U.S. AI and IoT Legislative Update - First Quarter 2020

U.S. AI and IoT Legislative Update - First Quarter 2020

May 7, 2020, Covington Alert

Though it seems like the distant past now, in this update we detail the notable legislative events from the first quarter of 2020 on artificial intelligence (“AI”), the Internet of Things (“IoT”), cybersecurity as it relates to AI and IoT, and connected and autonomous vehicles (“CAVs”). Prior to the slowdown in non-COVID related legislation that accompanied the pandemic during the first quarter, federal and state policymakers continued their focus on AI and IoT, including by introducing substantive bills that would regulate the use of such technology and by supporting bills aimed at further study of how such technology may impact different sectors. And it is important to note that this activity has slowed, not ceased—we will continue to update you on meaningful developments between these quarterly updates across our blogs.

Artificial Intelligence

This quarter, members of Congress have introduced a variety of legislation regulating AI—ranging from light touches to more prescriptive approaches.

• Rep. Eddie Bernice Johnson (D-TX) introduced the National Artificial Intelligence Initiative Act (“NAIIA”) of 2020 (H.R. 6216), which would establish a National Artificial Intelligence Initiative supporting a range of activities, such as support for research and development, education, and training to ensure U.S. leadership in the responsible development of AI. For example, the bill would authorize $391 million for the National Institute of Standards and Technology to develop voluntary standards for trustworthy AI systems, establish a risk assessment framework for AI systems, and develop guidance on best practices for public-private data sharing. You can learn more about NAIIA, and other recent developments in AI law and policy, in a recent article by our team.
• Sen. Kirsten Gillibrand (D-NY) introduced the Data Protection Act of 2020 (S. 3300), which would create a new federal agency tasked with, among other things, requiring impact assessments of “high-risk data practices,” including “systematic or extensive evaluation[s] of personal data that [are] based on automated processing . . . on which decisions are based that produce legal effects concerning [an] individual.” The proposed new agency also would regulate “consumer scoring” and other practices that determine consumer eligibility for rights, benefits or privileges in certain contexts like employment. You can read more about the bill in our blog post.
• Sen. Jeff Merkley (D-OR) introduced the Ethical Use of Facial Recognition Act (S. 3284), which would prohibit all federal use of facial recognition technology without a warrant until Congress enacts legislation on the topic. The bill would create a Commission to establish guidelines for the use of facial recognition technology, which would serve as the basis for Congress’ legislating.

State governments have decidedly taken a more prescriptive approach.

• On March 31, 2020, Washington state Governor Jay Inslee signed into law S.B. 6280, a bill aimed at regulating state and local government agencies’ use of facial recognition technology. Among other things, prior to deploying the technology, agencies will be required to file a notice of intent and publish an accountability report that will be subject to public review and comment. Use of facial recognition technology to make decision that produce legal or “similarly significant” effects (e.g., decisions pertaining to financial services, housing, criminal justice, or employment opportunities) will be subject to heightened requirements. For more details, visit our blogs posts.
• California Assembly Member Ed Chau introduced the Automated Decision Systems Accountability Act of 2020 (A.B. 2269), which would require any business in California that provides a person with a program or device that uses an “automated decision system” (“ADS”) to establish processes to “continually test for biases during the development and usage of the ADS” and to conduct an impact assessment on that program or device. You can read more about the bill in our blog post.

Internet of Things

At the federal and state level, lawmakers introduced a number of proposals related to internet of things (“IoT”) technologies. The focus in Congress has been on IoT devices and 5G updates for infrastructure. Key federal updates related to IoT this quarter include:

• Sen. Catherine Cortez Masto (D-NV) introduced the Smart Transportation Advancement and Transition Act (“STAT” Act) (S.3175), which would require the Secretary of Transportation to establish an advisory committee including private sector users and private sector developers of intelligent transportation system technologies, including emerging vehicle technologies.
• On January 8, 2020, the House passed by voice vote H.Res. 575, a Resolution introduced by Rep. Bill Flores (R-TX) “Expressing the sense of the House of Representatives that all stakeholders in the deployment of 5G communications infrastructure should carefully consider adherence to the recommendations of ‘The Prague Proposals’” (H.Rept. 116-368). The Prague Proposals are wireless technology recommendations that emerged from the Prague 5G Security Conference in 2019. The resolution states that the President and federal agencies should promote global trade and security policies consistent with the Prague Proposals and urge America’s allies to embrace the proposals for their 5G infrastructure.

At the state level, legislatures appear to be focused on the use of data for internet-connected devices, particularly those in the home. Key updates this quarter include:

• The Washington state legislature introduced this bill, Notifying Washington Consumers of Products that Transmit User Data (H.B. 2365), in January. If passed, it would require devices capable of transmitting user data to the manufacturer or any other business entity to bear a sticker making this clear to users.
• A California proposal shows how IoT measures reach into unlikely spheres. The state’s existing law authorizes a court to issue a protective order, generally to keep an abuser away from a victim. This proposal, A.B. 1987, would allow a court to specifically enjoin an abuser from controlling any connected devices in the victim’s home.

Cybersecurity – Relating to AI and IoT

In January, Rep. Frank Lucas (R-OK) introduced the Securing American Leadership in Science and Technology Act of 2020 (“SALTA”) (H.R. 5685) with several of his Republican colleagues. The bill is expansive and focuses broadly on “invest[ing] in basic scientific research and support technology innovation for the economic and national security.” This bill would require the Secretary of Energy to support AI development, including by:

• expanding the National Institute of Standards and Technology’s (NIST) capabilities;
• implementing rigorous scientific testing to support the development of trustworthy and safe artificial intelligence and data systems;
• developing machine learning and other artificial intelligence applications to support measurement science research programs and taking steps to modernize NIST’s research infrastructure; and
• developing and publishing new cybersecurity tools, encryption methods, and best practices for artificial intelligence and data science.

Similarly, with regard to IoT, this bill would require the Secretary of Energy to conduct research with respect to and support the expanded connectivity, interoperability, and interconnected systems and other aspects of IoT, including by:

• developing new tools and methodologies for cybersecurity of the internet of things;
• developing technologies to address network congestion and device interference;
• convening experts in the public and private sectors to develop recommendations for accelerating the adoption of sound interoperability standards, guidelines, and best practices for the internet of things; and
• developing and publishing new cybersecurity tools, encryption methods, and best practices for internet of things security.

Aside from SALTA, Congress advanced a few familiar energy and infrastructure cybersecurity bills from 2019, prior to the impact of COV-ID 19, including the (i) 21st Century Power Grid Act (H.R.5527), which was forwarded to the House Committee on Energy and Commerce after consideration and mark-up by the Subcommittee on Energy, (ii) Grid Modernization Research and Development Act of 2019 (H.R.5428), which was ordered to be reported as amended from the House Committee on Science, Space, and Technology, (iii) Cybersecurity Vulnerability Identification and Notification Act of 2019 (S.3045), which was ordered to be reported from the Senate Committee on Homeland Security and Governmental Affairs, and (iv) Protecting Resources On The Electric grid with Cybersecurity Technology (“PROTECT”) Act of 2019 (S.2556), for which Senate Energy & Natural Resources Committee Chairwoman Murkowski (R-AK) filed a written report.

At the state level, three states have introduced bills addressing connected cybersecurity devices: Georgia (H.B. 862), Massachusetts (2019 MA S.B. 2056 (NS)), and Virginia (H.B. 954). However, there has been no notable movement on these bills since their introduction.

Looking ahead, with the rise of cybersecurity threats connected to COV-ID 19, it is possible that lawmakers may pursue additional cybersecurity legislation when legislative sessions return to more normal operations.

Connected and Automated Vehicles

Lawmakers and regulators continued to drive efforts focused on connected and automated vehicles (“CAVs”) in the first quarter of the 2020. On Capitol Hill, efforts to introduce a bipartisan, bicameral bill that comprehensively regulates CAVs continued from 2019. In early February, a House panel heard testimony from safety advocates and industry groups to gather input for such a bill. The hearing discussed the promise of CAVs—to improve safety and mobility options for consumers across the country—but also demonstrated significant disagreement over who should face liability in the event of accidents. Later in the month, lawmakers sent out draft sections of AV legislation to stakeholders, requesting their input. The draft sections indicate continued debates over arbitration, cybersecurity, and consumer education. These sections follow previous portions of the draft, released in October, which covered exemptions, testing and evaluation, and an automated vehicles advisory council.

Federal regulators also accelerated certain CAV-related activities, including:

• The U.S. Department of Transportation (“DOT”). DOT kicked off 2020 with a request for information for its inclusive design challenge. DOT designed the challenge to incentivize the creation of innovative, inclusive design solutions to enable access to CAVs for persons with disabilities. In January, DOT also released AV 4.0, which we previously discussed. AV 4.0 provides in great detail the various efforts of 38 federal departments and agencies geared toward promoting, supporting, and providing accountability for users and communities with respect to autonomous mobility.
• The National Highway Transportation Safety Association (“NHTSA”). In February, NHTSA granted a temporary exemption from its Federal Motor Vehicles Safety Standards (“FMVSS”) for the company Nuro to deploy its low-speed driverless delivery vehicles. Later in the quarter, NHTSA issued a Notice of Proposed Rulemaking (“NPRM”), seeking to adapt FMVSS to vehicles with automated driving systems (“ADS”) that lack traditional manual controls. For more information, visit our blog post.
• Federal Communications Commission (“FCC”). The FCC continues to consider reallocation of the 5.9 GHz band for unlicensed operations and Cellular Vehicle to Everything (“C-V2X”) technologies, while potentially preserving portions of the band for existing dedicated short-range communications (“DSRC”) technologies. Initial comments on the FCC’s NPRM concerning reallocation of the 5.9 GHz were due in the first quarter of 2020. As noted in previous posts, the FCC’s action in the 5.9 GHz docket could have a significant impact on the deployment of CAVs that rely on unlicensed operations or C-V2X technologies, as well as the IoT ecosystem more generally.
• At the state level, the Washington legislature enacted HB 2676, which establishes minimum requirements for the testing of autonomous vehicles. The bill, which will go into effect on June 11, 2020, requires companies testing AVs in Washington to report certain data regarding those tests to the state’s Department of Licensing and to carry $5 million minimum in umbrella liability insurance. 
• Some CAV efforts appear to have slowed, with the federal government and states focused on stemming the COVID-19 pandemic. At the same time, CAVs and CAV-related technologies may prove to be part of the solution moving forward, including as autonomous shuttles that deliver tests and autonomous robots that assist in hospitals.

Visit Covington’s Artificial Intelligence Toolkit and Connected and Autonomous Vehicle Toolkit for additional information.

If you have any questions concerning the material discussed in this client alert, please contact the following members of our Artificial Intelligence and Internet of Things practices.