Clifford Chance

International efforts to understand and regulate Artificial Intelligence (AI) continue. Leaders of the Group of Seven (G7) nations discussed the regulation of AI at their annual Summit in Hiroshima on 19 – 21 May and their joint statement stressed the, "importance of international discussions on AI governance and interoperability between AI governance frameworks".

On 24 May we hosted Sam Altman, the CEO of OpenAI, at an event in London. He said that OpenAI would likely be able to comply with AI regulation in some jurisdictions, but not in others. He added it was good that there is a spectrum of approaches emerging around the world and that, "we will see what works and what doesn’t". On 22 May an article on the governance of super-intelligence by Sam Altman and others at OpenAI proposed the creation of an international authority for super-intelligence, akin to the International Atomic Energy Agency ("IAEA").

On 11 May Dessislava Savova, Partner and Head of the Continental Europe Tech Group at Clifford Chance, spoke about the EU AI Act on BBC News, discussing the European Parliament's Internal Market and Civil Liberties Committee’s amendments to the Commission's proposal.

In more conventional but no less dramatic news, social media giants Meta and TikTok were both fined for breaching data protection law. The Irish Data Protection Commission published the full text of its €1.2 billion fine against Meta Platforms Ireland Limited for mishandling data, which Meta is appealing. Meanwhile the UK Information Commissioner's Office fined TikTok £12.7 million for several breaches of data protection law, including failing to use children's personal data lawfully. TikTok was also banned from operating in Montana in the U.S., the first state-wide ban of the app, but has already filed a federal suit arguing that the ban is unconstitutional.

APAC (excluding China)

Australian Competition & Consumer Commission publishes report on social media

On 28 April 2023, the Australian Competition & Consumer Commission ("ACCC") published its report on social media services and on how consumers and businesses interact with them in Australia. It identifies a range of harms that consumers and small businesses experience across social media services, including "excessive data collection practices, lack of effective dispute resolution options, prevalence of scams, lack of transparency for advertisers and inadequate disclosure of sponsored content by influencers and brands." ACCC Chair Gina Cass-Gottlieb said: “Social media services are an essential part of our daily lives and have provided many benefits to society. But we are concerned about the level of influence social media platforms hold over users and their position as critical intermediaries for businesses to reach customers. Limited competition in these services can lead to poorer outcomes for consumers and small businesses.”

Monetary Authority of Singapore and U.S. Treasury conduct joint exercise to strengthen cross-border cyber incident coordination and crisis management

On 2 May 2023, the Monetary Authority of Singapore published a press release describing a cross-border cybersecurity exercise that it had conducted with the U.S. Treasury from 25 to 27 April 2023. Both agencies tested and improved existing protocols for information exchange and incident response coordination for cyber incidents involving banks operating in both jurisdictions. The exercise followed a Memorandum of Understanding on Cybersecurity Cooperation which both agencies signed in August 2021.

Singapore's plan to transform its Information & Communications Industry to power a Global-Asia Digital Hub

The Singapore Deputy Prime Minister and Minister for Finance, Lawrence Wong has launched the refreshed Information & Comunications Industry Transformation Map ("I&C ITM"). The refreshed I&C ITM, developed by Digital Industry Singapore ("DISG"), will  build on the momentum of the earlier ITM (launched in 2017) which outlined strategies that contributed to the sector's expansion. It is hoped that the I&C ITM will continue that work and help "develop a strong and resilient I&C sector to power the growth of our [their] Digital Economy and strengthen Singapore’s position as a hub for leading tech companies and talent". The I&C ITM's scope will include sub-sectors such as software, IT services, online services and telcos.

China

Over 30 companies have taken action to obtain the certification on personal information protection under SAMR

Li Chunjiang, the deputy director-general of the department in charge of certification work under the State Administration for Market Regulation (SAMR) provided various updates on the certification work of data-security management and personal-information protection when he spoke at the Digital Security Forum held in Fuzhou on 27-28 April. He stated that over 30 companies in China have applied to obtain certifications on their personal-information protection and five network operators have received certifications on their data security management. To facilitate the certification of personal information protection, Chinese regulators have established a certification team comprised of one certification institution, more than 10 technical verification organizations and more than 50 staff who are dedicated to conducting on-spot checking.

