On March 1, 2024, Singapore’s Ministry of Communications and Information announced[1] that a study would be launched to introduce a new piece of legislation, the Digital Infrastructure Act (DIA), to boost the resilience and security of key digital infrastructure and services in Singapore.
Privacy World Week in Review
In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.
Biden Budget Proposal Advances AI Priorities | Privacy World
In Narrow Vote California Moves Next Generation Privacy Regs Forward | Privacy World
Biden Budget Proposal Advances AI Priorities
Originally posted on Squire Patton Boggs’ Capital Thinking blog by David Stewart, Ludmilla Kasulke and Dominic Braithwaite.
On March 11, 2024, US President Joe Biden released his Fiscal Year (FY) 2025 budget request, which included proposals on U.S. Artificial Intelligence (AI) development and efforts to implement the Biden Administration’s Executive Order (EO) on AI. The budget identifies the National Science Foundation (NSF) as central to U.S. leadership in AI, requesting $10.2 billion in funding for the agency. $2 billion of that total would be dedicated to research and development (R&D) in accordance with CHIPS Act priorities, including AI, and $30 million would support the National AI Research Resource pilot program. The budget also requests $65 million for the Commerce Department “to safeguard, regulate, and promote AI, including protecting the American public against its societal risks.” This funding would include directing the National Institute of Standards and Technology (NIST) to establish the U.S. AI Safety Institute. The institute would be responsible for operationalizing “NIST’s AI Risk Management Framework by creating guidelines, tools, benchmarks, and best practices for evaluating and mitigating dangerous capabilities and conducting evaluations including red-teaming to identify and mitigate AI risk.” Further, the Department of Energy (DOE) Office of Science, which is responsible for implementing aspects of both the CHIPS Act and the AI EO, would receive $8.6 billion under the President’s proposed budget.
US Regulators Lift the Curtain on Data Practices With Assessment, Reporting and Audit Requirements
Following the lead of Europe, four US states currently require businesses to conduct and document assessments to evaluate and mitigate risks in connection with new and ongoing personal data processing activities, and at least eight additional states will do so between now and the end of 2025. California, which applies its requirements beyond traditional consumers to human resources and business-to-business contexts, requires regulatory filings of assessments (which may end up being in abridged form). On March 8, draft California assessment regulations were moved forward toward preparation for public comment, as detailed here. All of the states give regulators the ability to inspect assessments, which must be retained for that purpose. These new obligations will raise the curtain on companies’ info governance practices for regulators, and thereby necessitate robust data protection programs that are more than “window dressing.” Regulators have been clear about their plans to move to more aggressive enforcement of new state privacy laws, as discussed here and here, and assessments will give them a roadmap to do so.
Japan’s New Draft Guidelines on AI and Copyright: Is It Really OK to Train AI Using Pirated Materials?
On January 23, 2024, the Japan Agency for Cultural Affairs (ACA) released its draft “Approach to AI and Copyright” for public comment, to clarify how ingestion and output of copyrighted materials in Japan should be considered. On February 29, 2024, after considering nearly 25,000 comments, additional changes were made. This document, created by an ACA committee, will likely be adopted by the ACA in the next few weeks. This article provides a summary of the key points of the draft itself and as modified.
By way of background, on January 1, 2019, Japan’s revised Copyright Act came into effect, making Japan one of the world’s most AI-friendly countries. Article 30-4 was implemented, allowing broad rights to ingest and use copyrighted works for any type of information analysis, including for the purpose of training AI models.
Unlike the UK and the EU, which allow the ingestion of copyrighted works only for non-commercial purposes, Japan allows it also for commercial use and for acts other than reproduction, apparently including the ingestion of illegally obtained content, such as pirated copyrighted material. According to reports, in a committee meeting, Japan’s Minister of Education, Culture, Sports, Science and Technology, Keiko Nagaoka, indicated that AI companies in Japan can use “whatever they want” for AI training “regardless of whether it is for non-profit or commercial purposes, whether it is an act other than reproduction, or whether it is content obtained from illegal sites or otherwise.” This position led to Japan being called a “machine learning paradise.” The only exception imposed under the law is when such ingestion is for the “enjoyment” of the thoughts or sentiments expressed in a work in a way that “unjustly harms” the interests of the copyright holder. The law, however, provides little detail as to how this exception is to be interpreted by courts.
