Digital regulation and strategy

1. Cyber gets serious

As reliance on digital infrastructure increases and data becomes more voluminous, valuable and vulnerable, we expect to see a rise in cyber incidents and attacks. "Cyber wars" between nations are predicted to be major threats to critical national infrastructure and services, as well as targeted ransomware attacks. With a flurry of new and revamped legislation impacting cybersecurity and operational resilience, regulatory requirements are becoming more numerous and stringent, often with formidable associated enforcement regimes.

What's next?

More sophisticated attacks: Deployment of artificial intelligence (AI) and machine learning technologies will become an increasingly critical component of the arms race between company security teams and cyberattack perpetrators. This increased automation of the security and attack process could see organisations fending off countless hyper-speed attacks each day. The next generation of cyberattacks will move from opportunistic to targeted, and deepfakes and natural language chat bots could move phishing attacks to the next level.

Incident management navigation: The management of cyber incidents will become increasingly complex as more laws come into force, existing laws are revised, and the trend of multiple regulators investigating cyber incidents continues. Increasingly, companies are subject to legal requirements to have incident response plans. Even where not legally required, companies are relying on such plans to navigate the various incident management and reporting requirements under a patchwork of laws governing cybersecurity and resilience, ransomware payments, privacy and, often, sector-specific requirements and regulators.

Supply chain risk: Management of cyber and operational resilience risk in the extended supply chain will be crucial across sectors. Supplier due diligence, audit and robust contractual terms will be key tools in managing risk exposure and securing crucial rights and recourse in the event of an incident or failure of a supplier. In certain sectors, this risk management will be required by law. Beyond these sectors, supply chain risk management will be in the spotlight due to increasing client requirements and growing risk awareness. This will impact supplier engagement as well as due diligence for M&A activity.

Connected devices: With the EU's proposed Cyber Resilience Act seeking to raise the cybersecurity standards for connected hardware and software placed on the EU market, in 2023 we will see manufacturers, importers and distributors of a vast range of digital products and applications engaging with, and preparing for, this regulation as it makes its way through the EU legislative process and is expected to influence manufacturing, import and distribution standards globally.

For more, see our briefings on EU NIS 2 Directive, EU Cyber Resilience Act and DORA: digital operational resilience.

Partner Jonathan Kewley says...

"Cyberattacks can be so vast and unpredictable that they could be uninsurable. That's why we're seeing new legislation that requires businesses to think ahead."

2. Data in the spotlight

The proliferation of heavy-hitting data protection laws continued in 2022. We are seeing some laws come into full effect as well as regimes developing the specificity of their requirements and others strengthening their sanctions. Privacy enforcement has been active, including large GDPR fines and the first ever CCPA enforcement action. Joining the data governance landscape are new laws and proposals tackling how certain data sets – containing both personal and non-personal data – may be shared and used.

What's next?

Increased complexity in data governance and transfer: Significant new privacy laws and changes to data protection regimes are on the horizon in 2023 – including in the USA, the UK, India, Nigeria and Saudi Arabia. Alongside these privacy developments, we will also see wider data governance laws and frameworks being introduced or developed, with the EU leading the charge as the Data Act and the Common European Data Spaces initiative follow hot on the heels of last year's enactment of the EU's Data Governance Act.

Senior Associate Arun Visweswaran says...

"Technology's growth goes hand-in-hand with how technology treats and respects data. The fact that the Middle East is pushing for technology to grow in this region, and is at the same time ensuring there are regulations in place to respect data, increases confidence in the market."

What's next?

International co-operation for data transfers: High-profile enforcement activity in relation to data transfers has put pressure on international co-operation efforts to facilitate legal transfer of data between continents. With momentum building behind the Global Cross-Border Privacy Rules Forum and progress of the EU-US Data Privacy Framework expected to be fast-paced, we should see businesses being able to meaningfully leverage related transfer mechanisms. Of course, the testing of these frameworks in court will doubtless follow.

Enforcement and litigation risk: Data governance will remain a key area of legal, operational and reputational risk across sectors in 2023, given the severe and active enforcement regimes and increasing cost and risk of litigation. We will see forms of group redress or class actions centring on privacy issues in many jurisdictions. Key areas of focus for regulators and courts this year are expected to be the processing of children's data and biometric data, automated decisions, data monetisation and transfers. There will also be sustained attention on the intersection between privacy and antitrust as the use of data by big tech companies is scrutinised.

For more, see our articles: U.S. Executive Order on data transfers from 'qualified states' and Beyond adequacy: multi-jurisdictional privacy compliance.

Partner Sharis Pozen says...

"The trend of conflation of antitrust, privacy and data will continue. Governments around the globe are concerned about the power that accumulated data represents and are enacting legislative initiatives around data accordingly."

3. The AI legal landscape evolves

We are seeing significant evolutions in the capabilities of AI and machine learning technologies – including generative AI with greater capacity for seemingly creative action and personalisation. Interactions with other emerging technologies, such as neurotechnology and quantum computing, could hugely accelerate these developments. This presents both exciting opportunities and a range of legal, ethical and practical questions. In 2023, we will see significant milestones in the development of the regulatory frameworks for AI, and businesses will be stepping up their internal AI capabilities.

What's next?

Evolving legal frameworks: The EU's AI Regulation is expected to be finalised and adopted in the year ahead. It will sit alongside the proposed AI Liability Directive in regulating how AI can be used and who is liable for harms caused by use of AI. The UK is expected to issue an AI framework to underpin sector-specific rules. In the US, we expect to see progress of the AI Bill of Rights, and the testing of the practical application of New York City's law governing AI in recruitment. China's regulatory architecture for AI is expected to continue to emerge following its regulation on recommendation algorithms coming into effect last year and its recently released measures on production of 'deepfakes'. Such AI-focused legislation will form part of the andscape of privacy, product safety, consumer protection and other laws which regulate the use of AI.

Ethics and risk management: Businesses will also be navigating ethical and risk management frameworks that will influence market practice, shape customer expectations and inform regulatory views of appropriate AI development, deployment and governance. Standards organisations and hubs are expected to release AI-related standards and guidance. In turn, we will likely see the rise of AI assurance ecosystems and audit services, as well as businesses making greater investments in hiring, developing and retaining talent that can deliver and govern AI projects.

Intellectual property: As AI becomes more sophisticated and "creative", key legal issues in 2023 will include the concepts of "inventorship" and "patentability" of products created by, or using, AI as well as the provenance and ownership of data.

Contracting for AI: Businesses are increasingly recognising that contracts for AI procurement, development or investment are a crucial part of the wider AI governance process. When contracting with suppliers or entering into a collaboration for AI development, there will be increased focus on case-by-case assessment in order to negotiate appropriate terms to address the non-deterministic nature of AI, to manage supplier risk exposure and to allocate clearly rights, responsibility and liability. For the same reasons, such contracts will increasingly be spotlighted in due diligence exercises prior to investment or M&A transactions.

For more, see our international expert panel discussion: Managing AI in an evolving legal landscape.

Partner Kate Scott says...

"New AI-focused legislation will form part of the greater landscape of privacy, product safety and other laws which regulate the use of AI. In parallel, litigation and regulatory enforcement will test key issues, in particular around liability, fairness and transparency, and intellectual property rights."

4. Regulatory frameworks for digital assets, services and markets

The power and real-world consequences of digital content, interactions and assets are more evident than ever before. Countries around the world are introducing regulation designed to protect consumers, promote data sharing, safeguard competition and manage the digital playing field. Courts are applying existing legal principles to new technologies. In 2023, we will see rapid evolution of the legal frameworks for the regulation of digital services, online content, digital assets and digital markets.

What's next?

Online services and content: Governments and law makers are focused on tackling unfair or harmful practices, dark patterns, disinformation, and the risk of deepfakes and other technologies being weaponised to manipulate people. From the recently introduced EU Digital Services Act and China's laws on deep synthesis technology, to the UK Online Safety Bill and the proposed US Kids Online Safety Act, we will see significant, if fragmented, progress in regulating an array of online services and technologies.

Digital markets: Antitrust authorities are continuing to focus on regulation of the digital sphere and have their sights set on curtailing the power of the largest players in the digital markets. The EU's Digital Markets Act (DMA) entered into force last year, and in 2023 we will begin to see which companies are designated gatekeepers and how aspects of the legislation will be implemented. The DMA is part of a global trend in tackling the regulation of competition in digital markets – with legislation at varying stages in the US, the UK, Australia, China and Korea. The year ahead will give a better picture of the degree of divergence in approach between jurisdictions as these laws develop. We will also see significant investigations and litigation as prominent companies come under scrutiny for alleged anti-competitive behaviour connected with their use of technology and data.

For more, see The Digital Services Act – What is it and what impact will it have? and The Digital Markets Act: A new era for the digital sector in the EU.

Cloud computing and Internet of Things (IoT): The proposed EU Data Act seeks to grant users rights to access and port data generated by IoT products and contains contraversial proposals designed to facilitate switching between cloud providers that could have significant impact on competition in these markets, as well as ramifications for database rights and complex interplays with privacy laws. Market studies by competition authorities in Europe and Asia are considering competition in relation to cloud services. These services are also in the spotlight in the context of proposed EU and UK resilience standards applicable to so-called critical third parties.

Digital assets: In the wake of the failure of key players in the cryptoasset ecosystem and as regulatory expectations for managing operational and other risks arising from uses of distributed ledger technology are maturing, regulators around the world will increasingly require more stringent risk controls as they focus on the resilience of firms holding exposures to cryptoassets. There will be an increase in disputes surrounding digital assets; it is likely that we will see court decisions shaping how insolvency proceedings, securities laws and duties of care apply in relation to digital assets, as well as further court rulings on the concept of 'property' in relation to non-fungible tokens or NFTs.

For more, see Fintech Trends 2023; Crypto Litigation & Arbitration Trends 2023 and The EU Data Act.

Partner Dessislava Savova says...

"This will be the year of strategic engagement in leveraging tech regulations in Europe. Part of the challenge will be to adopt a truly holistic approach. The winners will be those who embrace the new paradigm and make it an inherent part of their strategy, business model and brand reputation."

Partner Ling Ho says...

"We will see off-chain contracts playing a bigger role when it comes to the exploitation of digital assets – particularly with NFTs where rights of ownership and licensing of intellectual property are key considerations that have to be agreed between contracting parties."

Read Tech Trends 2023 Part 2: Tech markets and supply chains

We look at the industrial metaverse, net zero tech, semiconductors, gaming and esports, space tech, tech M&A, digital infrastructure, digital capital markets and more.

Explore

Clifford Chance