Legal developments in data, privacy, cybersecurity, and other emerging technology issues

  • Posts by Ahmad H. Sabbagh
    Associate

    Ahmad Sabbagh is a corporate attorney in the firm’s Commercial Transactions and Technology Transactions practice groups who focuses his practice on drafting and negotiating agreements in the automotive and technology spaces ...

Since the arrival of AI programs like OpenAI’s ChatGPT, Google’s Bard, and other similar technologies (“Generative AI”) in late 2022, more programs have been introduced and several existing programs have been upgraded or enhanced, including ChatGPT’s upgrade to ChatGPT-4. Our previous posts have identified the features and functionality of Generative AI programs and outlined the emerging regulatory compliance requirements related to such programs. This post discusses how regulatory agencies worldwide have begun to address these issues.

Since late 2022, terms like “large language models,” “chat-bots,” and “natural language processing models” increasingly have been used to describe artificial intelligence (AI) programs that collect data and respond to questions in a human-like fashion, including Bard and ChatGPT. Large language models collect data from a wide range of online sources, including books, articles, social media accounts, blog posts, databases, websites, and other general online content. They then provide logical and organized feedback in response to questions or instructions posed by users. The technology is capable of improving its performance and otherwise building its knowledge base through its internal analysis of user interactions, including the questions that users ask and the responses provided. These AI programs have a variety of applications and benefits, but businesses should be aware of potential privacy and other risks when adopting the technology.

As part of a larger trend of legal developments with respect to cybersecurity throughout the United States, the SEC recently proposed certain rules intended to increase and standardize a public company’s reporting and disclosure requirements regarding cybersecurity incidents and risk management (the “Proposed Rules”). Generally, the Proposed Rules require the disclosure of information related to a company’s: (i) material cybersecurity incidents; (ii) cybersecurity risk management and strategy; (iii) cybersecurity governance; and (iv) board member and management cybersecurity expertise. Specifically, and as more fully set forth in the discussion below, the Proposed Rules seek to amend Forms 6-K, 8-K, 10-K, 10-Q, 20-F, and Items 106 and 407 of Regulation S-K. Below, we have provided a brief summary of each of the Proposed Rules and the impact the reporting and disclosure requirements under such Rules would have on a public company.

Topics: SEC

On March 24, 2022, Utah joined California, Virginia and Colorado to become the fourth state to enact a comprehensive consumer privacy law. The Utah Consumer Privacy Act (the “UCPA”) has similarities to the existing privacy laws enacted by California (the “CCPA”), Virginia (the “VCDPA”) and Colorado (the “CPA”). Certain aspects of the UCPA’s approach, however, are distinct from those other privacy laws. Generally, the UCPA applies to a narrower scope of businesses, and more categories of data fall outside of the UCPA’s definition of “personal data,” thereby imposing less of a burden on businesses. Below we’ve provided a high-level summary of the UCPA’s general requirements and certain of its differences and similarities to consumer privacy laws enacted by other states.

On March 25, 2022, the United States and the European Union announced they agreed in principle to a new data privacy framework for cross-border data transfers. Although specific details of this new data privacy framework have not yet been provided, the new framework is meant to replace the former EU-U.S. Privacy Shield (the “Privacy Shield”), an arrangement that allowed companies to transfer the personal data of European data subjects to the United States. The Privacy Shield was invalidated in July of 2020 by the Court of Justice of the European Union on the basis that the Privacy Shield did not protect European data from U.S. surveillance.

Topics: GDPR