Clifford Chance
Tech Policy Unit Horizon Scanner
April 2021
Welcome to our Tech Policy Unit Horizon Scanner. It is our monthly dive into the key tech policy and legislative developments around the world.
This month in tech, it's been a song of ice and fire. British OneWeb and Elon Musk's SpaceX are circling the Arctic with satellites as they compete to capture lucrative Internet contracts in one of the world's final frontiers for connectivity. Meanwhile, a fire at a Japanese chip plant has intensified the global shortage in semiconductors. The disruption reinforces US concerns about foreign dependence in microelectronics, a focal point of the National Security Commission on AI. Americans are anxious to bolster their domestic resilience for when the chips are down.
But for now, sit down and switch in to your monthly Horizon Scanner with tech news from around the globe.
In this edition, we put our finger on the problem with biometrics. Facial geometry and fingerprints are easy to capture, hard to change and profoundly personal. That's why consumers in Illinois are facing off against TikTok and Facebook, with more fights to come.
Sticking with privacy, new regimes are blossoming from Abu Dhabi to Virginia and everywhere in between. We dive in on forthcoming GDPR-style rules in South Africa, to make sure you know your IOs from your DPOs.
In China, regulators are taking a hard look at asterisks. There's only so many fields you can require users to fill before allowing them into your app, according to new guidance. The approach might mean reducing burdens on consumers at the expense of constraining app design.
And finally, Christine Lagarde all but confirms ECB plans to start work on a digital Euro, adding a few asterisks of her own: a final decision won't be taken until mid-2021, and the project will last four years. But if those points were meant to limit our excitement, then no one told Mme Lagarde: her joyous interview with Bloomberg is a highlight.
.................................................................................................................................
Africa
Privacy in South Africa: Gather your cookies while you may, another GDPR is about to land
When the EU adopted GDPR in 2016, it had spillover effects far beyond its borders, as companies globally began complying to retain their European customer base. Since then we have seen a legislative spillover, in which governments globally have emulated GDPR in their own statute books. Regimes in California, Brazil, and India owe much of their DNA to the EU framework - and you can now add South Africa to that list.
South Africa's Protection of Personal Information Act (POPIA) will take effect on 1 July 2021. Under its rules, data subjects gain a familiar set of rights: the right to be notified of a data breach, the right to access data held on your file, and the right to have your data corrected or forgotten. Consent requirements will mean that if South Africans aren't already acquainted with cookie banners, they're about to be.
Like GDPR, POPIA requires organisations to nominate an officer as the point of contact with the local regulator. But here there is an important nuance: where 'data protection officers' under GDPR must remain independent from the organisation, 'information officers' under POPIA are directly responsible for ensuring compliance. In another key departure, organisations must obtain prior authorisation from the regulator before processing certain kinds of data. Authorisation requirements under GDPR, by contrast, are rare.
Americas
Biometric data in Illinois: Why consumers are getting touchy about fingerprint and face recognition data
In the hierarchy of data, biometrics are in a field of their own. Credit card numbers and passwords can be replaced, but fingerprints, irises and facial geometry are both immutable and intrinsic to our identity. For those reasons, complaints over the processing of biometric data are on the rise.
Take Illinois, for instance, where a federal judge will soon decide on a biometrics dispute between TikTok's parent company, ByteDance Ltd, and up to 89 million members in a class action. Consumers allege that TikTok deploys facial recognition algorithms to assess users' race, gender and age, in order to build profiles for ad targeting purposes. As we discuss in our Talking Tech article, that may fall foul of biometric privacy legislation from Illinois, California and further afield. A settlement agreement has been drafted: if approved, the $92 million payout will pale in comparison to the $650 million award against Facebook on similar grounds in February. The fight over biometrics is heating up.
In other privacy news, Virginia has passed the Consumer Data Protection Act, taking inspiration from principles in GDPR and the California Consumer Privacy Act. Expect to see other states follow suit in 2021. You can read our summary here.
