Tech Policy Unit Horizon Scanner
August 2024
Recent weeks have seen substantial regulatory activity in the realm of data protection, cybersecurity and artificial intelligence. Social media has continued to be in the crosshairs of public scrutiny and policymakers. X was taken offline in Brazil after a deadline passed for it to name a legal representative in that country. In the UK, policymakers focused on a possible re-opening of the recently passed Online Safety Act following widespread violence by far-right groups, which appeared to be aggravated by misinformation circulated on X in the wake of stabbings in the northern English town of Southport.
Regulators and shareholders alike scrutinised CrowdStrike in the U.S. in the aftermath of the outage on 19 July 2024. CrowdStrike was immediately hit with a securities class-action by shareholders alleging that the company made materially "false and misleading" statements about the integrity of its IT controls. Subsequently, two nationwide class action suits were filed against the company alleging that it was negligent in testing and deploying its software; other companies affected by the outage are also considering legal action.
On 28 August, 2024, the California Senate passed SB 1047 (the "Safe and Secure Innovation for Frontier Artificial Intelligence Models Act"), moving the bill onto Governor Newsom’s desk to either sign into legislation or veto. If passed, the bill would have a significant impact on artificial intelligence (AI).
Elsewhere, we have seen a trend of countries strengthening data protection and privacy laws to align with global data regulatory standards. Building on momentum in the African region, Botswana's Minister published a bill amending the Data Protection Act, extending the application of the Act to data controllers that may not be established in Botswana but have processing activities or services related to data subjects in Botswana.
European action has not let up either this month, as the Dutch Data Protection Authority fined Uber EUR 290 million for unlawful data transfers of European taxi drivers' personal data to the US without adequate safeguards. The DPA found this to be a clear violation of the GDPR, as sensitive data was transferred without sufficient protection, and the DPA worked closely with the French DPA and other European DPAs to coordinate action.
APAC (excluding China)
Hong Kong Monetary Authority issues a circular on Consumer Protection in respect of Use of Generative AI
On 19 August 2024, the Hong Kong Monetary Authority (HKMA) issued a circular to authorized institutions with a set of guiding principles on the use of generative AI in customer-facing applications from a consumer protection perspective. The circular builds on its previous circular on consumer protection with respect to the use of big data analytics and AI (BDAI), issued on 5 November 2019 (2019 BDAI Circular). In this circular, the HKMA sets out additional principles under each of the four major areas of the 2019 BDAI Circular (governance and accountability, fairness, transparency and disclosure, and data privacy and protection) to ensure appropriate safeguards for consumer protection when GenAI is adopted for customer-facing applications.
Australian Government publishes policy for responsible use of AI
On 16 August 2024, the Australian Government released the Policy for the Responsible Use of AI in Government, which takes effect on 1 September 2024. The policy specifies, in particular, how the Australian Public Service will embrace the benefits of AI and bolster public confidence by improving transparency, governance and risk assurance. Agencies are strongly encouraged to implement AI fundamentals training for all staff within six months of the policy taking effect, with additional training tailored to roles involving procurement, development, training and deployment of AI systems. Agencies must make publicly available a statement outlining their approach to AI adoption within six months of the policy taking effect, which should also be reviewed and updated annually. They must also designate accountable officials for implementation of the policy within their organisation.
Australian Prudential Regulation Authority releases guidance on common cyber control weaknesses
On 15 August 2024, the Australian Prudential Regulation Authority (APRA) sent a letter to all regulated firms in Australia outlining common cyber control flaws. APRA reiterated the importance of complying with CPS 234 Information Security (CPS 234) requirements and highlighted common cyber weaknesses observed in configuration management, privileged access management, and security testing. Regulated firms must address any identified gaps that could materially impact their risk profile or financial soundness and notify APRA of such material security control weaknesses as required under CPS 234. The letter also encourages entities to conduct regular self-assessments as per the Prudential Practice Guide, CPG 234, and adopt mitigation strategies from established frameworks like the so-called "Essential Eight" set of measures.
Singapore CSA calls for feedback on guidelines on securing AI systems
The Cyber Security Agency of Singapore (CSA) issued a call for public feedback on the proposed Companion Guide on Securing AI Systems and Guidelines on Securing AI Systems on 31 July 2024. Specifically, the CSA emphasised that as AI becomes more and more integrated into enterprise systems, the draft Guidelines seek to identify potential security risks associated with the use of AI and set out guidelines for mitigating security risks at each stage of the AI lifecycle. The proposed Guidelines make clear that they should be applied in conjunction with current IT environment security regulations and best practices. Furthermore, the draft Guidelines state that they do not address particular AI problems, such as the misuse of AI for the purpose of circulating deceptive information, deepfakes used in scams, and cyberattacks facilitated by AI. The Companion Guide is intended as a community-driven resource that complements the Guidelines, serving as a helpful reference containing practical measures.
China
Cyberspace Administration of China releases consultation draft on administrative measures for network identity authentication
On 26 July 2024, the Cyberspace Administration of China issued a consultation paper for the Administration Rules of National Network Identity Authentication Public Services aiming to enhance personal information protection and regulate the administration of public services. The consultation paper comprised 16 articles, clarifying key concepts such as public services, net number, and net certificate, as well as specifying the ways and scenarios for public services usage. It also emphasizes the obligations and liabilities of public service and internet platforms concerning data and personal information protection. The comment period closed on 25 August 2024.
China's Information Security Standardisation Technical Committee releases drafts on data interface security risk monitoring and security requirements for data processing during internet platform outages for comments
On 2 August 2024, the National Information Security Standardization Technical Committee (TC260) issued a consultation draft for the national standard Data Security Technology - Data Interface Security Risk Monitoring Methodology. This draft outlines the methods, content, and processes for monitoring data interface security risks, and specifies the monitoring points for each stage of risk monitoring. The comment period will close on 1 October 2024.
On 7 August 2024, TC260 issued a consultation paper for the national standard Cybersecurity Standard Practice Guidelines - Security Requirements for Data Processing during Internet Platform Outages, which provides requirements for processing general, personal and key data where internet platforms shut down. The consultation paper offers practical guidance for data processors on internet platforms and further promotes cybersecurity and data utilisation. The comment period closed on 22 August 2024.
Europe
EU Commission seeks public feedback regarding review of EU-US Data Privacy Framework
On 9 August 2024, the European Commission announced the launch of a public consultation to gather feedback for its upcoming report on the first review of the EU-US Data Privacy Framework (DPF). The DPF allows free flows of personal data from the EU to participating companies in the US. This review, mandated by the adequacy decision adopted in July 2023, is intended to assess the effectiveness and proper implementation of the DPF. Feedback can be submitted until 6 September 2024.
EU Commission sends request for information to Meta under the DSA
On 16 August 2024, the European Commission informed Meta of its request for information under the DSA about its compliance with giving researchers access to public data on Meta's platforms such as Facebook and Instagram, along with updates on election and civic monitoring. The request concerns details about Meta's content library and application programming interface (API). This is in addition to the formal opening of proceedings by the European Commission against Meta in April 2024, which is still pending. One of the complaints is the alleged absence of an effective third-party, real-time civic discourse and election monitoring tool ahead of European Parliament and national elections, as well as Meta's alleged shortcomings regarding researchers' access to publicly available data. Meta must submit the required information by 6 September 2024. After evaluating the responses, the European Commission will decide on the subsequent actions, which may involve interim measures or non-compliance rulings.
Apple to comply with the DMA by allowing EU users more freedom in their use of Apple products
On 22 August 2024, Apple indicated to its developers that there will be upcoming changes for EU users of Apple products regarding the deletion of applications. By the end of this year, Apple will introduce changes to the browser choice screen, default apps, and app deletion for iOS and iPadOS users in the EU. These changes result from talks between the European Commission and Apple about meeting the requirements of the Digital Markets Act (DMA). From now on, EU users with Safari set as their default browser will see the updated choice screen. iOS 18 and iPadOS 18 will feature a new Default Apps section in Settings listing available default options for each user. For instance, the App Store, Messages, Photos, Camera and Safari will now be removable for EU users.
Dutch DPA fines Uber EUR 290 million for unlawful data transfers to the US
On 26 August 2024, the Dutch Data Protection Authority (AP) imposed a fine of EUR 290 million on Uber for transferring the personal data of European taxi drivers to the US without adequate safeguards. The AP found that Uber’s actions violated the EU GDPR, as the company failed to ensure sufficient protection of sensitive data, including account details, location data, and identity documents. This breach persisted for over two years, during which Uber did not use appropriate transfer mechanisms after the invalidation of the EU-US Privacy Shield. This investigation was initiated after more than 170 French drivers lodged complaints, leading the French DPA (CNIL) to involve the AP, given Uber's European headquarters in the Netherlands. The AP worked closely with CNIL and coordinated the decision with other European DPAs.
EU and China launch Cross-Border Data Flow Communication Mechanism
On 27 August 2024, the European Union and China officially launched discussions under the new Cross-Border Data Flow Communication Mechanism. Sabine Weyand, director-general of DG Trade at the European Commission, and Vice-Minister Wang Jingtao of the Cyberspace Administration of China met online to initiate this mechanism, which aims to address the challenges European companies face with cross-border transfers of non-personal data in China. This initiative stems from the 2023 political agreements between EU and Chinese leaders, aiming to facilitate data flows essential for sectors like finance, pharma, and ICT. Further expert-level engagements are planned to assess progress and enhance cooperation.
UK Online Safety Act: fit for purpose?
In the context of the violent protests over the recent Southport stabbings in the UK this month, questions have been raised about the role of social media in stirring up hatred, provoking violence and spreading disinformation, fuelling the riots.
On 7 August 2024, the UK's communications regulator, Ofcom, published an open letter to online service providers, reminding them of the range of responsibilities platforms currently have under Ofcom's regulations for video-sharing platforms, which predate the Online Safety Act, and reminding them that Ofcom expects platforms to anticipate and respond to the potential spread of harmful video content of recent events.
Despite Ofcom's warning to social media platforms to "act now", Prime Minister Keir Starmer was not satisfied with this response and two days later, announced that ministers will review the Online Safety Act. This followed comments by the London mayor, Sadiq Khan, that the role of misinformation in recent unrest has shown the Online Safety Act is not fit for purpose and needs to be revisited. Ofcom acted quickly in response to this, announcing that it is hiring more online safety staff in order to strengthen the enforcement of the Online Safety Act and projecting that its headcount in the team will grow to 557 by March 2025.
The ICO launches a public consultation on allocating controllership across the generative AI supply chain
On 22 August 2024, the Information Commissioner's Office (ICO) launched a public consultation titled "Generative AI fifth call for evidence: allocating controllership across the generative AI supply chain". This is the fifth and final draft chapter in the ICO's consultation series on generative AI and data protection, and it sets out the ICO's emerging thinking on generative AI development and use. The consultation focuses on the allocation of roles and responsibilities in the generative AI supply chain, addressing the recommendation for ICO guidance on the allocation of accountability in AI-as-a-Service contexts made in Sir Patrick Vallance's Pro-innovation Regulation of Technologies Review.
The ICO is seeking evidence on additional processing activities and actors not included in the consultation, alongside the relevant allocation of accountability roles. The consultation is open until 18 September 2024.
Americas
California AI Bill passes in state Senate
On 28 August 2024, the California Senate passed SB 1047 (the "Safe and Secure Innovation for Frontier Artificial Intelligence Models Act"), moving the bill onto Governor Newsom's desk to either sign into legislation or veto. Currently, very few U.S. states have enacted AI legislation, with California's SB 1047 being the most comprehensive.* Senator Wiener introduced the bill in February 2024 to regulate AI developers and their models in a manner similar to regulators in Europe. Elon Musk is a proponent of the bill, saying that although "this is a tough call and will make some people upset", the bill should pass due to the risk and safety concerns of AI. Opponents of the bill include Alphabet, OpenAI and Meta, and politicians such as Nancy Pelosi, who argue the bill is overreaching and will stifle innovation.
Note, Clifford Chance offers an AI State Policy Tracker resource for clients. Please contact Inna Jackson for more information.
Aftermath of the CrowdStrike outage
Following the 19 July 2024 CrowdStrike global IT outage, the Austin, Texas-based company faces a multitude of lawsuits and regulatory scrutiny. CrowdStrike was immediately hit with a securities class-action by shareholders claiming the company made materially "false and misleading" statements about the integrity of its IT controls (Plymouth County Retirement Association v. CrowdStrike Holdings, Inc). In August 2024, two nationwide class action lawsuits were filed against CrowdStrike alleging that the company was negligent in testing and deploying its software, leading to Delta Air Lines IT outages affecting travellers (Del Rio v. CrowdStrike Inc. and Harlan v. CrowdStrike Holdings Inc. and CrowdStrike Inc.). In addition, companies affected by the outage, such as other major airlines, public transport, health care and online banking systems, are considering legal action as the outage severely impacted their businesses. Delta has retained legal counsel to pursue a lawsuit against CrowdStrike for damages and claims the outage cost it $550 million. The CrowdStrike incident has also left US regulators considering IT resilience legislation as the EU gears up for the Digital Operational Resilience Act implementation in January, alongside NIS, which is already in force.
