Tech Policy Unit Horizon Scanner
This month all eyes have been on tech bros and their billion-dollar companies.
Since Elon Musk took over Twitter, declaring "the bird is freed" on 28 October, his policy and employment changes at Twitter have been making waves in the tech sector. The $8-per-month Twitter Blue subscription was immediately exploited after launching in mid-November, with Elon Musk himself and President Biden being immediately impersonated. One of the most disruptive impersonations was of US pharmaceutical company Eli Lilly, where a fake account purchased a blue tick and tweeted, "We are excited to announce insulin is free now", sending the real company's stock price down by 4.5% over a few hours. It's back to the drawing board with Twitter Blue, proving that anything to do with ID verification is always going to be extremely challenging to get right.
Elon Musk is not the only big tech bro hitting the headlines. Sam Bankman-Fried (nicknamed "SBF") was the founder and CEO of the FTX cryptocurrency exchange and quantitative crypto trading firm Alameda Research. A son of two Stanford law professors, SBF supported regulators' pleas to regulate crypto and was for a time a poster-boy for what looked like well-run, well-regulated crypto. Since FTX's collapse into bankruptcy, a court heard that FTX and Alameda Research were run as his 'personal fiefdom' - Alameda Research had lent $1 billion to Bankman-Fried and FTX had lent its customers’ money to Alameda to help it meet its liabilities. Although some are based on blockchain, cryptocurrency exchanges and platforms still deal with customer assets and are, in some ways, not so different from fiat-based platforms. Investors and regulators should take care to understand the technical features and actual implementation in crypto projects and not fall into the trap of assuming that blockchain-like security exists by default in cryptocurrency exchanges.
Finally, this month we learned that neurotechnology is coming to the workplace (maybe). Israel-based startup InnerEye and Silicon Valley company Emotiv are bringing neural sensors, which are now more reliable, affordable and functional without conductive gel, into the marketplace to record data from the brain. These companies believe that neural data can be exploited to help make workers more efficient and to help understand employee wellbeing. You read our minds – we are also asking if data privacy regulators are ready for this.
New rules outlining China's personal data certification regime
On 18 November 2022, the State Administration for Market Regulation and the Cyberspace Administration of China released the "Implementing Rules on the Certification of Personal Information Protection". The rules specify that the certification of personal information protection shall be processed in accordance with the following steps:
- technical verification, which will be conducted by the technical verification institution based on the certification plan the certification agency ("Agency") formulated at the request of the personal information processor ("PI Processor");
- onsite examination, which will be conducted by the Agency; and
- post-certification ongoing supervision, which will be conducted by the Agency on a periodic basis during the validity period (3 years) of the certification.
In this process reports will be produced based on the technical verification and onsite examination. Depending on whether they will engage in cross-border personal information transfer, PI Processors will receive different certification marks.
Relatedly, on 8 November 2022, TC260 also issued the consultation draft of the revised "Practice Guidelines for Cybersecurity Standards - Technical Specification for the Certification of Cross-Border Processing of Personal Information" (the "V2.0 Certification Specification"). Compared with the current version (available in Chinese here), the V2.0 Certification Specification enhances the requirements on the offshore data recipients, which expressly requires the personal information export contract to clearly set out, among other things, the purpose, sensitivity, volume, retention period and location of the exported data, list the data subjects' rights and outline the redressing methods.
Furthermore, TC260 released the full text of the "Information security technology - Guidelines for Personal Information Security Engineering" (the "PI Security Engineering Guidelines") on 8 November 2022. The guidelines, among other things, highlight the necessity to address the security concern of personal information throughout the design process of network products and services that deal with personal information, and require the relevant designers and developers to consider compliance requirements and examine security risks before finalizing the product design.
APAC (Excluding China)
India rolls out new proposed comprehensive data protection legislation
India's Ministry of Electronics and Information Technology has proposed new privacy legislation, called the Digital Personal Data Protection Act 2022, which is intended to provide a legal framework governing personal data protection in India. It includes seven key data protection principles:
- usage of personal data must be done in a lawful, transparent and fair manner for individuals concerned;
- purpose limitation (personal data is used for the purposes for which it was collected);
- data minimization (only items required for the specified purpose are collected);
- reasonable effort to ensure personal data is accurate and kept up to date;
- storage limitation (personal data is only stored for a limited duration as is necessary for the specified purpose);
- reasonable safeguards to prevent personal data breach; and
- personal accountability (the person who decides the purpose and means of processing personal data should be accountable).
It would create a new regulator, the Data Protection Board of India, to oversee compliance and impose penalties, stated not to exceed 5 billion rupees. The new bill also places the personal data of children under the age of 18 in a special data protection category. Further details have not yet been set out and there is little practical guidance available. The ministry welcomes public feedback on the draft bill until 17 December 2022.
India orders Google to allow third-party payments, and imposes a fine
On 25 October, the Competition Commission of India (CCI) said Google used its "dominant position" to force app developers to use its in-app payment system and fined Google USD 113 million for such anti-competitive practices. Google was asked to adopt eight remedies or operations adjustments within three months, including not restricting "app developers from using any third-party billing/ payment processing services, either for in-app purchases or for purchasing apps". This is not the only jurisdiction Google has faced challenges on – Google has faced criticism globally, including in the UK, the EU, South Korea and Indonesia.
This is the latest setback for Google in one of its priority markets. Google was fined another USD 162 million for anti-competitive practices related to its Android operating system. Google is facing another probe into its business conduct in the Indian smart TV market.
NIS 2 Directive: Europe revamps its cybersecurity framework
On 28 November 2022, the Council of the EU formally adopted the revised Network and Information Security Directive (NIS 2). This is the final stage of the legislative proposal and follows a vote in the European Parliament on 10 November 2022. Seeking to expand, strengthen and harmonise implementation of Europe's existing cybersecurity framework, NIS 2 forms a key part of the EU's Cybersecurity Strategy with new provisions and increased obligations concerning incident response, supply chain security, encryption and vulnerability disclosure for private and many public entities. Publication in the EU's Official Journal is expected soon, with Member State implementation to follow within 21 months. For more information about the key changes and what organisations should be doing now to prepare, see our article: NIS 2 Directive: Europe revamps its cybersecurity framework.
Digital finance: EU adopts Digital Operational Resilience Act (DORA)
On 28 November 2022, the Council of the EU formally adopted the Digital Operational Resilience Act (DORA) with the aim of strengthening the IT security of financial institutions such as banks, insurance companies and investment firms. DORA sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide ICT-related services to financial institutions, such as cloud platforms or data analytics services. Adoption by the Council is the final stage of the legislative process, and publication in the Official Journal is expected shortly. In line with DORA, the European Supervisory Authorities will have new oversight responsibilities and will develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. For more on DORA, see our article: DORA: Exploring what the new European Framework for Digital Operational Resilience means for your business
EU algorithmic transparency centre to open in 2023 to support DSA enforcement
The European Commission has announced that its Joint Research Centre (JRC) is setting up a new 'European Centre for Algorithmic Transparency' (ECAT), which is expected to be fully operational in the first quarter of 2023. The ECAT will provide in-house technical assistance in the area of algorithmic systems linked to the Digital Services Act's (DSA's) aim of ensuring a safe, predictable and trusted online environment. It will integrate technical, ethical, economic, legal and environmental perspectives. It will also centralise research with a focus on algorithmic transparency, ensuring that decisions made by algorithms supporting the provision of digital services are transparent, explainable and in line with the risk management obligations of the very large online platforms and search engines under the DSA.
EU: Draft AI Act progresses through EU legislative process
Representatives of the EU's Member States have reportedly reached a provisional agreement on the proposed Artificial Intelligence Act (AI Act) in the Council. The text must still be signed off by Ministers. Meanwhile, the European Parliament is considering a new batch of compromise amendments redesigning the enforcement structure of the AI Act. The proposed updates include unannounced on-site checks of high-risk AI systems, joint investigations for large-scale incidents and a broader approach to a pan-European database for such systems. Additional changes to incident reporting obligations and approach to noncompliance concerning technical documentation have also been raised. The next stage in the legislative process will involve negotiations between the Council and the European Parliament before the Act can be finalised.
UK AI fairness guidelines to be published in early 2023
Stephen Almond from the UK Information Commissioner's Office said that it will publish guidance on fairness in AI and establish a new “Innovation Advice” service early next year on how data protection law applies to new users of technology. By way of reminder, the UK Government produced an AI strategy in September 2021 and released an AI regulation policy paper in July this year. For more on the policy paper, see our article: CMA response to the UK's AI policy paper
Alex Leonidou, head of regulation at the Office for Artificial Intelligence, speaking at the Next steps for AI in the UK Westminster eForum policy conference, emphasised that "AI is a really important area of focus for the government" and noted that the government has made an effort to engage with stakeholders and experts to improve on current AI regulatory frameworks.
Claim against Meta on "right to object" the processing of data for ad targeting based on the GDPR
Human rights campaigner Tanya O’Carroll has filed a claim in the High Court King's Bench Division against Meta over its use of her data for ad targeting and profiling despite her exercising the right to object under the GDPR.
She is seeking a declaration that Meta is in breach of the regional GDPR by continuing to process her data and a compliance order requiring Meta to cease processing her data for direct marketing purposes. She is not seeking damages. Her goal is to set a precedent to enforce the right of millions of Meta users by denying Meta's ability to track and profile people who object to its surveillance. The claim document includes long lists of ad interests Meta assigned to O'Carroll from 16 June 2021 to 14 October 2022, including a number of topics containing sensitive interests.
DCMS Committee to hold inquiry into the future of the NFT market – call for evidence
It has been announced that the Department for Digital, Culture, Media and Sport (DCMS) Committee will be holding an inquiry into the operation, risks, and benefits of Non-Fungible Tokens (NFTs) and the wider blockchain. The DCMS Committee is currently accepting evidence here (deadline Friday 6 January 2023).
The inquiry is expected to enable MPs to consider market risk faced by NFT investors (especially vulnerable speculators). The enquiry is also likely to consider (i) the wider benefits to the UK economy of NFTs and blockchain and (ii) whether more legislation is needed amidst concern of market volatility, ahead of a Treasury review.
CMA to perform quantitative test of Google's Privacy Sandbox technologies - call for input
The CMA have released the following note detailing the framework on how quantitative testing may inform their assessment of Google's Privacy Sandbox proposals. Privacy Sandbox is a set of technologies developed by Google to enable the removal of third-party cookies on Google which will lead to a significant change in the function of online advertising.
The aim of Privacy Sandbox is to protect personal privacy while permitting companies to provide personalised adverts, along with other functionality. The CMA agreed legally binding commitments with Google in February 2022 about how the technology will function. The aim of the CMA is to ensure advertising will function well and competitively after the technology's introduction and they will be testing and trialling the new technology.
The CMA are keen to have market participants' views on the note and the proposals, including ways in which the testing could be made more effective. The CMA are also keen for market participants to consider engaging in trials and to highlight any barriers that may prevent them from doing so.
Elon Musk's recent actions at Twitter may be violating US FTC consent decree, Democratic US senators tell FTC
Seven Democratic senators, including Senator Elizabeth Warren of Massachusetts and Senator Cory Booker of New Jersey, wrote to the chair of US Federal Trade Commission (FTC), Lina Khan, on 17 November 2022 that actions by new Twitter owner and Chief Executive Elon Musk may have violated the company's privacy consent decree with the FTC. They noted the FTC was already on notice prior to Musk's acquisition about Twitter's inadequate security practices based on whistleblower disclosures and Twitter paid USD 150 million to settle allegations by the FTC and the Department of Justice.
