Federal Lawmakers in House and Senate Introduce Algorithmic Accountability Act of 2022
Friday, February 11, 2022

Data privacy and AI continues to be a top-of-mind issue in 2022.  Consistent with this broader trend, the Algorithmic Accountability Act of 2022 was introduced in the U.S. Senate as S. 3572 and in the U.S. House of Representatives as HR 6580 on February 3, 2022.  This bill proposes to direct the Federal Trade Commission (“FTC”) to promulgate regulations that require any “covered entity” to perform impact assessments and meet other requirements regarding automated decision-making processes and in particular those that implicate an “augmented critical decision process”— essentially, that result in any legal or other material effects — on a consumer.

  1. Applies to “Covered Entities”

If enacted, the Act would apply to “covered entities,” which are persons, partnerships, or corporations over which the FTC has jurisdiction under section 5(a)(2) of the FTC Act.  (Sec. 2(7)).  Businesses are covered entities if they:

  1. Deploy augmented critical decision processes; and

    1. Had greater than $50,000,000 in average annual gross receipts or is deemed to have greater than $250,000,000 in equity value for the 3-taxable-year period preceding the most recent fiscal year; or

    2. Possess, manage, modify or otherwise uses the identifying information of more than 1,000,000 consumers, households, or consumer devices to develop or deploy any automated decision system or augmented critical decision process; or

    3. Is substantially owned, operated, or controlled by an entity qualifying for the above.

  2. That had, among others, greater than $5,000,000 in average annual gross receipts or is deemed to have greater than $25,000,000 USD in equity value for the prior 3-taxable year period.

(Id.).

Most of the proposed required regulation topics would seem to exclude the provision of services to government agencies.  However, one of the required regulations to promulgate will be to “require each covered entity to attempt to eliminate or mitigate, in a timely manner, any impact made by an augmented critical decision process that demonstrates a likely material negative impact that has legal or significant effects on a consumer’s life.”  This provision is quite vague and could be construed to more broadly apply to a business’s activities with respect to government agency customers—creating potentially significant consequences across industries.

  1. Applies to “Augmented Critical Decision Processes”

As used in the bill, an “augmented critical decision process” is a process, procedure, or other activity that deploys automated decision systems to make a critical decision.  (Section 2(1)).  An “automated decision system,” by comparison, is any system, software or process (including one derived from machine learning and artificial intelligence techniques) that uses computation, the result of which serves as a basis for decision or judgment.  (Section 2(2)).  The bill contains additional provisions for a “critical decision,” which means a decision or judgment that has any legal, material or similarly significant effect on a consumer’s life relating to or the cost, terms, or availability of, among others, legal services, or any other service, program, or opportunity decisions about which have a comparably legal, material or similarly significant effect on a consumer’s life.  (Section 2(8)).

  1.  Requires FTC Regulations to Require Covered Entities to Perform Impact Assessments

The bill, as currently drafted, requires the FTC to promulgate regulations that require any “covered entity” to perform impact assessments and meet other requirements regarding automated decision-making processes.  (Section 3(3)).  Subject to rulemaking, covered entities would be required to perform an impact assessment of (1) any deployed automated decision systems developed for implementation or use, or that the covered entity reasonably expects to be implemented or used, in an augmented critical decision process by any person, partnership or corporation; and (2) augmented critical decision process, both prior to and after deployment.  (Section 3(b)(1)(A)).

Additionally, covered entities would also be required to, among others:

  • Maintain documentation of any impact assessments performed. (Section 3(b)(1)(B));

  • Submit annual reports to the FTC summary reports of any ongoing impact assessments of any deployed automated decision systems or augmented critical decision processes. (Section 3(b)(1)(D));

  • Submit initial summary reports to the FTC of any new automated decision system or augmented critical decision process prior to deployment. (Section 3(b)(1)(E)); and

  • Attempt to eliminate or mitigate, in a timely manner, any impact made by an augmented critical decision process that demonstrates a likely material negative impact that has legal or similarly significant effects on a consumer’s life. (Section 3(b)(1)(H)).

The bill has extensive requirements for impact assessments, including that the impact assessment must include, among others, information regarding the outcome of ongoing testing and evaluation and historical performance of the automated decision system or augmented critical decision process pertaining to “any differential performance associated with consumers’ race, color, sex, gender, age, disability . . . and any other characteristics the [FTC] deems appropriate . . .”  (Section 4(a)(4)(E)).

  1. Enforceable by the FTC, State Attorneys General and Other Authorized State Officers

Additionally, the bill as currently drafted creates potential risk of enforcement by the FTC pursuant to Section 18 of the FTC Act (unfair or deceptive act or practice), state attorneys general of a State whose residents suffer harm, and any other authorized officer of a State whose residents suffer harm.  (Section 9).  Companies would also be at risk of facing parallel actions for violation of the regulations in federal and state courts given that state enforcement authorities may bring actions in federal court (parens patriae) as well as in state court for civil or criminal violations of state laws.  (Id.).

  1. Conclusion

Given provisions around timing, it is likely that these regulations that are required to be passed, if the bill passes, will not be effective for a minimum of three to four years.  If enacted, this bill as currently drafted would require the FTC to promulgate regulations that would either directly regulate business activities involving qualifying automated decision systems or augmented critical decision processes.  In particular, there is the potential for future regulations to be issued that would require covered entities to “eliminate or mitigate” any material negative impact that results from its covered business activities.

In light of the high volume of federal privacy bills proposed last year, this one may be a harbinger of more to come in 2022.

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins