Clifford Chance

Tech Policy Unit Horizon Scanner

August 2022

Data Privacy | Artificial Intelligence | Fintech | 31 August 2022

Introduction

August has given us a flurry of firsts within the data, crypto and AI world. Notably, China's Cyberspace Administration (CAC) has given us a peek into some of the world's most coveted algorithms, offering the public a first-of-its-kind glimpse into the secret sauce that makes behemoths like Alibaba and Tencent tick. It is a similar story within the African region, with Nigeria taking a first step towards forming a National Artificial Intelligence Policy and Egypt signing into action its first ever state-wide integration of electronic signatures.

This thirst for the first even extends to the UK where the current Chancellor of the Exchequer, Nadhim Zahawi, has announced the long-awaited debut of stablecoins within a UK Parliamentary Bill. Speaking at his first Annual Mansion House Speech, Zahawi declared that despite the UK being "gripped by a great national contest", the government will continue to reinforce the country's commitment to being a "leading centre for technology" regardless of "who wins Love Island" this year. Even Matt Hancock, the UK's former Health Secretary, has caught the blockchain bug by becoming the "first MP" to feature in the metaverse with a personalised avatar – Conservative Party mandarins are clearly adding in some extra DLTs in their members' lunchtime BLTs!

Alongside this month's debuts, we've also seen some seasoned actors take the regulatory stage, with South Korea's telecommunication regulator probing into large tech firms' app stores as well as the UK's ICO powering forward in aid of empowering and safeguarding vulnerable people and encouraging responsible innovation. The US FTC has also made an appearance by issuing an Advanced Notice of Proposed Rulemaking (ANPR) concerning the protection of consumer privacy and information, heralding a big push by them to encourage federal legislation on the subject.

Tuning into the EU's frequency, data-related stories have dominated the region's wavelengths, with the CJEU's recent broadened interpretation of Article 9 of the GDPR creating firm ripples. The reverberations of the CJEU ruling, which started in the Lithuanian courts, will likely be felt far and wide, impacting companies and applications ranging from dating apps to advertising targeting tools. Furthermore, the EDPB and EDPS have signalled big worries about the European Commission's recent child abuse-related proposals and concluded that the Commission is out of tune with personal data privacy concerns.

China | APAC (excluding China) | EU | UK | Americas | Middle East | Africa

 

CHINA

With great algorithms, come great responsibility: China's CAC publish tech giants' algorithms for public review

Since the Internet Information Service Algorithmic Recommendation Management Provisions (the Provisions) came into effect on March 1, 2022, technology giants have been required to file details of their algorithms with regulators.

On 12 August 2022, for the first time since the March Provisions, the Cyberspace Administration of China (CAC) published a consolidated list of algorithms that have been filed with the regulator and provided a link to the algorithm filing system, which is open for public inspection. The information available for public review is confined to the name of the relevant algorithm, a few introductory paragraphs on its fundamentals and operating mechanics, and its relevant application scenarios.

However, the CAC user filing guide states that to make a successful filing, technology companies actually need to share further details with regulators, including the algorithm data, algorithm mode, algorithm strategy, risk and control plans, indicating that technology companies are likely to have revealed much more to the CAC than what has been published.

Well-known technology giants, such as Alibaba, Tencent, Meituan and Bytedance, have all successfully filed the algorithm of their key products with the CAC. This marks another step for the PRC regulators in framing the regulatory framework of technology companies and requiring them to be more transparent to the government.

 

APAC (excluding China)

India scraps privacy bill that alarmed big tech companies, works on new law

India has announced that it is working on a new comprehensive data protection and privacy bill following the government's withdrawal of its previous bill proposed in 2019. This withdrawal comes after large technology companies such as Facebook and Google indicated alarm at the 2019 privacy bill which was designed to protect Indian citizens and establish a so-called data protection authority. Large technology companies raised concerns that it could increase their compliance burden and data storage requirements.

The government aims to get the new bill approved and made into law by early 2023 in the parliament's budget session which typically runs January-February.

Can we have the bill please? South Korean regulator to probe large tech companies' in-app billing practices

South Korea's telecommunications regulator said that it will launch an official fact-finding investigation into Google Inc., Apple Inc. and ONE store Co.'s app stores, saying that the companies may be in violation of the country's in-app payment laws.

Last year, the South Korean National Assembly passed the law that bans app store operators from forcing in-app payment systems on developers, making South Korea the first country in the world to introduce such curbs on in-app billing policies of global tech giants.

 

EU

CJEU rules to expand the scope of Article 9 of the GDPR

On 1 August 2022, the CJEU issued its ruling on OT v Vyriausioji tarnybinės etikos komisija following a referral by a Regional Administrative Court in Lithuania. In this ruling, the CJEU significantly broadened the interpretation of Article 9 of the GDPR in relation to the processing of sensitive data.

