Clifford Chance

A lot has been happening in the Anglosphere this month, with big developments in the USA and UK. This includes the American Data Privacy and Protection Act which moves to a House floor vote following various amendment being passed. This did not include an eye-catching carveout requested by California. The legislative snakes and ladders continued for the UK’s Online Safety Bill which was delayed by the resignation of Prime Minister Boris Johnson and is now expected to move through the House of Commons in Autumn, as opposed to earlier this month.

Freedom Fries? The US Senate advanced a bill designed to strengthen the US chip industry and decrease dependence on manufacturers outside of the US. This is an attempt to tackle the ongoing semiconductor shortage which has caused widespread disruption to industries ranging from automobiles to mobile devices.

In the EU, all eyes are on a possible ban by the Irish Data Protection Authority on Facebook sending personal data from Ireland to the USA. Their decision – which is unknown and remarkably unleaked – is being considered by other European Data Protection Authorities.

July has also seen bouts of cooperation ranging from a joint statement issued by Singapore and Japan, extending and strengthening cooperation in terms of information and communication technology, through to a political agreement reached by the European Parliament and EU member states on a 'Path to the Digital Decade' and a US-UK Data Access Agreement.

There are numerous other developments from around the world, including big developments to Chinese data rules, competition developments in South Africa, continuing AI and tech initiatives in the Middle East and more.

China

New regulatory rules and enforcement activity in sector

The Cyberspace Administration of China ("CAC") has released (a) the "Security Assessment Measures for Data Export", which will take effect on 1 September and (b) the "Provisions on the Standard Contract for Personal Information Export (Consultation Draft)", seeking comments until 29 July (collectively known as "Data Rules"). The Data Rules provide further clarity on the regulatory framework as to (a) how security assessment procedures shall apply to cross-border data transfer from inside China to outside China and accessing onshore data from outside China and (b) the form of the "Standard Contract for Personal Information Export" (the "China SCCs").

With these newly developed Data Rules, multinational companies exporting and/or receiving PRC sourced data and personal information in the ordinary course of business are advised to prepare for, and consider, the challenging aspects from a global compliance strategy perspective. Further, on 21 July, CAC announced that after its one-year investigation, it imposed a fine of USD 1.18 billion on Didi because of Didi's severe violation of PRC data laws. This included excessive collection of various types of data and personal information and the long enduring, and continuing, violation of data security and cybersecurity obligations.  

APAC (excluding China)

Taiwan and EU in talks surrounding chips – hold the mayo

The EU has been courting Taiwan, a major semiconductor producer, as one of the "like-minded" partners it would like to work with under the European Chips Act. Unveiled in February, the Act tries to deal with a persistent global chip shortage. A senior Taiwanese official stated that Taiwan would be "happy" to see its chip firms invest in the EU.

Whilst Taiwan and the EU held-high level trade talks, Taiwan Semiconductor Manufacturing Co Ltd ("TSMC") said it had no concrete plans for factories in Europe, having flagged a year ago that it was in the early stages of reviewing a potential expansion into Germany. Link

Thailand spearheads automation technology for SMEs

Under the economic spearhead programme, Thailand's Department of Industrial Promotion recently announced the successful development and demonstration of an auto storage and retrieval system ("ASRS") – a type of warehouse automation technology designed to store and retrieve products and inventory on demand.

The economic spearhead initiative encouraged the development of ASRS to reduce the price of this promising technology for the benefit of Thai SMEs. Not only did the innovation follow the public-private partnership paradigm for its creation, but also for its commercialisation. Link

Singapore and Japan further cooperate on information and communication technology

On 13 July, the Singapore Ministry of Communications and Information announced that it had issued a joint statement with Japan's Ministry of Internal Affairs and Communications, which extends and strengthens cooperation between the two ministries in terms of information and communication technology.

Amongst other things, the statement affirms the strong cybersecurity cooperation between Singapore and Japan and identified ways to deepen their ongoing cooperation. This included working together in multilateral frameworks regarding responsible AI and Data Free Flow.

EU

Facebook blackout in Europe?

The start of July was marked with an important step in the procedure led by the Irish data protection authority ("DPA") in relation to the potential ban of Facebook's personal data transfers to the US. The Irish DPA sent its draft decision to the other concerned authorities. The draft has not been made publicly available, or even leaked, so we do not have the details on the basis of the decision and the identified infringements justifying the ban of transfers to the US. In light of the multiple decisions of European DPAs on the use of Google Analytics, we imagine that the underlying issue is the assessment by the DPA that the privacy safeguards put in place to framework the transfers of personal data by Facebook to the US are not sufficient.

Now that the draft decision is with the authorities, they will have one month to give their opinion. Depending on how the consultation of the other concerned authorities goes, we can expect the decision in several weeks or in several months.

At this stage, another interesting aspect are the reactions of Meta and Max Schrems's organization None-of-your-Business (“NOYB”). While Meta believes that the ongoing discussions on a new EU-US transfers framework will prevent the ban of its transfers of data to the US, Non-of-your-business considers that there are major issues that are not dealt with in the draft decision. In its publication on the matter, NOYB criticized the fact that the envisaged sanction is a ban of transfers rather than a fine, which it believes would be more effective.  

EU umbrella data privacy watchdog's statement on personal data transfers to Russia

In its statement adopted on 12 July the EU's umbrella data privacy watchdog ("EDPB") recalls the need for exporters of personal data to ensure the protection of personal data transferred from Europe to Russia. Given the absence of an adequacy decision for EU-Russia data transfers, it is recommended to use appropriate safeguards for transfers of data such as standard contractual clauses or binding company rules. The EDPB promises to pay particular attention to cases concerning these data transfers and mentions that some DPAs are conducting investigations pertaining to the lawfulness of data transfers to Russia. However, it does not offer any formal assessment of Russia's legal framework.

EDPB's criteria for strategic cases for closer enforcement cooperation between DPAs

On 14 July, the EDPB detailed the criteria for defining the "strategic" cross-border cases on which EU DPAs should cooperate as a priority. Nine criteria are taken into account, including the presence of reoccurring or structural issues, issues related to the interaction with another legal field, a large number of concerned individuals or of related complaints, and "high-risk" cases, such as the processing of sensitive data. Another important criteria is where a case involves processing operations subject to a data protection impact assessment. Only one of these criteria is sufficient for a national authority to propose the case as a priority. The other DPAs will then have to decide which of the proposed cases will be identified as a case of strategic importance at a European level. In any case, proposals and cooperation on these priority strategic cases are voluntary.

EU companies' call for strong protections against foreign access to data under the EU cloud certification scheme

In an open letter seen by Euractive, 34 companies, led by OVH and 3DS Outscale, advocate for the adoption of the highest level of extraterritorial law protection criteria in the European Cybersecurity Certification Scheme for Cloud Services ("EUCS"), for which the EU Cybersecurity Agency ("ENISA") is set to present a final version in September. The signatories "are convinced that such a level of assurance is the only way to achieve a high level of cybersecurity and data protection, while creating trust in cloud services in Europe". In June, Digital Europe and several US lobby groups had warned against such a framework, qualifying it as politically motivated and unrelated to objective enhancing of cybersecurity standards.

Digital Services Act (DSA) and DMA (DMA) getting closer to integrating the EU legislative framework

On 5 July, the EU Parliament's plenary session approved the trialogue compromise agreements on the DSA and the DMA in two votes without amendments. As a quick reminder, the DSA, together with its sister regulation, the DMA, will form a set of new rules intended to create a safer and more open digital space and to foster innovation and competitiveness (you can read a more detailed overview of the new requirements here). The DMA has also been given final approval by the Council on 18 July and the adoption of the DSA by the ministers is expected in September.

ECB addresses key objectives of digital euro, highlights importance of privacy

On 13 July, the European Central Bank (ECB) published a blog post addressing key objectives of the digital euro. Among other things, the ECB noted that to ensure financial stability in this digital age, it was crucial that people had easy access to the central banks' money.

Whilst acknowledging that the trend towards digital money is convenient for both people and businesses, it posed certain risks and the post highlighted that the digital euro can only be successful if it becomes part of the everyday lives of Europeans. This could only be achieved if the protection of privacy was of the highest standard. As long as people are complying with the prevailing laws, individuals should be able to decide how much they want to disclose.

