Skip to main content

Clifford Chance

Clifford Chance


Talking Tech

Tech Policy Horizon Scanner

September 2023

Artificial Intelligence Data Privacy 30 September 2023


It's six months since Elon Musk, Max Tegmark, Yuval Noah Harari and others published a letter calling for a pause in AI development over that period. The pause didn't happen, but it had an impact. Policymakers and governments around the world became acutely aware of the risks posed by AI. The UK government's global AI Safety Summit on 1-2 November is one of the events focussing on this, bringing heads of state, leading technology organisations, academia and civil society together. It will aim to progress five key objectives including a shared understanding of the risks posed by frontier AI and international collaboration on AI safety, standards and research. Those expected to attend the summit include Emmanuel Macron, Justin Trudeau and Ursula von der Leyen.

We are organising an AI Fringe with a number of partners including Milltown Partners, the Partnership on AI and Google Deepmind to complement the AI Safety Summit – events will be held from 30 October to 3 November 2023. Our aim is to inform, expand and progress the conversation about AI. Check the website for further details as they become available.

In the midst of discussion about AI's future potential, there has also been legislation progressed this month in the global data protection sphere. Having passed through its final Parliamentary stages, the UK's Online Safety Bill is set to "make the UK the safest place in the world to be online" and will "deliver the most powerful child protection laws in a generation". The Dubai International Financial Centre has also enacted the first regulation in the Middle East region to cover personal data processing in generative AI.

Finally, we published a report on "Responsible AI in Practice: Public Expectations of Approaches to Developing and Deploying AI" in partnership with Milltown Partners, where we conducted focus groups in the U.S., UK and Germany on opinions about issues such as AI governance, bias and consent.

APAC (excluding China)

Advertising Standards Council of India publishes white paper on generative AI

On 1 August 2023, the Advertising Standards Council of India released a white paper titled "Generative AI and Advertising - Opportunities, Risks and Best Practises". The white paper provides organisations with considerations and best practices to review before deploying generative AI for advertising and marketing, focusing on the legal implications and major hurdles. It goes into detail about how consumer protection and generative AI interact, and the major hazards such as AI bias, privacy problems, creative displacement and copyright issues. It also suggests ways to reduce risks.

Digital Platform Regulators Forum in Australia submits a common AI proposal

On 11 September 2023, members of Australia's Digital Platform Regulators Forum (DP-REG) submitted a joint response to the Department of Industry, Science and Resources consultation on the Safe and responsible AI in Australia Discussion Paper. DP-REG's strategic priorities for 2023–24, which included evaluating the advantages and disadvantages of AI, were in line with the submission, according to the Office of the Australian Information Commissioner.

The submission included commentary on the impact of AI on consumer protection, competition, media, privacy, and online safety. AI can be used to create misinformation and false statements as well as process personal data in ways that data subjects do not fully understand. DP-REG also called for an analysis on how existing regulatory frameworks can be adapted to provide appropriate safeguards for the rise of AI technology.

ASEAN begins discussions on a framework agreement for the digital economy

On 3 September 2023, the Association of Southeast Asian Nations (ASEAN) launched the negotiations on the ASEAN Digital Economy Framework Agreement (DEFA), set to be the first major region-wide digital economy agreement in the world. The DEFA negotiations will centre on nine key areas including cross-border e-commerce, cybersecurity, digital ID, digital payments, cross-border data flows, and emergent topics. The ASEAN DEFA Negotiations Committee is expected to hold its first meeting by the end of 2023, with the goal of wrapping up the negotiations by 2025.


China's Information Security Standardisation Technical Committee (TC260) publishes consultations and standards, and announces new action on cyber security

On 25 August 2023, China's TC260 released a draft of the national standard on the Security Requirements for Processing of Key Data for public comments, which sets out the requirements for the safety of (i) facilities (including system and cloud computing service platform), (ii) data processing activities, and (iii) the operation and management. Additionally they released the consultation draft of the national standard on the Criteria for Determinations of Network Attack and Network Attack Incidents.

On 25 August 2023, following the consultation draft on generative AI released on 9 August 2023, TC260 released the final version of the Practice Guidelines for Cybersecurity Standards - Identification Method for Generative AI Service Content. These guidelines outline the methods for identifying the contents produced by using generative AI services, and provide guidance for generative AI service providers to enhance their security management levels.

On 30 August 2023, TC260 announced that they are preparing a series of 27 national standards on cyber security, including, among others, (i) the Security Specifications for the Manual Labelling of Generative Artificial Intelligence, (ii) the Guidance for the Risk Management of Information Security, and (iii) the Format of Alert Messages in relation to the Interconnecting of Network Security Products.

