Clifford Chance

Tech Policy Unit Horizon Scanner

March 2024

Topics: Artificial Intelligence, Data Privacy, Cyber Security | 28 March 2024

Staying on brand, with only three months to the European parliamentary elections, the EU is wasting no time in pushing forward its ambitious tech regulation agenda. Not only was the long-awaited EU AI Act approved by the Parliament this month, it also adopted the Cyber Resilience Act (on which you can read our new briefing here). The EU institutions reached political agreements on the European Health Data Space, an initiative aiming to strike a balance between data accessibility and protection of sensitive health information, and on the Cyber Solidarity Act, which seeks to enhance the cyber incident response capacity of the EU. Amid calls for a change of focus towards implementation and enforcement of the complex rulebook under construction, the 2024 – 2029 Parliament and Commission will have plenty to get stuck into.

Beyond the EU, governments around the world have doubled down on the importance of safe and efficient data transfers, with cross-border information flows at the top of the list. China issued a new action plan for facilitating cross-border data flows between foreign-invested enterprises and their headquarters, while the Hong Kong Privacy Commissioner introduced a standard contract aiming to simplify compliance requirements for data sharing in the Guangdong - Hong Kong - Macao Greater Bay Area. The UK and U.S. signed a Memorandum of Understanding on the protection of personal data, which includes provisions for greater information sharing, and the Nigerian Data Protection Commission published its new Strategic Roadmap, with global collaboration as a key priority.

Staying on the topic of data, the question of consent is coming up a lot. The new Kuwaiti Data Protection Regulation puts particular emphasis on obtaining data subject consent, and the UK ICO launched a consultation into the "Consent or Pay" model, which is becoming increasingly popular amongst online advertisers. South Korea pushed through amendments to its Personal Information Protection Act, strengthening the position of data subjects especially in relation to information access, while the Somali authorities kept strengthening the framework around their newly enacted Data Protection Act.

APAC (Excluding China)

South Korean Personal Information Protection Commission announces amendments to data protection law

On 6 March 2024, the South Korean Personal Information Protection Commission (PIPC) announced that new amendments to the Enforcement Decree of the Personal Information Protection Act will come into effect on 15 March 2024. On 12 March 2024, the PIPC published guidelines on these amendments.

The amendments include new rights for data subjects, such as the right to request (and, in some circumstances, reject) an explanation of fully automated decisions. This aims to ensure that large companies and public institutions that process significant amounts of personal data can perform their respective obligations. The amendments also require companies' privacy policies to include more information about possible transfers of personal data to foreign countries.

Indian Ministry of Corporate Affairs publishes draft bill for the Digital Competition Act

On 12 March 2024, the Indian Ministry of Corporate Affairs (MCA) published the Report of the Committee on Digital Competition Law. The Committee was set up to examine the need for an ex-ante regulatory mechanism for digital markets in India. The Committee has recommended that separate legislation is needed to supplement the current Competition Act 2002, and the report includes the text of a draft bill for a Digital Competition Act. The bill aims to identify key digital enterprises and regulate their provision of core digital services from an antitrust perspective. In addition, it places certain data usage, sharing and consent obligations on the identified enterprises. The report and draft bill are available on the MCA website until 15 April 2024 for review and comment from interested stakeholders.

Hong Kong Privacy Commissioner for Personal Data publishes an article on cross-boundary information flow

On 14 March 2024, the Hong Kong Privacy Commissioner for Personal Data (PCPD) published an article on the cross-boundary flow of personal data within the Guangdong – Hong Kong – Macao Greater Bay Area. The article introduces the cross-boundary personal data flow standard contract, jointly formulated by the Cyberspace Administration of China, the Hong Kong Innovation, Technology and Industry Bureau and the PCPD. The standard contract aims to facilitate information sharing in the area by simplifying the compliance requirements. The Commissioner encourages businesses to adopt the standard contract to facilitate cross-boundary transfers in the Greater Bay Area.

China

China's Information Security Standardisation Technical Committee releases basic security requirements for generative AI services

On 29 February 2024, the National Information Security Standardisation Technical Committee (TC260) published the "Technical Document on Basic Security Requirements for Generative Artificial Intelligence Services", which sets out basic security requirements for generative AI services, including for training data, training models, security measures and security assessments. The Technical Document applies mainly to safety assessments carried out by service providers to improve the safety of their services, but also serves as a reference for the competent authority when reviewing the safety level of generative AI services.

China supports cross-border data flow between foreign-invested enterprises and their headquarters

On 19 March 2024, the General Office of the State Council in China issued the "Circular on Action Plan for Solidly Promoting High-Level Openness to the World and Making Greater Efforts to Attract and Utilize Foreign Investments". According to the Action Plan, cross-border data flow between foreign-invested enterprises and their headquarters will be supported and facilitated. Specifically, China will standardise cross-border data security management and personal information export filing, in order to promote data flow in areas such as research and development, production, and marketing of foreign-invested enterprises. In addition, measures will be taken to make data flow steadily more convenient and a "white list" mechanism for cross-border data flow will be explored within the Guangdong - Hong Kong - Macao Greater Bay Area.

EU

The European Parliament approves the AI Act

On 13 March 2024, the Artificial Intelligence Act (AI Act) received approval from the European Parliament. The AI Act sets forth regulatory requirements for AI systems on the basis of their associated risks and impact. Following approval from the European Parliament, the regulation will now undergo a final review by lawyer-linguists and is anticipated to be formally adopted before the end of the current legislative period, following the corrigendum procedure. In addition, the law must still be formally endorsed by the Council of the European Union.

The version approved by the European Parliament has been published here.

European institutions reach a political agreement on the European Health Data Space

On 15 March 2024, the European Parliament and the Council of the European Union struck a deal regarding the European Health Data Space (EHDS). The initiative aims to promote digital access to, and control of, electronic personal health data at both national and EU levels. The EHDS facilitates a safe and secure exchange of health data for healthcare delivery, research, and policymaking within the EU. The compromise reached centered on balancing the need for data accessibility with stringent protection of personal health information. Going forward, the provisional agreement must now receive endorsement from both the Parliament and the Council.

Provisions pertaining to gatekeepers under the EU Digital Markets Act come into force

The Digital Markets Act (DMA) entered into force on 1 November 2022 and became applicable on 2 May 2023. It establishes obligations for "gatekeepers" that provide core platform services, such as search engines, application distribution interfaces (app stores), and messenger services, to ensure fair and open markets in the digital sector. On 6 September 2023, the European Commission designated six organisations, namely Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft, as "gatekeepers" subject to the relevant DMA obligations. These gatekeepers had six months to ensure compliance with the DMA.

On 7 March 2024, the European Commission announced that the six designated gatekeepers must now fully comply with all provisions in the DMA. Compliance includes submitting a detailed report outlining the measures taken to comply with the DMA's requirements. For instance, on 5 March 2024, Google publicly announced some of the measures it is taking to comply (including, for example, changes to search results, the introduction of choice screens, additional consent protocols for Google services, and improved data portability), and on 7 March 2024, Apple published its compliance report. The European Commission is responsible for overseeing the gatekeepers' compliance with the DMA and ensuring that their measures are effective and meet the established obligations.

The European Parliament approves the Cyber Resilience Act

On 12 March 2024, the European Parliament approved the new Cyber Resilience Act (CRA). It aims to enhance cybersecurity across products with digital elements. The Act extends the scope of cybersecurity rules to cover a wide range of products, such as identity management software and smart home devices. Notably, the Act mandates that security updates must be distinguished from, and installable independently of, functionality updates. Should vulnerabilities or incidents arise, Member States are required to inform the European Union Agency for Cybersecurity (ENISA). ENISA will then assess the circumstances and, where required, warn other Member States about potential widespread risks. Before the Act becomes binding, the Council of the European Union must formally endorse it.

The version approved by the European Parliament has been published here.

European lawmakers reach political agreement on the Cyber Solidarity Act

On 6 March 2024, the European Parliament and the Council of the European Union reached a political agreement on the EU Cyber Solidarity Act (CSA). It aims to enhance the overall preparedness and response capacity of the EU to large-scale cyber incidents and threats. Notably, a "European Cybersecurity Alert System", comprised of national and EU cyber hubs, will provide real-time awareness of cyber threats and incidents to Member States and EU authorities, facilitating detection and timely response. A "Cybersecurity Emergency Mechanism" will enhance preparedness and response capabilities, while a "Cybersecurity Reserve", comprised of incident response services from trusted providers that can be activated by Member States, EU institutions and associated third countries, will help respond to significant or large-scale cybersecurity incidents. Following the political agreement, the CSA must now receive formal ratification by both the Parliament and the Council.

UK

ICO issues new guidance on biometric data

On 4 March 2024, the UK Information Commissioner's Office (ICO) published new guidance on biometric data and how data protection laws are applicable when employing biometric recognition systems. The guidance is aimed at organisations that intend to or are considering the use of biometric recognition systems and the providers of such systems.

While "biometric recognition" is not explicitly defined in UK data protection law, the guidance underlines the similarity of the concept with "special category biometric data" under the UK GDPR. The guidance emphasises that any use of biometric data in a system which recognises people based on their physical or behavioural characteristics will qualify as processing of special category biometric data.

ICO launches "Consent or Pay" consultation

On 6 March 2024, the ICO launched a call for views on "Consent or Pay" business models. The Consent or Pay model, which is growing in popularity in the online advertising industry, gives users of a website the option to either use the website for free in exchange for consenting to the use of their data for personalised advertising, or pay a fee to avoid tracking. Currently, UK data protection law does not, in principle, prohibit the use of a Consent or Pay model.

Stephen Almond (Executive Director, Regulatory Risk at the ICO) noted that there are many lawful ways online advertising can be used in this way, as long as people are given a fair choice over whether their personal data is used. He also highlighted that the ICO's efforts to track down websites that do not provide such a fair choice continue, and commented that "this is the last chance to change. Our next announcement in this space will be about enforcement action".

The consultation is open until 17 April 2024.

ICO publishes its new Data Protection Fining Guidance

On 18 March 2024, after concluding a consultation carried out towards the end of 2023, the ICO published its new Data Protection Fining Guidance, which sets out how the ICO will issue penalties and calculate fines under the UK GDPR and the Data Protection Act 2018. The new Guidance replaces the penalty guidance in the Regulatory Action Policy published in November 2018. The Guidance covers, among other things: (i) the statutory framework that empowers the ICO to impose fines; (ii) the infringements for which the ICO can impose fines; (iii) the circumstances in which the ICO would consider it appropriate to issue a penalty notice; and (iv) the five-step approach the ICO will use to calculate the amount of a fine.

ICO and US FCC sign a Memorandum of Understanding to cooperate on protecting consumer data

On 29 February 2024, the ICO and the US Federal Communications Commission (FCC) signed a Memorandum of Understanding (MoU) to cooperate on protecting consumer privacy and sensitive data. Among other things, the MoU outlines shared priorities regarding: (i) risks arising from the misuse of communications networks; (ii) exploitation of private and sensitive data; (iii) threats from cybercriminals and adversaries; and (iv) cross-border issues. Amid the ICO's strategic plan to tackle predatory marketing, the MoU will enable greater information sharing between the countries to better protect people from the misuse of their personal data.

G7 nations sign declaration on the use of AI

On 15 March 2024, the UK Department for Science, Innovation & Technology announced that the G7 nations have signed a joint ministerial declaration on the use of AI and innovation, following a meeting of the group's Industry, Tech & Digital Ministers. The declaration focuses on the potential for intra-group collaboration, with the goal of enhancing productivity and creating an environment in which AI technologies can be leveraged in a safe and trustworthy manner. The declaration also envisages the creation of an AI toolkit, which would allow governments to map out the opportunities and risks of AI.

House of Lords European Affairs Committee calls for evidence on data adequacy

On 15 March 2024, the House of Lords European Affairs Committee announced that it is seeking views on the UK's data adequacy arrangements and the current free flow of data with the EU for commercial purposes and criminal investigations. The inquiry will focus on how the current system is working in practice and will aim to map out any divergence between the UK and EU data protection regimes. The Committee invites interested parties to submit their views by 3 May 2024, with the aim of completing a report of its findings by July 2024.

National Cyber Security Centre publishes guidance on cyber attack responses

On 21 March 2024, the National Cyber Security Centre (NCSC) published guidance on how private and public sector organisations should respond to cyber security attacks. The guidance, which is aimed at CEOs, lists some of the steps they should take when faced with a cyber incident, including, for example: (i) implementing proportionate and effective governance guidelines; (ii) bringing in a specialist, such as a cyber incident response company; (iii) considering whether any data breach should be notified; (iv) considering how to report the incident; and (v) reviewing the lessons learned from the incident. In addition to the measures to be taken internally, organisations should report significant incidents to the NCSC and the police, who can give extra support.

Americas

U.S.

House of Representatives passes bill to ban TikTok

On 13 March 2024, 385 US House representatives voted to pass bill H.R.7521 to ban TikTok in the United States, with 65 representatives voting against. The bill will now move to a vote in the Senate, and President Biden has said that he will sign the bill if it passes. Opponents of the bill are calling for comprehensive federal data privacy laws instead of the envisaged "Band-Aid" ban on the foreign social media company. The Senate is divided on the issue, and Vice President Harris said that it is not the administration's aim to ban TikTok.

United Nations adopts US-spearheaded AI Resolution

On 21 March 2024, the United Nations General Assembly adopted by consensus, without a vote, the resolution "Seizing the opportunities of safe, secure and trustworthy artificial intelligence systems for sustainable development". The resolution was sponsored and led by the United States, with more than 120 other Member States backing it. Linda Thomas-Greenfield, US Ambassador and Permanent Representative to the UN, introduced the resolution, stating that it is the UN's responsibility "to govern this technology rather than let it govern us." Although the resolution is non-binding, its adoption signals the first worldwide recognition of, and focus on, the importance of safe and secure AI. In the face of the AI boom, Member States are encouraged to protect privacy and human rights and to monitor threats to jobs and infrastructure.

Middle East

Kuwait publishes a new Data Privacy Protection Regulation

On 19 February 2024, the Kuwaiti Communication and Information Technology Regulatory Authority (CITRA) published its new Data Privacy Protection Regulation (No 26 2024), which replaces the previous regulation from 2021. The Regulation provides guidelines for managing and processing telecommunications and IT related data, and applies to all service providers licensed by CITRA that collect, process and store personal data and user content, whether inside or outside Kuwait. The Regulation puts particular emphasis on the requirement to obtain the consent of the data subject before collecting and processing their data.

Israel's Privacy Protection Authority publishes a protection of patient privacy policy document

On 3 March 2024, the Israeli Privacy Protection Authority (PPA) published a policy document on the protection of patient privacy where medical data is transferred by digital means. The PPA noted that the policy document is intended for organisations, authorities and institutions providing health services, and will apply alongside its existing instructions and recommendations. The policy document highlights challenges that arise from insufficient information sharing practices, such as the use of non-designated software, including the possibility of data leaks, inadvertent exposure of information and theft of sensitive information. The document recommends that organisations review their patient confidentiality, security and software policies to avoid such risks.

Israel's Privacy Protection Authority publishes a report on data security in public organisations

On 23 February 2024, the Israeli Privacy Protection Authority (PPA) published a report on the protection of personal information by public and civil society organisations that have been providing services to the public since the start of the Middle Eastern conflict. Many of these organisations collect and store the personal information of applicants who use their services, and also share the data with third parties. The report revealed a widespread lack of awareness of the relevant data protection laws and of the importance of securing the personal data provided to these organisations.

Saudi Arabia's Data & Artificial Intelligence Authority requests comments on the draft Data Sovereignty Public Policy

On 11 March 2024, the Saudi Data & Artificial Intelligence Authority (SDAIA) posted a call for public comments on the draft Data Sovereignty Public Policy. The draft policy aims to set principles around Saudi Arabia's use of data and the development and encouragement of data sovereignty, providing guidance on these matters to public and private organisations, non-profits and the international community. The draft policy is currently built around four principles, namely data as a national asset, data protection, data availability and the encouragement of local and foreign investment. The public can submit comments until 9 April 2024.

Africa

Nigerian Data Protection Commission publishes its Strategic Roadmap and Action Plan

On 23 February 2024, the Nigerian Data Protection Commission (NDPC) published its 2023 – 2027 Strategic Roadmap and Action Plan (SRAP), with governance, ecosystem and technology, capacity development, cooperation and collaboration, and funding and sustainability as its five key pillars. The SRAP lays out an estimated timeline of key focus areas for the Commission, including increasing collaboration with global counterparts in 2024, developing a data privacy syllabus in 2025 and creating 500,000 new jobs in the sector by 2027.

Somalia continues to strengthen its data protection framework

Following the guidance published on the Somali Data Protection Act (which we reported on last month), on 13 March 2024 the Somali Data Protection Authority published FAQs on its role and responsibilities for ensuring that personal data is protected in accordance with the Act. The Authority also published a number of forms for data controllers, processors and members of the public, including registration, complaint and data breach report forms, which will facilitate communication with the Authority on matters falling under the Data Protection Act.

Additional Information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.