Clifford Chance

Discussions on regulating AI have continued on a global level this month. UK Prime Minister, Rishi Sunak announced on 7 June that the UK would host the first major global summit on AI safety and on 12 June U.N. Secretary-General Antonia Guterres endorsed the idea of an international authority for AI akin to the International Atomic Energy Agency ("IAEA"). The U.S. and UK announced their 'Atlantic Declaration: A Framework for a Twenty-First Century U.S.-UK Economic Partnership' on 8 June, and the G7's Data Protection and Privacy Authorities Roundtable took place on 20 and 21 June in Tokyo.

The EU has progressed a host of legislation. The European Parliament adopted its position on the draft AI Act on 14 June, and the final text of the Data Act was agreed on 27 June. Clifford Chance published an article on the EU AI Act here.

In the U.S., the Senate Majority leader Chuck Schumer, launched the latest – and most high-profile – initiative on AI in Congress so far, a series of listening sessions under a new 'SAFE Innovation Framework', and the FCC, FTC and statehouses kept up a steady pace of regulatory action and law making. U.S. Representative Ritchie Torres filed new legislation requiring all content generated by artificial intelligence technology to be accompanied by a mandatory disclaimer.

For more on generative AI, see our paper: Generative AI: The big questions, launched this month. We explore the opportunities presented by generative AI and key considerations in navigating them effectively across areas including AI ethics and legal strategies, privacy, IP, contracts, existing and developing legal frameworks, business continuity, and cyber-security and resilience.

APAC (excluding China)

Singapore launches quantum-safe network infrastructure and establishes AI Verify Foundation

On 6 June 2023, Heng Swee Keat, Singapore's Deputy Prime Minister, announced the launch of Singapore's National Quantum-Safe Network Plus ("NQSN+") during the ATxSummit Social, part of Asia Tech x Singapore ("ATxSG"). The NQSN+ will "support network operators to deploy quantum-safe networks nationwide, so that businesses have easy access to solutions to safeguard their critical data". The following day, Josephine Teo, Singapore's Minister for Communications and Information, announced the launch of the AI Verify Foundation. AI Verify is an AI governance testing framework and software toolkit.

The NQSN+, AI Verify Foundation and other Singaporean tech developments are explored in a recent Talking Tech article here.

Taiwan's amendments to its PDPA come into effect

On 2 June 2023, Taiwan's amendments to its Personal Data Protection Act 2015 ("PDPA") came into effect following presidential approval. This was announced by the National Development Council ("NDC") on 31 May. Among other things, the amendments will compel non-public agencies to allocate resources to protecting individuals' personal data and promote policies relating to combatting fraud, with non-public agencies who fail to rectify violations of their security maintenance obligations facing fines.

Japanese privacy commission issues guidance to OpenAI

On 2 June 2023, the Japanese Personal Information Protection Commission ("PPC") issued OpenAI with administrative guidance warning OpenAI against using individuals' personal information without their consent and against including sensitive personal information in its machine learning. The PPC is particularly concerned with ChatGPT's collection of sensitive personal information. It also asked for OpenAI's privacy policy to be made available in Japanese.

Australian government releases two discussion papers on AI

On 1 June 2023, the Australian government released two papers discussing safeguards for the safe and responsible growth of AI:

• The Department of Industry, Science and Resources' 'Safe and Responsible AI in Australia: Discussion Paper', which focuses on AI regulation and governance, providing an overview of Australia's existing regulatory framework and recent international developments; and
• Australia's National Science and Technology Council's 'Generative AI Rapid Research Information Report', which reflects on AI's risks and opportunities and the international strategies that have been employed to regulate it.

The Australian government invites feedback on the former discussion paper by 26 July, hoping to "identify potential gaps in the existing domestic governance landscape and any possible additional AI governance mechanisms to support the development and adoption of AI".

China

CAC publishes filing guidelines on standard contracts for facilitating personal information transfer

On 30 May 2023, the Cyberspace Administration of China ("CAC") issued the Filing Guidelines on the Standard Contracts on Cross-border Transfer of Personal Information which outline the filing procedure and provide operational guidance (along with a template for personal information impact assessment reports) for personal information processors that plan to export personal information via the standard contract route.

PRC State Council unveils legislation plan for AI, data and cryptography

On 31 May 2023, the State Council unveiled a legislation plan which provides that China's draft law on AI will be prepared and submitted to the Standing Committee of the National People's Congress, the country's top legislature, for deliberation this year. The following administrative statutes will also be reviewed this year: the draft Administrative Regulations on Cyber-Data Security; the draft Administrative Regulations on the Protection of Minors Online; and the revised draft Administrative Regulations on Commercial Cryptography.

CAC publishes its first consultation draft on mobile ad hoc network services

On 6 June 2023, CAC issued the Administrative Measures for Mobile Ad Hoc Network Services (2023 Consultation Draft) (the "Consultation Draft") for public consultation until 6 July 2023. The Consultation Draft defines mobile ad hoc network (the "MANET") services as services which provide an exchange of information by using information technologies such as Bluetooth and Wi-Fi to establish an ad hoc network at close range. The Consultation Draft requires MANET service providers to conduct recording, reporting and security obligations, among other things.

EU

EU policymakers strike agreement on new data sharing law

Negotiators for the European Parliament, the Council and the European Commission have struck a political agreement on the new Data Act. The regulation will introduce a number of new rules including in relation to (i) access to data generated by IoT products; (ii) switching between providers of data processing services including cloud; and (iii) the development of interoperability standards for data to be reused between sectors. There will be a formal vote in the Parliament and adoption by the Council after the summer before the Data Act will be published in the Official Journal and enter into force.

EU AI Act enters final phase of legislative process

The European Parliament adopted its position on the draft AI Act on 14 June 2023, paving the way for the interinstitutional negotiations to finalise Europe's first comprehensive law on AI. Parliament has made a number of significant changes to the European Commission's original proposal, including to: (i) address developing AI capabilities, introducing definitions of generative AI and foundation models; (ii) include core ethical principles for all AI; (iii) revisit or narrow some critical concepts, such as the definition of an AI system and what qualifies as a high-risk AI system; and (iv) take a stricter position on some AI uses and practices, including a broader ban on the hotly debated use of AI systems for remote biometric identification in public spaces. Three way talks, known as trilogues, between the Parliament, Council of Ministers and European Commission will now begin with a view to reaching an agreement later this year or early in 2024.

Dessislava Savova, Partner and Head of Continental Europe of the Clifford Chance Tech Group, spoke to BBC news about the vote here and Clifford Chance published an article on the Parliament's negotiating position on the EU AI Act here.

UK

CDEI publishes guidance on AI Assurance techniques

On 7 June 2023, the UK Centre for Data Ethics and Innovation ("CDEI") published a portfolio of AI Assurance techniques. Intended to serve as a guide for firms, the portfolio uses 14 case studies to explore a range of approaches to developing and implementing AI Assurance techniques. These techniques include: impact assessment, impact evaluation, bias audit, compliance audit, certification, conformity assessment, performance, testing and formal verification.

CMA responds to UK government's AI white paper

On 1 June 2023, the Competition and Markets Authority ("CMA") published its response to the government's white paper on AI. The CMA expressed its support for the "government's approach of leveraging and building on existing regulatory regimes whilst also establishing a central coordination function for monitoring and support", confident it would "achieve the context-specific approach to regulation that government is aiming for." Among other things, the CMA also agreed with the government's approach of initially placing the relevant principles on a non-statutory footing.

ICO publishes guidance on PETs

On 19 June 2023, the Information Commissioner's Office ("ICO") published new guidance on how to use privacy-enhancing technologies ("PETs"). According to the ICO, PETs can help firms demonstrate their 'data protection by design and by default' approach to processing, help them comply with the data minimisation principle and provide an appropriate level of security for their processing, among other things. John Edwards, UK ICO Commissioner, recommended that organisations which share large volumes of data, particularly special category data, should start considering using PETs over the next five years.

Americas

On the first day of summer, Senator Chuck Schumer announced a push for AI regulation in Congress

Senate Majority Leader Chuck Schumer announced a "SAFE innovation framework" for regulating the development of AI in Congress. "SAFE" stands for Security, Accountability, Foundations and Explainability. Senator Schumer is focusing on bringing Congressional colleagues up to speed on AI through a series of bi-partisan listening sessions with experts and key stakeholders. This is the latest, and most high-profile initiative in Congress on AI. Whilst there are differences on approach across Republicans and Democrats, this may be a step towards action on AI at a federal level, driven by Congress.

U.S. states continue adding to patchwork of Privacy and Technology laws

Ten U.S. states now have comprehensive consumer data privacy laws that protect the personal data of their state's residents.  On 18 June Texas joined its peers as the latest state to pass a comprehensive privacy law—a move that will have major impacts given the importance of the state to industries such as Energy and Tech.

In early June, Florida signed into law the Digital Bill of Rights Act, with most of its provisions applying only to large technology companies, but with certain narrow provisions relating to the privacy of children's data that will apply more broadly and on 7 June Connecticut established an Office of Artificial Intelligence and a task force to study and develop an AI bill of rights.

U.S. Consumer protection Watchdog issues guidance on use of Consumer Data to train AI Algorithms

On 13 June, the Federal Trade Commission ("FTC") issued further guidance on the use of consumer personal data to train algorithms.  The guidance provides insight into what the FTC considers to be key areas of focus, including:

• honoring consumer privacy choices (particularly by parents over their children's data);
• obtaining effective consumer consent;
• placing strict access controls on sensitive data; and
• protecting biometric data.

The guidance follows the FTC's Biometric Policy Statement, which the agency issued last month. Above all, the guidance suggests that the FTC will continue to aggressively police biometric data and children's privacy.

FCC launches Privacy and Data Protection Task Force, focusing on communications providers

On 14 June, the Federal Communications Commission ("FCC") established a Privacy and Data Protection Task Force to coordinate agency rulemaking and enforcement related to privacy and data protection.  Details will unfold as the working group commences its work, but the Commission has identified data breaches, supply chain vulnerabilities involving third-party vendors, and consumer privacy violations as areas of focus.

Middle East

TDRA launches initiative to support FedNet with AI services

On 18 June 2023, Abu Dhabi's Telecommunications and Digital Government Regulatory Authority ("TDRA") launched an initiative to support the Federal Digital Network ("FedNet") with AI services as part of the UAE's digital transformation. FedNet will provide a set of services that fall under three pillars: Applied AI, Cognitive AI, and Machine Learning. TDRA's Director-General, Majed Sultan Al Mesmar, said "AI services on AI-supported FedNet are a great step in the digital transformation process, and an important element in enhancing the ability of government entities to provide easy and fast services to all customers".

MoIAT and EDGE Group PJSC launch Talk 4.0

On 6 June 2023, the Abu Dhabi's Ministry of Industry and Advanced Technology ("MoIAT") and EDGE Group PJSC jointly launched Talk 4.0, a "new knowledge-exchange initiative to empower industrial leaders to adopt transformative technologies and sustainable practices". This forms part of the MoIAT's Technology Transformation Programme and supports the UAE's Net Zero by 2050 Strategic Initiative.

CBUAE issues guidance on AML and CTF

On 31 May 2023, the Central Bank of the UAE ("CBUAE") announced it had issued new guidance on anti-money laundering and counter-terrorist financing for Licensed Financial Institutions ("LFIs") to help them understand risks and effectively implement their obligations. The guidance discusses virtual assets ("VAs") and virtual asset service providers ("VASPs"). It "outlines the customer due diligence and enhanced due diligence for LFIs towards potential VASP customers and counterparties".

Africa

SARS appoints Deputy Commissioner in push to advance technological development

On 2 June, South African Revenue Service ("SARS") Commissioner, Edward Kieswetter, announced the appointment of Carl Scholtz as Deputy Commissioner for enterprise strategy, enablement and modernisation. Part of his role will involve furthering SARS' technological capacity and overseeing the development and implementation of modernisation techniques at SARS.

South Africa and France sign agreement to fight cybercrime

On 19 June, South Africa's Justice Minister, Ronald Lamola, signed a cooperation agreement with the French Foreign Affairs minister, Catherine Colonna to improve South Africa's Special Investigating Unit's ("SIU") cyber forensic capabilities. Plans include a French technical expert being sent to the SIU to provide training to its investigators on cybercrime. Lamola said: “we are going to benefit a lot through this process of training that will enable our forensic cyber capabilities and investigations to be on par with the standards of the world because these types of crime are no longer just national, they are transnational in nature."

Additional Information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.