On 13 September 2023, TC260 released the draft of the Guideline for Cybersecurity Insurance Application for public comments. According to the Guideline for Cybersecurity Insurance Application, "cybersecurity insurance" is a type of property insurance that covers financial losses and legal liability incurred by cyber security incidents. The Guideline for Cybersecurity Insurance Application outlines the processes and methods that should be taken at each stage of the application of cybersecurity insurance, including (i) the pre-insurance risk assessment, (ii) the risk control throughout the insurance period, and (iii) the assessment of post-insurance events.


Digital Markets Act: EU Commission designates six gatekeepers

On 6 September 2023, the European Commission released a statement regarding the designation of six gatekeepers under the Digital Markets Act (DMA): Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft. In total, 22 core platform services provided by gatekeepers have been designated. The six gatekeepers will now have six months from the date of their designation to ensure full compliance with the DMA obligations for each of their designated core platform services. Among others, the DMA requires gatekeepers to (i) allow end users to uninstall preloaded apps, (ii) allow hardware providers, business users and alternative service providers effective interoperability with hardware, software and operating systems available to the gatekeeper, and (iii) provide effective portability of data provided by the end user of generated through the end user’s activities.

Data transfers: EU-US Data Privacy Framework challenged at EU court by French lawmaker

On 8 September 2023, Philippe Latombe, a French lawmaker, announced that he had submitted challenges to the European General Court against the EU-US Data Privacy Framework (DPF). He argued that the DPF violates the General Data Protection Regulation and the Charter of Fundamental Rights. In particular, he considered that the DPF does not grant European citizens who want to contest the collection of personal data by US authorities a guaranteed right to an effective remedy and access to an impartial tribunal. Latombe filed two challenges: (i) one to suspend the agreement immediately, and (ii) another on the content of the DPF.

Artificial Intelligence: EU Commission calls for a global approach on AI

On 13 September 2023, during the annual State of the European Union, the European Commission President Ursula von der Leyen called for a global approach to understanding the impact of AI modelled on the Intergovernmental Panel on Climate Change. The European Commission will work with AI companies in order to voluntarily commit to the principles of the Artificial Intelligence Act before it comes into force. In parallel, further trilogue negotiations are underway to reach a final agreement on the AI Act.


UK's Online Safety Bill passes Parliament

On 19 September 2023, the Online Safety Bill completed its final Parliamentary stage, and is set to become law. The bill takes a zero-tolerance approach to protecting children online, and will require social media platforms to remove illegal content quickly or prevent it appearing in the first place, prevent children from accessing harmful and age-inappropriate content, enforce age limits, ensure that the risks and dangers posed to children are more transparent, and provide parents and children with clear and accessible ways to report problems online. Once the bill becomes law, the Office of Communications will consult on the first set of standards that tech firms should meet in tackling illegal online harms including terrorism, fraud and child sexual exploitation.

DSIT announces new AI compliance and advisory service

On 19 September 2023, the UK's Department for Science, Innovation and Technology announced a new pilot scheme, set to launch in 2024, for a multi-agency advice service to support businesses in meeting the requirements for digital technology and AI. The service would be run by members of the Digital Regulation Cooperation Forum, which is made up of the Information Commissioner's Office, the Office of Communications, the Competition and Markets Authority and the Financial Conduct Authority.

CMA publishes report and proposed principles on AI foundation models

On 18 September 2023, the Competition and Markets Authority published a report, highlighting the potential benefits of developing and using AI foundation models (AI FMs). The report also covers the competition and consumer protection risks posed by AI FMs including the potential increase in AI-generated misleading information and fraud, as well as recommending principles to guide the development of AI FMs: accountability, access, diversity, choice, flexibility, fair dealing and transparency.


Google on trial in U.S. government's first monopoly case in decades

On 12 September 2023, the United States v Google trial began – the U.S. government's first monopoly case since 1998. The U.S. Department of Justice's original complaint stated that Google, which controls 90% of the internet search market today, abused its power as a monopoly to dominate the search engine market. The trial highlights a monumental shift in U.S. policy vis-a-vis technology giants and arrives at a time of explosion of generative AI and broader search tools, including TikTok and Amazon. This case will have significant implications for the tech industry, users of Google and the internet as a whole.

New U.S. AI framework in the works

On 8 September 2023, U.S. Senators Richard Blumenthal and Josh Hawley unveiled a bipartisan framework for AI legislation. The framework is viewed as a "blueprint for real, enforceable AI protections" and its principles strive to "form the backbone" of Congress' approach to AI regulation. The framework focuses on, among other goals, an independent oversight body, accountability, transparency, and protection of consumers and children. Industry leaders, such as Microsoft President, Brad Smith, OpenAI CEO, Sam Altman and Elon Musk, will participate in hearings, aimed to bring the framework and related legislation to life.

MIddle East

Dubai International Financial Centre amends data protection regulations

On 7 September 2023, the Dubai International Financial Centre (DIFC) enacted amendments to its Data Protection Law No. 5 of 2020, aiming to improve the safety and ethical management of personal data processing and operations. The amendments provide clarity on the following topics: personal data breach assessment and reporting obligations, the use and collection of personal data for marketing and communications, and the investigations and enforcement powers of the DIFC Commissioner (the DIFC's competent regulator) when a controller or processor may employ unfair or deceptive practices.

The updates include Regulation 10, which is the first enacted regulation in the Middle East region covering the processing of personal data via autonomous systems such as AI, generative AI and machine learning technology. This allows the DIFC to operate various guidelines and principles issued by governments and non-governmental organisations, and use cases are expected to be tested through further consultations.

Saudi Arabia publishes finalised Personal Data Protection Law regulations in Official Gazette

On 7 September 2023, the finalised Personal Data Protection Law (PDPL) Executive Regulations and the Regulations on Personal Data Transfers outside Saudi Arabia were published, following a public consultation period which ended on 31 July 2023.

The final version of the PDPL Executive Regulations contain notable changes compared to the draft version – including the removal of the consolidated list of the legal bases for processing data under Articles 6, 10 and 15 of the PDPL, and that general conditions for the exercise of data subjects' rights are no longer dependent on the legal basis on which the processing in question relies.

The final version of the Regulation on Personal Data Transfers specifies, in greater detail, where a personal data transfer under Articles 5 and 6 of the PDPL must be stopped.

Israel's Privacy Protection Authority seeks public comments on a board of directors' role in draft data security regulations

On 7 September 2023, Israel's Privacy Protection Authority announced that it is seeking input on the draft guidelines on the role of a board of directors in fulfilling a company's obligations under the Protection of Privacy Regulations (Data Security) (the Regulations), with submissions open until 22 October 2023.

The draft guidelines state that companies with a core activity in personal information processing or increased privacy risks must have their board of directors perform supervisory duties, including approving central principles in the organisational information security procedure, conducting risk surveys and penetration tests, correcting deficiencies, holding quarterly or annual board discussions on information security events, and conducting periodic audits. The guidelines also allow a board to determine another body responsible for these duties, but do not reduce the of a company's management or other authorised individuals.

Saudi Arabia's Data & AI Authority publishes second version of AI Ethics Framework

On 14 September 2023, the Saudi Arabia Data & AI Authority published their AI Ethics Framework version 2.0, aiming to help entities develop responsible AI based solutions whilst furthering innovation. The framework applies to all entities involved in AI systems in Saudi Arabia, including researchers, workers, and consumers and includes a risk typology associated with the development and use of AI as well as guidelines and principles that govern AI usage.



Experts state that South Africa's POPIA principles must align with AI governance

On 21 September 2023, at the 10 Years of POPIA (the Protection of Personal Information Act) Symposium hosted by the South African Information Regulator, data protection experts stated that law-makers should focus on aligning legislative principles with the governance of AI applications. Whilst recognising that POPIA had brought South Africa in line with international standards of the protection, collection, recording and storage of personal information, panellists at the symposium also recognised that local organisations increasingly using AI, generative AI and machine learning involving personal data carry an increase in potential risks. There was discussion as to whether existing legislation should be amended to cover AI, or whether South Africa should establish a standalone AI act similarly to nations such as Brazil.

South Africa's news media market enquiry places digital companies under the spotlight

On 15 September 2023, the South Africa Competition Commission published the final terms of reference to commence a market inquiry into the distribution of media content, the Media and Digital Platforms Inquiry The enquiry covers a broad range of stakeholders including digital platforms (search engines, social media and digital news platforms), ad-tech companies and generative AI services. Amongst other issues, the Competition Commission highlighted the concerns that stem from the use of generative AI; it can answer queries directly and potentially drive traffic away from news publishers' websites as well as be trained without authorisation. The enquiry will investigate AI models to safeguard competition and consider how algorithms used by digital platforms to rank news items can favour more established news companies.

The enquiry is due to commence within 20 business days from the publication of the final terms of reference on 13 October 2023, with the final report to be delivered in 18 months.

Additional Information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers