Tech Policy Horizon Scanner
November 2023
Introduction
International collaboration will be fundamental to the development of AI regulation, and we saw progress in that direction during the UK's AI Safety Summit that took place on 1-2 November 2023, following which the Bletchley Declaration was signed by the 28 participating countries, including China. The agreement acknowledged both the transformative potential and significant risks of AI.
We also saw the UK and U.S. announce the first set of global Guidelines to ensure the secure development of AI technology, released by the UK's National Cyber Security Centre (NCSC) in collaboration with the U.S. Cybersecurity and Infrastructure Security Agency. This followed on from developments at the end of October which included the Global Privacy Assembly passing resolutions on AI and Employment and generative AI systems at its annual meeting, and the G7 announcing the launch of International Guiding Principles and an International Code of Conduct, both designed to encourage global cooperation in the governance of AI.
Collaboration between governments and agencies was also evident in the data protection and cybersecurity space. The U.S. Cybersecurity and Infrastructure Agency and South Korea's National Intelligence Service signed a Memorandum of Understanding on best practices for cybersecurity and cyber threat information exchange, which is a development of the bilateral Cyber Framework which both countries entered into in April. Collaboration was evident between the UK and EU in a Memorandum of Understanding that was entered into by the UK's Information Commissioner's Office and the European Data Protection Supervisor on their work in the data privacy space.
In the Middle East, the Abu Dhabi Global Market (ADGM) also published an addendum to the European Commission's Standard Contractual Clauses for personal data transfers – the first financial centre in the Middle East region to do so – again, with the aim of allowing organisations operating cross-border to comply with ADGM regulations where they have already implemented the EU SCCs.
Finally, organisations across the world appeared keen to increase regulation on digital currencies. The European Central Bank has launched a new preparatory phase for the digital euro project, where assessments will be made on the potential digital currency's effect on privacy and financial equality. Kenya's parliament directed the country's blockchain association to draft a digital assets regulatory framework, and the U.S. increased scrutiny on regulatory compliance by cryptocurrency exchanges, with a large fine imposed on Binance and action brought against Kraken
APAC (excluding China)
Reserve Bank of India releases master directive on IT governance and cybersecurity
On 7 November 2023, the Reserve Bank of India released its Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practises, which will come into effect on 1 April 2024. The Master Direction will apply to regulated entities, covering banking and non-banking financial institutions, and specifically states that these regulated entities must put an IT Governance Framework into place.
The aforementioned IT Governance Framework must include, among other things, adequate oversight mechanisms to ensure accountability and mitigation of IT and cyber/information security risks, and must contain provisions which require the regulated entities to have an IT and Information Security Risk Management Framework, an Information Security Policy and Cyber Security Policy, and to perform a periodic review of IT-related risks.
USA and South Korea sign Memorandum of Understanding on cybersecurity best practices and cyber threat information exchange
On 9 November 2023, the U.S. Cybersecurity and Infrastructure Agency announced that it had signed a Memorandum of Understanding (MoU) with South Korea's National Intelligence Service, which outlines optimal methods for the two agencies to cooperate and exchange data concerning cyber risks. This follows the bilateral Cyber Framework which was signed by South Korean President Baek Jong-wook and Joe Biden in April 2023.
The MoU outlines the various best practices, including regular consultation between the countries on methods for cybersecurity threat responses, enhanced communication between Computer Emergency Responses Teams, sharing best practices between agencies by utilising joint training exercises, and sharing best practices on governing new technologies.
Industry partnership led by Monetary Authority of Singapore creates risk framework for the financial sector using generative AI
On 15 November 2023, the Monetary Authority of Singapore announced that phase one of Project MindForge had concluded, which aims to develop a clear and concise risk framework for the use of Generative AI in the financial sector, looking at the risks and opportunities. A full white paper with details of the risk framework is due to be published in January, and the executive summary of the white paper has been released.
The Project MindForge consortium has developed a comprehensive generative AI risk framework which includes seven dimensions: accountability and governance, monitoring and stability, transparency and explainability, fairness and bias, legal and regulatory, ethics and impact, and cyber and data security. In the next phase, the consortium will look into developing strong industry use cases that will benefit from the application of generative AI including in managing complex compliance tasks and risk identification, and expand its scope to involve financial institutions from the insurance and asset management sectors.
