This quarterly update summarizes key legislative and regulatory developments in the third quarter of 2023 related to key technologies and related topics, including Artificial Intelligence (“AI”), connected and automated vehicles (“CAVs”), and data privacy and cybersecurity.
Congress continued to focus on legislation regulating AI this quarter. For example, Senators Blumenthal (D-CT) and Hawley (R-MO) announced a new bipartisan framework to regulate AI, which recommends, among other things, establishing a licensing body for certain sophisticated general purpose AI systems and clarifying that Section 230 does not apply to AI systems. Similarly, Senator Cassidy (R-LA) released a white paper that discusses the use of AI in the health, labor, and education industries. The paper suggests that legislation should focus on specific applications of AI and that a “sweeping, one-size-fits all approach. . .will not work and will stifle, not foster, innovation.”
Multiple Congressional hearings also explored how Congress could regulate AI while ensuring that the U.S. is the global leader in the development of this technology. For example, the Senate Commerce Committee convened a hearing titled “The Need for Transparency in Artificial Intelligence” on September 12, 2023, and the Senate Judiciary Committee held a hearing titled “Oversight of A.I.: Legislating on Artificial Intelligence,” also on September 12, 2023.
The Executive Branch and U.S. federal agencies have also been active in AI regulation this quarter. Some examples include:
- Copyright Office: The Copyright Office published a notice of inquiry and request for comments, which seeks facts and views on a host of topics, including the use of copyrighted works in training, recordkeeping and transparency, disclosures, and the legal treatment of generative AI outputs in terms of copyrightability, infringement, and potential impersonation. Initial written comments are due on October 18; reply comments are due November 15.
- Federal Election Commission (“FEC”): The FEC approved a rulemaking petition to amend its regulation on fraudulent misrepresentations of campaign advertisements to clarify that the regulations apply to AI-generated political advertisements. Comments are due by October 16.
- Cybersecurity & Infrastructure Security Agency (“CISA”): CISA published a blog post that states AI is a type of software system and must be “Secure by Design.” The post specifies that all stages of AI development (e.g., AI software design, AI software development, AI vulnerability testing, etc.) “should apply existing community-expected security practices and policies for broader software design, software development, etc.”
- White House: The White House announced that it had secured voluntary commitments from various AI companies to manage the risks posed by AI. The commitments are broken down into three categories: Safety, security, and trust. There remains broad expectation that the White House may issue an Executive Order on artificial intelligence in the fourth quarter.
Privacy & Cybersecurity
There continued to be minimal support in Congress to pass a comprehensive privacy framework in the third quarter of 2023. However, with the end of the year approaching, focus has begun to shift to reauthorization of the Foreign Intelligence Surveillance Act (“FISA”) Section 702, which expires at the end of the year. On September 28, 2023 the Privacy and Civil Liberties Oversight Board (“PCLOB”) released a report with 19 recommended changes to the law, which included a recommendation that Congress enact legislation to require federal law enforcement officials to get approval from the Foreign Intelligence Surveillance Court (“FISC”) to review Section 702 data about U.S. citizens and legal residents. Nonetheless, Democrats and Republicans remain sharply divided about the necessity and extent of more oversight for the Section 702 approval process, as the PCLOB report itself showed with Democratic and Republican appointees differing on their recommendations.
The Administration continued to advance its U.S. National Cybersecurity Strategy. On July 13, 2023, the White House released the U.S. National Cybersecurity Strategy Implementation Plan. The NCSIP identifies 65 initiatives – to be led by 18 different departments and agencies – that are designed as a roadmap for implementing the U.S. National Cybersecurity Strategy released earlier this year. This is the first iteration of the plan, which is intended to be an evolving document that the Administration plans to update annually. Consistent with the Strategy, the NCSIP contemplates five broad lines of effort: (1) defending critical infrastructure; (2) disrupting and dismantling threat actors; (3) Shaping market forces to drive security and resilience; (4) investing in a resilient future; and (5) forging international partnerships to pursue shared goals.
In addition, on August 4, 2023 the Securities and Exchange Commission (“SEC”) published its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure in the Federal Register. The rule is designed to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to reporting requirements of the Securities Exchange Act of 1934.
Connected & Automated Vehicles
This quarter, Congress demonstrated a bipartisan desire to solidify American leadership in advancing the deployment of CAV technology. On July 26, the Innovation, Data, and Commerce Subcommittee within the House Energy & Commerce Committee held a legislative hearing titled “Self-Driving Vehicle Legislative Framework: Enhancing Safety, Improving Lives and Mobility, and Beating China.” The hearing covered the need for Congress to support broad deployment of automated vehicles in the United States. Bipartisan leaders – as well as disability advocates, business organizations, automotive associations, and technology groups – supported the idea of Congress advancing a federal automated vehicles framework. The hearing announcement acknowledged the risk of ceding leadership in this industry to China if Congress does not enact a comprehensive national law that establishes a pathway to safe deployment. On September 13, the House Subcommittee on Highways and Transit held a hearing titled “The Future of Automated Commercial Motor Vehicles: Impacts on Society, the Supply Chain, and U.S. Economic Leadership.” As with the July 26 hearing, there was broad, bipartisan consensus that America must solidify its leadership on autonomous trucking and autonomous vehicle technology more generally. Speakers acknowledged the role of American innovation in this space in bolstering U.S. supply chain resilience and improving road safety. These hearings suggest that a federal framework on automated vehicles could be forthcoming.
The National Highway Traffic Safety Administration (“NHTSA”) also had an active quarter. On July 14, NHTSA issued a notice and request for comments on its intention to request approval from the Office of Management and Budget to collect information from the public as part of a study to improve NHTSA’s understanding of the differences in approaches to driver state detection and the potential safety impacts of driver monitoring systems. The notice defines “driver monitoring systems” as in-vehicle technology that can detect driver state and interact with the driver through the user interface that connects the driver to the vehicle (e.g., the dashboard). Tests will be conducted on alert and drowsy/distracted participants. NHTSA plans to use the results of the study to update the current state of knowledge on driver distraction, attention management, and distraction/risk assessment. On September 7, NHTSA issued a Notice of Proposed Rulemaking (“NPRM”) proposing to (1) require a seat belt warning system for the rear seats of passenger cars, trucks, most buses, and multipurpose passenger vehicles with a gross vehicle weight rating of 10,000 pounds or less; and (2) enhance the existing front seat belt warning requirements. The NPRM contains a section on considerations for automated driving systems (ADS), including how to address ADS-equipped vehicles that do not have manually operated driving controls to ensure the same level of occupant protection as standard vehicles (i.e., both will be required to have seat belt warnings). NHTSA stated it is not prepared to propose a solution for the visibility of rear seat belt warnings for ADS-equipped vehicles, but noted that future agency work related to telltales and indicators for ADS-equipped vehicles could be on the horizon.
Finally, on July 14 the National Institute of Standards and Technology (“NIST”) released for public comment the initial public draft of NIST Internal Report 8473, entitled Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure (EV/XFC). The EV/XFC Cybersecurity Framework Profile is intended to aid organizations in managing threats to systems, networks, and assets within the EV/XFC ecosystem. This EV/XFC Cybersecurity Framework Profile was designed for four key domains within the EV/XFC ecosystem: (i) Electric Vehicles (EV); (ii) Extreme Fast Charging (XFC); (iii) XFC Cloud or Third-Party Operations; and (iv) Utility and Building Networks.
While the comment periods for these activities have closed, we expect NHTSA and NIST to now review received feedback and take actions accordingly.