Middle East
SDAIA publishes guidelines on data transfers for public consultation
The Saudi Data & Artificial Intelligence Authority (SDAIA) recently published Guidelines for Binding Common Rules (BCR) for Personal Data Transfer for public consultation. These guidelines, announced on 15 August 2024 via the National Competitiveness Center's Istitlaa Platform, aim to set out the requirements for controllers or processors involved in transferring personal data outside the Kingdom of Saudi Arabia (KSA) to countries or international organisations that do not have an established appropriate protection level for personal data.
The scope of the Guidelines includes comprehensive instructions for entities operating within and outside KSA on developing BCR.
Notably, the Guidelines require that parties to a binding agreement ensure that none of its provisions conflict with the BCR or limit their scope of application. Amendments to the BCR are permitted with the approval of the competent authority to align with organizational changes of the group entities.
Israel's PPL amendment bill passes Knesset
On 8 August 2024, the Privacy Protection Authority (PPA) announced that the Parliament (Knesset) passed the Privacy Protection Bill (Amendment No. 13) into law. This amendment, formerly known as Amendment 14, introduces new and advanced arrangements to address the challenges of the digital age, enhance the protection of the Israeli public's fundamental right to privacy, and strengthen the fight against growing cyber threats.
The UAE's AI Office launches charter for development and use of AI
On 30 July 2024, the United Arab Emirates (UAE) Ministry of Cabinet Affairs announced that the UAE Artificial Intelligence, Digital Economy, and Remote Work Applications Office (the AI Office) had launched a UAE Charter for the Development & Use of Artificial Intelligence. The Charter outlines several general principles to guide the development and use of AI solutions and technologies.
Africa
Senegalese CDP publishes press release on the protection of personal data of minors
On 7 August 2024, the Senegalese data protection authority (CDP) published a press release addressing the need to protect the personal data of minors. The CDP expressed concern regarding the proliferation of videos involving children on social media and stated that this violated the right to privacy of children.
Additionally, the CDP recalled that: (i) the collection and dissemination of images of minors without prior consent from their legal representatives is prohibited; (ii) the Senegalese Penal Code punishes the sharing and disclosure of images that violate the privacy and dignity of persons; and (iii) exposure of children to social media may expose them to risks of cyberbullying, which can lead to harm.
Nigeria's NITDA and NCAIR publish draft national AI strategy
On 2 August 2024, the Nigerian National Information Technology Development Agency (NITDA) and the National Center for Artificial Intelligence and Robotics (NCAIR) published the draft National Artificial Intelligence (AI) Strategy 2024. The draft strategy analyses the AI landscape in Nigeria, discussing its potential to catalyse socio-economic development while highlighting its risks and challenges. The strategy proposes risk mitigation approaches, including identifying areas of trade-off where the Government has to balance competing interests, and mitigating AI risks by considering four factors: accuracy, bias, transparency and governance. The draft strategy also follows 10 principles to achieve the national AI vision for 2024-2028, including responsible and ethical conduct, inclusivity and shared prosperity, innovation and adaptation, sustainability, collaboration, global leadership, transparency and accountability, being human-centric, risk management and resilience, and data ethics and agency.
Botswana's Minister publishes bill amending the Data Protection Act
On 26 July 2024, the Minister for State President published Bill No. 19 of 2024 for the Data Protection Bill 2024. The bill seeks to repeal and re-enact with amendments the Data Protection Act. Some of the main amendments are to the following aspects of the Act: (i) extending the application of the Act to the processing of personal data by automated means; (ii) extending the application of the Act to data controllers not established in Botswana but which have processing activities or services related to data subjects in Botswana; and (iii) providing for a Data Protection Impact Assessment to be carried out prior to processing, in order to assess the risk of such processing activities.
Additional Information
This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.
The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.