Antitrust in the US: Congress eyes the Australian model for tech-media bargaining
Antitrust legislative proposals continue to be a key focus in the United States. Federal legislators recently introduced a bill to facilitate negotiations between media groups and major platforms, such as Facebook and Google. The proposed legislation, which has bipartisan support, would allow collective bargaining by news organisations and would provide a four-year exemption from antitrust laws for such arrangements. In their deliberations, members of Congress have drawn explicit analogies with Australia's News Media Bargaining Code, though US legislators have given the 'baseball arbitration' provisions a wide berth - see our previous edition for more.
The chair of the House Antitrust Subcommittee also plans to introduce a series of bills advancing recommendations from the Investigation of Competition in Digital Markets Majority House Report, released last autumn.
Cybersecurity in the US: The Microsoft Exchange Server hack is the second major recent scare
In early March, Microsoft announced that its Exchange Server software (linked with its Outlook email application) had been compromised. Hackers were able to install ransomware akin to the 2017 Wannacry bug, and add backdoors to enable access to the server even after the initial vulnerability had been patched. An estimated 250,000 companies have been affected.
The attack comes on the heels of the SolarWinds attack, reported in December 2020, in which hackers gained access to servers used by the US government, NATO, and the European Parliament. At the time, Microsoft argued that a more effective US and global cybersecurity strategy was needed. Among other things, it called upon the US government to refuse legal immunities to foreign private actors like the NSO Group, alleged to have facilitated a spyware attack on WhatsApp in 2019. Now with two major incidents hitting headlines since his election, the pressure on President Biden to pursue cybersecurity reform is growing.
The phenomenon has not been limited to the US, with ransomware attacks reportedly rising 200% in the UK last year. For information on the risks posed by server attacks, and data breach notification obligations that may flow from these, review our article.
APAC
Privacy in China: Apps face new limits on which personal information fields get 'asterisked'
Chinese regulators have issued binding guidance for app operators on data gathering. The guidance defines the scope of 'necessary personal information' across 39 categories of apps, ranging from instant messaging to fitness, to ride-hailing and beyond. While apps may continue to ask for a wide range of personal information, they are limited in the data they can require: that means fewer asterisks for required fields on your next registration.
For example, the guidance allows second-hand car sale apps to require a seller to provide her name, license and vehicle ID number as preconditions to access. By contrast, they cannot deny her use of the app if she refuses to provide her sex or location. If the app asks for such information at user registration, those fields must not bear an asterisk.
This exhaustive classification of necessary data points seeks to provide legal certainty, but may prove to be a straitjacket for the market. A dating app may have legitimate grounds for requiring verified personal information to prevent catfishing and promote trust in the service. But under the new guidance, coming into effect from 1 May 2021, only sex, age and relationship status may be required by such apps. For some aspiring entrepreneurs, these rules might get in the way.
Antitrust in China: Regulators are taking a closer look at domestic tech giants
A Wall Street Journal report indicates that China's antitrust regulators are contemplating issuing their largest ever fine against ecommerce marketplace Alibaba. The tech giant has already faced criticism for its 'choose one of two' policy, whereby it penalises third party retailers for selling their products on platforms other than Alibaba (discussed in our January edition). Regulators may put an end to that practice, in addition to issuing a fine of over $975 million, the report suggests.
Meanwhile, Alibaba's rival Tencent has also been in conversation with China's antitrust regulators. Here the concern relates to the company's acquisition practices: Tencent reportedly spent $12 billion on investments in 163 start-ups last year. It has already faced a penalty for its failure to notify regulators of an investment in an online tutoring platform in 2018. Now there may be more fines to come.
Europe
Digital currency in the EU: The movement for a digital Euro is gathering steam
In late March, the European Central Bank (ECB) presented findings from a public consultation on introducing a central bank digital currency (CBDC), also known as the digital Euro. The audience consisted exclusively of Eurozone deputy finance ministers, and the results will not be made public until mid-April.
In principle, the ECB will not decide whether to proceed with a digital Euro until mid-2021. Yet all the signs point in the direction of a spirited adoption. One such sign is the palpable enthusiasm written on the face of the ECB President, Christine Lagarde, while discussing the digital Euro's prospects in an interview with Bloomberg. Her cautions that the digital currency may take up to four years to be deployed sound like an attempt to contain her own excitement, as much as anyone else's.
And once again, how do CBDCs work exactly? Money in the real economy consists of credit claims on commercial banks: your account balance is the debt owed to you by the bank. That debt is not risk-free: there is a possibility that the bank will go bust before you can realise your claim. Under a fully fledged CBDC model, it would be as if individuals held 'accounts' directly with a central bank, making their balance as near as possible to risk-free. 'Accounts' would be a misnomer, however, since digital currency holders would be in the same position as holders of paper banknotes, owning a direct claim on the central bank of issue. Transfers of CBDCs could also occur in real time, consigning overnight interbank settlement of credit claims (and associated risks) to the annals of history. That's the utopian vision anyway: for more details, and some shortcomings in the CBDC concept, see Simon Gleeson's magisterial primer.
Regulation in the EU: Commission leaders continue their roadshow for the Digital Services Act package
The Digital Markets Act (DMA) and Digital Services Act (DSA) will bring once-in-a-generation regulatory change to the tech sector, rewriting the rulebook on everything from content moderation to merger control. That has left some legislators with butterflies in their stomachs, prompting the European Commission to go on the offensive. The leading proponents of the package, Executive Vice President Margrethe Vestager and European Commissioner for the Internal Market Thierry Breton, are campaigning to win the hearts and minds of Europeans.
Commissioner Vestager appeared before Members of the European Parliament's Industry Committee in early March. She fielded questions from MEPs on topics including core messenger services and interoperability, the role of meta data and algorithms, the interaction between the DMA and competition policy, and lobbying by US tech interests. A complete note of the discussion is available upon request.
In late March, European Commissioner for the Internal Market Thierry Breton took to LinkedIn to post the first of a series of articles entitled: 'DSA/DMA Myths – What is the EU digital regulation really about?' The purpose of the series is to forestall the spread of 'a number of incorrect claims' about the package. His first article takes aim at the 'myth' that the DMA will stifle development of innovative tech companies.
For a refresher on the DSA/DMA, consult our briefing.
Tax in the EU: The Commission is preparing a unilateral digital levy
In late March, leaders of the 27 EU Member States adopted conclusions reaffirming their backing of the European Commission proposal for a digital levy before the end of June 2021, to be introduced by 1 January 2023 at the latest. However, the conclusions also stated that the EU has a 'strong preference for and commitment to a global solution on international digital taxation' through the OECD.
Six member states have already introduced domestic digital services taxes, with five more intending to do so.
Cyber in the UK: The Government has published a sprawling foreign policy and defence review
On the occasion of the release of the Integrated Review of Security, Defence, Development and Foreign Policy, Boris Johnson described it as the 'the largest review of its kind since the end of the Cold War'. The Review certainly leaves the eighties far behind, weighing in on major modern technology questions including the UK strategy on cybersecurity. That section of the Review flags two major policy limbs: the Government will not only build resilience to cyber-attacks through public-private collaboration, but will also deploy cyber offensives to deter threats.
For more detail on the Review, consult our Talking Tech article.
Middle East
Privacy in the UAE: The financial free zone in Abu Dhabi has embraced GDPR-style privacy rules
The Abu Dhabi Global Market, a specialist financial free zone in Abu Dhabi, has adopted privacy regulations reminiscent of GDPR. Data subjects will have rights to access, correct and destroy personal data. There are also obligations on data controllers to keep personal data secure from attacks.
Along with our stories above on South Africa and Virginia, this adoption speaks to a global shift in market standards for privacy regulation. At a local level, it follows a similar move by the other large Emirati financial free zone, the Dubai International Finance Centre, last year.
.................................................................................................................................
Why not subscribe to future editions of the round-up.
This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.