
Clifford Chance


Talking Tech

Tech Policy Unit Horizon Scanner

June 2024

Topics: Artificial Intelligence, Data Privacy, Cyber Security | 30 June 2024

2024 will go down as a year of momentous elections. As we reach the halfway mark, data remains centre stage. With the UK taking to the polls on 4 July, the country's data protection agency, the ICO, issued advice on the appropriate use of data for the election campaign. Meanwhile, the UK government, in its pre-election 'wash-up' period, had to decide fast which bills to push through, before parliament went into recess. Notably, the Digital Markets, Competition and Consumers Act made its way through, imposing new consumer-facing obligations on businesses with significant market power in the digital sector. The Competition and Markets Authority will be the responsible enforcing entity, and it launched a consultation, seeking feedback on its supervisory plans. The Data Protection and Digital Information Bill, however, did not make the cut.

Elsewhere in the world, the threat to IT systems posed by hacking and scamming is occupying the minds of regulators. Australia issued updated guidance on the risks posed by the use of legacy IT systems, together with another set of cybersecurity guidance for small businesses. In India, the Data Security Council released a white paper on scamming in the Unified Payments Interface system, a popular payments platform used in both B2B and B2C transactions. China's information security committee, the TC260, added two cybersecurity consultations to a long list of national standards the country has issued in the first half of the year. Progress in Europe on its centralised cloud cybersecurity certification scheme has hit another roadblock, however, with the latest proposal stuck due to a lack of clarity on the interplay between the EUCS and national schemes.

Following a busy spring of issuing new guidance and legislation, many regulators are now turning to enforcement. The European Commission has been busy monitoring compliance under its flagship digital markets package, with the latest move consisting of sending requests for information to three market players under the Digital Services Act. Israel's Privacy Protection Authority continues its work on the indictment of nine defendants involved in large-scale trafficking of sensitive insurance information, and Kenya published two new fines under its Data Protection Act.

APAC (excluding China)

Australian Signals Directorate releases updated cybersecurity guidance

On 12 June 2024, the Australian Signals Directorate (ASD) released two sets of updated cybersecurity resources, one aimed at smaller businesses and another on legacy IT systems. The former outlines common cybersecurity threats that impact smaller businesses and offers guidance on how these businesses can protect themselves online. It examines the common threats of email compromise attacks, scam messages, malicious software and ransomware, noting that small and medium businesses are increasingly becoming targets. The second guidance focuses on mitigating cybersecurity risks associated with legacy IT systems, i.e. outdated IT systems still in use. It offers advice on managing and updating legacy systems, as well as practical advice on how to minimise the risk of issues where a move away from outdated systems is not yet possible.

Data Security Council of India releases white paper on UPI

On 4 June 2024, the Data Security Council of India (DSCI) released a white paper addressing the issue of scams within the Unified Payments Interface (UPI) system. The UPI system is an instant payment system popular in India that facilitates both inter-bank and customer-merchant transactions. The paper identifies the methods by which fraudsters gain access to sensitive user information or deceive users into authorising transactions. It outlines the particular vulnerabilities that exist within UPI at product and system levels and suggests a comprehensive strategy to reduce the risk of fraud. One of the central recommendations is the creation of a Comprehensive Fraud Reporting and Management System (CFRMS), which would streamline the processes of reporting, investigating, and managing fraud.

Hong Kong PCPD publishes model personal data protection framework for AI

On 11 June 2024, the Hong Kong Privacy Commissioner for Personal Data (PCPD) released the Artificial Intelligence: Model Personal Data Protection Framework, which provides personal data protection guidance for the use of AI systems. The framework, building on previous guidance from 2021, outlines best practices for organisations that procure AI solutions, focusing on compliance with the Personal Data (Privacy) Ordinance (PDPO) and emphasising accountability, the importance of risk assessments, and the customisation of AI systems to ensure data protection principles are upheld. It recommends the establishment of an AI strategy and governance program and the customisation of AI systems with continuous monitoring and human oversight. Additionally, the framework advises on transparency with data subjects and stakeholders regarding AI use and the handling of personal data, including compliance with data subject rights under the PDPO. It also highlights the importance of explainability in AI decisions and outputs, especially when they significantly impact individuals.

Australia and EU hold second digital dialogue

On 12 June 2024, the European Union and Australia held their second Digital Dialogue, during which they agreed to sign an administrative agreement to enhance the enforcement of social media regulations and foster closer cooperation on digital platforms. The dialogue also included discussion on artificial intelligence, focusing on the implementation of the EU's Artificial Intelligence Act and the establishment of an AI Office to guide research and innovation. Additionally, the EU and Australia committed to developing a human-centric data economy characterised by security, interoperability, and trustworthiness. The countries reaffirmed the necessity of preserving a global, open, stable, and secure cyberspace, emphasising the protection of critical infrastructure and the sharing of information on ransomware threats and situational awareness.

China

China's Information Security Standardisation Technical Committee releases consultation drafts on several topics

In the past month, the National Information Security Standardisation Technical Committee (TC260) issued several consultation papers seeking public comments:

On 11 June 2024, TC260 issued a consultation paper for the national standard Cybersecurity Standard Practice Guidelines - Guidelines for Identifying Sensitive Personal Information, which provides a method for identifying sensitive personal information, and lists categories and examples of typical such information. The comment period closed on 24 June 2024, and the Committee is now considering the results.

On 20 June 2024, TC260 issued a consultation paper for the national standard Information Security Technology - Guidelines on Social Responsibility for Data Security and Personal Information Protection, which provides guidance to organisations on understanding social responsibility for data security and personal information protection. The comment period will close on 19 August 2024.

In addition, TC260 released two consultation papers on security protection capability and boundary identification for critical information infrastructure entities, and announced the issuance plan of four further recommended national cybersecurity standards.

China releases a three-year action plan for improving alignment of technology standards

On 29 May 2024, the Cyberspace Administration of China (CAC), the State Administration for Market Regulation and the Ministry of Industry and Information Technology of the People's Republic of China jointly issued the Action Plan for the Construction of Informatisation Standards (2024-2027). The action plan will mainly focus on: (1) innovating the working mechanism of informatisation standards; (2) promoting the development of standards in key areas, such as key information technology, digital infrastructure, data resources, industrial digitisation, e-government, information for the benefit of the people, digital culture, digitalisation, and synergies between digitisation and greening; (3) promoting the internationalisation of informatisation standards; and (4) enhancing the basic capacity for developing informatisation standards, including talent training.

China issues new rules to clamp down on cyber violence

On 12 June 2024, the CAC and four other departments jointly issued the Regulations on the Governance of Online Violence Information, which will come into effect on 1 August 2024. The regulation defines cyber violence as illegal or harmful content targeting individuals, such as insults, rumours, defamation and discrimination, and provides strong support for strengthening the governance of cyber violence and building a sound online environment. Specifically, the regulation stipulates that cyber information service providers shall take primary responsibility for managing online content. It proposes establishing and improving prevention and warning mechanisms, standardising the handling of online violence information, and closing accounts used for cyber violence.

Europe

EU AI Act signed by Presidents of the European Parliament and Council

On 13 June 2024, the respective Presidents of the European Parliament and Council of the European Union signed the EU Artificial Intelligence Act (AI Act). The AI Act sets unified rules for developing, deploying, and using AI systems in the EU. It adopts a risk-based approach to regulation, banning certain AI practices considered harmful, such as manipulative cognitive behavioural techniques and social scoring, while imposing strict requirements on high-risk AI systems, including the requirement to carry out a fundamental rights impact assessment. The AI Act will now be published in the EU's Official Journal and will come into force 20 days after publication. Its obligations take effect in phases, the first applying six months after the AI Act's entry into force.

On 19 June 2024, the European Commission announced the first high-level meeting of the AI Board under the AI Act. This meeting aimed to set the agenda for its implementation. The Commission noted that the AI Board discussed the strategic vision for the AI Act and the role of the AI Board, national approaches to AI governance and supervision, and the organisation of the AI Board.

European Commission continues DSA enforcement by targeting pornographic platforms

On 13 June 2024, the European Commission sent formal requests for information to Pornhub, XVideos, and Stripchat, as the Commission continues its enforcement of the Digital Services Act (DSA) to ensure compliance with the new regulatory standards protecting users online and enhancing transparency. These platforms are now required to detail the measures they have implemented to assess and mitigate risks related to the protection of minors online, prevent the spread of illegal content, and curb gender-based violence. Furthermore, the Commission seeks information on the age verification mechanisms these companies have adopted and their internal organisational structures to ensure DSA compliance. Pornhub, XVideos, and Stripchat have been given until 4 July 2024 to provide the requested information. The Commission has warned that a failure to respond, or providing incorrect, incomplete, or misleading information, could result in significant fines and a formal decision to compel the information.

EU Cloud Cybersecurity Certification scheme delayed amid sovereignty debate

On 18 June 2024, the European Cybersecurity Certification Group (ECCG) failed to adopt the latest version of the EU Cloud Cybersecurity Certification (EUCS) scheme, contrary to expectations. The current version excludes the controversial 'sovereignty criteria' that France is advocating for, to prevent the extraterritorial application of non-EU laws. The European Commission, which chairs ECCG meetings, has not yet addressed France's query on the interaction between EUCS and national cloud cybersecurity schemes of Member States. The Commission is reportedly preparing guidelines to clarify the conditions under which Member States can implement additional rules beyond EUCS, such as the 'immunity criteria' in France's SecNumCloud scheme. These guidelines may be presented at the ECCG's next meeting around mid-July. Meanwhile, a coalition of 26 business groups, including Allied for Startups and the American Chamber of Commerce to the EU, has expressed frustration and is advocating for the adoption of the current draft without further delay.

OECD publishes report on 'digital safety by design for children'

On 19 June 2024, the Organisation for Economic Cooperation and Development (OECD) issued a report titled Towards digital safety by design for children which explores the concept of digital safety by design. The report provides an overview of selected guidance and laws from OECD countries concerning online safety for children. It outlines various approaches to designing online safety, emphasising actions that digital service providers should consider. Key components include using technology-neutral age assurance mechanisms to provide age-appropriate experiences, safeguarding children's privacy and personal data, ensuring user safety information is presented in a clear and comprehensive manner for young audiences, facilitating complaints and redress processes, flagging unsafe and illegal content, promoting a culture of safety and well-being through public awareness and corporate responsibility, and conducting child rights impact assessments. The report underscores the importance of tailored approaches for different types of digital services.

UK Digital Markets, Competition and Consumers Act becomes law and CMA launches consultation

On 24 May 2024, the UK's Digital Markets, Competition and Consumers Act became law. The Act targets companies with 'strategic market status', a status which implies significant market power and importance in digital sectors. A company with a global turnover exceeding £25 billion, or UK turnover exceeding £1 billion, will be caught. The Act imposes new obligations on businesses, including providing clear information to consumers regarding subscriptions, notifying them before trial periods end, and facilitating easy contract termination. It also empowers the Competition and Markets Authority (CMA) to oversee digital market competition, establishes penalties for consumer law violations, and enhances consumer protections against unfair practices, subscription traps, and saving scheme prepayments. The CMA also launched a consultation on its new powers under the Act, which covers guidance for companies and explains the regulator's investigatory and enforcement powers. The consultation will be open until 12 July 2024.

UK ICO issues guidance on personal data and the general election

On 30 May 2024, with the UK's upcoming general election set for 4 July 2024, the Information Commissioner’s Office (ICO) published guidance addressing public concerns regarding the use of personal data during the election campaign. The ICO has collaborated with multiple regulators and reinforced support for MPs managing constituency casework, reminding political parties of their data protection obligations. Clear privacy information is expected from political parties, particularly regarding how they use personal data, such as for postal vote registration, which should not be unexpectedly used in campaigns. Another topic covered is profiling, which involves combining various data sources, and is used by parties to target marketing efforts. Parties must clearly disclose any profiling techniques in their privacy notices. The ICO’s guidance ensures that personal data handling during political campaigning complies with UK GDPR, Data Protection Act, and Privacy and Electronic Communications Regulations, providing clarity and practical advice without introducing new obligations.

UK ICO and German BfDI sign Memorandum of Understanding

On 11 June 2024, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the UK ICO signed a Memorandum of Understanding (MoU) on bilateral cooperation, consolidating the existing cooperation between the two authorities. The BfDI emphasises that, despite the ICO's departure from the European Data Protection Board, the two regulators have continued, and will continue, to work closely together. The MoU also covers information exchange, joint research and other cooperation efforts, such as the secondment of staff.

UK House of Commons publishes report on AI governance

On 28 May 2024, the UK House of Commons Science, Innovation and Technology Committee published a report on AI governance. The report updates the twelve challenges of AI governance initially outlined in an interim report in 2023, and is primarily concerned with the challenges of AI governance, particularly the opaque nature of the AI decision-making process, known as the black box effect. It emphasises the need for rigorous testing of AI outputs to ensure their reliability and rationality. The report also addresses the potential necessity for new legislation if the UK's current approach to AI regulation is found lacking. According to the report, the success of the UK's principles-based approach hinges on three main factors: the extension and clarity of regulatory powers through gap analysis, the coordination between overlapping regulatory jurisdictions, and ensuring that regulators have sufficient resources and expertise.

Americas

Vermont data privacy act is vetoed

On 13 June 2024, Vermont became the first US state to veto a proposed state-level privacy law. The draft law was passed by the Vermont House and Senate and sent to Vermont Governor Phil Scott for signature and ratification on 7 June. However, on 13 June, Governor Scott vetoed the Act, claiming that it was overly progressive and would hurt businesses, especially through the private right of action it included. Governor Scott had expressed doubts over the Act previously, and he is a member of the Republican Party, which has in the past been hesitant to enact data privacy legislation at the state level. Subsequently, the General Assembly failed to overturn the Governor's veto and thus the veto was sustained. The Democratic Party, however, has already announced its plans to continue to push data privacy legislative efforts.

US Treasury Department proposes new rules to address certain technology investments in countries of concern

On 21 June 2024, the US Treasury Department proposed regulations pursuant to President Biden's 9 August 2023 executive order restricting certain US outbound technology investments in countries of concern. The current aim of the proposed rules is to prevent the exploitation of US resources by China, Hong Kong and Macau seeking to enhance their military, intelligence, surveillance or cyber-enabled capabilities in a way that poses a national security risk to the US. The 'critical' technologies the regulations focus on include innovations in semiconductors, quantum computers and artificial intelligence. The Treasury Department proposal is open for public comment until 4 August 2024.

Middle East

DIFC Academy and CMT Association forge strategic partnership on technical analysis training

On 6 June 2024, the Dubai International Financial Centre (DIFC) announced that the DIFC Academy and the Chartered Market Technician (CMT) Association have partnered to enhance financial education and technical analysis training. This strategic partnership, marked by the signing of a Memorandum of Understanding (MoU), aims to develop advanced training programmes in technical analysis, behavioural finance, market strategy, and FinTech integration. These programmes are designed to meet the needs of finance professionals and combine the DIFC Academy's expertise in capital markets with the CMT Association's global community knowledge. The collaboration is committed to promoting continuous learning and professional development, setting new standards in financial education and technical analysis training.

Israeli Privacy Protection Authority indicts nine defendants for trafficking of sensitive personal information

On 25 June 2024, the Israeli Privacy Protection Authority (PPA) announced the indictment by the State Prosecutor's Office of nine defendants for trafficking sensitive personal information. The indictment follows a criminal investigation by the PPA in 2022, which discovered that the personal information of tens of thousands of insurance policyholders had been compromised. The personal information involved includes the names, ID numbers, mobile numbers and insurance details of those affected. According to the indictment, multiple privacy offences, including breach of privacy and disclosure of confidential information, will be tried.

Africa

Nigerian Data Protection Commission issues draft NDPA implementation directive

On 31 May 2024, the Nigerian Data Protection Commission (NDPC) issued the draft General Application and Implementation Directive (GAID) to guide the implementation of the Nigeria Data Protection Act (NDPA). The GAID outlines the NDPA's scope, especially regarding data controllers and processors outside Nigeria, and specifies the data subjects covered by the Act. It clarifies that in case of conflicting provisions, the NDPA will take precedence. It also sets out the NDPC's role in creating sector-specific data protection guidelines, addresses the appointment and responsibilities of Data Protection Officers (DPOs), clarifies the conditions for conducting Data Privacy Impact Assessments (DPIAs), and provides definitions for terms such as 'necessary cookies'. Further, until specific cross-border data transfer guidelines are established, Schedule 3 of the GAID will serve as the interim standard for assessing countries' data protection adequacy.

Kenyan Data Protection Commission ramps up enforcement of the Data Protection Act

On 6 June 2024, the Kenyan Office of the Data Protection Commissioner (ODPC) released its decisions on two fines for Data Protection Act (DPA) violations. Under decision 0129/2024, the ODPC ordered a healthcare company to pay a fine of KES 1.45m for failing to stop using the complainant's personal data and for failing to inform the complainant of such use. Similarly, under decision 0151/2024, the ODPC fined a fashion company KES 1.5m for failing to obtain continued consent for the use of certain images and data for advertising purposes. These decisions follow increased activity by the ODPC, which has already issued multiple fines earlier in the year (see e.g. here and here).

Additional Information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.