Shanghai CAC announces the first two companies which have passed the security assessment for data export

On 5 May 2023, the Shanghai office of the Cyberspace Administration of China (Shanghai CAC) announced that Mazda Motor (China) Co., Ltd. and Sephora (Shanghai) Cosmetics Co., Ltd., were the first two companies to have passed the security assessment for data export. Shanghai CAC also mentioned that it had answered more than 3,300 consultation calls and received more than 400 applications for data export security assessments from institutions across key industries, including automotive, finance, retail, business services and healthcare. Of these, nearly 60 applications have passed the initial review stage and have now been submitted to the Cyberspace Administration of China for further review.

Beijing government publishes the first regulation on data security management in an autonomous driving pilot area

On 12 May 2023, Beijing's government issued the Administrative Measures on Data Security in Beijing Intelligent Connected Vehicle Policy Pilot Area (for Trial) (the "Administrative Measures"), which is the first regulation on data security management in autonomous driving within pilot areas. Among other things, the Administrative Measures provide that: (a) in terms of personal information, enterprises should explicitly describe the method for processing personal information, anonymizing sensitive data for further transmission, and storing certain data within vehicles; and (b) in terms of important data, enterprises should carry out data mapping and conduct security review of data export when necessary.

EU

Meta faces record €1.2 billion fine from Irish Data Protection Commission

The Irish Data Protection Commission (DPC) published the conclusions of its enquiry into Meta on 22 May 2023. It ruled that: (i) Meta Ireland must suspend any future transfer of personal data to the U.S. within five months; (ii) Meta would be fined €1.2 billion; and (iii) Meta Ireland must bring its processing operations into compliance with Chapter V of the General Data Protection Regulation (GDPR) within six months. The ruling is the final step in a long process that triggered the cooperation procedure mandated by Article 60 of the GDPR whereby the draft decision prepared by the DPC was submitted to the other data protection authorities in all the EU/EEA countries as "Concerned Supervisory Authorities" (CSAs). When no consensus could be reached among the CSAs on the measures to be taken, the DPC referred the case to the European Data Protection Board (EDPB) for determination pursuant to the Article 65 dispute resolution mechanism. The EDPB adopted its decision on 13 April 2023 and this forms the basis of the DPC's conclusions, as foreseen by the GDPR. The EDPB has published the final decision on its website. It is the largest fine to be issued under the GDPR to-date.

Data transfers: European Parliament rejects proposed new EU-U.S. Data Privacy Framework

On 11 May 2023, the European Parliament formally opposed the adoption of a U.S. Adequacy Decision, confirming the position of its Civil Liberties Committee. According to the Parliament, the EU-U.S. Data Privacy Framework (DPF) is an improvement on previous frameworks, but still does not provide sufficient safeguards for EU citizens. Among other things, MEPs noted that decisions of the new Data Protection Review Court created by the EU-U.S. DPF would be secret, violating citizens' right to access and rectify data about them, and its judges could be dismissed by the U.S. President, who would also have the power to overrule the Court's decisions, meaning it would not be truly independent. The European Parliament therefore urged the European Commission to oppose the new agreement. The Parliament's opinion is advisory only – it is up to the Member States to greenlight the decision which is ultimately adopted by the European Commission.

Mergers: European Commission clears Microsoft Activision deal

On 15 May 2023 the European Commission approved the proposed acquisition of Activision Blizzard by Microsoft. The deal is subject to commitments offered by Microsoft in order to address competition concerns identified by the Commission. This follows a decision by the UK's Competition and Markets Authority (CMA) to prevent the merger over concerns it would alter the future of the fast-growing cloud gaming market, leading to reduced innovation and less choice for UK gamers over the years to come.

EU-India Trade and Technology summit

The EU and India have held their first joint Trade and Technology Council (TTC), set up as a means of coordinating on key trade, trusted technology and security challenges. The TTC agreed to work on three areas: (1) strategic technologies, digital governance and digital connectivity, which includes cooperation on quantum and High-Performance Computing R&D projects to address climate change and personalised medicine, as well as cooperation on trustworthy AI and a dedicated Memorandum of Understanding on semiconductors; (2) green and clean energy technologies, including wastewater management (plastic litter and waste to hydrogen in particular) and the recycling of electric vehicles batteries; and (3) trade, investment and "resilient value chains". The EU and India will try and resolve bilateral market access issues and exchange information on their respective foreign direct investment screening. They also agreed to intensify their engagement on carbon border measures, a reference to the EU Carbon Border Adjustment Mechanism (CBAM) that is likely to impact India's steel sector.

European Parliament Committee amends EU AI act

On 11 May 2023, the European Parliament's Internal Market and Civil Liberties Committees adopted their amendments to the Commission's proposal for a new AI Act. The Parliament's version of the text would ban certain practices from using AI, including predictive policing, biometric identification, emotion recognition and the indiscriminate scraping of biometric data from CCTV. It would also impose specific obligations on the providers of general-purpose AI tools in response to the surge in ChatGPT's recent popularity. Dessislava Savova, Partner and Head of Continental Europe of Clifford Chance's Tech Group spoke to BBC News about the EU's AI proposals, describing them as a "gamechanger".

UK

Initial Competition and Markets Authority review of AI foundation models

On 4 May 2023, the Competition and Markets Authority (CMA) published an initial review paper entitled 'AI Foundation Models: Initial Review' in response to the UK Government's AI White Paper. The CMA hopes to understand more about (1) how the competitive markets for foundation models, including large language models and AI, and their use could evolve; (2) the opportunities and risks these scenarios could bring for competition and consumer protection; and (3) which principles can best guide the ongoing development of these markets. Its ultimate goal is "to help this emergent and rapidly scaling technology develop in ways that result in open, competitive markets that will continue to bring benefits for people, businesses and the economy in the UK".

House of Commons committee hears evidence on the Data Protection and Digital Information (No. 2) Bill

On 10 May 2023, the House of Commons committee heard evidence from 23 witnesses on various issues relating to the Data Protection and Digital Information (No. 2) Bill (DPDI Bill), which was introduced to the House of Commons on 8 March 2023 and debated at second reading on 17 April. Information Commissioner, John Edwards, was among those who gave oral evidence on 10 May. He acknowledged that the new law would bring its own "transitional" challenges for the ICO, but argued that measures like direct ministerial oversight would be a net positive.

The government also published Keeling Schedules (redlines) of the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communcations (EC Directive) Regulations 2003 on 10 May 2023. These may assist the reader in understanding the Bill's amendments to other pieces of UK data protection legislation.

DSIT publishes National Semiconductor Strategy

On 19 May 2023, the Department for Science, Innovation and Technology (DSIT) published its National Semiconductor Strategy. With a focus on R&D, design and compound semiconductors, its objectives include growing the domestic sector, mitigating the risk of supple chain disruptions, and protecting national security. The UK Government plans to invest up to £1 billion into a range of measures outlined in the report. Among other things, it will fund more research, facilitate greater international cooperation and improve access to infrastructure.

Americas

U.S. States add to patchwork of Privacy Laws

U.S. states have continued to add to the patchwork of laws governing data privacy in the U.S. On 1 May 2023 Indiana's governor signed into law the Indiana Data Privacy Law, joining Tennessee and Iowa, who passed their own privacy laws earlier this year. The law is scheduled to come into effect on 1 January 2026 and has similar provisions to privacy laws in other states like Virginia and California. Montana followed shortly afterwards on 19 May, with the Montana Consumer Data Privacy Act, which is slated to go into effect on 1 October 2024 and mirrors the provisions found in Connecticut's privacy law. Meanwhile, Florida's Digital Bill of Rights passed both Houses of the State Congress and will be sent to Florida's Governor for signature, and in Texas, the state senate passed the Texas Data Privacy and Security Act, which will now goes into a conference committee of the Texas House and Senate. Massachusetts and Michigan continue to actively consider their own bills.

Meanwhile, on 17 May the governor of Montana signed a bill banning TikTok from operating in the state. The law not only bars the app from operating within the state, but also forbids app stores from making TikTok available to download within Montana. Individual users are not subject to the ban. The law is scheduled to go into effect on 1 January but TikTok has already filed suit in federal court arguing the ban is unconstitutional, throwing into question whether and when the law would actually become enforceable. Nevertheless, the law is noteworthy as the first statewide ban of the social media app.

U.S. Federal Trade Commission Issues Policy Statement Regarding Use of Biometric Information

On 18 May 2023, the U.S. Federal Trade Commission (FTC) issued a policy statement addressing how it will consider whether "companies collecting and using biometric information or marketing or using biometric information technologies" are complying with Section 5 of the FTC Act, which empowers the FTC to prevent "unfair or deceptive acts" in commerce. The FTC said that it would scrutinize business practices for both "deceptive" practices, such as "false or unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness, or efficacy of technologies using biometric information," as well as "unfair" practices, such as "failing to assess foreseeable harms to consumers before collecting biometric information" and "failing to evaluate the practices and capabilities of third parties, including affiliates, vendors, and end users, who will be given access to consumers’ biometric information or will be charged with operating biometric information technologies."

This is explored further in an article by Megan Gordon, the Office Managing Partner of our Washington D.C. office.

U.S. Federal Trade Commission Seeks Comment on Modifying Health Breach Notification Rule

The FTC announced on 18 May 2023, that it was seeking comment on proposed changes to its Health Breach Notification Rule (HBNR) that would make explicit the rule's applicability to "health apps and other similar technologies," such as "direct-to-consumer health technologies" like fitness trackers. The rule currently imposes notification requirements on vendors of personal health records who are not covered by the Health Insurance Portability and Accountability Act (HIPAA). The FTC stated that its proposed amendments come at a time when "business practices and technological developments increase both the amount of health data collected from consumers, and the incentive for companies to use or disclose that sensitive data for marketing and other purposes." In separate statements, individual Commissioners expressed the hope that these changes would reinvigorate enforcement of the HBNR, stating that it had "laid dormant for years" and "went unenforced for its first decade, despite its potential to protect Americans’ most sensitive data concerning their health and wellness."

Middle East

Dubai Electricity and Water Authority pilots use of ChatGPT to enhance customer experience

On 9 May 2023, Dubai's Electricity and Water Authority (DEWA) announced it had been piloting the use of ChatGPT since April 2023 through Rammas, DEWA's "virtual employee", which responds to customers' queries. This is part of the DEWA's broader strategy to employ AI. DEWA's CEO Saeed Mohammed Al Tayer said: “At DEWA, we are keen to enrich the customer experience through smart services that save their time and effort using the latest AI tools. This supports the UAE National Strategy for Artificial Intelligence 2031, the Dubai 10X initiative, and the Smart Dubai initiative."

Head of the UAE Cyber Security Council and Oracle Senior Vice President sign Cybersecurity Memorandum of Understanding

On 3 May 2023, the Head of the UAE Cyber Security Council, Dr Mohamed Al Kuwaiti and a Senior Vice President at Oracle, Nick Redshaw, signed a Memorandum of Understanding where they committed to further cooperation in the field of cybersecurity. In particular, they plan to strengthen the UAE's cybersecurity framework through exchanging information and training. Dr Al Kuwaiti said: "we at the Cybersecurity Council are determined to build a cybersecurity system that protects all vital sectors in the country, supported by a safe and efficient environment in accordance with international best practices. We also work continuously in cooperation with partners, institutions and individuals to enhance cybersecurity in all vital sectors through an advanced and resilient digital security system that strengthens the UAE's leading position globally in various fields."

Israel finalises Protection of Privacy Regulations

On 7 May 2023 Israel's Department of Justice published the finalised Protection of Privacy Regulations (the Provisions Regarding Information Transferred to Israel from the European Economic Area), 5783-2023. These followed a public consultation and approval by the Israeli Parliament's Constitution, Law and Justice Committee and impose new requirements on owners of databases that contain personal data from the European Economic Area. These requirements relate to the deletion of data, data minimization, data accuracy, disclosure obligation and sensitive information. They come into force on 7 August 2023, 7 May 2024 or 1 January 2025 depending when the personal data was received and where it came from.

Africa

Central Bank of Kenya announces new QR code system for payments

On 3 May 2023, the Central Bank of Kenya (CBK) launched the Kenya Quick Response (KE-QR) Code Standard 2023 in an attempt to boost digital payments by confronting previous issues with interoperability between payment companies. CBK partnered with Safaricom, Equity Bank, ABSA, KCB, Co-operative Bank, Visa, Mastercard, PesaPal and FSD Kenya to replace the former system of till and paybill numbers with a new way of making payments that involves scanning a QR code. This is part of the CBK's National Payments Strategy (2022-2025) and will be implemented using a phased approach.

South Africa committed to National Data and Cloud Policy

On 3 May 2023, South Africa's Communications and Digital Technologies minister, Mondli Gungubele, gave the keynote speech at the Africa Tech Week Conference in Cape Town. He said that he hoped the National Data and Cloud Policy would help improve foreign investment in South Africa and stressed the importance of effective cyber security protocols and data and cloud infrastructure protection: “our main concern will be data protection and ensuring that as international partners invest in our country and African markets, they consider critical principles, such as data security and data sovereignty, in the flow of data across borders."

Additional Information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.