Clifford Chance


Talking Tech

Tech Policy Unit Horizon Scanner

January 2022

Data Privacy Crypto Cyber Security 25 January 2022

The Tech Policy Unit Horizon Scanner is our monthly dive into the key tech policy and legislative developments around the world

Metaverse was one of the big buzzwords of 2021. As we enter the new year, the concept of metaverse, where avatars work, play and spend virtual money, continues to heat up. Companies including Tencent, Sony, and even Walmart are now planning to establish a foothold in the virtual universe.

In the non-virtual world, virtual currency has come under increasing scrutiny. While promoting its Central Bank Digital Currency, China aims to eliminate cryptocurrency mining as a sector. Australia is also planning to implement comprehensive crypto-related reforms.

On the data protection front, the UAE's data protection law came into force on 2 January. China, which implemented the Personal Information Protection Law last year, issued the amended Network Security Review Measures, which take effect from February this year. The EU finalised its adequacy decision for South Korea, which allows data to flow between the two economies without requiring additional authorisations.

In the US, the American Innovation and Choice Online Act, which is aimed at big tech, will be subject to a mark-up session. At the state level, an anti-trust bill has been reintroduced.

Countries across the world are also ramping up other laws and regulations. In Africa, Sierra Leone, Libya and South Africa have enacted laws targeting cybercrimes. In Kenya, the new Central Bank (Amendment) Act imposes stricter requirements on digital lending. In the UK, the draft Online Safety Bill has been subject to tough scrutiny, and the parliament recommended major changes to the bill which will make the online safety regime stricter than the original proposal. The EU's Digital Services Act and Digital Markets Act have also entered the final stretch of the legislative process.

The great chip shortage continues to plague the tech industry. In the latest move, India has approved a USD 10 billion plan to attract semiconductor and display manufacturers. Manufacturers have reportedly shown interest in setting up chip factories in India.


Regulation of Digital Lenders in Kenya

The President of Kenya signed the Central Bank (Amendment) Bill 2021 into law on 7 December 2021 (the Act). The Act regulates digital lenders in Kenya. It requires any person carrying on digital credit business who is not licensed under any other law to obtain a license from the Central Bank of Kenya (CBK) within six months of the coming into force of the Act.

The legislation defines the specific terms “digital channels,” “digital credit,” “digital credit business” and “digital credit providers.” This effectively gives the CBK a wider net of powers to regulate the growing digital lending sector.

The legislation also empowers the CBK to make additional regulations to give effect to the provisions in the Act, including registration requirements, capital adequacy requirements, licence fees, permissible and prohibited activities and reporting requirements. It anticipates that the regulations will be made within three months of the Act coming into force.

Sierra Leone's Cybersecurity and Crime Bill 2021 becomes law 

President Dr Julius Maada Bio signed into law the Cybersecurity and Crime Bill 2021 on 17 November 2021 (the Cybersecurity Act). The Cybersecurity Act provides a comprehensive legal and regulatory framework for the prohibition, prosecution and punishment of cybercrime. It also regulates the collection of electronic evidence for the purpose of investigation and prosecution of cybercrime.

The legislation gives Sierra Leone’s criminal justice system powers and procedures to address unauthorised access to protected systems, unauthorised data interception or interference, computer-related forgery, identity theft and impersonation. It will also help prosecute those responsible for online child sexual abuse.

It is reported that the Cybersecurity Act fulfils the nation's commitment to comply with international treaties like the Budapest Convention, Malabo Convention, ECOWAS Directives and the Commonwealth Declaration.

Libya’s new cybercrime law

The Libyan House of Representatives (HoR) passed the cyber transactions bill to combat cybercrime on 26 October 2021. The Anti-Cybercrime Law, as it is now called, is reported to use generalised language in its articles that leaves judges with room for interpretation and broad discretionary powers in relation to evidence and criminalisation. This has drawn criticism from several rights groups, who argue that this new law gives Libyan authorities extensive discretionary power to restrict freedom of expression online.

Libyan legislators have also expanded the law’s scope of enforcement to include crimes committed outside the country “if their impact and consequences extend to Libya.” It is suggested that this imposes a form of self-censorship on citizens outside Libya, especially if they are considering returning to Libya at some point in the future.

More than 30 rights groups – including Euro-Mediterranean Human Rights Monitor – have called upon the Libyan authorities to rescind the Anti-Cybercrime Law.

South Africa's Cybercrimes Act of 2020 Becomes Partially Active

President Ramaphosa recently announced that certain provisions of the Cybercrimes Act would become operational on 1 December 2021. This follows the signature of the Bill by the president in May 2021 as part of South Africa's aim to protect its businesses and its citizens against malicious cyber-attacks.

Some of the key provisions now in force include the definitions, the sections that cover the types of cybercrime and malicious communications captured by the Act, the jurisdiction of the courts including for crimes committed outside of South Africa, and the powers of the police, investigators and the government.

While no date has been set for the remaining sections, Justice Minister Ronald Lamola welcomed the changes as a step towards streamlining South Africa's laws and aligning them with international trends and best practices.


Senate to Hold Markup Session for American Innovation and Choice Online Act

On January 11th, Senator Amy Klobuchar (D-MN) and Senator Chuck Grassley (R-IA) announced that the Senate Judiciary Committee would hold a markup session for the American Innovation and Choice Online Act (S-2992) on January 13th. The Act, introduced in the Senate in October 2021, would make some discriminatory and exclusionary conduct that is arguably outside current antitrust case law illegal. The bill looks to codify a prohibition on conduct, namely companies self-preferencing their own products or services or restricting other businesses' access to services or data.

Aimed at big tech, the bill introduces the concept of a "covered platform," which is an online platform that meets certain criteria. An online platform includes websites, online or mobile applications, operating systems, digital assistants, or online services. To meet the criteria of a covered platform, an online platform must have: (1) at least 50 million U.S.-based monthly active users or 100,000 U.S.-based monthly active business users in the last 12 months; (2) a market capitalization of more than $550 billion at any point in the previous two years; and (3) "is a critical trading partner for sale or provision of any product or service offered on or directly related to the online platform." Meeting these criteria alone is not sufficient to automatically qualify as a covered platform. The Federal Trade Commission and the Department of Justice's Antitrust Division need to designate a company as a covered platform, and that designation needs to be published in the Federal Register. The covered platform designation lasts for seven years unless the agencies decide to remove the designation early. Only covered platforms would be regulated by this bill.

Speaking of the bill, Senator Grassley said, "For too long, tech giants have used their power to suppress their rivals, unfairly put their products first in their marketplaces, and force sellers on their platforms to buy more services from them in exchange for better placement on their site. This has hurt both small businesses and consumers. A broad, bipartisan group of our colleagues agree and have signed on to our legislation to implement common sense rules of the road for these platforms. I look forward to voting this bill out of committee and bringing it one step closer to becoming law." The bill has ten cosponsors, five from each party, including Senators Richard Blumenthal (D-CT) and Josh Hawley (R-MO), both of whom have introduced other pieces of antitrust legislation in 2021. The Act also has companion legislation in the House of Representatives. The House bill passed out of the House Judiciary Committee in June 2021 during a two-day marathon session. Five other antitrust bills were also passed out of the House Judiciary Committee during that session.

Sweeping New York Antitrust Bill Reintroduced

At the state level, New York introduced a bill in 2021 that would have significantly modified the Donnelly Act, the state's antitrust statute. The bill, titled the Twenty-First Century Anti-Trust Act (S-933A), passed the New York Senate in June 2021 by a vote of 43-20 and was sent to the Assembly. The bill died in the Assembly as it was never voted on. On January 5th, the bill was reintroduced and referred to the NY Senate Consumer Protection Committee. The Senate Consumer Protection Committee is holding a meeting on January 12th, where the Twenty-First Century Anti-Trust Act is one of six bills on the agenda.


China's network security review measures

PRC regulators have amended the Measures on Network Security Review, which will take effect on 15 February 2022. The new measures will expand the applicability of the network security review procedure to cover internet platform operators that hold the personal information of more than one million people. Specifically, these network operators must apply for a network security review for any initial public offering (IPO) on an overseas exchange, which means that the timeline and the likelihood of getting the network security review clearance will need to be taken into account in these IPOs.

Chinese government promotes its central bank digital currency…

In China, the E-CNY app is now available in more pilot zones, including Shenzhen, Suzhou, Xiong’an, Chengdu, Hainan, Changsha, Xi’an, Qingdao, Dalian and Winter Olympics venues (Beijing and Zhangjiakou). Users may register and manage a digital wallet in the app, and transfer cash into that wallet as E-CNY.

…but continues to clamp down on other virtual currency

PRC regulators took an even harsher stance against virtual currency mining activities: the National Regulatory and Development Commission officially announced that the Guiding Catalogue on Industry Restructuring (2019 Amendment) has been amended to add “virtual currency mining activities” to the “sectors to be eliminated”.

Australia proposes new law to regulate cryptocurrency exchanges and online payments

In a speech given on 8 December 2021, Australia's Treasurer Josh Frydenberg said that Australia will implement "comprehensive payments and crypto reforms". The government will create a licensing framework for cryptocurrency exchanges, finalise consultation on a custody or depository regime for businesses holding crypto-assets for consumers, and launch a consultation on developing a retail Central Bank Digital Currency. The government also plans to modernise payments system legislation to cater for new ways of payments, such as BNPL (buy now pay later) and digital wallets.

The central theme of the speech is addressing the disruption in the payments and crypto-asset sectors brought about by emerging technologies. In particular, Australia is looking to become a "leading digital economy". According to Frydenberg, "if we do not reform the current framework it will be Silicon Valley that determines the future of our payments system."

India's new chips plan

In our November 2021 edition, we reported on TSMC's plans to build chip factories in Japan, as well as the EU's Works Programme for 2022 which includes a proposed European chips act. India is now also pushing to establish itself as the "global hub for electronics manufacturing with semiconductors as the foundational building block."

India has approved a USD 10 billion plan to attract semiconductor and display manufacturers. It has been reported that global chip manufacturers, from Israel, Taiwan and Singapore, have shown interest in setting up chip factories in India. As companies look to diversify beyond China, and India plans to move up the manufacturing value chain, the new chips plan has exciting potential.


UK's draft Online Safety Bill

The UK's Online Safety Bill is due for approval in parliament in 2022. On 14 December 2021, the Joint Committee on the draft Online Safety Bill, which is tasked with scrutinising the provisions, said that the draft bill should be changed to make the law tougher on tech companies and make it clearer what their responsibilities are. The committee recommended dozens of significant changes, including to increase the power of Ofcom to investigate, audit and fine, and to extend the scope of the bill to include paid-for advertising. These amendments will make the online safety regime stricter than the original proposal.

New EU digital rules enter final stretch of legislative process

The Digital Markets Act (DMA) and Digital Services Act (DSA) are in the final stages of the legislative process, with interinstitutional negotiations ready to go.

The first interinstitutional meeting (these meetings are referred to as trilogues) on the DMA took place on 11 January 2022 and additional technical meetings are scheduled. It is forecast that the new rules for online gatekeepers could be adopted as early as the end of March 2022, with the prospect that the DMA could apply before the end of 2022. Find out more from our DMA client briefing.

The DSA was voted through at the European Parliament's January plenary session, paving the way for interinstitutional negotiations to begin shortly. Because of the number of controversial topics and divergences between the Council and Parliament positions, we expect the DSA to take longer to be finalised than the DMA.

EU and Singapore agree to strengthen bilateral partnership on digital trade

At the inaugural Trade Committee meeting under the EU-Singapore Free Trade Agreement (EUSFTA) in December 2021, the European Union and Singapore agreed to strengthen their bilateral partnership on digital trade. The two sides discussed strengthening bilateral digital trade, including with a view to advancing towards a comprehensive EU-Singapore digital partnership. EU and Singapore officials will now start technical discussions and identify the relevant digital trade elements. The EUSFTA entered into force in November 2019.

EU adopts adequacy decision to allow personal data transfers to South Korea

In December 2021, the European Commission formally declared that South Korea provides "adequate" protection for personal data transferred from the 27 EU member states under the EU's General Data Protection Regulation (GDPR). The adequacy talks were concluded in March 2021, but the December decision marks the final step in the process. The adequacy decision builds on the protections already enshrined in Korean law, including through additional safeguards agreed as part of the talks. The joint statement released by the Commission and South Korea stated that data can now flow between the two economies "without any need for further authorisations or additional tools".

Middle East

Abu Dhabi's new cybersecurity strategy

The Abu Dhabi Digital Authority (ADDA) partnered with Etisalat, an Emirati-based telecommunications services provider, and Trend Micro Incorporated, a cybersecurity software company, to launch Cyber Eye, an initiative designed to strengthen the Abu Dhabi government's cybersecurity capabilities. Cyber Eye is a key part of the Abu Dhabi government's cybersecurity strategy. Working with partners from the private sector, the Abu Dhabi government hopes to strengthen the security of government infrastructure and protect its digital assets.

In its press release, the ADDA noted the increasing incidence of cybercrimes during the pandemic, and said that it hoped Cyber Eye will allow threats (including more advanced attacks) to be detected quickly.

UAE's data protection law comes into force

The UAE's data protection law came into force on 2 January 2022. The law has extra-territorial reach and applies not only to individuals and businesses established in the UAE, but also to organisations established outside the UAE that process personal data of individuals located in the UAE. Crucially, the law does not apply to free zone companies that are already subject to data protection legislation. The law permits data transfers on bases that are similar to those under the GDPR, and also requires the appointment of a DPO if high risk activities are conducted. Nevertheless, there are certain key differences with the GDPR (for example, "legitimate interest" is not a valid basis for processing). For more, see our article on the key takeaways of the UAE data protection law.

Additional Information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.