Bill Text: CA SB892 | 2023-2024 | Regular Session | Amended
Bill Title: Public contracts: automated decision tools: procurement standards.
Spectrum: Partisan Bill (Democrat 3-0)
Status: (Engrossed) 2024-08-07 - August 7 set for first hearing. Placed on suspense file. [SB892 Detail]
Download: California-2023-SB892-Amended.html
|
Amended
IN
Assembly
July 03, 2024 |
|
Amended
IN
Assembly
June 21, 2024 |
|
Amended
IN
Senate
April 10, 2024 |
|
Amended
IN
Senate
April 01, 2024 |
CALIFORNIA LEGISLATURE—
2023–2024 REGULAR SESSION
Senate Bill
No. 892
| Introduced by Senator Padilla (Coauthors: Senators Rubio and Smallwood-Cuevas) |
January 03, 2024 |
An act to add Section 12100.1 to the Public Contract Code, relating to public contracts.
LEGISLATIVE COUNSEL'S DIGEST
SB 892, as amended, Padilla.
Public contracts: automated decision systems: AI risk management tools: procurement standards.
Existing law requires all contracts for the acquisition of information technology goods and services related to information technology projects, as defined, to be made by or under the supervision of the Department of Technology. Existing law requires all other contracts for the acquisition of information technology goods or services to be made by or under the supervision of the Department of General Services. Under existing law, both the Department of Technology and the Department of General Services are authorized to delegate their authority to another agency, as specified.
Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants to a consumer various rights with respect to personal information, as defined, that is collected
by a business, as defined, including the right to request that a business delete personal information about the consumer that the business has collected from the consumer. Existing law, the California Privacy Rights Act of 2020, an initiative measure approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA. The CCPA, as amended, establishes the California Privacy Protection Agency with full administrative power, authority, and jurisdiction to implement and enforce the CCPA.
This bill would require the Department of Technology to develop and adopt regulations to create an artificial intelligence (AI) risk management standard, as specified.
automated decision tool (ADT) procurement standard, following the adoption of specified regulations by the California Privacy Protection Agency or the enactment of comprehensive ADT legislation, whichever occurs sooner. To develop those regulations, the bill would authorize require the department to apply consider principles and industry standards addressed in specified publications regarding AI risk management. The bill would require the AI risk management
ADT procurement standard to include, among other things, a detailed risk assessment procedure for procuring automated decision systems (ADS), as defined, that analyzes specified characteristics of the ADS, ADT, methods for appropriate risk controls, as provided, and adverse incident monitoring procedures. The bill would require the department to, among other things, collaborate with specified organizations to develop the AI risk management standard. ADT procurement standard and review and update the ADT procurement standard and related
regulations, as specified.
This bill would, commencing six months after the date on which the regulations described in the paragraph above are approved and final, would prohibit a state agency from procuring an ADT, entering into a contract for an ADS, ADT, or any service that utilizes an ADS, unless the contract includes
ADT until the department has adopted regulations creating an ADT procurement standard. The bill would also require a contract for an ADT or a service that utilizes an ADT to include a clause that, among other things, provides a completed risk assessment of the relevant ADS, ADT, as specified, requires adherence to appropriate risk controls, and provides procedures for adverse incident monitoring.
Digest Key
Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NOBill Text
The people of the State of California do enact as follows:
SECTION 1.
Section 12100.1 is added to the Public Contract Code, to read:12100.1.
(a) For purposes of this section, the following definitions apply:(1) “Artificial intelligence” or “AI” means an engineered or machine-based system that, that varies in its level of autonomy and that can, for explicit or implicit objectives, infers, infer from the input it receives,
receives how to generate outputs that can influence physical or virtual environments and that may operate with varying levels of autonomy. environments.
(2)(A)“Automated decision system” or “ADS” means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decisionmaking and materially impacts natural persons.
(B)“Automated decision system” does not mean a spam email filter, firewall, antivirus software, identity and access management tool, calculator, database, dataset, or other compilation of data.
(2) “Automated decision tool” or “ADT” means an artificial intelligence system or service that makes a consequential decision, or is a substantial factor in making a consequential decision.
(3) “Consequential decision” means a decision or
judgment that has a legal, material, or similarly significant effect on an individual’s life relating to access to government benefits or services, assignments of penalties by government, or the impact of, access to, or the cost, terms, or availability of, any of the following:
(A) Employment with respect to all of the following:
(i) Pay or promotion.
(ii) Hiring or termination.
(iii) Automated task allocation that limits, segregates, or classifies employees for the purpose of assigning or determining material terms or conditions of employment.
(B) Education and vocational training as it relates to all of the following:
(i) Assessment or placement.
(ii) Detecting student cheating or plagiarism.
(iii) Accreditation.
(iv) Certification.
(v) Admissions or enrollment.
(vi) Discipline.
(vii) Evaluation.
(viii) Financial aid or scholarships.
(C) Housing or lodging, including rental or short-term housing or lodging.
(D) All of the following essential utilities:
(i) Electricity.
(ii) Heat.
(iii) Water.
(iv) Internet or telecommunications access.
(v) Transportation.
(E) Family planning.
(F) Adoption services, reproductive services, or assessments related to child protective services.
(G) Health care or health insurance, including mental health care, dental, or vision.
(H) Financial services, including a financial service provided by a mortgage company, mortgage broker, or creditor.
(I) All of the following aspects of the criminal justice system:
(i) Risk assessments for pretrial hearings.
(ii) Sentencing.
(iii) Parole.
(J) Legal services.
(K) Private arbitration.
(L) Mediation.
(M) Voting.
(3)
(4) “Department” means the Department of Technology.
(4)“High-risk automated decision system” or “high-risk ADS” means an automated decision system that is used to assist or replace human discretionary decisions that have a legal or similarly significant effect, including decisions that materially impact access to, or approval for, free speech, housing or accommodations, education, employment, credit, health care, child welfare, immigration, and criminal justice.
(5) “Substantial factor” means an element of a decisionmaking process that is capable of altering the outcome of the process.
(b) The Following the adoption of regulations by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code, or following the enactment of similarly comprehensive statewide legislation that establishes a regulatory framework governing the
development and deployment of ADTs, whichever occurs sooner, the department shall develop and adopt regulations to create an AI risk management ADT procurement standard.
(1) To develop regulations related to the AI risk management ADT procurement standard, the department may apply shall consider principles and industry standards
addressed in relevant publications, including, but not limited to, any all of the following:
(A) The Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People, published by the White House Office of Science and Technology Policy in October 2022.
(B) The Artificial Intelligence Risk Management Framework (AI RMF 1.0), released by the National Institute of Standards and Technology (NIST) in January 2023.
(C) The Risk Management Framework for the Procurement of Artificial Intelligence (RMF PAIS 1.0), authored by the AI Procurement
Lab and the Center for Inclusive Change in 2024.
(D) The Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence Memorandum, published by the Executive Office of the President, Office of Management and Budget, dated March 28, 2024.
(2) The AI risk management ADT procurement standard shall include all of the following:
(A) A detailed risk assessment procedure for procuring ADS that analyzes all of the following:
(i) Organizational and supply chain governance associated with the ADS. ADT.
(ii) The purpose and use of the ADS. ADT.
(iii) Any known potential misuses or abuses of the ADS. ADT.
(iv) An assessment of the legality, traceability, and provenance of the data the ADS ADT uses and the legality of the output of the ADS. ADT.
(v) The robustness, accuracy, and reliability of the ADS. ADT.
(vi) The interpretability and explainability of the ADS.
ADT.
(B) Methods for appropriate risk controls between the state agency and ADS ADT vendor, including, but not limited to, reducing the risk through various mitigation strategies, eliminating the risk, or sharing the risk.
(C) Adverse incident monitoring procedures.
(D) Identification and classification of prohibited use cases and applications of ADS ADT
that the state shall not procure.
(E) A detailed equity assessment that analyzes, at a minimum, all of the following:
(i) The individuals and communities that will interact with the high-risk ADS.
ADT.
(ii) How the information or decisions generated by the ADS ADT will impact an individual’s rights, freedoms, economic status, health, health care, or well-being.
(iii) Any issues that may arise if the ADS ADT is inaccurate.
(iv) How users of
with diverse abilities will interact with the user interface of the ADS ADT and whether the ADS ADT integrates and interacts with commonly used assistive technologies.
(F) An assessment that analyzes the level of human oversight associated with the use of ADS. ADT.
(G) Adherence to data minimization standards, including that an AI or ADS ADT vendor shall only use information provided by or obtained from an agency to provide the specific service authorized by the agency. Further, the data collected may not be used for training of proprietary vendor or third-party systems.
(3) To develop the AI
risk management In developing the ADT procurement standard, the department shall comply with do all of the following:
(A) Collaborate with organizations that represent state and local government employees and industry experts, including, but not limited to, public trust and safety experts, community-based organizations, civil society groups, academic researchers, and research institutions focused on responsible AI ADT
procurement, design, and deployment.
(B) Consult with the California Privacy Protection Agency.
(C) Solicit public comment on the risk management ADT procurement standard.
(4)The department
(4) (A) Subject to subparagraph (B), the department shall adopt regulations pursuant to this subdivision in accordance with the provisions of Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code.
(B) Regulations adopted by the department pursuant to subparagraph (A) shall be consistent with both of the following:
(i) Regulations adopted by the California Privacy Protection Agency pursuant to paragraph (16) of subdivision (a) of Section 1798.185 of the Civil Code.
(ii) Statewide legislation that establishes a regulatory framework governing the development and deployment of ADTs.
(5) Starting January 1, 2026, and annually thereafter, the department shall review and update both of the following:
(A) The ADT procurement standard.
(B) Regulations adopted pursuant to this subdivision.
(c) A state agency shall not procure an ADT, enter into a contract for an ADT, or enter into a contract for any service that utilizes an ADT, prior to the adoption of regulations by the department pursuant to subdivision (b).
(c)Commencing six months after the date on which the regulations described in subdivision (b) are approved and final, a
(d) A state agency shall not may enter into a contract for an automated decision system, or any ADT, or a service that utilizes an automated decision system, unless ADT only after the department has adopted regulations pursuant to subdivision (b) and only if
the contract includes a clause that does all of the following:
(1) Provides a completed risk assessment of the relevant ADS ADT that analyzes the items included in subparagraph (A) of paragraph (2) of subdivision (b).
(2) Requires the state agency or the ADS ADT vendor, or both, to adhere to appropriate risk controls.
procurement standards.
(3) Provides procedures for adverse incident monitoring.
(4) Requires authorization from the state agency before deployment of ADS ADT upgrades and enhancements.
(5) Requires the state agency or the ADS ADT
vendor, or both, to provide notice to individuals that would likely be affected by the decisions or outcomes of the ADS, ADT, and information about how to appeal or opt-out of ADS ADT decisions or outcomes.
(6) Provides a termination right in the event of a significant breach of responsibility or violation by the vendor.
