On April 12, 2024, the UK Information Commissioner’s Office (“ICO”) launched the third installment in its consultation series examining how data protection law applies to the development and use of generative AI. This installment focuses on how the data protection principle of accuracy applies to the outputs of generative AI models, and the impact that accurate training data has on the output. The two previous installments discussed the lawful basis for web scraping to train generative AI models, and purpose limitation in the generative AI lifecycle.  The latest installment considers the ..read more

On March 27, 2024, the National Telecommunications and Information Administration (“NTIA”) issued its AI Accountability Report, and, on March 28, 2024, the White House announced the Office of Budget and Management’s (“OMB’s”) government-wide policy on AI risk management. These provide new guidance in the wake of the Biden Administration’s recent Executive Order (“EO”) on AI. The EO requires agencies to generate various types of guidance and rules, and to take actions on staggered timelines. The OMB policy represents one such action at the 150-day mark of the EO. The NTIA’s AI Accountability Re ..read more

On March 27, 2024, the Kentucky legislature passed a comprehensive data privacy bill (“H.B. 15”), which was delivered to the Governor for signature.  If H.B. 15 is enacted, Kentucky will join the growing list of states with comprehensive data privacy laws.   Applicability H.B. 15 applies to persons that “conduct business” in Kentucky or produce products or services that are targeted to Kentucky residents and, during a calendar year, either control or process personal data of at least: (1) one hundred thousand (100,000) consumers; or (2) twenty-five thousand (25,000) consumers and der ..read more

On April 3, 2024, the UK Information Commissioner’s Office (“UK ICO”) published its 2024-2025 priorities for protecting children’s personal data online, titled the “Children’s Code Strategy” (the “Strategy”).  The Strategy builds on the UK ICO Children’s Code, introduced in 2021, and sets forth priority areas of improvement for social media and video-sharing platforms, and indicates how the UK ICO will continue to enforce and drive conformance with the Children’s Code.  The UK ICO, through the Strategy, will focus on the following with respect to social media and video-sharing platfo ..read more

On March 25, 2024, Florida Governor Ron DeSantis signed into law a bill prohibiting minors under the age of 14 from having accounts on social media platforms. The bill, known as House Bill 3 (“HB 3” or the “Bill”), comes after courts temporarily blocked similar legislation in Arkansas, California and Ohio, and officials in Utah announced that the state is “likely to repeal and replace” a comparable law that is currently subject to a lawsuit launched by an industry group. HB 3 prohibits social media companies from allowing Florida children younger than 14 from creating an account on their platf ..read more

On April 1, 2024, the U.S. and UK signed a Memorandum of Understanding (“MOU”) that details how the U.S. and UK will work together to develop tests for advanced AI models. The MOU follows through on commitments made by the countries at the AI Safety Summit in November 2023. The partnership, which is intended to align scientific approaches and allow for the countries to share information about capabilities and risks associated with AI models and systems, will take effect immediately and allow the U.S. and UK AI Safety Institutes to work together seamlessly. According to the statement, “both gov ..read more

On March 29, 2024, the Federal Trade Commission announced its decision to deny, without prejudice, an application from the Entertainment Software Rating Board (“ESRB”), Yoti and Kids Web Services for approval of a “Privacy-Protective Facial Age Estimation” mechanism for obtaining parental consent under the FTC’s Children’s Online Privacy Protection Rule (“COPPA Rule”). The groups had initially submitted their application in June of 2023 pursuant to part 312.12 of the COPPA Rule, which permits parties to seek Commission approval for new parental consent mechanisms not currently set forth in the ..read more

On March 27, 2024, the U.S. Cybersecurity and Infrastructure Agency (“CISA”) released an unpublished version of a Notice of Proposed Rulemaking (“NPRM”), as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The NPRM will be officially published on April 4, 2024, and comments are due by June 3, 2024. Pursuant to the proposed rules, “covered entities” would be required to report (1) “qualifying cyber incidents,” (2) ransom payments made in response to a ransomware attack, and (3) any substantially new or different information discovered related to a pre ..read more

On March 26, 2024, the French data protection authority (the “CNIL”) published the 2024 edition of its Practice Guide for the Security of Personal Data (the “Guide”). The Guide is intended to support organizations in their efforts to implement adequate security measures in compliance with their obligations under Article 32 of the EU General Data Protection Regulation. In particular, the Guide targets DPOs, CISOs, computer scientists and privacy lawyers. The Guide is divided into the following five parts, each addressing key security themes: 1) users; 2) information technology and equipment; 3 ..read more

Hunton Andrews Kurth released a client alert on the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) settlement with EFG International AG. On March 14, 2024, OFAC announced a settlement (the “Settlement”) with EFG International AG, a global private banking group based in Switzerland with many global subsidiaries (collectively, the “Manager”) regarding violations of OFAC rules alleged to have occurred as a result of the Manager’s buying, selling and, in many cases, merely holding, U.S. securities on behalf of persons sanctioned by OFAC.  The Bottom Line ..read more