Clifford Chance

Talking Tech

Tech Policy Unit Horizon Scanner

September 2024

Artificial Intelligence | Data Privacy | Cyber Security | 30 September 2024

In the world of tech policy, September can be marked as a month of firsts. The world's first legally binding treaty on artificial intelligence (AI) was signed by, among others, the US, EU and UK. The treaty's purpose is to set out fundamental principles and rules to ensure the use of AI is fully compatible with human rights, democracy and the rule of law. Meanwhile, Rwanda joined forces with Singapore to publish the world's first AI playbook for small states, addressing the unique challenges small states face in harnessing AI and developing infrastructure to foster AI growth. Continuing the theme of international cooperation, for the first time in the G20's history, the agenda of tackling disinformation and promoting information integrity formed part of the G20 ministerial declaration.

Elsewhere, deepfakes were top of the policy agenda. Saudi Arabia opened a public consultation on draft guidelines for deepfake technologies. Singapore tackled the threat posed by deepfakes to the integrity of elections by introducing a bill to parliament which would make publishing a deepfake of a candidate during the election period an offence punishable by a fine or up to 12 months in prison.

Data - the new water? In the UK the government classified data centres as Critical National Infrastructure (CNI). This new status, the first new classification since 2015, puts data centres on par with essential services like water and energy. It will guarantee them greater government support during critical incidents, including priority access to government security agencies, such as the National Cyber Security Centre, and emergency services.

Finally, tech companies have been active in the courts this month. In the US, TikTok continues to resist the Protecting Americans From Foreign Adversary Controlled Applications Act which requires ByteDance to divest the company by January 2025. In Europe the Court of Justice of the European Union upheld a EUR 2.4 billion fine imposed on Google by the European Commission in 2017 for abusing its dominant market position through self-preferencing behaviour.

APAC (excluding China)

DISR opens public consultation on mandatory safeguards for high-risk AI and publishes Voluntary AI Safety Standard

On 5 September 2024, Australia's Department of Industry, Science, and Resources (DISR) published a notice inviting the public to comment on a proposals paper outlining required guardrails for the responsible and safe application of AI in high-risk situations. DISR is seeking views on the proposed guardrails, how to define high-risk AI, and regulatory options for mandating the guardrails.

On the same day, DISR also released the Voluntary AI Safety Standard which consists of 10 voluntary guardrails that apply to all organisations throughout the AI supply chain. DISR explained that the standard "gives practical guidance to all Australian organisations on how to safely and responsibly use and innovate with artificial intelligence".

HKMA publishes circular on AI monitoring of money laundering and terrorist financing

On 9 September 2024, the Hong Kong Monetary Authority (HKMA) published a Circular titled 'Use of Artificial Intelligence for Monitoring Suspicious Activities' and accompanying Annex. The Circular demonstrated how AI outperforms traditional rules-based transaction monitoring systems in the surveillance of money laundering and terrorist financing. The Circular described how AI-powered systems may consider a wide range of contextual data, with a particular emphasis on the active risk profile and historical transaction patterns of customers, to decide if a customer's activity warrants more inquiry.

Bill concerning deepfakes in elections is presented to Singaporean Parliament

On 9 September 2024, Bill No. 29/2024, the Elections (Integrity of Online Advertising) (Amendment) Act 2024 was introduced to the Singaporean Parliament, amending the Presidential Elections Act of 1991 and the Parliamentary Elections Act of 1954.

The bill makes it an offence during the election period to publish, or cause to be published, digitally generated or manipulated online election advertising that realistically depicts a candidate saying or doing something that he or she did not in fact say or do. An individual found guilty of the new offence would be liable to a maximum fine of $1,000 or to imprisonment for a term not exceeding 12 months or to both. According to the Ministry of Development and Misinformation, Singapore has "observed a worrying trend of malicious deepfakes, including those used for scams and extortion … such content, if left unaddressed, can threaten the integrity of our electoral process. Voters must be able to make informed choices based on facts and not misinformation."

China

China's Cyberspace Administration publishes the annual report concerning information development and consultation paper regarding AI

On 6 September 2024, the Cyberspace Administration of China (CAC) published the National Informatization Development Report (2023), which highlights the advancements in informatization across China. The report emphasises the importance of information technology in economic and social development, and sets key tasks for 2024 to further integrate informatization into national reform and development.

On 14 September 2024, the CAC issued a consultation paper Labelling Method for Content Generated by Artificial Intelligence, which outlines explicit and implicit labelling requirements for service providers and sets guidelines for content dissemination platforms to ensure proper identification and user awareness of AI-generated content. The consultation is open for comments until 14 October 2024.

China's Cyberspace Administration publishes implementation guidelines and memorandum for cross-border data flows in the Greater Bay Area

On 9 September 2024, the CAC announced that it had signed a Memorandum of Cooperation on Promoting Cross-Border Data Flows in the Guangdong-Hong Kong-Macao Greater Bay Area (the Greater Bay Area) with the Financial Affairs Bureau of the Macao Special Administrative Region Government. The memorandum aims at promoting safe and orderly cross-border flow of data in the Greater Bay Area.

In addition, on 10 September 2024, following the memorandum, the CAC issued the Implementation Guidelines for the Standard Contract on Cross-Border Transfer of Personal Information in the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland China and Macao).

The guidelines allow parties in the Greater Bay Area to transfer personal information by entering into the Standard Contract, except for such personal information classified as "important data". The guidelines also emphasise the obligations on data processors to obtain consent and conduct a personal information protection impact assessment before transferring personal information.

Furthermore, the guidelines require the Standard Contract to be filed with the relevant authorities (Guangdong Provincial Cyberspace Administration or Macau Special Administrative Region Government Office for Personal Data Protection).

Europe

EU Commission publishes FAQs and a fact page about the Data Act

On 6 September 2024, the European Commission released Frequently Asked Questions (FAQs) and a fact page to assist with the implementation of the Data Act, which will become applicable on 12 September 2025. The newly published FAQs cover a range of topics, including the interaction of the Data Act with other EU laws, the rights and obligations of users of data, data holders and third parties, as well as guidelines on fair, reasonable, and non-discriminatory (FRAND) conditions, the switching between data processing services, interoperability, and the enforcement of the Data Act.

The fact page titled 'Data Act explained' aims to provide a comprehensive overview of the Data Act, including its objectives and how it works in practice.

EDPB and EU Commission collaborate to clarify the interplay between GDPR and DMA

On 10 September 2024, the European Data Protection Board (EDPB) announced an agreement with the European Commission's services responsible for enforcing the Digital Markets Act (DMA) to jointly develop guidance on the interplay between the DMA and the GDPR. This collaboration aims to ensure the coherent application of both laws to digital gatekeepers. The dialogue will focus on clarifying the obligations of gatekeepers under the DMA that have a significant overlap with the GDPR.

The EDPB and the European Data Protection Supervisor have already engaged with the European Commission on data-related and interoperability obligations within the DMA High-Level Group. The latter was established to provide the European Commission with advice and expertise to ensure coherent implementation of the DMA and other sectoral regulations applicable to gatekeepers.

CJEU upholds EUR 2.4 billion antitrust fine in the 'Google Shopping' case

On 10 September 2024, the Court of Justice of the European Union (CJEU) upheld a EUR 2.4 billion fine imposed on Google by the European Commission in 2017 for abusing its dominant market position. The CJEU's ruling confirmed the decision of the General Court of the European Union, which had also upheld the European Commission's findings. At the heart of the case was Google’s self-preferencing behaviour, where the company favoured its own comparison-shopping service (Google Shopping) by giving it more prominent placement in search results, while demoting competing services through algorithmic adjustments.

Although self-preferencing is not inherently anti-competitive, the CJEU ruled that in this instance, Google’s conduct amounted to an abuse of dominance. The court highlighted that self-preferencing practices must be assessed on a case-by-case basis to determine their competitive impact, concluding that Google's practices distorted competition and unfairly disadvantaged rivals.

UK signs world's first legally-binding AI treaty

On 5 September 2024, the UK signed the Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law in a ceremony in Vilnius, Lithuania. This is the first binding international treaty on AI and was also signed by the US, the EU, Andorra, Georgia, Iceland, Israel, Norway, the Republic of Moldova and San Marino. The treaty formulates fundamental principles and rules to ensure AI is fully compatible with human rights, democracy and the rule of law. Notably, AI systems related to national security are excluded from the Convention's scope. 

Data centres to be classed as Critical National Infrastructure

On 12 September 2024, the Department for Science, Innovation, and Technology (DSIT) announced that UK data centres, including both physical centres and cloud operators, have been classified as Critical National Infrastructure (CNI). This is the first CNI designation in nearly a decade, following the space and defence sectors in 2015. DSIT highlighted that this classification aims to enhance the security of data housed in these centres, such as personal photos, NHS records, and sensitive financial information, against outages, cyber attacks, and adverse weather.

The new status places data centres on par with essential services like water and energy, ensuring greater government support for recovery and threat anticipation. This includes establishing a dedicated data infrastructure team, prioritised access to security agencies, and coordinated emergency services. Technology Secretary Peter Kyle emphasised that this move will improve coordination with the government to protect against cyber threats and unforeseen events, thereby supporting economic growth.

Americas

TikTok ban goes to Appeals Court

On 16 September 2024, TikTok brought the order to change the company's operating structure before the U.S. Court of Appeals for the District of Columbia. As previously reported in the Scanner, the Protecting Americans from Foreign Adversary Controlled Applications Act, signed by President Biden, requires TikTok to divest from its owner, ByteDance, by January 2025.

TikTok has argued that divesting is not possible and the Act effectively constitutes a ban. In their court appearance, the company and US-based creators defended the app and called for less restrictive means than complete divestiture. TikTok's attorney, Andrew Pincus, focused his argument on freedom of speech and the lack of evidence that TikTok poses a national security risk. The court is expected to rule on this case by early December 2024.

Middle East

Qatar Central Bank publishes AI Guideline

On 4 September 2024, the Qatar Central Bank (QCB) published an AI Guideline, regulating the use of AI by QCB-licensed entities. This guideline outlines various key definitions and governance requirements to ensure the responsible use of AI. It is effective immediately.

Among other things, the guideline emphasises the requirement for entities to create a defined AI strategy, which includes periodic reviews and implementation plans, and that the board of directors and senior management are accountable for the outcomes and decisions of an entity's AI systems.

Israel's PPA publishes guidance on directors' obligations under data security regulations

On 12 September 2024, Israel's Privacy Protection Authority (PPA) published its finalised guidance on the role of the board of directors in fulfilling a company's obligations under the Protection of Privacy Regulations (the Data Security Regulation). The guidance calls for significant involvement from the board of directors in approving the main principles of the organisational information security procedure and ensuring compliance with the Protection of Privacy Law (PPL). The guidance highlights that failure to fulfil their duties may result in sanctions for the board.

Saudi Arabia opens public consultation on deepfake guidelines

On 18 September 2024, the Saudi Data & Artificial Intelligence Authority (SDAIA) opened a public consultation on draft guidelines for deepfake technologies. These guidelines aim to address the implications and risks associated with deepfake tools, targeting developers, content creators, and content consumers. The guidelines draw a distinction between malicious and non-malicious deepfakes with the latter defined as being created for benign purposes such as for use in the healthcare, entertainment, and education industries.

The guidelines state that non-malicious deepfake creators must obtain explicit consent from individuals whose likeness is used and explicitly label the content, so viewers know that it is synthetically generated or altered. The consultation is open for comments until 11 October 2024.

Africa

Rwanda joins forces with Singapore to publish world's first AI playbook for small states

On 22 September 2024, Rwanda and Singapore announced the release of the world's first 'AI Playbook for Small States' on behalf of the Forum of Small States (FOSS). The Playbook addresses the unique challenges small states face with AI, providing strategies for developing human resources and infrastructure to foster AI growth. The Playbook highlights the importance of international cooperation in AI, citing initiatives such as the Digital FOSS Fellowship and Executive Programmes along with the International Telecommunication Union (ITU) AI for Good partnership.

Rwanda's Ministry of ICT and Innovation stated that "as advocates of inclusive digitization, we are collaborating on both the regional and the international level to define the best approaches for the regulation of artificial intelligence."

South Africa among G20 states to adopt declaration on digital inclusion for all

On 13 September 2024, the G20 adopted a ministerial declaration on digital inclusion for all. The discussions centred on aiming to close the connectivity gap and halve the gender digital divide by 2030, tackling misinformation, and the safe use of AI to address global inequalities. Ahead of South Africa's presidency of the G20 in 2025, the G20 welcomed "South Africa’s plans to further work on the topics of Artificial Intelligence, the deployment of digital public infrastructure, Digital Innovation Ecosystems to support MSMEs, and measures to further advance universal and meaningful connectivity."

Additional Information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.