
The Risks of LLMs and Generative AI

[Modified version originally published as International Insights Article: Privacy implications for organizations using generative AI, by Lily Li, on OneTrust DataGuidance, June 2023.]

Well, the cat is out of the bag – or at least the chat is. Generative AI and large language models (“LLMs”) are here to stay. From philosophical conversations between the dead to Murakami-inspired artworks for downtown LA, the possibilities of user-friendly AI are limitless. Regulators are scrambling to enforce existing legislation and enact new legislation to contain this trend. But, like all enforcement, it will take time. As a result, many companies are moving quickly to adopt and deploy these tools, testing the legal and ethical boundaries of AI.

To stay competitive, companies should not wait for data protection regulators to play cat-and-mouse games with these nascent technologies. Instead, companies need to be proactive and adopt strategies to implement transparent and trustworthy AI – not just to avoid lawsuits and regulatory fines – but to protect their data and their brands. Companies also need to be able to account for the data they input into their generative AI or LLM algorithms, or else risk destruction of these algorithms altogether. In this article, we’ll discuss the latest privacy and security risks from generative AI and LLMs, a few of the existing privacy laws that apply to these technologies, and the potential for algorithmic disgorgement or deletion in response to privacy violations.

Social Engineering and Identity Verification

Generative AI has clearly passed the Turing test. From all outward appearances, companies and their employees cannot tell the difference between human-generated and AI-generated text. This makes it easier for traditional phishing emails and other scams to look legitimate to readers — making it far more likely for employees to click on malicious links and download malware.
Going one step further, generative AI can create realistic identities. From resumes to cover letters, online social media profiles to sample work product, these tools can improve a threat actor’s ability to pass itself off as a well-rounded individual, bypassing normal screening tools and even HR processes. In this era of remote work, it is easy to imagine malicious actors getting onboarded and hired due to their made-up “skills” and turning into insider threats once they gain access to company systems. This risk increases for companies that rely on virtual assistants and employees, where there are even fewer external validations of identity.

While companies often rely on phishing training and cyber insurance to mitigate traditional cyber-attacks, this is not enough going forward. Many cyber insurance policies exclude social engineering attacks, exclude activities involving managers or other high-level employees, or confine social engineering and phishing attacks to technological attacks and not traditional identity theft, crime, and fraud. Consequently, companies should consider AI-based email filtering systems and EDR/MDR systems to combat sophisticated phishing attacks. Security awareness training should extend beyond phishing training and include identity verification and reporting of suspicious activity across the organization. Companies should also consider HR and other vendor onboarding policies to include in-person vetting or other external validation for recruiting and outsourcing.

Privacy and DSAR Risks
  • Is Processing of Personal Data for Generative AI Lawful?
Large language models, and similar machine learning tools, have a privacy problem. All these systems rely on processing vast quantities of public and sometimes proprietary data to generate responses and analysis. Absent further safeguards, these inputs will likely contain personal data. Which then begs the question: where does this data come from, and is the processing lawful?

This question came to a head recently in Italy, where data protection authorities issued a temporary ban on ChatGPT,[1] citing OpenAI’s failure to provide transparent notices regarding how it processes the personal data of users and data subjects (required under Articles 12, 13, and 14 of the GDPR). More importantly, the authorities found no legal basis under Article 6 of the GDPR for the collection and processing of personal data to train OpenAI’s algorithms. Impacted data subjects did not consent to the processing and, reading between the lines, OpenAI’s legitimate interest was an insufficient basis for processing given the: (i) failure to provide notice; (ii) inability to correct and delete data; and (iii) heightened privacy risks for children due to the lack of age verification techniques. OpenAI subsequently addressed Italy’s concerns in sufficient detail to resume services,[2] but it remains unclear whether other data protection regulators in the EU will also confront OpenAI over the GDPR’s transparency and lawful bases requirements.

If businesses utilize generative AI and LLMs, they should be prepared to provide compliant privacy notices to data subjects, and either obtain their explicit consent or conduct a legitimate interest analysis prior to submitting any personal data to AI or LLM platforms. These data privacy risks also exist in the United States. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (“CPRA”), also requires businesses to provide transparent privacy notices and privacy rights to individuals.
In addition, CPRA has imported the GDPR concepts of data minimization and proportionality. Personal data processing needs to be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected.”[3] Consequently, companies should be wary of taking existing datasets containing personal information and running them through generative AI systems, if this use runs contrary to the expectations of data subjects when they originally submitted the data. Companies may need to re-evaluate their privacy notices and provide further notices regarding AI processing.

Furthermore, both GDPR and the CPRA (and similar US state laws) require covered organizations to give individuals the right to opt out of automated processing or automated decision-making, including profiling.[4] While California lawmakers have yet to issue regulations concerning automated decision-making, those regulations will likely align with GDPR concepts. This means that individuals will have the right to opt out of AIs making decisions that have legal effects, such as those surrounding employment, housing, or access to services and benefits. So, for those who are wondering, you can’t have chatbots all the way down — eventually, there needs to be a human decision-maker at the end of the line.
  • Who Owns the Data? Privacy Rights to Correct and Delete
Generative AI and LLMs also call into question the ownership and control of personal data. GDPR, CCPA, HIPAA, and GLBA, among other regulations, require covered entities to obtain contractual commitments from vendors that process personal data, PHI, or NPI on their behalf.[5] By giving company personal data to an AI system absent formal review, companies may be violating these laws, trading away the privacy of their customers, and giving up valuable IP to third parties. To combat this problem, companies should always read the terms and privacy policies of any new AI and LLM tools to confirm, as an initial step:
  • The company owns all content provided to the AI system and any output generated by the AI
  • The AI provider will provide appropriate technical and organizational measures to protect personal data
  • The AI provider will maintain the confidentiality of data and limit use of the data to those purposes disclosed by the AI provider (and similarly, disclosed by the company to the relevant data subjects)
  • The AI provider will assist the company in responding to privacy requests, including those that require correction and deletion of personal data
  • The AI provider has appropriate data transfer mechanisms in place if personal data will cross borders
Assuming the generative AI or LLM terms and privacy policies cover the items above, the company may need to negotiate additional clauses under GDPR, CCPA, HIPAA, and GLBA depending on whether regulated data is provided to these platforms. If these contractual commitments do not exist, then companies should consider policies prohibiting the disclosure of personal or proprietary data — or else risk unauthorized access or even public disclosure of this information.

Even if the terms and privacy policies guarantee the confidentiality of data, companies should still validate whether the generative AI or LLM model appropriately de-identifies or anonymizes personal data or proprietary data when it improves its language models. One of the most concerning issues with generative AI is its inexplicability — often the programmers creating the model do not even understand how the AI is generating its output. Thus, even if a data subject submits a deletion or correction request, it is unclear whether this request will be propagated through the model to remove/amend information that was previously fed into the model. Consequently, companies should test any generative AI or LLM model to confirm whether identifiable data is output from the model, based on test inputs.

Finally, even if a company does not input personal information into a generative AI or LLM platform, employees may be tempted to use these platforms to research or create media about a known individual. Unfortunately, generative AI regularly creates false information about individuals. At best, this may trigger notification to data subjects under Article 14 of the GDPR “from which source the personal data originate, and if applicable, whether it came from publicly accessible sources” — so they are aware of the processing and can exercise any privacy rights. At worst, publication of this personal data may be grounds for a defamation lawsuit. Once again, companies need to implement robust identity verification and external validation of AI output concerning personal data.
  • Children’s Privacy
The impact of generative AI and LLM products on children will be tremendous, given the ease and accessibility of chatbots, and the vast potential for personalized education, gaming, and social services. Companies operating in this space should pay close attention to children’s privacy rules that may impact their use or provision of generative AI and LLM products and services. California’s Age-Appropriate Design Code, modeled after the UK’s Age Appropriate Design Code, for instance, requires a data protection impact assessment and a “high level” of privacy for online providers of services, products, or features that are “likely to be accessed by children.”[6] This law covers children under the age of 18. In addition, COPPA – a US federal privacy law – requires clear and conspicuous privacy notices and affirmative consent by parents prior to collection of personal information from children under 13. Companies that offer products and services that may be attractive to children will need to implement these heightened privacy requirements, or in the alternative, implement robust age-gating techniques.

Regulatory Enforcement and Algorithmic Disgorgement

Once an AI system is trained on bad data, can it be saved? According to the U.S. Federal Trade Commission (FTC) – perhaps not. While there is currently no comprehensive federal legislation in the United States governing privacy or AI, the FTC does have the ability to regulate “unfair and deceptive acts or practices in or affecting commerce.”[7] The FTC has interpreted its enforcement power to include unfair and misleading practices regarding the collection and use of personal data – including, for example, actions against Cambridge Analytica for harvesting of Facebook user data, and against GoodRx Holdings for its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.[8] The FTC’s scrutiny of privacy and security practices extends to AI.
In January 2021, the FTC entered a settlement order with photo storage service Everalbum over allegations that it deceived consumers about its use of facial recognition technology.[9] While Everalbum allegedly represented that it would not apply facial recognition to users’ content unless they opted in, it applied facial recognition technology by default for most users without any ability to turn this feature off. As part of the settlement order, the FTC required Everalbum to delete all facial recognition models or algorithms developed with Everalbum users’ photos or videos.

More recently, the FTC required algorithmic destruction in an action against WW International, Inc., formerly known as Weight Watchers, and a subsidiary called Kurbo, Inc.[10] According to FTC Chair Lina Khan, “Weight Watchers and Kurbo marketed weight management services for use by children as young as eight, and then illegally harvested their personal and sensitive health information….Our order against these companies requires them to delete their ill-gotten data, destroy any algorithms derived from it, and pay a penalty for their lawbreaking.” Thus, AI companies face potential deletion or disgorgement of their algorithms if they collect personal data in an unfair or deceptive manner. While it may be tempting to amass larger and larger datasets to build the best algorithms, companies that rely on improper collection of data may find themselves bereft of their most valuable intellectual property.

Move Deliberately and Create Things

Generative AI and LLMs do not operate in a vacuum. They derive from the voices, both inspired and insipid, from all corners of the world wide web. And they create fabulous and fabulously weird content. We encourage companies to take advantage of generative AI and LLMs to create the next generation of personalized education, medicine, and creative exploration. At the same time, we encourage companies to be mindful of the existing rules that protect our privacy, so that transparent and trustworthy AI can be the foundation of these new creations.
[1] https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9870847
[2] https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9881490#english
[3] Cal. Civ. Code Section 1798.100(c)
[4] GDPR, Article 22; Cal. Civ. Code Section 1798.185(a)(16)
[5] See, e.g., GDPR, Article 28; Cal. Civ. Code Section 1798.140(ag)(1); 45 CFR Section 164.504(e) (Business Associate requirements under HIPAA)
[6] Cal. Civ. Code Section 1798.99.31(a)
[7] 15 U.S.C. Sec. 45(a)(1)
[8] See https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/privacy-security-enforcement for a list of FTC enforcement actions concerning privacy and cybersecurity
[9] https://www.ftc.gov/news-events/news/press-releases/2021/01/california-company-settles-ftc-allegations-it-deceived-consumers-about-use-facial-recognition-photo
[10] https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-company-formerly-known-weight-watchers-illegally-collecting-kids-sensitive

Meta fined US $1.3 billion for data transfer violations

The decade-long case on Meta’s transfer of EU personal data to the United States ended on May 22, 2023, with a €1.2 billion (US $1.3 billion) GDPR fine against Meta.[1] In addition, the Irish Data Protection Commission (DPC) exercised the following corrective powers against Meta:
  • An order, pursuant to Article 58(2)(j) of the GDPR, requiring Meta Ireland to suspend any future transfer of personal data to the US within five months.
  • An order, pursuant to Article 58(2)(d) of the GDPR, requiring Meta Ireland to bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR, within six months.[2]
The fine and corrective orders came after the Irish DPC found that Meta violated the GDPR by failing to protect EU Facebook users’ data from US surveillance practices and spy agencies. “We are happy to see this decision after ten years of litigation,” said the Austrian privacy activist Max Schrems.[3] “The fine could have been much higher, given that the maximum fine is more than 4 billion and Meta has knowingly broken the law to make a profit for ten years. Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems.”

The US Surveillance Problem

In its decision, the Irish DPC recognized that US intelligence authorities have seemingly unrestricted access to EU data flowing into the US, including data from Meta’s data transfers. This access is based on Section 702 FISA and on Executive Order 12333.[4] Section 702 FISA permits, following FISC approval, the surveillance of individuals who are not US citizens located outside of the US to obtain “foreign intelligence information.” Executive Order 12333 allows the NSA to access data “in transit” to the US, by accessing underwater cables on the Atlantic floor. When Meta transferred EU personal information to the US for processing, Section 702 FISA and Executive Order 12333 allowed US intelligence authorities to access that data for broad surveillance activities. This access threatens the fundamental rights and freedoms of EU data subjects. To protect EU data subjects from this threat, Meta relied on the Standard Contractual Clauses (SCCs) to provide a level of protection to EU data subjects that is essentially equivalent to that provided by EU law.[5] However, as this decision demonstrates, the SCCs fail to provide Meta’s EU users with an equivalent level of protection as provided by EU law.

The SCCs & the Ongoing EU-US Data Transfer Issues

The Irish DPC’s decision continues the decade-long struggle for the EU and US to establish a valid data transfer mechanism.
In 2000, the US and EU developed the International Safe Harbor Privacy Principles to prevent private organizations within either country from accidentally losing or disclosing personal information. The European Commission decided that these principles complied with the EU Data Protection Directive, thereby allowing the flow of data between countries. However, the European Court of Justice declared in October 2015 that the Safe Harbor decision was invalid. Subsequently, in 2016, the US and EU developed the EU-US Privacy Shield, a legal framework for regulating and enabling transatlantic exchanges of personal data between the countries. Yet, as with Safe Harbor, the European Court of Justice declared Privacy Shield invalid in July 2020. This left companies to rely on contractual mechanisms, known as the SCCs, to transfer data between the countries without violating the GDPR. However, as the Irish DPC decision demonstrates, even though Meta relied on the SCCs, the SCCs failed to provide the protection necessary to ensure the transfer protected EU data subjects in accordance with the GDPR.

Leaders within the US and EU announced in 2022 that a new data transfer framework called the Trans-Atlantic Data Privacy Framework (TADPF) had been agreed upon, but it is uncertain whether this framework will survive scrutiny from the European Court of Justice. The TADPF attempts to address the US surveillance problem by, in part, restricting access to EU personal information by US intelligence agencies to that which is “necessary and proportionate to protect national security.”[6] However, prominent privacy activists have expressed skepticism over how US surveillance can be “necessary and proportionate” under EU law.[7] In the meantime, without an international data transfer framework and with the sufficiency of the SCCs in question, companies will need to be cautious in how and when they transfer EU personal information from the EEA to the US.
Meta to Appeal

In response to the decision, Meta announced that it will appeal the ruling and the “unjustified and unnecessary fine.”[8] However, given the breadth of the decision, it seems unlikely that Meta will win on appeal. In the meantime, Meta announced that there would be “no immediate disruption” to Facebook in Europe, as the decision provides Meta with an implementation period. If that implementation period runs out and Meta still lacks a valid legal mechanism by which to transfer data from the EEA to the US, then Meta may have to fragment its organization to ensure that EEA personal information largely remains stored in EEA databases.
[1] https://edpb.europa.eu/system/files/2023-05/final_for_issue_ov_transfers_decision_12-05-23.pdf
[2] https://noyb.eu/sites/default/files/2023-05/DPC%20Press%20Release.pdf
[3] https://noyb.eu/en/edpb-decision-facebooks-eu-us-data-transfers-stop-transfers-fine-and-repatriation
[4] https://edpb.europa.eu/system/files/2023-05/final_for_issue_ov_transfers_decision_12-05-23.pdf, at 7.51.
[5] https://www.metaverse.law/2020/11/30/eu-us-data-transfers-after-schrems-ii-european-commission-publishes-new-draft-standard-contractual-clauses/
[6] https://ec.europa.eu/commission/presscorner/detail/en/ip_22_7631
[7] https://noyb.eu/en/open-letter-future-eu-us-data-transfers
[8] https://about.fb.com/news/2023/05/our-response-to-the-decision-on-facebooks-eu-us-data-transfers/

The EU’s Digital Markets Act: Who it regulates, how to comply, and next steps

On October 12, 2022, the Digital Markets Act (DMA) was published in the Official Journal of the EU, thereby creating a new framework for regulating the European Union’s digital market.[1] The DMA seeks to prohibit certain unfair business practices by establishing rules and obligations for entities known as “gatekeepers,” which are large online platforms whose services have a significant impact on the EU internal market.[2] The DMA works in conjunction with its sibling law, the Digital Services Act (DSA), to create an online environment designed to protect the fundamental rights of users and to establish a level playing field for economic growth. However, the DMA — like the DSA and the General Data Protection Regulation (GDPR) — can apply internationally to companies based outside of the EU, so all large online platforms should be aware of what the DMA could mean for businesses that qualify as gatekeepers.

Background

On December 15, 2020, the DMA was proposed by the European Commission to the European Parliament and to the Council of the EU, alongside the DSA.[3] The DMA and the DSA seek to actualize Ursula von der Leyen’s call to regulate the EU’s digital market, thereby upgrading the liability, safety, and fairness of digital platforms.[4] On March 24, 2022 — after years of negotiations — the Parliament, the Council, and the Commission reached a consensus on key provisions, including the interoperability provisions for large messaging platforms and noncompliance penalties.[5] The text of the DMA was then made public on May 22, 2022.[6] From there, the DMA moved swiftly through the legislative process: on July 5, Parliament formally adopted it;[7] on July 19, the Council formally adopted it;[8] on September 14, the DMA was signed into law;[9] and on October 12, the adopted text was published in the Official Journal of the European Union, thereby setting it to come into force twenty days later.[10]

To whom does the DMA apply?
The DMA applies to “gatekeepers” that provide or offer “core platform services” to users in the Union, irrespective of whether the gatekeeper is located or established in the EU. A “core platform service” is broadly defined to include a wide range of Internet infrastructure and services, including:
  • Online search engines;
  • Online social networking services;
  • Video-sharing platform services;
  • Operating systems;
  • Web browsers;
  • Cloud computing services;
  • Online advertising services;
  • And more.
Given how broadly the DMA defines core platform services, the core question for most entities is whether their services reach enough EU individuals to establish them as a gatekeeper under the law. A “gatekeeper” is an entity that meets all of the following:
Statutory criteria (with the thresholds under which each criterion is presumed satisfied):
  1. Has a significant impact on the EU internal market. Presumed satisfied if the entity:
    • achieves an annual EU turnover of at least EUR 7.5 billion in each of the previous financial years, or has an average market capitalization or fair market value of at least EUR 75 billion in the last financial year; and
    • provides the same core platform service in at least three Member States.
  2. Provides a core platform service that is an important gateway for business users to reach end users. Presumed satisfied if the entity:
    • provides a core platform service that in the last financial year has at least 45 million monthly active end users in the EU; and
    • has at least 10,000 yearly active business users established in the EU.
  3. Currently enjoys, or will foreseeably enjoy in the near future, an entrenched and durable position in its operations. Presumed satisfied if, in each of the last three financial years, the entity:
    • has provided a core platform service that has at least 45 million monthly active end users in the EU; and
    • has at least 10,000 yearly active business users established in the EU.
The DMA puts the onus on companies and other entities to determine for themselves whether they satisfy the above requirements to be labeled a gatekeeper under the law. If an entity makes such a determination, it must notify the European Commission within two months after the thresholds are met. However, even if an entity fails to make such a notification, the Commission can determine for itself whether an entity is a gatekeeper.

Can the Digital Markets Act apply to entities outside of the EU?

Yes. The DMA applies to any gatekeeper that provides or offers core platform services to users in the Union, irrespective of whether the gatekeeper is located or established in the EU. However, providing or offering a core platform service is not sufficient in itself to establish an online platform as a covered gatekeeper. The online platform must satisfy all three of the criteria above. And as the explanatory presumptions for each criterion demonstrate, the online platform must have a substantial number of EU users (e.g., 45 million monthly active end users in the EU). Thus, online platforms must be vigilant in monitoring the number of monthly users in the EU, because qualifying as a gatekeeper appears to hinge on the platform’s userbase reach. Of course, tracking this data must be done appropriately and with careful consideration, given that the online platform would also have to comply with the GDPR’s data minimization and purpose limitation principles.

Does the DMA treat all gatekeepers equally?

No. The DMA prescribes a number of prohibitions and mandatory actions on all gatekeepers. These include:
  • Not combining personal data from the core platform service with personal data from any other core platform services, any other services provided by the gatekeeper, or with personal data from third-party services (Art. 5(2)(b)).
  • Not requiring users to sign in to other services in order to combine personal data (Art. 5(2)(d)).
  • Allowing business users, free of charge, to promote their offers and conclude contracts with customers outside the gatekeeper’s platform (Art. 5(4)).
  • Providing companies advertising on the platform with the daily information, free of charge, concerning each advertisement placed on the core platform (Art. 5(9)-(10)).
However, per Article 8, some obligations are subject to specification. The Commission, either on its own initiative or based on a submission by a gatekeeper, can open a procedure that will lead to the Commission specifying some measures that the gatekeeper must adopt in order to effectively comply with the DMA. The provisions subject to specification are found in Articles 6 and 7, and they include:
  • Allowing third parties to interoperate with the gatekeeper’s own services in certain situations (Art. 6(7)).
  • Allowing business users to access the data they generate in their use of the gatekeeper’s platform (Art. 6(10)).
  • Providing companies advertising on the platform with the tools necessary for advertisers and publishers to carry out their own independent verification of advertisements hosted by the gatekeeper (Art. 6(8)).
  • Not preventing users from uninstalling any pre-installed software or app, if they wish to (Art. 6(3)).
  • Not treating services and products offered by the gatekeeper itself more favorably in ranking than similar services or products offered by third parties on the gatekeeper’s platform (Art. 6(5)).
  • Not preventing consumers from linking up to businesses outside their platforms (Art. 6(6)).
This means that, while all gatekeepers must adhere to the DMA’s obligations, some gatekeepers may have specific instructions on how to satisfy the requirements within the context of that gatekeeper’s unique situation.

Are the enforcement penalties harsher than under the GDPR?

Yes. Under the DMA, if the gatekeeper intentionally or negligently fails to comply with certain requirements, the Commission may impose a fine of up to 10% of the gatekeeper’s worldwide turnover in the preceding financial year. By contrast, GDPR violations can result in a fine of up to EUR 20 million or 4% of a company’s worldwide annual revenue from the preceding financial year, whichever is higher. And it’s worth recalling that gatekeepers are, by definition, extremely large companies serving many millions of users, so the company’s annual worldwide turnover would presumably be large as well.

What are the next steps for the DMA?

Within two months of May 2023, companies providing core platform services must notify the Commission and provide all relevant information for determining whether the company qualifies as a gatekeeper. The Commission will then have two months to decide whether to make such a designation. If a company is deemed a gatekeeper, the company will have six months to comply with the DMA’s rules and obligations.
[1] https://www.skadden.com/insights/publications/2022/10/eu-digital-markets-act-enters-into-force
[2] https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/digital-markets-act-ensuring-fair-and-open-digital-markets_en
[3] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0842
[4] https://digital-strategy.ec.europa.eu/en/policies/digital-services-act-package
[5] https://www.engadget.com/europe-digital-markets-act-005742387.html
[6] https://www.consilium.europa.eu/en/press/press-releases/2022/03/25/council-and-european-parliament-reach-agreement-on-the-digital-markets-act/
[7] https://www.europarl.europa.eu/news/en/press-room/20220701IPR34364/digital-services-landmark-rules-adopted-for-a-safer-open-online-environment
[8] https://www.consilium.europa.eu/en/press/press-releases/2022/07/18/dma-council-gives-final-approval-to-new-rules-for-fair-competition-online/
[9] https://twitter.com/EP_SingleMarket/status/1570062248961363969
[10] https://www.consumerprivacyworld.com/2022/10/dma-eu-publishes-the-new-digital-markets-act/

The Digital Services Act: EU’s new gold standard for regulating online services and search engines

On October 19, 2022, the Digital Services Act (DSA) was published in the Official Journal of the European Union, thereby triggering its entry into force.[1] The DSA creates a first-of-its-kind regulatory framework that, like the General Data Protection Regulation (GDPR), could set an international benchmark for regulating intermediary services such as search engines, e-commerce platforms, hosting services, and more.[2] To achieve these regulatory goals, the DSA creates a pyramid-like, category-based approach to applying obligations to intermediary services, with those at the bottom of the pyramid having the least obligations. If an intermediary service falls into a higher category, then the service has stricter obligations in addition to those of services in the lower category. Given that the DSA could apply internationally and introduces a plethora of onerous obligations, it is important to review its scope, requirements, and what these could mean for businesses around the world.

Background

On March 1, 2018, the European Commission published the non-binding Commission Recommendation 2018/314, calling for the need to address “illegal online content” and its “serious negative consequences for users.”[3] On July 16, 2019, Ursula von der Leyen, then-candidate for President of the European Commission, announced her political guidelines for the 2019-2024 Commission, in which she called for a “new Digital Services Act” to upgrade liability and safety rules for digital platforms, services, and products.[4] To this end, the Commission launched a public consultation process to gather comments and evidence regarding how online platforms should be regulated.[5] Then, the Commission published the proposal for the Digital Services Act on December 15, 2020, alongside an evidence-based impact assessment.[6] On April 22, 2022, European policymakers in Brussels reached an agreement after 16 hours of negotiations,[7] and a few months later the European Parliament approved the DSA along with the Digital Markets Act.[8] And finally, four years after its conception by Ursula von der Leyen, the DSA was published in the Official Journal of the European Union on October 19, 2022, thereby marking its entry into force.

To whom does the DSA apply?

The DSA applies to any intermediary service offered to natural or legal persons that have their place of establishment or are located in the EU, irrespective of whether the provider of that intermediary service is established in the EU. The DSA broadly defines “intermediary service” to include a number of service categories, including:
  • Mere conduits of transmissions, such as top-level domain name registries, DNS services and resolvers, certificate authorities that issue digital certificates, and more.
  • Caching services, such as the provision of content delivery networks and reverse proxies.
  • Hosting services, such as cloud computing, web hosting, file storage, and more.
  • Online platforms, which is a subcategory of hosting services:
    • Online platforms are hosting services that are primarily used, at the request of a recipient of the service, to store and disseminate information to the public, such as e-commerce marketplaces, app stores, social media platforms, and more.
  • Search engines, such as Google, Bing, and other online services that allow users to input queries to perform searches.
  • Very large online platforms and search engines, which is a special designation given to online platforms or search engines that reach at least 45 million recipients in the EU.
Recital 29 of the DSA states that whether a specific intermediary service constitutes a mere conduit, a caching service, or a hosting service — which is the first question a business should consider — depends solely on the service’s technical functionalities and should be assessed on a case-by-case basis. And this analysis is important, because the category in which a service lands will determine the number of obligations required under the law. And there are many obligations.

Can the DSA apply to companies outside of the EU?

Yes. The DSA applies to any intermediary service offered to natural or legal persons that have their place of establishment or are located in the EU, irrespective of whether the intermediary service is established in the EU. However, while this scope may appear overly broad, the law clarifies in Article 3 and Recitals 7 – 8 that the intermediary service must have a “substantial connection to the Union” to be covered. Such a substantial connection results from:
  1. Having an establishment in the EU; or
  2. Having a significant number of recipients of the service in a Member State; or
  3. Targeting activities toward a Member State, which can result from:
    1. the use of a Member State’s language or currency;
    2. the possibility of EU recipients ordering products or services;
    3. the use of a relevant top-level domain;
    4. the availability of an app in a relevant national app store;
    5. advertising in a Member State or in a language used by a Member State;
    6. providing customer services in a language generally used in a Member State.
While the law requires a substantial connection, the possibility of falling into the extraterritorial scope, much like the GDPR, requires companies to take care in considering how they advertise or offer their intermediary service and whether such advertising or offerings could place them squarely in the scope of the law.

Does the DSA treat all online intermediary services equally?

No. The DSA uses a tiered, pyramid-like approach to impose cumulative obligations on the various categories of intermediary services.

Obligations for all providers of intermediary services

The bottom of this pyramid-like framework includes all providers of intermediary services. The DSA imposes on this category a substantial list of due diligence and transparency obligations. These include:
  1. Designating a single point of contact for communicating with Member State authorities (Article 11).
  2. Designating a single point of contact for communicating with recipients of the service (Article 12).
  3. Providing information in the terms and conditions about any policies, procedures, measures, and tools used for content moderation, algorithmic decision-making, and the handling of internal complaints (Article 14).
  4. Making publicly available a yearly content moderation report (Article 15).
  5. For providers that do not have an establishment in the EU but fall within the law’s extraterritorial scope: designating a legal representative in a Member State and ensuring the representative can be held liable for non-compliance with obligations under the DSA (Article 13).

Additional obligations for hosting services and the subcategory of online platforms

In addition to the above obligations, providers of hosting services and providers of online platforms must satisfy the following obligations:
  1. Creating a mechanism through which any individual or entity can notify the provider about the presence of information on the service that the individual or entity considers illegal (Article 16).
  2. Providing a clear and specific statement of reasons to recipients affected by restrictions imposed on the ground that information provided by the recipient is illegal or incompatible with the provider’s terms and conditions (Article 17).
  3. Notifying law enforcement or judicial authorities if the provider becomes aware of information giving rise to certain legally-prescribed criminal offenses (Article 18).

Additional obligations just for providers of online platforms

In addition to the two lists of obligations above, providers of online platforms — the subcategory of hosting services — must also satisfy the following obligations:
  1. Creating an internal complaint-handling system through which recipients can, free of charge, lodge complaints against the provider, and provide recipients with access to the system for at least six months following certain decisions that may affect the recipient (Article 20).
  2. Allowing recipients to select any out-of-court dispute settlement body certified under the DSA to resolve disputes relating to Article 20 decisions (Article 21).
  3. Implementing technical and organizational measures to ensure notices submitted by trusted flaggers — that is, entities awarded this role by a Member State’s Digital Services Coordinator — are prioritized, processed, and decided upon without undue delay (Article 22).
  4. Suspending recipients that frequently provide manifestly illegal content (Article 23).
  5. Making publicly available a yearly content moderation report that, in addition to the Article 15 requirements, shall detail the number of disputes submitted to out-of-court dispute settlement bodies pursuant to Article 21 and the number of recipients suspended pursuant to Article 23 (Article 24).
  6. Designing, organizing, and operating the online platform’s interfaces in a way that does not deceive or manipulate recipients so as to materially distort or impair their ability to make free and informed decisions (Article 25).
  7. Ensuring that each advertisement presented to recipients via the online platform’s interface contains certain legally-prescribed disclosures (Article 26).
  8. Implementing measures to ensure a high level of privacy, safety, and security for minors, if the online platform is accessible to minors (Article 28).
It is important to note that most of these obligations do not apply to providers of online platforms that qualify as micro or small enterprises. A micro enterprise is one that employs fewer than 10 people and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million. A small enterprise is one that employs fewer than 50 people and whose annual turnover and/or annual balance sheet does not exceed EUR 10 million.

Additional obligations for very large online platforms and online search engines

The DSA imposes even more obligations on providers of “very large” online platforms or search engines. To be given this designation, the online platform or search engine must have at least 45 million monthly active EU recipients and have been recognized as “very large” by the European Commission. Once given such a designation, the very large online platform or search engine has four months before the following obligations apply:
  1. Conducting yearly risk assessments of its service and systems, including algorithmic systems (Article 34).
  2. Implementing mitigation measures tailored to the specific risks identified by the yearly risk assessment (Article 35).
  3. Taking actions specified by the European Commission in response to a crisis (Article 36).
  4. Paying for independent audits on a yearly basis to ensure compliance with the DSA (Article 37).
  5. Creating a searchable repository of legally-specified information relating to advertisements on the online platform or search engine (Article 39).
  6. Providing the European Commission or the Digital Services Coordinator with information necessary to monitor and assess compliance with the DSA (Article 40).
  7. Establishing a compliance function, giving it sufficient authority, stature, resources, and access to management to monitor compliance with the DSA (Article 41).
  8. Making publicly available the Article 15 content moderation report every six months (Article 42).
  9. Paying an annual supervisory fee for their designation as “very large” (Article 43).
Are the enforcement penalties harsher than the GDPR?

Yes. The DSA requires Member States to lay down rules on penalties for infringements of the law by providers of intermediary services. The DSA requires Member States to ensure that the maximum amount of fines that may be imposed for a failure to comply with any obligation under the DSA shall be 6% of the annual worldwide turnover of the provider’s preceding financial year. However, less serious infringements under the DSA, such as supplying misleading information or failing to submit to an inspection, shall result in a fine of up to 1% of the provider’s annual income or worldwide turnover in the preceding financial year. By contrast, GDPR violations could result in a fine of up to EUR 20 million or 4% of a company’s worldwide annual revenue from the preceding financial year, whichever is higher.

What are the next steps for the DSA?