European Commission sued for violating EU’s data protection rules

Thomas Bindl, German citizen and founder of EuGD, a group that has launched several data protection claims and who have expressed support for Bindl, has brought a lawsuit against the European Commission alleging violation of the EU GDPR. It is alleged that the Commission broke data protection rules by allowing personal data collected via its website to be transferred to the US, against the "Schrems II" ruling, without the appropriate safeguards.

Additionally, Bindl is claiming that the Commission failed to respond to his requests for information about the data processing.

European Commission welcomes political agreement on digital decade policy programme driving successful digital transformation in Europe

The European Commission has welcomed the political agreement reached by the European Parliament and the 27 EU member states on the "2030 Policy Programme: Path to the Digital Decade". The programme sets up a monitoring and cooperation mechanism to achieve the common objectives and targets, including planned regulatory measures and investments. Among other things, this includes skills and infrastructure, the digitalisation of businesses and online public services.

The political agreement is now subject to formal approval by two co-legislators. If enacted, the Commission together with the member states will develop key performance indicators (KPIs) to measure progress towards the 2030 digital targets in preparation of the first annual report. Within nine months, the member states shall present national strategic roadmaps, to launch the cooperation cycle.

UK

UK and US Data Access Agreement to take effect on 3 October 2022

The US Department of Justice ("DoJ") and UK Home Office recently announced their joint agreement on the Access to Electronic Data for the Purpose of Countering Serious Crime Agreement (the "Data Access Agreement") which will come into force on 3 October.  The Data Access Agreement will enable law enforcement agencies of both countries to gain better access to access electronic data held by tech companies so that the prevention, detection, investigation, or prosecution of serious crime can be carried out more quickly. The agreement emphasized that the Data Access Agreement will maintain strong oversight and ensure these protections do not compromise or erode existing human rights and freedoms of US and UK citizens.

DCMS publishes AI regulation policy paper for consultation

The DCMS has published a policy paper outlining the UK government's approach to regulating AI in the UK.  Among other things, the government proposed plans that would diverge from the approach taken by the draft EU AI Act, by allocating the responsibility for AI governance to multiple regulators instead of a central regulatory body and allowing regulators to set out and evolve more detailed definitions of AI in accordance with their specific domains and sectors, whilst abiding by cross-sectoral principles.  Additionally, it would require that legal liability for AI rests with an individual or corporate person, citing the example that self-driving vehicles will represent a shift in responsibility from driver to manufacturer and operators.

Government publishes Data Protection and Digital Information Bill

The UK Government introduced the Data Protection and Digital Information Bill to the House of Commons on 18 July.  The Bill would make certain changes to the existing UK data protection framework, in areas including automated decision making, DPIAs, data protection officers, DSARs, privacy and electronic communications including cookies and the regulation of customer and business data. The Bill is currently undergoing its second reading albeit Parliament will be rising for the summer recess on 22 July, so we expect the Bill to progress further when Parliament returns in September.

Online Safety Bill delayed

Following Boris Johnson's resignation, the UK Online Safety Bill, which ministers had hoped to move through the House of Commons before 21 July, is expected to be delayed until Autumn. The delay may prompt relief in the tech industry which has expressed its concerns about the draft legislation which is designed to force tech platforms such as Google, Facebook and Twitter to deal with harmful content on the internet, ranging from terrorist material and racist abuse, to threats of harm and psychologically distressing messages.

FCA speech on future regulation

Nikhil Rathi, the Chief Executive of the Financial Conduct Authority ("FCA"), recently gave a speech on the FCA's approach to regulating the financial services sector of the future. Among other things, Rathi notes that the FCA intends to take a new approach to digital regulation, including by seeking greater input from communications, privacy and competition regulators, and increasing collaboration with international regulators on issues such as cryptoassets.

Treasury Committee inquiry into cryptoassets

The UK Parliament Treasury Committee have called for evidence as part of its inquiry into the role of cryptoassets in the UK. In particular, the committee is looking for feedback on whether cryptocurrencies are likely to replace traditional currencies, what opportunities and risks the use of cryptoassets pose for individuals and the economy, and their impact on social inclusion. Submissions for the inquiry close on 12 September.

Regulators focus on cloud resilience

The FCA, Bank of England and Prudential Regulation Authority have published a consultation paper under which critical third party ("CTPs") companies may have to conform to minimum standards of resilience. The rules are aimed at tackling the potential system risks posed by financial sector firms relying on the services of a small number of CTPs, including cloud providers. If firms fail or suffer disruption, there is a risk to the wider market integrity of the UK financial system. The proposals outline that the CTPs themselves would not be regulated, instead the services they provide would be the focus for regulators. The measures, which form part of the Financial Services and Markets Bill, would give regulators the power to enforce rules on CTPs, as well as gathering information from them on their activities.

Americas

Federal Privacy Bill moves to the house floor

The US House Committee on Energy and Commerce has passed amendments to the American Data Privacy and Protection Act. The proposed Act will now advance to a House floor vote. In the latest draft there have been changes to, among other things, consent requirements, the definition of sensitive data and the private right of action (which will now come into effect after two years rather than four years).

The attempt to exempt the California Consumer Privacy Act and the California Privacy Rights Act from the Act's pre-emption provisions was not taken up. This follows a statement from the California Privacy Protection Authority requesting that California be carved out of the draft American Data Privacy and Protection Act as the draft Act would, among other things: remove nearly all authority from the CPPA including its enforcement capabilities, preclude the California legislature from adding new protections and compromise additional existing protections, such as the existing Californian global opt-out requirement. 

US Senate advances bill to strengthen semiconductor industry

On 19 July, the US Senate voted to advance a bill designed to strengthen the US semiconductor industry and decrease dependence on manufacturers outside the US. The ongoing shortage in semiconductors has been disruptive for industries ranging from automobiles to weaponry to mobile devices. The bill would provide about USD 50 billion in subsidies as well as a tax credit to encourage companies to build their plants in the US. The procedural measure sets the stage for a vote on the legislation in the coming days; if passed, the bill would travel to the House for passage and would then await President Biden's signature.

Children's privacy bills on Senate agenda

The Senate Committee on Commerce, Science, and Transportation has scheduled a committee markup for 27 July to consider two children's privacy bills: the Children and Teens’ Online Privacy Protection Act and the Kids Online Safety Act. The Children and Teens' Online Privacy Protection Act, introduced in May 2021, aims to modernise provisions of the Children's Online Privacy Protection Act ("COPPA") including prohibiting the collection of data from users ages 13 to 15 without consent, creating an "Eraser Button" on websites to delete children's data, and adding a children's privacy unit to the US Federal Trade Commission (FTC). The Kids Online Safety Act, first introduced in February, offers provisions focused on prohibiting algorithms and targeted advertising to children aged 16 and under.

Middle East

UAE government bolsters its plans to adopt advanced tech

Omar bin Sultan Al Olama, Minister of State for Artificial Intelligence, Digital Economy, and Teleworking Applications, affirmed that the UAE government adopted advanced technology as a key pillar in its development journey, reflecting the UAE leadership's directives in leveraging new technology in building capabilities, enhancing services and shaping a brighter future.

A Memorandum of Understanding ("MoU") has also signed by Al Olama and Bas Lemmens, General Manager for Europe, the Middle East, and Africa at Chainalysis, for building cooperation to provide a virtual training programme for government institution employees in the areas of Blockchain and virtual assets. In addition, it aims to develop their capabilities and skills in this future field, leverage global experiences and share success stories. The MoU aims to enhance the utilisation of Blockchain technologies in building a smart future for the UAE. Link

Hub71, e& enterprise to launch UAE's first AI Centre of Excellence in Abu Dhabi

Hub71, Abu Dhabi's global tech ecosystem, and e& enterprise, part of e& have announced the launch of the region's first AI CoE. This highlights the importance of pursuing partnerships and collaborations with businesses, governments, investors, and startups to create a smarter, safer, and more sustainable world through the co-creation of industry-specific and case-driven AI solutions.

The AI CoE will provide a platform for AI solutions to be built and scaled from Abu Dhabi. The partnership was signed at Hub71's headquarters in Abu Dhabi by Badr Al-Olama, Acting Chief Executive Officer of Hub71, and Salvador Anglada, Chief Executive Officer of e& enterprise. Link

Africa

Organisations need to comply with Kenya's privacy regulations

The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021  (the "Registration Regulations") came into effect on 14 July and gave effect to Part III of the Data Protection Act, 2019 ("DPA") on the registration of data controllers and data processors. Kenya's data controllers and processors now need to register with the country's regulator in order to handle personal data, or they risk a substantial fine.

All entities who process personal data for purposes such as: gambling, operation of educational institutions, financial services, telecommunications services, health administration, and hospitality, are required to register without exception. Others that must register are those processing personal data for crime prevention e.g., operators of CCTV systems, political canvassing, property management, direct marketing, transport service firms and entities that process genetic data.

The continued processing of personal data without registration, provision of misleading information during registration, and failure to renew an expired certificate are all offences under the Act. If convicted, a data controller or processor risks a fine of up to KES 3,000,000 (approx. USD 25,305 at the time of writing) or imprisonment for a term of up to 10 years, or both.

Anti-competitive behaviour could spell trouble for leading online platforms in South Africa

On 13 July, the Competition Commission published its provisional report in the Online Intermediation Platforms Market Inquiry (the "OIPMI"). The report, which follows 14 months of intensive evidence gathering, makes several potentially industry-changing recommendations. Whilst the report is only provisional in nature, interested parties who may be impacted have been invited to make submissions to the Commission regarding the findings and recommendations by 24 August. The Commission intends to publish its final report in November.

The OIPMI is the first market inquiry initiated under the upgraded market inquiry provisions of the Competition Act 1998, as amended. Its goal is to identify potential market features of online intermediation platforms that may impede, distort or restrict competition, with a focus on the participation of small and medium enterprises ("SMEs") and firms owned/controlled by historically disadvantaged persons ("HDPs"). The OIPMI focused on five categories of online platforms: software app stores, eCommerce, online classifieds, travel and accommodation and food delivery. In each of these categories, the report identified so-called "leading platforms", which include the likes of the Apple and Google Play Stores, Takealot.com, Property24, and Uber Eats.

Amongst others, the reports key findings and recommendations included that Google Search is a de facto monopolist in search in South Africa, price parity clauses in eCommerce are causing an impediment to competition and that the complete exclusion of competing software app stores and side-loading by Apple impedes effective competition for commission fees.

Nigerian National Information Technology Development Agency ("NITDA") announces Code of practice for online platforms

The Code of Practice applies to interactive computer service platforms and internet intermediaries, aimed at promoting a sustainable digital economy by protecting the security and welfare of Nigerians interacting on these platforms. It recognises the influence of online platforms in the social interactions and economic choices of people in Nigeria and how these providers of internet services need to comply with best practices in the wake of events such as the October 2020 EndSARS protests where fake news and hate comments were rife.

Broadly speaking, the code seeks to establish a framework to protect Nigerians from online harms such as hate speech, cyber bullying and disinformation. It also lays out procedures for these providers of internet services to carry out risk assessments to determine whether content is harmful. In particular, if the content is found to be so, these providers will have obligations to remove such content or display labels warning users of its harmful nature.

The draft legislature also makes specific provisions for large internet platform service providers, defined as platforms with more than one hundred thousand users. The draft code specifies that human supervision is required to review and improve the use of automated tools to ensure that freedom of expression and privacy of users is not compromised.

Nigeria's Senate passes the Nigeria Startup Bill

The Nigerian Senate passed the Nigeria Startup Bill which seeks to position the country's startup ecosystem as the leading digital centre in Africa. The bill aims to ensure that Nigeria's laws and regulations are clear, planned and work for the tech ecosystem.

The proposed bill is designed for labelled startups which are registered as a limited liability company and have been in existence for not more than 10 years from the date of incorporation, its objects are innovation, it is a holder of a product or process of digital technology and it has at least 51% of its shares held by one or more Nigerian. Among other things, the Bill makes provisions for training and developing talents by using the startup portal to convey information, developing workshops with the National Universities Commission, establishing digital technology acquisition centres across Nigeria's six geopolitical zones and supporting academic research. The bill seeks to provide for the establishment, development and operation of startups in the country via incentives like tax breaks, government loans, and credit guarantee schemes. The bill will also provide regulatory support to labelled startups.

The bill now moves onto the House of Representatives where it will pass through three readings. If the House of Representatives agrees with the contents of the bill, the bill will be sent to the president for his assent and will then become law.