generative artificial intelligence systems.
- C-27 - An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts is in active readings at the Standing Committee of Industry and Technology (INDU).
- Canadian Digital Regulators Forum established to better serve Canadians in the digital era – includes representatives from the CRTC, the Competition Bureau, and the Office of the Privacy Commissioner of Canada.
- CRTC issues penalty after thorough phishing investigation aimed at protecting Canadians. The Canadian Radio-television and Telecommunications Commission (CRTC) protects consumers and businesses from the misuse of digital technology, including spam and other electronic threats. The CRTC’s Chief Compliance and Enforcement Officer published details regarding an investigation into a high-volume phishing campaign, and the issuing of a penalty of $40,000 to a resident of Quebec for his role in the campaign.