President Joseph Biden issued an executive order on October 30 designed to protect against the risks of artificial intelligence (AI) while encouraging the global growth and expansion of AI development and use.
Although the executive order (EO), titled Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, EO 14110, 88 Fed. Reg. 75191-75226 (Nov. 1, 2023), is largely not self-effectuating and thus does not have a practical impact at this time, it provides a robust roadmap of the Biden administration’s anticipated policy, regulatory, legal, and practical changes that will affect a broad range of industries—not only those that develop AI, but also those that use AI. Of particular import is the focus on technology and healthcare, privacy, immigration, and accessibility—all areas of significant ongoing attention from the Biden administration.
The EO requires, at least, the following:
The EO may provide significant support to developers and customers of AI, reduce barriers to the employment of highly skilled foreign national talent in the United States, and pave the way for additional government funding (whether through grants or government contracts), but under strict constraints of federal procurement and criminal sanctions, which carry heavy potential penalties for both businesses and individuals.
If implemented, industry, academia, individuals, researchers, and global allies can expect to see additional administrative bureaucracy through US government working groups, advisory committees, and outreach, but also an attempt to bring to bear all the US government’s regulatory authority to manage, if not control, the use and application of AI.
The EO relies on agency rulemaking under the Administrative Procedures Act (APA) for implementation and assertively presses Congress to enact a comprehensive privacy law, while leaving in place a patchwork of potentially conflicting state laws. This is in contrast to broader and more prescriptive actions taken by the European Union.
However, pragmatically speaking, several areas of the EO highlight the Biden administration’s continued focus on consolidation of regulatory authority, consistency where needed, and broad multilateral engagement. It invokes both the Defense Production Act of 1950 (DPA), 50 USC §§ 4501, et seq., and the International Emergency Economic Powers Act, 17 USC §§ 1701, et seq., as its underlying authority—two statutes that maximize the president’s flexibility when it comes to announcing policy and directing agencies to implement that policy through regulatory constructs.
The DPA was used extensively during the COVID-19 pandemic and allows the president to regulate and compel the means and manner of industrial production in furtherance of national defense and security. While first conceived during the Cold War, the law remains relevant and was most recently the lynchpin of vaccine and other production during the initial stages of the pandemic. It remains a key tool of administrations in the technology industry, where the DPA has been invoked to declare critical materials and issue rated orders to support national security requirements.
Similarly, the president’s invocation of the International Emergency Economic Powers Act (IEEPA), 50 USC §§ 1701, et seq., emphasizes the importance the administration places on its ability to declare a national emergency and take immediate and potentially unilateral actions. Under this provision, even with the existence of the Export Control Reform Act of 2018 (ECRA), we anticipate additional export controls on AI writ large—whether on the software, hardware, technology, equipment, or materials side.
However, the EO is necessarily heavily dependent on agency rulemaking and implementation. Rulemaking may be constrained by the US Supreme Court’s recent resurrection of the Major Questions Doctrine and action the Court may take with respect to Chevron deference in the current term. Congress also wields influence through its ability to legislate, limit funding, develop funding constraints, or condition funding upon completion of other actions.
Moreover, because AI risks are transnational and not readily stopped at a physical border, enforcement of many of the proposed efforts remains uncertain. Absent multilateral consensus, partners, and allies, as well as other countries, may determine alternative paths for addressing AI governance. Deviations or diversions from a common focus will likely limit the effectiveness and reliability of any proposed US efforts.
While that may not discourage the US from proceeding down a particular path, it will create challenges for companies, researchers, academics, and others who will need to balance varying objectives by jurisdiction. Increased regulation may also result in AI companies choosing to develop their capabilities in less regulated countries. An upcoming meeting of the G-7 nations could serve as an indicator for how this EO is perceived among key allies.
Although the EO creates broad sweeping policies, its focus can be distilled to at least the following areas:
At the same time, the EO also embeds what appears to be primary responsibility in the US Department of Commerce, an agency already overburdened with export controls, supply chain, CHIPS Act, tariffs, Information and Communications Technology and Services Supply Chain regulation, and foreign direct investment (inbound and outbound through the Bureau of Economic Analysis (BEA) processes).
While the EO tasks other agencies—such as the Departments of Energy, Defense, and Health and Human Services and the Office of Science and Technology Policy—with responsibilities, the Department of Commerce seems to be the coordinating and lead agency across a number of areas, in part perhaps because Commerce includes the National Institute of Standards and Technology (NIST), National Telecommunications and Information Administration (NITA), and the US Patent and Trademark Office (USPTO). How this coordination will ultimately play out remains an open question.
Federal contractors can expect a review and study of new regulatory requirements. Government contractors that use AI or provide AI to the government can expect to feel the effects of the EO through new contract terms and potential regulatory clauses. By requiring agencies to take certain steps regarding the AI that they use, the administration is implicitly requiring agencies to pass those restrictions along to their contractors, as necessary. In that vein, the EO directs myriad changes that will impact agencies’ administration of government contracts. Contractors may be affected by proscriptions ranging from privacy and security standards to red-teaming and watermarking requirements.
As noted above, the EO also includes an express requirement that agencies provide clear guidance to federal contractors to keep AI algorithms from being used to exacerbate discrimination. In addition to those regulatory requirements, the EO’s requirements may create new contract opportunities as agencies work to find tools that will help them advance fraud detection and authentication efforts and meet other EO mandates.
Industries, academics, researchers, and global partners can expect some export controls related to AI development, design, and application. The EO highlights the diligence requirements when working with third parties and the need for companies and others to remain vigilant regarding how third parties use certain AI-specific technologies and products. While a “know your customer” approach exists across a number of regulatory constructs, it has been particularly challenging within the export controls regulations, as those have expanded and imposed additional obligations on industry to assess how they manage exchanges with unrelated parties.
AI overall is not expressly controlled as a separate category by either the Department of Commerce or State, although many aspects of AI (as defined in Section 3 of the EO) are embedded within both the Export Administration Regulations and the International Traffic in Arms Regulations.
Both Commerce and State would need to update the control lists under each regime to clarify the covered AI and then establish policies for how exports of those controlled items are managed. As the EO notes, the president directed Commerce and State to engage in these types of reviews, and we expect regulations in this area.
The EO recognizes the constraints on the president’s authority and calls on Congress to enact comprehensive national privacy legislation addressing AI. Legislative proposals to expand or enhance existing authorities have existed for several years and none have proceeded beyond the proposal stage despite widespread support. In large measure, difficulties in finding common ground on definitions, scope of application, and the extent to which preemption applies, have resulted in stalemates on most legislative proposals.
In addition, because there is no agreement on the extent to which federal law would preempt state law privacy provisions, regulate private industry, or integrate with privacy regimes in other jurisdictions, most notably the European Union as well as the United Kingdom and the European Economic Area, additional obstacles create challenges to legislative progress.
The EO imposes numerous agency deadlines for actions, including rulemaking. Morgan Lewis will monitor those deadlines and provide updates as the details of this whole-of-government approach become apparent.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: