Payment Pending: CFPB Proposes to Regulate Digital Wallets

Kevin Malecha, MJLST Staffer

Federal regulators are increasingly concerned about digital wallets and person-to-person payment (P2P) apps like Apply Pay, Google Pay, Cash App, and Venmo, and how such services might impact the rights of financial consumers. As many as three-quarters of American adults use digital wallets or payment apps and, in 2022, the total value of transactions was estimated at $893 billion, expected to increase to $1.6 trillion by 2027.[1] In November of 2023, the Consumer Financial Protection Bureau proposed a rule that would expand its supervisory powers to cover certain nonbank providers of these services. The CFPB, an independent federal agency within the broader Federal Reserve System, was created by the Dodd-Frank Act in response to the 2007-2008 financial crisis and subsequent recession. The Bureau is tasked with protecting consumers in the financial space by promulgating and enforcing rules governing a wide variety of financial activities like mortgage lending, debt collection, and electronic payments.[2]

The CFPB has identified digital wallets and payment apps as products that threaten consumer financial rights and well-being.[3] First, because these services collect mass amounts of transaction and financial data, they pose a substantial risk to consumer data privacy.[4] Second, if the provider ceases operations or faces a “bank” run, any funds held in digital accounts may be lost because Federal Deposit Insurance Corporation (FDIC) protection, which insures deposits up to $250,000 in traditional banking institutions, is often unavailable for digital wallets.[5]

Enforcement and Supervision

The CFPB holds dual enforcement and supervisory roles. As one of the federal agencies charged with “implementing the Federal consumer financial laws,”[6] the enforcement powers of the CFPB are broad, but enforcement actions are relatively uncommon. In 2022, the Bureau brought twenty enforcement actions.[7] By contrast, the Commodity Futures Trading Commission (CFTC), which is also tasked in part with protecting financial consumers, brought eighty-two enforcement actions in the same period.[8] In contrast to the limited and reactionary nature of enforcement actions, the CFPB’s supervisory authority requires regulated entities to disclose certain documents and data, such as internal policies and audit reports, and allows CFPB examiners to proactively review their actions to ensure compliance.[9] The Bureau describes its supervisory process as a tool for identifying issues and addressing them before violations become systemic or cause significant harm to consumers.[10]

The CFPB already holds enforcement authority over all digital wallet and payment app services via its broad power to adjudicate violations of financial laws wherever they occur.[11] However, the Bureau has so far enjoyed only limited supervisory authority over the industry.[12] Currently, the CFPB only supervises digital wallets and payment apps when those services are provided by banks or when the provider falls under another CFPB supervision rule.[13] As tech companies like Apple and Google – which do not fall under other CFPB supervision rules – have increasingly entered the market, they have gone unsupervised.

Proposed Rule

Under the organic statute, CFPB’s existing supervisory authority covers nonbank persons that offer certain financial services including real estate and mortgage loans, private education loans, and payday loans.[14] In addition, the statute allows the Bureau to promulgate rules to cover other entities that are “larger participant[s] of a market for other consumer financial products or services.”[15] The proposed rule takes advantage of the power to define “larger participants” and expands the definition to include providers of “general-use digital consumer applications,” which the Bureau defines as funds transfer or wallet functionality through a digital application that the consumer uses to make payments for personal, household, or family purposes.[16] An entity is a “larger participant” if it (1) provides general-use digital consumer payment applications with an annual volume of at least five million transactions and (2) is not a small business as defined by the Small Business Administration.[17] The Bureau will make determinations on an individualized basis and may request documents and information from the entity to determine if it satisfies the requirements, which the entity can then dispute.

Implications for Digital Wallet and Payment App Providers

Major companies like Apple and Google can easily foresee that the CFPB intends to supervise them under the new rule. The Director of the CFPB recently compared the two American companies to Chinese tech companies Alibaba and WeChat that offer similar products and that, in the Director’s view, pose a similar risk to consumer data privacy and financial security.[18] For smaller firms, predicting the Bureau’s intentions is challenging, but existing regulations indicate that the Bureau will issue a written communication to initiate supervision.[19] The entity will then have forty-five days to dispute the finding that they meet the regulatory definition of a “larger participant.”[20] In their response, entities may include a statement of the reason for their objection and records, documents, or other information. Then the Assistant Director of the CFPB will review the response and make a determination. The regulation gives the Assistant Director the ability to request records and documents from the entity prior to the initial notification of intended supervision and throughout the determination process.[21] The Assistant Director also may extend the timeframe for determination beyond the forty-five-day window.[22]

If an entity becomes supervised, the Bureau will contact it for an initial conference.[23] The examiners will then determine the scope of future supervision, taking into consideration the responses at the conference, any records requested prior to or during the conference, and a review of the entity’s compliance management program.[24] The Bureau prioritizes its supervisory activities based on entity size, volume of transactions, size and risk of the relevant market, state oversight, and other market information to which the Bureau has access.[25] Ongoing supervision is likely to vary based on these factors, as well, but may include on-site or remote examination, review of documents and records, testing accounts and transactions for compliance with federal statutes and regulations, and continued review of the compliance management system.[26] The Bureau may then issue a confidential report or letter stating the examiner’s opinion that the entity has violated or is at risk of violating a statute or regulation.[27] While these findings are not final determinations, they do outline specific steps for the entity to regain or ensure compliance and should be taken seriously.[28] Supervisory reports or letters are distinct from enforcement actions and generally do not result in an enforcement action.[29] However, violations may be referred to the Bureau’s Office of Enforcement, which would then launch its own investigation.[30]

The likelihood of the proposed rule resulting in an enforcement action is, therefore, relatively low, but the exposure for regulated entities is difficult to measure because the penalties in enforcement actions vary widely. From October 2022 to October 2023, amounts paid by regulated entities ranged from $730,000 paid by a remittance provider that violated Electronic Funds Transfer rules,[31] to $3.7 billion in penalties and redress paid by Wells Fargo for headline-making violations of the Consumer Financial Protection Act.[32]

Notes

[1] Analysis of Deposit Insurance Coverage on Funds Stored Through Payment Apps, Consumer Fin. Prot. Bureau (Jun. 1, 2023), https://www.consumerfinance.gov/data-research/research-reports/issue-spotlight-analysis-of-deposit-insurance-coverage-on-funds-stored-through-payment-apps/full-report.

[2] Final Rules, Consumer Fin. Prot. Bureau, https://www.consumerfinance.gov/rules-policy/final-rules (last visited Nov. 16, 2023).

[3] CFPB Proposes New Federal Oversight of Big Tech Companies and Other Providers of Digital Wallets and Payment Apps, Consumer Fin. Prot. Bureau (Nov. 7, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-new-federal-oversight-of-big-tech-companies-and-other-providers-of-digital-wallets-and-payment-apps.

[4] Id.

[5] Id.

[6] 12 U.S.C. § 5492.

[7] Enforcement by the numbers, Consumer Fin. Prot. Bureau (Nov. 8, 2023), https://www.consumerfinance.gov/enforcement/enforcement-by-the-numbers.

[8] CFTC Releases Annual Enforcement Results, Commodity Futures Trading Comm’n (Oct. 20, 2022), https://www.cftc.gov/PressRoom/PressReleases/8613-22.

[9] CFPB Supervision and Examination Manual, Consumer Fin. Prot. Bureau at Overview 10 (Mar. 2017), https://files.consumerfinance.gov/f/documents/cfpb_supervision-and-examination-manual_2023-09.pdf.

[10] An Introduction to CFPB’s Exams of Financial Companies, Consumer Fin. Prot. Bureau 4 (Jan. 9, 2023), https://files.consumerfinance.gov/f/documents/cfpb_an-introduction-to-cfpbs-exams-of-financial-companies_2023-01.pdf.

[11] 12 U.S.C. §5563(a).

[12] CFPB Proposes New Federal Oversight of Big Tech Companies and Other Providers of Digital Wallets and Payment Apps, Consumer Fin. Prot. Bureau (Nov. 7, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-new-federal-oversight-of-big-tech-companies-and-other-providers-of-digital-wallets-and-payment-apps.

[13] Id.

[14] 12 U.S.C. § 5514.

[15] Id.

[16] Defining Larger Participants of a Market for General-Use Digital Consumer Payment, Consumer Fin. Prot. Bureau 3 (Nov. 7, 2023), https://files.consumerfinance.gov/f/documents/cfpb_nprm-digital-payment-apps-lp-rule_2023-11.pdf.

[17] Id. at 4.

[18] Rohit Chopra, Prepared Remarks of CFPB Director Rohit Chopra at the Brookings Institution Event on Payments in a Digital Century, Consumer Fin. Prot. Bureau (Oct. 6, 2023), https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-at-the-brookings-institution-event-on-payments-in-a-digital-century.

[19] 12 CFR § 1090.103(a).

[20] 12 CFR § 1090.103(b).

[21] 12 CFR § 1090.103(c).

[22] 12 CFR § 1090.103(d).

[23] Defining Larger Participants of a Market for General-Use Digital Consumer Payment, Consumer Fin. Prot. Bureau 6 (Nov. 7, 2023), https://files.consumerfinance.gov/f/documents/cfpb_nprm-digital-payment-apps-lp-rule_2023-11.pdf.

[24] Id.

[25] Id. at 5.

[26] Id. at 6.

[27] An Introduction to CFPB’s Exams of Financial Companies, Consumer Fin. Prot. Bureau 3 (Jan. 9, 2023), https://files.consumerfinance.gov/f/documents/cfpb_an-introduction-to-cfpbs-exams-of-financial-companies_2023-01.pdf.

[28] Id.

[29] Id.

[30] Id.

[31] CFPB Orders Servicio UniTeller to Refund Fees and Pay Penalty for Failing to Follow Remittance, Consumer Fin. Prot. Bureau (Dec. 22, 2022), https://www.consumerfinance.gov/enforcement/actions/servicio-uniteller-inc.

[32] CFPB Orders Wells Fargo to Pay $3.7 Billion for Widespread Mismanagement of Auto Loans, Mortgages, and Deposit Accounts, Consumer Fin. Prot. Bureau (Dec. 20, 2022), https://www.consumerfinance.gov/enforcement/actions/wells-fargo-bank-na-2022.