Arising originally in the Lithuanian courts, the initial proceedings concerned the publishing of certain citizens' declarations of interests on a public authority's website which included information about the individuals' "spouse, cohabitee or partner". The CJEU noted that the publishing of that data could, through an "intellectual operation involving comparison or deduction", reveal that person's sexual orientation or information about their sex life, which is deemed 'sensitive data' protected by Article 9 of the GDPR. By implication, this ruling's broad interpretation would be applied to other types of special category data found in Article 9 of the GDPR, which include "racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership".

The ramifications of this CJEU ruling are likely to be huge for companies and tools that process data falling within the Article 9 definition such as dating apps, location data which note places of worship or medical appointments, online advertisement tools and food choices for airplane rides.

Child abuse proposal could present serious risks for personal privacy, say the EDPB and EDPS

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have voiced serious data privacy-related concerns about the European Commission's May 2022 Proposals to prevent and combat child sexual abuse. In the Proposals, technology companies, including hosting service providers, interpersonal communication services and application stores, would be mandated to detect, report, remove and block online child sexual abuse material (CSAM).

Despite supporting the core intention of the Proposals, the EDPB and EDPS highlighted that the suggested measures could undermine people's privacy and data rights. Citing the Proposal's lack of detail or clarity in relation to how AI will be used to target CSAM materials, the EDPB and EDPS stated that the current plan will represent a high level of intrusiveness while also leading to a high volume of errors. They went further and claimed that the Proposals could lead to a "generalised and indiscriminate" scanning of all electronic communications content which, the EDPB and EDPS claim, may present more risks "to society at large, than to the criminals pursued for CSAM".

Czechs and Balances: Czech Presidency suggests limitations to the EU Data Act

The Czech Presidency of the EU Council have presented a compromise to Chapter V of the proposed EU Data Act. Chapter V of the Act, which informs how public entities can demand access to privately held data, has proved controversial for many businesses who claim the powers granted to public bodies are "disproportionate" and "arbitrary".

The new Czech compromise aims to address these concerns by limiting the scope of the Chapter and introducing more stringent safeguards. The core features of the Czech Presidency's compromise are that public sector bodies must request private company data only in "exceptional cases", which have been defined as circumstances that are "unforeseeable and limited in time and scope". Further suggested changes include ensuring the requested data is necessary only to fulfil a not-for-profit purpose that is in the public interest. The compromise wording also requests that public entities need to explain precisely what data is needed, why they need it and, most importantly, how they are going to protect it.

The Czech Presidency compromise is scheduled to be discussed in the EU Council Telecom Working Party meeting on 5 September 2022.

 

UK

Strong and Stable…coins? Stablecoins feature in UK Financial Services and Markets Bill

The Financial Services and Markets Bill will extend the Banking Act 2009 and Financial Services (Banking Reform) Act 2013 to cover 'stablecoins'.

The Bill refers to 'stablecoins' as Digital Settlement Assets (DSA) and defines them as "digital representation[s] of value or rights, whether or not cryptographically secured, that can be used for the settlement of payment obligations, can be transferred, stored or traded electronically, and uses technology supporting the recording or storage of data (which may include distributed ledger technology)". The denomination of DSAs within the Bill will formalise certain types of 'stablecoins' and enable them to be accepted as a legitimate form of payment within the UK's banking systems.

In addition to the formal recognition of DSAs as a form of payment, the Bill will also grant new powers to the Treasury, in consultation with the Financial Conduct Authority (FCA) and the Bank of England (BoE), to regulate i) DSAs, ii) payments made with DSAs, iii) DSA service providers, iv) DSA insolvency arrangements and v) imposing enforcement obligations on DSAs. Firms will be able to test their products within the context of these legislative changes using the Bill's proposed creation of Financial Markets Infrastructure Sandboxes.

Rt Hon Nadhim Zahawi, UK's Chancellor of the Exchequer, affirmed that the Financial Services and Markets Bill "reinforces the UK's position as a leading centre for technology as we safely adopt crypto assets". The Bill must go through two more readings in the House of Commons, the committee and report stages and then finally the House of Lords before it becomes law.

Power to the people: the ICO's new strategic plan aims to 'empower us through information'

The Information Commissioner's Office (ICO) has published a draft of its periodic strategic plan which lays out the regulator's vision and strategy for the upcoming 12 – 36 months.

The ICO's new draft strategic plan, titled 'ICO25 – Empowering you through information' (ICO25), describes the ICO's new strategic objectives as (i) safeguarding and empowering people, particularly vulnerable groups; (ii) empowering responsible innovation and sustainable economic growth; (iii) promoting openness, transparency and accountability; and (iv) continuously developing the ICO's culture, capability and capacity.

The ICO25 includes a broad range of measures aimed at achieving these objectives. These include the launch of a Subject Access Request Generator tool, which will enable individuals to identify and request information about their personal data from companies, and the introduction of iAdvice, a bespoke advice portal for quick advice to those bringing new products to market. John Edwards, the UK's Information Commissioner, stated that the ICO aims to provide "certainty in what the law requires, coupled with a predictable approach to enforcement action that allows businesses to invest and innovate with confidence".

The ICO is now consulting on the ICO25 with a consultation period ending on 22 September 2022. Views and input will be analysed and used to inform the final version of the ICO25 that is due to be published in autumn.

Law Commission proposes a new, distinct category of property for digital assets

The Law Commission has responded to a request by the UK Government to review the law relating to digital assets by publishing a consultation paper containing a number of proposed reforms.

The Law Commission consultation paper highlights that, when compared to traditional physical assets, digital assets have a variety of unique qualities that mean they do not fit into any of the existing private property law definitions or categories. The Law Commission argue that to ensure a strong legal foundation for this emerging industry and its users, the law must expand and create a third category of personal property which has provisionally been defined as "data objects".

To describe the relationship between the 'data object' and people, the Law Commission paper proposes that factual control over a digital asset is more important than possession; however, the paper falls short of specifically defining control. While the paper does suggest specific statutory clarifications, namely within the Law of Property Act 1925, the paper does emphasise the importance of the courts developing the common law in this space.

The Law Commission is seeking responses to its consultation until 4 November 2022.

 

Americas

Do you want CHIPS with that? President Biden signs bill aimed at strengthening US semiconductor industry

On 9 August, President Joe Biden signed into law a bill designed to strengthen the US semiconductor industry and decrease dependence on manufacturers outside the US. The bill provides about USD 50 billion in subsidies as well as a tax credit to encourage companies to build their plants in the US. The ongoing shortage in semiconductors has been disruptive for industries ranging from automobiles to weaponry to mobile devices.

US Consumer Protection Regulator Starts Privacy Rulemaking Process

On August 11, a divided US Federal Trade Commission issued an Advanced Notice of Proposed Rulemaking (ANPR) aimed at "commercial surveillance" and whether rules are needed to protect consumer privacy and information. In comments accompanying the ANPR, the Commissioners expressed continued support for federal legislation and stated that they would not adopt any rules that would conflict with any such federal laws that pass. However, with the prospects of a federal law murky as legislators prepare for an upcoming midterm election season, it is unclear whether and when this will be an issue.

The ANPR starts a months-long process that will include multiple public consultation periods and drafts, but the ANPR is a notable first step and reflects the FTC's continued focus on consumer data privacy and security.

 

Middle East

Dubai Chamber of Digital Economy announces formation of Dubai Digital Assets Business Group

Dubai Chambers has announced the formation of the Dubai Digital Assets Business Group (D2A2), which aims to strengthen the digital asset industry’s role in the economic development of the UAE and Middle East region, enhance digital business infrastructure and support the growth of digital companies in Dubai. The purposes include promoting the digital asset industry in Dubai, boosting transparency through market intelligence and data, supporting the interests, growing digital asset companies and fostering cross-border cooperation.

Omar bin Sultan Al Olama, Minister of State for Artificial Intelligence, Digital Economy, and Teleworking Applications, and Chairman of Dubai Chamber of Digital Economy, underscored the formation of the D2A2 as a strategic move aligned with Dubai Chamber of Digital Economy’s strategy, which aims to fast track the growth of Dubai’s digital economy.

Cabinet approves formation of 'Higher Committee for Government Digital Transformation'

Chaired by His Highness Sheikh Mohammed bin Rashid Al Maktoum, Vice President, Prime Minister and Ruler of Dubai, the UAE Cabinet approved the formation of the "Higher Committee for Government Digital Transformation".

The Higher Committee for Government Digital Transformation aims to supervise and guide the development of the digital ecosystem for the UAE government, and enhance readiness, competitiveness, flexibility and digital alignment between projects and digital systems in federal government agencies.

It will raise the efficiency of its use of infrastructure and digital assets, while enhancing integration between government agencies and institutions to maximise the impact of the comprehensive digital transformation. The duties include preparing policies for comprehensive digital transformation in the federal government as well as reviewing and following up with necessary strategies, programmes, and initiatives to promote digital transformation.

Egypt starts new phase of digital services based on electronic signature

Egypt has taken clear steps towards developing and building a digital state by implementing the wide use of an electronic signature system.

The electronic signature system was activated in several stages, starting with its activation in government applications where government employees will use the electronic signature in the performance of their work with the government’s move to the new administrative capital, then the stage of activating electronic signature systems in applications for enterprises and companies, such as electronic invoices, in cooperation with the Ministry of Finance. The third phase will relate to the application of electronic signatures for use in citizens’ services, such as consular services for Egyptians residing abroad.

The adoption of electronic signatures aligns with the Ministry of Communications and Information Technology's wider strategy which, as Amr Tallat stated, is based on three axes, i) digital transformation, ii) providing highly efficient and stable telecommunication services, and iii) providing digital job opportunities for youth. Egypt has shown a continued commitment to digital transformation through recent initiatives, such as the recent launch of the Digital Egypt platform which aims to provide all Egyptian citizens with a unified electronic portal to over 130 government services, as well as the recent establishment of domestic data centres for its citizens' data.

 

Africa

Nigeria takes first steps in creating a National Artificial Intelligence Policy

Nigeria's Ministry of Communications and Digital Economy have directed their National Information Technology Development Agency (NITDA) to create the country's first National Artificial Intelligence Policy (NAIP).

The NITDA, which is statutorily responsible for the formulation of standards, guidelines and frameworks for Nigeria's active IT sector, have taken the first steps in establishing the vision and purpose of the NAIP. The Policy's core objective will be to ensure that Nigeria's general population benefits from the use and development of AI while also raising awareness, and taking steps to mitigate, the key risks associated with this emerging technology. The NAIP also aims to provide a framework for how the adoption of AI can facilitate the development of Nigeria into a prosperous and sustainable digital economy.

The NAIP will become only the first unified national AI policy dedicated exclusively to regulating the technology within Nigeria. However, this consistent drive to establish institutional bodies that aim to understand and utilise AI technology (e.g. being the first African nation to establish an AI-dedicated national research centre) places Nigeria as one of the region's most pioneering AI proponents.

The NITDA have issued an open invitation for members of the public to contribute and input ideas to the NAIP to maximise stakeholder engagement.

Kenya continues its drive towards data privacy rights with mandatory registration requirements

Following Kenya's Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021 which came into effect on 14 July 2022, Kenya has further entrenched its ambitions of protecting the right to privacy for its citizens by introducing mandatory registration of certain entities with the Office of Data Protection Commissioner (ODPC).

These mandatory ODPC registration requirements are imposed on any entity which acts as a personal data controller and/or processor, meaning that entities that handle data on behalf of others are also caught by this new requirement. Whilst the ODPC have stipulated certain limitations on which entities are caught by this new regulation, such as a limitation based on revenue and employee headcount, entities that offer services within the (i) financial, (ii) genetic/medical, (iii) telecommunications, (iv) educational or (v) direct marketing sectors are all mandated to register. The requirements also encouraged entities to have a data protection officer that oversees compliance with these regulations.

This development has far-reaching ramifications for data controllers and processors who now must reveal the nature of the data they handle, the target subjects they choose and the reasons for collecting the data in the first place. They must also ensure that customer data is used lawfully by certifying that the data being kept has been gathered with the clear consent of the user and safely stored in Kenyan servers. Failure to comply with these regulations will result in fines and even jail terms.

Draft rules under South Africa's Cybercrimes Act published

The Department of Police has published its draft search and security rules for cybercrimes in South Africa. These rules, which were open for public commentary until recently, fall under the Cybercrimes Act (CCA) which was introduced at the end of 2021.

The CCA defines three types of harmful messages that have been criminalised in South Africa, including messages which: (i) incite damage to property or violence; (ii) threaten people with damage to property or violence; and (iii) unlawfully contain an intimate image. The Act also includes definitions for cyber fraud, forgery, extortion, and theft of incorporeal property.

Following the introduction of the Act, the South African Department of Police was given a period of 12 months to formulate its own standard operating protocol around the investigation, search, access, or seizure of items used for cybercrime.

“The CCA provides a new legal mechanism for addressing cybercrime in South Africa, as well as creating a range of new cybercrime offences,” the Department of Police said. “It also provides for mechanisms to preserve electronic evidence in the cyber domain, to conduct search, access and seizure operations in respect of an article as defined in the CCA and the gathering of data connected to both cyber and other crimes that are committed by means of or facilitated through the use of an article.”

The Act allows the South African Police Service to seize any pertinent ‘articles’ related to cybercrime, including: data; a computer program; a computer data storage medium; or computer systems (including laptops and phones).

South Africa Regulator publishes guidelines for security compromise notifications

The South African Information Regulator recently announced that it has published guidelines on how responsible parties must complete the security compromise form to the Regulator under section 22 of the Protection of Personal Information Act 2013 (POPIA).

The guidelines specify a step-by-step guide as to the process to follow, starting with the requirements that the responsible party notify the Regulator of any security compromise as soon as possible after it occurs using the notification form as well as specifying the reason for delay of notification to the data subjects. The guidelines also state that the responsible party must notify data subjects unless their identity cannot be established. Additionally, the Regulator noted that using the form is effective immediately and that failure to comply with the guidelines may result in the notification being regarded as non-compliant.

 

 

Additional Information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.