Our lawyers are well known for thought leadership across many platforms, and that tradition continues over the coming weeks. Please join us at these upcoming events to hear the latest trends, updates and insights within the global Data Privacy realm. For more information, contact the presenters or your relationship attorney.

“Best Practices to Leading Post-Cyber Incident Forensic Investigations and Understanding Litigation Implications Surrounding Forensic Reports”
Thursday, March 28 | 2:30 pm – 4:40 pm ET | Webinar

Given the proliferation of litigation stemming from cybersecurity incidents, organizations need to understand how legal teams direct forensic investigations in order must ensure forensic reports align with anticipated litigation scenarios. A forensic report is normally prepared by a cybersecurity firm following a thorough investigation into the nature and scope of a company’s cybersecurity incident. A report will generally identify areas in which a company’s IT infrastructure was not compliant with best practices, regulations and/or industry standards, or whether a third-party vendor is responsible for the gap in a company’s IT infrastructure – all evidence that could substantiate future legal claims, either if a company wants to go on the offensive or if the company must defend itself.

Join Colin Jennings, Katy Spicer and Meghan Quinn for this free CLE accredited webinar to better understand how to effectively lead a post-cyber incident forensic investigation and related discovery implications.

Register for free by using the promotional code “SquirePattonBoggs24”.

Continue Reading Squire Patton Boggs Lawyers to Present on Several Upcoming Webinars and Events

On January 15, 2024, the American Arbitration Association (“AAA”) introduced updates to its Mass Arbitration Supplementary Rules and its fee schedules, including for consumer mass arbitrations (collectively referred to as the “Updates”). The Updates consist of a flat initiation fee to lower the cost of initiating arbitrations, the new requirement of counsel to affirm that the information they provide is not frivolous when initiating the arbitrations and an increased and expansive role of a Process Arbitrator to ensure fair and consistent administrative procedures. A more detailed overview of these revisions can be found below.

Although the Updates may mitigate some of the more abusive practices common to mass arbitrations, they do not fully eliminate the risks posed by mass arbitrations recently brought by the privacy plaintiff’s bar. As such, businesses identifying the AAA as the third-party arbitrator in their consumer agreements should review the Updates and consider their impact.

Signed Affirmation Requirement

Mass arbitration claims must now “include an affirmation that the information provided for each individual case is true and correct to the best of the [counsel’s] knowledge.”  See Mass Arbitration Supplementary Rules, MA-2. Particularly, this revised rule addresses the issue of counsel filing cases that are fictitious, duplicative, or inaccurate—it now allows arbitrators to conclude that counsel do not knowingly file false or unverified claims. A similar requirement extends to responses, counterclaims, and amended Demands for Arbitration. As such, the court may impose Rule 11-type sanctions if those types of claims are filed.

Changes to Mediation Procedures

Further, the Updates include an expanded mediation requirement. Under the prior rules, mediation had to take place within 120 days of the deadline for answers to the Demands for Arbitration, following resolution of any threshold challenges, and that is still the case. As it remains in place the option that any party may unilaterally opt out of the mediation. However, with the new revision in place, even if a party opts out of mediation, the AAA can still, sua sponte, try to resolve the dispute by appointing a mediator to facilitate the discussions between the parties.

Updated Fee Schedule

The Updates also include a new fee schedule, which affects Process Arbitrator fees, arbitrator appointment fees, Merits Arbitrator’s compensation, and hearing fees as summarized below.

Initiation Fee

The Updates introduce a new fee schedule that significantly lowers the costs of initiating an arbitration by introducing a flat initiation fee, which minimizes the up-front costs that businesses must pay at the forefront of the case when there are a large number of claimants. This flat fee covers the costs of an administrative review of the filing, an administrative conference call with the AAA, and the appointment of a Process Arbitrator/Global Mediator (the role of these arbitrators will be explained further below).

Before:

  • Individuals paid $75 or 125 per case.
  • Businesses paid $100, $175, $250, or $325 per case.

Now:

  • Individuals pay a flat initiation fee of $3,125 for all cases.
  • Businesses pay a flat initiation fee of $8,125 for all cases.

