OnPolicy | May 2023

Welcome to Onfido’s Policy Corner, your regular briefing on key global policy updates from the world of digital identity, AI, and data privacy.  Looking across all regions, it's clear that AI is top of mind for policymakers and we should expect to see action in that space continue.

UK

AI: The UK Government has published a white paper titled “A pro-innovation approach to AI regulation.” It sets out a new “flexible” approach to regulating artificial intelligence which is intended to build public trust in AI and make it easier for businesses to grow and create jobs. It builds on the approach previously laid out in the “National AI Strategy” and the “Pro-innovation approach to regulating AI.” Meanwhile, the Information Commissioner’s Office (ICO) published a response to the white paper. While the ICO is broadly supportive of the Government’s intended approach, the response highlights the need to ensure that the strategy does not contradict privacy laws and aligns with existing rules.

Age verification. The ICO updated guidance on the “likely to be accessed by a child” test which is used to determine whether a service is in scope of the Age-Appropriate Design Code (AADC). The AADC came into force in September 2022 and aims to protect the handling of children’s data by requiring services to follow specific codes and guidelines. The first step towards compliance is for services to determine whether they are “likely to be accessed by children.”  The updated ICO guidance clarifies that services designed for “adults only” with strict terms and conditions denying access to under-18s may fall in scope if they are “likely to be used by under-18s.” It is not explicitly clear whether the “likely to be accessed by a child test” in the AADC will be the same as the “likely to be accessed by a child test” in the Online Safety Bill. However, the ICO and Ofcom are likely to coordinate and streamline compliance between the two regulatory regimes. 

EU

AI: Members of the European Parliament in the internal market and civil liberties committees passed their final text of the AI Act. MEPs adopted all amendment batches put forward by the text’s co-rapporteurs, and a plenary vote in the European Parliament is expected in June. Negotiations between MEPs, member countries, and Commission officials are likely to start under the Spanish Presidency of the Council, which kicks off in July. 

US

Data privacy: With the passage of Indiana, Tennessee, and Montana, the number of states with a data privacy law will reach 9 - and state legislative session season isn’t over yet.  Other states to keep an eye on over the next month or so include Florida, Texas, and Oklahoma.  Meanwhile on Capitol Hill, the House Energy and Commerce Committee kicked off its focus on data privacy this Congress with a hearing on April 27 and it's likely we could see action in this space before the August recess.  

Renewed focus on AI regulation: With ChatGPT and generative AI getting everyone’s attention, policymakers in the US have a renewed focus on AI.  Senate Majority Leader Chuck Schumer (D-N.Y.) has indicated he wants to lead on AI legislation and is taking feedback from stakeholders around four guardrails (identification of who trained the algorithm and who its intended audience is; disclosure of its data source; an explanation for how it arrives at its responses; and transparent and strong ethical boundaries).  In the House, Speaker Kevin McCarthy and Minority Leader Hakeem Jefferies convened a bipartisan briefing on AI by MIT professors.  In addition, the National Telecommunications and Information Administration released a request for information on their AI Accountability Policy.  They are seeking feedback on what policies can support the development of AI audits, assessments, certifications, and other mechanisms to create earned trust in AI systems.  Assistant Commerce Secretary Alan Davidson has said that this rulemaking could inform several administrative actions, such as mandating audits as part of its procurement standards or offering prizes or bounties to those who find bias within algorithms. 

Digital identity: On March 29, CRO Terry Denzer represented Onfido at TechNet’s lobby day highlighting the organization’s new focus on digital identity policy issues.  That same day, the Senate Homeland Security and Government Affairs Committee approved S. 884, Improving Digital Identity Act of 2023.  This legislation would take the first step towards improving America’s digital identity infrastructure by establishing a task force of key stakeholders to recommend needed steps.  Now that the legislation has been approved by the committee, it needs to be approved by the Senate and the House in order to become law.  

NIST roadmap: The National Institute of Standards and Technology (NIST) is soliciting comments on a draft roadmap on activities in the identity and access management space, with a focus on privacy/security, equity, usability/accessibility, interoperability, and transparency.  The research agenda proposes efforts to accelerate mDLs, enhance biometrics and identity measurement programs, enable government attribute validation services, secure and equitable identity proofing, and interoperability of identity solutions. This draft roadmap is a comprehensive look into NIST’s efforts in the digital identity space over the several years and the agency is looking for stakeholder feedback to determine how best to prioritize projects.