May 17, 2022

Volume XII, Number 137

Advertisement
Advertisement

May 16, 2022

Subscribe to Latest Legal News and Analysis

Federal Lawmakers in House and Senate Introduce Algorithmic Accountability Act of 2022

Data privacy and AI continues to be a top-of-mind issue in 2022.  Consistent with this broader trend, the Algorithmic Accountability Act of 2022 was introduced in the U.S. Senate as S. 3572 and in the U.S. House of Representatives as HR 6580 on February 3, 2022.  This bill proposes to direct the Federal Trade Commission (“FTC”) to promulgate regulations that require any “covered entity” to perform impact assessments and meet other requirements regarding automated decision-making processes and in particular those that implicate an “augmented critical decision process”— essentially, that result in any legal or other material effects — on a consumer.

  1. Applies to “Covered Entities”

If enacted, the Act would apply to “covered entities,” which are persons, partnerships, or corporations over which the FTC has jurisdiction under section 5(a)(2) of the FTC Act.  (Sec. 2(7)).  Businesses are covered entities if they:

  1. Deploy augmented critical decision processes; and

    1. Had greater than $50,000,000 in average annual gross receipts or is deemed to have greater than $250,000,000 in equity value for the 3-taxable-year period preceding the most recent fiscal year; or

    2. Possess, manage, modify or otherwise uses the identifying information of more than 1,000,000 consumers, households, or consumer devices to develop or deploy any automated decision system or augmented critical decision process; or

    3. Is substantially owned, operated, or controlled by an entity qualifying for the above.

  2. That had, among others, greater than $5,000,000 in average annual gross receipts or is deemed to have greater than $25,000,000 USD in equity value for the prior 3-taxable year period.

(Id.).

Most of the proposed required regulation topics would seem to exclude the provision of services to government agencies.  However, one of the required regulations to promulgate will be to “require each covered entity to attempt to eliminate or mitigate, in a timely manner, any impact made by an augmented critical decision process that demonstrates a likely material negative impact that has legal or significant effects on a consumer’s life.”  This provision is quite vague and could be construed to more broadly apply to a business’s activities with respect to government agency customers—creating potentially significant consequences across industries.

  1. Applies to “Augmented Critical Decision Processes”

As used in the bill, an “augmented critical decision process” is a process, procedure, or other activity that deploys automated decision systems to make a critical decision.  (Section 2(1)).  An “automated decision system,” by comparison, is any system, software or process (including one derived from machine learning and artificial intelligence techniques) that uses computation, the result of which serves as a basis for decision or judgment.  (Section 2(2)).  The bill contains additional provisions for a “critical decision,” which means a decision or judgment that has any legal, material or similarly significant effect on a consumer’s life relating to or the cost, terms, or availability of, among others, legal services, or any other service, program, or opportunity decisions about which have a comparably legal, material or similarly significant effect on a consumer’s life.  (Section 2(8)).

  1.  Requires FTC Regulations to Require Covered Entities to Perform Impact Assessments

The bill, as currently drafted, requires the FTC to promulgate regulations that require any “covered entity” to perform impact assessments and meet other requirements regarding automated decision-making processes.  (Section 3(3)).  Subject to rulemaking, covered entities would be required to perform an impact assessment of (1) any deployed automated decision systems developed for implementation or use, or that the covered entity reasonably expects to be implemented or used, in an augmented critical decision process by any person, partnership or corporation; and (2) augmented critical decision process, both prior to and after deployment.  (Section 3(b)(1)(A)).

Additionally, covered entities would also be required to, among others:

  • Maintain documentation of any impact assessments performed. (Section 3(b)(1)(B));

  • Submit annual reports to the FTC summary reports of any ongoing impact assessments of any deployed automated decision systems or augmented critical decision processes. (Section 3(b)(1)(D));

  • Submit initial summary reports to the FTC of any new automated decision system or augmented critical decision process prior to deployment. (Section 3(b)(1)(E)); and

  • Attempt to eliminate or mitigate, in a timely manner, any impact made by an augmented critical decision process that demonstrates a likely material negative impact that has legal or similarly significant effects on a consumer’s life. (Section 3(b)(1)(H)).

The bill has extensive requirements for impact assessments, including that the impact assessment must include, among others, information regarding the outcome of ongoing testing and evaluation and historical performance of the automated decision system or augmented critical decision process pertaining to “any differential performance associated with consumers’ race, color, sex, gender, age, disability . . . and any other characteristics the [FTC] deems appropriate . . .”  (Section 4(a)(4)(E)).

  1. Enforceable by the FTC, State Attorneys General and Other Authorized State Officers

Additionally, the bill as currently drafted creates potential risk of enforcement by the FTC pursuant to Section 18 of the FTC Act (unfair or deceptive act or practice), state attorneys general of a State whose residents suffer harm, and any other authorized officer of a State whose residents suffer harm.  (Section 9).  Companies would also be at risk of facing parallel actions for violation of the regulations in federal and state courts given that state enforcement authorities may bring actions in federal court (parens patriae) as well as in state court for civil or criminal violations of state laws.  (Id.).

  1. Conclusion

Given provisions around timing, it is likely that these regulations that are required to be passed, if the bill passes, will not be effective for a minimum of three to four years.  If enacted, this bill as currently drafted would require the FTC to promulgate regulations that would either directly regulate business activities involving qualifying automated decision systems or augmented critical decision processes.  In particular, there is the potential for future regulations to be issued that would require covered entities to “eliminate or mitigate” any material negative impact that results from its covered business activities.

In light of the high volume of federal privacy bills proposed last year, this one may be a harbinger of more to come in 2022.

© Copyright 2022 Squire Patton Boggs (US) LLPNational Law Review, Volume XII, Number 42
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

216-479-8070
Kyle R. Fath Cybersecurity Attorney Squire Patton Boggs New York Los Angeles
Of Counsel

Kyle Fath is counsel in the Data Privacy & Cybersecurity Practice. He offers clients a unique blend of deep experience in counselling companies through compliance with data privacy laws, drafting and negotiating technology agreements, and advising on the privacy, IT, and IP implications of mergers & acquisitions and other corporate transactions. His practice has a particular focus on the the ingestion and sharing of data by way of strategic data transactions, data brokers, and vendor relationships, the implications of digital advertising (as companies look toward...

212-872-9863
Gicel Tomimbang Los Angeles California Associate Attorney Data Privacy Cybersecurity Squire Patton Boggs LLP
Associate

Gicel Tomimbang is an associate in the Data Privacy, Cybersecurity & Digital Assets Practice.

A significant portion of Gicel’s practice focuses on the intersection of healthcare with privacy. Clients frequently turn to her for advice and counsel on complex issues that arise under the Health Insurance Portability and Accountability Act (HIPAA), the Confidentiality of Medical Information Act (CMIA), the California Consumer Privacy Act (CCPA), the FTC Act and the FTC Health Breach Notification Rule.

Gicel previously...

213-689-6543
Advertisement
Advertisement
Advertisement