Clifford Chance

Talking Tech

Tech Policy Horizon Scanner

December 2023

Artificial Intelligence | Data Privacy | 22 December 2023

Introduction

As 2023 draws to a close, we have seen significant developments around the world. In the European Union, the European Parliament and Council reached a long-awaited political agreement on the seminal EU AI Act following crunch talks that focussed on general-purpose AI models, the use of AI in policing and a range of other issues. In the UK, the Supreme Court ruled that an AI system cannot be an inventor for the purposes of UK patents.

India published guidance on dark patterns and mainland China and Hong Kong regulators published joint guidelines for facilitating cross-boundary data flows within the Guangdong - Hong Kong - Macau Greater Bay Area. Saudi Arabia updated its Cybersecurity Toolkit, with mechanisms to reduce risks as it increases collaboration with the rest of the world, and we also saw developments in the cyber-security space in Singapore, South Korea and China.

The UK's Centre for Data Ethics and Innovation (CDEI) and the U.S. National Institute of Standards and Technology (NIST) published a new blog series on federated learning in AI. Malawi introduced a personal data protection bill into its parliament with the aim of bringing it in line with internationally accepted standards.

We have also published an article on the G7 Principles and Code on advanced AI systems, which incorporate international business and human rights (BHR) standards and provide guidance on risks that might arise when developing AI systems, as well as steps to advance responsible AI stewardship.

We wish you all a peaceful end of the year, and look forward to following the rapid evolution of tech policy around the world with you in 2024.

APAC (excluding China)

Singapore Ministry of Health publishes standards for healthcare providers' data and cyber security

On 4 December 2023, the Singapore Ministry of Health published its Cyber & Data Security Guidelines for Healthcare Providers. The recommendations direct the implementation of cyber and data security measures for the appropriate storage, access, use, and sharing of health information by healthcare providers. They were prepared in conjunction with other authorities, particularly the Personal Data Protection Commission (PDPC). The Ministry of Health notes that whilst these are currently only guidelines to promote early awareness and familiarity, these obligations will eventually become regulatory requirements under a health information bill which is due to be introduced in mid-2024. 

South Korean Internet & Security Agency and Defense Agency for Technology and Quality enter into Memorandum of Understanding to improve response to cyber threats

On 5 December 2023, a Memorandum of Understanding (MoU) was signed by the South Korean Defense Agency for Technology and Quality and the Korea Internet & Security Agency, to boost security capabilities in the defence industry and to coordinate responses to cyber infringement situations. The MoU specifies that the organisations will specifically cooperate in responding to cyber incidents; share mutual threat information via the Cyber Threat Information Analysis and Sharing System (C-TAS); support training programs for small and medium-sized defence industry businesses regarding information protection and personal data; and establish a framework for using information protection services.

Japan's Ministry of Economy, Trade and Industry requests public feedback on draft assessment of the fairness and transparency of particular digital platforms

On 5 December 2023, Japan's Ministry of Economy, Trade and Industry (METI) published a request for public feedback on its draft assessment of the fairness and transparency of particular digital platforms. The consultation seeks public input on the assessment standards for app stores, digital advertising and comprehensive online malls within the ambit of the Act on Improvement of Transparency and Fairness in Specific Digital Platforms (Transparency Act). METI stated that Article 9(2) of the Transparency Act requires it to assess the fairness and transparency of these specific digital platforms.

The draft assessment was based on reports submitted by specific digital platform providers, information gathered from the Digital Platform Transaction Consultation Service, and the opinions of the Monitoring Meeting on Transparency and Fairness of Digital Platforms. Public comments can be submitted at the government's website until 12 January 2024, and a summary of these will be published in due course.

India's Official Gazette publishes guidance on dark patterns

On 30 November 2023, the Central Consumer Protection Authority of India issued the 2023 Guidelines for Prevention and Regulation of Dark Patterns (the Guidelines) in the Official Gazette, and these came into force on the same day. This follows a public consultation on the Guidelines by the Department of Consumer Affairs. The Guidelines define "dark patterns" as "any practices or deceptive design pattern using user interface or user experience interactions on any platform that is intended to subvert or impair the consumer's autonomy, decision-making, or choice, amounting to misleading advertisement or unfair trade practice or violation of consumer rights."

The Guidelines apply to all platforms systematically offering goods or services in India, as well as to advertisers and sellers. Prohibited dark patterns include false urgency, basket sneaking and confirm shaming (the full list is in Annexure I of the Guidelines).

China

Mainland China and Hong Kong regulators publish joint guidelines for facilitating cross-boundary data flows within the Greater Bay Area

On 13 December 2023, further to the draft practical guidelines last month, regulators in Mainland China and Hong Kong jointly issued the Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong - Hong Kong - Macau Greater Bay Area.

The Guidelines require personal information processors and recipients in the covered jurisdictions to complete filing procedures with the Guangdong Provincial Cyberspace Administration of China or Hong Kong's Office of the Government Chief Information Officer within ten working days of the Guidelines becoming effective. In addition, processors and recipients are subject to the supervision and management of both authorities.

The Guidelines apply to personal information processors which are registered or located in the Greater Bay Area, i.e., Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, Zhaoqing, or Hong Kong - but processors in Macau are tentatively not covered.

Cyberspace Administration of China publishes the consultation draft of the Administrative Measures on the Reporting of Cybersecurity Incidents

On 8 December 2023, the Cyberspace Administration of China released the consultation draft of the Administrative Measures on the Reporting of Cybersecurity Incidents, which is open for public comment until 7 January 2024. The draft Measures would apply to all operators that construct or operate networks, or provide services through networks, within China. Relevant network operators would be required to report cybersecurity incidents, such as those that cause harm to networks and information systems, as well as software and hardware defects.

EU

European Parliament negotiators reach political agreement on AI Act

On 9 December 2023, the European Council, European Parliament and European Commission reached a political agreement on the proposal for harmonised rules on artificial intelligence (AI Act) after three days of trilogue negotiations. Among the major themes agreed were prohibited practices (including exceptions for remote biometric identification for law enforcement purposes), general-purpose AI and foundation models (including horizontal obligations for all such models and additional obligations for those posing systemic risk), and the respective competences of the various governance institutions (including the creation of a new AI Office). Multiple technical meetings are expected in the coming weeks to finalise the text before the final version is approved by the Parliament and the Council.

European Council agrees its position on European Health Data

On 6 December 2023, EU member states agreed a negotiating mandate for a new law to facilitate the sharing of and access to health data at EU level. The proposed regulation for a European Health Data Space (EHDS) aims to improve individuals' access to and control over their electronic personal health data, while also facilitating the exchange of data for research and innovation purposes. The Council's mandate builds on the Commission's proposal by clarifying alignment with the EU GDPR and the access criteria for health data, enhancing member states' role in EHDS governance, proposing separate national and cross-border profiles for the European electronic health record exchange format, giving member states discretion to allow patient opt-outs, and delaying application of the regulation until two years after entry into force. Further negotiations with the European Parliament are required on the following key points of contention: the opt-out system for secondary use of health data, the role of member states in EHDS governance, GDPR alignment and the timelines for data registration.

Court of Justice of the European Union clarifies conditions for awarding "non-material damage" under the EU GDPR

On 14 December 2023, the Court of Justice of the European Union (CJEU) issued a judgment on when a data breach caused by a cyberattack gives rise to "non-material damage" under the EU GDPR. The case stemmed from a 2019 cyberattack on the Bulgarian National Revenue Agency, in which cybercriminals published personal data concerning millions of people. The CJEU clarified that, in the event of unauthorised disclosure of or access to personal data, courts cannot infer from that fact alone that the controller's protective measures were not appropriate; their appropriateness must be assessed by the courts in a concrete manner, and it is for the controller to prove that the measures it implemented were appropriate.

The CJEU also clarified that where unauthorised access to personal data has been committed by a third party, such as cybercriminals, the controller may be required to compensate the data subjects who have suffered damage, unless the controller can prove that it is in no way responsible for that damage.

Further, the court stated that the fear experienced by a data subject with regard to the possible misuse of their personal data by third parties as a result of an infringement of the GDPR is capable, in itself, of constituting "non-material damage".

EU agrees new platform work data rules

The EU's Platform Work Directive sets out new rules restricting how digital labour platforms may process 'gig-economy' workers' data. It prohibits certain types of personal data processing, including data on personal beliefs, psychological state, private conversations and biometric data (except for authentication purposes). The Directive also includes wording to prevent automated decision-making in relation to dismissals and account suspensions, and ensures that workers are informed about any automated monitoring and decision-making systems being introduced. Lastly, the Directive requires platforms to share information on worker numbers with national authorities and representative bodies (e.g. trade unions).

UK

UK Centre for Data Ethics and Innovation and U.S. NIST launch blog series on safer data sharing techniques

On 7 December 2023, the UK's Centre for Data Ethics and Innovation (CDEI) and the U.S. National Institute of Standards and Technology (NIST) announced a new blog series focusing on federated learning, a machine-learning approach that prioritises data privacy. The series aims to explore the advancements and challenges in this field. Federated learning differs from traditional centralised data collection as it allows each participant to update a partially trained model with their local data without sharing the data itself. This method keeps the data secure at its original location and can potentially mitigate privacy risks associated with central data collection.

However, the blog series also highlights privacy concerns in federated learning: the model updates and the final trained model can themselves be attacked to reveal sensitive training data. These challenges motivated the prize challenges discussed in the series, which produced practical, privacy-preserving machine-learning classifiers, particularly for financial crime prevention and public health response.
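To make the mechanism and the risk concrete, the following is an added example (not code from the CDEI/NIST series or the prize challenges): federated averaging of a linear model across three hypothetical clients whose datasets are constructed inline, followed by a check of why a client's raw per-sample gradient is itself sensitive. The server only ever receives model parameters, but an observer who sees one single-sample gradient of this model recovers the sample exactly, because that gradient is just the error times the input.

```python
"""Federated averaging (FedAvg) on a linear model, plus a gradient-leakage check.

Added example, not code from the CDEI/NIST blog series. Everything here is
constructed: three "clients" hold tiny datasets generated from a known linear
rule, the server only ever sees model parameters, and the final function shows
why a raw single-sample gradient is itself sensitive data.
"""
from typing import List, Optional, Tuple

Vector = List[float]
Sample = Tuple[Vector, float]          # (feature vector x, label y)
Model = Tuple[Vector, float]           # (weights w, bias b)


def predict(w: Vector, b: float, x: Vector) -> float:
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def gradient(w: Vector, b: float, sample: Sample) -> Tuple[Vector, float]:
    """Gradient of 0.5 * (w.x + b - y)^2 with respect to (w, b) for one sample."""
    x, y = sample
    err = predict(w, b, x) - y
    return [err * xi for xi in x], err


def local_train(model: Model, data: List[Sample], lr: float = 0.1, epochs: int = 10) -> Model:
    """Client side: plain SGD on the client's own data. Only (w, b) leave the client."""
    w, b = list(model[0]), model[1]
    for _ in range(epochs):
        for sample in data:
            gw, gb = gradient(w, b, sample)
            w = [wi - lr * gi for wi, gi in zip(w, gw)]
            b -= lr * gb
    return w, b


def fed_avg(updates: List[Model], sizes: List[int]) -> Model:
    """Server side: average the client models, weighted by local dataset size."""
    total = sum(sizes)
    dim = len(updates[0][0])
    w = [sum(u[0][i] * n for u, n in zip(updates, sizes)) / total for i in range(dim)]
    b = sum(u[1] * n for u, n in zip(updates, sizes)) / total
    return w, b


# Constructed ground truth and client datasets (hypothetical, for illustration only).
TRUE_W, TRUE_B = [2.0, -1.0], 0.5


def make_client(points: List[Vector]) -> List[Sample]:
    return [(x, predict(TRUE_W, TRUE_B, x)) for x in points]


CLIENTS = [
    make_client([[1.0, 0.0], [0.0, 1.0], [1.0, 1.0]]),
    make_client([[2.0, 1.0], [1.0, 2.0]]),
    make_client([[0.5, 0.5], [1.5, -1.0], [-1.0, 2.0], [2.0, 2.0]]),
]


def run_federated(rounds: int = 100) -> Model:
    """Full protocol: broadcast the model, clients train locally, server averages."""
    model: Model = ([0.0, 0.0], 0.0)
    for _ in range(rounds):
        updates = [local_train(model, data) for data in CLIENTS]
        model = fed_avg(updates, [len(d) for d in CLIENTS])
    return model


def recover_sample_from_gradient(gw: Vector, gb: float) -> Optional[Vector]:
    """Leakage check: for this model a single-sample gradient is (err * x, err),
    so anyone who sees the raw gradient gets x back exactly as gw / gb."""
    if abs(gb) < 1e-12:
        return None                     # zero error: nothing to divide by
    return [gi / gb for gi in gw]


if __name__ == "__main__":
    w, b = run_federated()
    print("federated model:", [round(v, 3) for v in w], round(b, 3))
    leaked = recover_sample_from_gradient(*gradient([0.1, 0.2], 0.3, CLIENTS[2][1]))
    print("sample rebuilt from one gradient:", leaked)
```

The averaging step is what keeps raw records off the server, but it is not by itself a privacy guarantee: the recovery function above is the simplest instance of the "attack on model updates" the series warns about, and batching, secure aggregation or differential privacy are what turn the architecture into an actual protection.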

In future blogs, the CDEI plans to delve deeper into privacy threat models in federated learning, solutions from the prize challenges, and resources for implementing federated learning. These posts will feature contributions from experts and organisations involved in the prize challenges, providing a comprehensive understanding of the subject.

Court of Appeal denies GDPR immigration exemption

On 11 December 2023, the Court of Appeal held unlawful an exemption in the Data Protection Act 2018 that disapplied certain UK GDPR data subject rights in immigration-related cases. The exemption, as amended in 2022 by secondary legislation, disapplied those rights for any processing necessary for "the maintenance of effective immigration control". Although the 2022 amendment sought to limit the exemption's scope to processing by the Home Secretary, the court unanimously ruled that the amended exemption still breached Article 23 of the UK GDPR, which requires safeguards against abuse of personal data. The government's argument that a policy document sufficed as a safeguard was dismissed by the court.

Judicial guidance issued on the use of AI in the courts

On 12 December 2023, senior members of the judiciary issued guidance on the use of AI within the courts. Judges may use generative AI tools such as ChatGPT for specific tasks, provided they adhere to the guidance setting out permissible use. The guidance responds to numerous reports of AI's existing applications in the judicial system, while also cautioning against AI-generated fictitious cases and other mishaps encountered with chatbots in other legal settings. Notably, the guidance does not indicate a move towards AI-based decision-making by the courts. Nonetheless, it represents a prudent initial step towards how the judiciary plans to integrate AI to support its functions.

UK Information Commissioner's Office publishes draft guidance on employment practices and data protection

On 12 December 2023, the UK's Information Commissioner's Office (ICO) released two draft guidance pieces to assist employers in complying with data protection laws during recruitment and employment record-keeping. The first piece of draft guidance targets employers maintaining employment records, outlining their obligations under the UK GDPR and the Data Protection Act 2018. This emphasises the balance between the necessity of maintaining employment records and workers' privacy rights. The second piece of draft guidance is aimed at employers and recruitment agencies, covering recruitment for all potential employment relationships. It addresses the handling of sensitive information, such as health, diversity, or criminal history, during recruitment. The guidance aims to provide regulatory certainty, protect candidates' data protection rights, and ensure effective recruitment exercises in compliance with data protection laws. Comments on both drafts are open for submission until 5 March 2024.

UK Supreme Court states AI cannot be an inventor

On 20 December 2023, the UK Supreme Court (UKSC) held that AI systems cannot be 'inventors' under the Patents Act 1977. The Act requires an inventor to be a natural person, and this cannot be interpreted to include AI systems. However, the UKSC clarified that this interpretation applies only to the requirement under the Patents Act 1977; it should not be construed as a broader ruling on whether AI-generated inventions are patentable (see our article on the case).

Americas

Bill on protection for AI-generated media stalls in the U.S. Senate

On 13 December 2023, a bipartisan bill to clarify the scope of protections under Section 230 of the Communications Decency Act and exclude AI-generated media was blocked when a motion for unanimous consent met an objection. The bill was originally introduced in the Senate in June 2023. Currently, text and visual content generated by AI are treated as protected under Section 230, which grants companies immunity from claims over third-party speech. If Section 230 were clarified to exclude AI, major technology companies would likely face a large increase in lawsuits over AI-generated content. While the bill has gained some support, senators such as Ted Cruz objected to the motion, stating that the bill required "serious debate".

FCC updates breach notification rules

On 13 December 2023, the Federal Communications Commission (FCC) adopted amendments to its data breach notification rules for telecommunications service providers. Amongst other things, the amendments (i) expand the scope of notification requirements to cover certain personally identifiable information held by the providers; (ii) expand the definition of 'breach' to include inadvertent access, use, or disclosure of customer information; (iii) require service providers to notify the FCC of breaches in addition to the FBI; and (iv) revoke the waiting period before notifying customers of the breach, instead requiring providers to notify customers of a relevant data breach within 30 days, unless required to delay by court order or under any applicable law.

Middle East

Saudi Arabia's National Cybersecurity Authority expands its Cybersecurity Toolkit

On 6 December 2023, Saudi Arabia's National Cybersecurity Authority (NCA) announced that it had updated its Cybersecurity Toolkit to enhance its cyber preparedness. The updated tools, which include policies, standards, and procedures, aim to help public and private sector organisations strengthen their cybersecurity measures. The toolkit, available in both Arabic and English, covers topics such as cybersecurity responsibilities, strategy formulation, malware protection, email and network security, user device security, and data security.

Israel's Authority for the Protection of Privacy to require compliance with the Privacy Protection Law

On 3 December 2023, Israel's Authority for the Protection of Privacy announced that it will require information management and storage services to comply with the Privacy Protection Law and regulations under it. The Authority has identified several violations of the law and regulations, which attackers have exploited to access personal information and misuse it.

The Authority has been working to address information security incidents that have harmed the privacy and security of Israeli residents. It has requested information and documents from companies providing services to database owners, including software, platform and infrastructure services. The Authority's notice includes a list of steps that such companies must take to raise the security level of their databases and systems, with the aim of helping them comply with the law and regulations and reducing the risk of security incidents and leaks of personal information.

Africa

Kenyan Bill on Robotics and AI Society introduced to National Assembly

On 29 November 2023, Fred Ondieki Sagwe, a representative of the Robotics Society of Kenya (RSK), petitioned the Kenyan Parliament to pass the Kenya Robotics and Artificial Intelligence Society Bill 2023. The Bill aims to establish the RSK as a regulatory body for robotics and AI technology. The RSK aims to promote the development of the robotics and AI industry, enforce standards and codes of practice in collaboration with relevant authorities, carry out surveillance and inspections to ensure compliance with standards, and advise the government on emerging trends. Notably, the Bill will require registration and licensing for anyone involved in the robotics or AI business, after the payment of a prescribed fee, with penalties for non-compliance. The Public Petitions Committee will review the Bill before it is presented to the National Assembly.

Malawi Parliament introduces bill on data protection

On 7 December 2023, Malawi's Parliament introduced Bill No.22 for the Data Protection Act 2023, to provide a comprehensive framework for the regulation of personal data in line with internationally accepted principles. The bill applies to data processing within Malawi, data processing related to goods or services offered to data subjects in Malawi, and data processing in relation to monitoring of the behaviour of data subjects within Malawi. It also covers the processing of personal data by wholly or partly automated means, or by means other than automated means which forms or is intended to form part of a filing system.

The bill provides, amongst other things, definitions, data processing principles, data subject rights, controller and processor obligations, breach notification requirements, and cross-border transfer provisions. Additionally, the Malawi Communications Regulatory Authority would be the designated data protection authority. The bill requires registration of significant data controllers and processors, with a 24-month exemption for those not of significant importance and a six-month compliance period for existing entities.

Additional Information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers