Tech Policy Unit Horizon Scanner
May 2022
May appears to have been a painful month for cryptocurrency holders – the price of cryptocurrencies such as Bitcoin and Ether continue to drop, and the collapse of the luna cryptocurrency and its associated terraUSD stablecoin saw a $40bn loss in value for investors. Despite this turmoil, it's been a landmark month for crypto assets in terms of legal protection. Courts in the UK and Shanghai declared that NFTs and bitcoin, respectively, can be classified as legal property, and are likely to have far-reaching implications for crypto asset holders in the future.
In the UAE, government authorities have continued to develop the crypto asset market, licensing its first global crypto exchange to offer Bitcoin trading directly in dirhams, along with the announcement of the entry of the UAE Virtual Assets Regulatory Authority into the Metaverse. The Nigerian securities regulator also published a rulebook governing the issuing of digital assets, aiming to provide a regulatory framework for the booming digital asset market.
In the cybersecurity space, EU bodies reached a provisional agreement on the NIS2 Directive, which will set out baseline cybersecurity risk management requirements and reporting obligations across applicable sectors, replacing the EU Network and Information Security Directive. Japan also passed an economic security bill aimed at guarding sensitive technology and critical supply chains.
In the US, two bills were introduced by senators that aim to regulate big tech – the Competition and Transparency in Digital Advertising Act, which seeks to break up digital advertising monopolies – and the Digital Platform Commission Act, which would set up a federal agency to regulate digital platforms. The EU continues to progress the Digital Markets Act, writing a letter in response to the Irish Council of Civil Liberties to settle privacy concerns in relation to the proposed legislation.
As part of the EU's Digital Strategy, the Data Governance Act has been adopted by the Council and will soon come into force, covering matters such as access to public sector data and data shared by intermediary services. The European Data Protection Supervisor and the European Data Protection Board adopted a joint opinion on the proposed EU Data Act, raising privacy concerns on the legislation. The European Commission also revealed a proposed regulation that would require digital companies to find, report and remove online child sexual abuse material circulating on their platforms.
The UK Government announced several bills in the Queen's speech that would bring about substantial tech policy reform – among them being a Data Reform Bill, that would introduce significant changes to the data protection regime in the UK.
Large fines imposed for breaches of data protection regulations continue – the Spanish data protection authority announced its biggest fine ever of EUR 10m to Google for breaches of GDPR, and the UK ICO fined Clearview AI GBP 7.5M for various UK GDPR breaches. Meta and one of its subcontractors are also being sued in Kenya for claims of labour exploitation and poor working conditions.
China
Shanghai High People's Court Declares Bitcoin as Virtual Property
In a landmark ruling, the Shanghai High People’s Court declared that bitcoin qualifies as a virtual asset protected by Chinese law, despite the ban on cryptocurrency trading in China. The court’s official Wechat channel posted a notice stating: "the People's Court has formed a unified opinion on the legal position of bitcoin, and identified it as a virtual property". The court further explained that bitcoin “has a certain economic value and conforms to the property’s attributes, the legal rules of property rights are applied for protection.” The statement marks the first time that a higher court in China has issued a ruling concerning a bitcoin case. Although China is not a jurisdiction which recognises case law in general, such judgement may still help confirm that in Chinese judicial proceedings, economic value of virtual assets, regardless of its regulated status, will still be taken into consideration. consideration.
APAC (excluding China)
Japan Passes Economic Security Bill to Guard Sensitive Technology
Japan's parliament passed an economic security bill aimed at guarding technology and reinforcing critical supply chains, while also imposing tighter oversight of Japanese firms working in sensitive sectors or in critical infrastructure. The bill will be implemented over two years once enacted. It will give Japan's government the ability to order companies to notify the government of software updates, and to vet equipment procurement in 14 industries, including energy, water supply, information technology, finance and transportation. The legislation also provides subsidies for companies to help them strengthen supply chains against disruption, such as shortages of components shipped from overseas. It further establishes a system for government officials to make on-site inspections at firms.
Europe
European Parliament and Council reach a political agreement on new rules on cybersecurity of network and information systems
The European Parliament and the Council of the EU announced that they have reached a provisional agreement on the NIS2 Directive, which will replace the EU Network and Information Security Directive. The proposed NIS2 Directive sets out baseline cybersecurity risk management requirements and reporting obligations across applicable sectors, including transport and digital infrastructure, and strengthens enforcement powers. Proposed provisions include a requirement to make an initial notification to a competent authority or Computer Security Incident Response Team within 24 hours upon becoming aware of a cyber incident. Once signed into law, organisations will have a 21-month implementation period to ensure compliance.
Council approves Data Governance Act
The Council of the European Union has adopted the Data Governance Act. The provisions in the proposed Act cover matters such as access to public sector data and data shared by intermediary services (organisations which set up commercial arrangements between data holders and data users, but which do not themselves add extra value to the data). The Act will enter into force 20 days after its publication in the Official Journal of the European Union and will become applicable 15 months later.
EDPB-EDPS joint opinion on draft Data Act
The European Data Protection Supervisor and the European Data Protection Board adopted a joint Opinion on the proposed EU Data Act, raising privacy concerns on the legislation. Among other things, the Opinion advises that legislators: (i) limit the use of personal data generated by the use of a product or related services for the purposes of direct marketing or advertising, employee monitoring, credit scoring, health insurance or calculating insurance premiums; (ii) limit the scope of the obligation to make data available to EU bodies in case of "exceptional need"; and (iii) designate national data protection supervisory authorities as coordinating competent authorities.
EU Commission settles privacy concerns relating to the Digital Markets Act
The Irish Council for Civil Liberties, in collaboration with data privacy and competition experts and associations, raised concerns over the wording of Article 5 of the Digital Markets Act (DMA), arguing that it would enable platforms to claim that a single opt-in is enough to serve as basis for multiple data processing purposes. Article 5 of the DMA includes a prohibition for gatekeepers to process individuals' personal data collected via third-party services for the purpose of providing advertising services, unless the individual has been presented with a "specific choice" and provided consent. The letter argued that the wording "specific choice" does not equal specific consent for separate specific purposes, and creates ambiguity that may allow gatekeepers to seek global consent for all advertising operations even if such operations actually contain many different processing purposes.
To address these concerns, the EU Commission responded by stating that the requirements for a freely given, informed, specific and unambiguous consent apply to article 5 of the DMA, in an aim to remove any doubt as to the possibility to circumvent the requirements of the GDPR. Following the Commission's response, the Irish Council for Civil Liberties expressed its approval of such declaration by the Commission.
Spanish data protection authority fines Google EUR 10m for GDPR breaches
The Agencia Española de Protección de Datos (AEPD) has fined Google 10 million euros for EU GDPR violations, its highest fine to date. The AEPD found third-party data sharing by Google with legal database Lumen Project lacked a valid legal basis. The AEPD has ordered Google to amend its procedures and to delete all personal data that it holds related to this contravention. This decision confirms the upward trend in the fines imposed by the AEPD. It is also the first of such fines to be imposed on a data controller established outside the European Economic Area.
European Commission unveils a law against child sexual abuse online
The European Commission has revealed a proposed regulation that would require digital companies to find, report and remove online child sexual abuse material circulating on their platforms. It would apply to providers of information society services offering services in the EU, such as hosting service providers and interpersonal communications service providers like Whatsapp. The European Parliament and the Council will now review and adopt their respective positions on the proposal. Once the final text is adopted, the new regulation would enter into force 20 days following its publication in the Official Journal of the EU and would apply 6 months thereafter.
UK
Queen's speech outlines substantial tech policy reforms
In the Queen's speech on May 10, the UK government announced several bills that will be introduced in the new Parliamentary session. Among them included a new Data Reform Bill, which would create a new data protection framework in the UK, strengthen the ICO's capabilities and enforcement powers, and increase industry participation in data sharing schemes. The government also announced a Financial Services and Markets Bill that supports fintech innovation and improves resilience in technology outsourcing in financial services, and new rules to enable the use of self-driving vehicles on public roads.
In addition, the government confirmed that it will also continue with its plans to stiffen cybersecurity obligated for connected products and make it easier for telecoms providers to improve the UK’s digital infrastructure under its Product Security and Telecommunications Infrastructure Bill, first presented to parliament in November 2021. Another existing piece of draft legislation, the Online Safety Bill, which was tabled earlier this year and envisages new obligations for many online service providers, is also to be progressed.
High Court of Justice rules that NFTs represent "private property"
In a landmark ruling, the High Court of England and Wales has recognised NFTs as property able to be frozen by the courts through an injunction. This decision clarifies that NFTs will be treated the same way as other property in England and Wales, and provides legal protections for NFT owners in relation to legal recourse and remedies. There are far reaching implications of this ruling, including that it empowers NFT holders to seek recourse from the courts where NFTs have been unlawfully removed, suggests that NFTs are taxable, and that they can be held on trust, gifted and much more.
ICO fines Clearview AI more than £7.5m for breaches of UK data protection law
The Information Commissioner’s Office (ICO) announced that it fined Clearview AI approximately £7.5m for breaches of the UK GDPR, including the obligations to process information fairly, transparently and lawfully. Clearview AI used images of people in the UK, and elsewhere, that were collected from the web and social media to create a global online database that could be used for facial recognition. The ICO has also issued an enforcement notice, ordering the company to stop the processing and to delete the data of UK residents from its systems.
Americas
Senator Mike Lee introduces the Competition and Transparency in Digital Advertising Act
On May 19, Senator Mike Lee introduced the Competition and Transparency in Digital Advertising Act. The goal of the bill is to protect competition in digital advertising, and if signed into law, the bill has the potential to dramatically alter the digital advertising space. Senators Amy Klobuchar, Richard Blumenthal and Ted Cruz co-sponsored the bill.
The bill targets big tech companies and seeks to break up alleged monopolies in the digital advertising space. If passed, the bill would prevent companies that process over $20 billion in digital advertising transactions annually, such as Google and Meta, from owning more than one facet of the digital advertising process and would mandate that these companies divest part of their digital advertising business within one year. For example, if the bill passed, these businesses would not be able to own a digital advertising exchange if they also own a demand-side or sell-side platform. According to the bill's summary, the authors of the bill also suggest that Amazon may have to make divestments, and Apple's digital advertising efforts would be stifled.
In addition to targeting companies like Google and Meta, smaller companies (those that process over $5 billion in digital advertising transactions per year) would also be required to follow new rules and obligations. For example, one duty is to act in the best interests of customers on every transaction and to provide transparency about advertising pricing. The proposed legislation also mandates a duty of execution, where the company must seek the most favorable terms reasonably available to a customer for every transaction. The bill also states that if a digital advertising company is allowed to operate on both sides of the market (provided they fall below the $20 billion threshold), firewalls must be put into place to prevent abuses and conflicts of interest. Finally, companies must provide fair access to data for all customers, including details on transactions, exchange processes, and functionality.
Speaking of the bill, Senator Lee stated that "companies like Google and Facebook have been able to exploit their unprecedented troves of detailed user data to obtain vice grip-like control over digital advertising, amassing power on every side of the market and using it to block competition and take advantage of their customers . . . This lack of competition in digital advertising means that monopoly rents are being imposed upon every website that is ad-supported and every company - small, medium, or large - that relies on internet advertising to grow its business. It is essentially a tax on thousands of American businesses, and thus a tax on millions of American consumers."
Senator Michael Bennet introduces the Digital Platform Commission Act
On May 12, Senator Michael Bennet introduced the Digital Platform Commission Act of 2022, which would establish a new federal agency to regulate digital platforms. The proposed federal agency would consist of five Commissioners, including a Chair, who would be authorised to promulgate rules, hold hearings, conduct investigations, and enforce civil penalties against digital platforms that violate the bill.
The bill would also provide additional oversight and regulation to "systemically important digital platforms," as determined by the Commission, based on the platform's size, dominance, and consumer influence. The bill would require any Hart-Scott-Rodino filings to be directed to the Commission for mergers involving these digital platforms. The Commission would be entitled to request additional information from the merging parties and would work alongside the Department of Justice (DOJ) and the Federal Trade Commission (FTC) to determine whether the merger violates federal antitrust laws. Additionally, the bill creates a research office and an eighteen-member Code Council composed of digital platform representatives, industry experts, academics, and individuals from nonprofit public interest groups to establish technical standards, policies, and behavioral codes that govern digital platforms.
Speaking on the bill, Senator Bennet said, "we don't have to choose between letting digital platforms write their own rules, allowing competitors like China and the E.U. to write those rules, or leaving it to politicians in Congress. We should follow the long precedent in American history of empowering an expert body to protect the public interest through common-sense rules and oversight for complex and powerful sectors of the economy."
It should be noted that this bill has no co-sponsors, suggesting it does not have the bipartisan support that other recent antitrust bills have received.
Middle East
Dubai's Virtual Assets Regulatory Authority (VARA) announces its entry into the Metaverse
After announcing the establishment of its Metaverse HQ in 'The Sandbox', Dubai's VARA is the world's first government authority to debut in the Metaverse in an attempt to facilitate collaboration between global Virtual Asset Service Providers (VASPs), industry thought-leaders, and international regulatory authorities. VARA seeks to establish a secure and progressive operating framework for the virtual asset (VA) sector to be scalable whilst maintaining market and investor protection. The VARA MetaHQ reflects the Dubai Government's readiness to establish itself as the world's VA capital and its confidence in the integral part VAs will play in the future digital economy.
According to the Crown Prince of Dubai and Chairman of Dubai Executive Council, H.H. Sheikh Hamdan bin Mohammed bin Rashid Al Maktoum, "VARA represents a serious effort to build a new, powerful economic sector that contributes to the nation's economy and creates new investment opportunities, and this is possible through the safe and modern regulatory solutions we envision", adding that "VARA has been established as a mission-focused regulator, to nurture and safely scale a rapidly decentralising business landscape founded on four cornerstone principles - secure cross-border interoperability, informed investor adoption, market protection prioritisation and responsible industry participation."
UAE welcomes first global crypto exchange licensed to offer Bitcoin trading directly in dirhams
The Abu Dhabi Global Market (ADGM), the international financial centre in the UAE capital of Abu Dhabi, has welcomed Kraken, a cryptocurrency exchange, to its fast-growing virtual asset community and financial ecosystem. Kraken has now become the first global cryptocurrency exchange to receive a financial services permission license to operate a regulated virtual asset exchange platform in the ADGM to service the needs of the Middle East and North Africa region. Kraken will also be the first global virtual assets exchange group in the UAE to offer investors the ability to invest, trade, withdraw and deposit virtual assets – including Bitcoin and Ethereum – directly in local AED currency.
Africa
Nigeria's SEC confirms that all digital assets are securities
The Nigerian securities regulator, The Securities and Exchange Commission of Nigeria (SEC), has announced new rules that govern the issuing of digital assets, such as Bitcoin and NFTs. The 54-page rulebook, “New Rules on Issuance, Offering Platforms and Custody of Digital Assets", aims to provide a regulatory framework for the booming digital asset market. The rules include registration requirements for digital asset players including Digital Asset Offering Platforms (DAOPs), Digital Asset Custodians (DACs), VASPs and Digital Assets Exchange (DAX).
In the rules, the SEC has defined “digital assets” as “a digital token that represents assets such as a debt or equity claim on the issuer” and "securities token offering (STO)” to mean "any offering and sale of digital tokens that are considered securities".
Under the new regulations, individuals or entities looking to raise funds via a private sale of tokens or coin offering must first submit an initial "assessment form and the draft white paper" in which it must provide "complete and current information regarding the initial digital asset offering projects, business plan and feasibility study". The draft document must also briefly describe the initial offering, the value of each token, the use and allocation of funds and the privileges granted to buyers. Once the required documentation is filed, the SEC will review and make a determination which will be communicated to the issuer within five days of concluding the review.
DAOPs looking to operate in the market will be required to pay filing fee equivalent to $241, a processing fee of $724, and a registration fee of $72,430, and have a minimum paid-up capital of $1,210,061. They also will be required to provide a current “Fidelity Bond” covering 25% of the minimum paid-up capital as stipulated by the Commission’s Rules and Regulations.
Meta sued in Kenya for claims of labour exploitation and poor working conditions
A lawsuit has been filed against Meta and its main Nairobi-based content review subcontractor, Sama, for inhumane working conditions. The suit claims that Sama fired content moderator Daniel Motaung after he tried to form an employee union in 2019. Motaung is seeking compensation on behalf of current and former content moderators while asking the court to compel the two companies to stop preventing efforts to form an employee union.
The petition further alleges that workers moderating Facebook posts in Kenya have been subjected to unreasonable working conditions including irregular pay, inadequate mental health support, and violations of their privacy and dignity, all of which violate Kenya's constitution.
Motaung is asking for the companies to provide mental health support for content moderators who spend thousands of hours watching graphic video clips. Sama had previously denied that it subjected employees to a low pay, psychological trauma and an opaque recruitment process. After a Time investigation, Sama published a blog post to claim that its business had "lifted more than 59,000 individuals out of poverty" and went on to increase employee salaries by 30% to 50%. The new minimum salary was around $2.20 per hour, significantly below the industry's global standard.
The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.