Author: National Law Forum

A group of in-house attorneys developed the National Law Review on-line edition to create an easy to use resource to capture legal trends and news as they first start to emerge. We were looking for a better way to organize, vet and easily retrieve all the updates that were being sent to us on a daily basis.In the process, we’ve become one of the highest volume business law websites in the U.S. Today, the National Law Review’s seasoned editors screen and classify breaking news and analysis authored by recognized legal professionals and our own journalists. There is no log in to access the database and new articles are added hourly. The National Law Review revolutionized legal publication in 1888 and this cutting-edge tradition continues today.

The FTC Announces First Health Breach Notification Rule Enforcement Action

On February 1, the Federal Trade Commission (“FTC”) announced enforcement action for the first time under its Health Breach Notification Rule[1]. The complaint against telehealth and prescription drug discount provider GoodRx Holdings Inc. (“GoodRx”), alleges its failure to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google and other companies.

In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect. The Health Breach Notification Rule requires vendors of personal health records and related entities, which are not covered by the Health Insurance Portability and Accountability Act (HIPAA), to notify consumers and the FTC of unauthorized disclosures. In a September 2021 policy statement, the FTC warned health apps and connected devices that they must comply with the rule.

According to the FTC’s complaint, for years GoodRx violated the FTC Act by sharing sensitive personal health information with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures as required by the Health Breach Notification Rule. Specifically, the FTC claims GoodRx shared personal health information with Facebook, Google, Criteo and others. According to the FTC, since at least 2017, GoodRx deceptively promised its users that it would never share personal health information with advertisers or other third parties. GoodRx repeatedly violated this promise by sharing sensitive personal health information—such as including its users’ prescription medications and personal health conditions.

The FTC also alleges GoodRx monetized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health and medication-specific advertisements on Facebook and Instagram.

The FTC further alleges that GoodRx:

Failed to Limit Third-Party Use of Personal Health Information: GoodRx allowed third parties it shared data with to use that information for their own internal purposes, including for research and development or to improve advertising.
Misrepresented its HIPAA Compliance: GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law that sets forth privacy and information security protections for health data.
Failed to Implement Policies to Protect Personal Health Information: GoodRx failed to maintain sufficient policies or procedures to protect its users’ personal health information. Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020, GoodRx had no sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place.

In addition to the $1.5 million penalty for violating the rule, the proposed federal court order also prohibits GoodRx from engaging in the deceptive practices outlined in the complaint and requires the company to comply with the Health Breach Notification Rule. To remedy the FTC’s numerous allegations, other provisions of the proposed order against GoodRx also:

Prohibit the sharing of health data for advertising: GoodRx will be permanently prohibited from disclosing user health information with applicable third parties for advertising purposes.
Require user consent for any other sharing: GoodRx must obtain users’ affirmative express consent before disclosing user health information with applicable third parties for other purposes. The order requires the company to clearly and conspicuously detail the categories of health information that it will disclose to third parties. It also prohibits the company from using manipulative designs, known as dark patterns, to obtain users’ consent to share the information.
Require the company to seek deletion of data: GoodRx must direct third parties to delete the consumer health data that was shared with them and inform consumers about the breaches and the FTC’s enforcement action against the company.
Limit Retention of Data: GoodRx will be required to limit how long it can retain personal and health information according to a data retention schedule. It also must publicly post a retention schedule and detail the information it collects and why such data collection is necessary.
Implement a Mandated Privacy Program: GoodRx must put in place a comprehensive privacy program that includes strong safeguards to protect consumer data.

For more Cybersecurity and Privacy Legal News, click here to visit the National Law Review

FOOTNOTES

[1] 16 CFR Part 318

FDA’s Digital Health High Notes from 2022

There has been a lot of discussion lately of the Food and Drug Omnibus Reform Act of 2022 (FDORA), which was enacted on December 29, 2022 as part of the larger Consolidated Appropriations Act for 2023 (you can find our blog post on it here). As important as these kinds of future reforms are to medical product developers, we should also take a moment to review last year’s actions and policy updates on digital health from the Food and Drug Administration (FDA) and to reflect on the transformations that have been taking place at the agency as a result of the rapid pace of innovation in the field. The year 2022 marked the conclusion of the five-year Software Precertification Pilot Program and the release of the final Clinical Decision Support Software guidance, among other things, although FDA’s digital health policies generally remained consistent. In this post, we summarize the agency’s key actions in the digital health space in 2022.

Expanding into Extended Reality

Over the past few years, FDA has started a number of initiatives to explore the use of virtual, mixed, and augmented reality (the agency typically uses the term “extended reality” to cover all types of immersive digital systems) as therapeutic devices for use by patients in clinical environments and at home. The agency granted marketing authorization to two virtual reality devices for patient use, EaseVRx for chronic pain (de novo classification) and Luminopia One for treatment of lazy eye in children, in 2021 and the CureSight system, also for lazy eye in children, in 2022. It is also conducting multiple internal research projects on medical extended reality within the Center for Devices and Radiological Health (CDRH).

In conjunction with its internal research, FDA is engaging health care professionals and the industry to learn about possible benefits, as well as the risks and limitations, of medical extended reality systems to guide future decisions about the therapeutic and clinical uses of such devices. A meeting of FDA’s Patient Engagement Advisory Committee in July 2022 provided an opportunity for the agency to hear from experts and researchers in the field of extended reality and its uses, as well as companies developing medical extended reality devices and patients who have experienced such devices. The materials from the meeting are available here.

FDA also published a list of medical extended reality devices that have received marketing authorization on its website devoted to the Digital Health Center of Excellence (DHCoE), which is part of CDRH.

Application of extended reality technology and the metaverse to medicine is an exciting area of development, and we expect FDA to continue to be active in the space and to develop formal policies and guidance on extended reality devices in the near future.

Precertification Pilot Ends with Uncertain Future

FDA’s Software Precertification Pilot Program, launched in 2017 to explore innovative methods and approaches to regulating software as a medical device (SaMD), officially ended in September 2022 (see our previous posts on the Precertification program here and here). Although FDA was able to glean some key insights from the pilot, including a better understanding of SaMD manufacturer practices throughout the product life cycle, including design, development, and management of SaMD products, the agency ultimately admitted that it had encountered significant challenges in implementing the pilot program. Such challenges included:

limited statutory authorities, which hindered FDA’s ability to gather consistent and harmonized information on manufacturer practices and SaMD performance;
focusing only on SaMD for De Novo classification, which limited the number of eligible devices and created issues for testing pilot-specific special controls; and
the small number of participants (only nine SaMD manufacturer were accepted to the pilot program).

You can read FDA’s final report from the pilot program here.

FDA may use its observations from the pilot program when developing new guidance or other policies pertaining to SaMD, but any new rules or guidances must be consistent with the agency’s current statutory authorities. It is very likely that we have seen the end of any FDA software precertification program, unless or until Congress decides to grant the agency specific authority to implement a new or different regulatory regime for SaMD.

Leadership Changes at the Digital Health Center of Excellence

The past year marked a number of watershed changes at the DHCoE, including the departure of Bakul Patel, longstanding CDRH official in many capacities and the first director of the DHCoE, and the naming of a new acting director, Brendan O’Leary. Subsequently, in January 2023, the agency named Troy Tazbaz, former senior vice president at Oracle, as the new director of DHCoE. It will be interesting to see how Mr. Tazbaz, a newcomer to the agency, will direct the DHCoE in further developing the regulatory framework for digital health devices and in building strategic partnerships with industry stakeholders.

Digital Health Guidances

FDA introduced a number of new and revised guidance documents relating to digital health technologies in 2022. The following is a list with brief descriptions of each such agency guidance:

Clinical Decision Support Software (final guidance) – After a long wait (the previous draft version was published in September 2019), FDA issued a final guidance covering clinical decision support (CDS) software devices on September 28, 2022. You can find our analysis of this critical guidance in this previous post. In addition, FDA created some helpful resources to determine the regulations that may apply to a company’s CDS software or other types of SaMD: a CDS software flowchart, and a Digital Health Policy Navigator.
Policy for Device Software Functions and Mobile Medical Applications (revised final guidance) – FDA issued an updated version of this guidance in September 2022 to implement changes consisted with the CDS final guidance.
Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (draft guidance) – In recent years, FDA has repeatedly emphasized the importance of addressing cybersecurity in medical devices and has made great efforts in keeping its policies and guidance documents aligned with current cybersecurity recommendations. This guidance describes methods for incorporating cybersecurity into the design and development process for connected medical devices (including SaMD) and for maintaining cybersecurity as part of device quality systems throughout the product lifecycle. Once finalized, this guidance will supersede final guidance Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, issued in October 2014. It is also worth noting that FDORA grants the agency new authorities to require cybersecurity plans as part of premarket submissions for so-called “cyber devices,” which will need to be considered and incorporated into any upcoming final guidance on this topic.
Computer-Assisted Detection Devices Applied to Radiology Images and Radiology Device Data – Premarket Notification [510(k)] Submissions (final guidance) & Clinical Performance Assessment: Considerations for Computer-Assisted Detection Devices Applied to Radiology Images and Radiology Device Data in Premarket Notification (510(k)) Submissions (final guidance) – This pair of final guidances describes FDA’s expectations for information included in premarket notification submissions for CADe devices, and specifically for the design of clinical studies to support marketing authorization of such devices. Many companies have developed, or are interested in developing, software with CADe functionality to detect lesions or abnormalities in radiology images for the purpose of assisting human readers, and with the rapid risk of artificial intelligence/machine learning-based software, some manufacturers may seek to develop CADe software that replaces human readers altogether. These guidances are especially useful for companies developing CADe software and preparing for clinical testing and submission to FDA.
Electronic Submission Template for Medical Device 510(k) Submissions (final guidance) – Although this guidance does not specifically apply to digital health technologies, it represents an important development for all medical device companies, including digital health device manufacturers. FDA released this guidance in conjunction with the announcement that CDRH will accept electronic submissions of device premarket notifications from all applicants using the electronic submission template and resource (eSTAR) tool. The guidance describes the structure of the template (and helpfully cross-references other guidance documents that relate to each section of the template). FDA has designated October 1, 2023 as the date of full transition to electronic submission for premarket notifications, meaning that FDA will no longer accept eCopies of premarket notification submissions for filing and review as of that date.

As the preceding list highlights, digital health is an active and rapidly advancing field both in the private sector and at FDA. We will continue to monitor and report on notable developments in terms of regulatory policies affecting developers and investors in the broader field.

For more Food and Drug Legal News, click here to visit the National Law Review

Was This The Least Transparent Report In SEC History?

Professor Alexander I. Platt at the University of Kansas School of Law has just released a draft of a forthcoming paper that takes the Securities and Exchange Commission to task for the lack of transparency in its whistleblower program, Going Dark(er): The SEC Whistleblower Program’s FY 2022 Report Is The Least Transparent In Agency History. As Professor Platt notes in a footnote, I have been complaining about the whistleblower’s lack of transparency since at least 2016. See Five Propositions Concerning The SEC Whistleblower Program. Last summer, I observed that “There is certainly no dearth of irony in a federal agency dedicated to full disclosure cloaking in secrecy a billion dollar awards program”.

Professor Platt offers four possible reasons for the SEC’s lack of transparency: (1) resource constraints; (2) lack of respect for public participation and accountability; (3) data problems; and/or (4) an intent to bury something controversial or embarrassing. My concern is, and has been, that whatever the reason(s), the SEC’s lack of transparency creates an ideal substrate for fraud. Unless the SEC drops its cloak of secrecy and exposes its whistleblower program to public scrutiny, it is highly likely that the next article will be about how the whistleblower program was used and abused.

Article By Keith Paul Bishop of Allen Matkins Leck Gamble Mallory & Natsis LLP

For more SEC and securities legal news, click here to visit the National Law Review.

SUPERBOWL CIPA SUNDAY: Does Samsung’s Website Chat Feature Violate CIPA?

Happy CIPA and Super Bowl Sunday TCPA World!

So, Samsung is under the spotlight with a new CIPA case brought by a self-proclaimed “tester.” You know like Rosa Parks?? Back to that in a bit.

The California Invasion of Privacy Act (“CIPA”) prohibits both wiretapping and eavesdropping of electronic communications without the consent of all parties to the communication. The Plaintiff’s bar is zoning in to CIPA with the Javier ruling.

If you recall, Javier found that “[T]hough written in terms of wiretapping, Section 631(a) applies to Internet communications. It makes liable anyone who ‘reads, or attempts to read, or to learn the contents’ of a communication ‘without the consent of all parties to the communication.’ Javier v. Assurance IQ, LLC, 2022 WL 1744107, at *1 (9th Cir. 2022).

Here, Plaintiff Garcia claims that Defendant both wiretaps the conversations of all website visitors and allows a third party to eavesdrop on the conversations in real time during transmission. Garcia v. Samsung Electronics America, Inc.

To enable the wiretapping, Plaintiff claims that Defendant has covertly embedded software code that functions as a device and contrivance into its website that automatically intercepts, records and creates transcripts of all conversations using the website chat feature.

To enable the eavesdropping, Defendant allows at least one independent third-party vendor to secretly intercept (during transmission and in real time), eavesdrop upon, and store transcripts of Defendant’s chat communications with unsuspecting website visitors – even when such conversations are private and deeply personal.

But Plaintiff currently proceeds in an individual action but if Samsung does not take appropriate steps to fully remedy the harm caused by its wrongful conduct, then Garcia will file an amended Complaint on behalf of a class of similarly aggrieved consumers.

Now back to Civil Rights.

According to this Complaint, Garcia is like Rosa Parks, you know, the civil rights activist. Why?

Well, because “Civil rights icon Rosa Parks was acting as a “tester” when she initiated the Montgomery Bus Boycott in 1955, as she voluntarily subjected herself to an illegal practice to obtain standing to challenge the practice in Court.”

Because Wiretapping and civil rights are similar right??

Disgusted.

The Plaintiff’s bar has no problem muddying the waters to appeal to the courts.

Do better.

CIPA is some dangerous stuff. Websites use chat features to engage with consumers all the time. It seems like it is easier to communicate via chat or text than to sit on a call waiting for an agent – assuming you get an agent. But maybe not?

Stay safe out there TCPA World!

Til next time Countess!! back to the game, GO EAGLES!!! #Phillyproud

Article By Jenniffer Cabrera of Troutman Firm

For more communications, media, and internet legal news, click here to visit the National Law Review.

EU PFAS Ban Should Raise U.S. Corporate Concerns

On February 7, 2023, the European Chemical Agency (ECHA) unveiled a 200 page proposal that would ban the use of any PFAS in the EU. While the proposal was anticipated by many, the scope of the ban nonetheless drew reactions from a myriad of sectors – from environmentalists to scientists to corporations. U.S. based companies that have any industrial or business interests in the EU must absolutely pay close attention to the EU PFAS ban and consider the impact on business interests.

EU PFAS Ban Proposal

The EU PFAS ban currently proposed would take effect 18 months from the date of enactment; however, the ECHA is contemplating phased-in restrictions of up to 12 years for uses that the group considers challenging to replace in certain applications. The proposal is only the inception of the ECHA regulatory process, which next turns to a public comment period that opens on March 22, 2023 and will run for at least six months. ECHA’s scientific committees to review the proposal and provide feedback. Given the magnitude of comments expected and the likely hurdles that the ECHA will face in finalizing the proposal, it is not expected that the proposal would be finalized prior to 2025.