Filing Fee

After the initiation of the arbitration, the new rules still use a “per case” basis for filing fees and remain mostly unchanged. However, the Updates raised the filing fee by $25 for claimants: 

Number of Cases1-500501-1,5001,501-3,0003000+
Individual (Claimant) Filing Fee:$125$75$75$75
Business Filing Fee:$325$250$175$100

Further, once cases are ready for Merits Arbitrator selection, the AAA will levy an arbitrator appointment fee for each case. This new fee replaces the previous case management fee of $1,400 and is now split between claimants and businesses. For consumer cases, if the AAA appoints an arbitrator directly, the business pays $450 and each claimant pays $50, but if the AAA uses the list and rank process, the business pays $600 and the individual claimants each pay $75.

When it comes to the compensation that Merits Arbitrators are paid for consumer cases, whereas they used to get paid on a flat fee basis—$2,500 per case per day for virtual or in-person hearings and $1,500 for desk arbitrations—Merit Arbitrators now receive $300 per hour across the board. Following this, the former hearing fee—incurred when the arbitrator schedules the evidentiary hearing—is now called the “Final Fee” and is set at $600 per case for consumer cases. Noteworthy mention is that the Updates provide that virtual hearings are the preferred method of evidentiary hearings for new cases filed, leveraging technology for increased efficiency and accessibility.

Introduction of Process Arbitrator

As discussed above, the flat initiation fee covers the costs of a Process Arbitrator. Under the Updates, the Process Arbitrator may decide threshold administrative issues pertaining to the filings. For example, the Process Arbitrator can hear challenges to the propriety of filings to determine compliance with the AAA’s filing requirements or whether the filing requirements of the parties’ contracts have been met. Below, you will see more administrative matters that the Process Arbitrator may decide:

  • Which rules apply;
  • Which cases should be excluded from the mass arbitration;
  • The determination of payment of administrative fees, arbitrator compensation, and expenses;
  • The selection process for Merit Arbitrators;
  • For cases under the Consumer Arbitration Rules:
    • Whether the cases should be closed and proceed in a small claims court; and,
    • Whether the Merit Arbitrator(s) must proceed by documents or whether to hold hearings;
  • The type and location of the Merit Arbitrator’s hearings;
  • Whether any previously issued rulings by the Process Arbitrator are binding on subsequent cases.

Conclusion

Moving forward, these Updates enhance protections for businesses confronting the risk of mass arbitrations. Particularly, the Updates reduce the fees to begin the arbitration process, lower the risk of counsel’s filing frivolous arbitrations with duplicative or fictitious claims, and it allows the Process Arbitrator to ensure the consistency and uniformity of AAA administrative procedures.

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Never Beyond the Law – the Spanish AEPD’s Position on the Processing of Whistleblower Data | Privacy World

Singapore to Pass New Law to Boost Digital Resilience | Privacy World

Biden Budget Proposal Advances AI Priorities | Privacy World

US Regulators Lift the Curtain on Data Practices With Assessment, Reporting and Audit Requirements | Privacy World

Japan’s New Draft Guidelines on AI and Copyright: Is It Really OK to Train AI Using Pirated Materials? | Privacy World

In Narrow Vote California Moves Next Generation Privacy Regs Forward | Privacy World

EDPB Versus Ireland? Does the Opinion on “Main Establishments” Mean the End of the GDPR “One-stop Shop” Mechanism? | Privacy World

Everything, Everywhere, All the Time: How Digital Data Regulations Affect Everything from Cross-Border Investigations, Disputes, Data Breach Response and AI | Privacy World

In February 2023, Spain implemented Directive (EU) 2019/1937 (although it did not become fully applicable until December of that year) by means of Law 2/2023, of February 20, 2023, regulating the protection of persons who report regulatory violations and the fight against corruption (the “Law”). The Law, which requires all public and private organizations (with more than 50 employees or simply operating in certain sectors, even if they have fewer employees) to implement a whistleblowing system, has raised some doubts from a data protection perspective.

Continue Reading Never Beyond the Law – the Spanish AEPD’s Position on the Processing of Whistleblower Data

On March 1, 2024, Singapore’s Ministry of Communications and Information announced[1] that a study would be launched to introduce a new piece of legislation, the Digital Infrastructure Act (DIA), to boost the resilience and security of key digital infrastructure and services in Singapore.

Continue Reading Singapore to Pass New Law to Boost Digital Resilience

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Biden Budget Proposal Advances AI Priorities | Privacy World

US Regulators Lift the Curtain on Data Practices With Assessment, Reporting and Audit Requirements | Privacy World

Japan’s New Draft Guidelines on AI and Copyright: Is It Really OK to Train AI Using Pirated Materials? | Privacy World

In Narrow Vote California Moves Next Generation Privacy Regs Forward | Privacy World

EDPB Versus Ireland? Does the Opinion on “Main Establishments” Mean the End of the GDPR “One-stop Shop” Mechanism? | Privacy World

Everything, Everywhere, All the Time: How Digital Data Regulations Affect Everything from Cross-Border Investigations, Disputes, Data Breach Response and AI | Privacy World

California Considers Restricting Broad Swath of Content Personalization and Online Advertising Activities | Privacy World

Executive Order on Maritime Cybersecurity Illuminates Path Forward for All Critical Infrastructure Operators | Privacy World

Originally posted on Squire Patton Boggs’ Capital Thinking blog by David StewartLudmilla Kasulke and Dominic Braithwaite.


On March 11, 2024, US President Joe Biden released his Fiscal Year (FY) 2025 budget request, which included proposals on U.S. Artificial Intelligence (AI) development and efforts to implement the Biden Administration’s Executive Order (EO) on AI. The budget identifies the National Science Foundation (NSF) as central to U.S. leadership in AI, requesting $10.2 billion in funding for the agency. $2 billion of that total would be dedicated to research and development (R&D) in accordance with CHIPS Act priorities, including AI, and $30 million would support the National AI Research Resource pilot program. The budget also requests $65 million for the Commerce Department “to safeguard, regulate, and promote AI, including protecting the American public against its societal risks.” This funding would include directing the National Institute of Standards and Technology (NIST) to establish the U.S. AI Safety Institute. The institute would be responsible for operationalizing “NIST’s AI Risk Management Framework by creating guidelines, tools, benchmarks, and best practices for evaluating and mitigating dangerous capabilities and conducting evaluations including red-teaming to identify and mitigate AI risk.” Further, the Department of Energy (DOE) Office of Science, which is responsible for implementing aspects of both the CHIPS Act and the AI EO, would receive $8.6 billion under the President’s proposed budget.

Continue Reading Biden Budget Proposal Advances AI Priorities

Following the lead of Europe, four US states currently require businesses to conduct and document assessments to evaluate and mitigate risks in connection with new and ongoing personal data processing activities, and at least eight additional states will do so between now and the end of 2025. California, which applies its requirements beyond traditional consumers to human resources and business-to-business contexts, requires regulatory filings of assessments (which may end up being in abridged form). On March 8, draft California assessment regulations were moved forward toward preparation for public comment, as detailed here. All of the states give regulators the ability to inspect assessments, which must be retained for that purpose. These new obligations will raise the curtain on companies’ info governance practices for regulators, and thereby necessitate robust data protection programs that are more than “window dressing.” Regulators have been clear about their plans to move to more aggressive enforcement of new state privacy laws, as discussed here and here, and assessments will give them a roadmap to do so.

Continue Reading US Regulators Lift the Curtain on Data Practices With Assessment, Reporting and Audit Requirements

On January 23, 2024, the Japan Agency for Cultural Affairs (ACA) released its draft “Approach to AI and Copyright” for public comment, to clarify how ingestion and output of copyrighted materials in Japan should be considered. On February 29, 2024, after considering nearly 25,000 comments, additional changes were made. This document, created by an ACA committee, will likely be adopted by the ACA in the next few weeks. This article provides a summary of the key points of the draft itself and as modified.

By way of background, on January 1, 2019, Japan’s revised Copyright Act came into effect, making Japan one of the world’s most AI-friendly countries. Article 30-4 was implemented, allowing broad rights to ingest and use copyrighted works for any type of information analysis, including for the purpose of training AI models. 

Unlike the UK and the EU, which allow the ingestion of copyrighted works only for non-commercial purposes, Japan allows it also for commercial use, purposes other than production and apparently including the ingestion of illegally obtained content, such as pirated copyright material. According to reports, in a committee meeting, Japan’s Minister of Education, Culture, Sports, Science and Technology, Keiko Nagoaka indicated AI companies in Japan can use “whatever they want” for AI training “regardless of whether it is for non-profit or commercial purposes, whether it is an act other than reproduction, or whether it is content obtained from illegal sites or otherwise.” This position led to Japan being called a “machine learning paradise.” The only exceptions imposed under the law are when such ingestion was for the “enjoyment” of the thoughts or sentiments expressed in a work in a way that “unjustly harms” the interests of the copyright holder. The law, however, provides little detail as to how this exception was to be interpreted by courts. 

Why Japan Passed the 2019 Provisions and Why the Clarification Now

So, why would Japan, generally a legally conservative country, implement the 2019 provisions, which allow for far broader uses of copyrighted materials in “information analysis” than the provisions of many other countries? Some suggest it is because AI is generally seen in Japan as a potential solution to a swiftly aging population. In addition, there are currently no real local Japanese AI providers, so to quickly develop AI capabilities, Japan implemented a flexible AI approach. Furthermore, Japan has long been a bastion for robot development, and AI can be a critical piece to improving their functionality. 

However, especially given the dramatic improvement in the output of new generative AI tools like ChatGPT, there has been increasing pushback by Japan-based content creators, such as the developers of manga (comics) and anime (animation), movies/TV shows and music, as well as a broad range of international content creators, who voiced concern over the lack of protection they were receiving under the law. For this reason, the ACA assembled a committee to address the concerns, clarify the limitations of the law and highlight the areas that yet need to be determined. After six months of study, they released the January 23 draft Approach to AI and Copyright Report,” which is now expected to be formalized in the next few weeks. 

What Is New in the “Approach to AI and Copyright”?

After an exhaustive review of the rationale for implementing Article 30-4 and summarizing the concerns of AI developers, users and copyright holders, the ACA summarizes its position over the main issues. 

Use Over the Learning/Development Stage

The committee essentially embraced Article 30-4 allowing the ingestion and analysis of copyrighted materials for AI learning to promote creative innovations in AI. It removes the need of acquiring consent from copyright holders, as long as it would not have a “material impact on the relevant markets” and that the AI usage does not “violate the interests of the copyright holders.” 

The Enjoyment Prong

In teasing out this apparent dichotomy, the committee first focuses on distinguishing between digesting copyrighted content for “information analysis” (which is allowed) versus the use for a “purpose of enjoyment of the thoughts and or sentiments expressed in the copyrighted work” (which is not allowed). The committee’s report states that “enjoyment” consists of satisfying the intellectual and mental needs of the individual through the viewing/experiencing the works. By contrast, information analysis might include a scholarly assessment of movie themes across various genres, while “enjoyment” would likely include the ability to play and view all or a significant part of the individual movie.

Thus, the legality of the ingestion of copyrighted material essentially appears to be tied to its intended generative AI output. Thus, if the AI creator uses the copyrights material solely for training the data base and doing pure data analytics, Article 30-4 allows such use without consent of the copyright owner. However, where the AI creator has a joint purpose of non-enjoyment (such as the above pure data analysis) and enjoyment (such as outputting creative expressions of creative works), such use without the consent of the copyright holder is not allowed under Article 30-4.  

Accordingly, the focus is that ingestion of copyrighted material is prohibited if the intention is to output products that can be perceived as creative expressions of copyrighted works, including mimicking the style of specific creators. The committee notes that an AI service provider could also help remove this concern by taking “practical and technological measures” to prevent the generation of infringing works. 

The committee notes the fact that a single or infrequent generative AI output violates copyright is not determinative that its intended use is for enjoyment but concedes that frequent violations might be. However, it also states that if such frequent cases are due to the AI user’s input/instructions requesting such material, it cannot be presumed the AI service provider intended a use for enjoyment. 

The Unjust Harm Prong

The committee then analyzed what it means to unjustly harm the interest of the copyright holder, finding this occurs when the AI output “conflicts with the copyright holder’s market or inhibits potential marketing channels for such copyrighted works in the future”. The committee explored various aspects of databases used for data analysis, generally finding that such use is allowed under Japan’s Copyright Act, but noted there may be exceptions, such as where the database owner applies technical protection measures to prohibit AI crawlers to ingest their work. Such exceptions would need to be determined on a case-by-case basis. 

Besides encouraging copyright owners to implement technical protection measures, the committee noted some newspaper publishers and other copyright owners are licensing their content for AI ingestion. Such steps can help resolve issues of copyright infringement and show the copyright holder has a market for such copyrighted works, which is an important element of establishing the “unjust harm” element. For example, if other AI developers/service providers fail to take a license when one is available, it is easy to prove the direct impact on the copyright holder. The committee notes that the merits of any copyright violation claim will need to be determined on a case-by-case basis.   

As for AI training from pirated copyright content, the committee noted the difficulty of the AI developer/service provider knowing whether the content its AI crawlers ingest is pirated or legitimate. In the end, the committee found that if the AI developer/service provider knowingly (or should have known) that it had ingested pirated/infringing materials, it is one factor to consider them a contributory infringer, increasing the likelihood of liability. If the AI provider knowingly/should have known that it ingested pirated materials, it should take steps to prohibit infringing copyright output, which could assist in defeating a claim for contributory infringement. 

The committee further encourages the ACA to continue to engage in countermeasures against piracy, perhaps without recognizing that many of these pirate sites are abroad, making it more difficult to prohibit access to the sites in Japan. In the revisions made in response to the public comments, the committee adds, “it is desirable to realize a state in which piracy is not encouraged, such as by enabling right holders to provide information on known websites carrying pirated copies to these operators and other related parties in advance to an appropriate extent, so that operators can recognize websites carrying pirated copies and exclude these websites from the collection of learning data.”

The committee notes the removal of a copyrighted work from the AI database may be ordered where there is a “high probability” that an infringing reproduction will occur in the future. However, damage claims would only be allowed where there is willful intent or negligence. Further, criminal liability should only be considered where there is willful intent. 

Use in the Generation/Utilization Stages  

Turning to the output phase, in order to determine whether a copyright infringement occurs, it is necessary to prove both “similarity” and a “reliance” on an existing copyrighted work. “Similarity” may be found even if only parts of the work are essential features of the output. “Reliance” is shown when the creator of the new work is aware of the prior work. 

Accordingly, when the AI user requests the AI to generate a specific copyrighted work, such as referencing to it in a request prompt, reliance is established, and the AI user may be found to be the infringer. However, if the AI user is not aware of an existing copyrighted work, and an infringing output is generated, then the AI developer/service provider may be found a contributory infringer, especially if there are frequent infringements by the tool. To avoid this, AI developers/service providers are encouraged to implement technical measures to ensure that ingested copyright content is not generated. They also suggest there be measures to prevent AI user’s from requesting infringing material. 

The Copyrightability of the AI Output

Under Japan’s Copyright Act, Article 2(1), a copyright-protected work is defined as a creation expressing “human thoughts and emotions.” Thus, it appears difficult for AI to become the author of its own creations under the current law. However, the committee explored that a joint work, with human input and AI generated content, may be eligible for copyright protection as a whole, based on certain factors. These include:

  • The amount and content of the instructions and input prompts by the AI user
  • The number of generation attempts, modifying the output for a desired result by the AI user
  • The AI user selecting the work from multiple generated works
  • The subsequent human modifications to the AI generated work

Differences from US, UK and EU Laws on AI Training

The US has no specific law regulating the use of copyrighted material for training of AI models, either for commercial or non-commercial purposes. Rather, in the US, the issue is currently being litigated in a number of lawsuits that pit content creators and copyright holders against the creators and operators of generative AI tools. While there are a number of novel issues raised in the various cases, the most critical issues will be determining (1) whether the collection and use of copyrighted materials to develop the generative AI tools was a “fair use” under the US Copyright Act, and (2) whether the fact that certain outputs, generated by third-party input, are (a) substantially similar to a registered copyright such that it would be a copyright infringement and (b) that the AI creator/operator is liable even though it did not input the information that generated the purportedly infringing output.

In both the EU and the UK, the laws allow for the harvesting/scraping of data for purposes of training an AI model only for noncommercial use, in general. Some jurisdictions recognize the right to use it for commercial purposes in very specific instances. For example, the German Copyright Act (Sections 44b and 60d) allows the reproduction of lawfully accessible works in order to carry out text and data mining even in commercial situations in the absence of a reservation of such use by the right owner or for scientific research purposes. My colleagues Sandra Mueller and Julia Jacobson (with hyperlinks to their profiles) have noted a recent case in the Hamburg District Court by photographer Robert Kneschke against LAION E.V. regarding the use of his photograph in training AI image generators and claiming copyright infringement. According to the photographer’s legal representatives, one of the main claims the defendant relies upon relates to the above provisions. The oral hearing in this case is reportedly scheduled for 25 April 2024.

In Singapore, as reported by our colleague there, Charmian Aw, Singapore has released its proposed Model AI Governance for Generative AI guidelines identifying data as a core element of model development, significantly impacting the quality of the model output. This makes it necessary to ensure data quality, such as through the use of trusted data sources. Where the use of data for model training is potentially contentious, such as personal data and copyright material, they state it is “important to give business clarity, ensure fair treatment, and to do so in a pragmatic way.”

As to the copyright issues, the Singapore guidelines suggest doing so through (1) creating an open dialogue with all stakeholders, (2) encouraging AI developers to “undertake data quality control measures” using “data analysis tools to facilitate data cleaning,” (3) more globally expanding the available pool of trusted data sets and (4) governments “working with their local communities to curate a repository of representative training data sets for their specific context (e.g. in low resource languages).”

Conclusions

The ACA committee concludes that the relationship between AI and copyright will need to be determined on a case-by-case basis, including precedents and judicial decisions against the backdrop of the unpredictable and fast-moving development of technology, and the progress of studies in other countries. For this report, the committee focused on the exceptions for acquiring consent of the copyright owner under Article 30-4 of the Copyright Act. In the future, the committee indicates that it will need to consider the impact of an author’s moral rights and neighboring rights that are personal to the author and protected under Japanese law. 

What can be gleaned by this detailed study, is that Japan wants to aggressively support the development of AI tools and the market for AI solutions by allowing broad rights to ingest copyrighted works. However, it is struggling to do so in a way that properly rewards content-holders for their creations. As AI tools continue to improve, this will certainly to be an interesting effort to watch, especially against the backdrop of the various approaches to the issue by the US, the EU, the UK and other countries across the globe.  

If you have questions, please feel free to reach out your favorite firm contact or one of our AI team contacts.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

In Narrow Vote California Moves Next Generation Privacy Regs Forward | Privacy World

EDPB Versus Ireland? Does the Opinion on “Main Establishments” Mean the End of the GDPR “One-stop Shop” Mechanism? | Privacy World

Everything, Everywhere, All the Time: How Digital Data Regulations Affect Everything from Cross-Border Investigations, Disputes, Data Breach Response and AI | Privacy World

California Considers Restricting Broad Swath of Content Personalization and Online Advertising Activities | Privacy World

Executive Order on Maritime Cybersecurity Illuminates Path Forward for All Critical Infrastructure Operators | Privacy World

More Detail on U.S. Data Processing Assessment Requirements | Privacy World

Protecting Kids Online – Part II | Privacy World

Protecting Kids Online: Changes in California, Connecticut and Congress – Part I | Privacy World

Federal Children’s Privacy Requirements to Be Updated and Expanded | Privacy World

EU Digital Services Act in Full Force | Privacy World

Deep Fake of CFO on Videocall Used to Defraud Company of US$25M | Privacy World

Address Cyber-risks From Quantum Computing | Privacy World

FCC Clarifies and Codifies TCPA Consent Revocation Rules | Privacy World

Asia Data Privacy/Cybersecurity and Digital Assets Partners to speak at the Global Legal ConfEx in Singapore, 20 February 2024 | Privacy World