Tech Policy Unit Horizon Scanner - September 2021
In September 1993, AOL, the internet service provider, began offering access to online forums (then called "Usenet") to its many users. Before then, Usenet access was largely restricted to students – who would join Usenet and acclimatise to the "netiquette" every September. The influx of wider users in 1993, however, continued well beyond that month, which became known as the September that never ended.
Twenty-eight years later, we are faced with a never-ending stream of tech innovation and increasingly sophisticated regulations.
Our early internet forefathers probably would not have anticipated that South Africa would become the first country in the world to grant a patent on inventions created by an artificial intelligence inventor. This signified a landmark moment for the recognition of AI-created patents across the world.
The highly anticipated Epic v Apple verdict was handed down. While Epic lost on all but one of the issues in dispute (and was found liable to pay Apple 30% of the revenue it collected from its alternative payment system), Apple did not emerge victorious from the lawsuit, as the court issued an injunction prohibiting Apple from mandating the use of its in-app purchase system.
Apple (and other app store operators) also face pressure from South Korea, where the government recently passed the "anti-Google law" that will ban app store operators from requiring developers to use their payment systems. In other competition news, India's Supreme Court held that Amazon and Walmart's Flipkart must submit to the antitrust investigations ordered against them by the Competition Commission of India.
On the data protection front, China has passed milestone legislation for data protection and cybersecurity. The UAE has announced that a new federal data protection law will be implemented. The UK launched a consultation on reforms to the data protection regime that might remove an individual's right to have a human review of the automated decisions made by AI.
There are also some noteworthy enforcement actions. Ireland's data protection regulator imposed a record €225 million fine on WhatsApp for breach of its transparency obligations under the GDPR. The SEC also handed out fines for deficient cybersecurity practices where the data of customers and clients were leaked.
In Africa, Nigeria is set to lift a 3-month ban on Twitter. It is also planning to deploy the 5G network following the completion of a security and health investigation. A new bill to reform the country's technology regulator has given it powers to fix licensing and authorisation charges, collect fees and issue penalties, raising alarm bells among start-up founders and venture capitalists. The Bank of Ghana is now gearing up to implement its pilot central bank digital currency project, a precursor to the issuance of a digital national currency.
Africa
South Africa leads the way with the world's first patent listing an AI system as the inventor
In our August edition, we reported on the ground-breaking decision of an Australian court to recognise AI as the inventor of a patent. In fact, preceding that decision, South Africa was the first country in the world to grant a patent on inventions created by an AI inventor. On 28 July, the Companies and Intellectual Property Commission of South Africa granted a patent relating to two inventions, one for interlocking food containers that are easy for robots to grasp and stack, and one for an emergency light system, both invented by an AI system that simulates human brainstorming called DABUS. This could signify a landmark moment in the struggle for legal recognition of inventions by AI in the United States and other countries. The patent application listing DABUS as the inventor was filed in patent offices around the world, including the US, UK, Europe, Australia, and South Africa - but only South Africa, followed days later by Australia, has granted the patent. There has been widespread criticism of this decision, with experts stating that this could lead to intellectual property abuses and make it harder for people to file patents.
Leaked bill alarms Nigeria's start-up founders
A new bill to reform Nigeria's technology regulator, the National Information Technology Development Agency (NITDA), is raising alarm bells amongst start-up founders and venture capitalists.
The amended bill grants further powers to NITDA including the power to fix licensing and authorisation charges, collect fees and issue penalties or contravention notices for non-compliance with the act. The bill also introduces a levy of 1% of profit before tax on tech companies making an annual turnover of $200,000. NITDA also reserves the right to "enter premises, inspect, seize, seal, detain and impose administrative sanctions on erring persons and companies who contravene any provision of the act", subject to a court order.
Nigeria lifts Twitter ban
Nigeria's government has announced that it will soon lift the ban on Twitter which has been in place since 4 June 2021. The ban came after Twitter removed a tweet from President Muhammadu Buhari which the platform said violated its terms of service. In response, the Nigerian government had imposed a ban on Twitter. With some of the differences between Nigeria and Twitter resolved (for example, Twitter has agreed to set up an office in Nigeria), the ban is set to be lifted.
Nigeria ready to deploy 5G network
In our June edition, we reported on Nigeria's decision to halt the deployment of its 5G network until investigations into the potential health or security threat of the 5G network were completed. These investigations have now concluded, and Nigeria is ready to deploy its 5G network. Dr Isa Pantami, Minister for Communication and Digital Economy, made the announcement that the investigation had "absolved the 5G network of posing a security or health threat" and blamed the delay on conspiracy theories that COVID-19 was related to the deployment of the 5G network. The Federal Government now expects the 5G spectrum to be auctioned by the end of the year, with all major urban centres being 5G enabled by 2025.
Bank of Ghana confirms plans for digital currency
The Bank of Ghana has appointed the German payment solutions provider Giesecke+Devrient to implement its pilot central bank digital currency project. The pilot is a precursor to the issuance of a digital national currency, the e-Cedi, which is intended to act as a digital alternative to cash and ensure secure and robust payment infrastructure in Ghana. Throughout the pilot a study will be conducted on the acceptance of the e-Cedi from the end user's perspective, IT security of the infrastructure, the impact of the project on monetary policy and payment systems, and the legal implications.
Americas
SEC fines firms for data breaches
The SEC has issued a string of fines for cybersecurity breaches. On 16 August, it announced a settlement with London-based publisher Pearson PLC for a 2018 cybersecurity breach that affected the personal data of millions of students. Pearson's violations, according to the SEC, lie in two sets of material misstatements and omissions. First, it referred to cybersecurity incidents as a "hypothetical" risk in the Form 6-K filed in July 2018. Secondly, the SEC alleged that Pearson's statement to the media downplayed the incident.
On 31 August, the SEC issued fines against eight registered investment advisers and broker-dealers for deficient cybersecurity practices that led to breaches of personal information of clients and customers. Notably, each charge highlighted the failure to require multi-factor authentication for email accounts of independent contractors with access to client and customer data—a strong signal to the industry to implement these security measures. The lesson is clear: as SEC's Cyber Unit Chief Kristina Littman warned, it was "not enough to write a policy" if those policies aren't fully implemented. (See our client briefings here and here for more details)
Epic Games v. Apple Trial Verdict
As South Korea passed the "anti-Google law", Judge Yvonne Gonzalez Rogers in California handed down the highly anticipated decision in the Epic Games v. Apple trial on 10 September. She declined to hold that Apple is a monopolist under either federal or state antitrust laws, and ruled that Epic breached its contract with Apple and was liable for damages amounting to 30% of the revenue it collected since implementing the alternative payment system that bypassed the in-app purchase system.
The judge did find in favour of Epic on one count, namely that Apple violated California's Unfair Competition Law. As a remedy, the judge issued an injunction where Apple was banned from prohibiting developers from bypassing the in-app purchase system by directing customers to other payment methods and communicating with customers. The injunction is set to take effect on 9 December, although it could be stayed pending appeal. Epic has already indicated it intends to appeal the decision.
Capitol Hill has been quick to respond to the Epic v. Apple decision by pushing for further antitrust legislation. Senator Amy Klobuchar (D-MN), the Chair of the Senate Subcommittee on Competition Policy, Antitrust, and Consumer Rights, said that "we need to pass federal legislation on app store conduct to protect consumers, promote competition, and foster innovation." Senator Klobuchar, along with Senators Richard Blumenthal (D-CT) and Marsha Blackburn (R-TN), had introduced the Open App Markets Act bill in August, which would require, inter alia, Apple to open up the iOS ecosystem to the sideloading of apps, third-party app stores, and third-party in-app payment services. Representative Ken Buck (R-CO), the Ranking Member of the House Subcommittee on Antitrust, Commercial, and Administrative Law, also called for the passage of the Open App Markets Act.
Representatives Jerrold Nadler (D-NY), the Chair of the House Judiciary Committee, and David Cicilline (D-RI), the Chair of the House antitrust subcommittee, issued a joint statement saying that "while this decision includes some relief for consumers, app developers, startups, and other innovators, it is clear that courts continue to narrowly interpret the antitrust laws in favor of monopolies and against consumers, workers, and small business," before joining the calls for additional federal legislation.
APAC
Milestone data and cybersecurity regulations in China
China is ramping up its data and cybersecurity laws. It has now passed the Personal Information Protection Law (PIPL) (effective as of 1 November 2021), the Administrative Regulations on the Security Protection of Critical Information Infrastructure (effective as of 1 September 2021) (CII Regulation) and the Relevant Provisions on Regulating Security of Automotive Data (effective as of 1 October 2021).
The PIPL will apply to personal information (PI) processing activities (i) taking place in China or (ii) conducted outside China to the extent that such activities are carried out for the purpose of (a) providing products or services to persons in China or (b) analysing and assessing behaviours of persons in China. Penalties for violations of the PIPL include fines of up to RMB 50 million or 5% of annual revenue – this is similar to the approach taken by EU regulators under the GDPR regime.
Multinational companies are advised to carefully revisit their data compliance programme across different jurisdictions. The relevant operators and PI processors should be prepared for the associated enhanced security requirements including data localisation, self-assessment on PI processing, security review for procurement of network product or service and security assessment for exporting any important data or PI.
In this regard, the key regulators will be the Cyberspace Administration of China and the Ministry of Public Security, while industry regulators will also be involved in the relevant assessment or review process. The regulators' top priority will be the protection of critical information infrastructure, important data for each industry and sensitive PI. (See our alerters (PIPL; CII Regulation) for further information; also see our newest client briefing)
Amazon and Flipkart face anti-competition investigation in India
In a setback to two American e-commerce giants, India's Supreme Court ruled on 9 August 2021 that Amazon and Walmart's Flipkart must submit to the antitrust investigations ordered against them by the Competition Commission of India (CCI). The CCI launched the investigations last year for the companies' alleged preferential treatment of a small group of sellers and deep discounting practices. Amazon and Flipkart challenged the investigation in lower courts and subsequently appealed to the Supreme Court, which said that it expected organisations like Amazon and Flipkart to "volunteer for inquiry and transparency". After the ruling, Amazon and Flipkart said that they will comply with the law and cooperate with the investigators.
South Korea passed a bill to curb the power of app store operators
The Epic Games v. Apple trial brought the potentially anti-competitive practice of app store operators into the limelight (the verdict in that case is covered in the Americas section of this newsletter). On 31 August, South Korea passed a bill that will ban Apple and Google from requiring developers to use their payment systems, effectively stopping them from charging commissions on in-app purchases. The amendment to the Telecommunications Business Act, dubbed the "anti-Google law", is the first time the government of a major economy has intervened to curb the powers of app store operators. The law also bans app store operators from "inappropriately" removing apps from app stores and forcing developers into exclusive arrangements. Breaches could result in fines of up to 3% of their revenue in South Korea. On 10 September, Epic tweeted that it had asked Apple to restore its Fortnite developer account, as Epic plans to re-release Fortnite on iOS in South Korea, offering both Epic and Apple payments side-by-side.
Europe
In August, Ireland's Data Protection Commission (DPC) issued a fine of €225 million on WhatsApp following a binding decision of the European Data Protection Board (EDPB).
The DPC launched an investigation in 2018 into whether WhatsApp discharged its transparency obligations in relation to both user and non-user data, including the sharing of personal data between WhatsApp and various Facebook companies. It eventually found in a draft decision that WhatsApp was in breach of Articles 12, 13 and 14 of the General Data Protection Regulation (GDPR) and proposed a fine of between €30 million and €50 million. After other EU national regulators raised objections against the draft decision and a compromise could not be reached, the dispute was brought before the EDPB. The EDPB issued a binding decision ordering the DPC to amend its draft decision, notably to take into account WhatsApp's breach of the principle of transparency under Article 5 of the GDPR, and to factor in the total turnover of all Facebook Inc. group companies in calculating the fine.
The final decision issued by the DPC reflected the EDPB's binding decision, and increased the amount of the fine to €225 million. WhatsApp has now filed an appeal as well as a request for judicial review of the procedures by which the DPC reached its decision.
UK announces consultation on data protection laws
The UK government launched a consultation on 9 September on reforms to the UK's data protection regime. One of the proposals under consideration is the removal of Article 22 of the GDPR, which mandates that individuals should “[not] be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her”. Instead, the government is considering allowing the use of solely automated AI systems for decision-making, subject to meeting other requirements under the data protection legislation. This proposal has raised controversy. Watch this space for more analysis of the proposed reforms.
Middle East
A new data privacy law in UAE?
The UAE currently does not have a federal data privacy and protection law, or a data protection regulator. Currently only the Dubai International Financial Centre, Dubai Healthcare City, and Abu Dhabi Global Market, all of which are free trade zones within the emirates of Dubai and Abu Dhabi, have formal data protection regimes.
The Minister of State for Artificial Intelligence, Digital Economy and Remote Work Applications announced that the UAE would introduce a new federal data protection law, as one of the initiatives to be implemented under the recently published "Principles of the 50", the UAE's new strategic roadmap for development. It remains to be seen what the federal data law will include.