The bulk of the DSA’s obligations shall apply starting February 17, 2024. However, by February 17, 2023 and at least once every six months thereafter, all providers of intermediary services must publish information on the service’s average monthly active recipients in the Union.
[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2065&qid=1666966938325
[2] https://www.euractiv.com/section/digital/news/digital-agenda-autumn-winter-policy-briefing/
[3] https://eur-lex.europa.eu/eli/reco/2018/334/oj/eng
[4] https://op.europa.eu/en/publication-detail/-/publication/43a17056-ebf1-11e9-9c4e-01aa75ed71a1
[5] https://techcrunch.com/2020/06/02/europe-asks-for-views-on-platform-governance-and-competition-tools/
[6] https://digital-strategy.ec.europa.eu/en/library/impact-assessment-digital-services-act
[7] https://www.nytimes.com/2022/04/22/technology/european-union-social-media-law.html
[8] https://www.europarl.europa.eu/news/en/press-room/20220701IPR34364/digital-services-landmark-rules-adopted-for-a-safer-open-online-environment

What the EU’s Artificial Intelligence Act will mean for the global AI industry

On April 21, 2021, the European Commission proposed the Artificial Intelligence Act (AIA), a regulatory and legal framework for artificial intelligence systems.[1] On December 5, 2022, the Council of the European Union adopted its general approach to the AIA, which incorporated changes to the regulation.[2][3] Germany announced support for the AIA, but “sees some need for improvements.”[4] In similar fashion, the Federal Trade Commission (FTC) published an article on April 19, 2021, calling for the integration of truth, fairness, and equity into the use of AI.[5] Later that year, the FTC announced that it was considering initiating rulemaking to, in part, ensure that algorithmic decision-making does not result in unlawful discrimination.[6] Given this growing international interest in regulating AI systems, it is important to note that the AIA was drafted to have an extraterritorial effect much like the EU’s General Data Protection Regulation (GDPR). The GDPR became a global model for data protection laws across the world, including the California Consumer Privacy Act (CCPA), and the AIA could similarly establish a worldwide standard for AI regulation – especially if the FTC is considering initiating rulemaking for algorithmic systems. So, while the draft AIA will likely see more changes, the proposed regulation appears sufficiently settled for analysis of its requirements and potential global effects. This article provides an overview of the major legal takeaways from the AIA, including which AI systems are outright prohibited and which are less regulated.

Background

As early as 2017, the European Council called for a “sense of urgency to address emerging trends,” including “issues such as artificial intelligence . . ., while at the same time ensuring a high level of data protection, digital rights and ethical standards.”[7] On July 16, 2019, Ursula von der Leyen, then-candidate for President of the European Commission, announced her political guidelines for the 2019-2024 Commission, in which she called for legislation for a coordinated EU approach on the human and ethical implications of AI.[8] Following this announcement, the Commission published a white paper on AI, “A European approach to excellence and trust.”[9] This paper sets out policy options for how to achieve the goal of promoting AI adoption while also addressing the risks associated with certain uses of AI. The AIA draft proposed on April 21, 2021, delivers on now-President von der Leyen’s political commitments announced in 2019 and the white paper’s stated objectives. The result is a legal framework presenting a balanced, proportionate regulatory approach that seeks to address the risks and problems with AI, without unduly constraining or hindering AI development on the market.

To whom does the AIA apply?

Like the GDPR’s territorial scope in Article 3, the AIA’s scope in Article 2 covers providers that place AI systems on the EU market, or put them into service in the EU, irrespective of whether those providers are established within the EU. A “provider” is any natural or legal person, public authority, agency, or other body that develops an AI system or that has an AI system developed. An AI is “put into service” by a provider when the provider supplies an AI system for first use directly to a user or for the provider’s own use on the EU market. An AI is placed “on the market” by a provider when the AI is distributed or used on the EU market in the course of a commercial activity, whether in return for payment or free of charge. Taken together, this means that the AIA does not apply to private, non-professional use, but anyone supplying, using, or distributing AI systems on the EU market to users or for their own purposes may fall within the regulation’s scope.

Can the EU’s proposed AI regulation apply to AI creators and companies outside of the EU?

Yes. The AIA applies to AI systems used by natural or legal persons, including public authorities, agencies, or other bodies, who are physically present or established within the Union. However, the regulation’s reach extends beyond the EU’s borders. The AIA covers natural or legal persons, including public authorities, agencies, or other bodies, who are physically present or established “in a third country, where the output produced by the system is used in the Union.” The AIA also applies to any natural or legal person that makes an AI system available on the EU market. This extraterritorial scope, like the GDPR’s, means companies outside of the EU should take care in considering how and where their AI systems are used.

Does the EU’s proposed AI regulation provide data subjects with additional rights?

No. The AIA does not provide additional rights to data subjects. Instead, as a piece of product regulation, the AIA takes aim at the AI systems themselves, by either prohibiting a particular AI system or requiring it to conform to a list of obligations. That said, the AIA recognizes the need for new AI technologies to be “developed and functioning according to Union values, fundamental rights, and principles.” This includes rights provided under the GDPR, such as an individual’s right to restrict processing (Article 18) and the right of deletion / erasure (Article 17). Furthermore, a controller using an AIA-covered AI system must satisfy their GDPR notice obligations to data subjects (Articles 12 – 14).

Does the EU’s proposed AI regulation cover all algorithm-based systems?

No. The AIA draft proposed on April 21, 2021, defined “AI system” so broadly that it seemed to encompass most software, which prompted EU Member States to propose a narrower definition.[10] The version adopted by the Council of the EU on December 5, 2022, recognizes the need to more narrowly define “AI system” to “provide sufficiently clear criteria for distinguishing AI from more classical software systems.” Thus, the current AIA draft defines “AI system” to target systems developed through machine learning and logic- and knowledge-based approaches. In addition, an AI system using one of these approaches must operate with elements of autonomy and, based on machine and/or human-provided data and inputs, infer how to achieve a given set of objectives. This definition is recognized by the Council as a “compromise” between those calling for a broader definition and those calling for a narrower one, and as such, it remains subject to change.