Conflicts of Interest and Conflicting Interests: The SEC’s Controversial Proposed Rule

Shaadie Ali, MJLST Staffer

A controversial proposed rule from the SEC on AI and conflicts of interest is generating significant pushback from brokers and investment advisers. The proposed rule, dubbed “Reg PDA” by industry commentators in reference to its focus on “predictive data analytics,” was issued on July 26, 2023.[1] Critics claim that, as written, Reg PDA would require broker-dealers and investment managers to effectively eliminate the use of almost all technology when advising clients.[2] The SEC claims the proposed rule is intended to address the potential for AI to hurt more investors more quickly than ever before, but some critics argue that the SEC’s proposed rule would reach far beyond generative AI, covering nearly all technology. Critics also highlight the requirement that conflicts of interest be eliminated or neutralized as nearly impossible to meet and a departure from traditional principles of informed consent in financial advising.[3]

The SEC’s 2-page fact sheet on Reg PDA describes the 239-page proposal as requiring broker-dealers and investment managers to “eliminate or neutralize the effect of conflicts of interest associated with the firm’s use of covered technologies in investor interactions that place the firm’s or its associated person’s interest ahead of investors’ interests.”[4] The proposal defines covered technology as “an analytical, technological, or computational function, algorithm, model, correlation matrix, or similar method or process that optimizes for, predicts, guides, forecasts, or directs investment-related behaviors or outcomes in an investor interaction.”[5] Critics have described this definition of “covered technology” as overly broad, with some going so far as to suggest that a calculator may be “covered technology.”[6] Despite commentators’ insistence, this particular contention is implausible – in its Notice of Proposed Rulemaking, the SEC stated directly that “[t]he proposed definition…would not include technologies that are designed purely to inform investors.”[7] More broadly, though, the SEC touts the proposal’s broadness as a strength, noting it “is designed to be sufficiently broad and principles-based to continue to be applicable as technology develops and to provide firms with flexibility to develop approaches to their use of technology consistent with their business model.”[8]

This move by the SEC comes amidst concerns raised by SEC chair Gary Gensler and the Biden administration about the potential for the concentration of power in artificial intelligence platforms to cause financial instability.[9] On October 30, 2023, President Biden signed an Executive Order that established new standards for AI safety and directed the issuance of guidance for agencies’ use of AI.[10] When questioned about Reg PDA at an event in early November, Gensler defended the proposed regulation by arguing that it was intended to protect online investors from receiving skewed recommendations.[11] Elsewhere, Gensler warned that it would be “nearly unavoidable” that AI would trigger a financial crisis within the next decade unless regulators intervened soon.[12]

Gensler’s explanatory comments have done little to curb criticism by industry groups, who have continued to submit comments via the SEC’s notice and comment process long after the SEC’s October 10 deadline.[13] In addition to highlighting the potential impacts of Reg PDA on brokers and investment advisers, many commenters questioned whether the SEC had the authority to issue such a rule. The American Free Enterprise Chamber of Commerce (“AmFree”) argued that the SEC exceeded its authority under both its organic statutes and the Administrative Procedures Act (APA) in issuing a blanket prohibition on conflicts of interest.[14] In their public comment, AmFree argued the proposed rule was arbitrary and capricious, pointing to the SEC’s alleged failure to adequately consider the costs associated with the proposal.[15] AmFree also invoked the major questions doctrine to question the SEC’s authority to promulgate the rule, arguing “[i]f Congress had meant to grant the SEC blanket authority to ban conflicts and conflicted communications generally, it would have spoken more clearly.”[16] In his scathing public comment, Robinhood Chief Legal and Corporate Affairs Officer Daniel M. Gallagher alluded to similar APA concerns, calling the proposal “arbitrary and capricious” on the grounds that “[t]he SEC has not demonstrated a need for placing unprecedented regulatory burdens on firms’ use of technology.”[17] Gallagher went on to condemn the proposal’s apparent “contempt for the ordinary person, who under the SEC’s apparent world view [sic] is incapable of thinking for himself or herself.”[18]

Although investor and broker industry groups have harshly criticized Reg PDA, some consumer protection groups have expressed support through public comment. The Consumer Federation of America (CFA) endorsed the proposal as “correctly recogniz[ing] that technology-driven conflicts of interest are too complex and evolve too quickly for the vast majority of investors to understand and protect themselves against, there is significant likelihood of widespread investor harm resulting from technology-driven conflicts of interest, and that disclosure would not effectively address these concerns.”[19] The CFA further argued that the final rule should go even further, citing loopholes in the existing proposal for affiliated entities that control or are controlled by a firm.[20]

More generally, commentators have observed that the SEC’s new prescriptive rule that firms eliminate or neutralize potential conflicts of interest marks a departure from traditional securities laws, wherein disclosure of potential conflicts of interest has historically been sufficient.[21] Historically, conflicts of interest stemming from AI and technology have been regulated the same as any other conflict of interest – while brokers are required to disclose their conflicts, their conduct is primarily regulated through their fiduciary duty to clients. In turn, some commentators have suggested that the legal basis for the proposed regulations is well-grounded in the investment adviser’s fiduciary duty to always act in the best interest of its clients.[22] Some analysts note that “neutralizing” the effects of a conflict of interest from such technology does not necessarily require advisers to discard that technology, but changing the way that firm-favorable information is analyzed or weighed, but it still marks a significant departure from the disclosure regime. Given the widespread and persistent opposition to the rule both through the note and comment process and elsewhere by commentators and analysts, it is unclear whether the SEC will make significant revisions to a final rule. While the SEC could conceivably narrow definitions of “covered technology,” “investor interaction,” and “conflicts of interest,” it is difficult to imagine how the SEC could modify the “eliminate or neutralize” requirement in a way that would bring it into line with the existing disclosure-based regime.

For its part, the SEC under Gensler is likely to continue pursuing regulations on AI regardless of the outcome of Reg PDA. Gensler has long expressed his concerns about the impacts of AI on market stability. In a 2020 paper analyzing regulatory gaps in the use of generative AI in financial markets, Gensler warned, “[e]xisting financial sector regulatory regimes – built in an earlier era of data analytics technology – are likely to fall short in addressing the risks posed by deep learning.”[23] Regardless of how the SEC decides to finalize its approach to AI in conflict of interest issues, it is clear that brokers and advisers are likely to resist broad-based bans on AI in their work going forward.

Notes

[1] Press Release, Sec. and Exch. Comm’n., SEC Proposes New Requirements to Address Risks to Investors From Conflicts of Interest Associated With the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers (Jul. 26, 2023).

[2] Id.

[3] Jennifer Hughes, SEC faces fierce pushback on plan to police AI investment advice, Financial Times (Nov. 8, 2023), https://www.ft.com/content/766fdb7c-a0b4-40d1-bfbc-35111cdd3436.

[4] Sec. Exch. Comm’n., Fact Sheet: Conflicts of Interest and Predictive Data Analytics (2023).

[5] Conflicts of Interest Associated with the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers,  88 Fed. Reg. 53960 (Proposed Jul. 26, 2021) (to be codified at 17 C.F.R. pts. 240, 275) [hereinafter Proposed Rule].

[6] Hughes, supra note 3.

[7] Proposed Rule, supra note 5.

[8] Id.

[9] Stefania Palma and Patrick Jenkins, Gary Gensler urges regulators to tame AI risks to financial stability, Financial Times (Oct. 14, 2023), https://www.ft.com/content/8227636f-e819-443a-aeba-c8237f0ec1ac.

[10] Fact Sheet, White House, President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence (Oct. 30, 2023).

[11] Hughes, supra note 3.

[12] Palma, supra note 9.

[13] See Sec. Exch. Comm’n., Comments on Conflicts of Interest Associated with the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers (last visited Nov. 13, 2023), https://www.sec.gov/comments/s7-12-23/s71223.htm (listing multiple comments submitted after October 10, 2023).

[14] Am. Free Enter. Chamber of Com., Comment Letter on Proposed Rule regarding Conflicts of Interest Associated With the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers (Oct. 10, 2023), https://www.sec.gov/comments/s7-12-23/s71223-270180-652582.pdf.

[15] Id. at 14-19.

[16] Id. at 9.

[17] Daniel M. Gallagher, Comment Letter on Proposed Rule regarding Conflicts of Interest Associated With the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers (Oct. 10, 2023), https://www.sec.gov/comments/s7-12-23/s71223-271299-654022.pdf.

[18] Id. at 43.

[19] Consumer Fed’n. of Am., Comment Letter on Proposed Rule regarding Conflicts of Interest Associated With the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers (Oct. 10, 2023), https://www.sec.gov/comments/s7-12-23/s71223-270400-652982.pdf.

[20] Id.

[21] Ken D. Kumayama et al., SEC Proposes New Conflicts of Interest Rule for Use of AI by Broker-Dealers and Investment Advisers, Skadden (Aug. 10, 2023), https://www.skadden.com/insights/publications/2023/08/sec-proposes-new-conflicts.

[22] Colin Caleb, ANALYSIS: Proposed SEC Regs Won’t Allow Advisers to Sidestep AI, Bloomberg Law (Aug. 10, 2023), https://news.bloomberglaw.com/bloomberg-law-analysis/analysis-proposed-sec-regs-wont-allow-advisers-to-sidestep-ai.

[23] Gary Gensler and Lily Bailey, Deep Learning and Financial Stability (MIT Artificial Intel. Glob. Pol’y F., Working Paper 2020) (in which Gensler identifies several potential systemic risks to the financial system, including overreliance and uniformity in financial modeling, overreliance on concentrated centralized datasets, and the potential of regulators to create incentives for less-regulated entities to take on increasingly complex functions in the financial system).


Floating Fans in the Ocean: Recognizing the Significance of Maine’s Recent Bill Regarding Offshore Wind Development Projects

Peter Lyon, MJLST Staffer

Recent efforts in Maine have continued the push for developing sustainable energy sources, specifically including offshore wind energy projects in the Gulf of Maine. Offshore wind projects have captured other coastal states’ and the federal government’s interest for quite some time, though the industry is not well developed due to several practical setbacks and pushback from different stakeholders. Maine has the potential to be a leader in this area, as a bill it passed in July lays more of the groundwork for developing offshore wind energy projects, calls attention to the development of innovative technology, and implements means to adequately address the interests of relevant stakeholders.

“An Act Regarding the Procurement of Energy from Offshore Wind Resources

Maine Governor Janet Mills signed a bill in July to further the development of offshore wind energy projects in the Gulf of Maine, making several amendments to a previous bill and enacting six additional sections.[1] One of the major changes includes declaring a new wind energy goal of three gigawatts of installed capacity by December 2040. This could meet approximately fifty percent of Maine’s anticipated electricity needs at that time.[2] This goal is different from Maine’s unmet 2009 goal of two gigawatts of installed capacity by 2015 and is likely attributable to supply chain issues, higher interest rates, and the rising prices of materials.[3]

To facilitate its three gigawatts by 2040 goal, the bill establishes a process for competitive contracting by requiring the solicitation process and project proposals to be consistent with the Maine Offshore Wind Roadmap issued in 2023,[4] which emphasizes five key topics.[5] It also includes sections pertaining to offshore wind power transmission, supporting the development of port infrastructure and innovative technologies. This may include technologies such as floating or bobbing platforms because the Gulf of Maine is too deep for fixed-structure turbines[6] and storage capacity technology such as large batteries, which would maximize the amount of energy that can be used as it is needed.[7]

The bill also expands the minimum number of advisory board members of the Offshore Wind Research Consortium – a collaborative research initiative created by the bill – from seven to twelve members to reach a wider stakeholder audience. The new advisory board member requirements include adding the “Commissioner of Inland and Wildlife” (or the commissioner’s designee), “at least one individual who is a member of a federally recognized Indian tribe” in Maine, “two individuals with expertise in marine and wildlife habitats,” and “at least one individual with experience in commercial offshore wind power development.”[8] The bill also requires the opportunity for public comment during the project solicitation process.

Engaging with relevant stakeholders at this early stage allows the Consortium’s research to explore and mitigate risks in offshore wind development projects such as the potential negative impact on commercial fishing, species degradation, and harm to ecosystems. These kinds of concerns mirror much of the resistance to offshore wind projects, non-specific to the Gulf of Maine, and the bill emphasizes specific actions to answer them.

Addressing Stakeholder Concerns

Calls for offshore wind energy development have been met with pushback from multiple stakeholder groups, including Native American tribes, members of the commercial fishing industry, and local residents. These and other stakeholders voice concerns about environmental, economic, and social issues. For example, some people argue that installing offshore wind farms could disrupt key fishing and lobstering grounds, which generate more than $1.5 billion for Maine’s economy.[9] This disruption could happen by changing fish migration patterns, changing water temperatures by running large electrical cables onshore, and limiting fishers’ ability to access fishing grounds due to turbine structures being in the way.[10] Another concern is that animals, like the Eastern red bat and other bat species, are vulnerable to flying into wind farm structures.[11] Others simply worry that installing offshore wind farms will disrupt the environment’s natural beauty, as wind farms will be a sort of visual pollution.

In addition to seeking input from relevant stakeholders, the new bill anticipates these kinds of risks and includes specific actions to avoid or mitigate them. The Offshore Wind Research Consortium funds will now also be used to “support conservation that supports species and habitats impacted by offshore wind development,”[12] including research that aims to “avoid or minimize the impact of floating offshore wind power projects on ecosystems and existing uses of the Gulf of Maine.”[13]

Proposals for the development and construction of offshore wind projects must include a “fishing communities investment plan” which “supports innovation and adaptation in response to environmental change, shifting resource economics, and changes in fishing practices associated with offshore wind power development.”[14] Proposals given priority are those that are outside critical fishing and lobstering areas, provide employment and contracting opportunities to people from disadvantaged communities, provide financial or technical support for research regarding wildlife, fisheries, and habitats impacted by offshore wind development, or promote hiring Maine residents and affected community members.[15] Under the bill, proposals must seek to minimize an offshore wind project’s impact on the environment’s visual and scenic character.[16]

The Current State of Offshore Wind Development in the U.S.

Maine is not the only jurisdiction pursuing offshore wind development projects. Most of the locations for offshore wind projects are in federal waters, which means that they often require permits issued by the Bureau of Ocean Energy Management (BOEM), which is housed in the Department of the Interior.[17] The federal government has allocated floating wind leases and has a goal to meet fifteen gigawatts of installed capacity by 2035.[18] Projects are underway in Maine, California, and Oregon, with more in the pipeline.[19]

Maine has the potential to be a leader in offshore wind development projects as its bill passed in July demonstrates the importance of engaging relevant stakeholders, conducting research to avoid or mitigate negative environmental impacts, and prioritizing developments that show commitment to social values. It also emphasizes the role of innovative technology like floating turbines, which are especially relevant because about eighty percent of the world’s offshore wind resource capacity is in locations not well-suited for fixed structures.[20] Offshore wind projects can spur economic growth[21] and contribute to the procurement of sustainable energy while decreasing reliance on non-sustainable sources like fossil fuels. Other jurisdictions should look to Maine’s bill as a great start in the early development of an industry with enormous potential.

Notes

[1] 2023 Me. SP 766.

[2] Maria Gallucci, Maine to go all in on offshore wind, Canary Media (July 25, 2023), https://www.canarymedia.com/articles/wind/maine-to-go-all-in-on-offshore-wind.

[3] Id.

[4] Maine Offshore Wind Roadmap Advisory Committee, The Maine Offshore Wind Roadmap, State of Maine Governor’s Energy Office (February 2023), https://www.maine.gov/energy/sites/maine.gov.energy/files/inline-files/Maine_Offshore_Wind_Roadmap_February_2023.pdf.

[5] Maine’s Offshore Wind Roadmap, State of Maine Governor’s Energy Office, https://www.maine.gov/energy/initiatives/offshorewind/roadmap (last visited Nov. 6, 2023) (stating the Roadmap’s objectives include “supporting economic growth and resiliency, harnessing renewable energy, advancing Maine-based innovation, supporting Maine’s seafood industry, and protecting the Gulf of Maine’s ecosystem.”).

[6] Heather Richards, Gulf of Maine wind could power 100% of New England—Report, E&E News (Oct. 31, 2023), https://subscriber.politicopro.com/article/eenews/2023/10/31/gulf-of-maine-wind-could-give-new-england-a-power-jolt-report-00124295.

[7] Id. (“Offshore wind from the Gulf of Maine could satisfy 72% of New England’s power demand but battery storage is critical; without the right storage capacities, offshore wind could only meet approximately 37% of New England’s needs.”).

[8] 2023 Me. SP 766.

[9] Maria Gallucci, Maine to go all in on offshore wind, Canary Media (July 25, 2023), https://www.canarymedia.com/articles/wind/maine-to-go-all-in-on-offshore-wind.

[10] Bureau of Ocean Energy Management, Gulf of Maine Draft Wind Energy Area (WEA) Notice, Regulations.gov

(October 18, 2023), https://www.regulations.gov/document/BOEM-2023-0054-0001 (see public comments).

[11] Heather Richards, Gulf of Maine wind could power 100% of New England—Report, E&E News (Oct. 31, 2023), https://subscriber.politicopro.com/article/eenews/2023/10/31/gulf-of-maine-wind-could-give-new-england-a-power-jolt-report-00124295.

[12] 2023 Me. SP 766.

[13] Id.

[14] Id.

[15] Id.

[16] Id.

[17] Nicholas P. Jansen, Reducing the Headwinds: the Need for a Federal Approach to Siting Offshore Wind Interconnection Infrastructure, Despite Protective State Laws, 26 Ocean & Coastal L.J. 123 (2021).

[18] Juliana Ennes, California’s floating wind lead threatened by fast-rising Maine, Reuters (September 14, 2023, 10:57 AM), https://www.reuters.com/business/energy/californias-floating-wind-lead-threatened-by-fast-rising-maine-2023-09-14/.

[19] Maria Gallucci, Maine to go all in on offshore wind, Canary Media (July 25, 2023), https://www.canarymedia.com/articles/wind/maine-to-go-all-in-on-offshore-wind.

[20] Id.

[21] Maine Offshore Wind Roadmap Advisory Committee, The Maine Offshore Wind Roadmap, State of Maine Governor’s Energy Office (February 2023), https://www.maine.gov/energy/sites/maine.gov.energy/files/inline-files/Maine_Offshore_Wind_Roadmap_February_2023.pdf.


Cracking the Code: Navigating New SEC Rules Governing Cybersecurity Disclosure

Noah Schottenbauer, MJLST Staffer

In response to the dramatic impact cybersecurity incidents have on investors through the decline of stock value and sizeable costs to companies in rectifying breaches,  the SEC adopted new rules governing cybersecurity-related disclosures for public companies, covering both the disclosure of individual cybersecurity incidents as well as periodic disclosures of a company’s procedures to assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing cybersecurity risks, and the board of directors’ oversight of cybersecurity risks.[1]

Before evaluating the specifics of the new SEC cybersecurity disclosure requirements, it is important to understand why information about cybersecurity incidents is important to investors. In recent years, data breaches have led to an average decline in stock value of 7.5% amongst publicly traded companies, with impacts being felt long after the date of the breach, as demonstrated by companies experiencing a significant data breach underperforming the NASDAQ by an average of 8.6% after one year.[2] One of the forces driving this decline in stock value is the immense costs associated with rectifying a data breach for the affected company. In 2022, the average cost of a data breach for U.S. companies was $9.44 million, drawn from ransom payments, disruptions in business operations, legal and audit fees, and other associated expenses.[3]

Summary Of Required Disclosures

  • Material Cybersecurity Incidents (Form 8-K, Item 1.05)

Amendments to Item 1.05 of Form 8-K require that reporting companies disclose any cybersecurity incident deemed to be material.[4] When making such disclosures, companies are required to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”[5]

So, what is a material cybersecurity incident? The SEC defines cybersecurity incident as “an unauthorized occurrence . . . on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”[6]

The definition of material, on the other hand, lacks the same degree of clarity. Based on context offered by the SEC through the rulemaking process, material is to be used in a way that is consistent with other securities laws.[7] Under this standard, information, or, in this case, a cybersecurity incident, would be considered material if “there is a substantial likelihood that a reasonable shareholder would consider it important.”[8] This determination is made based on a “delicate assessment of the inferences a ‘reasonable shareholder’ would draw from a given set of facts and the significance of those inferences to him.”[9] Even with this added context, what characteristics of a cybersecurity incident make it material remain unclear, but considering the fact that the rules are being implemented with the intent of protecting investor interests, the safest course of action would be to disclose a cybersecurity incident when in doubt of its materiality.[10]

It is important to note that this disclosure mandate is not limited to incidents that occur within the company’s own systems. If a material cybersecurity incident happens on third-party systems that a company utilizes, that too must be disclosed.[11] However, in these situations, companies are only expected to disclose information that is readily accessible, meaning they are not required to go beyond their “regular channels of communication” to gather pertinent information.[12]

Regarding the mechanics of the disclosure, the SEC stipulates that companies must file an Item 1.05 of Form 8-K within four business days of determining that a cybersecurity incident is material.[13] However, delaying disclosure may be allowed in limited circumstances where the United States Attorney General determines that immediate disclosure may seriously threaten national security or public safety.[14]

If there are any changes in the initially-disclosed information or if new material information is discovered that was not available at the time of the first disclosure, registrants are obligated to update their disclosure by filing an amended Form 8-K, ensuring that all relevant information related to the cybersecurity incident is available to the public and stakeholders.[15]

  • Risk Management & Strategy (Regulation S-K, Item 106(b))

Under amendments to Item 106(b) of Regulation S-K, reporting companies are obligated to describe their  “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.”[16] When detailing these processes, companies must specifically address three primary points. First, they need to indicate how and if the cybersecurity processes described in Item 106(b) fall under the company’s overarching risk management system or procedures. Second, companies must clarify whether they involve assessors, consultants, auditors, or other third-party entities in relation to these cybersecurity processes. Third,  they must describe if they possess methods to monitor and access significant risks stemming from cybersecurity threats when availing the services of any third-party providers.[17]

In addition to the three enumerated elements under Item 106(b), companies are expected to furnish additional information to ensure a comprehensive understanding of their cybersecurity procedures for potential investors. This supplementary disclosure should encompass “whatever information is necessary, based on their facts and circumstances, for a reasonable investor to understand their cybersecurity processes.”[18] While companies are mandated to reveal if they collaborate with third-party service providers concerning their cybersecurity procedures, they are not required to disclose the specific names of these providers or offer a detailed description of the services these third-party entities provide, thus striking a balance between transparency and confidentiality and ensuring that investors have adequate information.[19]

  • Governance (Regulation S-K, Item 106(c))

Amendments to Regulation S-K, Item 106(c) require that companies: (1) describe the board’s oversight of the risks emanating from cybersecurity threats, and (2) characterize management’s role in both assessing and managing material risks arising from such threats.[20]

When detailing management’s role concerning these cybersecurity threats, there are a number of issues that should be addressed. First, companies should clarify which specific management positions or committees are entrusted with the responsibility of assessing and managing these risks. Additionally, the expertise of these designated individuals or groups should be outlined in such detail as necessary to comprehensively describe the nature of their expertise. Second, a description of the processes these entities employ to stay informed about, and to monitor, the prevention, detection, mitigation, and remediation of cybersecurity incidents should be included. Third, companies should indicate if and how these individuals or committees convey information about such risks to the board of directors or potentially to a designated committee or subcommittee of the board.[21]

The disclosures required under Item 106(c) are aimed at balancing investor accessibility to information with the company’s ability to maintain autonomy in determining cybersecurity practices in the context of organizational structure; therefore, disclosures do not need to be overly detailed.[22]

  • Foreign Private Issuers (Form 6-K & Form 20-F)

The rules addressed above only apply to domestic companies, but the SEC imposed parallel cybersecurity disclosure requirements for foreign private issuers under Form 6-K (incident reporting) and Form 20-K (periodic reporting).[23]

Key Dates

The SEC’s final rules are effective as of September 5, 2023, but the Form 8-K and Regulation S-K reporting requirements have yet to take effect. The key compliance dates for each are as follows:

  • Form 8-K Item 1.05(a) Incident Reporting – December 18, 2023
  • Regulation S-K Periodic Reporting – Fiscal years ending on or after December 15, 2023

Smaller reporting companies are provided with an extra 180 days to comply with Form 8-K Item 1.05. Under this grant, small companies will be expected to begin incident reporting on June 15, 2024. No such extension was granted to smaller reporting companies with regard to Regulation S-K Periodic Reporting.[24]

Potential Impact On Cybersecurity Policy

The actual impact of the SEC’s new disclosure requirements will likely remain unclear for some time, yet the regulations compel companies to adopt a greater sense of discipline and transparency in their cybersecurity practices. Although the primary intent of these rules is investor protection, they may also influence how companies formulate their cybersecurity strategies, given the requirement to discuss such policies in their annual disclosures. This heightened level of accountability, regarding defensive measures and risk management strategies in response to cybersecurity threats, may encourage companies to implement more robust cybersecurity practices or, at the very least, ensure that cybersecurity becomes a regular topic of discussion amongst senior leadership. Consequently, the SEC’s initiative may serve as a catalyst for strengthening cybersecurity policies within corporate entities, while also providing investors with essential information for making informed decisions in the marketplace.

Further Information

The overview of the new SEC rules governing cybersecurity disclosures provided above is precisely that: an overview. For more information regarding the requirements and applicability of these rules please refer to the official rules and the SEC website.

Notes

[1] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release No. 33-11216, Exchange Act Release No. 34-97989 (July 26, 2023) [hereinafter Final Rule Release], https://www.sec.gov/files/rules/final/2023/33-11216.pdf.

[2] Keman Huang et al., The Devastating Business Impact of a Cyber Breach, Harv. Bus Rev., May 4, 2023, https://hbr.org/2023/05/the-devastating-business-impacts-of-a-cyber-breach.

[3] Id.

[4] Final Rule Release, supra note 1, at 12

[5] Id. at 49.

[6] Id. at 76.

[7] Id. at 14.

[8] TSC Indus. v. Northway, 426 U.S. 438, 449 (1976).

[9] Id. at 450.

[10] Id. at 448.

[11] Final Rule Release, supra note 1, at 30.

[12] Id. at 31.

[13] Id. at 32.

[14] Id. at 28.

[15] Id. at 50–51.

[16] Id. at 61.

[17] Id. at 63.

[18] Id.

[19] Id. at 60.

[20] Id. at 12.

[21] Id. at 70.

[22] Id.

[23] Id. at 12.

[24] Id. at 107.


The Double-Helix Dilemma: Navigating Privacy Pitfalls in Direct-to-Consumer Genetic Testing

Ethan Wold, MJLST Staffer

Introduction

On October 22, direct-to-consumer genetic testing (DTC-GT) company 23andME sent emails to a number of its customers informing them of a data breach into the company’s “DNA Relatives” feature that allows customers to compare ancestry information with other users worldwide.[1] While 23andMe and other similar DTC-GT companies offer a number of positive benefits to consumers, such as testing for health predispositions and carrier statuses of certain genes, this latest data breach is a reminder that before choosing to opt into these sorts of services one should be aware of the potential risks that they present.

Background

DTC-GT companies such as 23andMe and Ancestry.com have proliferated and blossomed in recent years. It is estimated over 100 million people have utilized some form of direct-to-consumer genetic testing.[2] Using biospecimens submitted by consumers, these companies sequence and analyze an individual’s genetic information to provide a range of services pertaining to one’s health and ancestry.[3] The October 22 data breach specifically pertained to 23andMe’s “DNA Relatives” feature.[4] The DNA Relatives feature can identify relatives on any branch of one’s family tree by taking advantage of the autosomal chromosomes, the 22 chromosomes that are passed down from your ancestors on both sides of your family, and one’s X chromosome(s).[5] Relatives are identified by comparing the customer’s submitted DNA with the DNA of other 23andMe members who are participating in the DNA Relatives feature.[6] When two people are found to have an identical DNA segment, it is likely they share a recent common ancestor.[7] The DNA Relatives feature even uses the length and number of these identical segments to attempt to predict the relationship between genetic relatives.[8] Given the sensitive nature of sharing genetic information, there are often privacy concerns regarding practices such as the DNA Relatives feature. Yet despite this, the legislation and regulations surrounding DTC-GT is somewhat limited.

Legislation

The Health Insurance Portability and Accountability Act (HIPAA) provides the baseline privacy and data security rules for the healthcare industry.[9] HIPAA’s Privacy Rule regulates the use and disclosure of a person’s “protected health information” by a “covered entity.[10] Under the Act, the type of genetic information collected by 23andMe and other DTC-GT companies does constitute “protected health information.”[11] However, because HIPAA defines a “covered entity” as a health plan, healthcare clearinghouse, or health-care provider, DTC-GT companies do not constitute covered entities and therefore are not under the umbrella of HIPAA’s Privacy Rule.[12]

Thus, the primary source of regulation for DTC-GT companies appears to be the Genetic Information Nondiscrimination Act (GINA). GINA was enacted in 2008 for the purpose of protecting the public from genetic discrimination and alleviating concerns about such discrimination and thereby encouraging individuals to take advantage of genetic testing, technologies, research, and new therapies.[13] GINA defines genetic information as information from genetic tests of an individual or family members and includes information from genetic services or genetic research.[14] Therefore, DTC-GT companies fall under GINA’s jurisdiction. However, GINA only applies to the employment and health insurance industries and thus neglects many other potential arenas where privacy concerns may present.[15] This is especially relevant for 23andMe customers, as signing up for the service serves as consent for the company to use and share your genetic information with their associated third-party providers.[16] As a case in point, in 2018 the pharmaceutical giant GlaxoSmithKline purchased a $300 million stake in 23andMe for the purpose of gaining access to the company’s trove of genetic information for use in their drug development trials.[17]

Executive Regulation

In addition to the legislation above, three different federal administrative agencies primarily regulate the DTC-GT industry: the Food and Drug Administration (FDA), the Centers of Medicare and Medicaid services (CMS), and the Federal Trade Commission (FTC). The FDA has jurisdiction over DTC-GT companies due to the genetic tests they use being labeled as “medical devices”[18] and in 2013 exercised this authority over 23andMe by sending a letter to the company resulting in the suspending of one of its health-related genetic tests.[19] However, the FDA only has jurisdiction over diagnostic tests and therefore does not regulate any of the DTC-GT services related to genealogy such as 23andMe’s DNA Relatives feature.[20] Moreover, the FDA does not have jurisdiction to regulate the other aspects of DTC-GT companies’ activities or data practices.[21] CMS has the ability to regulate DTC-GT companies through enforcement of the Clinical Laboratory Improvements Act (CLIA), which requires that genetic testing laboratories ensure the accuracy, precision, and analytical validity of their tests.[22] But, like the FDA, CMS only has jurisdiction over tests that diagnose a disease or assess health.[23]

Lastly, the FTC has broad authority to regulate unfair or deceptive business practices under the Federal Trade Commission Act (FTCA) and has levied this authority against DTC-GT companies in the past. For example, in 2014 the agency brought an action against two DTC-GT companies who were using genetic tests to match consumers to their nutritional supplements and skincare products.[24] The FTC alleged that the companies’ practices related to data security were unfair and deceptive because they failed to implement reasonable policies and procedures to protect consumers’ personal information and created unnecessary risks to the personal information of nearly 30,000 consumers.[25] This resulted in the companies entering into an agreement with the FTC whereby they agreed to establish and maintain comprehensive data security programs and submit to yearly security audits by independent auditors.[26]

Potential Harms

As the above passages illustrate, the federal government appears to recognize and has at least attempted to mitigate privacy concerns associated with DTC-GT. Additionally, a number of states have passed their own laws that limit DTC-GT in certain aspects.[27] Nevertheless, given the potential magnitude and severity of harm associated with DTC-GT it makes one question if it is enough. Data breaches involving health-related data are growing in frequency and now account for 40% of all reported data breaches.[28] These data breaches result in unauthorized access to DTC-GT consumer-submitted data and can result in a violation of an individual’s genetic privacy. Though GINA aims to prevent it, genetic discrimination in the form of increasing health insurance premiums or denial of coverage by insurance companies due to genetic predispositions remains one of the leading concerns associated with these violations. What’s more, by obtaining genetic information from DTC-GT databases, it is possible for someone to recover a consumer’s surname and combine that with other metadata such as age and state to identify the specific consumer.[29] This may in turn lead to identity theft in the form of opening accounts, taking out loans, or making purchases in your name, potentially damaging your financial well-being and credit score. Dealing with the aftermath of a genetic data breach can also be expensive. You may incur legal fees, credit monitoring costs, or other financial burdens in an attempt to mitigate the damage.

Conclusion

As it sits now, genetic information submitted to DTC-GT companies already contains a significant volume of consequential information. As technology continues to develop and research presses forward, the volume and utility of this information will only grow over time. Thus, it is crucially important to be aware of risks associated with DTC-GT services.

This discussion is not intended to discourage individuals from participating in DTC-GT. These companies and the services they offer provide a host of benefits, such as allowing consumers to access genetic testing without the healthcare system acting as a gatekeeper, thus providing more autonomy and often at a lower price.[30] Furthermore, the information provided can empower consumers to mitigate the risks of certain diseases, allow for more informed family planning, or gain a better understanding of their heritage.[31] DTC-GT has revolutionized the way individuals access and understand their genetic information. However, this accessibility and convenience comes with a host of advantages and disadvantages that must be carefully considered.

