In this edition of our regular roundup on legislative initiatives related to artificial intelligence (AI), cybersecurity, the Internet of Things (IoT), and connected and autonomous vehicles (CAVs), we focus on key developments in the European Union (EU).

There has been some policy activity in the U.S. this quarter, including the re-introduction of the SELF-DRIVE Act by Representative Bob Latta [R-OH] and the introduction of a new bipartisan resolution by Representatives Will Hurd [R-TX] and Robin Kelly [D-IL] setting forth a national AI strategy that addresses U.S. global leadership, workforce issues, research and development, national security, and ethics issues, and encourages greater harmonization with respect to AI across federal agencies. The U.S. Department of Transportation also recently launched its AV Test tracking tool. Other activity has slowed, however, as the U.S. grapples with the global pandemic, the impending national election, and related matters. Meanwhile, there continue to be significant policy developments in the EU pertaining to these technologies, with further initiatives set to be announced later this year and early next year.

Artificial Intelligence

In February this year, the European Commission launched its much-anticipated digital strategy. As discussed in our previous four-part blog series (here, here, here, and here), this included setting out its plans for a coordinated European approach to ethical AI through a White Paper On Artificial Intelligence – A European approach to excellence and trust (the “White Paper”), and a Report on the safety and liability implications of Artificial Intelligence, the Internet of Things and robotics. In the six months that have elapsed since, the Commission has publicly consulted on its plans and is developing proposals for AI legislation, now expected in early 2021.

  • AI White Paper Consultation: over 1200 stakeholders responded to the Commission’s AI White Paper, providing feedback on the policy and regulatory options it proposes. Stakeholders were mainly concerned about the potential for AI to breach fundamental rights or lead to discriminatory outcomes. The Commission published a summary report on the consultation’s preliminary findings this summer. The results of the consultation are likely to influence the Commission’s forthcoming regulatory proposal.
  • Inception Impact Assessment for AI Legislation: on 23 July 2020, the Commission unveiled its inception impact assessment for AI legislation. While the completed impact assessment is not expected until late 2020 or early 2021, this initial roadmap defines the Commission’s scope and goals for AI legislation. Several key concerns about AI are likely to be addressed through the new AI legislation, including: (1) protecting consumers from harm caused by AI, such as accidents caused by autonomous vehicles or other AI-driven robotics; (2) protecting fundamental rights, including against risks to privacy and freedom of expression caused by facial recognition surveillance and similar monitoring systems; and (3) unlawful discrimination that may be caused by AI tools displaying bias against certain populations.
  • European Parliament votes on AI reports: three reports (here, here, and here), setting out Members of the European Parliament’s demands to the Commission on how AI should be regulated in the areas of ethics, civil liability, and intellectual property, were voted on by the European Parliament’s Legal Affairs Committee (JURI) this September. The ethics report urges the Commission to present a legal framework for the development, deployment, and use of AI that respects fundamental rights, and calls for the establishment of a “European Agency for Artificial Intelligence” and a “European certification of ethical compliance.” The liability report contains proposals for a civil liability regime with a compensation system of up to 2 million euros. The reports are set to be voted upon by the plenary in October 2020, and could influence the Commission’s forthcoming legislative proposals.
  • New Global Partnerships on AI: as summarized here, this summer it was announced that the EU, UK, US, and nine other countries were joining forces to create the Global Partnership on Artificial Intelligence (GPAI). GPAI is an international initiative, housed at the OECD, to promote responsible AI that respects human rights and democratic values. Subsequently, on 25 September 2020, the UK and US announced a further agreement on cooperation in AI research and development (R&D). Building on the US-UK Science and Technology Agreement, signed in September 2017, the new agreement seeks to advance the US and UK’s shared vision of an AI R&D ecosystem that promotes the mutual wellbeing, prosperity, and security of present and future generations.
  • Digital Services Act: alongside these developments, the Commission is currently working on its proposals for a Digital Services Act (DSA). The DSA will be presented in December 2020, and is expected to set out ex ante prohibitions of certain behaviour (particularly relating to data-related, self-preferencing and bundling/tying practices) obliging companies to do more to protect their users against illegal content and activities. The legislation is expected to impose obligations on companies identified as “gatekeepers”.


Cybersecurity

The Commission has a number of new cybersecurity initiatives expected this quarter on the back of the Cybersecurity Strategy 2020-2025 it published in July 2020.

  • The Directive on security of network and information systems (“NIS Directive”) is currently under review by the Commission. Proposed updates to the EU’s laws on cybersecurity in critical infrastructure are expected by the end of this year.
  • A Joint Cyber Unit is to be set up by the Commission to further coordinate cybersecurity operational capabilities across the EU. Meanwhile, in September 2020, EU Member States launched a new platform to coordinate crisis response and cyber defenses in the case of large-scale cyberattacks. The Cyber Crisis Liaison Organisation Network (CyCLONe) is tasked with launching “consultations on national response strategies and coordinated impact assessment on the anticipated or observed impacts of a crisis.” The EU’s Cybersecurity Agency ENISA serves as its secretariat.
  • As part of a legislative package aimed at helping to digitalize the financial sector, the Commission is also working on proposals to better ensure financial services harmonize their online defenses and keep functioning despite cyberattacks.

Internet of Things

In July 2020, the European Commission launched an antitrust competition sector inquiry into the Internet of Things as it aims to understand more about consumer-facing IoT products and services over the next two years. Announcing the inquiry, Executive Vice-President Margrethe Vestager, in charge of competition policy, said the IoT sector had already acquired characteristics that indicate the possible existence of company practices that may structurally distort competition.

The European Commission sent Requests for Information to approximately 400 companies, addressing Consumer Internet of Things Services, Voice Assistants and Smart Home Devices, responses to which are due on 15 October. The RFIs focus heavily on privacy, data, access and interoperability issues.

The European Commission is expected to publish a preliminary report in spring 2021 followed by a final report in summer 2022.

Connected and Autonomous Vehicles

This September, the Commission published a report by an independent group of experts on the ethics of connected and automated vehicles. The report sets out twenty recommendations for a safe and ethical transition towards driverless mobility, including the creation of a culture of responsibility; responding to dilemma situations; and the promotion of data, algorithm and AI literacy through public participation. The report builds on the Commission’s strategy on Connected and Automated Mobility which aims to make Europe a world leader in the development and deployment of CAVs.

Meanwhile, the German government is preparing a law on autonomous driving (Gesetz zum autonomen Fahren). The new law is intended to regulate the deployment of CAVs in specific operational areas, and will stipulate the obligations of CAV operators and their liability regime. The German government also intends to create a “mobility data room”, a cloud storage space for pooling mobility data coming from the car industry, rail and local transport companies, and private mobility providers such as car sharers or bike rental companies. The idea is for these industries to share their data for the common purpose of creating more efficient passenger and freight traffic routes, and supporting the development of autonomous driving initiatives in Germany.