Clifford Chance

SVB's collapse. Credit Suisse's takeover by UBS. The demise of three further mid-sized US banks. There's no question that banking turmoil has dominated this month's news. And yet…

Flying under the news-radar, a swathe of data protection and privacy legislation has been published, amended, and debated – some even passed. The UK's Data Protection and Digital Information Bill No. 2 was published, and both the European Parliament and Council adopted amendments in respect of the EU's Data Act. In the U.S., bills relating to data privacy and protection progressed through the legislative process in various states, including California, Virginia, Hawaii, Oklahoma, Tennessee and Iowa. At a federal level, the White House announced its National Cybersecurity Strategy, a roadmap for strengthening U.S. resilience to cybersecurity threats.

Generative AI continues to be a big topic of conversation in both commercial and legislative circles. Google launched its first large language model, Bard, and Adobe launched a private beta version of its first Firefly model which focuses on content creation. In the U.S., the Chamber of Commerce drafted a report stressing the need for AI technology regulation.

The UK published a White Paper on AI regulation on 29 March, proposing a principles based approach, and the creation of a new "central risk function". It might be one of the first governments to explicitly refer to "existential risks posed by artificial general intelligence", which is quite some timing given that was the same day as the publication of an open-letter calling for a six-month moratorium on the training of AI systems more powerful than GPT-4, signed by Max Tegmark, Steve Wozniak, Yuval Noah Harari, Elon Musk, Andrew Yang and others.

CHINA

China plans to establish a State Administration of Data

China's State Council unveiled a plan to reform its institutions (the Reform Plan) on 7 March 2023. This was approved by the National People's Congress on 10 March 2023. Part of China's Reform Plan involves establishing a State Administration of Data (SAD), also referred to as a National Bureau of Data, which will be administered by the National Development and Reform Commission (NDRC).

Among other things, the SAD will:

• formulate a plan to construct a more digital China;
• coordinate and promote the use of technology to reform traditional government management and public services;
• coordinate and promote the construction of smart cities;
• coordinate the development, usage and sharing of important national information resources; and
• promote the interconnection of information resources across industries and departments.

CAC publishes Provisions on Administrative Law Enforcement Procedures of Cyberspace Administration

One 23 March 2023, the Cyberspace Administration of China (CAC) published the Provisions on Administrative Law Enforcement Procedures of Cyberspace Administration. These set out procedures governing the administrative supervision of enforcement actions for violations of relevant data protection and security regulations.

In addition to detailing the procedures that the cybersecurity and informatisation departments must follow when investigating and collecting evidence, the Provisions set out the process they must follow before imposing administrative penalties. The cybersecurity and informatisation departments have to notify the relevant parties of their right to request a hearing, from which point those parties must make their request within five days. If a party fails to do so, they waive their right to a hearing and can be subject to the following penalties:

• a large fine;
• the confiscation of relatively large amounts of illegal income and large-value illegal property;
• the lowering of qualification levels and revocation of licenses;
• orders to stop production and business to close down or restrict business operations; and
• other heavier administrative penalties.

APAC (Excluding China)

Monetary Authority of Singapore promises new crypto regulation plans by mid-2023

Back in October 2022, the Monetary Authority of Singapore (MAS) published two consultation papers on proposed regulatory measures to make cryptocurrency trading safer. On 20 March 2023, in response to a parliamentary question, Tharman Shanmugaratnam, the Senior Minister and Chairman of MAS confirmed that MAS was reviewing the feedback it had received and hoped to publish its response by mid-2023. This drive to protect against crypto-related harms comes after several Singapore-based firms, including Three Arrows Capital and Zipmex, imploded last year.

Crypto transactions now within the scope of India's AML regime

On 7 March 2023, India's Finance Ministry issued a notice bringing token and cryptocurrency transactions within the scope of India's anti-money laundering (AML) regime. India's Prevention of Money Laundering Act 2002 (PMLA) will now also apply to transactions involving virtual digital assets. Crytpo companies will now be considered "reporting companies" and must comply with KYC and AML standards.

Hong Kong gears up to develop ChatGPT-like platform

Hong Kong's Secretary for Innovation, Technology and Industry, Sun Dong, has stated that authorities will hold a public consultation this year on their plans to set up an AI supercomputing centre, which they hope will encourage top talent and technology enterprises to come to Hong Kong. Part of Hong Kong's broader efforts to make the city a centre of IT and innovation – an initiative with a budget of more than HK$10 billion (US$1.27 billion) – it hopes to combat a sense that Hong Kong needs to catch up with the progress made globally in this sector.

EU

Data Act: Parliament adopts its position

The European Commission adopted its proposal for Regulation on harmonised rules on fair access to and use of data (the Data Act) on 23 February 2022. The Data Act aims to ensure fairness in the allocation of value from data and to improve access it / its use. The European Parliament plenary session adopted amendments to the Data Act on 14 March 2023. The Council of the European Union then published its own mandate for negotiations with the European Parliament on 24 March. It supports the general thrust of the Commission's proposal, but also suggests some amendments. Informal trilogue discussions between the Commission, Parliament and Council can now begin.

Net-Zero Industry Act's emphasis on clean tech production

The European Commission tabled its Net-Zero Industry Act, part of the Green Deal Industrial Plan, on 16 March 2023. Notably, it includes a goal for the EU to be producing at least 40% of the technology it needs to achieve its climate / energy targets by 2030 – though this is a political objective, rather than a legal requirement. Commission President, Ursula von der Leyen, has stressed the need for a regulatory environment that will allow for the clean energy transition to be scaled up quickly. Specific aims within the Regulation include reducing the administrative burden involved in setting up net-zero technology projects and simplifying permit-granting processes. Next, the Regulation will need to be discussed and agreed by the European Parliament and the Council of the European Union.

Electronic goods: new right to repair

The European Commission has published a new initiative on the "right to repair". The proposal is in the form of common rules promoting the repair of goods, which the Commission hopes will result in cost savings for consumers and waste reduction as people prioritise repair as opposed to replacing goods. The proposal covers consumer goods (any tangible movable item) whether or not they are still under legal guarantee. Producers will have an obligation to repair goods for five to ten years after they were bought, depending on the type of product. Initially the proposal will only apply to goods for which "reparability requirements" are set out in EU law (for the moment that includes household appliances such as washing machines and dryers, dishwashers, fridges, electronic displays, welding equipment, vacuum cleaners, and servers and data storage). Once reparability requirements are adopted for mobile phones, cordless phones and tablets, the rules will also apply to them. The Commission's proposal will now be debated and adopted by the European Parliament and the Council.

Council of Europe updates its draft Model Contractual Clauses

On 3 March 2023, the Council of Europe published a revised version of its draft Model Contractual Clauses for the Transfer of Personal Data from Controller to Controller (MCCs) under the Amending Protocol to the Convention for the Protection of Individuals with regard to the Processing of Personal Data (also known as Convention 108+). The changes include new definitions of the terms "data breach", "data exporter" and "data importer" and amendments to clauses governing due diligence, data security, onward transfers and redress for data subjects.

The measures within the Council of Europe's Convention 108+ are distinct from those within the GDPR. Convention 108+ has been seen as a way of encouraging countries that are not in the EU to adopt GDPR's basic tenets.

UK

New Data Protection and Digital Information Bill Published

The Data Protection and Digital Information (No. 2) Bill (updated DPDI Bill) was introduced into Parliament by Michelle Donelan, the Secretary of State for Science, Innovation and Technology, on 8 March 2023. The original version of the DPDI Bill, intended to be the UK's new version of the EU GDPR, was initially introduced to Parliament in July 2022, but was put on hold to give ministers time to engage further with business leaders and data experts on its contents.

Among other things, the Bill intends to reduce the costs and burdens of demonstrating compliance on British businesses in the sector. The government hopes this will save the UK economy more than £4 billion over next 10 years.

While the updated DPDI Bill largely reproduces the original DPDI Bill, there are some notable changes. In particular, the updated DPDI Bill proposes that direct marketing, intra-group transmission of personal data and ensuring the security of network and information systems are legitimate interests that businesses can rely on for the processing of personal data. The updated DPDI Bill also limits the GDPR restrictions on the use of automated decision-making to decisions which are made without human involvement. Although updated DPDI Bill does not change the previous bill's proposals on cookies, the Department for Science, Innovation and Technology has indicated that it continues to engage with businesses on this point.

Government released White Paper on AI regulation

On 29 March, the UK government released a White Paper, "A pro-innovation approach to AI regulation." Whilst the government is not proposing legislation, it does wish to create a statutory obligation for regulators to have regard to the five principles that form part of the White Paper (Safety, security and robustness, Appropriate transparency and Explainability, Fairness, Accountability and governance, and Contestability and redress.) The proposals are largely principles based, but include the possibility that regulators will issue, amongst other things, "risk assessment templates" and that the government will create a "central risk function". The UK is consulting on the proposals until 21 June.

ICO updates AI and Data Protection guidance

The ICO confirmed on 15 March 2023 that it had updated its Guidance on AI and Data Protection, adding new content and restructuring several existing chapters. It did so in response to industry feedback and in line with a key ICO25 commitment: to help organisations adopt new technologies while protecting people and vulnerable groups.

Additions include:

• a new chapter on the transparency principle (article 5(1)(a), UK GDPR) in the context of AI;
• a new chapter setting out the considerations / details that a firm needs to cover in its Data Privacy Impact Assessment ("DPIA") when using AI to process personal data; and
• new chapters on ensuring "fairness" and "lawfulness" in AI.

Online Safety Bill risk assessments: Ofcom publishes discussion document on proposed guidance

Ofcom published a discussion document on its proposed guidance in relation to the risk assessments that companies within the scope of the Online Safety Bill will have to undertake.

The Bill currently requires all regulated providers to conduct risk assessments of illegal content that may appear on their service. For services likely to be accessed by children, regulated providers will also have to carry out risk assessments of content that may harm them (such as pornography and content promoting eating disorders). Ofcom will produce guidance to help services meet these requirements.

Ofcom currently proposes that services follow these four steps:

• establish the context;
• assess the risks;
• decide measures and implement; and
• report, review and update.

Ofcom plans to launch a formal consultation as soon as possible after its powers commence. Once Ofcom has published its guidance, services will have three months to carry out their first illegal content risk assessments.

Government to produce code of practice for generative AI

This month, the government published both the Pro-innovation Regulation of Technologies Review: Digital Technologies report and the HM Government Response to Sir Patrick Vallance's Pro-Innovation Regulation of Technologies Review.

In his report, Sir Patrick Vallance identifies the need for the government to announce a clear policy position on the relationship between intellectual property law and generative AI, which creates content by learning from existing available content, to provide innovators and investors with confidence. The Intellectual Property Office (IPO) will produce a code of practice by the summer and the government promises to provide clarity in terms of the application of intellectual property law to the AI sector more broadly.

UK Science and Technology Framework

The Department for Science, Innovation & Technology published its 'UK Science and Technology Framework' on 6 March 2023. The Framework is intended to strengthen the UK's science and technology sectors to drive prosperity in the country going forward. It has ten sections and lists key "outcomes" within these – including increasing private sector investment into research and building a varied set of science and technology-based international partnerships.

The government promises to publish a progress update in relation to each section this summer.

Americas

Biden-Harris administration announces National Cybersecurity Strategy

On 2 March 2023, the Biden-Harris Administration released the National Cybersecurity Strategy, a 39-page document built around five pillars of action meant to strengthen U.S. resilience to cybersecurity threats. The document does not set out new law; rather, it coalesces existing initiatives and aligns future planned initiatives into a comprehensive roadmap for strengthening U.S. cybersecurity. In so doing, the White House has signaled how it will use its executive power to support national cybersecurity, including using its influence over the federal budget and federal contracts; directing resources towards assessment, collaboration, and information sharing; supporting research among federal agencies to issue cybersecurity guidance; and directing agencies to target key areas of enforcement. The document also includes calls on Congress to develop legislation in alignment with the strategy (including support for a comprehensive privacy law) and calls on the private sector to strengthen industry standards.

Antitrust laws targeting Big Tech

On 7 March 2023, the U.S. Senate's Antitrust Subcommittee held a hearing entitled "Reining in Dominant Digital Platforms: Restoring Competition to Our Digital Markets." The hearing focused on the American Innovation and Choice Online Act (AICOA), a Bill intended to regulate "self-preferencing" by large tech platforms operating at multiple levels of commerce, and the Open App Markets Act, which would establish rules for the distribution of software applications in "app stores." Both Bills cleared the House Judiciary Committee last term but did not receive a floor vote. At the hearing, senators from both parties expressed support for the Bills, with Sen. Amy Klobuchar (D-MN) in particular arguing that the U.S. is ceding ground on global competition policy to other countries by failing to pass new legislation. Participants expressed opposing views on whether the Bills laid out clear standards for evaluating competitive impact and the extent to which the legislation would affect the content-moderation efforts of social platforms.

SEC Proposes Amendments to Reg S-P to Strengthen Cybersecurity

On 15 March 2023, the SEC issued proposed amendments to Regulation S-P that would require brokers, dealers, investment companies, and investment advisers registered with the SEC to adopt written policies and procedures to address unauthorized access to, or use of, customer information—including breach notification provisions. The amendments would also broaden the scope of covered information and extend the application of the safeguards rule to transfer agents. These amendments are in addition to the existing requirements for companies to notify customers about how they use collected financial information. The proposed amendments come amidst a series of rule proposals aimed at strengthening cybersecurity across a range of entities over which the SEC has authority. The proposed rule also comes as other agencies are pushing for greater cybersecurity preparedness, including the FTC, which recently issued revisions to its GLBA Safeguards Rule (most of which are scheduled to become effective in June of this year). The SEC's proposal is now in a 60-day comment period, after which the SEC will consider whether the proposed amendments are appropriate and if further revisions are necessary.

Middle East

Digital Dubai issues Soulbound NFTs

Having recently adopted Soulbound Token technology, on 16 March 2023 Digital Dubai issued the world's first Secured Digital Certificates as Soulbound NFTs. This new technology allows certificates to be permanently linked to an individual's digital wallet, making it very secure.

Dubai Chambers launch six business groups in the digital industry

On 1 March 2023, the Dubai Chamber of Commerce announced it was launching six business groups in collaboration with the Dubai Chamber of Digital Economy. These business groups will focus on software services, e-commerce, connectivity, online gaming, marketing and cybersecurity. Their creation aligns with Dubai's D33 goals to create an additional AED 100 billion of economic value annually from digital transformation. Mohammed Ali Rashed Lootah, President and CEO of Dubai Chambers, stressed the importance of the business groups within the digital industry: "by providing a forum that facilitates mutual dialogue between the sector's stakeholders and government entities, the business groups will be able to address policy matters and enhance the competitiveness of their respective sectors."

Africa

Competition Commission to investigate digital media in South Africa

On 17 March 2023, South Africa's Competition Commission announced it had published its draft Terms of Reference (ToR) for a market inquiry into the distribution of news media content on digital platforms, the Media and Digital Platforms Market Inquiry (MDPMI). The Commission noted that there had been a shift towards the consumption of digital news sources and argued there was a need to explore any negative impacts this may be having on South Africa's news media sector. In particular, the Commission expressed concern that "there may exist market features in digital platforms that distribute news media content that impede, distort, or restrict competition". The MDPMI will focus predominantly on search engines, social media sites, video-sharing platforms and news aggregation platforms. It will also consider new technologies being adopted by these platforms, including generative AI. Members of the public and interested stakeholders can make written submissions in response to the proposed ToRs by 20 April. The MDPMI will commence 20 days after the final ToR are published.

Botswana focuses on tech to grow its economy

Botswana's Communications, Knowledge and Technology Minister, Thulagano Segokgo, spoke at a media roundtable at the Mobile World Congress 2023 about Botswana's drive to focus on technology as a source of economic growth and diversification. While diamond mining plays and has played a crucial role in Botswana's economy in the past, Segokgo hopes that an increased focus on digital transformation will help Botswana's economy to develop further and, in particular, to reach 5.76% growth. Segokgo described an initiative to provide all Botswanan villages of 500 people or more with connectivity to ensure no one is left behind technologically. Segokgo also described efforts to bring all government services, especially customer-facing ones, online.

Additional Information

 

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.