Tech Policy Unit Horizon Scanner
April 2024
The US state of Kentucky has become the fifteenth state to enact comprehensive data protection legislation, which will take effect on 1 January 2026. The new law follows legislation adopted in other states, with data correction, deletion and opt-out rights in store for consumers. Federal lawmakers, however, do not wish to leave the topic of privacy to states alone – a few days after the bill in Kentucky was signed into law, the American Privacy Rights Act of 2024 was introduced in Washington. It's not the first attempt to pass federal privacy legislation, and it may not be the last.
Questions around cybersecurity also kept legislators and regulators busy in the past month. Singapore introduced a bill amending its Cybersecurity Act 2018, while the Malaysian Parliament approved its Cybersecurity Bill 2024, aiming to boost the protection of critical information infrastructure across industries. The Chinese information security regulator released two consultation drafts on disaster recovery and cybersecurity operations and maintenance respectively, which will remain open for public consultation for two months. In Europe, the EU cybersecurity certification scheme for cloud services continues to provoke debate, while across the Channel the UK's National Cyber Security Centre released its updated Cyber Assessment Framework.
Despite the high volume of local activity, April saw a number of multinational cooperation agreements coming to fruition. The Cyberspace Administration of China announced a China-Africa AI cooperation, while the UAE signed an agreement on AI and digital infrastructure development with Kenya. Both the UK and Dubai joined the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE), a privacy enforcement cooperation mechanism, which has recently opened its doors to countries outside the Asia Pacific. Finally, the US concluded two multilateral projects on AI, one resulting in an agreement with the UK on AI safety and another in guidance on securely deploying AI systems, published together with the UK, Australia, New Zealand and Canada.
APAC (Excluding China)
Malaysian Parliament approves new cybersecurity bill
On 27 March 2024, the Parliament of Malaysia passed its Cybersecurity Bill 2024, which will establish a National Cyber Security Committee and enhance the protection of critical information infrastructure across various sectors.
The Bill allows the government to designate companies as National Critical Information Infrastructure (CII) entities, which would require these entities to comply with certain cybersecurity standards. Importantly, the Bill also introduces new licensing requirements for cybersecurity service providers, which will be mandatory going forward with certain exceptions.
The approved Bill will become law after it receives royal assent and will enter into effect on the day specified in the Gazette.
South Korean Personal Information Protection Commission publishes guidance for overseas businesses
On 4 April 2024, the South Korean Personal Information Protection Commission (PIPC) issued a Guide to Application of the Personal Information Protection Act for Overseas Businesses, to help foreign companies comply with South Korea's recently amended Personal Information Protection Act (PIPA).
The guidelines clarify that foreign companies are subject to the PIPA in the same way as local businesses if the foreign company offers services to South Korean users, handles personal data that impacts South Koreans, or maintains a physical presence in the country. The guidelines cover various legal obligations under the PIPA, including overseas data transfers, disclosure methods and leak notifications. For example, if subject to the PIPA, companies must notify authorities and affected individuals in the event of a data breach and provide notice when transferring personal information outside South Korea.
Japan's Personal Information Protection Commission publishes its updated international strategy
On 27 March 2024, Japan's Personal Information Protection Commission (PPC) published its updated international strategy, where it set out a number of initiatives for the coming year. A key priority will continue to be the development of data adequacy arrangements with other regions (one example of which we reported on in February, between the EU and Japan), for the mutual recognition of data protection practices to facilitate cross-border data transfers. Japan also seeks to cooperate on designing and implementing international corporate certification systems, for example, through the Global Cross-Border Privacy Rules, and work on international model contractual provisions. Finally, the PPC envisages further collaboration in the enforcement space, which is becoming increasingly popular with many countries signing on to the Global CAPE (see further information in the UK and Middle East sections).
New Cybersecurity (Amendment) Bill introduced in Singapore
On 3 April 2024, the new Singaporean Cybersecurity (Amendment) Bill was introduced and read in Parliament. The Bill was initially proposed by the Cyber Security Agency of Singapore (CSA) and has undergone an extensive consultation period which kicked off in 2022 and finished in early 2024. The feedback received during the consultation period was also published on 2 April.
The proposed legislation aims to revise the Cybersecurity Act 2018, broadening its reach to include all relevant digital infrastructure, not just the current critical infrastructure providers. It will enhance the existing provisions for critical infrastructure entities, such as imposing more stringent incident reporting duties that extend to supply chain events. Additionally, the Bill intends to establish two new categories of regulated entities that will be subject to less onerous regulatory demands.
China
China's Information Security Standardisation Technical Committee releases multiple consultation drafts on the areas of generative AI, personal information transfers and cybersecurity
On 3 April 2024, China's National Information Security Standardisation Technical Committee (TC260) issued consultation drafts on:
- Information Security Technology – Data Annotation Security Specification for Generative Artificial Intelligence and Information Security Technology – Pre-training and Fine-tuning Security Specification for Generative Artificial Intelligence. The two consultation drafts provide guidance on the security requirements in respect of data annotation and data processing activities involved in pre-training and fine-tuning of generative AI and aim to improve the safe implementation and application of such technologies; and
- Information Security Technology – Requirements for Personal Information Transfer Based on Request of Personal Information Subject. This consultation draft offers guidance on how to properly handle personal information (PI) transfer requests, covering the scope of PI that may be transferred and the procedures and requirements that PI processors should comply with. Third-party assessment organisations may consider the contents of the consultation draft for the supervision, management and assessment of PI transfer-related processing activities.
Additionally, on 15 April 2024, TC260 issued consultation drafts on:
- Cybersecurity Technology – Disaster Recovery Specification for Information System and Cybersecurity Technology – Implementation Guide for Cybersecurity Operations and Maintenance. These two consultation drafts provide the framework, principles and requirements respectively applicable to (a) disaster recovery of information systems and (b) cybersecurity operation and maintenance. Relevant network operators, service providers, third-party organisations and other stakeholders are advised to properly consider the contents of these consultation drafts when handling the relevant subject matters.
All consultation drafts have been issued for public comments, which are due two months after the date of publication of the relevant draft.
EU
European Parliament releases corrigendum on its position on the AI Act
On 19 April 2024, the European Parliament published a corrigendum to its previously stated position on the proposed Artificial Intelligence Act (AI Act), addressing linguistic and numerical errors. Going forward, the Committee on Internal Market and Consumer Protection, alongside the Committee on Civil Liberties, Justice, and Home Affairs, will review the updated text.
In December 2023, the EU institutions reached a political agreement on the provisional text of the AI Act, which was followed by Committee approval on 13 February 2024, and Parliament approval on 13 March 2024. The regulation will now undergo a final review by linguists and await formal endorsement by the EU Council.
European Parliament adopts its position on new procedural rules for the enforcement of the GDPR
On 10 April 2024, the European Parliament adopted its position regarding additional procedural regulations for enforcing the General Data Protection Regulation (GDPR). The proposed procedural regulation seeks to enhance collaboration among national data protection authorities (DPAs) in cross-border investigations and ensure consistent standards for managing complaints and inquiries. Key provisions include strengthening complainants' rights, establishing clear procedural deadlines, and clarifying guidelines for amicable resolutions. Notably, the Parliament endorsed provisions granting complainants, including privacy activists and consumer organisations, greater involvement in investigations and access to non-confidential documents, alongside enhancing the authority of Member State DPAs and the European Data Protection Board (EDPB) in significant cases. Negotiations on the stance of the Council of the European Union are still ongoing.
European Data Protection Board publishes its opinion on “Consent or Pay” models
On 17 April 2024, the EDPB adopted an opinion about the validity of requesting consent to process personal data for behavioural advertising through “Consent or Pay” models. The EDPB concluded that, in its opinion, it will not be possible for large online platforms to comply with the requirements for valid consent, in cases where they are only providing users with a binary choice between consenting to the processing of personal data for behavioural advertising or paying a fee.
European Cybersecurity Certification Group discusses the EU cybersecurity certification scheme for cloud services
On 15 April 2024, Member State representatives within the European Cybersecurity Certification Group took part in discussions regarding the latest compromise text of the EU cybersecurity certification scheme for cloud services (EUCS). The latest version from the European Union Agency for Cybersecurity (ENISA) eliminated language on immunity from extraterritorial laws, a provision that could have hindered access to the EU single market for US-based cloud providers. Instead, ENISA introduced mandatory transparency obligations.
The following day, during ENISA's national expert group deliberations, France successfully postponed the vote to adopt EUCS until June. If the vote in June favours adoption, the scheme will proceed to the Commission for endorsement and implementation under the EU Cybersecurity Act 2019, establishing a unified framework across the EU. Consequently, national certification schemes with similar scopes, such as C5 in Germany and SecNumCloud in France, would no longer be applicable.
UK
Consumer connected products legislation comes into force in the UK
The UK's new consumer connectable product security regime came into force on 29 April 2024. The legislation, which covers "smart" products and Internet of Things (IoT) devices, is primarily made up of the Product Security and Telecommunications Infrastructure (PSTI) Act 2022 and the accompanying Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023, both of which took effect from 29 April 2024. The legal framework puts in place comprehensive security measures across the supply chain of covered products, encompassing manufacturers, importers and distributors. Failure to adhere to the requirements under the regime might prompt investigations and potentially corrective actions, including product recalls. Non-compliance may also lead to significant financial penalties, with fines reaching up to £10 million or 4% of global turnover, whichever is higher.
National Cyber Security Centre publishes new Cyber Assessment Framework
On 18 April 2024, the National Cyber Security Centre (NCSC) published its updated Cyber Assessment Framework (CAF). The framework outlines a structured method for organisations to evaluate cyber threats to their core functions and operations, encompassing four key objectives: managing security risks, defending against cyber attacks, detecting cybersecurity events, and reducing the consequences of cybersecurity incidents.
The CAF presents a detailed framework of specific cybersecurity outcomes that organisations are encouraged to achieve, organised under a set of fundamental principles. Indicators of good practice (IGPs) are also provided to help gauge progress towards these outcomes. The NCSC acknowledges in its press release that while some aspects of AI-related cybersecurity challenges are covered in the updated framework, the Centre plans to address AI's comprehensive impact in a subsequent version of the CAF.
UK Government publishes guidance on responsible use of AI in recruitment processes
On 25 March 2024, the UK Department for Science, Innovation and Technology issued guidance on the responsible use of artificial intelligence (AI) in recruitment processes. The guidance offers advice for organisations looking to procure or deploy AI tools, focusing on ensuring that such practices are in line with applicable legislation such as the Equality Act 2010, the UK General Data Protection Regulation and the Data Protection Act 2018. Organisations should understand the AI tools' purpose, functionality and integration with current processes and carry out continuous risk management, including impact assessments and bias audits, for example by launching pilot programmes to prevent discrimination against protected groups.
UK joins "Global CAPE"
On 4 April 2024, the UK's Information Commissioner's Office (ICO) announced that it has signed onto a new international multilateral agreement, the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE), to cooperate on cross-border data protection and privacy enforcement. Going forward, the ICO will be able to provide assistance with investigations and share information with other signatory countries without having to enter into separate memorandums of understanding with them. The Global CAPE was originally set up in October 2023 to facilitate cooperation on data privacy enforcement amongst Asia Pacific countries but has since expanded to include members such as the US, Australia, Canada, Mexico, Japan, South Korea, the Philippines, Singapore and Chinese Taipei.
UK and the US sign a Memorandum of Understanding on AI safety
On 1 April 2024, the UK Department for Science, Innovation and Technology and the US Department of Commerce signed a Memorandum of Understanding (MoU) on AI safety. The MoU outlines that the two signatory countries will seek to work together to develop a robust approach to AI safety testing and ensure that the risks involved are tackled effectively. In addition, the two signatories will explore opportunities for personnel exchanges between the UK and US AI safety institutes.
The MoU follows the AI Safety Summit in November 2023 in the UK, where the two countries committed to collaboration.
ICO publishes its Children's Code strategy for 2024 – 2025
On 3 April 2024, the ICO published its 2024 – 2025 strategy for children's online privacy, with a particular emphasis on social media and video-sharing platforms. The strategy extends the ICO's efforts to enhance privacy protections for children on digital services such as websites, apps, and games, following the launch of the Children's Code in 2021. The key areas of focus in the updated strategy include default privacy and geolocation settings, regulating the profiling of children for targeted advertising, managing the use of children's data in recommendation algorithms, and handling the information of children under the age of 13.
The ICO plans to conduct evidence gathering, stakeholder engagement, and supervision and enforcement activities. As a part of its evidence collection, a call for evidence will be issued in the summer of 2024 to seek contributions from various interested parties.
ICO launches third phase of genAI consultation
On 12 April 2024, the ICO launched the third phase of its consultation series on generative artificial intelligence (genAI). The third phase of the consultation focuses on how the accuracy principle applies to outputs of genAI models. The consultation briefing explains that the more important and impactful a decision made by genAI is, the higher the accuracy required for the output must be. The consultation recommends that organisations get to the bottom of the type of training data they are using, understand how it is impacting the model output and consider whether the statistical accuracy of the data set is sufficient for the purposes of the model.
Comments for the third phase of the consultation can be submitted until 10 May 2024.
Americas
US
Privacy legislation on both state and federal levels makes progress in the US
On 4 April 2024, the Kentucky governor signed House Bill 15 into law, making Kentucky the fifteenth state to adopt a comprehensive consumer privacy law. While the new legislation largely aligns with other state privacy laws, such as the Virginia Consumer Data Protection Act, there are some notable differences such as the lack of universal opt-out mechanisms for consumers and a permanent 30-day cure provision after a violation has been identified.
Meanwhile, federal data legislation has seen movement in Washington. On 7 April 2024, federal lawmakers introduced the American Privacy Rights Act of 2024 (APRA), which is an updated version of the American Data Privacy and Protection Act of 2021, which never made it out of the committee stage. If the new legislation is passed – which remains to be seen – it would pre-empt many of the data protections passed by states individually and provide uniformity to US data privacy requirements.
US reauthorises section 702 of the Foreign Intelligence Surveillance Act
On 20 April 2024, President Biden signed legislation extending the effect of the Foreign Intelligence Surveillance Act (FISA) section 702 for another two years. Section 702 authorises US government surveillance of communications of non-Americans located outside the US for foreign intelligence purposes. The law has been heavily criticised by privacy advocates and regulators in other jurisdictions and the bill faced significant opposition from both ends of the political spectrum, as legislators sought to introduce amendments to both further restrict and expand the scope of the surveillance allowed. Ultimately, the law was passed without any of the proposed last-minute amendments, with legislators committing to continue working on amending the statute. The law as passed adds additional oversight to the program, which supporters say should heighten accountability and increase transparency.
US, UK, Australia, New Zealand and Canada publish joint guidance on securely deploying AI systems
On 15 April 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) announced that cybersecurity, AI and investigations agencies across the US, UK, Australia, New Zealand and Canada have signed a Joint Guidance on Deploying AI Systems Securely. The purpose of the guidance is to provide effective measures to address and reduce known cybersecurity risks associated with AI systems. It offers strategies for organisations to safeguard, monitor and react to threats targeting AI and related services, particularly when integrating AI systems developed by third parties into their operations. Organisations are advised on preparation steps for new AI system implementations, including ensuring system compatibility with existing IT infrastructure, establishing security perimeters for the AI system, and identifying key personnel responsible for oversight.
Middle East
Israel's Privacy Protection Authority publishes guidelines for managing open-source code security risks
On 10 April 2024, the Israeli Privacy Protection Authority (PPA) published guidelines for managing security risks inherent to open-source code. The guidelines detail how open-source code can be used in compliance with the Protection of Privacy Law 5741-1981, while still maintaining data privacy. The guidelines identify several security risks inherent to open-source code, including insufficient understanding of the code components, inadequate ongoing maintenance and support, the presence of known vulnerabilities that could permit unauthorised database access, undiscovered zero-day vulnerabilities and potential backdoors that enable remote code execution by attackers.
To counter these risks, the PPA recommends proactive measures for organisations, such as conducting training programmes and adopting a privacy by design approach before integrating open-source code.
Dubai joins "Global CAPE"
On 18 April 2024, the office of the Data Protection Commissioner at the Dubai International Financial Centre (DIFC) made an announcement on LinkedIn regarding its acceptance into the Global CAPE. The Commissioner detailed that, being at the forefront in the creation of the Global Cross-Border Privacy Rules (CBPR) Forum, they would persist in their endeavours to incorporate CBPRs as a viable alternative for data transfers. Dubai joins the UK as a new signatory to the Global CAPE, a collaboration of countries across the globe on privacy related enforcement.
Africa
Ethiopian Parliament passes Personal Data Protection Bill
On 4 April 2024, the Ethiopian Parliament approved the country's Personal Data Protection Bill. The Bill outlines fundamental data protection principles on data subject rights and processing of personal data and sets up an independent supervisory authority. The Bill focuses on personal data that can be used to uniquely identify a person based on physical, physiological or behavioural characteristics, and outlines specific requirements around processing of personal data of minors. The Bill will apply to data controllers and processors who are established in Ethiopia or where the data processed is located on a device in Ethiopia.
The Ministry of Innovation and Technology has also confirmed its approval of this Bill in Proclamation No 1321/2016.
Cyberspace Administration of China announces China-Africa artificial intelligence cooperation
On 3 April 2024, the Cyberspace Administration of China (CAC) announced a China-Africa AI cooperation. The announcement comes in the wake of the China-Africa Internet Development and Cooperation Forum held in Xiamen from 2 to 3 April 2024.
The China-Africa AI cooperation will seek to strengthen dialogue and cooperation on AI policy and best practices, promote research and development between Chinese and African enterprises and academic institutions as well as across industry, engage in personnel exchanges and build a strong network against cyberattacks. The main areas of interest will be big data analysis, machine learning, natural language processing and computer vision within the agriculture, medical care, education and urban management sectors.
UAE and Kenya sign investment memorandum on AI and digital infrastructure development
On 29 March 2024, the UAE and Kenya signed an investment memorandum to establish a framework for collaboration in digitalisation and technology investment. The agreement envisages exploring investments in digital infrastructure and AI services in Kenya, with plans to develop data centre projects with a total capacity of up to 1,000 megawatts in the country. The cooperation also involves assessing the technical and investment potential of developing large language models. The memorandum comes in the wake of increased collaboration between the two countries under the Comprehensive Economic Partnership Agreement, with representatives from both UAE and Kenya commenting on the positive impact the memorandum will have on collaboration.
Additional Information
This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.
The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.