Does the proposed AI regulation treat all covered AI systems equally?

No. The regulation uses a risk-based approach to separate covered AI systems into four categories:

Unacceptable Risk

The AIA contains a limited list of particularly harmful AI systems found to contravene EU values. Because the risk of harm is unacceptably high, these AI systems are prohibited under the regulation. This list includes:
  1. An AI system that subliminally manipulates a person, thereby materially distorting the person’s behavior in a manner that causes or is reasonably likely to cause physical or psychological harm.
  2. An AI system that exploits the vulnerabilities of individuals due to age, disability, or socioeconomic status, resulting in physical or psychological harm.
  3. An AI system that analyzes individuals to create a social score, which leads to detrimental or unfavorable treatment unrelated to the contexts in which the data was originally generated or collected.
  4. Some uses of remote biometric identification for law enforcement purposes in publicly accessible spaces (e.g., facial recognition technology).
A full list of prohibited AI systems can be found in Article 5 of the AIA.

High-Risk

Most of the AIA’s legal obligations and burdens fall on AI systems deemed to be “high-risk” under the regulation. An AI system is considered “high-risk” under the AIA if the AI system is itself a product or is intended to be used as a safety component of a product, and the product is subject to an existing third-party conformity assessment (e.g., medical devices, machinery, engine-powered vehicles, certain stand-alone AI systems in employment, education, and immigration, etc.). A high-risk AI system can only be used in the EU or put on the EU market if the AI system complies with the AIA’s legal obligations. These include:
  1. A risk management system (Article 9).
  2. Adherence of training, validation, and testing data to quality criteria (Article 10).
  3. Technical documentation describing how the AI system complies with applicable rules, including law enforcement purposes (Article 11).
  4. Record-keeping requirements to ensure traceability of the AI system’s functions (Article 12).
  5. Transparency requirements to enable users to understand the system’s output and use (Article 13).
  6. Providing adequate human oversight of the AI system’s operations (Article 14).
  7. Ensuring the AI system achieves appropriate levels of accuracy, robustness, and cybersecurity (Article 15).
The AIA imposes further obligations on AI system developers, which include:
  1. Maintaining a quality management system (Article 17).
  2. Ensuring the system undergoes a conformity assessment procedure (Article 19).
  3. Maintaining automatically generated logs (Article 20).
  4. Taking corrective actions if the system is found not to conform with the AIA (Article 21).
  5. A duty to notify serious incidents or malfunctions to national competent authorities (Article 22).
Limited Risk

Title IV of the AIA creates new transparency obligations for certain AI systems. For example, users of emotion recognition systems or biometric categorization systems must be informed of the operation of the system. In addition, users of an AI system that generates deep fake images or content must be informed that the content has been artificially generated or manipulated. Similar to the GDPR, these disclosures must be provided to the user in a clear and distinguishable manner no later than the user’s first interaction or exposure to the AI system.

Minimal / No Risk

If an AI system does not fall into one of the above categories, then it can be developed and used in the EU subject to existing regulation without any additional legal obligations under the AIA. That said, the Council encourages developers of AI systems in this category to “create codes of conduct intended to foster the voluntary application of the requirements applicable to high-risk AI systems, adapted in light of the intended purpose of the systems and the lower risk involved.”[11]

Are the enforcement penalties harsher than the GDPR?

Yes. Non-compliance with the AIA’s list of prohibited AI systems in Article 5 could be subject to an administrative fine of up to €30 million or, if the offender is a company, up to 6% of its worldwide annual turnover for the preceding financial year, whichever is higher. By contrast, serious GDPR violations can result in a fine of up to €20 million or 4% of a company’s worldwide annual revenue from the preceding financial year, whichever is higher. For less serious infringements under the AIA, the offender could be subject to administrative fines of up to €20 million or, if the offender is a company, up to 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher. This too is higher than the GDPR’s fines for less severe infringements.

What are the next steps for the AIA?

The Parliament is scheduled to vote on the current draft of the AIA by the end of March 2023. After this, Member States, the Parliament, and the European Commission will begin discussions of the AIA in April 2023. This timeline could lead to an adoption of the AIA by the end of 2023.
[1] https://artificialintelligenceact.eu/wp-content/uploads/2022/05/AIA-COM-Proposal-21-April-21.pdf
[2] https://www.consilium.europa.eu/en/press/press-releases/2022/12/06/artificial-intelligence-act-council-calls-for-promoting-safe-ai-that-respects-fundamental-rights/
[3] https://data.consilium.europa.eu/doc/document/ST-14954-2022-INIT/en/pdf
[4] https://data.consilium.europa.eu/doc/document/ST-14954-2022-ADD-1/en/pdf
[5] https://www.ftc.gov/business-guidance/blog/2021/04/aiming-truth-fairness-equity-your-companys-use-ai
[6] https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202210&RIN=3084-AB69
[7] https://www.consilium.europa.eu/media/21620/19-euco-final-conclusions-en.pdf
[8] https://op.europa.eu/en/publication-detail/-/publication/43a17056-ebf1-11e9-9c4e-01aa75ed71a1
[9] https://commission.europa.eu/publications/white-paper-artificial-intelligence-european-approach-excellence-and-trust_en
[10] https://www.wired.com/story/artificial-intelligence-regulation-european-union
[11] https://artificialintelligenceact.eu/wp-content/uploads/2022/05/AIA-COM-Proposal-21-April-21.pdf