Citing Musk's Twitter Blue subscription plan causing an increase of fake accounts and reported changes to internal reviews and data security practices, including dismissals and resignations of key staff, the senators "are concerned that the actions taken by Mr. Musk and others in Twitter management could already represent a violation of the FTC’s consent decree, which prohibits misrepresentation and requires that Twitter maintain a comprehensive information security program."
They urged the FTC to "vigorously oversee its consent decree with Twitter and to bring enforcement actions against any breaches or business practices that are unfair or deceptive", including bringing civil penalties and imposing liability on individual Twitter executives where appropriate.
The FTC previously commented on Twitter's development prior to the senators' letter, saying "We are tracking recent developments at Twitter with deep concern. No CEO or company is above the law and companies must follow our consent decrees". Musk himself responded to this warning that “Twitter will do whatever it takes to adhere to both the letter and spirit of the FTC consent decree.”
The FTC declined to comment on the senators' letter which will be sure to increase the FTC's focus on Twitter.
Google to pay USD 391.5 million to 40 US states to settle geolocation privacy misrepresentation claims
On 14 November 2022, Google reached a USD 391.5 million multistate settlement with attorneys general from over 40 US states, over its location tracking practices relating to Google Account settings. The attorneys general of Oregon and Nebraska led the settlement negotiations, assisted by Arkansas, Florida, Illinois, Louisiana, New Jersey, North Carolina, Pennsylvania, and Tennessee. The final settlement was joined by Alabama, Alaska, Colorado, Connecticut, Delaware, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Nevada, New Mexico, New York, North Dakota, Ohio, Oklahoma, South Carolina, South Dakota, Utah, Vermont, Virginia, and Wisconsin.
This is the largest attorney general-led multistate consumer privacy settlement in U.S. history. Oregon will receive USD 14.8 million; Nebraska will receive more than USD 11.8 million; New Jersey will receive approximately USD 17.79 million; and Connecticut will receive more than USD 6.5 million from the settlement.
The attorneys general opened the Google investigation following a 2018 Associated Press article that revealed Google “records your movements even when you explicitly tell it not to.” The article explained two Google account settings: Location History and Web & App Activity. Location History is “off” unless a user turns on the setting, but Web & App Activity, a separate account setting, is automatically “on” when users set up a Google account, including all Android users.
The attorneys general found that Google violated state consumer protection laws by misleading consumers about its location tracking practices since at least 2014. Specifically, Google misled users about the scope of the Location History setting, the fact that the Web & App Activity setting existed separately and collected location information, and the extent to which users could limit Google’s location tracking by adjusting their account and device settings.
The settlement requires Google to be more transparent with consumers about its location tracking practices. For example Google must show additional information to users whenever they turn a location-related account setting “on” or “off” and the key information about location tracking must not be hidden from users. There must also be a dedicated webpage providing detailed information about the types of location data Google collects and how that data is used.
Google made a public policy announcement on the settlement, explaining how Google has introduced more transparency on data collection.
Google separately settled a similar location tracking lawsuit with Arizona for $85 million in October 2022. Google faces additional lawsuits brought by Washington, D.C., Indiana and Texas for deceptive location tracking.
Class action lawsuit alleges Amazon locks customers into prime subscriptions with dark patterns
A proposed class action in Washington (filed on 9 November 2022) alleges that Amazon relies on exploitative dark patterns to prevent consumers from cancelling their Prime memberships. It alleged that Amazon "intentionally and knowingly misled" consumers, having "created and implemented its Project Iliad precisely to deceive members of the public". The complaint also extensively cited the complaint filed by the Electronic Privacy Information Centre (EPIC) in 2021 to the D.C. Attorney General’s office, which explained how Amazon’s deceptive cancellation interface effectively prevents Prime subscribers from ending their memberships and leads to further subscription fees. The class action complaint outlines that the plaintiffs seek to recover damages and obtain all other relief allowed under the Washington Consumer Protection Act.