Why Japan Passed the 2019 Provisions and Why the Clarification Now
So, why would Japan, generally a legally conservative country, implement the 2019 provisions, which allow for far broader uses of copyrighted materials in “information analysis” than the provisions of many other countries? Some suggest it is because AI is generally seen in Japan as a potential solution to a swiftly aging population. In addition, there are currently no real local Japanese AI providers, so to quickly develop AI capabilities, Japan implemented a flexible AI approach. Furthermore, Japan has long been a bastion for robot development, and AI can be a critical piece to improving their functionality.
However, especially given the dramatic improvement in the output of new generative AI tools like ChatGPT, there has been increasing pushback from Japan-based content creators, such as the developers of manga (comics), anime (animation), movies/TV shows and music, as well as from a broad range of international content creators, who voiced concern over the lack of protection they were receiving under the law. For this reason, the ACA assembled a committee to address these concerns, clarify the limitations of the law and highlight the areas that have yet to be determined. After six months of study, the committee released the January 23 draft “Approach to AI and Copyright,” which is now expected to be formalized in the next few weeks.
What Is New in the “Approach to AI and Copyright”?
After an exhaustive review of the rationale for implementing Article 30-4 and a summary of the concerns of AI developers, users and copyright holders, the ACA sets out its position on the main issues.
Use Over the Learning/Development Stage
The committee essentially embraced Article 30-4, allowing the ingestion and analysis of copyrighted materials for AI learning in order to promote creative innovations in AI. It removes the need to acquire consent from copyright holders, as long as the use would not have a “material impact on the relevant markets” and the AI usage does not “violate the interests of the copyright holders.”
The Enjoyment Prong
In teasing out this apparent dichotomy, the committee first focuses on distinguishing between ingesting copyrighted content for “information analysis” (which is allowed) and use for a “purpose of enjoyment of the thoughts and/or sentiments expressed in the copyrighted work” (which is not allowed). The committee’s report states that “enjoyment” consists of satisfying the intellectual and mental needs of the individual through viewing/experiencing the works. By contrast, information analysis might include a scholarly assessment of movie themes across various genres, while “enjoyment” would likely include the ability to play and view all or a significant part of an individual movie.
Thus, the legality of ingesting copyrighted material essentially appears to be tied to the intended generative AI output. If the AI creator uses the copyrighted material solely for training the database and performing pure data analytics, Article 30-4 allows such use without the consent of the copyright owner. However, where the AI creator has a joint purpose of non-enjoyment (such as the above pure data analysis) and enjoyment (such as outputting creative expressions of creative works), such use without the consent of the copyright holder is not allowed under Article 30-4.
Accordingly, the focus is that ingestion of copyrighted material is prohibited if the intention is to output products that can be perceived as creative expressions of copyrighted works, including mimicking the style of specific creators. The committee notes that an AI service provider could also help remove this concern by taking “practical and technological measures” to prevent the generation of infringing works.
The committee notes that the fact that a single or infrequent generative AI output violates copyright is not determinative that the tool’s intended use is for enjoyment, but concedes that frequent violations might be. However, it also states that if such frequent cases are due to the AI user’s input/instructions requesting such material, it cannot be presumed that the AI service provider intended a use for enjoyment.
The Unjust Harm Prong
The committee then analyzed what it means to unjustly harm the interests of the copyright holder, finding this occurs when the AI output “conflicts with the copyright holder’s market or inhibits potential marketing channels for such copyrighted works in the future.” The committee explored various aspects of databases used for data analysis, generally finding that such use is allowed under Japan’s Copyright Act, but noted there may be exceptions, such as where the database owner applies technical protection measures to prevent AI crawlers from ingesting its work. Such exceptions would need to be determined on a case-by-case basis.
Besides encouraging copyright owners to implement technical protection measures, the committee noted that some newspaper publishers and other copyright owners are licensing their content for AI ingestion. Such steps can help resolve issues of copyright infringement and show that the copyright holder has a market for such copyrighted works, which is important in establishing “unjust harm.” For example, if other AI developers/service providers fail to take a license when one is available, it is easy to prove the direct impact on the copyright holder. The committee notes that the merits of any copyright violation claim will need to be determined on a case-by-case basis.
As for AI training on pirated copyrighted content, the committee noted the difficulty of the AI developer/service provider knowing whether the content its AI crawlers ingest is pirated or legitimate. In the end, the committee found that if the AI developer/service provider knew (or should have known) that it had ingested pirated/infringing materials, that is one factor in considering it a contributory infringer, increasing the likelihood of liability. If the AI provider knew or should have known that it ingested pirated materials, it should take steps to prevent infringing copyright output, which could assist in defeating a claim for contributory infringement.
The committee further encourages the ACA to continue to engage in countermeasures against piracy, perhaps without recognizing that many of these pirate sites are abroad, making it more difficult to prohibit access to the sites in Japan. In the revisions made in response to the public comments, the committee adds, “it is desirable to realize a state in which piracy is not encouraged, such as by enabling right holders to provide information on known websites carrying pirated copies to these operators and other related parties in advance to an appropriate extent, so that operators can recognize websites carrying pirated copies and exclude these websites from the collection of learning data.”
The committee notes the removal of a copyrighted work from the AI database may be ordered where there is a “high probability” that an infringing reproduction will occur in the future. However, damage claims would only be allowed where there is willful intent or negligence. Further, criminal liability should only be considered where there is willful intent.
Use in the Generation/Utilization Stages
Turning to the output phase: in order to determine whether a copyright infringement occurs, it is necessary to prove both “similarity” to and “reliance” on an existing copyrighted work. “Similarity” may be found even if only parts of the work are essential features of the output. “Reliance” is shown when the creator of the new work is aware of the prior work.
Accordingly, when the AI user requests the AI to generate a specific copyrighted work, such as by referencing it in a prompt, reliance is established, and the AI user may be found to be the infringer. However, if the AI user is not aware of an existing copyrighted work, and an infringing output is generated, then the AI developer/service provider may be found to be a contributory infringer, especially if the tool produces frequent infringements. To avoid this, AI developers/service providers are encouraged to implement technical measures to ensure that ingested copyrighted content is not regenerated. The committee also suggests measures to prevent AI users from requesting infringing material.
The Copyrightability of the AI Output
Under Japan’s Copyright Act, Article 2(1), a copyright-protected work is defined as a creation expressing “human thoughts and emotions.” Thus, it appears difficult for AI to be the author of its own creations under the current law. However, the committee suggested that a joint work, combining human input and AI-generated content, may be eligible for copyright protection as a whole, based on certain factors. These include:
- The amount and content of the instructions and input prompts by the AI user
- The number of generation attempts, modifying the output for a desired result by the AI user
- The AI user selecting the work from multiple generated works
- The subsequent human modifications to the AI generated work
Differences from US, UK and EU Laws on AI Training
The US has no specific law regulating the use of copyrighted material for training AI models, whether for commercial or non-commercial purposes. Rather, in the US, the issue is currently being litigated in a number of lawsuits that pit content creators and copyright holders against the creators and operators of generative AI tools. While the various cases raise a number of novel issues, the most critical will be determining (1) whether the collection and use of copyrighted materials to develop the generative AI tools was a “fair use” under the US Copyright Act, and (2) whether certain outputs, generated from third-party input, are (a) substantially similar to a registered copyrighted work such that they constitute infringement and (b) whether the AI creator/operator is liable even though it did not input the information that generated the purportedly infringing output.
In both the EU and the UK, the laws generally allow the harvesting/scraping of data for purposes of training an AI model only for noncommercial use. Some jurisdictions recognize the right to use data for commercial purposes in very specific instances. For example, the German Copyright Act (Sections 44b and 60d) allows the reproduction of lawfully accessible works in order to carry out text and data mining even in commercial situations, absent a reservation of such use by the rights owner, or for scientific research purposes. My colleagues Sandra Mueller and Julia Jacobson have noted a recent case in the Hamburg District Court brought by photographer Robert Kneschke against LAION E.V., claiming copyright infringement based on the use of his photograph in training AI image generators. According to the photographer’s legal representatives, one of the main defenses the defendant relies upon relates to the above provisions. The oral hearing in this case is reportedly scheduled for 25 April 2024.
In Singapore, as reported by our colleague there, Charmian Aw, the government has released its proposed Model AI Governance Framework for Generative AI, identifying data as a core element of model development that significantly impacts the quality of the model output. This makes it necessary to ensure data quality, such as through the use of trusted data sources. Where the use of data for model training is potentially contentious, such as with personal data and copyrighted material, the guidelines state it is “important to give business clarity, ensure fair treatment, and to do so in a pragmatic way.”
As to the copyright issues, the Singapore guidelines suggest addressing them through (1) creating an open dialogue with all stakeholders, (2) encouraging AI developers to “undertake data quality control measures” using “data analysis tools to facilitate data cleaning,” (3) more globally, expanding the available pool of trusted data sets and (4) governments “working with their local communities to curate a repository of representative training data sets for their specific context (e.g. in low resource languages).”
Conclusions
The ACA committee concludes that the relationship between AI and copyright will need to be determined on a case-by-case basis, including precedents and judicial decisions against the backdrop of the unpredictable and fast-moving development of technology, and the progress of studies in other countries. For this report, the committee focused on the exceptions for acquiring consent of the copyright owner under Article 30-4 of the Copyright Act. In the future, the committee indicates that it will need to consider the impact of an author’s moral rights and neighboring rights that are personal to the author and protected under Japanese law.
What can be gleaned from this detailed study is that Japan wants to aggressively support the development of AI tools and the market for AI solutions by allowing broad rights to ingest copyrighted works. However, it is struggling to do so in a way that properly rewards content holders for their creations. As AI tools continue to improve, this will certainly be an interesting effort to watch, especially against the backdrop of the various approaches to the issue taken by the US, the EU, the UK and other countries across the globe.
If you have questions, please feel free to reach out to your favorite firm contact or one of our AI team contacts.
Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.
Privacy World Week in Review
In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.
In Narrow Vote California Moves Next Generation Privacy Regs Forward | Privacy World
More Detail on U.S. Data Processing Assessment Requirements | Privacy World
Protecting Kids Online – Part II | Privacy World
Protecting Kids Online: Changes in California, Connecticut and Congress – Part I | Privacy World
Federal Children’s Privacy Requirements to Be Updated and Expanded | Privacy World
EU Digital Services Act in Full Force | Privacy World
Deep Fake of CFO on Videocall Used to Defraud Company of US$25M | Privacy World
Address Cyber-risks From Quantum Computing | Privacy World
FCC Clarifies and Codifies TCPA Consent Revocation Rules | Privacy World
In Narrow Vote California Moves Next Generation Privacy Regs Forward
The staff and board of the California Privacy Protection Agency (“CPPA”) have been working for nearly two years on a new set of proposed rulemaking under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”). A year ago the current CCPA regulations were finalized, but several complex issues were reserved for further consideration and some proposals were pulled back to ease initial implementation. Their enforcement was initially enjoined and delayed by a trial court, but a California appeals court reversed that order, including any delay on the effectiveness of future regulations. New draft regulations were proposed by the CPPA staff and considered, but not approved, by the CPPA Board in Q4 of 2023. In February 2024, further revised draft regulations were released, and they were considered on March 8 by the CPPA Board. The Board voted 5 to 0 to move forward amendments to the existing regulations and, after a spirited debate, 3 (Urban, Le and Worthe for) to 2 (de la Torre and Mactaggart against) to also move forward with new draft regulations on data risk assessments and data-driven technologies, with a direction to staff to add to the requirements for filing abridged assessments with the CPPA a discussion of what safeguards were employed to mitigate risks (with an exception for when disclosure would be a security risk). In each case the staff was authorized to prepare the materials necessary under administrative procedure laws and regulations to publish a notice of proposed rulemaking, the publication of which will be subject to a further Board vote after review of the rulemaking package. The staff was also authorized to make further edits to the draft regulations to clarify text or conform with law. Although the motions did not set a firm date for staff to complete that work, the discussions contemplated that it would be done by the July 2024 Board meeting at the latest.
That could result in effective regulations in Q3, though given the complexity and lack of Board consensus year-end is optimistic.
EDPB Versus Ireland? Does the Opinion on “Main Establishments” Mean the End of the GDPR “One-stop Shop” Mechanism?
On February 13, 2024, the European Data Protection Board (EDPB) released its opinion on the notion of the main establishment of a controller in the EU under Article 4(16)(a) GDPR and the criteria for the application of the “one-stop shop” mechanism, in particular regarding the notion of a controller’s “place of central administration” (PoCA) in the EU.
The EDPB concluded that (1) the controller’s place of central administration in the EU can be considered as a main establishment under Article 4(16)(a) GDPR only if it takes the decisions on the purposes and means of the processing of personal data and it has the power to implement these decisions; and (2) the “one-stop shop” mechanism can only apply if there is evidence that one of the establishments of the controller in the EU takes the decisions on the purposes and means of the relevant processing operations and has the power to implement these decisions. If the decisions on the purposes and means and the power are exercised outside the EU, there should be no main establishment under Article 4(16)(a) GDPR and the “one-stop shop” mechanism cannot apply.
Background
The “one-stop shop” is a mechanism for organizations that are engaged in cross-border EU data processing, allowing them to deal with a single lead supervisory authority (LSA) for their data protection compliance obligations. Under GDPR, the supervisory authority (SA) of the EU member state where that organization’s main EU establishment is located would often be its LSA. The LSA acts as a single point of contact for, and cooperates with, other SAs in relation to cross-border data processing activities.
This mechanism intends to enhance consistency and uniformity in the application of data protection legislation and increase legal certainty. It also aims to facilitate central enforcement by a single decision of one LSA, as well as to reduce the administrative burden for controllers and processors, as they can navigate regulatory requirements more easily with this centralized point of contact.
The EDPB reiterates that GDPR does not permit “forum shopping” in the identification of the main establishment, as it must be determined by objective criteria. Therefore, before assessing who is the LSA of an organization, first it must be objectively concluded where its main establishment is.
Main Findings
Concerning the determination of the main establishment, the EDPB has indicated that, where an organization has several establishments in the EU, the main one will be the organization’s PoCA. That also implies that the establishment must be the one that takes the decisions on the purposes and means of the processing of personal data and that has the power to effectively implement these decisions.
With respect to the “one-stop shop” mechanism, the EDPB considers that it can only apply if there is evidence that it is the controller’s main establishment in the EU that takes the decisions on the purposes and means of the relevant processing and has the power to implement these decisions.
The EDPB’s opinion concludes that when decisions and the power are exercised outside the EU, there is no main establishment and, therefore, the “one-stop shop” mechanism cannot apply.
The EDPB’s opinion confirms that the burden of proof lies on controllers, as they have a duty to cooperate with the SAs. In this context, the data protection body suggests various elements of evidence, such as records of processing activities and privacy policies – but equally important is the ability to demonstrate that one has the actual power to control the implementation of decisions taken. Compliance cannot be a mere paper trail.
Why Is This Important?
The EDPB’s recent opinion implies that non-EU organizations with cross-border operations in several EU countries that cannot have a main establishment in the EU (i.e., their decisions are being taken outside of the EU/they do not have the powers to implement decisions) will not be able to benefit from the “one-stop shop” mechanism.
The lack of a “one-stop shop” poses significant challenges for those organizations: without a central point of contact, it may be difficult for them to navigate the various regulatory requirements across the EU member states. This could result in increased bureaucracy and higher compliance costs, and issues might be amplified in a crisis scenario such as a cyber incident, where timing is critical. Moreover, the affected entities might suffer from a lack of consistency in the application and enforcement of the rules. This could create legal uncertainty and might diminish their ability to execute their cross-border activities, having to interpret and comply with different requirements across multiple jurisdictions.
As determined by the EDPB, it is not enough for a company simply to designate an LSA; SAs retain the ability to challenge the controller’s claim, requesting further information based on an objective examination of the relevant facts. In that sense, organizations claiming an SA as their LSA must have evidence to prove that the PoCA is indeed the one taking the decisions on the purposes and means of the processing and holding the actual power to implement these decisions. Substance is key, also in privacy.
Everything, Everywhere, All the Time: How Digital Data Regulations Affect Everything from Cross-Border Investigations, Disputes, Data Breach Response and AI
Scott Warren, a Partner in our Japan and China offices, will chair and speak at the Thailand & SE Asia 5th International Arbitration & Corporate Crime Summit on March 14, 2024 at the Rembrandt Hotel & Suites in Bangkok.
Scott’s presentation is entitled Everything, Everywhere, All the Time: How Digital Data Regulations Affect Everything from Cross-Border Investigations, Disputes, Data Breach Response and AI, discussing how the increasing regulations governing digital data affect its use.
As countries increasingly limit the transfer of personal data across borders, doing so for investigations, disputes and cyber matters has become significantly more complex. For example, China’s data privacy laws restrict personal data export for such matters unless it is approved by the Chinese government. And in the US, President Biden’s latest Executive Order may affect the ability to export certain US personal information to places like China and other “countries of concern.” There are also practical cross-cultural issues that often arise in handling digital data when conducting cross-border investigations. In the meantime, there are rising concerns over data privacy issues in the use of AI platforms and the output they generate. These and other related topics are slated for discussion.
Complimentary seating is available for in-house and general counsel. If you are interested in attending this in-person event, please see: Thailand & SE Asia: 5th International Arbitration & Corporate Crime Summit – Legal Plus Asia (legalplus-asia.com).
California Considers Restricting Broad Swath of Content Personalization and Online Advertising Activities
On March 8, 2024, the California Privacy Protection Agency (“CPPA” or “Agency”) Board (“Board”) will consider draft regulations that set forth how automated decisionmaking technology (“ADMT”) and profiling will be regulated under the California Consumer Privacy Act (“CCPA”). The proposal includes the regulation of a new concept of “behavioral advertising” that is deemed “extensive profiling” and thus a form of “automated decisionmaking” that has a significant impact on consumers, justifying both a complex advance notice and an ability for consumers to opt out. These would overlap with similar notice and opt-out requirements already in place for “sharing” of personal information for “cross-context behavioral advertising,” which involves use of personal information from more than one party (e.g., cross-site/app/service browsing information, or combinations of first- and third-party data). The proposal would make cross-context behavioral advertising a subset of the newly defined behavioral advertising, and would bring within the scope of these proposed regulations any practice that involves the use of personal information, even exclusively first-party data, for advertising or marketing communications (with limited exceptions, such as where the communication is based solely on a current interaction). So, presenting a contextual ad or other content about cigars when a site user is reading an article about cigars would seemingly not be behavioral advertising, but remembering that the user is interested in cigars, to later recommend cigar-related products (think e-commerce site recommendations), would be.
In an op-ed published by Law360, we break down how this diverges from the approach of 12 newer state privacy laws, conflicts with current CCPA provisions (e.g., the current exception from “share” restrictions when the data is made available pursuant to a consumer’s direction) and creates California-specific burdens for businesses without offsetting benefits for California consumers that would justify the approach.
We will keep you informed on the Agency’s and the Board’s ongoing consideration of this issue and their other CCPA rulemaking activities. For more information, contact the authors.