Notes

[1] https://www.reuters.com/world/us/23andme-notifies-customers-data-breach-into-its-dna-relatives-feature-2023-10-24/#:~:text=%22There%20was%20unauthorized%20access%20to,exposed%20to%20the%20threat%20actor.%22

[2] https://www.ama-assn.org/delivering-care/patient-support-advocacy/protect-sensitive-individual-data-risk-dtc-genetic-tests#:~:text=Use%20of%20direct%2Dto%2Dconsumer,November%202021%20AMA%20Special%20Meeting

[3] https://go-gale-com.ezp3.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[4] https://www.reuters.com/world/us/23andme-notifies-customers-data-breach-into-its-dna-relatives-feature-2023-10-24/#:~:text=%22There%20was%20unauthorized%20access%20to,exposed%20to%20the%20threat%20actor.%22

[5] https://customercare.23andme.com/hc/en-us/articles/115004659068-DNA-Relatives-The-Genetic-Relative-Basics

[6] Id.

[7] Id.

[8] Id.

[9] https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[10] https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf

[11] Id.

[12] Id; https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[13] https://www.eeoc.gov/statutes/genetic-information-nondiscrimination-act-2008

[14] Id.

[15] https://europepmc.org/backend/ptpmcrender.fcgi?accid=PMC3035561&blobtype=pdf

[16] https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[17] https://news.yahoo.com/news/major-drug-company-now-access-194758309.html

[18] https://uscode.house.gov/view.xhtml?req=(title:21%20section:321%20edition:prelim)

[19] https://core.ac.uk/download/pdf/33135586.pdf

[20] https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[21] Id.

[22] https://www.law.cornell.edu/cfr/text/42/493.1253

[23] https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[24] https://www.ftc.gov/system/files/documents/cases/140512genelinkcmpt.pdf

[25] Id.

[26] Id.

[27] https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[28] Id.

[29] https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[30] Id.

[31] Id.


A Nation of Misinformation? the Attack on the Government’s Efforts to Stop Social Media Misinformation

Alex Mastorides, MJLST Staffer

Whether and how misinformation on social media can be curtailed has long been the subject of public debate. This debate has increasingly gained momentum since the beginning of the COVID-19 pandemic, at a time when uncertainty was the norm and people across the nation scrambled for information to help them stay safe. Misinformation regarding things like the origin of the pandemic, the treatment that should be administered to COVID-positive people, and the safety of the vaccine has been widely disseminated via social media platforms like TikTok, Facebook, Instagram, and X (formerly known as Twitter). The federal government under the Biden Administration has sought to curtail this wave of misinformation, characterizing it as a threat to public health. However, many have accused it of unconstitutional acts of censorship in violation of the First Amendment.

The government cannot directly interfere with the content posted on social media platforms; this right is held by the private companies that own the platforms. Instead, the government’s approach has been to communicate with social media companies, encouraging them to address misinformation that is promulgated on their sites. Per the Biden Administration: “The President’s view is that the major platforms have a responsibility related to the health and safety of all Americans to stop amplifying untrustworthy content, disinformation, and misinformation, especially related to COVID-19, vaccinations, and elections.”[1]

Lower Courts have Ruled that the Government May Not Communicate with Social Media Companies for Purposes of Curtailing Online Misinformation

The case of Murthy v. Missouri may result in further clarity from the Supreme Court regarding the powers of the federal government to combat misinformation on social media platforms. The case began in the United States District Court for the Western District of Louisiana when two states–Missouri and Louisiana–along with several private parties filed suit against numerous federal government entities, including the White House and agencies such as the Federal Bureau of Investigation, the Centers for Disease Control & Prevention, and the Cybersecurity & Infrastructure Security Agency.[2] These entities have repeatedly communicated with social media companies, allegedly encouraging them to remove or censor the plaintiffs’ online content due to misinformation about the COVID-19 pandemic (including content discussing “the COVID-19 lab-leak theory, pandemic lockdowns, vaccine side-effects, election fraud, and the Hunter Biden laptop story.”)[3] The plaintiffs allege that these government entities “‘coerced, threatened, and pressured [the] social-media platforms to censor [them]’ through private communications and legal threats” in violation of the plaintiffs’ First Amendment rights.[4]

The District Court agreed with the plaintiffs, issuing a preliminary injunction on July 4, 2023 to greatly restrict the entities’ ability to contact social media companies (especially with regard to misinformation).[5] This approach was predicated on the idea that government communications with social media companies about misinformation on their platforms is essentially coercive, forcing the companies to censor speech at the government’s demand. The injunction was appealed to the Fifth Circuit, which narrowed the injunction’s scope to just the White House, the Surgeon General’s office, and the FBI.[6]

Following the Fifth Circuit’s ruling on the preliminary injunction, the government parties to the Murthy case applied for a stay of the injunction with the United States Supreme Court.[7] The government further requested that the Court grant certiorari with regard to the questions presented by the injunction. The government attacked the injunction on three grounds. The first is that the plaintiffs did not have standing to sue under Article III because they did not show that the censoring effect on their posts was “fairly traceable” to the government or “redressable by injunctive relief.”[8]

The second argument is that the conduct at issue does not constitute a First Amendment free speech violation.[9] This claim is based on the state action doctrine, which outlines the circumstances in which the decisions of private entities are considered to be “state action.” If a private social media company’s decisions to moderate content are sufficiently “coerced” by the government, the law treats those decisions as if they were made by the government directly.[10] In that situation, the First Amendment would apply.[11] The Supreme Court has advocated for a strict evaluation of what kind of conduct might be considered “coercive” under this doctrine in an effort to avoid infringing upon the rights of private companies to modulate speech on their platforms.[12] The government’s Application for Stay argues that the Fifth Circuit’s decision is an overly broad application of the doctrine in light of the government’s conduct.[13]

Third, the government maintains that the preliminary injunction is overly broad because it “covers the government’s communications with all social-media platforms (not just those used by respondents) regarding all posts by any person (not just respondents) on all topics.”[14]

The Supreme Court Granted the Requested Stay and Granted Certiorari Regarding Three Key Questions

The Supreme Court granted the government’s request for a stay on the preliminary injunction. The Court simultaneously granted certiorari with respect to the questions posed in the government’s Application for Stay: “(1) Whether respondents have Article III standing; (2) Whether the government’s challenged conduct transformed private social-media companies’ content-moderation decisions into state action and violated respondents’ First Amendment rights; and (3) Whether the terms and breadth of the preliminary injunction are proper.”[15]

The Court gave no explanation for its grant of the request for stay or for its grant of certiorari. However, Justice Alito, joined by Justice Thomas and Justice Gorsuch, issued a dissent from the grant of application for stay, arguing that the government has not shown a likelihood that denial of a stay will result in irreparable harm.[16] He contends that the government’s argument about irreparable harm comes from hypotheticals rather than from actual “concrete” proof that harm is imminent.[17] The dissent further displays a disapproving attitude of the government’s actions toward social media misinformation: “At this time in the history of our country, what the Court has done, I fear, will be seen by some as giving the Government a green light to use heavy-handed tactics to skew the presentation of views on the medium that increasingly dominates the dissemination of news. That is most unfortunate.”[18]

Justice Alito noted in his dissent that the completion of the Court’s review of the case may not come until spring of next year.[19] The stay on the preliminary injunction will hold until that time.

Notes

[1] Press Briefing by Press Secretary Jen Psaki and Secretary of Agriculture Tom Vilsack, The White House (May 5, 2021), https://www.whitehouse.gov/briefing-room/press-briefings/2021/05/05/press-briefing-by-press-secretary-jen-psaki-and-secretary-of-agriculture-tom-vilsack-may-5-2021/.

[2] State v. Biden, 83 F.4th 350, 359 (5th Cir. 2023).

[3] Id. at 359.

[4] Id. at 359-60.

[5] Id. at 360.

[6] Id.

[7] Application for Stay, Murthy v. Missouri, No. 23A243 (23-411) (2023).

[8] Id. at 2.

[9] Id. at 3.

[10] Id. at 10.

[11] Id.

[12] Id. at 4 (citing Manhattan Cmty. Access Corp. v. Halleck, 139 S. Ct. 1921, 1933 (2019)).

[13] Application for Stay, Murthy v. Missouri, No. 23A243 (23-411) (2023).

[14] Id. at 5.

[15] Press Briefing by Press Secretary Jen Psaki and Secretary of Agriculture Tom Vilsack, The White House (May 5, 2021), https://www.whitehouse.gov/briefing-room/press-briefings/2021/05/05/press-briefing-by-press-secretary-jen-psaki-and-secretary-of-agriculture-tom-vilsack-may-5-2021/.

[16] On Application for Stay at 3, Murthy v. Missouri, No. 23A243 (23-411) (October 20, 2023) (Alito, J. dissenting) (citing Hollingsworth v. Perry, 558 U.S. 183, 190 (2010)).

[17] Id. at 3-4.

[18] Id. at 5.

[19] Id. at 2.


NC Gives Medicaid Expansion a Foothold in the Southeast While Giving Many North Carolinians a Helping Hand

Matt Buechner, MJLST Staffer

North Carolina is set to take a step to address structural racism in communities across the state when it begins Medicaid expansion implementation on December 1. Governor Roy Cooper championed expansion in his state and signed a bipartisan Medicaid expansion bill in March. This signaled the state’s intention to expand the government-sponsored health insurance program for low-income people to roughly 600,000 additional North Carolinians.[1] However, the bill required the legislature to pass a separate state budget law to appropriate funds and implement the plan.[2] The Republican-controlled state legislature passed a delayed two-year budget deal on September 22, which went into effect October 3 after Cooper declined to veto the bill.[3]

Implementation of Medicaid expansion should help North Carolina see the reduction of uninsurance rates that other expansion states have seen since passage of the ACA.[4] A recent study found that while Medicaid expansion helps populations across a state, the eligibility expansion disproportionately helps residents of formerly redlined[5] neighborhoods gain access to coverage.[6] Coverage is essential, as greater access to health insurance leads to medical care, including preventive care and management of chronic illness.[7]

Meanwhile, recent analyses of health disparities and access to health insurance have shown that health disparities in the United States may be less tied to race itself, but rather to structural racism levied against non-white Americans.[8] One recent study showed that states with policies that reflect and reinforce structural racism also see significantly higher rates of premature death among their populations.[9] While these findings may not be surprising, policymakers and advocates can use this evidence to target investments and interventions, while working to disentangle the tapestry of discrimination at the state level.

