Skip to main content

Clifford Chance

Clifford Chance
Tech<br />

Tech

Talking Tech

Tech Policy Horizon Scanner

December 2022

Data Privacy Cyber Security Artificial Intelligence 23 December 2022

As we say good-bye to 2022, it's also been a month of farewells and reunions in the world of tech. Oh, and wish us luck on the big project we have in the works – email's below.

Following a Twitter poll, Elon Musk has announced that he will step aside as Twitter CEO once a successor has been found. Mr. Musk isn't the only person on the way out. This month we bid goodbye to the Czech presidency of the EU Council, which has had a particularly active month, among other things, closing off its positions on the AI Act, issuing a fresh compromise text of the Data Act and ending with a European Declaration on Digital Rights and Principles. Czech them out.

The incoming Swedish presidency has published the priorities for its six-month Presidency of the EU which begins on 1 January 2023. The tech policy work being prioritised include the Artificial Intelligence Act, the European Data Strategy and the Data Act. Sweden will also seek to advance the negotiations in the Council on the Cyber Resilience Act and to continue negotiations with the European Parliament on the ePrivacy Regulation.

This month we're scratching the final country off our GDPR implementation map, as Slovenia becomes the final Member State to enact its GDPR data protection law. It seems that in Ljubljana, privacy law is best served four years cold.

The EU and the US could see their data flows reunited after the Commission announced its draft adequacy decision. Rest assured, a certain Austrian privacy activist already has his sights set on a challenge. The UK's Online Safety Bill is also back in the House of Commons with a few minor (OK, actually quite major) adjustments.

As we head into 2023, leaving behind a year full of Twitter takeovers, AI chat bots and record-breaking privacy enforcement action, what can we expect from the year ahead?

Aside from Japanese billionaire, Yusaku Maezawa's artist-packed SpaceX flight, here's what else is taking off in the near future.

The UK plans to develop a new a new legislative framework to allow for the wider rollout of autonomous vehicles (AVs) on UK roads by 2025. The Australian Government is currently reviewing a report on privacy law reform, and we can expect it announce any plans for a new privacy regime in the coming few months. The US's AI Blueprint could turn into concrete legislation. In the absence of action on a federal privacy law, US states, such as New Jersey, will continue to push forward with their own privacy laws (don't worry, we've already got an order in with the printers for another scratch-off map).

Lastly, we thought we'd share this, which has just hit our inboxes. We've redacted the name of the partner who sent this, for obvious reasons.

            [Confidential – CC internal fax distribution only]

            To: [Redacted]

            Subject: All I want for Christmas

Hi all,

It’s probably a bit too late for this year, but we might consider a briefing aimed at ChristmasX (unlisted - appears to be privately owned with a super opaque structure), a global logistical operation that swings into action at this time of year.

This Chairman and CEO led company is notoriously secretive - probably party due to several significant legal risks, not least in the employment and Data Protection space - that they appear to be running.

I suggest a briefing that covers:

- the employment issues raised by employment of Elves. Potentially Modern Slavery Act issues. Do they have employer’s liability insurance?

- Are they GDPR compliant? They appear to hold the personal details of about 1.1bn children, and it’s not clear if they are compliant with purpose limitation, data minimisation, etc.

- Clear product liability issues. IP issues producing exact replicas of popular toys.

- Are they completely avoiding WTO/GATS, customs obligations?

- The Company, Chairman and CEO, and senior elf-secutives do not appear to be declaring any earnings. BEPS??

I am scratching the surface here but this is potentially a massive client. They clearly have a very bullish appetite for risk, but a public thought leadership piece next year might be a good way to get on their reindeer-dar.

Happy to discuss,

[A very senior partner at Clifford Chance, name redacted]

We all wish you, your families and loved ones a safe, healthy and happy time over the festive holidays and a very happy 2023!

CHINA

Government issues regulations on synthetic media

The Ministry of Industry and Information Technology (MIIT) has issued the Internet Information Service Deep Synthesis Management Regulations, regarding the application of AI-aided deep synthesis technology used in the generation of text, speech synthesis, deep fakes and virtual reality. The Regulations will require, among other things, certain service and technology providers to: (i) adopt measures to ensure the security of training data; (ii) conduct regular reviews of algorithms; (iii) seek consent from information subjects; and (iv) conduct security assessments before generating or editing biometric data. Where synthetic media technology involves public opinion or impacts society, service providers will be required to register their algorithms. The Regulations are due to be effective from January 10, 2023.

Shanghai government issues new autonomous vehicle testing rules

The Shanghai legislative assembly has reportedly (article in Chinese) passed a regulation to promote the innovation of driverless, smart-connected vehicles. The regulation applies to the Pudong New Area. Participants will need to: (i) obtain regulatory confirmation of compliance with safety requirements; and (ii) connect to designated data platforms and transmit data to a municipal data platform in real time. The rules warn those that violate any personal information or security laws could have their testing activities suspended. The rules will take effect on February 1, 2023.

REST OF APAC

Malaysia: Securities Commission to release new technology risk framework

The Securities Commission Malaysia (SC) intends to release a new regulatory framework on technology risk management in early 2023. The framework will be designed to improve management of technology risks by capital market entities and is part of the SC’s commitment to enhance governance and oversight of technology risks in capital market entities while further strengthening their technological resilience.

South Korea: New Digital Partnership with the EU

EU and South Korea have signed a Digital Partnership Agreement that seeks to establish joint digital trade rules and interoperability between digital systems in the two countries. The Agreement highlights AI as one of its key focus areas, with an aim to: (i) share information on laws and systems aimed at realising trustworthy AI; (ii) discuss their respective definitions, use cases, high risk AI applications and response measures; and (iii) facilitate cooperation to coordinate their positions on AI governance, e.g., in GPAI and OECD, as well as international standardisation bodies.

Japan: Digital Partnership with UK

The Ministry of Internal Affairs and Communications, the Ministry of Economy, Trade and Industry, and the Digital Agency of Japan and the Department for Digital, Culture, Media and Sport of the UK have established a Digital Partnership. The Partnership includes a focus on AI, with the parties agreeing to work closely to support trustworthy, human-centric and responsible development and application of AI. In particular, the parties have agreed to: (i) deepen collaboration in multilateral fora, such as the OECD; (ii) exchange information on their progress in implementing the G20 and OECD AI principles; (iii) explore opportunities for AI standards collaboration; and (iv) share information to improve AI policies.

EU

EU: EU publishes draft adequacy decision for the US

On 13 December 2022, the European Commission published a draft adequacy decision, paving the way for the new EU-US Data Privacy Framework which will enable transatlantic data transfers. The previous regimes, Safe Harbour and the Privacy Shield, were both struck down by the Court of Justice of the EU.

The Commission's draft decision follows an agreement in principle announced by President Biden and President von der Leyen in March 2022 following months of negotiations. The US implemented the agreement in principle via an Executive Order signed on 7 October 2022, and via regulations issued by US Attorney General Merrick Garland.

The draft adequacy decision runs to 58 pages and concludes that the United States ensures an adequate level of protection for personal data transferred from the EU to US companies. US companies must commit to comply with a set of obligations, including to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties. EU citizens will benefit from several redress avenues, including free of charge before independent dispute resolution mechanisms and an arbitration panel.

The draft decision has been transmitted to the European Data Protection Board (EDPB) for an opinion. It must then be approved by a committee of EU member states before final adoption, and the European Parliament has a right of scrutiny. The process is expected to conclude in the summer of 2023 and a new legal challenge is likely.

EU: Ombudsman recommends that European Commission monitor Irish DPC's Big Tech cases

Following a ten-month inquiry, the EU Ombudsman, Dr Emily O’Reilly, has recommended that the European Commission monitor the progress of every Big Tech case that the Irish Data Protection Commission (DPC) is responsible for. The EU Ombudsman issued its decision following a complaint received by the Irish Council for Civil Liberties’ (ICCL) against the European Commission for its failure to adequately monitor Ireland’s application of the General Data Protection Regulation (GDPR). Ireland is considered to play a special role in the implementation of the GDPR because it hosts most of the big tech companies in the European Union including Google, Meta, Apple, and Microsoft and the Irish DPC is the lead supervisory authority for these companies. The ICCL has argued that the application of the GDPR in Ireland is inadequate. The inquiry revealed that the European Commission does examine a regular case overview from the Irish DPC and this was considered by the Ombudsman to be "appropriate and in line with good administration". She considered, however, that a number of technical improvements could be made.

Slovenia: National Assembly adopts Personal Data Protection Act

Slovenia's National Assembly has adopted the Personal Data Protection Act, which implements the GDPR into Slovenian law, making it the final EU Member State to do so. Though the GDPR is directly effective in each EU Member State, it permits Member States to derogate in several important areas. EU members were supposed to implement the GDPR by mid-2018, and the European Commission has alerted Slovenia of its failure to do so several times.

UK

Chancellor's vision for 21st Century Silicon Valleys in the UK - industry experts appointed

On the 18 December it was announced here that, as part of the Government's Pro-Innovation Regulation of Technologies Project, five leading experts have been appointed to accelerate the development and deployment of emerging tech within the UK. It is the second in a series of the Government's big growth announcements. The Chancellor's vision is to create the Silicon Valleys of the 21st Century. The experts appointed will work together with industry and Sir Patrick Vallance to advise on new rules that use the UK's regulatory freedom to promote innovation.

The Chancellor and Business Secretary have chosen five specific areas as potential growth sectors: digital technology, green industries, life sciences, advanced manufacture, and the creative industries, and plan to pursue their ambitions using the UK's post-Brexit regulatory freedom. Existing rules will be reviewed to develop a pro-innovation approach to regulation with the aim to make the UK a science superpower and world leader in the selected key growth sectors.

The experts will support Sir Patrick Vallance in working with industry to identify barriers to innovation and getting emerging technologies to market. In relation to digital technology, including artificial intelligence, the Government has appointed Matt Clifford, Chair of the new Advanced Research and Invention Agency (ARIA), and Priya Lakhani OBE, a member of the AI Council.

Government releases new National Cyber Strategy 2022 policy paper

One year after its initial announcement on 15 December 2021, the UK Government published its new National Cyber Strategy which sets out how the UK aims to solidify its position as a leading responsible and democratic cyber power by 2030.

In the latest paper, the UK Government said it has committed to spend £22 billion on research and development, and to put technology at the heart of our plans for national security. There are five pillars to the strategy.

·         Pillar 1: Strengthening the UK cyber ecosystem.

·         Pillar 2: Building a cyber resilient and prosperous digital UK

·         Pillar 3: Taking the lead in the technologies vital to cyber power

·         Pillar 4: Advancing UK global leadership and influence

·         Pillar 5: Detecting, disrupting and deterring our adversaries to enhance UK security in and through cyberspace

The proposals in the paper include strengthening the structures, partnerships and networks to support a whole-of-society approach to cyber. This would mean establishing a new senior National Cyber Advisory Board to facilitate an inclusive and strategic national cyber dialogue between government, academia and industry, as well as working with regional Cyber Clusters, innovation centres and Cyber Resilience Centres to create an integrated network across the UK from government level to local businesses. More technical proposals include adopting the National Cyber Security Centre's Cyber Assessment Framework (CAF) as the assurance framework for all government departments, and critical systems and common suppliers. As you may recall, the National Cyber Force (NCF) was set up last year pursuant to the strategy. The new strategy proposes scaling up the NCF to integrate it with GCHQ, Ministry of Defence, SIS and Dstl. The Government will provide more legal tools and powers in law enforcement by reviewing the Computer Misuse Act (CMA) and amending

MIDDLE EAST

DIFC Courts announces world’s first International Digital Economy Court

The Dubai International Financial Centre (DIFC) Courts have announced the launch of a new set of specialised rules for its recently formed Digital Economy Court (DEC) Division including the launch of the world’s first International Digital Economy Court.

AMERICAS

US Senators continue to push for action on children's privacy

U.S. Senators, Ed Markey, D-Mass., Bill Cassidy, R-La., Cynthia Lummis, R-Wyo., and Richard Blumenthal, D-Conn, wrote to Congressional leadership calling for action on children's privacy. The Senators urged Congress to accelerate its efforts to protect children and teenagers online. Against this backdrop, the Californian Age-Appropriate Design Code is being challenged by industry groups.

Government issues statement on tech cooperation with EU

The US and EU have issued a joint-statement, following the third Ministerial Meeting of the Trade and Technology Council. The statement, among other things, announces a new Joint Roadmap on Evaluation and Measurement Tools for Trustworthy AI and Risk Management. The Roadmap is designed to align the EU and US' risk-based approach to regulating AI systems. Furthermore, the Roadmap outlines the parties' intention to: (i) share terminologies and taxonomies; (ii) cooperate on international standards and tools; and (iii) work together to monitor and measure AI risk.

Federal omnibus spending bill omits major antitrust and privacy legislation

On December 22, 2022, the US Senate passed a $1.7 trillion omnibus spending bill. The bill includes several technology measures, including the INFORM Act, which aims to verify the identity of online sellers on virtual marketplaces in order to address retail theft, and a bill requiring the removal of the TikTok app from government devices. From a technology policy perspective, however, what may be most notable is what the legislation did not contain. Left out from the bill were two pieces of antitrust legislation that received substantial attention throughout this legislative term: the Open Apps Market Act, intended to "promote competition and reduce gatekeeper power in the app economy" through rules prohibiting certain restrictions on app distribution, and the American Innovation and Choice Online Act, regulating the conduct of certain online platforms and preventing certain means of "self-preferencing." Also not included were several privacy bills being considered by the legislature, including a comprehensive privacy law (the American Data Privacy and Protection Act) and two bills intended to protect children's privacy online (the Kids Online Safety Act and the Children's Online Privacy Protection Rule 2.0).  Advocates in and out of Congress continue to urge action on these bills before the legislative session ends on January 3, after which a new Congress may bring different priorities.   

Federal Trade Commission signals continued focus on data protection in 2023

As a federal law continues to stall, the FTC is poised to continue playing a major role in data protection enforcement and regulation in 2023.  In a rare media interview, director of the FTC's bureau of consumer protection warned that the agency is "not afraid to take companies to court" for unfair practices related to consumer data.  Meanwhile, the agency continues to mull proposed rules on commercial surveillance and data security, as it sifts through the mountain of comments received in recent months.

States push forward with data protection legislation in the absence of federal action

2023 will likely see states continue to press forward with their own data protection legislation as long as federal action remains absent.  Following the lead of California's Age-Appropriate Design Code Act (a bill modeled after the UK law aimed at protecting children's privacy online), New Jersey introduced its own children's privacy law proposal on December 5.  The bill would create a state Children's Data Protection Commission, along with requiring companies that operate in the state to conduct data protection impact assessments before launching products aimed at children.  Meanwhile, note that California, Virginia, Colorado, Connecticut, and Utah have established a blueprint for comprehensive state privacy laws, it is a sure bet that states that came close to passing such laws in 2022 will try again in 2023. 

AFRICA

Nigeria: Advertising regulator targets comedians and influencers

The Advertising Regulatory Council of Nigeria (ARCON) has reportedly said that most adverts by comedians, influencers and bloggers are illegal under the Nigerian code of Advertising Practice. According to ARCON it had received complaints about adverts made by aforementioned groups, claiming that they were unethical or even a source of misinformation. In a statement made by ARCON's Director General, the regulator stated that these groups will be required to obtain pre-exposure approval of all adverts.

Nigeria: Government to tax cryptocurrencies

The Nigerian Government has announced that, as part of the Finance Bill 2022, the country's taxable asset perimeter will be expanded to include capital gains from cryptocurrency.

Guinea: Orange opens Digital Centre

Orange, in partnership with the German Development Corporation, has opened its 13th Digital Centre in Conakry, Guinea. The Digital Centre includes a coding school, manufacturing workshop and an Orange Fab start-up accelerator, supported by the company's start-up investment fund. The company has stated that it will use the centre to train students for free and roll out programmes with universities in the surrounding region.

Aside from the latest centre in Guinea, Orange has established Digital Centres in Tunisia, Senegal, Ethiopia, Mali, Côte d’Ivoire, Cameroon, Egypt, Jordan, Madagascar, Morocco, Liberia, and Botswana.

Egypt: Vodacom Group completes purchase of 55% stake in Vodafone Egypt

Vodacom Group has completed its purchase of a 55% stake in Vodafone Egypt from its parent company, Vodafone Group. The purchase, financed by a mix of Vodacom Group shares and cash consideration, also increases Vodafone Group's shareholding in Vodacom. The deal, which was announced in November 2021, is expected to consolidate Vodacom's position as key player in the African telecom market.

Namibia: Cabinet approves 5G deployment

This month the Namibian Cabinet approved the deployment of 5G technology. This arrives after a two-year project, tasking the Ministry of Environment, Forestry and Tourism to conduct a strategic environmental assessment of the introduction of 5G in the country in 2020. The development means that Namibia could soon become one of the growing number of countries in the region to have a 5G network, joining Zambia (whose rollout of 5G has been ramping up in recent months), Kenya, Tanzania, South Africa, Nigeria and Botswana. Namibia’s biggest mobile operator, Mobile Telecommunications (MTC) Limited, recently highlighted its readiness to deploy 5G services, having already upgraded its network infrastructure to ensure that its network is ready to deploy 5G technology.

South Africa: Equinix to Enter South Africa with US$160m Data Centre in Johannesburg

Equinix, Inc. (a digital infrastructure company) has announced plans to enter the South African market with a US$160 million data centre investment in Johannesburg that supplements its current presence in Africa in Nigeria, Ghana and Côte d'Ivoire. The new data centre is expected to open mid-2024 and the investment is expected to give both South African businesses the opportunity to expand internationally and global businesses to expand into South Africa. Infrastructure will primarily be developed by adopting hybrid multi-cloud architectures and interconnecting with business partners through the Platform Equinix ecosystem of more than 10,000 customers. The data centre will use sustainable and reliable sources of energy and feature many unique sustainable attributes including hyper-efficient cooling with outside air economization using minimal water.