The EU PFAS ban seeks to prohibit the use of over 10,000 PFAS types, excluding only a sub-class of PFAS that have been deemed “fully degradable.” The proposal indicates: “…the restriction proposal is tailored to address the manufacture, placing on the market, as well as the use of PFASs as such and as constituents in other substances, in mixtures and in articles above a certain concentration. All uses of PFASs are covered by this restriction proposal, regardless of whether they have been specifically assessed by the Dossier Submitters and/or are mentioned in this report or not, unless a specific derogation has been formulated.” (emphasis added) Several specific types of uses and consumer product applicability would be included in the first phase of the proposed ban, including cosmetics, food packaging, clothing and cookware. This first phase of the ban implementation would include uses where alternatives are known, but not yet widely available, which is the reason why the first phase would take effect within 5 years. The second phase of the ban anticipates a 12 year period of time for ban implementation and encompasses uses where alternatives to PFAS are not currently known. Significantly for U.S. business, the proposed ban includes imported goods.

Impact On U.S. Companies

In 2022, U.S. companies exported just shy of $350 billion in goods to the EU. In many instances, companies do not deliberately, intentionally, or knowingly add or utilize PFAS in finished products that are sent to the EU. However, PFAS may be used in manufacturing processes that inadvertently contaminate goods with PFAS. In addition, many U.S. companies rely on overseas companies for supply chain sourcing. Quite commonly, supply chain sources outside of the U.S. do not voluntarily provide chemical composition information for components or goods that they supply. Inquiring of those companies for such information, or certifications that the good contain no PFAS, can be extremely difficult. Getting overseas companies to provide such information often proves impossible and even when certifications are made, the devil may be in the details in terms of what is actually being certified. For example, certifying that goods contain “no hazardous substances” or “no hazardous PFAS” sound reassuring, but by what measure of “hazardous” is the statement being made? Under what country’s regulations? Using which scientific definition? The result of all of these complexities may be that many U.S. based companies need to test their products themselves, which not only increases time to market issues and financial costs associated with production, but also risks to the companies doing business in the U.S. that they may open themselves up to environmental pollution or personal injury lawsuits by conducting such testing. In addition, alternatives may not be as cost effective as PFAS, which impacts businesses and has the potential trickle-down impact of passing some of the costs on to consumers.

While debate continues in the U.S. as to the scientific validity of the “whole class” approach to regulating PFAS (of which there are over 12,000 types according to the EPA), the EU PFAS ban leapfrogs the U.S. debate stage and goes directly to proposing a regulation that would embrace such a “whole class” regulatory scheme. Without a doubt, chemical manufacturers, industrial and manufacturing companies, and some in the science community are expected to strenuously oppose such an approach to regulations for PFAS. The underlying arguments will follow ones advanced and debated already in the U.S. – i.e., not all chemicals act identically, nor have the vast majority of PFAS been shown to date to present health concerns. Proper scientific method does not permit sweeping attributions of testing on legacy PFAS like PFOA and PFOS to be extrapolated and applied to all PFAS. The EU’s response to this via their proposal is that the costs of remediating PFAS from the environment are significant enough that it warrants regulating PFAS as a class to avoid costly, decades-long, and potentially repetitive remediation work in the EU.

Conclusions

It is of the utmost importance for businesses to evaluate their PFAS risk. Public health and environmental groups urge legislators to regulate these compounds in the U.S. and abroad. One major point of contention among members of various industries is whether to regulate PFAS as a class or as individual compounds. While each PFAS compound has a unique chemical makeup and impacts the environment and the human body in different ways, some groups argue PFAS should be regulated together as a class because they interact with each other in the body, thereby resulting in a collective impact. Other groups argue that the individual compounds are too diverse and that regulating them as a class would be over restrictive for some chemicals and not restrictive enough for others.

Companies should remain informed so they do not get caught off guard. States are increasingly passing PFAS product bills that differ in scope. For any manufacturers, especially those who sell goods overseas, it is important to understand how the various standards among countries will impact them, whether PFAS is regulated as individual compounds or as a class. Conducting regular self-audits for possible exposure to PFAS risk and potential regulatory violations can result in long term savings for companies and should be commonplace in their own risk assessment.

For more Environmental Law news, click here to visit the National Law Review

Breaking News – Hermès Makes History With First NFT Trademark Trial Victory

A New York City jury just returned a verdict in favor of Hermès in a historic dispute between the luxury fashion house and digital artist Mason Rothschild over Hermès’ alleged trademark rights relating to Hermès’ famous Birkin handbag. The jury awarded Hermès $133,000 in total damages for trademark infringement, dilution, and cybersquatting.

The jury finding that the First Amendment did not shield Rothschild from liability in connection with his MetaBirkins NFTs project is significant, particularly as this matter involved the first trial by jury to consider the interplay of free speech and trademark protection in the context of NFTs. This decision, which may be appealed, provides guidance for artists, brands, and others seeking ingress into metaverse, including to what extent “real world” intellectual property rights apply to and may be enforced in virtual worlds.