Accessing Medicaid for Newly Eligible North Carolinians

The Medicaid program currently covers about 2.9 million North Carolinians.[10] But like most states that have yet to expand their Medicaid program, the maximum income requirements for North Carolina Medicaid eligibility for adults is quite low.[11] Adult caregivers of children or adult family members may earn a household modified adjusted gross income (MAGI)[12] up to 37 percent of the federal poverty level (FPL) to maintain North Carolina Medicaid eligibility, while non-caregiver adults do not qualify for Medicaid at all.[13] Medicaid expansion will increase the maximum household MAGI threshold to 138 percent[14] FPL to qualify for Medicaid coverage, regardless of whether an adult cares for an additional family member.[15]

North Carolina currently provides reproductive health care benefits for residents who earn up to 195 percent FPL through their Medicaid Family Planning Program (BE SMART).[16] Nearly half of the expected 600,000 new Medicaid-eligible North Carolinians are currently enrolled in BE SMART and have a qualifying-income under the new 138 percent FPL Medicaid eligibility threshold. These people will automatically be enrolled in full Medicaid coverage.[17] Newly qualifying individuals who do not take part in the BE SMART program must apply (online, in person, by telephone, or by mail) and await determination, which is set to take up to 45 days.[18]

Making Sense of the Federal Dollars at Play

State Medicaid programs are traditionally paid for through a partnership with the federal government. While the state administers the program, the federal government provides the state matching funding, without limit.[19] Matching funds are provided based on an algorithm that measures a state’s ability to pay for the program using the state’s per capita income compared to the per capita income of the nation. This rate is called the Federal Medical Assistance Percentage (FMAP).[20] A state’s FMAP is set by statute to be at least 50 percent, but not more than 83 percent.[21] Using FMAP allows a state with a theoretically lower tax base (relative to the size of their state population) to receive additional federal funding to offset the burden of providing for its residents.

To help states with the burden of paying for an increase in their Medicaid population after expansion, Congress established an enhanced FMAP calculation for a state’s Medicaid expansion population. Beginning with the implementation of expansion in 2014, the federal government provided states with a 100 percent FMAP for the expansion population, followed by a phased down approach.[22] The current FMAP for the expansion population is 90 percent.[23]

To help encourage remaining states to expand their Medicaid program, Congress included a 5 percent FMAP bump for two years post-expansion in the American Rescue Plan—not for the expansion population, but for the traditional Medicaid population.[24] This is particularly enticing for states, because this includes all Medicaid recipients, including children, seniors, people with disabilities, and all other non-expansion groups. On average, these populations account for nearly 80 percent of all Medicaid costs in expansion states, making this benefit likely more lucrative than a 100 percent FMAP rate for expansion populations.[25]

Looking at Health Equity Beyond Expansion

While North Carolina looks to expand its Medicaid population in the coming months, states across the country are purging Medicaid beneficiaries from their programs following the expiration of a federal disenrollment prohibition to qualify for a Covid-era enhanced FMAP.[26] Recent reports estimate that nearly 9 million people across the country have been disenrolled from Medicaid so far, including more than 120,000 North Carolinians–more than 20 percent of North Carolina’s current Medicaid population.[27]

While North Carolina has one of the lowest rates of churn among states across the nation, 87 percent of disenrolled North Carolinians lost coverage for procedural concerns–not eligibility concerns.[28] This means that North Carolina Medicaid beneficiaries are losing their health insurance coverage largely because they did not fill out a form properly or the state had an incorrect address on file.

Few states publicly report the racial and ethnic demographics of their Medicaid disenrollees. For those that do, most seem to be disenrolling Medicaid recipients at even rates based on race and ethnicity.[29] As disenrollment continues and North Carolina moves into expansion of their Medicaid program, policymakers, advocates, and observers will keep a keen eye on the state as it navigates its population’s fluctuating access to Medicaid. This expansion is but one step to ensure that people have equitable access to essential coverage and care.

Notes

[1] Gary D. Robertson, Medicaid Expansion to Begin Soon in North Carolina as Governor Decides to Let Budget Bill Become Law, Associated Press, Sept. 22, 2023, https://apnews.com/article/north-carolina-medicaid-expansion-governor-legislature-330ea1adef37a323b31a9cfe0d470a58.

[2] Id.

[3] In some states, inaction by a governor can lead to a pocket veto, however in others, inaction by a governor leads to passage of the bill. In North Carolina, a bill can become a law following inaction by a governor for ten days. Aimee Wall, The Governor’s Role in the Legislative Process, Coates’ Canons NC Gov’t Law (Jan. 11, 2017), https://canons.sog.unc.edu/2017/01/governors-role-legislative-process/.; Governor Roy Cooper, a Democrat, allowed the two-year budget bill to become law without action. See House Bill 259 / SL 2023-134, N.C. General Assembly, https://www.ncleg.gov/BillLookup/2023/H259 (last visited Oct. 15, 2023).

[4] The Far-Reaching Benefits of the Affordable Care Act’s Medicaid Expansion, Ctr. on Budget and Pol’y Priorities, https://www.cbpp.org/research/health/chart-book-the-far-reaching-benefits-of-the-affordable-care-acts-medicaid-expansion (last visited Oct. 15, 2023).

[5] Redlining occurred, beginning in the 1930s, when the federal government’s Home Owners’ Loan Corporation (HOLC) began the process of rating the investment desirability of various neighborhoods. The rating system used neighborhood racial demography to determine the grades, with the lowest grade reserved for neighborhoods that were “infiltrated with undesirable populations such as Jewish, Asian, Mexican, and Black families.” In turn, banks often refused to grant credit to prospective homeowners looking to purchase homes in those communities, or extended credit with excessive interest rates. Redlining was outlawed by the Fair Housing Act in 1968, but the impact on communities is still seen today. See Jason Semprini et al., Medicaid Expansion Lowered Uninsurance Rates Among Nonelderly Adults in the Most Heavily Redlined Areas, 42 Health Aff. 1439 (2023).

[6] Id.

[7] The Far-Reaching Benefits of the Affordable Care Act’s Medicaid Expansion, Ctr. on Budget and Pol’y Priorities, https://www.cbpp.org/research/health/chart-book-the-far-reaching-benefits-of-the-affordable-care-acts-medicaid-expansion (last visited Oct. 15, 2023).

[8] See Jason Semprini et al., Medicaid Expansion Lowered Uninsurance Rates Among Nonelderly Adults in the Most Heavily Redlined Areas, 42 Health Aff. 1439 (2023); Jaquelyn L. Jahn et al., Legislating Inequity: Structural Racism in Groups of State Laws and Associations with Premature Mortality Rates, 42 Health Aff. 1325 (2023).

[9] Jaquelyn L. Jahn et al., Legislating Inequity: Structural Racism in Groups of State Laws and Associations with Premature Mortality Rates, 42 Health Aff. 1325 (2023).

[10] Gary D. Robertson, N. Carolina Governor Signs Medicaid Expansion Bill into Law, Associated Press, March 27, 2023, https://apnews.com/article/north-carolina-medicaid-expansion-roy-cooper-legislature-f00242e5883bccf816a679a76584a5f9.

[11] The median maximum income limit for adults with family member caregiving responsibilities is 37 percent FPL in states that have not expanded Medicaid and childless adults remain ineligible in all of these states (except Wisconsin), regardless of income. Robin Rudowitz et al., How Many Uninsured Are in the Coverage Gap and How Many Could be Eligible if All States Adopted the Medicaid Expansion? Henry J. Kaiser Family Foundation. (Mar. 31, 2023), https://www.kff.org/medicaid/issue-brief/how-many-uninsured-are-in-the-coverage-gap-and-how-many-could-be-eligible-if-all-states-adopted-the-medicaid-expansion/.

[12] MAGI, as used to determine health care benefit eligibility, uses a different methodology than MAGI as used for tax purposes. For health benefit purposes, MAGI is adjusted gross income plus untaxed foreign income, non-taxable Social Security Benefits, and tax-exempt interest. Modified Adjusted Gross Income (MAGI), HealthCare.gov,  https://www.healthcare.gov/glossary/modified-adjusted-gross-income-magi/#:~:text=MAGI%20is%20adjusted%20gross%20income,%2C%20and%20tax%2Dexempt%20interest (last visited Oct. 15, 2023).

[13] Medicaid Income Eligibility Limits for Adults as a Percent of the Federal Poverty Level, Henry J. Kaiser Family Foundation. (Jan. 1, 2023), https://www.kff.org/health-reform/state-indicator/medicaid-income-eligibility-limits-for-adults-as-a-percent-of-the-federal-poverty-level/?currentTimeframe=0&sortModel=%7B%22colId%22:%22Location%22,%22sort%22:%22asc%22%7D.

[14] The Affordable Care Act established a 5 percent income disregard in determining eligibility for Medicaid and CHIP. The percent thresholds used in this blog post include the built-in income disregard used to establish Medicaid eligibility determinations. CMS Answers to Frequently Asked Questions: Telephonic Applications, Medicaid and CHIP Eligibility Policy and 75/25 Federal Matching Rate, Medicaid.gov. (Aug. 9, 2013),  https://www.medicaid.gov/faq/respect-magi-conversion-how-will-5-disregard-be-applied/index.html.

[15] Questions and Answers about Medicaid Expansion, NC Medicaid Div. of Health Benefits. https://medicaid.ncdhhs.gov/questions-and-answers-about-medicaid-expansion#:~:text=Quick%20Facts%20about%20North%20Carolina%27s,%2Fyear)%20may%20be%20eligible (last visited Oct. 15, 2023).

[16] Facts About the Medicaid Family Planning “BE SMART” Program, N.C. Dept. of Health and Human Svcs. Div. of Med. Assistance and Div. of Public Health. (Sept. 16, 2016), https://files.nc.gov/ncdma/BeSmart_Fact_Sheet-Beneficiaries_2016_09_15.pdf.

[17] Questions and Answers about Medicaid Expansion, NC Medicaid Div. of Health Benefits. https://medicaid.ncdhhs.gov/questions-and-answers-about-medicaid-expansion#:~:text=Quick%20Facts%20about%20North%20Carolina%27s,%2Fyear)%20may%20be%20eligible (last visited Oct. 15, 2023).

[18] Elizabeth Williams et al., Medicaid Financing: The Basics, Henry J. Kaiser Family Foundation, April 13, 2023, https://www.kff.org/medicaid/issue-brief/medicaid-financing-the-basics/.

[19] Elizabeth Williams et al., Medicaid Financing: The Basics, Henry J. Kaiser Family Foundation, April 13, 2023, https://www.kff.org/medicaid/issue-brief/medicaid-financing-the-basics/.

[20] Id.

[21] The District of Columbia and territories have statutorily set FMAPs and the territories each have a statutorily set per capita Medicaid funding cap. Elizabeth Williams et al., Medicaid Financing: The Basics, Henry J. Kaiser Family Foundation, April 13, 2023, https://www.kff.org/medicaid/issue-brief/medicaid-financing-the-basics/.

[22] Elizabeth Williams et al., Medicaid Financing: The Basics, Henry J. Kaiser Family Foundation, April 13, 2023, https://www.kff.org/medicaid/issue-brief/medicaid-financing-the-basics.

[23] Id.

[24] Katie Keith, Final Coverage Provisions in the American Rescue Plan and What Comes Next, Health Aff: Forefront (Mar. 11, 2021), https://www.healthaffairs.org/content/forefront/final-coverage-provisions-american-rescue-plan-and-comes-next.

[25] Id.

[26] Jennifer Tolbert & Meghana Ammula, 10 Things to Know About the Unwinding of the Medicaid Continuous Enrollment Provision, Henry J. Kaiser Family Foundation, June 9, 2023, https://www.kff.org/medicaid/issue-brief/10-things-to-know-about-the-unwinding-of-the-medicaid-continuous-enrollment-provision/#one.

[27] Medicaid Enrollment and Unwinding Tracker, Henry J. Kaiser Family Foundation, Oct. 11, 2023, https://www.kff.org/medicaid/issue-brief/medicaid-enrollment-and-unwinding-tracker/.

[28] Id.

[29] Sophia Moreno et al., What Do Medicaid Unwinding Data by Race and Ethnicity Show? Henry J. Kaiser Family Foundation, Sept. 28, 2023, https://www.kff.org/policy-watch/what-do-medicaid-unwinding-data-by-race-and-ethnicity-show/.


Will Moody v. NetChoice, LLC End Social Media?

Aidan Vogelson, MJLST Staffer

At first, the concept that social media’s days may be numbered seems outlandish. Billions of people utilize social media every day and, historically, social media companies and other internet services have enjoyed virtually unfettered editorial control over how they manage their services. This freedom stems from 47 U.S.C. § 230.[1] § 230 withholds liability for “any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected…”[2]  In other words, if someone makes an obscene post on Facebook and Facebook removes the post, Facebook cannot be held liable for any violation of protected speech. § 230 has long allowed social media companies to self-regulate by removing posts that violate their terms of service, but on September 29, the Supreme Court granted a writ of certiorari in Moody v. NetChoice, LLC, a case that may fundamentally change how social media companies operate by allowing the government at the state or federal level to regulate around their § 230 protections.

At issue in Moody is whether the methods social media companies use to moderate their content are permissible under the First Amendment and whether social media companies may be classified as common carriers.[3] Common carriers are services which hold themselves open to the public and transport people or goods.[4] While the term “common carrier” once referred only to public transportation services like railroads and airlines, the definition now encompasses communications services such as radio and telephone companies.[5] Common carriers are subjected to greater regulations, including anti-discrimination regulations, due to their market domination of a necessary public service.[6]  For example, given our reliance on airlines and telephone companies in performing necessary services, common carrier regulations ensure that an airline cannot decline to sell tickets to passengers because of their religious beliefs and a cellular network cannot bar service to customers because it disapproves of the content of their phone conversations. If social media companies are held to be common carriers, the federal government and the state governments could impose regulations on what content those companies restrict.

Moody stems from state efforts to do just that. The Florida legislature passed State Bill 7072 to curtail what it saw as social media censorship of conservative voices.[7] The Florida law allows for significant fines against social media companies that demonstrate “unfair censorship” or “deplatform” political candidates, like X (formerly Twitter) did when it removed former President Trump from its platform for falsely claiming that the 2020 election was stolen.[8] Florida is not the only state to pursue a common carrier designation for social media. Texas passed a similar law in 2021 (which is currently enjoined by NetChoice, LLC  v. Paxton and will be addressed alongside Moody) and the attorney general of Ohio has sued Google, seeking for the court to declare that Google is a common carrier to prevent the company from prioritizing its own products in search results.[9] Ohio v. Google LLC is ongoing, and while the judge partially granted Google’s motion to dismiss, he found that Ohio’s claim that Google is a common carrier is cognizable.[10] Given the increasing propensity with which states are attempting to regulate social media, the Supreme Court’s ruling is necessary to settle this vital issue.

Supporters of classifying social media companies as common carriers argue that social media is simply the most recent advancement in communication and should accordingly be designated a common carrier, just as telephone operators and cellular networks are. They explain that designating social media companies as common carriers is actually consistent with the broad protections of § 230, as regulating speech on a social media site regulates the speech of users, not the speech of the company.[11]

However, they ignore that social media companies rely on First Amendment and § 230 protections when they curate the content on their sites. Without the ability to promote or suppress posts and users, these companies would not be able to provide the personalized content that attracts users, and social media would likely become an even greater hotbed of misinformation and hate speech than it already is. The purpose of § 230 is to encourage the development of a thriving online community, which is why Congress chose to shield internet services from liability for content. Treating social media companies as common carriers would stifle that aim.

It is unclear how the Court will rule. In his concurrence in Biden v. Knight First Amend. Inst., Justice Thomas indicated he may be willing to consider social media companies as common carriers.[12] The other justices have yet to write or comment on this issue, but whatever their decision may be, the ramifications of this case will be significant. The conservative politicians behind the Florida and Texas laws have specifically decried what they argue is partisan censorship of conservative views about the Covid-19 pandemic and the 2020 election, yet these very complaints demonstrate the need for social media companies to exercise editorial control over their content. Covid-19 misinformation unquestionably led to unnecessary deaths from the Covid-19 pandemic.[13] Misinformation about the 2020 election led to a violent attempted overthrow of our government. These threats of violence and dangerous misinformation are the harms that Congress created § 230 to avoid. Without the ability for social media companies to curate content, social media will assuredly contain more racism, misinformation, and calls for violence. Few would argue given the omnipresence of social media in our modern world, our reliance on it for communication, and the misinformation it spreads that social media does not need some form of regulation, but if the Court allows the Florida and Texas laws implicated in Moody and NetChoice to stand, they will be paving the way for a patchwork quilt of laws in every state which may render social media unworkable

Notes

[1] See 47 U.S.C. § 230.

[2] 47 U.S.C. §230(c)(2)(A).

[3] Moody v. Netchoice, LLC, SCOTUSblog, https://www.scotusblog.com/case-files/cases/moody-v-netchoice-llc/.

[4] Alison Frankel, Are Internet Companies ‘Common Carriers’ of Content? Courts Diverge on Key Question, REUTERS, (May 31, 2022, 5:52 PM), https://www.reuters.com/legal/transactional/are-internet-companies-common-carriers-content-courts-diverge-key-question-2022-05-31/.

[5] Id.

[6] Id.

[7] David Savage, Supreme Court Will Decide if Texas and Florida Can Regulate Social Media to Protect ‘Conservative Speech’, LA TIMES (Sept. 29, 2023, 8:33 AM), https://www.msn.com/en-us/news/us/supreme-court-will-decide-if-texas-and-florida-can-regulate-social-media-to-protect-conservative-speech/ar-AA1hrE2s.

[8] Id.

[9] AG Yost Files Landmark Lawsuit to Declare Google a Public Utility, OHIO ATTORNEY GENERAL’S OFFICE (June 8, 2021), https://www.ohioattorneygeneral.gov/Media/News-Releases/June-2021/AG-Yost-Files-Landmark-Lawsuit-to-Declare-Google-a.

[10] Ohio v. Google LLC, No. 21-CV-H-06-0274 (Ohio Misc. 2022), https://fingfx.thomsonreuters.com/gfx/legaldocs/gdpzyeakzvw/frankel-socialmediacommoncarrier–ohioruling.pdf.

[11] John Villasenor, Social Media Companies and Common Carrier Status: A Primer, BROOKINGS INST. (Oct. 27, 2022), https://www.brookings.edu/articles/social-media-companies-and-common-carrier-status-a-primer/.

[12] Biden v. Knight First Amend. Inst., 141 S. Ct. 1220 (2021),  https://www.law.cornell.edu/supremecourt/text/20-197.

[13] Alistair Coleman, ’Hundreds Dead’ Because of Covid-19 Misinformation, BBC (Aug. 12, 2020), https://www.bbc.com/news/world-53755067.


Brushstroke Battles: Unraveling Copyright Challenges With AI Artistry

Sara Seid, MJLST Staffer

Introduction

Imagine this: after a long day of thinking and participating in society, you decided to curl up on the couch with your phone and crack open a new fanfiction to decompress.  Fanfiction, a fictional work of writing based on another fictional work, has increased in popularity due to the expansion and increased use of the internet. Many creators publish their works to websites like Archive of Our Own (AO3), or Tumblr. These websites are free and provide a community for creative minds to share their creative works. While the legality of fanfiction in general is debated, the real concern among creators is regarding AI-generated works. Original characters and works are being used for profit to “create” works through the use of Artificial Intelligence. Profits can be generated from fanfiction through the use of paid AI text generators to create written works, or through advertisements on platforms. What was once a celebration of favorite works has become tarnished through the theft of fanfiction by AI programs.

First Case to Address the Issue

Thaler v. Perlmutter is a new and instructive case on the issue of copyright and AI-generated creative works – namely artwork.[1] The action was brought by Stephen Thaler against the Copyright Office for denying his application for copyright due to the lack of human authorship.[2]  The D.C. Circuit court was the first to rule on whether AI-generated art can have copyright protections.[3] The court held that AI-created artwork could not be copyrighted.[4] In considering the plaintiff’s copyright registration application for “A Recent Entrance to Paradise,” the Register concluded that this particular work would not support a claim to copyright because the work “lacked human authorship and thus no copyright existed in the first instance.”[5] The plaintiff’s primary contention was that the artwork was produced by the computer program he created, and, through its AI capabilities, the product was his.[6]

The court went on to opine that copyright is designed to adapt with the times.[7] Underlying that adaptability, however, has been a “consistent understanding that human creativity is the sine qua non at the core of copyrightability,” even as that human creativity is channeled through new tools or into new media.[8] Therefore, despite the plaintiff’s creation of the computer program, the painting was not produced by a human, and not eligible for copyright. This opinion, while relevant and clear, still leaves unanswered questions regarding the extent to which humans are involved in AI-generated work.[9] What level of human involvement is necessary for an AI creation to qualify for copyright?[10] Is there a percentage to meet? Does the AI program require multiple humans to work on it as a prerequisite? Adaptability with the times, while essential, also means that there are new, developing questions about the right ways to address new technology and its capabilities.

Implications of the Case for Fanfiction

Artificial Intelligence is a new concern among scholars. While its accessibility and convenience create endless new possibilities for a multitude of careers, it also directly threatens creative professions and creative outlets. Without the consent of or authority from creators, AI can use algorithms that process artwork and fictional literary works created by fans to create its own “original” work. AI has the ability to be used to replace professional and amateur creative writers. Additionally, as AI technological capacity increases, it can mimic and reproduce art that resembles or belongs to a human artist.[11]

However, the main concern for artists is wondering what AI will do to creative human industries in general.[12] Additionally, legal scholars are equally as concerned about what AI means for copyright law.[13] The main type of AI that fanfiction writers are concerned about is Generative AI.[14] Essentially, huge datasets are scraped together to train the AI, and through a technical process the AI is able to devise new content that resembles the training data but isn’t identical.[15] Creators are outraged at what they consider to be theft of their artistic creations.[16] Artwork, such as illustrations for articles, books, or album covers may soon face competition from AI, undermining a thriving area of commercial art as well.[17]

Currently, fanfiction is protected under the doctrine of fair use, which allows creators to add new elements, criticism, or commentary to an already existing work, in a way that transforms it.[18] The next question likely to stem from Thaler will be whether AI creations are subject to the same protections that fan created works are.

The fear of the possible consequences of AI can be slightly assuaged through the reality that AI cannot accurately and genuinely capture human memory, thoughts, and emotional expression. These human skills will continue to make creators necessary for their connections to humanity and the ability to express that connection. How a fan resonates with a novel or T.V. show, and then produces a piece of work based on that feeling, is uniquely theirs. The decision in Thaler reaffirms this notion. AI does not offer the human creative element that is required to both receive copyright and also connect with viewers in a meaningful way.[19]

Furthermore, the difficulty with new technology like AI is that it’s impossible to immediately understand and can cause feelings of frustration or a sense of threat. Change is uncomfortable. However, with knowledge and experience, AI might be a useful tool for fanfiction creators.

The element of creative projects that make them so meaningful to people is the way that they can provide a true insight and experience that is relatable and distinctly human.[20] The alternative to banning AI or completing rendering human artists obsolete is to find a middle ground that protects both sides. The interests of technological innovation should not supersede the concerns of artists and creators.

Ultimately, as stated in Thaler, AI artwork that has no human authorship does not get copyright.[21] However, this still leaves unanswered questions that future cases will likely present before the courts. Are there protections that can be made for online creators’ artwork and fictional writings to prevent their use or presence in AI databases? The Copyright Act exists to be malleable and adaptable with time.[22] Human involvement and creative control will have to be assessed as AI becomes more prominent in personal and professional settings.

Notes

[1] Thaler v. Perlmutter, 2023 U.S. Dist. LEXIS 145823, *1.

[2] Id.

[3] Id.

[4] Id.

[5] Id.

[6] Id. at *3.

[7] Id. at *10.

[8] Id.

[9] https://www.natlawreview.com/article/judge-rules-content-generated-solely-ai-ineligible-copyright-ai-washington-report.

[10] Id.

[11] https://www.theguardian.com/artanddesign/2023/jan/23/its-the-opposite-of-art-why-illustrators-are-furious-about-ai#:~:text=AI%20doesn%27t%20do%20the,what%20AI%20art%20is%20doing.%E2%80%9D.

[12] https://www.theguardian.com/technology/2022/nov/12/when-ai-can-make-art-what-does-it-mean-for-creativity-dall-e-midjourney.

[13] https://www.reuters.com/legal/ai-generated-art-cannot-receive-copyrights-us-court-says-2023-08-21.

[14] https://www.theguardian.com/technology/2022/nov/12/when-ai-can-make-art-what-does-it-mean-for-creativity-dall-e-midjourney.

[15] Id.

[16] Id.

[17] Id.

[18] https://novelpad.co/blog/is-fanfiction-legal# (citing Campbell v. Acuff Rose Music, 510 U.S. 569 (1994).

[19] https://www.reuters.com/default/humans-vs-machines-fight-copyright-ai-art-2023-04-01/.

[20] https://news.harvard.edu/gazette/story/2023/08/is-art-generated-by-artificial-intelligence-real-art/.

[21] Thaler v. Perlmutter, 2023 U.S. Dist. LEXIS 145823, *1.

[22] Id. at *10.


Hello! My Name Is…Erie? Personhood for the Great Lakes

Eric Gross, MJLST Staffer

As the climate change crisis worsens and environmental protection laws continue to fall short of their stated goals, the movement to give natural entities such as lakes, rivers, and forests legal rights associated with personhood has expanded. Legislation driven by the “environmental personhood” movement has recently begun to appear around the world and in the United States as communities make efforts to protect their natural areas from harmful activity.[1] The idea of entities that aren’t people having personhood status is not without precedent. Consider corporations, which have been defined as persons for limited legal purposes.[2] Given the judicial rights already possessed by non-human entities like corporations, legal personhood has become a more attractive tool for those seeking to protect natural entities such as the Great Lakes. However, broad attempts to give natural entities personhood have run into legal challenges.

Lake Erie Bill of Rights Struck Down

In August 2014, the City of Toledo issued a drinking water warning to citizens not to drink the water; agricultural runoff and pollution into Lake Erie had caused a toxic algal bloom.[3] The water remained undrinkable and even unusable for three days.[4] Frustration with years of state government inaction on pollution boiled over, and in February 2019, the City of Toledo voted to establish a bill of rights for Lake Erie.[5] Known as the Lake Erie Bill of Rights (“LEBOR”), the bill was the product of a multi-year effort by Toledo citizens to protect Lake Erie from pollution.[6]

LEBOR essentially gave personhood status to Lake Erie, including legal standing. It established “irrevocable rights for the Lake Erie Ecosystem to exist, flourish and naturally evolve, a right to a healthy environment for the residents of Toledo, and which elevates the rights of the community and its natural environment over powers claimed by certain corporations.”[7] LEBOR declared that “Lake Erie, and the Lake Erie watershed, possess the right to exist, flourish, and naturally evolve” and granted the people of Toledo “the right to a clean and healthy environment.”[8] Under the statute, the City of Toledo, or any of its residents, held the right to sue on behalf of Lake Erie.[9] The law also made governments and corporations strictly liable for violating the rights of Lake Erie “from any jurisdiction” and declared invalid any state laws or rules that conflicted with LEBOR.[10]

Drewes Farms Partnership, an agricultural company that grows crops in four counties near Toledo, brought a lawsuit against the City of Toledo the day after the initiative passed, with the state of Ohio joining as an intervenor soon after.[11] Drewes Farms and Ohio sought to have LEBOR declared invalid. The U.S. District Court for the Northern District of Ohio sided with the corporation and state, holding LEBOR to be unconstitutionally vague and exceeding the power of municipal authority in Ohio.[12] While recognizing the “well-intentioned goal” of the drafters, the court held that LEBOR was impermissibly vague in violation of the 14th Amendment.[13] “LEBOR’s authors failed to make hard choices regarding the appropriate balance between environmental protection and economic activity. Instead, they employed language that sounds powerful but has no practical meaning.”[14] This language, according to the court, could “trap the innocent [agricultural companies] by not providing fair warning” and invited arbitrary enforcement by prosecutors, judges and juries.[15]

Additionally, the court held that LEBOR preempted state law and exceeded municipal authority. “LEBOR’s attempt to invalidate Ohio law in the name of environmental protection is a textbook example of what municipal government cannot do. Lake Erie is not a pond in Toledo. It is one of the five Great Lakes and one of the largest lakes on Earth, bordering dozens of cities, four states, and two countries…Consequently, municipal laws enacted to protect Lake Erie are generally void if they conflict with Ohio law.”[16] The court did note that “with careful drafting, Toledo probably could enact valid legislation to reduce water pollution,” citing a Wisconsin ordinance restricting the use of phosphorus-containing fertilizers in Madison city limits.[17]

Other Options Exist to Protect the Great Lakes

The striking down of LEBOR indicates that while a municipality may enact ordinances to limit water pollution, such ordinances will likely have to remain limited in nature to survive a court’s scrutiny. Broader legislation to protect ecosystems like the Great Lakes will likely have to come through a state’s legislature, at the bare minimum. However, there are other options available to help protect the Great Lakes as a whole.

The public trust doctrine is a legally established method for individuals to protect natural resources that otherwise wouldn’t be able to protect themselves. Cited most frequently with bodies of water, the public trust doctrine establishes that the government maintains certain natural and cultural resources that are “owned” by the public.[18] Recently, the Michigan Attorney General’s 2019 lawsuit to shut down an oil pipeline crossing the Straits of Mackinac cited the public trust doctrine, claiming the lease allowing the pipeline to operate violates the state’s obligation to “protect and preserve the waters of the Great Lakes and the lands beneath them for the public.”[19] Additionally, a 2021 resolution passed by the Metropolitan Water Reclamation District of Greater Chicago recognized that the water of the Great Lakes will remain in the public trust.[20] This resolution from the water district of the largest metropolitan area in the Great Lakes region is another example of a step in the right direction for protecting the Great Lakes and equal access to clean water.

Notably, New York state assemblyman Patrick Burke has introduced legislation to create a more expansive Great Lakes Bill of Rights.[21] Burke’s proposal would create a Great Lakes bill of rights that declares the right of the Great Lakes to exist, flourish and naturally evolve, giving the state and affected localities to sue on the Lakes’ behalf.[22] The proposed legislation is remarkably similar to the struck-down Toledo law, and, if it becomes law, is likely to face similar legal challenges. While such a law would easily overcome the municipal overreach issue from Toledo, a proposed Great Lakes bill of rights statute is still likely to face the same vagueness issue that helped bring down LEBOR. However, in the face of continued pollution and disregard for our environment, laws like this represent the next logical step for protecting our lakes, rivers, and forests, and could finally give the Great Lakes the protection they deserve.

Notes

[1] Nicole Pallotta, Federal Judge Strikes Down ‘Lake Erie Bill of Rights,’ Animal Legal Defense Fund (May 4, 2020), https://aldf.org/article/federal-judge-strikes-down-lake-erie-bill-of-rights/#:~:text=The%20bill%20of%20rights%20established,powers%20claimed%20by%20certain%20corporations.

[2] Nina Totenberg, When Did Companies Become People? Excavating the Legal Evolution, NPR (July 28, 2014), https://www.npr.org/2014/07/28/335288388/when-did-companies-become-people-excavating-the-legal-evolution.

[3] Michael Wines, Behind Toledo’s Water Crisis, a Long-Troubled Lake Erie, N.Y. Times (Aug. 4, 2014), https://www.nytimes.com/2014/08/04/us/toledo-faces-second-day-of-water-ban.html.

[4] Id.

[5] Claire Brown, How Ohio’s Chamber of Commerce Killed an Anti-Pollution Bill of Rights, The Intercept (Aug. 29, 2019), https://theintercept.com/2019/08/29/lake-erie-bill-of-rights-ohio/.

[6] Id.

[7] Lake Erie Bill of Rights, Beyond Pesticides (last visited Oct. 7, 2023), https://www.beyondpesticides.org/assets/media/documents/LakeErieBillofRights.pdf.

[8] Id.

[9] Id.

[10] Id.

[11] Drewes Farms P’ship v. City of Toledo, 441 F.Supp.3d 551 (N.D. Ohio 2020).

[12] Id. at 558.

[13] Id. at 557.

[14] Id. at 556.

[15] Id.

[16] Id. at 557.

[17] Id.

[18] Public trust doctrine, Cornell Law School (last visited Oct. 8, 2023), https://www.law.cornell.edu/wex/public_trust_doctrine#:~:text=Public%20trust%20doctrine%20is%20a,waters%2C%20wildlife%2C%20or%20land.

[19] Jim Malewitz, Michigan AG Dana Nessel files lawsuit to shut down Line 5 in Mackinac Straits, Bridge MI (June 27, 2019), https://www.bridgemi.com/michigan-environment-watch/michigan-ag-dana-nessel-files-lawsuit-shut-down-line-5-mackinac-straits.

[20] Allison Fore, MWRD Board of Commissioners passes resolution that affirms water is a basic human right, Metropolitan Water Reclamation District of Greater Chi. (June 3, 2021), https://mwrd.org/sites/default/files/2021-06/Water%20Equity.pdf.

[21] NYS Assemblyman Patrick Burke Introduces Great Lakes Bill of Rights, N.Y. State Assembly (Mar. 2, 2022), https://nyassembly.gov/mem/Patrick-Burke/story/100976#:~:text=The%20Great%20Lakes%20Bill%20of,and%20the%20Great%20Lakes%20ecosystem.%E2%80%9D.

[22] Id.