STATE OF NEW YORK ________________________________________________________________________ 7543--A 2023-2024 Regular Sessions IN SENATE June 5, 2023 ___________ Introduced by Sen. GONZALEZ -- read twice and ordered printed, and when printed to be committed to the Committee on Rules -- recommitted to the Committee on Internet and Technology in accordance with Senate Rule 6, sec. 8 -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee AN ACT to amend the state technology law, in relation to automated deci- sion-making by state agencies The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. Short title. This act shall be known and may be cited as 2 the "legislative oversight of automated decision-making in government 3 act (LOADinG Act)". 4 § 2. The state technology law is amended by adding a new article 4 to 5 read as follows: 6 ARTICLE IV 7 AUTOMATED DECISION-MAKING IN STATE GOVERNMENT 8 Section 401. Definitions. 9 402. Use of automated decision-making systems by agencies. 10 403. Impact assessments. 11 § 401. Definitions. For the purpose of this article: 12 1. "Automated decision-making system" shall mean any software that 13 uses algorithms, computational models, or artificial intelligence tech- 14 niques, or a combination thereof, to automate, support, or replace human 15 decision-making and shall include, without limitation, systems that 16 process data, and apply predefined rules or machine learning algorithms 17 to analyze such data, and generate conclusions, recommendations, 18 outcomes, assumptions, projections, or predictions without meaningful 19 human review and discretion. "Automated decision-making system" shall 20 not include any software used primarily for basic computerized proc- 21 esses, such as calculators, spellcheck tools, autocorrect functions, 22 spreadsheets, electronic communications, or any tool that relates only EXPLANATION--Matter in italics (underscored) is new; matter in brackets [ ] is old law to be omitted. LBD11734-03-4
S. 7543--A 2 1 to internal management affairs such as ordering office supplies or proc- 2 essing payments, and that do not materially affect the rights, liber- 3 ties, benefits, safety or welfare of any individual within the state. 4 2. "State agency" shall mean any department, public authority, board, 5 bureau, commission, division, office, council, committee or officer of 6 the state. Such terms shall not include the legislature or judiciary. 7 3. "Public assistance benefit" shall mean any service or program with- 8 in the control of the state, or benefit provided by the state to indi- 9 viduals or households, including but not limited to public assistance, 10 cash assistance, grants, child care assistance, housing assistance, 11 unemployment benefits, transportation benefits, education assistance, 12 domestic violence services, and any other assistance or benefit within 13 the authority of the state to grant to individuals within the state. 14 This shall not include any federal program that is administered by the 15 federal government or the state. 16 § 402. Use of automated decision-making systems by agencies. 1. Any 17 state agency, or any entity acting on behalf of such agency, shall be 18 prohibited from, directly or indirectly, utilizing or applying any auto- 19 mated decision-making system in performing any function that: (a) is 20 related to the delivery of any public assistance benefit; (b) will have 21 a material impact on the rights, civil liberties, safety or welfare of 22 any individual within the state; or (c) affects any statutorily or 23 constitutionally provided right of an individual; unless such utiliza- 24 tion or application of the automated decision-making system is specif- 25 ically authorized in law. 26 2. No state agency shall authorize any procurement, purchase or acqui- 27 sition of any service or system utilizing, or relying on, automated 28 decision-making systems prohibited in subdivision one of this section, 29 except where the use of such system is specifically authorized in law. 30 § 403. Impact assessments. 1. No state agency shall utilize or apply 31 any automated decision-making system unless the state agency, or an 32 entity acting on behalf of such state agency, shall have conducted an 33 impact assessment for the application and use of such automated deci- 34 sion-making system. Following the first impact assessment, an impact 35 assessment shall be conducted at least once every two years. An impact 36 assessment shall be conducted prior to any material change to the auto- 37 mated decision-making system that may change the outcome or effect of 38 such system. Such impact assessments shall include: 39 (a) a description of the objectives of the automated decision-making 40 system; 41 (b) an evaluation of the ability of the automated decision-making 42 system to achieve its stated objectives; 43 (c) a description and evaluation of the objectives and development of 44 the automated decision-making including: 45 (i) a summary of the underlying algorithms, computational modes, and 46 artificial intelligence tools that are used within the automated deci- 47 sion-making system; and 48 (ii) the design and training data used to develop the automated deci- 49 sion-making system process; 50 (d) testing for: 51 (i) accuracy, fairness, bias and discrimination, and an assessment of 52 whether the use of the automated decision-making system produces discri- 53 minatory results on the basis of a consumer's or a class of consumers' 54 actual or perceived race, color, ethnicity, religion, national origin, 55 sex, gender, gender identity, sexual orientation, familial status, biom- 56 etric information, lawful source of income, or disability and outlines
S. 7543--A 3 1 mitigations for any identified performance differences in outcomes 2 across relevant groups impacted by such use; 3 (ii) any cybersecurity vulnerabilities and privacy risks resulting 4 from the deployment and use of the automated decision-making system, and 5 the development or existence of safeguards to mitigate the risks; 6 (iii) any public health or safety risks resulting from the deployment 7 and use of the automated decision-making system; 8 (iv) any reasonably foreseeable misuse of the automated decision-mak- 9 ing system and the development or existence of safeguards against such 10 misuse; 11 (e) the extent to which the deployment and use of the automated deci- 12 sion-making system requires input of sensitive and personal data, how 13 that data is used and stored, and any control users may have over their 14 data; and 15 (f) the notification mechanism or procedure, if any, by which individ- 16 uals impacted by the utilization of the automated decision-making system 17 may be notified of the use of such automated decision-making system and 18 of the individual's personal data, and informed of their rights and 19 options relating to such use. 20 2. Notwithstanding the provisions of this article or any other law, if 21 an impact assessment finds that the automated decision-making system 22 produces discriminatory or biased outcomes, the state agency shall cease 23 any utilization, application, or function of such automated decision- 24 making system, and of any information produced using such system. 25 3. Any impact assessment conducted pursuant to this subdivision shall 26 be submitted to the governor, the temporary president of the senate, and 27 the speaker of the assembly at least thirty days prior to the implemen- 28 tation of the automated decision-making system that is the subject of 29 such assessment. The impact statement of an automated decision-making 30 system that is approved and utilized, shall be published on the website 31 of the relevant agency. If the state agency makes a determination that 32 the disclosure of any information required in the impact assessment 33 would result in a substantial negative impact on health or safety of the 34 public, infringe upon the privacy rights of individuals, or significant- 35 ly impair the state agency's ability to protect its information technol- 36 ogy or operational assets, it may redact such information, provided that 37 an explanatory statement on the process by which the state agency made 38 such determination is published along with the redacted impact assess- 39 ment. 40 § 3. Disclosure of existing automated decision-making systems. Any 41 state agency, that directly or indirectly, utilizes an automated deci- 42 sion-making system, as defined in section 401 of the state technology 43 law, shall submit to the legislature a disclosure on the use of such 44 system, no later than one year after the effective date of this section. 45 Such disclosure shall include: 46 (a) a description of the automated decision-making system utilized by 47 such agency; 48 (b) a list of any software vendors related to such automated deci- 49 sion-making system; 50 (c) the date that the use of such system began; 51 (d) a summary of the purpose and use of such system, including a 52 description of human decision-making and discretion supported or 53 replaced by the automated decision-making system; 54 (e) whether any impact assessments for the automated decision-making 55 system were conducted and the dates and summaries of the results of such 56 assessments where applicable; and
S. 7543--A 4 1 (f) any other information deemed relevant by the agency. 2 § 4. This act shall take effect immediately, provided that section two 3 of this act shall take effect one year after it shall have become a law.