US state attorneys general ask FTC to focus privacy rulemaking on data minimization, risks of biometric, medical and location data
A bipartisan group of 33 state attorneys general led by Massachusetts Attorney General Maura Healey filed a joint comment on 17 November 2022 in response to the FTC’s Advance Notice of Proposed Rulemaking on Commercial Surveillance and Data Security (FTC-2022-0053-0001). The attorneys general asked the FTC to focus on the principle of data minimisation and the risks around the commercial collection of biometric, location and medical information when creating new rules to prevent misconduct and promote transparency and accountability around online data collection. The attorneys general also reiterated to the FTC the dangers of data brokers.
Old US laws will work, but new privacy law would be helpful, FTC's Bedoya, New Jersey AG Platkin say
US Federal Trade Commissioner Alvaro Bedoya and New Jersey Attorney General Matthew J. Platkin said the much-anticipated federal privacy law would be helpful in protecting consumers, even though companies with deceptive privacy policies can be pursued for prosecution without it. Bedoya said that the Commission needs the ability to enforce the many existing laws that protect consumers from deceptive practices under the Division of Privacy and Identity Protection. While Commissioner Bedoya and AG Platkin agree there is much to be done, they found it encouraging that more people are calling for changes, and that privacy protection continues to be a rare area of bipartisan agreement.
Bipartisan support for the Informing Consumers about Smart Devices Act
On 17 November 2022, two US Senators introduced a bipartisan bill "to require the disclosure of a camera or recording capability in certain internet-connected devices." The bill would require manufacturers of certain consumer devices to "disclose, clearly and conspicuously and prior to purchase, whether the covered device manufactured by the manufacturer contains a camera or microphone as a component of the covered device." Any failure to disclose as required by the bill would be deemed an "unfair or deceptive act or practice" within the enforcement jurisdiction of the US Federal Trade Commission. The bill was introduced by Senators Maria Cantwell (D-Washington, Chair of the Senate Commerce, Science and Transportation Committee) and Ted Cruz (R-Texas) and has been referred to the Senate Committee on Commerce, Science, and Transportation. A House version passed in September 2022. The current text can be found here.
FBI Director Raises National Security Concerns Over TikTok's Operations in U.S.
On November 15, 2022, Christopher Wray, the Director of the U.S. Federal Bureau of Investigation (FBI), stated to the U.S. House of Representatives Homeland Security Committee that the FBI has "a number of concerns" relating to TikTok, a popular social media application owned by ByteDance Ltd. (ByteDance), a Chinese company, and its United States operations. Specifically, Director Wray raised concerns regarding TikTok's data collection practices "on millions of users" and use of recommendation algorithms, which could "influence operations" and provide an opportunity to "compromise personal devices". In September 2022, the Committee on Foreign Investment in the United States (CFIUS) negotiated a preliminary agreement with ByteDance in connection with TikTok's operations in the United States. A spokesperson for TikTok confirmed that preliminary agreements with CFIUS aim to address concerns relating to U.S. data privacy and security, governance, content moderation and transparency in the company's use of algorithms. Director Wray also indicated that the FBI has been involved with the CFIUS negotiations with ByteDance related to TikTok.
Director Wray's comments add to the increased public scrutiny of TikTok's operations by U.S. government officials, including from U.S. Senate Intelligence Committee Chairman Mark Warner (D-VA) and Federal Communications Commissioner Brendan Carr. Recently, Sen. Marco Rubio (R-FL) and U.S. House Rep. Mike Gallagher (R-WI) published an editorial in the Washington Post, which announced their plan to introduce legislation to ban TikTok in the U.S., claiming that the social media company is "effectively controlled" by the Chinese government.
Dubai: DMCC, Safegold collaborate to use gold-backed digital assets
Dubai Multi Commodities Centre (DMCC) and SafeGold, Asia’s leading digital gold platform, have signed a Memorandum of Understanding to advance SafeGold’s vision of digitising gold investment within the Middle East and North Africa region’s US$20 billion gold market. The partnership will create an ecosystem for gold-backed digital certificates, initially in the UAE and subsequently across the entire MENA region. Gold bars will be physically stored in secure vaults and verified by warrants issued on DMCC’s Tradeflow platform, a transparent central registry of ownership for gold and commodities stored in UAE facilities. The digital certificates can then be traded on SafeGold’s platform, providing investors with greater levels of transparency and confidence.
Abu Dhabi Global Market launches ‘Mediation in the Metaverse'
The ADGM Arbitration Centre announces the launch of the world’s first mediation service in the metaverse. By using the latest Web3 technology available, ADGM’s “mediation in the metaverse” service will provide a more immersive experience, allowing virtual mediation between the participants in a 3D office space. This virtual space will be based on the physical space within the ADGM Arbitration Centre, with video imaging of participants integrated into the virtual surroundings. One can enter the virtual Arbitration Centre via a desktop or mobile device without other devices or hardware.
Nigeria: NITDA requests comment on draft National Data Strategy
The Nigerian National Information Technology Development Agency (NITDA) has published a draft National Data Strategy. The Strategy is designed to accelerate the adoption and use of digital technologies for data collection, validation, storage, analysis and transmission. In particular, the Strategy outlines NITDA's objectives to: (i) develop, adopt and adapt data security strategies standards and programmes; (ii) develop and deploy new mechanisms for ensuring compliance with Nigerian data laws; and (iii) improve compliance with the existing legal and regulatory frameworks on data protection.
Uganda: new law criminalises some internet activity – activists launch a legal challenge to the 'harsh' law
Uganda's new Computer Misuse Bill (an amendment to the 2011 Computer Misuse Bill) was implemented by lawmakers to punish those that hide behind computers to hurt others. The legislation, which proposes jail terms of up to 10 years in some cases, is being challenged in the constitutional courts by activists who believe it violates the right to freedom of expression and criminalises some digital work, including investigative journalism. Indeed, some clauses are particularly wide. Clause 2(c) states "…shares any information about or that relates to another person, commits an offence" which could be used to silence dissidents. Whether the online transmission of information will remain illegal remains to be seen.
Namibia: Cyber security council launched to combat cyber fraud
On 21 November 2022, Namibia launched a cyber security council that will constitute a platform via which the banking and non-bank financial sectors can discuss and create operational approaches to tackle cyber fraud. The council seeks to formulate a unified approach, improve the development of cybersecurity within the participating member organizations, and the financial sector as a whole by allowing leaders in information security to share their knowledge and skills across firms. Overall, it will improve efficiency in cyber-risk management as institutions can collaborate with each other. Linked to this, the Namibian government is currently finalising its cybercrime legislation, which features the draft Cybercrime Bill and the draft Data Protection Bill.
Angola: Head of state launches Huawei's Technology Park in Luanda
This month, the head of State inaugurated Huawei's technology park in Angola, an investment worth a total of US$80 million and Huawei's third technology park in Africa, after Egypt and South Africa. The park itself covers an area of 32,000 square meters in Talatona, Luanda. The infrastructure boasts three centres, the first of which is for training Angolan talent and engineers; the second is geared towards innovation (particularly new technologies); and the third is focused on advanced technological experiences. The technology park also has a data center plus 3G, 4G and 5G telephony solutions, as well as solar panels for homes and businesses. The infrastructure also provides for energy solutions for prepaid systems, videoconferencing, artificial intelligence and smart home appliances.
This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.
The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.