Tech Policy Horizon Scanner
Legislation in the tech sector is never too distant from geopolitics. While the PRC's State Council moved to make cross-border data exports easier for multinational companies, President Biden issued an Executive Order restricting U.S. outbound investments in several Chinese technologies. Meanwhile, Dubai International Financial Centre's Commissioner of Data Protection issued an adequacy decision – the first of its kind – in relation to the California Consumer Privacy Act of 2018, as amended in 2020 by the California Privacy Rights Act, the amendments to which took effect on 1 January 2023.
India's landmark Digital Personal Data Protection Act 2023 raced through the final stages of India's legislative process to be published this month (see our briefing on this here, hot off the press). In Europe, enforcement of the Digital Services Act is underway for Very Large Online Platforms and Very Large Online Search Engines.
Finally, a large number of consultations were published globally. From the UK Information Commissioner's Office's consultation on biometric data and technologies, to Saudi Arabia's National Cybersecurity Authority's consultation on Internet of Things cybersecurity guidelines, lawmakers are keen for input from the public on how best to regulate the constantly evolving technological landscape.
We dive into these, and many more tech policy developments around the world, below.
APAC (excluding China)
India publishes landmark Digital Personal Data Protection Act 2023
On 11 August 2023, the Digital Personal Data Protection Act 2023 ("DPDP Act") received the President of India's assent and was published in the Official Gazette. The Act outlines obligations and rules for entities handling and processing the personal data of individuals, together with the related rights of those individuals, including access, correction, erasure, and grievance redressal. It applies to: (i) the processing, within India, of personal data that is collected in digital form, or collected in non-digital form and subsequently digitised; and (ii) the processing of personal data outside India where that processing is connected with any activity related to the offering of goods or services to individuals within India, subject to limited exemptions. For more information, see our client briefing here, co-authored with J. Sagar Associates (JSA).
South Korean PIPC announces new strategy
On 17 August 2023, South Korea's Personal Information Protection Commission ("PIPC") announced its National My Data Innovation Promotion Strategy. Among other things, the Strategy aims to realise a digital platform where all data is connected and to strengthen individuals' right to self-determination of their personal information. Its key focus areas include establishing privacy protection measures, basic data safety rules, and measures to prevent unfair transmission inducements.
South Korean PIPC requests comments on guidance for PIPA violation fines
A day later, the PIPC published its revised Criteria for Imposition of Fines for Violation of the Personal Information Protection Act ("PIPA") for comment. The draft guidance is aptly named – it provides guidance on the criteria for imposing fines in accordance with Article 75 of the PIPA and Article 63 of the PIPA's Enforcement Decree. The deadline for comments is 7 September 2023. Amendments to PIPA were published on 14 March 2023 and will come into effect on 15 September 2023.
CAC releases consultation drafts on compliance audit of personal information and security management of facial recognition technology
On 3 August 2023, the Cyberspace Administration of China ("CAC") issued the consultation draft of the 'Administrative Measures for Compliance Audit of Personal Information Protection' for comments. Per Article 54 of the PRC Personal Information Protection Law, personal information ("PI") processors should regularly conduct compliance audits of their PI processing activities. Among other things, the consultation draft specifically requires that PI processors which process the PI of over 1 million individuals should conduct such a compliance audit annually.
On 8 August 2023, the CAC issued the consultation draft of the 'Administrative Measures for Security Management of Facial Recognition Technology (for Trial Implementation)' (the "FRT Administrative Measures") for comments. The FRT Administrative Measures set out the preconditions for using facial recognition technology: (i) the existence of a specific purpose; (ii) justified demand; and (iii) the adoption of strict protective measures. Non-biometric identification solutions should be prioritized where such solutions are equally effective or could meet the same business demands as using FRT.
China information security standardization technical committee publishes three consultation drafts
To further the development of administrative measures relating to generative AI, on 7 August 2023 the National Information Security Standardization Technical Committee ("TC260") issued the consultation draft of the 'Practice Guidelines for Cybersecurity Standards - Identification Method for Generative Artificial Intelligence Service Content' for comments, with a focus on the methods used to identify content produced using generative AI services.
Two days later, the TC260 released a consultation draft on the 'Security Requirements for Processing of Sensitive Personal Information' for comments. These: (i) clarify how to identify sensitive personal information ("SPI"); (ii) provide common categories of SPI; and (iii) outline the general and specific security requirements for processing SPI. Finally, on 16 August 2023, the TC260 released a consultation draft on the 'Security Requirements for Automated Decision Making Based on Personal Information' for public comments. This aims to safeguard the individuals' rights and interests when PI processors carry out automated decision-making processing activities.
China explores "free-flow" mechanism for general data in pilot regions
On 13 August 2023, the State Council of the PRC published a statement announcing that the Chinese government will make cross-border data exports easier for multinational companies. A green channel will be established so that security assessments of data exported by foreign companies can be conducted more efficiently.
Digital Services Act: enforcement begins
As of 25 August 2023, the nineteen Very Large Online Platforms ("VLOPs") and Very Large Online Search Engines ("VLOSEs") designated by the European Commission must comply with the new set of obligations imposed by the Digital Services Act ("DSA"). Among other measures, these obligations include: (i) providing users with complaint and redress mechanisms as well as out-of-court dispute settlement mechanisms; (ii) cooperating with "trusted flagger" organisations that have expertise in tackling illegal content online; and (iii) complying with specific transparency obligations with regard to online advertising. The European Commission has direct supervision and enforcement powers and can impose fines of up to 6% of a company's annual worldwide turnover for non-compliance.
Digital Finance: EDPS releases opinions on financial and payment services regulations
On 22 August 2023, the European Data Protection Supervisor ("EDPS") published two opinions covering: (i) the Proposal for a Regulation on a Financial Data Access Framework (the "FIDA Proposal"); (ii) the Proposal for a Regulation on payment services (the "PSR Proposal"); and (iii) the Proposal for a Directive on payment services and electronic money services (the "PSD3 Proposal") – collectively referred to as the "Proposals". The EDPS welcomes the efforts made to ensure that the Proposals are consistent with the GDPR, but recommends specifying that the granting of 'permission' to access financial data does not equate to consent as defined in the GDPR.
Data Governance Act: European Commission introduces common logos for data intermediation service providers and data altruism organisations
On 9 August 2023, the European Commission introduced common logos to enable trusted data intermediation service providers and data altruism organisations in the EU to be easily identified and differentiated from other services. This forms part of the Data Governance Act ("DGA")'s implementation. Data intermediation services and data altruism organisations that opt for the use of the logos will have to display the logo clearly on every online and offline publication. The logo for data altruism organisations recognised in the EU must be accompanied by a QR code with a link to the EU public register of recognised data altruism organisations, which will be available from 24 September 2023.
House of Commons committee releases report on connected devices
On 7 August 2023, the Culture, Media and Sport Committee published a report entitled, 'Connected tech: smart or sinister?'. The report sets out the potential benefits that connected technology can offer and the ways it can cause harm. It explores: (i) data processing and privacy concerns for those using connected technology; (ii) safety and cybersecurity concerns for consumers and businesses using connected technology; and (iii) the role of connected devices in broadening and exacerbating patterns of domestic abuse.
NCSC expands Cyber Incident Response Scheme
On 15 August 2023, the National Cyber Security Centre ("NCSC") announced the expansion of its Cyber Incident Response ("CIR") scheme. The CIR scheme is designed to help organisations experiencing cyberattacks to identify trusted providers of commercial incident response services quickly. It was initially aimed exclusively at helping particularly high-risk organisations running networks of national significance, including central government, critical national infrastructure ("CNI") organisations and regulated industries. The updated CIR scheme divides its Assured Service Providers into: (i) those capable of dealing with all types of cyber incidents, including the high-risk organisations for which the CIR scheme was originally designed; and (ii) those capable of supporting most organisations which experience common cyberattacks, including private sector organisations outside of CNI sectors, local authorities and smaller public sector organisations.
ICO publishes consultation on biometric data and technologies
On 18 August 2023, the Information Commissioner's Office ("ICO") published draft guidance on the use of biometric data and technologies for comments. The guidance is aimed at organisations that use or are considering using biometric recognition systems. It explains how data protection law applies in this context and includes various recommendations for good practice. The deadline for comments to be submitted is 20 October 2023.
Executive Order restricts U.S. investments in Chinese technologies
On 9 August 2023, President Biden issued an Executive Order restricting U.S. outbound investments to China (including Hong Kong and Macau) in: (i) semiconductors and microelectronics; (ii) AI capabilities; and (iii) quantum information technologies. These technologies, according to the order, may pose "significant national security risks, such as the development of more sophisticated weapons systems, breaking of cryptographic codes, and other applications that could provide these countries with military advantages." The order shows growing concerns in the U.S. about investments related to China or Chinese-controlled entities and is intended to be part of a larger set of measures aimed at strengthening U.S. national security, which the U.S. Department of the Treasury will oversee. The Treasury has released an advance notice of proposed rulemaking addressing its current thinking on implementing the order and requesting feedback on the forthcoming regulations.
U.S. Securities and Exchange Commission issues expansive cybersecurity disclosure rules for public companies and foreign private issuers
On 26 July 2023, the Securities and Exchange Commission ("SEC") adopted new cybersecurity disclosure rules which will apply to public companies and foreign private issuers that are subject to reporting obligations under U.S. federal securities law. The rules require companies to disclose a cybersecurity incident within four business days of determining that the incident is material, including its nature, scope and timing and its material impact (or reasonably likely material impact) on the company. In addition, the rules require companies to make disclosures about their cybersecurity risk management, strategy, and governance in annual reports. The new obligations go into effect at the end of the year for most companies, with certain "smaller reporting companies" receiving an additional 180 days to comply with the incident disclosure requirement.
Federal commission to regulate digital platforms proposed in U.S. Senate
A new bill from a bipartisan pair of U.S. Senators would create a federal regulatory body to oversee online platforms. On 27 July 2023, Senators Elizabeth Warren (D-MA) and Lindsey Graham (R-SC) introduced the "Digital Consumer Protection Commission Act of 2023," which would create a bipartisan commission of five members to oversee "dominant platforms" through investigations, hearings, and civil orders (similar to the U.S. Federal Trade Commission). The bill also contains substantive regulatory provisions related to transparency, privacy, competition, and national security, as well as a licensing requirement for "dominant platforms" overseen by an office within the new commission. A previous bill to create a commission to regulate digital platforms, titled the "Digital Platform Commission Act of 2023," was introduced in May 2023 by two Democratic Senators.
Israel's PPA publishes guidance on the right of access
On 6 August 2023, Israel's Privacy Protection Authority ("PPA") released guidance on a data subject's right of access under Israel's Protection of Privacy Law. In particular, the guidance clarifies the limited exemptions from this right, including for databases of security authorities and other authorities defined by law – though even in these cases, entities may examine access requests on an individual basis.
Saudi Arabia's NCA consults on IoT cybersecurity guidelines
On 7 August 2023, Saudi Arabia's National Cybersecurity Authority ("NCA") launched a consultation on cybersecurity guidelines for the Internet of Things ("IoT"). The guidelines aim to set out best practices for firms in the IoT space, namely: (i) entities that use IoT technologies; (ii) manufacturers of IoT technologies; and (iii) IoT service providers. Comments must be submitted by 31 August 2023.
Dubai issues adequacy decision in relation to the amended California Consumer Privacy Act
On 9 August 2023, the Dubai International Financial Centre ("DIFC")'s Commissioner of Data Protection issued an adequacy decision in relation to the California Consumer Privacy Act of 2018, as amended in 2020 by the California Privacy Rights Act ("Amended CCPA"), the amendments to which took effect on 1 January 2023. The adequacy decision is the first of its kind. It recognises the Amended CCPA as providing a level of protection equivalent to that of DIFC's Data Protection Law (DIFC Law No. 5 of 2020) and enables DIFC- and California-based entities to transfer personal data between them without having to apply additional contractual measures.
New Algerian data protection law enters into force
On 10 August 2023, Algeria's data protection authority ("ANPDP") announced that the Law Relating to the Protection of Individuals in the Processing of Personal Data had entered into force. It applies to the processing of personal data by public entities and private individuals when the controller of the relevant processing is established in Algeria or the controller uses automated or non-automated means located in Algeria to process personal data. Among other things, the law: (i) provides various definitions; (ii) grants data subjects rights; and (iii) outlines rules relating to marketing, confidentiality and security, and cross-border transfers.
Kenyan High Court bars Worldcoin from collecting Kenyans' data
Following a petition filed by Kenya's Office of the Data Protection Commissioner ("ODPC"), the High Court of Kenya has ordered Worldcoin, the cryptocurrency start-up co-founded by Sam Altman, to stop performing iris scans and collecting facial-recognition and other personal data in Kenya. Worldcoin was also ordered to preserve the information it collected between 19 April and 8 August 2023. Kithure Kindiki, Kenya's cabinet secretary for interior and national administration, has said the ban will remain until authorities determine "the absence of any risks to the general public whatsoever".