The National Association of Insurance Commissioners (NAIC) held its Summer 2023 National Meeting (Summer Meeting) from August 12–16, 2023. Highlights include continued development of accounting principles and investment limitations related to certain types of bonds and structured securities, continued discussion of considerations related to private equity ownership of insurers, a proposed model bulletin addressing the use of artificial intelligence by the insurance industry, and continued development of a new consumer privacy protections model law.
https://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.png00Stephanie H. Dobeckihttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngStephanie H. Dobecki2023-09-07 10:20:152023-09-07 10:25:16Regulatory Update: National Association of Insurance Commissioners Summer 2023 National Meeting
Globally, the rapid advancement of artificial intelligence (AI) and machine learning (ML) raises fundamental questions about how the technology can be used. Drug approval authorities are now also taking part in this discussion, resulting in emerging and evolving guidelines and principles for drug companies.
https://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.png00Francesca Blythehttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngFrancesca Blythe2023-09-06 12:18:282024-11-15 14:23:35EU, U.S., and UK Regulatory Developments on the Use of Artificial Intelligence in the Drug Lifecycle
On 4 July 2023, the EU Commission proposed a new Regulation for procedural rules to standardize and streamline cooperation between EU Member State Data Protection Authorities (DPAs) when enforcing the EU General Data Protection Regulation (GDPR) in cross-border cases (GDPR Procedural Regulation). The GDPR adopts a decentralized enforcement model. National EU Member State DPAs are competent to enforce the GDPR on their respective territories. However, in cases with cross-border elements, the GDPR requires all concerned DPAs to cooperate in accordance with the GDPR’s “one-stop-shop” through cooperation and consistency mechanisms. Although these mechanisms establish key principles of cooperation and provide the basis for consistent application of the GDPR throughout the EU, the EU Commission determined more legislative action was needed to increase efficiency and harmonization of cross-border GDPR enforcement action.
https://datamatters.sidley.com/wp-content/uploads/sites/2/2022/10/MN-18359_Data-Matters_833x606-22.jpg607834William RM Longhttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngWilliam RM Long2023-08-22 12:16:572023-10-04 15:21:28EU Commission Adopts New Rules for GDPR Enforcement: the Beginning of a Centralized Enforcement Model?
On July 18, 2023, Oregon joined the growing league of states that have passed a comprehensive data privacy framework. Signed into law by Gov. Tina Kotek, the Oregon Consumer Privacy Act (the Act), or SB 619, is the product of a multi-year effort by the state Consumer Privacy Task Force formed by Oregon Attorney General Ellen F. Rosenblum, comprising 150 consumer privacy experts from various industries. The Act will take effect on July 1, 2024, except for some provisions that will not take effect until January 1, 2026.
https://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.png00Colleen T. Brownhttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngColleen T. Brown2023-08-18 09:34:142026-01-23 12:30:22Oregon Enacts Comprehensive Consumer Data Privacy Law
Following the EU’s increased focus on generative AI with the inclusion of foundation and generative AI in the latest text of the EU AI Act (see our post here), the UK now also follows suit, with the UK’s Information Commissioner’s Office (“ICO”) communicating on 15 June 2023 its intention to “review key businesses’ use of generative AI.” The ICO warned businesses not to be “blind to AI risks” especially in a “rush to see opportunity” with generative AI. Generative AI is capable of generating content e.g., complex text, images, audio or video, etc. and is viewed as involving more risk than other AI models because of its ability to be used across different sectors (e.g., law enforcement, immigration, employment, insurance and health), and so have a greater impact across society – including in relation to vulnerable groups.
https://datamatters.sidley.com/wp-content/uploads/sites/2/2022/10/MN-18359_Data-Matters_833x606-12.jpg607834William RM Longhttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngWilliam RM Long2023-08-17 15:11:532024-01-19 13:59:12UK ICO Scrutinizes Use of Generative AI
Artificial intelligence (AI) has the capacity to disrupt entire industries, with implications for corporate strategy and risk, stakeholder relationships, and compliance that require the attention of the board of directors.
https://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.png00Holly J. Gregoryhttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngHolly J. Gregory2023-08-11 09:04:012023-09-06 15:00:22AI and the Role of the Board of Directors
On July 26, 2023, the U.S. Securities and Exchange Commission (SEC or Commission) proposed new rules for broker-dealers (Proposed Rule 15(1)-2) and investment advisers (Proposed Rule 211(h)(2)-4) on the use of predictive data analytics (PDA) and PDA-like technologies in any interactions with investors.1 However, as discussed below, the scope of a “covered technology” subject to the rules is much broader than what most observers would consider to constitute predictive data analytics. The proposal would require that anytime a broker-dealer or investment adviser uses a “covered technology” in connection with engaging or communicating with an investor (including exercising investment discretion on behalf of an investor), the broker-dealer or investment adviser must evaluate that technology for conflicts of interest and eliminate or neutralize those conflicts of interest. The proposed rules would apply even if the interaction with the investor does not rise to the level of a “recommendation.”
https://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.png00W. Hardy Callcotthttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngW. Hardy Callcott2023-08-10 10:38:272023-09-06 15:00:44SEC Proposes Sweeping New Rules on Use of Data Analytics by Broker-Dealers and Investment Advisers
On July 26, 2023, the U.S. Securities and Exchange Commission finalized its rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (the Final Rule), which will become effective 30 days following publication in the Federal Register. The Final Rule applies to all public companies subject to the reporting requirements of the Securities Exchange Act of 1934, including foreign private issuers, smaller reporting companies, and business development companies, and will require disclosure of material cybersecurity incidents on Form 8-K and Form 20-F and periodic disclosure of cybersecurity risk management, strategy, and governance in annual reports on Form 10-K and Form 20-F.
https://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.png00Sonia Gupta Barroshttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngSonia Gupta Barros2023-07-31 14:32:332026-01-23 12:31:12U.S. SEC Public Company Cybersecurity Disclosure Regulation Finalized With Swift Effective Date
Regulatory Update: National Association of Insurance Commissioners Summer 2023 National Meeting
The National Association of Insurance Commissioners (NAIC) held its Summer 2023 National Meeting (Summer Meeting) from August 12–16, 2023. Highlights include continued development of accounting principles and investment limitations related to certain types of bonds and structured securities, continued discussion of considerations related to private equity ownership of insurers, a proposed model bulletin addressing the use of artificial intelligence by the insurance industry, and continued development of a new consumer privacy protections model law.
(more…)
Stephanie H. Dobecki
Chicago
sdobecki@sidley.com
Ellen M. Dunn
New York
edunn@sidley.com
Andrew R. Holland
New York
aholland@sidley.com
Michael L. Rosenfield
Los Angeles
mrosenfield@sidley.com
Chris H. Burusco
Los Angeles
cburusco@sidley.com
Sara N. Africano
Chicago
safricano@sidley.com
Jacob A. Grossman
Chicago
jgrossman@sidley.com
EU, U.S., and UK Regulatory Developments on the Use of Artificial Intelligence in the Drug Lifecycle
Globally, the rapid advancement of artificial intelligence (AI) and machine learning (ML) raises fundamental questions about how the technology can be used. Drug approval authorities are now also taking part in this discussion, resulting in emerging and evolving guidelines and principles for drug companies.
(more…)
Francesca Blythe
London
fblythe@sidley.com
Deeona R. Gaskin
Washington D.C.
dgaskin@sidley.com
Josefine Sommer
Brussels
jsommer@sidley.com
Atiq Chowdhury
Maria-Oraiozili Koutsoupia
George Herring
EU Commission Adopts New Rules for GDPR Enforcement: the Beginning of a Centralized Enforcement Model?
On 4 July 2023, the EU Commission proposed a new Regulation for procedural rules to standardize and streamline cooperation between EU Member State Data Protection Authorities (DPAs) when enforcing the EU General Data Protection Regulation (GDPR) in cross-border cases (GDPR Procedural Regulation). The GDPR adopts a decentralized enforcement model. National EU Member State DPAs are competent to enforce the GDPR on their respective territories. However, in cases with cross-border elements, the GDPR requires all concerned DPAs to cooperate in accordance with the GDPR’s “one-stop-shop” through cooperation and consistency mechanisms. Although these mechanisms establish key principles of cooperation and provide the basis for consistent application of the GDPR throughout the EU, the EU Commission determined more legislative action was needed to increase efficiency and harmonization of cross-border GDPR enforcement action.
(more…)
William RM Long
London
wlong@sidley.com
Maarten Meulenbelt
Brussels
mmeulenbelt@sidley.com
Lauren Cuyvers
Subhalakshmi Kumar
Oregon Enacts Comprehensive Consumer Data Privacy Law
On July 18, 2023, Oregon joined the growing league of states that have passed a comprehensive data privacy framework. Signed into law by Gov. Tina Kotek, the Oregon Consumer Privacy Act (the Act), or SB 619, is the product of a multi-year effort by the state Consumer Privacy Task Force formed by Oregon Attorney General Ellen F. Rosenblum, comprising 150 consumer privacy experts from various industries. The Act will take effect on July 1, 2024, except for some provisions that will not take effect until January 1, 2026.
(more…)
Colleen T. Brown
Washington, D.C.
ctbrown@sidley.com
Ernesto R. Claeyssen
Marcus J. Grey
Summer Associate
marcus.grey@sidley.com
Joyce Yeager
Knowledge Management Lawyer
jyeager@sidley.com
UK ICO Scrutinizes Use of Generative AI
Following the EU’s increased focus on generative AI with the inclusion of foundation and generative AI in the latest text of the EU AI Act (see our post here), the UK now also follows suit, with the UK’s Information Commissioner’s Office (“ICO”) communicating on 15 June 2023 its intention to “review key businesses’ use of generative AI.” The ICO warned businesses not to be “blind to AI risks” especially in a “rush to see opportunity” with generative AI. Generative AI is capable of generating content e.g., complex text, images, audio or video, etc. and is viewed as involving more risk than other AI models because of its ability to be used across different sectors (e.g., law enforcement, immigration, employment, insurance and health), and so have a greater impact across society – including in relation to vulnerable groups.
(more…)
William RM Long
London
wlong@sidley.com
Lauren Cuyvers
Subhalakshmi Kumar
AI and the Role of the Board of Directors
(more…)
Holly J. Gregory
New York
holly.gregory@sidley.com
SEC Proposes Sweeping New Rules on Use of Data Analytics by Broker-Dealers and Investment Advisers
On July 26, 2023, the U.S. Securities and Exchange Commission (SEC or Commission) proposed new rules for broker-dealers (Proposed Rule 15(1)-2) and investment advisers (Proposed Rule 211(h)(2)-4) on the use of predictive data analytics (PDA) and PDA-like technologies in any interactions with investors.1 However, as discussed below, the scope of a “covered technology” subject to the rules is much broader than what most observers would consider to constitute predictive data analytics. The proposal would require that anytime a broker-dealer or investment adviser uses a “covered technology” in connection with engaging or communicating with an investor (including exercising investment discretion on behalf of an investor), the broker-dealer or investment adviser must evaluate that technology for conflicts of interest and eliminate or neutralize those conflicts of interest. The proposed rules would apply even if the interaction with the investor does not rise to the level of a “recommendation.”
(more…)
W. Hardy Callcott
San Francisco
wcallcott@sidley.com
Jay G. Baris
New York
jbaris@sidley.com
James Brigagliano
Benson R. Cohen
New York
brcohen@sidley.com
Ranah Esmaili
Washington, D.C., New York
resmaili@sidley.com
Nathan J. Greene
New York
ngreene@sidley.com
Laurin Blumenthal Kleiman
Michael D. Wolk
Chuck Daly
New York, Boston
cdaly@sidley.com
U.S. SEC Public Company Cybersecurity Disclosure Regulation Finalized With Swift Effective Date
On July 26, 2023, the U.S. Securities and Exchange Commission finalized its rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (the Final Rule), which will become effective 30 days following publication in the Federal Register. The Final Rule applies to all public companies subject to the reporting requirements of the Securities Exchange Act of 1934, including foreign private issuers, smaller reporting companies, and business development companies, and will require disclosure of material cybersecurity incidents on Form 8-K and Form 20-F and periodic disclosure of cybersecurity risk management, strategy, and governance in annual reports on Form 10-K and Form 20-F.
(more…)
Sonia Gupta Barros
Washington, D.C.
sbarros@sidley.com
Colleen T. Brown
Washington, D.C.
ctbrown@sidley.com
Paul L. Choi
Chicago
pchoi@sidley.com
Stephen L. Cohen
Washington, D.C., Boston, ...
scohen@sidley.com
John P. Kelsh
Chicago
jkelsh@sidley.com
David Lashway
Washington D.C.
dlashway@sidley.com
Geeta Malhotra
Chicago
gmalhotra@sidley.com
Lara Mehraban
New York
lmehraban@sidley.com
Alan Charles Raul
Washington, D.C., New York
Andrea L. Reed
Chicago
andrea.reed@sidley.com
Michele L. Aronson
Sasha Hondagneu-Messner
New York
shondagneumessner@sidley.com
Upcoming Events
Resources