Thailand's data protection authority releases draft regulations on data transfers
On 27 October 2023, Thailand's Personal Data Protection Committee (PDPC) released its draft regulations on international data transfers, under sections 28 and 29 of the Personal Data Protection Act 2019 (PDPA).
Section 28 of the PDPA covers personal data that is transferred to a country or international organisation deemed to have sufficient data protection standards, where adequacy is determined by factors including the existence of legal measures or mechanisms in the country which are not less than those in Thailand.
Section 29 of the PDPA states that if the sender or transferor and the recipient of personal data have established a policy for personal data protection in the same affiliated business or in the same group of undertakings that has been reviewed and certified by the PDPC, then the data controller or data processor in Thailand may send or transfer personal data to the recipient, who is located abroad and engaged in the same affiliated business or is in the same group of undertakings.
China
China's TC260 unveils the draft of practical guidelines for cross-border personal information protection requirements in the Guangdong-Hong Kong-Macau Greater Bay Area
On 1 November 2023, the National Information Security Standardisation Technical Committee (TC260) released the draft Practical Guidelines for Cross-border Personal Information Protection Requirements in the Guangdong-Hong Kong-Macau Greater Bay Area for public comments. The aim of these guidelines is to further implement the "Memorandum of Understanding on Facilitating Cross-boundary Data Flow within the Guangdong-Hong Kong-Macao Greater Bay Area" which was issued last June.
The Guidelines apply to personal information processors which are registered or located in the Guangdong-Hong Kong-Macau Greater Bay Area (i.e., that are registered in Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, Zhaoqing, or Hong Kong) that choose to rely on the Greater Bay Area personal information protection certification regime to legitimise their cross-border transfer activities. However, it is worth noting that personal information processors in Macau are currently not covered under the Guidelines.
China to tighten the "PRC Law on Guarding State Secrets" amid data processing risks
On 25 October 2023, the National People's Congress of China released the consultation draft of the revised PRC Law on Guarding State Secrets for public comments. The consultation draft does not propose any changes to the scope and grading of "state secrets" compared with the previous version of the law. The consultation draft explicitly adds that processing activities involving state secrets should comply with rules governing state secrets. Chinese authorities are expected to establish security and protection systems and relevant measures to address potential breach risks arising from aggregating and analysing large volumes of data using new technologies like big data, and mitigate the risk of state secret compromises in these scenarios. The consultation draft was open for public comment until 23 November 2023.
EU
EU Council and Parliament adopt political agreement on Data Act
On 27 November 2023, the Council of the European Union adopted the political agreement reached on 27 June 2023 regarding the proposal for a regulation on harmonised rules on fair access to and use of data (the Data Act). This follows the first reading adoption of the text by the EU Parliament on 9 November 2023. The proposal aims to provide a clearer legal framework regarding the sharing of data, and includes obligations pertaining to the design of connected products, data sharing with users and governmental actors, and unfair contractual clauses. The text will be published in the EU official journal in the coming weeks, then apply 20 months from the date of entry into force.
EU member states agree common position on the revised Cybersecurity Act
On 15 November 2023, representatives from EU member states adopted a common position to amend certain sections of the Cybersecurity Act (CSA). The amendments relate to the adoption of European Certification Schemes regarding "managed security services", or services responsible for providing assistance for activities related to cybersecurity risk management. In particular, the amendments clarify the definition of "managed security services" by aligning it with the revised Network Information Systems directive (NIS 2), as well as aligning the security objectives of these certification schemes with other schemes under the CSA, and a number of technical and drafting modifications. Trilogue negotiations with the EU Parliament are next to be conducted to determine a final version of the text.
AI Act negotiations hampered over disagreement on foundation models
On 10 November 2023, technical negotiations between the European Parliament and the Council on the draft AI Act reached a halt regarding the topic of foundation models. France, Spain and Germany released a statement on 19 November 2023 which expressed their opposition to provisions on the subject, citing the damage that this could cause to the European AI industry and advocating for a voluntary regulatory approach. This could potentially imperil an agreement regarding the text on 6 December 2023, the next official trilogue negotiation date between the EU Parliament and the Council.
ECB starts preparation for digital euro in multi-year project
On 1 November 2023, the European Central Bank launched a new preparatory phase regarding the digital euro project, following the completion of an initial investigatory stage. This phase is to last for two years and involves the development of a digital euro rulebook, selecting providers to develop the necessary technological infrastructure, and determining the potential implications that such a project could have with regards to privacy, the environmental, and financial equality. This new phase does not constitute a decision to launch a digital euro, as this has yet to be made by the ECB Governing Council.
UK
UK and U.S. develop global guidelines for AI security
On 27 November 2023, the UK government announced the first global Guidelines to ensure the secure development of AI technology, which were developed by the UK GCHQ's National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency, in cooperation with industry experts and international agencies. The Guidelines have been endorsed by 18 countries in total, including Australia, Canada, Japan and some EU countries.
The Guidelines are broken into four key areas of secure design, secure development, secure deployment and secure operation and maintenance, and aim to help developers of AI systems to make informed cybersecurity decisions at every stage of the development process. Each section contains considerations and mitigations that are intended to help reduce the overall risk to an organised AI system development process.
The NCSC has stated that the Guidelines will help developers to ensure that cybersecurity is an essential pre-condition of AI system safety and integral to the development process, known as a "secure by design" approach.
Pioneer AI safety declaration agreed by 28 countries and EU at AI Safety Summit
On 1 November 2023, the countries which attended the AI Safety Summit (1-2 November 2023) signed the Bletchley Declaration. The Declaration emphasises the importance of AI being designed, developed, and used safely, responsibly, and human-centrically. It encourages international cooperation to promote inclusive economic growth and sustainable development through AI, as well as to protect human rights and foster public trust in AI systems.
The Declaration recognises the significant safety risks posed by advanced AI models, especially in cybersecurity and biotechnology, and calls for an urgent deepening of understanding of these risks. The signatories commit to international cooperation to ensure safe, responsible AI and to address the broad range of risks posed by AI. They also affirm the responsibility of those developing advanced AI capabilities to ensure their safety and encourage transparency and accountability. The declaration outlines an agenda focused on identifying AI safety risks and building risk-based policies. It also supports an internationally inclusive network of scientific research on frontier AI safety.
Data protection implications announced in King's Speech
On 7 November 2023, King Charles III delivered his 2023 speech which outlined the government's legislative agenda for the upcoming parliamentary session.
The Data Protection and Digital Information (No. 2) Bill, to be renamed as the Data Protection and Digital Information Bill (DPDI Bill), aims to modernise the UK's data protection framework. Proposed measures include simplifying compliance with the Data Protection Act 2018 and the UK GDPR, addressing issues like nuisance calls and repetitive "cookie pop-ups," refining rules for using personal data in scientific research, establishing a framework for secure digital verification services, promoting "smart data" initiatives across the economy, and enhancing the delivery of various government services. The DPDI Bill is scheduled for the report stage and third reading on an as-yet-unannounced date. Ongoing concerns include the potential impact on the EU-UK adequacy decision.
Further, the Investigatory Powers (Amendment) Bill, designed to update the Investigatory Powers Act 2016 to ensure its relevance and effectiveness. The aim is to empower security and law enforcement agencies to respond to evolving threats and technological advancements. The bill includes changes to the bulk personal dataset regime, updates to conditions for using internet connection records, amendments to the Notices regime, and an extension of the powers of the Investigatory Powers Commissioner's Office.
The speech also mentioned the Digital Markets, Competition and Consumers Bill which aims to secure better outcomes for consumers and businesses by driving innovation and addressing competition issues in digital markets, with the goal of levelling the playing field across the sector.
European Data Protection Supervisor and UK ICO Sign Memorandum of Understanding
On 8 November 2023, the UK Information Commissioner’s Office (ICO) and the European Data Protection Supervisor (EDPS) signed a Memorandum of Understanding (MoU) to reinforce their shared mission of upholding individuals' data protection and privacy rights. It aims to reduce divergences in regulatory approaches, benefitting public and private organisations, individuals, and other stakeholders in the UK and EU.
The MoU lists common interests for collaboration, such as ensuring necessary regulatory cooperation, enforcing respective data protection and privacy laws, sharing experiences, implementing joint research projects, exchanging information on potential or ongoing investigations, staff secondment, and convening bilateral meetings. The MoU is a statement of intent and does not impose any legally binding obligations on either the ICO or EDPS.
Americas
U.S. regulators crack down on cryptocurrency exchanges with Binance's USD 4.3 billion settlement and SEC's Kraken Complaint
On 21 November 2023, the U.S. Department of Justice announced that Binance, the world's largest cryptocurrency exchange, will pay $4.3 billion in a settlement for their violations of U.S. anti-money laundering and sanctions laws. Pleading guilty, Binance's CEO and founder, Changpeng Zhao, has stepped down and will personally pay $50 million - one of the largest penalties in U.S. history. This news comes as the U.S. regulators continue to crack down on previously unregulated cryptocurrency exchanges, with the SEC bringing an action against Kraken. Kraken has stated that the action has "no impact" on the products that they, offer and they will "continue to provide services to clients without interruption."
Future and approach of AI play out in the OpenAI leadership battle
On 22 November 2023, the CEO and co-founder of ChatGPT's OpenAI, Sam Altman, was ousted from the company for four days, and rejoined after over 700 company employees threatened to resign. The reasons for Altman's abrupt removal remain speculative and include a letter by several staff researchers that the company is developing AI without duly weighing relevant consequences.
The AI space is divided as some believe that all AI should be open-source, a position backed by Meta’s lead AI scientist, while others believe that there should be government regulation, such as President Biden's Executive Order on AI which was published at the end of last month.
Middle East
ADGM and MBZUAI forming a strategic partnership to advance AI for regulatory compliance
On 16 November 2023, Abu Dhabi Global Market's Financial Services Regulatory Authority (FSRA) and the Mohamed bin Zayed University of Artificial Intelligence (MBZUAI) signed a Memorandum of Understanding (MoU) to develop AI-based tools for regulatory compliance in the financial services sector. The tools will use AI to generate insights from financial regulations and rules, which can be used in regulatory decisions and processes. The partnership aims to develop advanced regulatory technology and supervisory technology, enhancing regulatory compliance and operational efficiency in the delivery of financial services. The AI model will be trained to extract meaning and context from financial regulations and rules.
ADGM Office of Data Protection releases Addendum to EU Standard Contractual Clauses
On 15 November 2023, the Abu Dhabi Global Market (ADGM) issued an Addendum to the European Commission's Standard Contractual Clauses for personal data transfers.
The objective is to support businesses within the ADGM that handle data transfers involving individuals' information, as global data protection and privacy laws restrict cross-border transfers without appropriate safeguards. The ADGM Addendum will allow organizations to use it as a transfer mechanism to comply with the ADGM Data Protection Regulations, reducing duplication and eliminating additional compliance obligations.
Africa
Zambian Information and Communications Technologies Authority publishes cyber risk assessment report
On 14 November 2023, the Zambia Information and Communications Technologies Authority (ZICTA) published the National Cyber Risk Assessment Report of September 2022. The report's primary aim is to establish a national risk assessment framework to identify potential cybersecurity vulnerabilities in critical sectors and organizations, and is intended to guide the development of cyber risk reduction initiatives and cyber strategies.
The report includes the results of a survey conducted by the ZICTA, which analysed data from various participating organisations. The survey revealed that malware-using cybercriminals are considered the most significant cyber threats. The government, healthcare, and water sectors were identified as having the highest level of cyber vulnerabilities, while private organisations were found to have the least. The report concludes with a set of recommendations that will be considered for inclusion in Zambia's next cyber strategy. These recommendations will also be used to guide existing and future cyber capability and capacity-building projects as required.
Kenya's $20 billion cryptocurrencies market takes first step to regulation
On 7 November 2023, Kenya's parliament asked the Blockchain Association of Kenya (BAK) to prepare the first draft of what may eventually become the country's Virtual Asset Service Provider's Bill, commonly known as the Crypto Bill, following the BAK's second appearance before the National Assembly Committee on Finance and National Planning on 31 October.
The meeting between the BAK and the National Assembly Committee aimed to enable partnership in shaping regulation in cryptocurrencies and digital assets regulation, where the BAK, alongside Binance, Yellow Card, Kotani Pay and the Law Society of Kenya, presented key elements for a robust regulatory framework including a clear licencing framework, consumer protection framework and regulatory sandbox.
In response the parliamentary committee has directed the BAK to draft and submit a bill for Kenya's digital assets regulatory framework within two months. This mirrors similar legislation in South Africa (Financial Sector Conduct Authority), Nigeria (Finance Act 2023, SEC Regulations on Digital Assets) and Mauritius (Virtual Asset and Initial Token Offering Services Act 2021).
Additional Information This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content. The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers |