UK Publishes Cyber Governance Code of Practice for Consultation
On 23 January 2024, the UK government published its draft Cyber Governance Code of Practice (the “Code”) to help directors and other senior leadership boost their organizations’ cyber resilience. The draft Code, which forms part of the UK’s wider £2.6bn National Cyber Strategy, was developed in conjunction with several industry experts and stakeholders – including the UK National Cyber Security Centre. The UK government is seeking views from organizations on the draft Code by 19 March 2024.
New Know-Your-Customer and Reporting Rules Proposed for Cloud Providers: Five Key Takeaways
Last week, the U.S. Department of Commerce published a notice of proposed rulemaking (NPRM) implementing Executive Orders (EO) 13984 and 14110 to prevent “foreign malicious cyber actors” from accessing U.S. infrastructure as a service products1 (IaaS Rule). The IaaS Rule seeks to strengthen the U.S. government’s ability to track “foreign malicious cyber actors” who have relied on U.S. IaaS products to steal intellectual property and sensitive data, engage in espionage activities, and threaten national security by attacking critical infrastructure.
U.S. CFTC Seeks Public Input on Use of Artificial Intelligence in Commodity Markets and Simultaneously Warns of AI Scams
The staff of the Commodity Futures Trading Commission (CFTC) is seeking public comment (the Request for Comment) on the risks and benefits associated with use of artificial intelligence (AI) in the commodity derivatives markets. According to the Request for Comment, the staff “recognizes that use of AI may lead to significant benefits in derivatives markets, but such use may also pose risks relating to market safety, customer protection, governance, data privacy, mitigation of bias, and cybersecurity, among other issues.”
Unofficial Final Text of EU AI Act Released
On 22 January 2024, an unofficial version of the (presumed) final EU Artificial Intelligence Act (“AI Act”) was released. The AI Act reached political agreement early December 2023 (see our blog post here) and had undergone technical discussions to finalize the text since. It was reported that the document was shared with EU Member State Representatives on 21 January 2024, ahead of a discussion within the Telecom Working Party, a technical body of the EU Council on 24 January 2024, and that formal adoption at the EU Member State ambassador level (i.e. COREPER) will likely follow on 2 February. On Friday 26 January 2024, the Belgian Presidency of the Council officially shared the (analysis of the) final compromise text of the AI Act with Member State representatives – clearly indicating that this text will be put forward for adoption.
Preparing for the EU AI Act: Part 2
Join Sidley and OneTrust DataGuidance for a reactionary webinar on the recently published, near-final text of the EU AI Act on February 5, 2024. This discussion with industry panelists will cover initial reactions to the text of the EU AI Act following finalization by EU legislators and examine the key points in the AI Act that businesses need to understand.
EU Reaches Political Agreement on Cyber Resilience Act for Digital and Connected Products
On 30 November 2023, the EU reached political agreement on the Cyber Resilience Act (“CRA”), the first legislation globally to regulate cybersecurity for digital and connected products that are designed, developed, produced and made available on the EU market. The CRA was originally proposed by the European Commission in September 2022. Alongside the recently adopted Data Act, Digital Operational Resilience Act (“DORA”), Critical Entities Resilience Act (“CER”), Network and Information Systems Security 2 Directive (“NISD2”) and Data Governance Act, the CRA builds on the EU Data and Cyber Strategies, and complements upcoming certification schemes, such as the EU Cloud Services Scheme (“EUCS”) and the EU ICT Products Scheme (“EUCC”). It responds to an increase in cyber-attacks in the EU over the last few years – in particular the rise in software supply chain attacks which have tripled over the last year –as well as the significant rise in digital and connected products in daily life which magnifies the risk of such attacks.
Australia’s Digital Platform Regulators Release Working Papers on Risks and Harms Posed by Algorithms and Large Language Models
Australia’s Digital Platform Regulators Forum (DP-REG) has recently released two working papers relevant to developing AI policy on the global stage: Literature summary: Harms and risks of algorithms (Algorithms WP) and Examination of technology: Large language models used in generative artificial intelligence (LLM WP) (together, the Working Papers) to mark the launch of its website. The DP-REG, which comprises various prominent Australian regulators across multiple industries, was established to ensure a collaborative and cohesive approach to the regulation of digital platform technologies in Australia. The Working Papers focus on understanding the risks and harms, as well as evaluating the benefits, of algorithms and generative artificial intelligence, and provides recommendations on the Australian Federal Government’s response to AI. The Working Papers also serve as a useful resource for the Australian industry and the public as these technologies are increasingly integrated and engaged with in the Australian market. Interestingly, the recommendations set out in the Working Papers are broadly aligned with the requirements of the EU’s Artificial Intelligence Act, which reached political agreement on 8 December 2023, suggesting that Australia’s proposed approach to regulating AI may be inspired at least in part by Europe’s AI regulatory framework.
USA: An Overview of State Data Privacy Laws Part Four – Data Subject Rights and Privacy Policy Requirements
In Part Four of the OneTrust DataGuidance Insight articles on state data privacy laws, Sidley Austin lawyers Sheri Porath Rockwell and Ernesto Claeyssen discuss data subject rights and privacy policy requirements under the patchwork of 13 US states’ comprehensive data privacy laws that have been passed.
EU Reaches Historical Agreement on AI Act
On 8 December 2023 — following three days of lengthy and intensive negotiations — EU legislators reached political agreement on the world’s first stand-alone law regulating AI: the EU’s AI Act. The EU considers the AI Act as one of its key pieces of legislation and fundamental to ensuring the EU becomes the world’s leading digital economy.
‘World-First’ Agreement on AI Reached
Over one hundred representatives from across the globe convened in the UK on 1-2 November 2023 at the Global AI Safety Summit. The focus of the Summit was to discuss how best to manage the risks posed by the most recent advances in AI. However, it was the “Bletchley Declaration” –announced at the start of the Summit—which truly emphasized the significance governments are attributing to these issues. (more…)