This quarterly update summarizes key legislative and regulatory developments in the third quarter of 2023 related to key technologies and related topics, including Artificial Intelligence (“AI”), connected and automated vehicles (“CAVs”), and data privacy and cybersecurity.

Artificial Intelligence

Congress continued to focus on legislation regulating AI this quarter.  For example, Senators Blumenthal (D-CT) and Hawley (R-MO) announced a new bipartisan framework to regulate AI, which recommends, among other things, establishing a licensing body for certain sophisticated general purpose AI systems and clarifying that Section 230 does not apply to AI systems.  Similarly, Senator Cassidy (R-LA) released a white paper that discusses the use of AI in the health, labor, and education industries.  The paper suggests that legislation should focus on specific applications of AI and that a “sweeping, one-size-fits all approach. . .will not work and will stifle, not foster, innovation.”  

Multiple Congressional hearings also explored how Congress could regulate AI while ensuring that the U.S. is the global leader in the development of this technology.  For example, the Senate Commerce Committee convened a hearing titled “The Need for Transparency in Artificial Intelligence” on September 12, 2023, and the Senate Judiciary Committee held a hearing titled “Oversight of A.I.: Legislating on Artificial Intelligence,” also on September 12, 2023.

The Executive Branch and U.S. federal agencies have also been active in AI regulation this quarter.  Some examples include:

  • Copyright Office:  The Copyright Office published a notice of inquiry and request for comments, which seeks facts and views on a host of topics, including the use of copyrighted works in training, recordkeeping and transparency, disclosures, and the legal treatment of generative AI outputs in terms of copyrightability, infringement, and potential impersonation.  Initial written comments are due on October 18; reply comments are due November 15.
  • Federal Election Commission (“FEC”): The FEC approved a rulemaking petition to amend its regulation on fraudulent misrepresentations of campaign advertisements to clarify that the regulations apply to AI-generated political advertisements.  Comments are due by October 16. 
  • Cybersecurity & Infrastructure Security Agency (“CISA”):  CISA published a blog post that states AI is a type of software system and must be “Secure by Design.”  The post specifies that all stages of AI development (e.g., AI software design, AI software development, AI vulnerability testing, etc.) “should apply existing community-expected security practices and policies for broader software design, software development, etc.”
  • White House:  The White House announced that it had secured voluntary commitments from various AI companies to manage the risks posed by AI.  The commitments are broken down into three categories: Safety, security, and trust.  There remains broad expectation that the White House may issue an Executive Order on artificial intelligence in the fourth quarter.

Privacy & Cybersecurity

There continued to be minimal support in Congress to pass a comprehensive privacy framework in the third quarter of 2023.  However, with the end of the year approaching, focus has begun to shift to reauthorization of the Foreign Intelligence Surveillance Act (“FISA”) Section 702, which expires at the end of the year.  On September 28, 2023 the Privacy and Civil Liberties Oversight Board (“PCLOB”) released a report with 19 recommended changes to the law, which included a recommendation that Congress enact legislation to require federal law enforcement officials to get approval from the Foreign Intelligence Surveillance Court (“FISC”) to review Section 702 data about U.S. citizens and legal residents.  Nonetheless, Democrats and Republicans remain sharply divided about the necessity and extent of more oversight for the Section 702 approval process, as the PCLOB report itself showed with Democratic and Republican appointees differing on their recommendations.

The Administration continued to advance its U.S. National Cybersecurity Strategy.  On July 13, 2023, the White House released the U.S. National Cybersecurity Strategy Implementation Plan.  The NCSIP identifies 65 initiatives – to be led by 18 different departments and agencies – that are designed as a roadmap for implementing the U.S. National Cybersecurity Strategy released earlier this year.  This is the first iteration of the plan, which is intended to be an evolving document that the Administration plans to update annually.  Consistent with the Strategy, the NCSIP contemplates five broad lines of effort: (1) defending critical infrastructure; (2) disrupting and dismantling threat actors; (3) Shaping market forces to drive security and resilience; (4) investing in a resilient future; and (5) forging international partnerships to pursue shared goals. 

In addition, on August 4, 2023 the Securities and Exchange Commission (“SEC”) published its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure in the Federal Register.  The rule is designed to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to reporting requirements of the Securities Exchange Act of 1934. 

Connected & Automated Vehicles

This quarter, Congress demonstrated a bipartisan desire to solidify American leadership in advancing the deployment of CAV technology.  On July 26, the Innovation, Data, and Commerce Subcommittee within the House Energy & Commerce Committee held a legislative hearing titled “Self-Driving Vehicle Legislative Framework: Enhancing Safety, Improving Lives and Mobility, and Beating China.”  The hearing covered the need for Congress to support broad deployment of automated vehicles in the United States.  Bipartisan leaders – as well as disability advocates, business organizations, automotive associations, and technology groups – supported the idea of Congress advancing a federal automated vehicles framework.  The hearing announcement acknowledged the risk of ceding leadership in this industry to China if Congress does not enact a comprehensive national law that establishes a pathway to safe deployment.  On September 13, the House Subcommittee on Highways and Transit held a hearing titled “The Future of Automated Commercial Motor Vehicles: Impacts on Society, the Supply Chain, and U.S. Economic Leadership.”  As with the July 26 hearing, there was broad, bipartisan consensus that America must solidify its leadership on autonomous trucking and autonomous vehicle technology more generally.  Speakers acknowledged the role of American innovation in this space in bolstering U.S. supply chain resilience and improving road safety.  These hearings suggest that a federal framework on automated vehicles could be forthcoming.

The National Highway Traffic Safety Administration (“NHTSA”) also had an active quarter.  On July 14, NHTSA issued a notice and request for comments on its intention to request approval from the Office of Management and Budget to collect information from the public as part of a study to improve NHTSA’s understanding of the differences in approaches to driver state detection and the potential safety impacts of driver monitoring systems.  The notice defines “driver monitoring systems” as in-vehicle technology that can detect driver state and interact with the driver through the user interface that connects the driver to the vehicle (e.g., the dashboard).  Tests will be conducted on alert and drowsy/distracted participants.  NHTSA plans to use the results of the study to update the current state of knowledge on driver distraction, attention management, and distraction/risk assessment.  On September 7, NHTSA issued a Notice of Proposed Rulemaking (“NPRM”) proposing to (1) require a seat belt warning system for the rear seats of passenger cars, trucks, most buses, and multipurpose passenger vehicles with a gross vehicle weight rating of 10,000 pounds or less; and (2) enhance the existing front seat belt warning requirements.  The NPRM contains a section on considerations for automated driving systems (ADS), including how to address ADS-equipped vehicles that do not have manually operated driving controls to ensure the same level of occupant protection as standard vehicles (i.e., both will be required to have seat belt warnings).  NHTSA stated it is not prepared to propose a solution for the visibility of rear seat belt warnings for ADS-equipped vehicles, but noted that future agency work related to telltales and indicators for ADS-equipped vehicles could be on the horizon.

Finally, on July 14 the National Institute of Standards and Technology (“NIST”) released for public comment the initial public draft of NIST Internal Report 8473, entitled Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure (EV/XFC).  The EV/XFC Cybersecurity Framework Profile is intended to aid organizations in managing threats to systems, networks, and assets within the EV/XFC ecosystem.  This EV/XFC Cybersecurity Framework Profile was designed for four key domains within the EV/XFC ecosystem: (i) Electric Vehicles (EV); (ii) Extreme Fast Charging (XFC); (iii) XFC Cloud or Third-Party Operations; and (iv) Utility and Building Networks.

While the comment periods for these activities have closed, we expect NHTSA and NIST to now review received feedback and take actions accordingly.

We will continue to update you on meaningful developments in these quarterly updates and across our blogs.

Photo of Jennifer Johnson Jennifer Johnson

Jennifer Johnson is a partner specializing in communications, media and technology matters who serves as Co-Chair of Covington’s Technology Industry Group and its global and multi-disciplinary Artificial Intelligence (AI) and Internet of Things (IoT) Groups. She represents and advises technology companies, content distributors…

Jennifer Johnson is a partner specializing in communications, media and technology matters who serves as Co-Chair of Covington’s Technology Industry Group and its global and multi-disciplinary Artificial Intelligence (AI) and Internet of Things (IoT) Groups. She represents and advises technology companies, content distributors, television companies, trade associations, and other entities on a wide range of media and technology matters. Jennifer has almost three decades of experience advising clients in the communications, media and technology sectors, and has held leadership roles in these practices for almost twenty years. On technology issues, she collaborates with Covington’s global, multi-disciplinary team to assist companies navigating the complex statutory and regulatory constructs surrounding this evolving area, including product counseling and technology transactions related to connected and autonomous vehicles, internet connected devices, artificial intelligence, smart ecosystems, and other IoT products and services. Jennifer serves on the Board of Editors of The Journal of Robotics, Artificial Intelligence & Law.

Jennifer assists clients in developing and pursuing strategic business and policy objectives before the Federal Communications Commission (FCC) and Congress and through transactions and other business arrangements. She regularly advises clients on FCC regulatory matters and advocates frequently before the FCC. Jennifer has extensive experience negotiating content acquisition and distribution agreements for media and technology companies, including program distribution agreements, network affiliation and other program rights agreements, and agreements providing for the aggregation and distribution of content on over-the-top app-based platforms. She also assists investment clients in structuring, evaluating, and pursuing potential investments in media and technology companies.

Photo of Nicholas Xenakis Nicholas Xenakis

Nick Xenakis draws on his Capitol Hill experience to provide regulatory and legislative advice to clients in a range of industries, including technology. He has particular expertise in matters involving the Judiciary Committees, such as intellectual property, antitrust, national security, immigration, and criminal…

Nick Xenakis draws on his Capitol Hill experience to provide regulatory and legislative advice to clients in a range of industries, including technology. He has particular expertise in matters involving the Judiciary Committees, such as intellectual property, antitrust, national security, immigration, and criminal justice.

Nick joined the firm’s Public Policy practice after serving most recently as Chief Counsel for Senator Dianne Feinstein (D-CA) and Staff Director of the Senate Judiciary Committee’s Human Rights and the Law Subcommittee, where he was responsible for managing the subcommittee and Senator Feinstein’s Judiciary staff. He also advised the Senator on all nominations, legislation, and oversight matters before the committee.

Previously, Nick was the General Counsel for the Senate Judiciary Committee, where he managed committee staff and directed legislative and policy efforts on all issues in the Committee’s jurisdiction. He also participated in key judicial and Cabinet confirmations, including of an Attorney General and two Supreme Court Justices. Nick was also responsible for managing a broad range of committee equities in larger legislation, including appropriations, COVID-relief packages, and the National Defense Authorization Act.

Before his time on Capitol Hill, Nick served as an attorney with the Federal Public Defender’s Office for the Eastern District of Virginia. There he represented indigent clients charged with misdemeanor, felony, and capital offenses in federal court throughout all stages of litigation, including trial and appeal. He also coordinated district-wide habeas litigation following the Supreme Court’s decision in Johnson v. United States (invalidating the residual clause of the Armed Career Criminal Act).

Photo of Jayne Ponder Jayne Ponder

Jayne Ponder counsels national and multinational companies across industries on data privacy, cybersecurity, and emerging technologies, including Artificial Intelligence and Internet of Things.

In particular, Jayne advises clients on compliance with federal, state, and global privacy frameworks, and counsels clients on navigating the…

Jayne Ponder counsels national and multinational companies across industries on data privacy, cybersecurity, and emerging technologies, including Artificial Intelligence and Internet of Things.

In particular, Jayne advises clients on compliance with federal, state, and global privacy frameworks, and counsels clients on navigating the rapidly evolving legal landscape. Her practice includes partnering with clients on the design of new products and services, drafting and negotiating privacy terms with vendors and third parties, developing privacy notices and consent forms, and helping clients design governance programs for the development and deployment of Artificial Intelligence and Internet of Things technologies.

Jayne routinely represents clients in privacy and consumer protection enforcement actions brought by the Federal Trade Commission and state attorneys general, including related to data privacy and advertising topics. She also helps clients articulate their perspectives through the rulemaking processes led by state regulators and privacy agencies.

As part of her practice, Jayne advises companies on cybersecurity incident preparedness and response, including by drafting, revising, and testing incident response plans, conducting cybersecurity gap assessments, engaging vendors, and analyzing obligations under breach notification laws following an incident.

Photo of Jorge Ortiz Jorge Ortiz

Jorge Ortiz is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and the Technology and Communications Regulation Practice Groups.

Jorge advises clients on a broad range of privacy and cybersecurity issues, including topics related to…

Jorge Ortiz is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and the Technology and Communications Regulation Practice Groups.

Jorge advises clients on a broad range of privacy and cybersecurity issues, including topics related to privacy policies and compliance obligations under U.S. state privacy regulations like the California Consumer Privacy Act.

Photo of Shayan Karbassi Shayan Karbassi

Shayan Karbassi is an associate in the firm’s Washington, DC office. He represents and advises clients on a range of cybersecurity and national security issues. As a part of his cybersecurity practice, Shayan assists clients with cyber and data security incident response and…

Shayan Karbassi is an associate in the firm’s Washington, DC office. He represents and advises clients on a range of cybersecurity and national security issues. As a part of his cybersecurity practice, Shayan assists clients with cyber and data security incident response and preparedness, government and internal investigations, and regulatory compliance. He also regularly advises clients with respect to risks stemming from U.S. criminal and civil anti-terrorism laws and other national security issues, to include investigating allegations of terrorism-financing and litigating Anti-Terrorism Act claims.

Shayan maintains an active pro bono litigation practice with a focus on human rights, freedom of information, and free media issues.

Prior to joining the firm, Shayan worked in the U.S. national security community.

Photo of Olivia Dworkin Olivia Dworkin

Olivia Dworkin minimizes regulatory and litigation risks for clients in the medical device, pharmaceutical, biotechnology, eCommerce, and digital health industries through strategic advice on complex FDA issues, helping to bring innovative products to market while ensuring regulatory compliance.

With a focus on cutting-edge…

Olivia Dworkin minimizes regulatory and litigation risks for clients in the medical device, pharmaceutical, biotechnology, eCommerce, and digital health industries through strategic advice on complex FDA issues, helping to bring innovative products to market while ensuring regulatory compliance.

With a focus on cutting-edge medical technologies and digital health products and services, Olivia regularly helps new and established companies navigate a variety of state and federal regulatory, legislative, and compliance matters throughout the total product lifecycle. She has experience counseling clients on the development, FDA regulatory classification, and commercialization of digital health tools, including clinical decision support software, mobile medical applications, general wellness products, medical device data systems, administrative support software, and products that incorporate artificial intelligence, machine learning, and other emerging technologies.

Olivia also assists clients in advocating for legislative and regulatory policies that will support innovation and the safe deployment of digital health tools, including by drafting comments on proposed legislation, frameworks, whitepapers, and guidance documents. Olivia keeps close to the evolving regulatory landscape and is a frequent contributor to Covington’s Digital Health blog. Her work also has been featured in the Journal of Robotics, Artificial Intelligence & Law, Law360, and the Michigan Journal of Law and Mobility.

Prior to joining Covington, Olivia was a fellow at the University of Michigan Veterans Legal Clinic, where she gained valuable experience as the lead attorney successfully representing clients at case evaluations, mediations, and motion hearings. At Michigan Law, Olivia served as Online Editor of the Michigan Journal of Gender and Law, president of the Trial Advocacy Society, and president of the Michigan Law Mock Trial Team. She excelled in national mock trial competitions, earning two Medals for Excellence in Advocacy from the American College of Trial Lawyers and being selected as one of the top sixteen advocates in the country for an elite, invitation-only mock trial tournament.

Photo of Jemie Fofanah Jemie Fofanah

Jemie Fofanah is an associate in the firm’s Washington, DC office. She is a member of the Privacy and Cybersecurity Practice Group and the Technology and Communication Regulatory Practice Group. She also maintains an active pro bono practice with a focus on criminal…

Jemie Fofanah is an associate in the firm’s Washington, DC office. She is a member of the Privacy and Cybersecurity Practice Group and the Technology and Communication Regulatory Practice Group. She also maintains an active pro bono practice with a focus on criminal defense and family law.