Clifford Chance

Talking Tech

Tech Policy Unit Horizon Scanner

May 2024

Artificial Intelligence, Data Privacy, Cyber Security

31 May 2024

The race to regulate AI is gathering speed. The Council of the EU passed the AI Act, which was the final step before the Act comes into force in June, starting a complex and phased implementation period. A bipartisan Senate committee in the US published a long-awaited AI roadmap which stopped short of proposing federal legislation. A two-day summit on AI safety took place in Seoul, co-hosted by the UK and the Republic of Korea. Ahead of the summit, the UK's Department for Science, Innovation and Technology published an interim report on the safety of advanced AI systems, proposing a three-way categorisation of risks facing general purpose AI systems. The department was also busy concluding a cooperation agreement on AI safety with Canada, while the UK's AI Safety Institute launched a first-of-its-kind publicly available platform, which will help organisations at all levels evaluate the safety of their AI systems.

Throughout May, a number of countries started revealing their plans for upcoming legislative cycles. Australia's Attorney General announced plans to rework the country's Privacy Act 1988 as part of a wider privacy reform, while China issued its 2024 legislative plan for the State Council, according to which a general AI bill will be introduced to the National People's Congress. Meanwhile the EU Council approved plans for the future of the EU's digital policy, which will focus on the implementation of already adopted laws. The EU also announced plans to start a data adequacy dialogue with Kenya, with Saudi Arabia launching a program for the research, development, and innovation of its cybersecurity space.

At the beginning of the month, cyber security regulators from Australia, the UK, US, Canada and New Zealand issued new guidance on the topic of security-by-design, an approach that envisages the implementation of security measures at the outset of a product's development. They reminded organisations of the importance of following such an approach when developing new digital products, and discussed what measures can be taken to improve both the security of the products and their privacy.

APAC (Excluding China)

27 countries sign statement on AI risk thresholds at AI Seoul Summit

On 22 May 2024, 27 nations endorsed the Seoul Ministerial Statement, committing to establishing common risk thresholds for the advancement and application of cutting-edge artificial intelligence (AI) technologies. The statement acknowledges the necessity of balancing safety, innovation, and inclusivity in AI development and proposes concrete measures to leverage AI's advantages while mitigating its risks. The statement calls for all stakeholders to ensure accountability and transparency across the AI lifecycle, with a focus on frameworks to manage AI risks and the need for credible external evaluations to identify significant risk thresholds. It also recognises AI's transformative potential in various sectors and promotes the accessibility of AI resources for various entities, while emphasising the need for sustainable practices and skills development in the AI workforce.

Additionally, the AI Seoul Summit saw the leaders of Australia, Canada, France, Germany, Italy, Singapore, Japan, South Korea, UK, US and the EU sign a declaration committing to further collaborate amongst themselves and international organisations on the safe, innovative and inclusive development of AI. Sixteen global AI tech companies also signed the Frontier AI Safety Commitments, under which the organisations committed to publishing a safety framework on their risk management, ahead of the 2025 AI Summit in France.

Cybersecurity authorities from Australia, UK, US, Canada and New Zealand publish guidance on security-by-design

On 9 May 2024, the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), in collaboration with the US Cybersecurity Infrastructure Security Agency (CISA), Canadian Centre for Cyber Security (CCCS), UK National Cyber Security Centre (UK NCSC) and the New Zealand National Cyber Security Centre (NZ NCSC), released guidance titled 'Secure-by-Design: Choosing Secure and Verifiable Technologies.'

The guidance provides key cybersecurity considerations for organisations in the process of acquiring digital products and services. It underscores the importance of a 'secure-by-design' approach, which incorporates cybersecurity features from the outset of the product development process, thereby pre-emptively addressing potential threats to bolster both security and user privacy. Furthermore, the guidance details a dual-phase assessment protocol for procurement, advocating for the selection of inherently secure products to reduce exposure to vulnerabilities. It also recommends that organisations review and adapt their own cybersecurity strategies and frameworks to ensure they are in sync with new acquisitions.

Cybersecurity (Amendment) Bill passed by Singaporean Parliament

On 7 May 2024, the Singaporean Parliament passed the new Cybersecurity (Amendment) Bill. This follows the introduction of the Bill in Parliament on 3 April, after it had undergone an extensive consultation period between 2022 and early 2024.

