Skip to main content

Clifford Chance

Clifford Chance
Tech<br />

Tech

Talking Tech

Tech Policy Horizon Scanner

October 2022

Data Privacy Cyber Security Fintech Artificial Intelligence 31 October 2022

If you’re anything like us, there are few things that say “Halloween” more than the prospect of EU-US data-sharing coming back from the dead. Earlier this month, President Biden signed an Executive Order implementing a new series of measures which could re-animate the EU’s data adequacy decision in relation to the US, hopefully by early 2023. Did the President also personally design the spooky bat-GIF currently adorning the masthead of the whitehouse.gov website? We don’t know, but we like to think so.

In the EU, the Digital Services Act has received the green light for implementation. It will come into force in November (detail below), and become applicable six months after that in May. Will the DSA and DMA come back to haunt the EU? Only time will tell.

In other developments this month, China released 14 new cybersecurity standards covering data security requirements in gait, genetics, voiceprint and face recognition, as well as automobiles. South Korea and Japan have stepped into the metaverse with a firm intention to regulate it, the UK’s parliament has launched an inquiry into the governance of AI and the Dubai Chamber of Digital Economy has launched a training academy for businesses hoping to operate in the metaverse.

Finally, one of our favourite developments this month comes from the Ivory Coast. Cerco, a private company, has apparently developed a “superphone” targeted at illiterate people. 40% of the country’s population is estimated to be illiterate, and the phone is said to feature a voice control system that works in 50 African languages, including 17 spoken in Ivory Coast.

China

China released 14 National Cybersecurity Standards

On 12 October 2022, the National Information Security Standardization Technical Committee published 14 national standards for cyber security, including data security requirements in gait, genetics, voiceprint and face recognition, as well as in automobiles, communications, express delivery, online shopping, etc. These standards will come into force on May 1, 2023.

The Ministry of Justice Clarifies the Rules for Cross-Border Retrieval of Data and Information in Lawsuits

The Ministry of Justice (MOJ) published Frequently Asked Questions about Judicial Assistance in International Civil and Commercial Matters (FAQs), providing a set of guidance on service of judicial documents, investigation and evidence collection, and recognition and enforcement of judgments. In particular, the FAQs clarified the rules for cross-border retrieval of litigation-related data and information including: (1) foreign judicial authorities or individuals cannot directly collect evidence in China or question witnesses in China, but shall go through judicial and diplomatic channels; (2) export of materials located in the PRC shall be subject to the relevant provisions under the PRC Civil Procedure Law, the PRC Data Security Law and the PRC Personal Information Protection Law, i.e., prior  security assessment and certification organised by the competent authorities is required before such export. While the MOJ has set up an online submission system (www.ilcc.online) where foreign parties can directly submit request material online, the FAQs have reaffirmed the importance of complying with data/privacy regulatory requirements for cross-border data transfer in judicial proceedings.

APAC (Excluding China)

South Korea and Japan Announce Metaverse Regulation Plans

South Korea's National Data Policy Committee announced on Sept. 23, 2022, that it would develop regulatory amendments specific to the metaverse (Press Release). The Committee is chaired by South Korean Prime Minister Han Duck-soo and co-administered by the Ministers of Science and ICT and the Minister of Interior and Safety. The announcement focused on the metaverse as an issue that could "lead the success of national competitiveness." The Committee found specifically that the South Korean framework that exists for videogaming was insufficient to deal with metaverse issues.

Earlier this year, Japan announced its creation of a Web 3.0 Policy Office under the Ministry of Economy, Trade and Industry (METI) to formulate metaverse-related policies. The Ministry noted that "as metaverses become new personal interfaces especially among younger generations such as Generation Z, digital spaces and assets could become much more important" and that Web 3.0 entrepreneurs may be departing the country for less-regulated options

Hacker Alert - Australia Updates Law to Protect Data After Optus Hack

The Australian government has announced changes to its telecommunications law to protect vulnerable customers after personal details were stolen in a major cyberattack on the nation’s second-largest wireless carrier. The changes to Telecommunications Regulations allow Optus and other providers to better coordinate with financial institutions and governments to detect and mitigate the risk of cybersecurity incidents, fraud, scams and other malicious cyber activities. The changes would include increased penalties for companies with lax cybersecurity protections and curbs on the quantities and types of customer data that businesses can amass, as well as the duration for which personal information can be kept.

EU

Green light for Digital Services Act

The Digital Services Act ('DSA') was adopted by the EU on 4 October 2022. The DSA will impose new rules on providers of certain intermediary services (e.g., cloud services and online marketplaces). The DSA supplements and enhances existing provisions of EU law under the E-Commerce Directive, which governs the obligations of online intermediaries in relation to the existence of illegal activity on their services. 

The DSA will introduce a ‘notice and action’ reporting procedure for reporting, and a similar procedure for the removal or blocking of access to content. Additionally, provisions have been introduced which aim to limit targeted advertising based on the use of individuals’ sensitive personal data and targeted advertising at children using any of their personal data will also be prohibited. The new legislation will restrict the way platforms can influence user behaviour through the way their interfaces are designed or operate. In-scope businesses will need to (i) conduct annual assessments of systemic risks (e.g. the dissemination of illegal content or disinformation, adverse effects on fundamental rights, on electoral processes and on gender-based violence or mental health) in the EU; (ii) conduct independent audits each year; and (iii) grant authorities access to certain data upon request.

The most stringent rules will apply to businesses that fall into the category of very large platforms, (defined by average active monthly users amounting to about 10% of the EU population) and mandate heightened transparency and accountability requirements. Such platforms will also need to: perform annual risk assessments, implement effective risk mitigation plans, and appoint one or more compliance officers with appropriate qualifications, knowledge, and experience in the field. Auditors must provide their findings in the form of an “opinion” which is categorised as “positive”, “positive with comments” or “negative”. If an audit opinion is not positive, recommendations on specific measures to achieve compliance shall be included. The very large online platforms shall, within one month of receiving such recommendations, adopt an audit implementation report which lays out those measures.

The DSA will now be signed into law. It was published in the Official Journal on 27th October and it will start applying 15 months after publication ― expected to be in January 2024.

Read our articles: The EU Digital Services Act has been published in the Official Journal and The Digital Services Act – What is it and what impact will it have?

UK

Across the Pond - US-UK Data Access Agreement becomes effective

On 3 October 2022, the USA and UK entered into an Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime. Under the Agreement, law enforcement agencies in one country can make requests for certain vital data types from service providers (e.g. telcos) in the other country, without the risk of breaching restrictions on cross-border disclosures. Due to local legal restrictions on US providers sharing their data with foreign governments, investigators were previously forced to make requests via Mutual Legal Assistance Treaties (MLATs), which was a slow, and error-prone process.

The Data Access Agreement (DAA) now aims to facilitate this process through requiring digital service providers to reply to overseas production orders (OPOs) within seven days in order to tighten the prevention, detection, investigation, and prosecution of serious crime (e.g. terrorism, transnational organized crime, and child exploitation). This provides an effective means of streamlining cross-border law enforcement within the boundaries set by privacy and civil liberties laws. The UK Home Office has noted that the DAA will aid the UK considerably given so much online data is held by companies operating within the US where it hasn't been easily accessible. This includes, for example, data held by popular social media platforms and messaging services. It is therefore expected that there will be a considerable rise in OPOs served on US communications service providers by UK authorities due to the vast quantities of US companies holding data of interest to UK law enforcement.

The powers under the DAA are subject to certain conditions however. For example, orders submitted by UK authorities must not target US persons or persons located in the United States (and vice-versa) and must relate to a serious crime. US and UK authorities must also comply with agreed requirements, limitations and conditions when obtaining and using data obtained under the DAA.

Nevertheless, the DAA has been subject to criticism as more legislative attention may be needed to ensure such bilateral agreements are consistent with privacy and legal commitments and avoid undermining rights for third-country persons.

House of Commons committee launches inquiry into the governance of artificial intelligence

The House of Commons Science and Technology Committee has launched an inquiry into the governance of artificial intelligence (AI) and published a call for evidence to the inquiry.

This is against the backdrop of the UK Government's policy paper on regulating the use of AI titled "Establishing a pro-innovation approach to regulating AI". In the paper, the UK Government notes that guidance on AI has already been issued by the Information Commissioner's Office, the Equality and Human Rights Commission, the Medicines and Healthcare products Regulatory Agency and the Health and Safety Executive but there is a lack of clarity on the scope of what AI is and how current rules apply to it, overlaps between different regulatory and legal areas, inconsistencies of regulatory approach between different sectors, and regulatory gaps. The Government then made "light-touch" proposals and plans to set out the core characteristics and capabilities of AI but allow regulators to create more detailed definitions that are appropriate for specific domains or sectors. It has said that it will publish a White Paper for consultation in late 2022 to set out a proposed framework, and its implementation and monitoring.

While the Committee will examine the White Paper in its inquiry, MPs in this instance will explore how risks posed to the public by the improper use of AI should be addressed, and how the government can ensure AI is used in an ethical and responsible way. The Committee is specifically calling for written evidence by 25 November 2022 on the following topics:

  • the effectiveness, strengths and weaknesses of the current governance of AI in the UK, including for research;
  • measures to make the use of AI more transparent and explainable to the public;
  • how decisions involving AI should be reviewed and scrutinised in both public and private sectors;
  • how the use of AI should be regulated and what body or bodies should provide regulatory oversight;
  • the extent to which the legal framework for the use of AI, especially in making decisions, is fit for purpose and whether more legislation or better guidance is required; and
  • how the UK can learn from other countries on AI governance.

Americas

Getting to grips with AI - Biden Administration signs AI training bill into law

On Monday, October 17, President Biden signed into law the Artificial Intelligence Training for the Acquisition Workforce (AI Training) Act, which establishes an artificial intelligence training program for federal procurement officials. The statute is intended to ensure that the procurement workforce has knowledge of the capabilities and risks associated with AI. The AI training program is required to include information relating to the science behind AI, the ways in which AI can benefit the US government, the risks posed by AI (including discrimination and risks to privacy) and future trends in AI, including "trends for homeland and national security and innovation."

Significant Progress on EU-US Data Transfer Mechanism

On 7 October 2022, U.S. President Joe Biden issued an Executive Order entitled "On Enhancing Safeguards for United States Signals Intelligence Activities," a major step towards the Trans-Atlantic Data Privacy Framework, known colloquially as Privacy Shield 2.0 (Press Release).  The Framework would provide a GDPR-compliant mechanism for EU to US transfers of personal data for entities that self-certify compliance with the Framework.  The Executive Order sets out safeguards for personal data processing in the context of US surveillance activities and establishes redress mechanisms for individuals who believe their personal data was processed unlawfully, key points of issue in the Schrems II decision that made the original Privacy Shield invalid as a GDPR-compliant cross-border transfer mechanism.  The ball is now in the European Commission's court, as it commences the adequacy decision process, which will include an opinion by the European Data Protection Board and approval from a majority of EU Member States.  All parties have optimistically targeted the end of Q1 2023 as the date of adoption for an adequacy decision, but whether this aggressive timeline will be met remains to be seen.

See our article: Next steps after U.S. President Biden issues Executive Order on U.S. data transfers from 'qualified states'

House of Representatives approves bill to raise filing fees on large mergers and acquisitions

On Thursday, September 29, the US House passed the Merger Filing Fee Modernization Act, an antitrust package providing US and state authorities with greater resources to pursue litigation and investigations of large mergers and anticompetitive conduct (Press Release). A version of the bill has already passed the Senate, and the White House has issued a statement supporting the House package. The bill would increase the fees that parties to a large merger must pay the US Department of Justice and Federal Trade Commission. Another portion of the bill, the Foreign Merger Subsidy Disclosure Act, requires merging parties to disclose to US antitrust authorities subsidies from certain foreign governments that are deemed "strategic or economic threats" to the US. The final portion of the bill, the State Antitrust Enforcement Venue Act, would give state attorneys general greater choice regarding the jurisdiction in which their antitrust challenges under federal law are brought. The bill was motivated in part to prevent antitrust defendants from having lawsuits transferred to what they believe will be a more favorable jurisdiction, such as when Google successfully moved for a lawsuit brought against it by state attorneys general targeting its digital advertising business from Texas to New York.

Middle East

Yas Island Metaverse expected to be completed in 2023.

People in any part of the world will be able to experience and explore many offerings at the island on leading metaverse platforms after a coalition of key Abu Dhabi entities came together to take Yas Island into the metaverse.

The entities involved in the project – which is the first phase in placing Abu Dhabi in the virtual world – are the Department of Culture and Tourism – Abu Dhabi (DCT Abu Dhabi), Aldar, Miral, twofour54, Abu Dhabi Motorsports Management, Flash Entertainment and Yas Island.

The virtual experiences conceptualised by these businesses will enable users to gather, socialise, play, create, and transact. From building and purchasing digital homes, to discovering cultural attractions, to enjoying theme park adventures, special events, premier golf courses, and a world-class motorsport racing circuit, individuals will be able to experience all that Yas Island has to offer in a digital-first journey.

Ministry of Interior & Al Fardan Exchange launch facial recognition technology to new customers

Al Fardan Exchange L.L.C, the leading money transfer and currency exchange firm which is licensed and regulated by the Central Bank of the United Arab Emirates, has announced a collaboration with the Ministry of Interior (MoI).

The agreement sees the launch of a complete digital KYC journey that uses new-age facial recognition technology to onboard new customers onto Al Fardan Exchange’s recently launched mobile application, AlfaPay.

Al Faradan Exchange strategically aligns with MOI to implement the eKYC, enhanced by MOI’s digital verification face gateway service, to ensure intuitive, accurate and highly secure face matching verification which eventually eliminates the need for new customers to physically visit a branch to complete the process.

Dubai Chamber of Digital Economy launches global competition for digital technologies-based innovative solutions

Dubai Chamber of Digital Economy launched a global competition for advanced digital technologies-based innovative solutions to create a major economic and social impact.

The announcement of the competition, made on the sidelines of GITEX Global 2022, is part of the Chamber’s efforts to attract and support entrepreneurs and tech businesses who are shaping the future of technology and creating a thriving digital economy ecosystem.

The Chamber would be accepting applications very soon and the winners will be announced at its upcoming ‘Expand North Star’ summit in Dubai next year.

Dubai Chamber for Digital Economy launches new training academy to immerse digital startups in metaverse

Dubai Chamber of Digital Economy, one of three chambers operating under Dubai Chambers, in collaboration with the SEE Institute, has launched the “Future of the Digital Economy: Business in the Metaverse” Academy, the first-of-its-kind specialised training programme designed to equip digital startups with practical knowledge and tools they need to build in the metaverse and leverage Web3 to their benefit.

A total of 30 businesses from Dubai and other markets will be selected to join the training academy, which utilises Virtual Reality (VR), Augmented Reality (AR), and Extended reality (XR) technologies to help participants experience and understand the dynamics of business in the metaverse. Upon completion of the programme, participants will benefit from mentorship support in Dubai, and gain access to a free sustainable co-working space, while they will also have the opportunity to share their success stories with an audience at Dubai Chamber of Digital Economy’s biggest events in 2023.

Africa

Nigeria: Start-Up Act Signed into Law, following Tunisia, Kenya, Senegal and Ethiopia.

After being submitted to the Federal Executive Council last year, the Nigerian president Muhammadu Buhari signed the Nigeria Start-up Act into law on 19th October 2022. The bill is designed to create a healthy environment for Nigerian start-ups to launch and scale their business. It also offers some protection against setbacks that have in the past restricted growth, such as bans on cryptocurrencies. This follows Tunisia, Kenya, Senegal and Ethiopia who all launched similar bills in the last couple of years.

The bill hopes to address three main challenges being (i) a lack of enabling environment, (ii) unclear regulatory framework and (iii) inadequate local content support. It also pushes incentives like tax breaks and gives access to funding opportunities, including a N10 billion fund from the federal government.

Egypt: Ericsson plans to expand the operations of its AI analytics and tech innovation activities in Egypt

Celebrating 125 years in the country, Ericsson reaffirmed its commitment to Egypt as part of its mission to support technology innovation advancement in the country. As part of this commitment, Ericsson established and is operating an Artificial Intelligence (AI) Innovation Lab at Sultan Hussein Kamel Palace in collaboration with the Information Technology Industry Development Agency (ITIDA). They announced plans to expand their operations in the AI domain and enhance activities related to technological innovation, robotics, and interaction between robots and humans.

Nigeria: advertising regulator sues Meta for ₦30 billion over loss of revenue and violation of laws

The Advertising Regulatory Council of Nigeria (ARCON) has reportedly commenced proceedings against Meta in the Federal High Court, Abuja Judicial Division. ARCON alleges that Meta has published adverts directed at the Nigerian market on Facebook and Instagram without vetting by ARCON.

ARCON, which vets all adverts published in Nigeria, claims that the Federal Government has lost revenue because of Meta's alleged failure to submit adverts for vetting and is seeking N30bn in remedies.

Nigeria: Draft data protection bill published

The National Information Technology Development Agency (NITDA) released, on 4 October 2022, the draft Data Protection Bill, 2022.

The bill outlines principles and lawful bases for the processing of personal information and includes, among other things, requirements: (i) for Data Protection Impact Assessments (DPIAs); (ii) the appointment of a data protection officers (DPOs); and (iii) for organisations to facilitate data subject rights, including the right to object, withdraw consent, make data portable, and not to be subject to a decision based solely on automated processing of personal data.

Ivory Coast: Cerco develops phone aimed at 40% illiterate population

Cerco, a private company, has reportedly developed a new mobile phone, designed and assembled in Ivory Coast, aimed at the country's estimated 40% illiterate population. The phone features a voice control system that works in 50 African languages, including 17 spoken in Ivory Coast.

In exchange for government tax breaks, Cerco will pay 3.5 percent of its income to the state and train around 1,200 young people each year.

The company hopes to incorporate 1,000 African languages and reach almost a billion people in the future.