Clifford Chance

The UK's key digital regulators have announced an unprecedented programme of ambitious regulatory reforms

In the United Kingdom, a series of announcements from the Competition and Markets Authority (CMA), Ofcom, and the Information Commissioner’s Office (ICO) point to greater regulatory powers and coordination efforts to tackle the market power of so-called ‘Big Tech’ firms in the UK. For digital platforms, the announcement heralds a heightened level of enforcement and political risk.

At present, the CMA, ICO and Ofcom have overlapping regulatory responsibilities for digital markets. A joint body formed from the CMA, ICO and Ofcom, the newly-formed Digital Regulation Cooperation Forum (DRCF) has been created to advance a coherent regulatory approach and inform policymaking.

The DRCF’s objectives will likely focus on the UK’s regulatory pipeline for digital services, including regulation of online harms and age appropriate design, and will be informed by emerging approaches globally. In Australia, for example, the Australian Competition and Consumer Commission has been tasked with overseeing the development of a new voluntary code to address bargaining power imbalances between digital platforms and news media businesses.

The CMA has also called for a new ‘pro-competition regulatory regime’, led by a new ‘Digital Markets Unit’ to tackle the perceived anticompetitive effects of digital platforms’ market power. This follows a year-long study into online platforms and the digital advertising market, and the March 2019 ‘Furman Report’, which suggested the creation of a new regulator with wide powers to police powerful tech companies. In its Annual Report, the CMA has stated that it will take forward "work on what more we can do to improve the robustness of the regimes without legislative reform, and we will announce more on this over the next year,"

Meanwhile, the CMA's Digital Markets Taskforce published a call for information from platform operators and customers of “digital platforms” and have also launched questionnaires for a wide range of businesses, including those who sell or distribute their products and services using app stores.

Ofcom has published its own Call for Evidence in relation to its anticipated future role as the UK's regulator of UK-established video-sharing platforms (VSPs). As set out in the Call for Evidence, under the EU's Audiovisual Media Services Directive the UK is required to implement a new statutory framework which will for the first time mean that UK online services which provide access to user-generated videos will fall within the scope of statutory regulation.  

The Call for Evidence (which closes on 24 September) sets out Ofcom’s approach to VSP regulation based around some core principles: protection and assurance; freedom of expression; adaptability; transparency; enforcement; independence; and proportionality. The UK Government has stated its intention for VSP regulation in the UK to be superseded by the Online Harms Bill, when that comes into force.

In June 2020 the Central Bank of Nigeria (the "CBN") released the Regulatory Framework for Sandbox Operations in Nigeria, proposing for the first time a framework that seeks to provide regulatory oversight for innovation in the FinTech sphere. The sandbox is a formal process for firms to conduct live tests of new innovative products, services, delivery channels, or business models. These processes would take place in a controlled environment and would be supervised by the CBN. The sandbox will be open to existing licensees, such as financial institutions and FinTech initiatives, as well as other businesses including telecoms companies. One of the objectives of the sandbox is to provide an "avenue for regulatory engagement" with FinTech firms in the payment space, while contributing to economic growth.

In South Africa, the Minister of Finance published proposed amendments to the Financial Intelligence Centre Act ("FICA") for public comment. The proposed amendments will include new rules around crypto-asset service providers ("CASPs"), including further responsibilities around which information they must maintain, and conducting due diligence on customers. The list of CASPs is wide and will cover the majority of CASP businesses in South Africa, including the service providers operating outside the country. Such businesses will be regarded as "accountable institutions" and will be required to comply with the regulatory requirements and obligations imposed on accountable institutions by FICA. This includes the requirement to register as an "accountable institution" with FICA, conducting due diligence and KYC checks on all customers in accordance with a risk-based approach, and developing, implementing and maintaining a risk management and compliance programme.

In Kenya the Central Bank of Kenya (Amendment) Bill, 2020 (the "Bill") was released in June 2020. Currently, digital lending in Kenya is not regulated and there have been accusations of predatory lending with excessively high interest rates. The main aim of the Bill is to amend the Central Bank of Kenya Act to regulate the loan rates of digital lenders and the conduct of digital financial services operating in the country. If passed into law, the Bill will give the Central Bank of Kenya the power to regulate the monthly interest rates that can be charged by digital mobile lenders.

The political hot potatoes of facial recognition, encryption and online advertising spend remain in the headlines

A boycott of social media advertising services has grown over the past month, with over a thousand brands and companies recently halting their purchases of advertising on Facebook. The boycott follows calls from several civil rights groups, including the Anti-Defamation League, Color of Change, and the NAACP, for brands to temporarily halt their advertising under the #StopHateForProfit campaign.

Although Facebook has an explicit policy against hate speech, critics argue that the company has failed to sufficiently police its platform to prohibit hate, racism, and misinformation, or to prevent extremists from coordinating and communicating. A meeting in early July between Facebook CEO Mark Zuckerberg and civil rights activists leading the boycott met with little success, and the activists say their demands have not been met. While major brands have joined the boycott, Facebook has indicated it affects a small percent of the company's revenue.

Zoom has announced that it will now be offering free end-to-end encryption (“E2EE”) to all users of its platform, with an early beta version of the feature available in July. Zoom cautioned that the optional E2EE feature, which meeting hosts will be able to enable and disable, will limit certain functionalities. The announcement marks a reversal from the position that Zoom had staked out as recently as early June, when it cited the need to provide data to law enforcement as a key reason not to offer end-to-end encryption for free calls.

Zoom’s announcement comes at a moment when encryption itself is facing skepticism from law enforcement and advocates for accessibility. Law enforcement officials in the U.S. have long advocated for limits on encryption capabilities, and in late June, two U.S. Senators introduced the Lawful Access to Encrypted Data Act, which would require service providers and device manufacturers to assist law enforcement in accessing encrypted devices or data (although the act would require a warrant based on probable cause).

Following reversals of course by Amazon, IBM, and Microsoft from their previous promotion of the use of their facial recognition products by law enforcement, the fight now moves to Washington. At the end of June, a bill entitled “Facial Recognition and Biometric Technology Moratorium Act of 2020” was introduced in the U.S. Senate. The bill would “prohibit biometric surveillance by the Federal Government without explicit statutory authorization and to withhold certain Federal public safety grants from State and local governments that engage in biometric surveillance.” The bill includes in its definition of “biometric surveillance” techniques such as voice and facial recognition. Amazon and Microsoft had stated previously that their temporary moratorium was intended to allow legislators time to enact sufficient safeguards for the use of facial recognition by law enforcement, but so far, neither company has endorsed the national moratorium that the bill proposes.

In a major step forward for regulatory clarity in the FinTech sector, the Office of the Comptroller of the Currency released an interpretive letter concluding that national banks and federal savings associations may provide custody services for cryptocurrency on behalf of customers. The letter recognizes that, as the financial markets become increasingly technological, there will likely be increasing need for banks to leverage new technology and innovative ways to provide traditional services on behalf of customers. According to the letter, providing custody services for cryptocurrency is a permissible form of a traditional banking activity that national banks may perform through electronic means, and falls within national banks' longstanding authorities to engage in safekeeping and custody activities. The agency is of the view that providing such services will allow national banks to continue to fulfill their historical financial intermediation function.

In Singapore, the Academy of Law’s Law Reform Committee has published a report identifying issues that law and policy makers may face in applying ethical principles when developing or reforming policies and laws regarding AI.

Meanwhile, the Monetary Authority of Singapore and Temasek issued joint final report for Project Ubin, a collaborative industry project to explore the use of Blockchain and distributed ledger technology for clearing and settlement of payments and securities. The report provides technical insights into the blockchain-based multi-currency payments network prototype that was built and describes how the network could benefit the financial industry and blockchain ecosystem.

In South Korea, the Financial Services Commission (FSC) published minutes of meeting of a new working group made up of public and private sector experts, tasked with promoting the use of artificial intelligence (AI) technology in financial services. The working group aims to unveil its plans for promoting AI in financial services by the end of 2020.

While countries around the world are constructing new 5G networks, Samsung has released a White Paper setting out its vision of '6G' technology. Samsung expects that the completion of the 6G standard and its earliest commercialization date could be as early as 2028, while mass commercialization may occur around 2030.

The PRC is consulting on a new Data Security Law

On 3 July 2020, the National People’s Congress issued the Data Security Law (Consultation Draft) (the “Consultation Draft”) and is seeking public comments (the consultation closes on 16 August 2020).

The Consultation Draft sets out a regulatory regime for data which would be supervised by industrial regulators and security authorities. In terms of cross-border data flows, the Consultation Draft proposes that export controls will apply to restricted data (such as in the area of national security), while approval requirements will apply before certain entities/individuals can process any data export request from non-PRC enforcement authorities. According to the Consultation Draft, if any non-PRC jurisdiction adopted discriminatory measures against the PRC in terms of investment/trading in data technology activities, PRC regulators may take corresponding measures.

UK // The UK Government is canvassing opinion on a new online sales tax - one among many key announcements made this month

HM Treasury has announced a review of business rates – a charge on most non-domestic properties – and has mooted a potential new "online sales tax" which could apply to "the revenues that businesses generate from online sales to UK customers, and focused on sales in direct competition with those carried out through physical premises". HM Treasury notes that many online retailers oppose such measures, which would likely sit alongside the existing business rates regime, and the UK's new "digital services tax", introduced in April.

The UK Government has committed $500m to purchasing a stake in the satellite operator OneWeb, which aims to build the first global communications network to be powered by a constellation of low-Earth-orbit satellites. A corresponding ministerial direction notes "the potential long-term geo-political advantages for foreign policy and soft power that would come with sovereign ownership of a fleet of satellites".

Further details of the UK's future points-based immigration system were published on 13 July. The new policy paper sets out details of the key work and study immigration routes available to skilled workers.

Meanwhile, the UK Financial Conduct Authority and City Corporation are to collaborate on a digital sandbox pilot to support innovative firms, such as large financial institutions and start-ups, looking to play a key role in the recovery from coronavirus.

Finally, according to SchemeServe, a UK-based insurtech company, sales of cyber insurance policies in the UK have increased by almost 3.5 times during the Covid-19 lockdown.

EU // New Competition Tool and Digital Services Act

Our podcast on the EU Commission's proposals for a "New Competition Tool" and Digital Services Act can be accessed here. Our EU competition and tech experts provide insights into the likely path ahead.

EU // 5G security: cautious assessment of progress in limiting risks

EU authorities have published a progress report on the security risks related to the rollout of 5G. The report found good progress was being made in relation to powers for Member States to regulate the procurement of network equipment and services by operators, and measures aimed at restricting the involvement of suppliers based on their risk profile.

A note of caution was raised about the importance of looking at "the network as a whole and address[ing] core network elements as well as other critical and highly sensitive elements, including management functions and the radio access network". Where a high risk vendor has already been contracted, the report said that transition periods should be put in place. Elsewhere, the report raised concerns about the current dependency on high risk suppliers and the inability of some network operators to impose multivendor strategies.

Finally, the report called on those Member States without Foreign Direct Investment (FDI) screening regimes in place to introduce them without delay as they could apply to investment developments potentially affecting the 5G value chain.

The report was produced as a follow-up to the March 2019 Commission Recommendation on Cybersecurity of 5G networks.

EU // Artificial Intelligence

The European Commission is seeking views on its roadmap for new legislation on artificial intelligence that would plug perceived gaps in the current regulatory framework, namely in relation to the protection of fundamental rights, the application of EU rules on safety and the attribution of liability.

Options on the table include soft law to encourage industry-led solutions, a voluntary labelling scheme, a new law establishing mandatory requirements for all or certain types of AI, or a mix of these depending on the level of risk associated with a particular AI application.

According to the current timetable, new rules would be proposed in early 2021. The deadline for feedback on the roadmap is 10 September 2020.  The Commission has also published a summary of the responses to its White Paper on AI, published earlier this year and to which it received over 1250 responses.

EU // Internet of Things probe

The Commission has launched an antitrust sector inquiry into the Internet of Things (IoT) for consumer-related products and services that are connected to a network and can be controlled at a distance. This includes smart home appliances and wearable devices.

The Commission is investigating potential restrictions of data access and interoperability, as well as certain forms of self-preferencing and practices linked to the use of proprietary standards. If, after analysing the results, the Commission identified specific competition concerns, it could open investigations to ensure compliance with EU rules on restrictive business practices and abuse of dominant market positions.

EU // Apple, Ireland successfully appeal 2016 State aid ruling

The General Court of the EU has annulled a decision taken by the Commission regarding Irish tax rulings in favour of Apple. The Court considered that the Commission did not succeed in showing "to the requisite legal standard" that there was an advantage for the purposes of Article 107(1) of the Treaty on the Functioning of the EU (TFEU).

The case relates to a decision by the Commission taken in 2016 in which it deemed the tax rulings constituted unlawful State aid granted to Apple by the Irish government. The Commission had demanded the recovery of the aid which amounted to EUR 13 billion. Apple and the Irish State appealed the decision (Case T-778/16). Margrethe Vestager, the Executive Vice President of the Commission who was also the Competition Commissioner at the time of the State aid ruling, has said she will study the Court's findings and decide on next steps.

Clifford Chance Tax Partner Dan Neidle appeared on Sky News to discuss Apple and Ireland's tax win against the EU Commission.

EU // Privacy Shield

The Court of Justice of the EU (CJEU) has also invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield, a mechanism used by many companies and financial institutions to transfer data between the EU and US, on the basis that it does not appropriately protect the privacy of European citizens in a manner equivalent to the European General Data Protection Regulation (GDPR). The CJEU confirmed that it considers that Commission Decision 2010/87 on standard contractual clauses (SCCs) for the transfer of personal data to processors established outside the EU is valid, which means companies will now have to assess whether existing SCCs are sufficient to facilitate their transatlantic data transfers.

In an article posted by BBC News, Clifford Chance partner and co-head of the firm's Tech Group Jonathan Kewley said: "This is a bold move by Europe. What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted but those in the US cannot." Jonathan also warned that standard contractual clauses will be much more closely scrutinised from now on.

The launch of what its issuer describes as the world's first gold-backed digital gold currency was announced in July. The USG digital currency is administered via the Ethereum blockchain platform and its issuer suggests that each USG Token is a direct representation of an American Eagle one ounce gold coin, as minted by the United States of America. By linking the value of a digital token to a physical asset, the issuers hope to ensure reduce volatility in the price of those tokens.

Dubai has launched a new "Food Security Dashboard" to support food security in the Emirate. The move follows the coronavirus pandemic, which has pushed the issue of food security into the spotlight. Earlier in the year, the UAE appointed the world's first "minister of food security". The Dashboard will use AI and big data analytics to track key indicators of food security.