Tech Policy Horizon Scanner
July 2023
Tech continues to exert its gravitational pull on policymakers. On 21 July, the White House secured agreement from seven AI companies to sign up to a set of voluntary commitments to manage risks from AI, and on 26 July 2023, Anthropic, Google, Microsoft and OpenAI announced the launch of Frontier Model Forum, an industry body focused on ensuring the safe and responsible development of frontier AI models.
Various jurisdictions have progressed data privacy and protection legislation. The Indian Cabinet reportedly approved India's Digital Personal Data Protection (DPDP) Bill, while Saudi Arabia's Data & Artificial Intelligence Authority and Nigeria's Communications Commission both published consultations on data privacy and protection laws. The U.S.'s patchwork of privacy laws has continued to develop, with Oregon's Consumer Privacy Act becoming law and Colorado's Privacy Act coming into effect.
AI has also been a continued focus, with China issuing its first regulation on generative AI services and the OECD publishing a report on regulatory sandboxes within the context of AI. In the UK, the House of Lords published a report entitled "Artificial intelligence: Development, risks and regulation" and its Communications and Digital Committee launched an inquiry into LLMs.
In Europe, the EU Commission adopted its much-anticipated adequacy decision on EU-U.S. data flows on 10 July 2023. Already, the EDPB has published an information note on the decision, and Max Schrems, leader of NOYB, has announced that his organisation has a challenge ready to be filed before the CJEU and expects a challenge to reach the CJEU by the end of the year or the beginning of 2024. The EU Commission has also published new proposed rules for cross-border GDPR cases and there have been reports about its Metaverse strategy for 'virtual worlds', among other things.
APAC (excluding China)
India: Cabinet approves DPDP Bill
Media reports indicate that the Union Cabinet of the Indian Government approved the DPDP Bill on 5 July 2023. The DPDP Bill is designed to ensure the protection of individuals' personal data across India and contains rigorous measures on data protection, data sharing and data storage. It is currently set to be introduced in the monsoon session of the Indian Parliament this summer.
Singapore makes open-source AI toolbox available for financial sector
The Monetary Authority of Singapore (MAS), Singapore's central bank, has released an open-source toolkit called Veritas Toolkit version 2.0, intended to enable the responsible use of AI in the financial sector and to allow firms to assess whether their AI or data analytics follow the fairness, ethics, accountability and transparency principles. The consortium of 31 industry players that developed the toolkit have also published some key lessons learned by seven of the financial institutions that piloted the methodology.
Japan signs joint declaration with the EU
On 3 July 2023, during the first meeting of the Japan – EU Digital Partnership Council, Japan signed a joint statement with the EU on a range of digital issues, including a forthcoming Memorandum of Cooperation on semiconductors, continued cooperation on 5G mobile technologies, the establishment of a permanent communication channel on legislative approaches to regulating AI and a commitment to completing ongoing negotiations on cross-border data flows. Both parties' commitment to this joint statement was reaffirmed 10 days later during the 29th Summit between the EU and Japan.
China
China releases the first nationwide regulation on generative artificial intelligence services
The Cyberspace Administration of China (CAC) together with six other PRC regulatory authorities jointly published the final version of the Provisional Administrative Measures on Generative Artificial Intelligence Services which will take effect from 15 August 2023. The Measures will become the first set of regulatory rules specifically applicable to the rapidly developing field of generative AI in China. The Measures apply to any person that uses generative AI technology or uses generative AI technology via programming interfaces and APIs to provide services (including, among others, generating text, pictures, audio and video content) to the public in China. For more information, see our alert.
Mainland China and Hong Kong regulators enter into MoU to govern data flow within the Greater Bay Area
On 29 June 2023, the CAC and Hong Kong's Innovation, Technology & Industry Bureau (ITIB) signed the Memorandum of Understanding on Facilitating Cross-boundary Data Flow within the Guangdong-Hong Kong-Macao Greater Bay Area (the MoU). Under the MoU, CAC and ITIB will work closely to explore effective management measures with a view to fostering cross-boundary data flow within the Greater Bay Area. According to Professor Sun Dong, the secretary for ITIB, this move will be an important initiative for facilitating data flow in the Greater Bay Area, lowering the compliance costs of enterprises, and supporting innovative development of Hong Kong as a global data hub.
EU
Data transfers: new adequacy decision for EU-U.S. transfers
On 10 July 2023, a new European Commission adequacy decision on EU-U.S. data flows entered into force. The decision recognises the EU-U.S. Data Privacy Framework (DPF) as providing sufficient protection to personal data to allow transfers between the EU and U.S. (for those participating in the DPF), in particular through the redress mechanism in operation. The decision follows three years of negotiations, during which the U.S. agreed to limit its intelligence agencies' collection of data to what is "proportionate" and "necessary" for national security. A new Data Protection Review Court has been set up for EU citizens wishing to challenge how the U.S. has handled their data. For more information, see our article: European Commission approves EU-U.S. data privacy framework.
GDPR enforcement: European Commission proposes new procedural regulation for cross-border cases
On 4 July 2023, the European Commission proposed a new regulation to support the effectiveness and efficiency of GDPR enforcement in cross-border cases by streamlining cooperation between Data Protection Authorities (DPAs) and harmonising some aspects of their administrative procedures when applying the GDPR in cases that affect individuals located in more than one EU Member State. The proposed regulation does not seek to change the 'one-stop-shop' mechanism but rather may introduce additional steps in the cooperation between DPAs to facilitate early consensus-building and reduce disagreements later in the process, thus avoiding the 'dispute resolution' mechanism.
Antitrust and GDPR: CJEU clarifies interplay
On 4 July 2023, the Court of Justice of the European Union (CJEU) ruled that a national competition authority (NCA) examining an abuse of a dominant position case could determine whether an undertaking's terms and conditions infringe the GDPR, where necessary to establish the existence of an abuse under competition law. In doing so, the NCA must cooperate closely with the relevant DPA and is bound by their prior decisions regarding the data processing being investigated. The CJEU also provided clarification on several important points of data protection law. For more information, see our article: European Court of Justice in Facebook Ruling Clarifies Interplay Between EU Competition Law and Data Protection Enforcement and Challenges Reliance on Legitimate Interests for Disclosures to Law Enforcement Authorities.
Digital identity: Political agreement reached on eIDAS2
On 29 June 2023, the Council of the EU and European Parliament reached political agreement on a new Electronic Identification, Authentication and Trust Services Regulation, known as eIDAS 2. The Regulation aims to ensure universal access for citizens and businesses to secure and trustworthy electronic identification and authentication by means of a personal digital wallet on a mobile phone. The wallet will allow citizens to access public and private sector services across EU countries. Further technical work will take place to finalise the legal text and ensure it reflects the political agreement. Afterwards, it must be formally approved by the European Parliament and the Council before publication in the Official Journal.
UK
The Online Safety Bill: further developments
The Online Safety Bill, which aims to protect children and adults from harmful online content, continues to spark discussion on its journey through Parliament.
On 11 July 2023, Ofcom published a consultation, requesting input on the categorisation of regulated services under the Online Safety regime by 12 September. The following day, the National Audit Office published its report on whether the Department for Science, Innovation & Technology (DSIT) and Ofcom are sufficiently prepared to implement the Online Safety Bill when it comes into force. It discusses the progress Ofcom has made, but also outlines further actions that need to be taken.
On 19 July, the House of Lords passed an amendment at the Report Stage which allows Ofcom to have access to "information demonstrating in real time the operation of systems, processes or features, including functionalities and algorithms" (section 101(3)(a)) in respect of search engines, user-to-user online platforms and adult content sites. Its third reading in the House of Lords will take place on 4 September.
House of Lords publish inquiry and report on AI
On 7 July 2023, the House of Lords Communications and Digital Committee launched an inquiry into Large Language Models (LLMs). The inquiry poses a list of questions focusing on what steps need to be taken in the next 1 – 3 years to ensure that the UK can respond to the opportunities and risks posed by LLMs. The deadline for submissions is 5 September 2023.
On 18 July 2023, the House of Lords published a report entitled "Artificial intelligence: Development, risks and regulation". It synthesises many of the developments which have occurred over the past months, discussing AI's potential benefits and risks and comparing different jurisdictions' regulatory approaches.
Americas
More U.S. states pass privacy laws as enforcement ramps up
As progress on a federal privacy law stalls, U.S. states continue to add to the increasingly complex patchwork of privacy laws. On 18 July, Oregon's Consumer Privacy Act became law. The law largely aligns with those passed previously in other states, with the notable exception that Oregon's law applies to not-for-profit organizations. Meanwhile, Delaware is on the threshold of enacting its own law, as the bill awaits the governor's signature (which is expected soon).
While new states join the fray, states with existing laws are gearing up for enforcement. Days after the Colorado Privacy Act came into effect (on 1 July), the Attorney General issued a press release announcing plans to start notifying companies of potential non-compliance, with a focus on notice requirements, sensitive data processing, and consumer rights to opt out of targeted advertising and profiling. California has also been busy: on 14 July, the California Attorney General announced a sweep of large California employers' compliance with the CCPA; days later, the recently formed California Privacy Protection Agency established a consumer complaint portal that has already begun receiving submissions.
White House announces cybersecurity labeling program for smart devices
On 18 July, the White House announced a proposal for a new certification and labeling program for smart devices. The "U.S. Cyber Trust Mark" program would create a logo that would be affixed to smart devices that meet certain established cybersecurity criteria. A number of major consumer electronics manufacturers and retailers joined the announcement to show their support. The program would be maintained by the Federal Communications Commission (FCC) and is expected to come into effect in 2024, following a to-be-announced public comment process.
Bill requiring online platforms to report drug activity advances out of Senate Judiciary Committee
On 13 July, the U.S. Senate Judiciary Committee voted to advance a bill titled the "Cooper Davis Act" to the Senate floor. The bill would regulate social media companies and other electronic communication service providers, requiring them to report to federal law enforcement information regarding the sale or distribution of controlled substances in violation of the Controlled Substances Act on their platforms. In its statement on the bill's passage out of committee, the Committee's press release stated that "by addressing illicit drug trafficking online," the bill would address "the fentanyl crisis [that] continues to ravage communities across the country." The bill is one of several bipartisan pieces of legislation aimed at protecting children's privacy and safety online to have advanced out of the Senate Judiciary Committee this term.
Amended Kids Online Safety Act passes the Senate Commerce Committee
On 27 July, the Senate Commerce Committee passed a new version of the Kids Online Safety Act (KOSA). The amendments related primarily to the research components of KOSA. The process that enabled independent researchers to access platform data to conduct research relating to child safety online was removed. Instead, the modified Bill gives exclusive research data access to the National Academies of Science, with the aim that it will produce five studies on the risks presented by social media to minors as part of a program administered by the Secretary of the Department of Health and Human Services.
Middle East
Saudi Data & Artificial Intelligence Authority launches public consultations
On 11 July 2023, the Saudi Data & Artificial Intelligence Authority (SDAIA) launched public consultations on:
- the draft Implementing Regulations of the Personal Data Protection Law (PDPL), as amended on 21 March 2023
- the draft Regulation on Personal Data Transfer outside the Geographical Boundaries of the Kingdom.
Both draft regulations cover various aspects of data privacy and protection law with a focus on personal data in particular. Consultation responses must be submitted by 31 July 2023.
Israel Privacy Protection Authority publishes consultation on biometric employee monitoring systems
On 18 July 2023, Israel's Privacy Protection Authority (PPA) announced the publication of a consultation (only available in Hebrew) on the collection and use of biometric data for employee monitoring. The policy document focuses on the privacy risks involved and provides guidelines and recommendations for firms using, or considering using, biometric identification technology in respect of their employees. Consultation responses must be submitted by 18 August 2023.
Africa
South African regulator fines government department
On 4 July 2023, South Africa's Information Regulator announced that it had issued an Infringement Notice to the Department of Justice and Constitutional Development on 3 July 2023 in which the Department was fined ZAR 5 million for failing to comply with an earlier Enforcement Notice. The regulator had issued this Enforcement Notice on 9 May 2023 in response to its findings that the Department had breached various sections of the Protection of Personal Information Act 2013 ("POPIA"). The Department was required to submit proof to the regulator of actions it had taken to comply with the Enforcement Notice within 31 days – it failed to do so.
Nigerian Communications Commission publishes regulations for comment
On 27 June 2023, the Nigerian Communications Commission (NCC) published draft Data Protection (Communication Services) Regulations 2023, on which it is requesting comments. The draft regulations provide a regulatory framework for the protection and privacy of data in Nigeria's communications sector. Among other things, they cover issues relating to consent and data transfers. The deadline for comments to be submitted is 20 July 2023.
Additional Information
This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.
The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.