Skip to main content

Clifford Chance

Clifford Chance
Tech<br />

Tech

Talking Tech

Tech Policy Horizon Scanner

February 2023

Data Privacy Artificial Intelligence Cyber Security 28 February 2023

Having burst onto the scene last year, Large Language Model (LLM) based AI services like ChatGPT continue to dominate tech news. Companies across sectors are rushing to either integrate it in their services or build rivals.

Microsoft was first out of the gates when it rolled-out ChatGPT based functionality, developed in partnership with OpenAI, in its search engine Bing. It promptly freaked-out a New York Times journalist who had a two-hour conversation where the chatbot started referring to itself as 'Sydney' and that it wanted to be human. The full transcript is here. Within a week of the launch, Microsoft decided to limit the number of chat Q&A's and released a statement addressing some of the issues that users had experienced. Google announced that it was developing a similar tool called 'Bard' and Meta announced that the company was working on AI "experiences" on Messenger and WhatsApp and has launched two chatbots.

The ethical and safety risks as well as economic implications of increasingly powerful AI applications are difficult to overstate. Issues around privacy, online safety, bias and misinformation will continue to be the immediate focus for regulators, but we can expect regulators to start to engage with the implications of much more advanced AI this year. OpenAI is focussed on Artificial General Intelligence (AGI – AI which is generally smarter than humans) and a statement on their latest thinking, serves to preview some of the issues policy makers will have to grapple with.

Highlights this month include our hot-take on the tech aspects of President Biden's State of the Union here and staying in the USA, the Gonzales case in the Supreme Court shone a light on the 1996-vintage section 230 of the Communications Decency Act. We also cover the usual range of developments from around the world – with news from China, Singapore, the UK and EU on online safety, cyber, data transfers and privacy.

We have released our annual tech trends predictions this year – we dive into crisis, the metaverse, fintech, digital assets and more – watch them here.

CHINA

Cyberspace Administration of Shanghai Q&A

On 1 February 2023, the Cyberspace Administration of Shanghai (Shanghai CAC) announced that as of 31 January 2023, a total of 67 business operators covering sectors such as retail, automobiles, finance and pharmaceuticals have officially submitted their applications for security assessment for cross-border data transfers. 35 cases (out of 67 operators) have passed the pro forma check on the completeness of application pack and have been passed on to the Cyberspace Administration of China for further review. 17 applicants are still finalizing the materials under the guidance of Shanghai CAC.

It also published the second round of the practical Q&A on how to apply for security assessment for cross-border data transfers.

APAC (Excluding China)

Singapore: Online Safety Amendments Act enters into force

The Ministry of Communications and Information (MCI) announced, on 31 January 2023, that the Online Safety (Miscellaneous Amendments) Act is now effective from 1 February 2023. The legislation, originally passed in the Singapore Parliament on 9 November 2022, sets out new measures to tackle harmful content on online services accessible to users in Singapore. From now on, the Infocomm Media Development Authority (IMDA) can issue directions to disable users' access to egregious content (topics including suicide, self-harm, physical or sexual violence and terrorism) found on online communication services, issue directions to stop delivering the content to users and issue directions to an internet access service provider to block user access to the Online Communication Services. The IMDA may also designate online communication services with significant reach or impact as Regulated Online Communication Services, which must comply with Codes of Practice. IMDA provided a draft Code of Practice and will implement later in 2023.

Hong Kong: PCPD publishes report on data breach incident regarding Hong Kong Institute of Bankers

The Office of the Privacy Commissioner for Personal Data (PCPD) released an investigation report into a data breach incident relating to the Hong Kong Institute of Bankers (HKIB). HKIB originally lodged a data breach notification reporting that six servers which contained personal data had been attacked by ransomware and maliciously encrypted, and that a hacker had threatened to upload the files in the servers to the internet and demanded a ransom. The personal data of over 13,000 members and about 100,000 non-members had been leaked in the incident. The PCPD considered that the HKIB had not taken all practicable steps to ensure that the personal data was protected from unauthorised or accidental access, processing, erasure, loss or use, thereby contravening the Personal Data (Privacy) Ordinance (PDPO). As a result, the PCPD served an enforcement notice on the HKIB, directing it to remedy and prevent recurrence of the contravention.

EU

GDPR: European Commission aims to streamline cooperation between national data protection authorities

The European Commission is set to publish a proposal for a Regulation in the second quarter of 2023 that will streamline cooperation between national data protection authorities (DPAs) when enforcing the General Data Protection Regulation (GDPR) in cross-border cases. The Regulation is aimed at harmonising "some aspects of the administrative procedure the national DPAs apply in cross-border cases". The Commission argues this will support a "smooth functioning of the GDPR cooperation and dispute resolution mechanisms".

The GDPR was adopted in 2016 and became applicable in 2018.  It introduced the one stop shop rule, where tech companies are overseen by the DPA in the EU country where they are headquartered. Under the one stop shop, Ireland's Data Protection Commission (DPC) has played a central role in the enforcement of the GDPR because companies including Meta, Google and Apple have their European headquarters there.

Once published, the Commission's proposal will be sent to the European Parliament and Council for adoption.

EU-US Data Transfers: European Parliament Committee considers draft data protection framework fails to provide equivalent protection

On 14 February 2023, MEPs in the Civil Liberties Committee (LIBE) submitted a draft resolution on the proposed adequacy decision put forward by the European Commission, calling for the EU-US Data Privacy Framework proposal to be rejected on the grounds that the US executive order on which it is based does not offer sufficient protections. The EU and US are seeking a replacement for the Privacy Shield which was struck down by a European court ruling following an action brought by privacy campaigner, Max Schrems.

The draft Resolution must be adopted by the full Parliament at a plenary session, before being sent to the European Commission for consideration.

Digital Services Act: European Commission consults on investigatory and enforcement powers

The European Commission is consulting on how best to implement parts of the Digital Services Act (DSA). The consultation relates to detailed arrangements on issues identified in Article 83 of the DSA, such as: the Commission’s investigatory and enforcement powers, hearings and the negotiated disclosure of information. This implementing regulation will lay down rules on all procedural practical arrangements in Article 83 of DSA. The deadline for submissions to the consultation is 16 March 2023.

UK

Proposed Text and Data Mining Exception to copyright law proposed by the UKIPO stopped by Government

On 1 February 2023, the Minister for Science, Research and Innovation, George Freeman MP, announced at the House of Commons "Artificial Intelligence: Intellectual Property Rights" debate (transcript), that the proposal from the UK Intellectual Property Office (UKIPO), originally published in June 2022, to create a general exception to copyright and database law that would have allowed text and data mining (TDM) for any purpose would not proceed. The TDM exception currently applies only in limited circumstances, such as non-commercial research. The Minister said that it would become formal Government policy once the process to consider the change by the required governmental committees has concluded. The UKIPO will continue to review the responses received on the consultation on AI and intellectual property.

UK Government creates four new departments

On 7 February 2023, the UK Government announced four new Government departments:

  • Department for Energy Security and Net Zero – this new department is created to secure the UK's long-term energy supply and bring down energy bills;
  • Department for Science, Innovation and Technology – this new department is created to focus on optimising R&D investment, promoting diverse research system with the goal of transforming technical and scientific innovations into applicable solutions to improve public services, create jobs and grow the UK's economy;
  • Department for Business and Trade – this combined department will promote investment, back UK businesses both in the UK and internationally, and champion free trade; and
  • Department for Culture, Media and Sport – this "refocused" department aims to capitalise on and support the UK's world-leading position in the creative arts and aims to create reforms and legislative review to improve grassroot access to culture and sports.

High Court in England and Wales shuts down Bitcoin copyright claim

On 7 February, the High Court released a judgment in the case of Wright & Ors v BTC Core & Ors [2023] EWHC 222 (Ch). Mellor J rejected the copyright claims in relation to an application for permission to serve outside the jurisdiction. The key point in the claim was whether copyright subsists in a file format for the Bitcoin system (the Bitcoin File Format), which was alleged to be a literary work.

Under English copyright law there is a requirement for fixation. The Court ultimately decided the creation of a block in the Bitcoin File Format is insufficient to meet the fixation and sufficient identifiability requirement because firstly the Claimant did not identify any "relevant 'work' containing content which defines the structure of the Bitcoin File Format", and secondly there is no evidence explaining that the Bitcoin File Format comprises "content and not just structure". On this basis, Mellor J determined there was "no serious issue to be tried".  The Claimant was given permission to serve out only if the copyright claims were deleted. This judgment affirms the importance of the issue of fixation of literary works and provides useful insight on how the SAS Institute Inc v World Programming Ltd cases can be applied.

Americas

Tech Focus in the President's State of the Union

On February 7, President Biden delivered the annual State of the Union address to the US Congress – see our blog on that here. The President's address mentioned several tech policy topics that have been priorities for lawmakers.

First, President Biden called for Congress to "pass bipartisan legislation to strengthen antitrust enforcement and prevent big online platforms from giving their own products an unfair advantage." This statement came days after a bipartisan pair of US Congressmen, David Cicilline (D-RI) and Ken Buck (R-CO) announced a new Congressional Antitrust Caucus, whose aim includes "holding Big Tech and monopolies accountable, promoting healthy competition in the economy, and advocating for hardworking and law-abiding consumers and business owners."

Separately, Senator Elizabeth Warren announced that she will soon reintroduce legislation to regulate mergers more strictly and "set up a streamlined process for breaking up monopolies," stating that the "demonstrated bipartisan appetite to rein in Big Tech… means the time to move on legislation is now."

Second, President Biden urged Congress to "do more on mental health, especially for our children," stating that it was time to "hold social media companies accountable for the experiment they are running on our children for profit." Biden called for Congress to "pass bipartisan legislation to stop Big Tech from collecting personal data on kids and teenagers online, ban targeted advertising to children, and impose stricter limits on the personal data these companies collect on all of us."

These statements were followed by a Senate Judiciary Committee hearing on February 14 which focused on online safety for children. Senators from both parties stated that they planned to "act swiftly" to pass a bill in 2023 that would regulate tech companies' behavior toward children.

Third, President Biden continued to express support for stronger privacy protections.  Prior to the speech, the President's office released a fact sheet elaborating on the form such protection should take, including: "clear and strict" limits on the ability of companies to collect and process personal data and data minimization.  The fact sheet also highlighted geolocation and health information as sensitive data categories that warranted heightened protection.  Whether this show of support from the president will be enough to finally push through a federal privacy bill is hard to tell. 

California Privacy Enforcement Continues to Take Shape

While states and the federal government wrestle with nascent privacy laws, California continues to race ahead with privacy protections for the state's citizens.  The California Privacy Protection Agency (CPPA) submitted finalized regulations for approval (link). This is the last step before a comprehensive set of rules implementing the California Privacy Rights Act (CPRA) can come into effect. 

Meanwhile, as the July 1, 2023 enforcement deadline approaches for the CPRA's new requirements, the California Attorney General (CAG) continues to push ahead with enforcement of existing requirements.  Most recently, the CAG announced that his office had sent noncompliance letters to various mobile application providers following the findings of a recent investigative sweep (January 2023).  This sweep determined that many popular apps lacked clear opt-out mechanisms as well as effective processes to respond to consumer rights requests (particularly those submitted by authorized agents).

Federal Trade Commission Establishes Office of Technology Amidst Turmoil

On February 17, the Federal Trade Commission (FTC), the primary federal consumer protection regulator, announced the creation of an Office of Technology to be headed by Chief Technology Officer Stephanie T. Nguyen.  The aim of this new office will be to centralize and bolster the FTC's technology expertise to support new and ongoing enforcement efforts and investigations that have increasingly focused on the tech sector.  The move comes at an interesting time for the agency after Commissioner Christine Wilson resigned, the sole Republican on the FTC, leaving just three remaining commissioners to continue with the office's work. 

Supreme Court: Gonzalez v. Google on Section 230

Gonzalez v. Google was heard at the US Supreme Court in mid-February (docket). It is a potentially landmark case interpreting Section 230 of the Communications Decency Act of 1996 as it could unravel core legal protections for the internet. Section 230 typically protects sites from liability over user-generated content. However, the petition from the Plaintiff argued that YouTube created its own content with its recommendations, which in this this case involved terrorism, meaning YouTube might be violating laws against aiding and foreign terrorist groups. Justices from both liberal and conservative sides acknowledged that most internet services are based on algorithms and alluded that introducing liability to algorithms could be open floodgates to more lawsuits around other applications of algorithms such as URL generation and search engines. Justice Amy Coney Barrett suggested that the Supreme Court may not be able to decide until hearing the related Taamneh v. Twitter case.

Florida Governor proposed legislation to ban TikTok and other applications with foreign states

The Republican Florida Governor Ron DeSantis announced his proposal to protect Floridians’ digital rights and privacy from Big Tech companies by creating a Digital Bill of Rights. This Bill aims to protect Floridians’ privacy and promote online safety. Interestingly, it also proposes to "eliminate unfair censorship and ban the use of TikTok and other social media platforms with ties to China from all state government devices". Such applications and software would include WeChat, QQ. The Department of Management Services (DMS) may also prevent network connections to servers associated with foreign countries of concern.

Middle East

Dubai sets out regulations for Virtual Assets and Related Activities           

Dubai’s Virtual Asset Regulatory Authority (VARA) issued its Virtual Assets and Related Activities Regulations 2023 under Law No 4 of 2022 to regulate virtual assets in the Emirate of Dubai. The VARA Virtual Asset Regulations set out a comprehensive Virtual Asset (VA) framework, to be built on principles of economic sustainability and cross-border financial security. Each Virtual Asset Service Provider (VASP) must go through a four stage licensing process first and then comply with four Compulsory Rulebooks. If a VASP conducts any activity that falls under a Virtual Asset activity – Advisory, Broker-Dealer, Custody, Exchange, Lending & Borrowing, Payments & Remittances, and Management & Investment – VASPs will also need to comply with the specific activity Rulebook.

It will be interesting to see the interplay between the SCA and VARA and the related Federal Virtual Asset Decision and VARA Virtual Asset Regulations, although our understanding is that these are intended to work together hand in hand.

UAE launches 'Industrial Technology Transformation Index' to initiate digitalization and sustainability

The UAE’s Ministry of Industry and Advanced Technology (MoIAT) and the Abu Dhabi Department of Economic Development (ADDED) together launched the Industrial Technology Transformation Index (ITTI) on 15 February 2023. This aims to be a comprehensive framework to measure the digital maturity and sustainability of factories and a roadmap for industrial transformation.

The index is organised in categories which corresponds to a manufacturing value chain and measures 20 dimensions, four of which are sustainability related. Before this announcement, the MoIAT tested the ITTI with 75 manufacturing plants including 60 small and medium enterprises.

In future, third party assessors could certify and qualify to conduct assessments of the ITTI framework, produce reports for clients and advise clients on improvements on advance technology and sustainability.

Africa

Kenya: Facebook moderator case proceeds

The Kenya Employment and Labour Relations court has allowed a lawsuit brought against Facebook by one of its former moderators to proceed. The claimant, Daniel Motaung, claimed that Facebook and its sub-contractor Sama exposed him to graphic, disturbing and traumatic content (including beheadings and child abuse) without adequate prior knowledge from job adverts and psychological support, alleging he was paid about £1.80 per hour to review such posts. He also claimed he was unfairly dismissed for being sacked after trying to unionise to seek better terms and conditions. Meta argued that it was not subject to Kenyan law because Meta was "not resident, trading or domiciled in Kenya", and rather only Sama should be joined. However, the judge decided that Meta was a "proper party" to the case.

This case is a high profile one as it is supported by Foxglove, a UK tech justice non-profit, and watched closely by Mozilla and Amnesty International Kenya. Meta's defeat on this judgement means Meta would now face legal action in the global South and the continent to be held accountable for content moderators.

Cameroon: Ride hailing app suspended

Cameroon suspended Russian ride hailing app, Yango, for allegedly failing to comply with local transport regulations. Yango is owned by Russian tech giant Yandex and began operation in Cameroon in 2021. This suspension comes after transport unions complained of unfair competition and Yango received a government warning in September 2022. As part of the warning, Yango was required to, among other things, to obtain a licence from Cameroon's telecoms regulator, open an office in Cameroon and register with the tax authorities.

Zambia: central bank and securities regulators testing new technology to regulate cryptocurrencies

The Zambian Government announced that it is developing new technology to regulate cryptocurrencies with testing being done though the country's securities regulator, the Security Exchange Commission, and the Bank of Zambia. The Minister of Science and Technology, Felix Mutati, seeks to establish Zambia as a technology hub through improving digital infrastructure and attracting tech related investments. This enthuasiam is undeterred by previous reports by the Central Bank of Nigeria and the International Monetary Fund calling for regulatory framework and enforcement.