***Haute*-ly Contested NFTs**

Throughout the dispute over this past year, the parties have contested each other’s characterization of the MetaBirkins NFTs. To Hermès, the MetaBirkins NFTs are merely the instruments of a “digital speculator” looking to exploit one of its most exclusive assets via NFTs. In contrast, Rothschild argues that the MetaBirkins NFTs project, a series of 100 NFT images that depict a range of reimagined Hermès Birkin bags featuring a variety of colorful fur, is digital art and a commentary on the famed BIRKIN bag, consumerism, and animal cruelty within the fashion industry. As a result, he argues that the MetaBirkins NFTs are artistic works that should be shielded from liability under the free speech principles of the First Amendment of the Constitution. The nine-member jury disagreed, finding that the MetaBirkins NFTs were more like commodities that are subject to trademark and other laws, rather than artwork. A factor that may have influenced the jury’s decision was evidence suggesting that Rothschild may have seen the MetaBirkins NFTs as a “cash cow.” This may have cast doubt on the authenticity of his characterization of the MetaBirkins NFTs as an art project.

The Test is Yet to Come

Although the jury found the MetaBirkins NFTs to be infringing, the final disposition of this dispute remains pending with the possibility of appeal. Given the importance of the issues at stake, the outcome of this case is bound to be subject to debate regardless of any appeal.

Moreover, while no NFT-specific legal test appears to have emerged from this case and the legal landscape for IP in the Metaverse (and beyond) continues to lack clear guidance, this case has nonetheless provided insight on how courts (and juries) may view the interplay of IP and NFTs. The ultimate outcome of this landmark case is likely to form the basis of the emerging law involving IP rights and NFTs.

For more Intellectual Property Legal News, click here to visit the National Law Review

Available Options for Completing Form I-9 in Remote-Work Scenarios

The American Immigration Lawyer’s Association (AILA), through its Verification and Documentation Liaison Committee (“Verification Committee”) recently issued an FAQ compiling updated information related to employment verification (I-9) compliance requirements during the COVID-19 Pandemic.

The FAQ addresses the viable options for completing the Form I-9 in remote-work scenarios and the most current developments in each type of process. Below are the main takeaways:

Process 1: In-person New Employee and HR/Admin Document Review: HR/Admin timely reviews the employee’s identity and employment authorization documents in the employee’s physical presence. Where employers have fully returned to in-office operations, or where they are no longer maintaining COVID-19 precautions, they must complete an in-person review of Form I-9.

Process 2: “Remote Hire” In-Person New Employee & Employer Authorized Representative Document Review: This is the so-called “Remote Hire” process, typically used in situations of on-boarding and new remote employee. Note that this is still an in-person document review conducted by a third party designated by the employer who acts as the agent. Also note that this process is not restricted only to employees based at remote locations but can also be used in any situation. Since the employer bears the liability for the agent’s errors it is best practice for the employer to train and/or provide instructions to the agents as well as perform a detailed review upon receipt of the completed Form I-9.

Process 3: Limited Temporary Option: HR/Adm’s Electronic Document Review: The virtual review option was first implemented March 20, 2020, and has been extended multiple times. The current extension expires July 31, 2023. With this process, HR/Adm timely reviews the employee’s identity and employment authorization documents electronically, not in the employee’s physical presence, but via video link, fax, email, etc.

Who can benefit from this option? The U.S. Immigration and Custom Enforcement (ICE) confirmed to the Verification Committee the general rule in applying this option:

Before April 1, 2021, the temporary I-9 option was available if a business was operating 100% remotely as a result of the pandemic. If it was not, the in-person verification for Form I-9 was required. ICE acknowledged, however, that the Agency will handle audits and future enforcement on a case-by-case basis. Employers do not need to have 100% of their workforce working remotely to take advantage of the virtual option if the employer has a record supporting that the virtual review option was necessitated by the pandemic.
On or after April 1, 2021, the temporary virtual document review option is available, but only where the remote employment is a result of COVID-19-related precautions. Employers hiring “true remote” employees should conduct in-person reviews as they would have prior to the COVID-19 virtual review option being offered.

While virtual review provides a practical alternative to the in-person review, there are additional requirements in this process in order to maintain compliance:

Create and retain a written document that captures the remote onboarding and telework policy in place when this option is used for any Form I-9 created under this process;
Retain copies of the documents presented, as per the original guidance issued by ICE Note that security of sensitive personal information must be maintained, and the company should work with its information-security team regarding the transmission and/or capture of personal information in these situations;
Add “COVID-19” in the Additional Information field/box on Section 2 of the Form I-9;
Tell the employee that no later than three business days of cessation of this temporary electronic document review option or once the employee commences non-remote employment on a regular, consistent, or predictable basis (whichever is earlier), an in-person meeting and physical inspection of the document(s) will occur;
Within three business days of such a date, coordinate the in-person meeting and physical inspection of the document(s); and,
Add “documents physically examined,” date and initial in Section 2 Additional Information field/box, or to Section 3 of Form I-9, as appropriate.

Importantly, the virtual review process requires the employer to “perfect” the Form I-9 with an in-person meeting at a future date.

The Department of Homeland Security (DHS) is currently reviewing the regulatory framework for document review in considering making virtual review a permanent option for I-9 compliance. DHS published a Notice of Proposed Rulemaking in the Federal Register and, since November 2022, has been reviewing comments. Simultaneously, ICE has ramped up audits and investigations as the pandemic has waned. Therefore, employers should maintain a fluid line of communication with their attorneys and employees to avoid any compliance issues.

Article By Caterina Cappellari of Greenberg Traurig, LLP

For more immigration legal news, click here to visit the National Law Review.

EEOC Announces Enforcement Priorities for 2023-2027

On Tuesday January 10, 2023, the Equal Employment Opportunity Commission (“EEOC”) publicly released its Draft Strategic Enforcement Plan (“SEP”) for fiscal years 2023-2027. The SEP describes the EEOC’s top enforcement priorities, making it critical information for employers around the country.

The Draft SEP sets out the EEOC’s six subject matter priorities for fiscal years 2023-2027:

Eliminating Barriers in Recruitment and Hiring;
Protecting Vulnerable Workers and Persons From Underserved Communities From Employment Discrimination;
Addressing Emerging and Developing Issues;
Enforcing Equal Pay Laws;
Preserving Access to the Legal System; and
Preventing Harassment Through Systemic Enforcement and Targeted Outreach.

With respect to the first category, “Eliminating Barriers in Recruitment and Hiring,” the Draft SEP states the EEOC will focus on “the use of automatic systems, including artificial intelligence or machine learning, to target advertisements, recruit applicants, or make or assist in hiring decisions where such systems intentionally exclude or adversely impact protected groups.” The Draft SEP also expressly emphasizes the “lack of diversity” in both the construction and tech industries, noting the EEOC’s priority will typically involve systemic cases, though claims by an individual or small group may qualify for enforcement focus if it raises a policy, practice, or pattern of discrimination. Employers should note the EEOC’s decision to focus on AI and the tech industry demonstrates a heightened priority on remedying and preventing discrimination from automated and electronic screening tools used in hiring practices and employment decisions.

On January 31, 2023, the EEOC held a public hearing titled “Navigating Employment Discrimination in AI and Automated Systems: A New Civil Rights Frontier” where higher education professors, nonprofit organization representatives, attorneys, and workforce consultants prepared statements regarding the EEOC’s new focus.

The Draft SEP includes specific details regarding the types of hiring practices and policies that the agency seeks to scrutinize. For example, the EEOC aims to prevent employers from isolating and separating workers in certain jobs or job duties based on membership in a protected class. The EEOC plans to achieve this goal by identifying vulnerable workers for more focused attention. In addition, the EEOC will scrutinize practices which limit access to work opportunities, such as (1) job postings which either exclude or discourage some protected groups from applying, and (2) denying training, internships, or apprenticeships based on protected status. The Draft SEP also prioritizes preventing employers from denying opportunities to move from temporary to permanent roles.

As for the second category, “Protecting Vulnerable Workers and Persons From Underserved Communities From Employment Discrimination,” the Draft SEP expands the ”vulnerable worker priority” to include categories of workers who, according to the EEOC, “may be unaware of their rights . . . or reluctant or unable to exercise their legally protected rights.” These categories include workers with intellectual and developmental disabilities, individuals with arrest or conviction records, LGBTQI+ individuals, pregnant workers, individuals with pregnancy-related medical conditions, temporary workers, older workers, individuals employed in low-wage jobs, and persons with limited literacy or English proficiency. The Draft SEP proposes that district EEOC offices and the agency’s federal sector program will identify vulnerable workers and underserved communities in their districts or within the federal sector for focused attention. Employers should be aware that the “vulnerable workers” focused on under this category may vary based on location.

The Draft SEP’s third category, “Addressing Emerging and Developing Issues,” includes a focus on (1) qualification standards and inflexible policies or practices that discriminate against individuals with disabilities, (2) protecting individuals affected by pregnancy, childbirth, and related medical conditions under the Pregnancy Discrimination Act, the Americans with Disabilities Act, and the newly enacted Pregnant Workers Fairness Act, (3) employment issues relating to backlash in response to local, national, or global events, and (4) “employment discrimination associated with the COVID-19 pandemic.” The priorities for the EEOC’s COVID-19-related enforcement in this category include:

pandemic related harassment, particularly against individuals of Asian descent;
unlawful denials of accommodations to individuals with disabilities;
unlawful medical inquiries, improper direct threat determinations, or other discrimination related to disabilities that arose during or were exacerbated by the pandemic; and
discrimination against persons who have an actual disability or are regarded as having a disability related to COVID–19, including individuals with long COVID, and pandemic-related caregiver discrimination based on a protected characteristic

With respect to the fourth category, “Enforcing Equal Pay Laws,” the Draft SEP sets out a focus on pay discrimination based on any protected category. The Draft SEP also states the EEOC may use “Commissioner Charges and directed investigations” to enforce equal pay. Notably, the EEOC has been hesitant to use Commissioner Charges in the past, as they comprise of less than 1% of annual charge volume since 2015. However, Commissioner Charges may become necessary to identify and remedy discrimination based on artificial intelligence or machine learning, as outlined in the first category.

The fifth and sixth categories remain largely unchanged from prior EEOC SEPs. The focus for the fifth category, preserving access to the legal system, will continue to identify and target (1) overly broad waivers, releases, non-disclosure and non-disparagement agreements; (2) improper mandatory arbitration provisions; (3) employers failure to keep proper records; and (4) improper retaliatory practices. As for the final category, the EEOC will continue to focus on promoting comprehensive anti-harassment programs and practices.

The EEOC will vote on a final version of the SEP following the public notice and comment period, which concludes on February 9, 2023.

Article By Dan Syed of Sheppard, Mullin, Richter & Hampton LLP

For more labor and employment legal news, click here to visit the National Law Review.