The new Bill revises the Cybersecurity Act 2018, broadening its reach to include all relevant digital infrastructure, not just the current critical infrastructure providers. It will also enhance the existing provisions for critical infrastructure entities, such as imposing more stringent incident reporting duties that extend to supply chain events. Additionally, the Bill establishes two new categories of regulated entities that will be subject to less onerous regulatory demands.

Australia announces plans to renew its Privacy Act 1988

On 2 May 2024, speaking at the Privacy by Design Awards 2024, Australia's Attorney General, the Hon Mark Dreyfus, announced that new amendments to the Privacy Act 1988 (as amended) are set to be introduced this August, as part of a wider privacy reform. The Attorney General confirmed that these changes are being made in response to a directive from the Prime Minister. Furthermore, the Attorney General elaborated that the Government had issued a response to the Privacy Act review covering the period from 2020 to 2023, signalling the commencement of the review process.

South Korean Personal Information Protection Commission publishes manual for personal data leaks

On 29 April 2024, the Personal Information Protection Commission (PIPC) of South Korea released guidance aimed at entities that have experienced a breach of personal data. The PIPC emphasised the necessity for an immediate response when data breaches occur. The guide outlines steps that companies should undertake to limit the fallout from such incidents and details the information that needs to be disclosed to the PIPC and other regulatory bodies. The set of rules applicable and measures to be taken will vary according to the nature of the personal data compromised, the processing circumstances, and the categories of individuals affected.

Japan's Personal Information Protection Commission launches consultation on personal data security

On 15 May 2024, Japan's Personal Information Protection Commission (PPC) launched a public survey focusing on personal data security practices within small and medium-sized enterprises. The survey aims to gather insights into the existing safety management measures that businesses employ to safeguard private and personal data. The results will guide the PPC in developing future strategies and programmes to enhance the understanding of personal information protection among businesses and to consider potential revisions to the system. Interested parties are invited to submit their responses by 28 June 2024. To participate, please complete the survey form available at this link and mail it to the PPC's official address.

China

AI and network data security will feature on the 2024 Chinese legislative plan

On 9 May 2024, China's General Office of the State Council issued the State Council 2024 Legislative Work Plan. According to the plan, a draft AI law will be submitted to the Standing Committee of the National People's Congress for review during the 2024 legislative season. In addition, the consultation draft of the Administrative Regulations on Network Data Security, issued by the Cyberspace Administration of China (CAC) in November 2021, will be put under review as it will likely be suggested for potential issuance in the near future.

China regulates new types of unfair competition in the internet sphere

On 11 May 2024, the State Administration for Market Regulation announced the Interim Regulations on Anti-Unfair Competition on the Internet, aiming to protect customers and prevent unfair competition online. The Regulations comprehensively sort out and list unfair competition behaviours on the internet and highlight the main responsibilities of the platforms. In particular, new types of unfair competition behaviours such as the abuse of business data and algorithms and illegal data collection with the purpose of gaining a competitive advantage by technical means will now become subject to competition regulation. The Regulations will become effective on 1 September 2024.

China releases interim measures on audit data for Chinese accounting firms

On 10 May 2024, CAC and the Ministry of Finance jointly published the Interim Measures for Data Security Management of Accounting Firms. The measures will apply to accounting firms established in China that carry out data processing activities by providing audit services to various entities including, but not limited to: listed companies, unlisted state-owned financial institutions, centrally administered enterprises, critical information infrastructure operators, operators of internet platforms with over one million users, and domestic enterprises for overseas listing. In addition to the other data security regulations set out by the measures, they also require the audit working papers of the in-scope firms to be stored domestically, with approval to be obtained for any exporting of such documents. The measures will take effect on 1 October 2024.

EUROPE

EU Council approves the Artificial Intelligence Act

On 21 May 2024, the Council of the European Union approved rules on AI which will have a global impact. The Artificial Intelligence Act (AI Act) establishes harmonised rules for the development, deployment, and use of AI systems within the EU. It adopts a risk-based approach to regulation, banning certain AI practices considered harmful, such as manipulative cognitive behavioural techniques and social scoring, while imposing strict requirements on high-risk AI systems, including the requirement to carry out a fundamental rights impact assessment. The AI Act also outlines governance structures, including establishing an AI Office, a scientific panel of experts, an AI Board, and an advisory forum. Companies in breach of the Act can be fined up to EUR 35 million or 7% of their annual global turnover, with proportional fines for SMEs and start-ups. The Act will now be published in the EU's Official Journal and will come into force 20 days after publication, with obligations coming into effect in phases, with the first applying six months after the Act's entry into force.

On 29 May 2024, the European Commission also revealed the structure of the new AI Office, shedding light on the governance aspects of the Act. The AI Office will be divided into five key subsections, focusing not only on AI safety, regulation and compliance, but also on excellence, innovation and how AI can be used for wider societal benefit.

European Digital Identity Regulation published in the Official Journal

On 30 April 2024, Regulation (EU) 2024/1183, establishing the European Digital Identity Framework was published in the Official Journal of the EU. The Regulation sets out rules around the provision and use of European Digital Identity Wallets, consisting of electronic identification means that allow the user to securely store, manage and validate person identification data. The Regulation entered into force on 20 May 2024 and will be fully implemented by the end of 2026.

EU Commission opens proceedings against Facebook and Instagram under the Digital Services Act

On 30 April 2024, the EU Commission initiated proceedings against Meta, the provider of Facebook and Instagram, under the Digital Services Act (DSA). The EU Commission indicated that the investigation will focus on specific issues such as: alleged deceptive advertisement and disinformation, visibility of political content, the lack of a reliable tool for third parties to monitor civic discussions and elections in real time, and the mechanisms to report illegal content. Separately, on 8 May 2024, the European Commission issued a request for information to X, seeking details and internal documents concerning the company's content moderation resources. The Commission is inquiring about the company's risk assessments and its strategies to mitigate potential issues arising from the use of generative AI (genAI) tools.  

EU Council identifies main priorities for EU digital policy for the next legislative cycle

On 21 May 2024, the Council of the European Union approved plans on the future of EU's digital policy, emphasising the transformative impact digital technologies will continue to have on EU citizens and businesses. The Council stressed the importance of a safe, inclusive, and human-centric digital transformation, ensuring that digital rights are protected, essential digital skills fostered, and active online participation promoted. To enhance EU's competitiveness, the Council highlighted the need to balance innovation with regulatory measures that protect economic security, and a top priority for the next legislative cycle will be the effective implementation of recently adopted laws. The Council emphasised that digital transformation must also align with the green transition and the EU's ambitious sustainability goals, alongside attracting and retaining a digitally skilled workforce, and addressing the digital divide for women.

UK's ICO publishes its approach to regulating AI

On 30 April 2024, the UK's Information Commissioner's Office (ICO) published its approach to regulating AI. The regulatory strategy focuses on providing risk mitigation guidance for organisations, supporting AI innovators, engaging in rigorous enforcement to protect individuals, and continuing its collaboration with various other bodies. The ICO has already released guidance on several AI-related topics such as automated decision-making, profiling and the explainability of AI-driven decisions, which the regulator will continue to update in parallel to advancements in AI technology.

At the start of 2024, the ICO launched a consultation series on genAI (see our entry below, and our earlier updates here and here) and also paid close attention to biometric technologies, with guidance published in March 2024 (see our earlier update here). The regulator plans to update its AI data protection guidance by spring 2025. However, given that the UK's general election is set to take place in early July 2024 and that the Data Protection and Digital Information Bill has been abandoned, the regulator's focus might still change.

UK Department for Science, Innovation and Technology publishes report on AI safety

On 17 May 2024, the UK Department for Science, Innovation and Technology (DSIT) released an interim report, in connection with the AI Seoul Summit, on the safety of advanced AI. The interim report identifies three risk categories connected to general-purpose AI models: the malicious use of the technology, the risk of malfunctioning leading to biases or loss of control, and the potential of systemic impacts on society in areas such as employment or privacy.

The report proposes technical safeguards such as improved AI training and continuous system monitoring but recognises the limitations in fully understanding AI and assessing its societal effects. It concludes by urging policymakers to stay informed and actively guide AI development to ensure its benefits are harnessed and risks managed, emphasising the importance of balancing innovation with safety and ethics in AI advancement.

UK National Cyber Security Centre publishes guidance on security of machine learning

On 22 May 2024, the UK NCSC released an updated version of its machine learning principles, which it first published in August 2022. The principles are aimed at guiding organisations involved in the creation, deployment and management of machine learning (ML) systems, ensuring they make well-informed decisions when developing the system throughout its lifecycle. ML, a subset of AI, enables computers to identify patterns or solve problems autonomously without explicit programming. The updated principles include new guidance on large language models, supply chain security and lifecycle management, and they reinforce the importance of incorporating security early in the ML development process.

UK's AI Safety Institute launches an AI safety evaluation platform

On 10 May 2024, the UK's AI Safety Institute launched Inspect, a new platform for evaluating the safety of AI systems. This software library provides a toolkit for various users, such as start-ups, AI developers, and governmental bodies, to test and score the performance of their AI models. The Institute outlined that Inspect's utility spans several domains, allowing for the examination of a model's foundational knowledge, reasoning skills, and self-governing functions. They have made Inspect accessible to the wider AI community by releasing it under an open-source license, permitting unrestricted and rapid use.

UK's ICO launches fourth genAI consultation

On 13 May 2024, the ICO launched its fourth consultation chapter on genAI focusing, this time, on data subject rights in relation to training and fine-tuning of genAI models. Individuals have certain rights to access, rectify and erase their personal data, and the ICO is interested in how these rights will apply and be protected throughout the AI lifecycle, specifically for data used to train and fine-tune genAI models. Organisations developing or deploying genAI models are mandated to ensure individuals can exercise these rights, which will include informing individuals about data processing, providing clear information on data usage and rights, justifying exemptions, and employing privacy-enhancing technologies. The consultation seeks input on effective measures to prevent unauthorised data use and evidence on meeting legal obligations while fostering genAI innovation.

UK Department for Science, Innovation and Technology launches consultation on AI and software cybersecurity codes

On 15 May 2024, the DSIT released two draft voluntary codes of practice designed to enhance cybersecurity, launching a public consultation on both draft codes. The first code targets AI and outlines steps for developers to reinforce AI systems against malicious acts, such as tampering and hacking, throughout the lifespan of the system. This code provides specific security guidance and clarifies the duties and responsibilities of different parties involved in maintaining AI security. The second code relates to software cybersecurity, intending to help developers protect software products and services from their early developmental stages through to their retirement. The guidelines are crafted to help organisations implement secure development protocols and handle security weaknesses, differentiating mandatory 'shall' clauses from recommended 'should' clauses to strike a balance between required actions and suggested best practices.

Comments with respect to both draft codes can be submitted until 10 July 2024.

Americas

U.S.

Bipartisan Senate Group Releases AI Roadmap

On 15 May 2024, a group of bipartisan Senators unveiled an AI roadmap, titled 'Driving U.S. Innovation in Artificial Intelligence'. The group, led by Senate Majority Leader Charles Schumer, has been meeting with tech strategy leaders and CEOs for months to develop the plan. The roadmap calls for millions of dollars of funding and necessary AI bills to combat the urgent threats posed by AI.

Updates to American Privacy Rights Act of 2024

On 22 May, the US House Committee on Energy and Commerce Subcommittee on Innovation, Data, and Commerce (Innovation Subcommittee) released a markup of the American Privacy Rights Act of 2024 (APRA), leading to an updated text of the draft bill. One of the key updates was merging the Children and Teens’ Online Privacy Protection Act (COPPA 2.0) into the APRA under Title II. Notably, the new APRA text also adds exemptions for processing and transferring covered data for public or peer-reviewed research projects. The US House Committee on Energy and the Innovation Subcommittee approved the updated draft the following day on 23 May, and the bill will now advance to full committee consideration.

Canada and UK sign agreement to cooperate on AI safety

On 20 May 2024, shortly before the AI Seoul Summit kicked off, Canada and the UK signed an agreement to enhance cooperation on AI safety through their respective AI safety institutes. The agreement, which builds on the Bletchley Declaration adopted last year, includes a commitment from both parties to exchange knowledge to strengthen their current testing and evaluation initiatives, as well as to collectively pinpoint further areas for research partnership. The countries will also be working towards a detailed Memorandum of Understanding concerning AI safety. Significantly, the UK and Canada plan to join forces with the US AI Safety Institute to spearhead a research programme aimed at accelerating progress in the area of systemic AI safety, which focuses on protecting societal infrastructures that are integrating AI technologies.

Middle East

Saudi Arabia's National Cybersecurity Authority launches cybersecurity research and development program

On 9 May 2024, the Saudi Arabian National Cybersecurity Authority (NCA) launched the National Program for Research, Development, and Innovation in Cybersecurity, aimed at revolutionising the country's cybersecurity framework. Its goals are to expedite cyber research progress, improve the creation of cutting-edge solutions for present and impending cybersecurity issues, and to capitalise on both national and international alliances within the cybersecurity sphere.

The NCA has rolled out the inaugural phase of the programme, introducing three pivotal initiatives: the Cyber Research and Innovation Pioneer Grants, the Cyber Industry Research Grants, and the Cyber Innovation Bridges. These schemes are directed at a broad spectrum of participants, including universities, research bodies, cybersecurity experts, researchers, and students with a focus on cybersecurity. The programme has been formulated in tight conjunction with the technical division of the NCA, the Saudi Information Technology Company (SITE), ensuring it is in harmony with the NCA's objectives to cultivate human talent in the cybersecurity domain and to amplify the influence of the nation's cybersecurity efforts.

Israeli Ministry of Justice introduces bill on privacy violation class actions

On 2 May 2024, Israel's Privacy Protection Authority (PPA) disclosed that the Israeli Ministry of Justice has put forward a legislative proposal aimed at revising the existing class action legislation to encompass breaches of privacy, and is seeking public comments on the proposal. The proposed amendments would permit the initiation of class action lawsuits for a range of privacy infringements as outlined in Section 2 of the Protection of Privacy Law (5741-1981). This includes the illicit utilisation of personal data, failure to comply with notification obligations, and grave security events impacting a substantial segment of a database or more than 1,000 individuals. The intention behind the bill is to streamline the process for initiating legitimate and substantiated class actions, with a particular focus on cases involving the infringement of privacy.

Israel Bar Association releases statement on the use of AI within the legal profession

On 7 May 2024, the Israel Bar Association released a statement addressing the employment of AI within the legal profession. The statement highlights the associated hazards, particularly concerning the preservation of client confidentiality and the potential for inadvertent disclosure of private data. The Bar Association recommends that legal practitioners ensure the accuracy of AI-sourced information and limit their use to non-specific or conceptual matters. It further advises against entering personal client data into AI systems and stresses the importance of securing explicit consent prior to utilising client information on AI platforms. These directives are intended to maintain the principle of confidentiality amidst the adoption of AI technologies in legal work.

Africa

Nigerian National Information Technology Development Agency publishes its 2024 – 2027 roadmap

On 4 May 2024, the Nigerian National Information Technology Development Agency (NITDA) published its updated Strategic Roadmap and Action Plan for 2024 – 2027 (SRAP 2.0). The updated SRAP builds on the initial successes of SRAP 1.0, which achieved notable advancements, such as introducing the Nigeria Data Protection Regulation.

SRAP 2.0 aims to cultivate a robust technological research environment with a focus on fields such as AI, the Internet of Things, robotics, and blockchain. It further seeks to strengthen cybersecurity measures and enhance digital trust. SRAP 2.0 is also dedicated to enhancing the enforcement of existing policies, with actions such as the establishment of a data exchange framework, the passing of the Digital Economy Bill, and revisions to the NITDA bill envisaged. These objectives are intended to steer NITDA's activities in advancing Nigeria's digital economy throughout the forthcoming three-year span.

EU and Kenya commence dialogue on data adequacy

On 7 May 2024, Mr Ondrej Simek, the acting Chargé d'Affaires of the EU Delegation to Kenya, announced the commencement of a data adequacy dialogue between Kenya and the EU, marking the first such dialogue in Africa. The EU, Kenya's Office of the Data Protection Commissioner, and the Ministry of Information, Communication and Digital Economy will now commence discussions on creating a secure 'personal data bridge' between Kenya and the EU.

Speaking at the Network for African Data Protection Authorities (NADPA) Conference, Mr Simek highlighted the possibility of Kenya receiving an adequacy decision from the EU, should the discussions prove successful. A favourable adequacy decision would facilitate free data transfers between Kenya and the EU, further enhancing the benefits of the recently concluded EU-Kenya Economic Partnership Agreement. 

Additional Information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.