Skip to main content

Clifford Chance

Clifford Chance
Tech<br />

Tech

Talking Tech

Tech Policy Unit Horizon Scanner

February 2024

Artificial Intelligence Data Privacy Cyber Security 1 March 2024

Do you value your neural privacy? Montana and Colorado certainly do. In the midst of U.S. states enacting their own state data privacy laws, those states have proposed extending their privacy legislation to cover consumers’ neural privacy. Please read our individual overviews of currently enacted comprehensive state data privacy laws, which has been updated to include New Jersey's privacy law passed on 16 January 2024, and New Hampshire's proposed statute.

Global collaboration in the tech policy space continued this month. The EU and Japan signed a protocol introducing cross-border data flow measures between the regions, and the EU and Canada also began work on their joint digital partnership which aims to increase cooperation on topics including AI, public policy related to online platforms, secure international connectivity and cybersecurity. The Association of South East Asian Nations (ASEAN) released a Guide on AI Governance and Ethics, which aims to foster the interoperability of AI frameworks across the ASEAN jurisdictions and includes recommendations on national and regional-level initiatives for responsible AI deployment.

New guidance and commentary on existing data protection and privacy legislation also continues to be prevalent, aiming to improve understanding and encourage implementation. India's Data Security Council published FAQs on their Digital Personal Data Protection Act of 2023, Somalia issued guidance on their Data Protection Act, and the UK's Information Commissioner's office issued a warning to organisations on adhering to advertising cookies policies, following a call to action last November.

One year on from the establishment of the UK Department of Science, Innovation and Technology (DSIT), the UK government published a policy paper on the progress of their Science and Technology Framework. They appeared confident that they had seen "sustained and rapid technological development and an increase in global competition" in recent months, where the adoption of AI is a transformative opportunity which requires domestic and global action to ensure its safe and responsible use. The domestic action was addressed in the UK's response to their AI Regulation White Paper consultation, which gave key regulators a deadline of the end of April to publish their plans to respond to AI risks and opportunities.

APAC (Excluding China)

India Data Security Council publishes FAQs on the Digital Personal Data Protection Act

On 8 February 2024, the Data Security Council of India (DSCI) published a set of frequently asked questions (FAQs) regarding the Digital Personal Data Protection Act of 2023. Specifically, the FAQs address the following: the responsibilities and rights of a data principal; the duties of data fiduciaries; methods of enforcement; and exemptions and cross-border transfers of data.

EU and Japan sign cross-border data transmission protocol

On 31 January 2024, following an agreement between the parties, the European Commission announced that the EU had signed a protocol to incorporate clauses on cross-border data transfers in the agreement between the EU and Japan for an Economic Partnership. According to the Commission, the agreement will guarantee that unwarranted data localisation measures do not impede data flows between the EU and Japan. It will also guarantee that the benefits of free data flow are adhered to in accordance with the regulations on data protection and the digital economy of both the EU and Japan. The protocol can come into effect after it has been approved by Japan, and both parties have informed one another that their internal processes have been completed.

ASEAN releases Ethics and Governance Guide for AI

On 2 February 2024, the Association of South East Asian Nations (ASEAN) released a Guide on AI Governance and Ethics, during the 4th ASEAN Digital Ministers' Meeting (ADGIM). Specifically, the ADGIM emphasised that the Guide will function as a useful and workable instrument to facilitate the reliable implementation of AI solutions. General guidelines for an AI governance framework are outlined in the Guide and include human-centricity, security and safety, robustness and dependability, privacy and data governance, accountability and integrity, and openness and explainability.

South Korea Information Commission publishes new recommendations for handling pseudonymous data

On 2 February 2024, South Korea's Personal Information Protection Commission released updated "Pseudonymous Information Processing Guidelines". The recommendations in previous standards were limited to structured data, but the revised guidelines include new rules for recognising and managing the risks to personal information that arise during the pseudonymisation and use of unstructured data. The revised guidelines contain several recommendations, including to consider the environment of data processing to determine the risk of identification and set reasonable processing methods and levels; implement measures to compensate for the technical limitations; and implement control measures when using pseudonymous unstructured data.

China

China's Information Security Standardisation Technical Committee releases consultation draft on assessment methods for security capabilities of cloud computing services

On 4 February 2024, China's National Information Security Standardisation Technical Committee released the consultation draft of "Information Security Technology – the assessment method for security capabilities of cloud computing services" for public comments. The draft stipulates the principles of assessment, the implementation process, and the assessment method specific to security capability requirements of cloud computing services. Third-party assessment organisations may use the draft guidelines to assess the security capability of cloud service providers, and cloud service providers may also use the draft guidelines for self-assessment.

Cyber Security Association of China releases the consultation draft series of group standards on personal information protection and privacy computing

On 5 February 2024, the Cyber Security Association of China released the consultation draft series of group standards of Personal Information Protection and Privacy Computing for public comments. These mainly include technical requirements of personal information protection for mobility service systems, telecommunications and video surveillance users; and capability assessments of desensitisation algorithms.

EU

Digital Services Act starts applying to all online platforms in the EU

As of 17 February, the Digital Services Act (DSA) extends its reach to all but small online intermediaries in the EU, mandating robust measures against illegal content, enhanced user protections, transparent advertising, and detailed content moderation disclosures. Platforms must now offer redress mechanisms, publish annual reports, and maintain clear terms while liaising with designated authorities. Previously applicable to major platforms, the DSA's broader scope gives others until April 2024 to align, with the European Board for Digital Services beginning its oversight role on 19 February. Guidelines on electoral safeguards and data access are also forthcoming, with a public consultation and enactment expected in 2024. The Commission's secondary legislation facilitates an information-sharing system for regulatory enforcement, complemented by the launch of a Transparency Database and dashboard to democratise insights into platforms' content decisions.

EU AI Act provisional Agreement approved in parliamentary committees

On 13 February 2024, the European Parliament's Internal Market and Civil Liberties Committees approved the provisional agreement on the Artificial Intelligence Act in a joint vote. The AI Act is set to undergo formal adoption during a forthcoming EU Parliament plenary session, scheduled for mid-April, and will require the final endorsement of the EU Council. Once the Act enters into force, it will become fully enforceable 24 months later. However, certain provisions will be implemented in phases: bans on prohibited practices will come into effect six months after the Act's entry into force, codes of practice at nine months, general-purpose AI rules including governance at twelve months, and obligations for high-risk systems at thirty-six months.

GDPR Enforcement Regulation

On 15 February, the European Parliament's civil liberties committee passed amendments to enhance GDPR enforcement, mandating swift investigations into significant cases and bolstering complainant powers. The revisions modify the initial Commission proposal by setting deadlines for case resolution and granting privacy advocates and consumer groups greater participatory rights and document access during investigations. The regulation introduces steps for early consensus among DPAs to prevent later disputes, operating within the existing GDPR framework.

EU adopts its first ever Cybersecurity Certification scheme: the Common Criteria Scheme (EUCC) for ICT products and services

The 2019 Cybersecurity Act established the EU Cybersecurity certification framework which the new EUCC scheme is part of. This framework aims to enhance the cybersecurity of ICT products, services, and processes within the EU market by implementing a uniform set of rules, including technical standards, requirements, and procedures. On 31 January 2024, the European Cybersecurity Scheme on Common Criteria (EUCC) drafted by the European Union Agency for Cybersecurity (ENISA) has been adopted as the first scheme within the EU cybersecurity certification framework. The EUCC scheme is voluntary and enables ICT suppliers to demonstrate their commitment to cybersecurity. Suppliers can opt to undergo a standardised assessment process to certify their ICT products, (e.g., technological components like chips and smartcards, hardware and software). This certification helps to ensure a high level of cybersecurity across the EU and provides a clear indication of security assurance to consumers and businesses alike.

The European Commission publishes the first work program for cybersecurity certificate for digital identity wallet

On 7 February, the European Commission unveiled its inaugural work programme dedicated to cyber certification. This programme introduces voluntary certification schemes, such as the EUCS for cloud services, which is currently in development, and the EUCC for components and software, ratified on 31 January. These certifications establish tailored requirements for a range of products and services, calibrated to the risk levels associated with their use. Notably, the work programme indicates the intention to include digital identity wallets in future certification schemes, thereby enhancing the recently introduced Cybersecurity Act. This aims to enable managed security services schemes through European Commission implementing acts. Furthermore, the Commission is set to develop a certification for managed security services (MSS), a key component of an upcoming legislative proposal. The programme also outlines how these certifications will align with the cyber resilience regulation, which is expected to introduce stringent cybersecurity standards for connected devices.

UK

AI, AdTech, children's privacy in sights of ICO for 2024

On 28 February 2024, the ICO Commissioner announced the ICO's key priorities for 2024, as well as emphasising the need to safeguard personal information while promoting innovation and privacy-respecting practices. The top priorities outlined by the Commissioner were children's privacy, third-party advertising cookies, and the emerging challenges posed by AI.

In particular, the ICO is looking to address concerns regarding the lawful use of generative AI and placed emphasis on the need for compliance with the UK GDPR. Additionally, the ICO is actively monitoring biometrics usage and children's privacy issues, implementing audits and engaging with industry for compliance. Enforcement actions against non-compliant practices, such as inadequate cookie banners are ongoing, with efforts to enhance monitoring through technological solutions such as hackathons.

UK government publishes response to consultation on AI regulation white paper

On 6 February 2024, the UK Government published a response to the consultation on its AI Regulation White Paper, which was originally published in March 2023. The response reiterates the Government's "flexible" approach to AI regulation.

Actions have already been taken by bodies such as the UK Information Commissioner’s Office (ICO) (which has updated its guidance on the application of UK data protection laws to AI systems that process of personal data) and the Competition and Markets Authority to align with these principles. The government favours a non-statutory approach for its adaptability, though it remains open to feedback suggesting statutory duties. A central function within the Department for Science, Innovation and Technology is being developed to ensure regulatory coherence. The response outlines plans for 2024, including policy development, risk management, regulator support, industry guidance, and international collaboration on AI governance, with a focus on addressing AI-related electoral interference and promoting safety summits with international partners.

Information Commissioner's Office warns organisations to proactively make advertising cookies compliant after November call to action

On 31 January 2024, Stephen Almond, the ICO Executive Director of Regulatory Risk, issued a statement emphasising the importance of organisations complying with data protection laws regarding advertising cookies. This follows the ICO's call to action in November 2023, where it wrote to 53 of the UK's top 100 websites, warning that they would face enforcement action if they did not make changes to their practices regarding advertising cookies to comply with data protection law.

The ICO stated that 38 of the 53 organisations contacted have made their cookie banners compliant and stated that others are exploring alternative advertising and subscription models, with further guidance from the ICO expected soon. The ICO is determined to extend its compliance checks to more websites and is developing an AI tool to identify non-compliant cookie banners. The ICO is advising all organisations to proactively become compliant to avoid enforcement action and notes that its initiative is already encouraging widespread changes.

Information Commissioner's Office issues guidance on online content moderation and respecting information rights

On 16 February 2024, the ICO published the guidance, outlining the legal responsibilities when using content moderation tools and emphasising the need for a lawful basis for processing personal data under the UK GDPR, particularly for any special category data. Organisations must adhere to GDPR principles, such as purpose limitation and data minimisation, and respect users' rights to information and rectification - paying close attention to children's data in line with the Children's Code. The ICO cautions against the repercussions of incorrect moderation decisions, which could lead to wrongful implications or access loss for users, potentially resulting in legal claims and ICO enforcement. The guidance also supports organisations in meeting their obligations under the Online Safety Act 2023, ensuring data protection compliance while maintaining online safety, and is part of the ICO's cooperative efforts with Ofcom.

Americas

U.S

U.S. Patent and Trademark Office issues inventorship guidance for AI-assisted inventions

On 13 February 2024, the United States Patent and Trademark Office (USPTO) issued guidance pursuant to President Biden's "Executive Order on the Safe, Secure and Trustworthy Development and Use of Artificial Intelligence" (EO) announced in October 2023. The USPTO guidance, "Inventorship Guidance for AI-assisted Inventions," clarifies how the EO will affect the patentability of such AI-assisted inventions. Per the guidance, non-natural persons, including AI systems, cannot be an inventor. However, a natural person that uses an AI system may qualify as an inventor if the natural person(s) "significantly contributed to the claimed invention."

Other federal agencies have successfully tasked EO directives that were required to be completed within 90 days of the order, including conducting AI industry risk assessments, compiling information from AI system developers, and launching the National AI Research Resource pilot. For more information on Biden’s EO, please see our articles What businesses need to know (for now) about the Biden Executive Order on AI and Biden Executive Order on AI: what businesses can do (for now) about the safety and security mandates.

U.S. states propose extending privacy acts to consumers' neural privacy

On 2 February 2024, the states of Montana and Colorado proposed extending their state privacy acts to also cover consumers’ neural privacy. Neural privacy is the right to information collected from electrical neural signals in the brain. Consumer neuro-technology has existed in health tech products such as smartwatches, which can monitor sleep neural patterns. If the data is for research or diagnosis purposes, then the data is protected by U.S. health privacy laws; however, there is a regulatory gap, as more neuro-technology produces data solely for consumer use. Legislators and policy advocates have called for states enacting consumer privacy laws to include neutral privacy protections.

Please read our individual overviews of currently enacted comprehensive state data privacy laws, which has been updated to include discussion of New Jersey's privacy law passed on 16 January 2024, and New Hampshire's proposed statute.

Middle East

Oman government publishes executive regulations of the personal data protection law

On 28 January 2024, Oman’s Ministry of Transport, Communications, and Information Technology (MTCIT) published executive regulations for the Personal Data Protection Law. The regulations outline the data protection obligations of controllers and processors, including obtaining express consent from data subjects, obtaining a permit from the MTCIT, and responding to data subject rights requests within 45 days. Penalties for violations include warnings, suspension or cancellation of permits, and administrative fines of up to OMR 2,000 (approx. USD 5,195) for each violation.

Africa

Somali data protection authority publishes guidance on Data Protection Act

On 3 February 2024, the Somali data protection authority issued guidance on the Data Protection Act, enacted in March 2023, clarifying its scope and application. The Act is applicable to data controllers and processors based in, residing in, or operating from Somalia, as well as to those outside the country if they process the personal data of individuals within Somalia. The guidance elaborates on the Act's provisions, outlining the authority's roles and responsibilities, key definitions, the legal grounds for obtaining consent, and the fundamental principles governing data processing. It also specifies the obligations of data controllers and processors, in addition to delineating the rights of data subjects. This comprehensive guidance aims to ensure that stakeholders understand their duties and the rights of individuals under the Act.

Additional Information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.