With the US Copyright Office (USCO) continuing their stance that protection only extends to human authorship, what will this mean for artificial intelligence (AI)-generated works — and artists — in the future?

Almost overnight, the limited field of Machine Learning and AI has become nearly as accessible to use as a search engine. Apps like Midjourney, Open AI, ChatGPT, and DALL-E 2, allow users to input a prompt into these systems and a bot will generate virtually whatever the user asks for. Microsoft recently announced its decision to make a multibillion-dollar investment in OpenAI, betting on the hottest technology in the industry to transform internet as we know it.^[1]

However, with accessibility of this technology growing, questions of authorship and copyright ownership are rising as well. There remain multiple open questions, such as: who is the author of the work — the user, the bot, or the software that produces it? And where is this new generative technology pulling information from?

AI and Contested Copyrights

As groundbreaking as these products are, there has been ample backlash regarding copyright infringement and artistic expression. The stock image company, Getty Images, is suing Stability AI, an artificial intelligence art tool behind Stable Diffusion. Getty Images alleges that Stability AI did not seek out a license from Getty Images to train its system. Although the founder of Stability AI argues that art makes up 0.1% of the dataset and is only created when called by the user’s prompt. In contrast, Shutterstock, one of Getty Images largest competitors, has taken an alternative approach and instead partnered with Open AI with plans to compensate artists for their contributions.

Artists and image suppliers are not the only ones unhappy about the popularity of machine learning. Creators of open-source code have targeted Microsoft and its subsidiary GitHub, along with OpenAI, in a proposed class-action lawsuit. The lawsuit alleges that the creation of AI-powered coding assistant GitHub Copilot is relying on software piracy on an enormous scale. Further, the complaint claims that GitHub relies on copyrighted code with no attribution and no licenses. This could be the first class-action lawsuit challenging the training and output of AI systems. Whether artists, image companies, and open-source coders choose to embrace or fight the wave of machine learning, the question of authorship and ownership is still up for debate.

The USCO made clear last year that the copyright act only applies to human authorship; however they have recently signaled that in 2023 the office will focus on the legal grey areas surrounding the copyrightability of works generated in conjunction with AI. The USCO denied multiple applications to protect AI authored works previously, stating that the “human authorship” element was lacking. In pointing to previous decisions, such as the 2018 decision that a monkey taking a selfie could not sue for copyright infringement, the USCO reiterated that “non-human expression is ineligible for copyright protection.” While the agency is standing by its conclusion that works cannot be registered if it is exclusively created by an AI, the office is considering the issue of copyright registration for works co-created by humans and AI.

Patent Complexities

The US Patent and Trademark Office (USPTO) will have to rethink fundamental patent policies with the rise of sophisticated AI systems as well. As the USPTO has yet to speak on the issue, experts are speculating alternative routes that the office could choose to take: declaring AI inventions unpatentable, which could lead to disputes and hinder the incentive to promote innovation, or concluding that the use of AI should not render otherwise patentable inventions unpatentable, but would lead to complex questions of inventorship. The latter route would require the USPTO to rethink their existing framework of determining inventorship by who conceived the invention.

Takeaway

The degree of human involvement will likely determine whether an AI work can be protected by copyright, and potentially patents. Before incorporating this type of machine learning into your business practices, companies should carefully consider the extent of human input in the AI creation and whether the final work product will be protectable. For example:

An apparel company that uses generative AI to create a design for new fabric may not have a protectable copyright in the resulting fabric design.
An advertising agency that uses generative AI to develop advertising slogans and a pitch deck for a client may not be able to protect the client from freely utilizing the AI-created work product.
A game studio that uses generative AI to create scenes in a video game may not be able to prevent its unlicensed distribution.
A logo created for a business endeavor may not be protected unless there are substantial human alterations and input.
Code that is edited or created by AI may be able to be freely copied and replicated.

Although the philosophical debate is only beginning regarding what “makes” an artist, 2023 may be a uniquely litigious year defining the extent in which AI artwork is protectable under existing intellectual property laws.

FOOTNOTES

^[1]https://www.cnn.com/2023/01/23/tech/microsoft-invests-chatgpt-openai/index.html; https://www.nytimes.com/2023/01/12/technology/microsoft-openai-chatgpt.html

Article By Anthony V. Lupo and Dan Jasnow of ArentFox Schiff LLP

For more intellectual property legal news, click here to visit the National Law Review.

What’s New in 5G – February 2023

The next-generation of wireless technologies – known as 5G – is expected to revolutionize business and consumer connectivity, offering network speeds that are up to 100 times faster than 4G LTE, reducing latency to nearly zero, and allowing networks to handle 100 times the number of connected devices, enabling the “Internet of Things.” Leading policymakers – federal regulators and legislators – are making it a top priority to ensure that the wireless industry has the tools it needs to maintain U.S. leadership in commercial 5G deployments. This blog provides monthly updates on FCC actions and Congressional efforts to win the race to 5G.

Regulatory Actions and Initiatives

Spectrum

The FCC grants relief to a 600 MHz licensee serving Tribal Nations, giving it more time to complete and deploy its wireless network.
- On January 4, 2023, the FCC’s Wireless Telecommunications Bureau (“WTB”) released an Order granting a third request by Pine Cellular Phones, Inc. (“Pine Cellular”) to extend its construction deadline for one of its 600 MHz licenses by one year from January 9, 2023 to January 9, 2024. In 2019, Pine Cellular was a winning bidder in the Broadcast Incentive Auction (Auction No. 1002) of two 600 MHz licenses. After the licenses were awarded, the FCC prohibited the use of funding from the Universal Service Fund for equipment and services deemed to pose a national security risk. Pine Cellular planned to rely on that now-prohibited equipment to meet its construction requirement, but it has since been unable to acquire and install compliant equipment due, in part, to global supply chain issues. The WTB granted Pine Cellular’s request because it recognized that the only way for Pine Cellular to fulfill its construction requirement is to remove and replace all prohibited equipment in its network and that termination of the license would not facilitate the provision of wireless broadband service, particularly to the Choctaw Nation, which is covered by Pine Cellular’s license.
The FCC grants additional licenses for spectrum in the 2.5 GHz band for commercial wireless services.
- The WTB released a Public Notice on January 5, 2023, announcing the grant of four additional licenses for spectrum in the 2.5 GHz band, the auction for which concluded on August 29, 2022. A list of the licenses, sorted by licensee, is available here. And list of the same licenses, sorted by market, is available here.
The FCC takes further action to enable commercial operations through spectrum sharing in the 3.5 GHz band.
- On January 10, 2023, the WTB and Office of Engineering and Technology (“OET”) released a Public Notice approving the new Environmental Sensing Capability (“ESC”) sensor deployment and coverage plans of Federated Wireless in the 3.5 GHz band. Federated Wireless is now authorized to operate its ESC sensors to protect federal incumbents in Alaska and must, among other things, operate in conjunction with at least one Spectrum Access System (“SAS”), which manages non-federal access to the 3.5 GHz band, that has been approved for commercial deployment.
- In addition, the WTB and OET released a Public Notice on January 12, 2023, certifying that the SAS operated by RED Technologies SAS (“RED”) has satisfied the FCC’s testing requirements and been approved to begin its initial commercial deployment (“ICD”), subject to certain conditions. After RED operates its ICD, it is required to submit a report, and assuming that the report is satisfactory, RED will then receive authorization to operate for a five-year term.
The FCC revises its framework for making public safety spectrum in the 4.9 GHz band available for commercial wireless services.
- On January 18, 2023, the FCC released an Order and Further Notice of Proposed Rulemaking establishing rules that provide for a nationwide Band Manager for public safety operations in the 4940-4990 MHz (“4.9 GHz”) band. The Order replaces the previous framework for the 4.9 GHz band, which allowed states to lease the spectrum to third parties, including commercial entities, through a designated statewide lessor. The new framework will allow the Band Manager to coordinate all use of the spectrum nationwide, including by making it available for secondary, non-public safety use – such as commercial 5G wireless services – by allowing non-public safety entities to lease unused 4.9 GHz band spectrum. The Further Notice seeks comment on implementing the new leasing framework and selecting the Band Manager. Comments and reply comments on the Further Notice will be due 30 days and 60 days, respectively, after publication in the Federal Register.

Other Agency Actions

The Federal Aviation Administration proposes requirements to help foster coexistence between 5G operations in the C-band and aircraft relying on radio altimeters.
- On January 22, 2023, a Notice of Proposed Rulemaking issued by the Federal Aviation Administration (“FAA”) was published in the Federal Register. The Notice proposes to update the FAA’s existing Airworthiness Directive (“AD”) regarding the coexistence of licensees of spectrum in the 3.7-4.2 GHz band (“C-band”) and radio altimeters. Specifically, the FAA proposes interference tolerance requirements for radio altimeters and requirements that all aircraft operating under its rules meet power spectral density requirements to operate in the contiguous U.S. after February 2, 2024. The FAA has determined that radio altimeter tolerant airplanes will not experience unsafe conditions at any airport identified by the FAA as a 5G market. It has also determined that any 5G C-band provider that maintains the mitigated actions, which are based on the power levels to which Verizon and AT&T previously agreed, will not have an effect on the safety of transport and commuter airplanes with radio altimeters that meet the interference tolerance requirements. The FAA will assess changes in the agreed-upon power levels. Comments on the FAA’s proposals are due February 10, 2023.
The Department of Defense seeks comment on developing a spectrum roadmap.
- On January 4, 2023, the Department of Defense (“DoD”) released a Request for Information seeking input to support the development of a Next-Generation Electromagnetic Spectrum Strategic Roadmap, which Congress requested of DoD in a June 2022 letter. Among other things, DoD requests input on its ability to use commercial systems for its operations and spectrum sharing. The deadline for providing input is February 10, 2023 at 2:00 pm ET.

5G Networks and Equipment

The FCC reminds rip-and-replace funding recipients of their reporting obligations.
- On January 11, 2023, the FCC’s Wireline Competition Bureau released a Public Notice reminding parties that receive funding from the FCC’s Reimbursement Program to remove and replace equipment that poses a national security risk of their obligation to file their Reimbursement Program spending reports. The spending reports, which, among other things, must include a detailed accounting of the covered equipment and services that have been removed and replaced, are due by February 10, 2023.

Article By Angela Y. Kung and Christen B’anca Glenn of Mintz

For more data privacy and cybersecurity legal news, click here to visit the National Law Review.

Author: National Law Forum

The FTC Announces First Health Breach Notification Rule Enforcement Action

Like this: