EU, U.S., and UK Regulatory Developments on the Use of Artificial Intelligence in the Drug Lifecycle
Globally, the rapid advancement of artificial intelligence (AI) and machine learning (ML) raises fundamental questions about how the technology can be used. Drug approval authorities are now also taking part in this discussion, resulting in emerging and evolving guidelines and principles for drug companies.
Oregon Enacts Comprehensive Consumer Data Privacy Law
On July 18, 2023, Oregon joined the growing league of states that have passed a comprehensive data privacy framework. Signed into law by Gov. Tina Kotek, the Oregon Consumer Privacy Act (the Act), or SB 619, is the product of a multi-year effort by the state Consumer Privacy Task Force formed by Oregon Attorney General Ellen F. Rosenblum, comprising 150 consumer privacy experts from various industries. The Act will take effect on July 1, 2024, except for some provisions that will not take effect until January 1, 2026.
UK ICO Scrutinizes Use of Generative AI
Following the EU’s increased focus on generative AI with the inclusion of foundation and generative AI in the latest text of the EU AI Act (see our post here), the UK now also follows suit, with the UK’s Information Commissioner’s Office (“ICO”) communicating on 15 June 2023 its intention to “review key businesses’ use of generative AI.” The ICO warned businesses not to be “blind to AI risks” especially in a “rush to see opportunity” with generative AI. Generative AI is capable of generating content e.g., complex text, images, audio or video, etc. and is viewed as involving more risk than other AI models because of its ability to be used across different sectors (e.g., law enforcement, immigration, employment, insurance and health), and so have a greater impact across society – including in relation to vulnerable groups.
AI and the Role of the Board of Directors
U.S. SEC Public Company Cybersecurity Disclosure Regulation Finalized With Swift Effective Date
On July 26, 2023, the U.S. Securities and Exchange Commission finalized its rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (the Final Rule), which will become effective 30 days following publication in the Federal Register. The Final Rule applies to all public companies subject to the reporting requirements of the Securities Exchange Act of 1934, including foreign private issuers, smaller reporting companies, and business development companies, and will require disclosure of material cybersecurity incidents on Form 8-K and Form 20-F and periodic disclosure of cybersecurity risk management, strategy, and governance in annual reports on Form 10-K and Form 20-F.
U.S. Congressional Leaders Introduce Two Landmark Bills to Create a Digital Assets Regulatory Scheme
This week, two committees in the House of Representatives will mark up legislation intended to clarify the regulatory framework applicable to digital assets in the United States. Earlier this month, leaders in the U.S. Senate also introduced legislation to establish a comprehensive and unified regulatory scheme for digital assets and digital asset derivatives.1 Both the House and Senate bills seek to integrate the regulation of digital assets and digital asset derivatives into the existing U.S. regulatory framework — primarily that of the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) — rather than create a standalone framework, but both bills face significant barriers to enactment.
Webinar Recording: The Finalization of the EU-U.S. Data Privacy Framework
On July 13, Sidley and OneTrust DataGuidance hosted a webinar titled “The Finalization of the EU-U.S. Data Privacy Framework.” The discussion with key players in international data transfers included topics such as significant points and implications of the European Commission Adequacy Decision for the Data Privacy Framework, what organizations should know about the Framework’s Principles, consideration of factors and logistics for signing up for the Framework (including interplay with current Privacy Shield membership), next steps in the EU and UK processes, and other internal data transfer developments, including adequacy decision for the UK-U.S. Data Bridge.
Cybersecurity and Environmental Fraud Top Priorities of U.S. Commodity Futures Trading Commission Division of Enforcement
Just before Americans began their Fourth of July holiday, the U.S. Commodity Futures Trading Commission (CFTC) Division of Enforcement Director announced that the division has established two key task forces: the Cybersecurity and Emerging Technologies and the Environmental Fraud Task Force.1 Both task forces will be staffed with attorneys and investigators across the Division of Enforcement with the goal of serving as subject matter experts and prosecuting cases. As a result, CFTC registrants should be prepared for heightened focus on cybersecurity and environmental fraud, particularly in the derivatives and relevant spot markets.
FTC’s New Biometric Policy Statement Articulates New Governance Standards and an Expansive View of Biometric Data
On May 18, 2023, the Federal Trade Commission (“FTC”) issued its 2023 Policy Statement on Biometric Information and Section 5 of the FTC Act (the “Policy Statement”) describing the agency’s concerns about these fast-proliferating technologies and articulating a set of compliance obligations for businesses that develop or use biometric technologies. To address potential risks of bias, discrimination, and security associated with the collection or use of biometric information, the FTC wants businesses to, among other things, conduct pre-release risk assessments evaluating the potential for bias and other potential consumer harms, assess these risks on an ongoing basis, and evaluate and potentially audit third parties with access to a business’s biometric data.
EU-U.S. Adequacy Once Again
On July 10, 2023, the European Commission issued its Final Implementing Decision granting the U.S. adequacy (“Adequacy Decision”) with respect to companies that subscribe to the EU-U.S. Data Privacy Framework (“DPF”).
