Clifford Chance

Kenya appoints first Data Protection Commissioner, giving teeth to the 2019 GDPR-style Data Protection Act

On 16 November 2020, the President of Kenya appointed Immaculate Kassait as the country's first data protection commissioner. As commissioner, Kassait will oversee the establishment of the Office of the Data Commissioner, including the appointment of its various officers, and will be responsible for enforcing Kenya's Data Protection Act (DPA) 2019. The DPA aligned Kenya's data protection laws, for the most part, with the GDPR and whilst it has been in effect since 25 November 2019, its provisions have, so far, been unenforced pending the appointment of a commissioner.

Once established, the Office of the Data Commissioner will have various functions, including: (i) overseeing the implementation and enforcement of the DPA; (ii) establishing and maintaining a register of data controllers and processors; (iii) promoting self-regulation amongst data controllers and processors; (iv) receiving and investigating complaints and breaches with respect to the DPA; and (v) promoting international cooperation in matters relating to data protection and ensuring Kenya's compliance with international data protection conventions.

Kenya passes bill allowing government to access personal data for national security reasons

On 12 December 2020, the President of Kenya signed the Statute Law (Miscellaneous Amendments) Bill 2020. The Bill will allow the government to demand access to data from its citizens' mobile phones, laptops and other technological devices if it believes it is in the interest of national security. If requested, Kenyan citizens will be compelled to provide data such as emails, SMS, WhatsApp messages and call logs and those who refuse will face fines and criminal sanctions.

Critics argue that this is a disproportionate infringement on the privacy of Kenyan citizens and may have a stifling effect on legitimate criticism and opposition of the government.

Nigeria publishes draft National Adoption Blockchain Strategy

The Government of Nigeria has taken a significant step in the development of a framework for the adoption of Blockchain technology, in various sectors and industries in the country, with a stated aim of generating $10 billion revenue by 2030, by publishing its draft National Adoption Blockchain Strategy.

The strategy is built on six key initiatives: (i) the establishment of a Nigeria Blockchain Consortium, made up of key stakeholders from industry, academia and government, to drive the initiatives set out in the framework and consider how to apply Blockchain the public sector; (ii) establishing and strengthening the regulatory and legal framework for Blockchain in the country to provide clarity and certainty for developers; (iii) create a unique national digital identity for every Nigerian citizen using Blockchain; (iv) promoting Blockchain digital literacy and awareness through education and widespread government partnerships with public and private sectors; (v) creating an incentive programme to support SME and start-up engagement with Blockchain technologies; and (vi) establishing a national Blockchain sandbox for proof of concepts and pilot implementation to help foster innovation and development.

State Attorneys General and the Federal Trade Commission File Lawsuits Against Facebook

In the United States, the trend of increasing antitrust enforcement in the technology industry continues. On December 9th, the Federal Trade Commission (FTC) and the attorneys general from 46 states, the District of Columbia, and Guam, filed separate complaints against Facebook in federal court, alleging anticompetitive conduct. Facebook allegedly engaged in various conduct to maintain its monopoly, including the anticompetitive acquisitions of Instagram and WhatsApp.

The FTC and State AGs complaints allege that Facebook acquired Instagram in 2012 for $1B and WhatsApp in 2014 for $19B in the hopes of cutting off any potential threat these companies posed. In announcing the suit, the FTC stated "Facebook targeted potential competitive threats to its dominance. Instagram, a rapidly growing startup, emerged at a critical time in personal social networking competition, when users of personal social networking services were migrating from desktop computers to smartphones, and when consumers were increasingly embracing photo-sharing." In the same year that Instagram was acquired, Facebook realized that WhatsApp had emerged as the clear global leader in mobile messaging. By acquiring WhatsApp two years later, Facebook was able to neutralize the threat that WhatsApp presented and make it more difficult for a future threat to gain scale in mobile messaging.

In addition to the acquisitions of Instagram and WhatsApp, the complaints allege Facebook imposed anticompetitive conditions on third-party software developers' access to Facebook's APIs. The FTC has requested that the lawsuits be consolidated. Both the FTC and the State AGs are requesting that the company be broken up, if necessary.

Alibaba faces antitrust scrutiny in China

China has launched an antitrust investigation into Alibaba. The investigation follows complaints from competitors, JD and Pinduoduo, and allegations of monopolistic practice by the Chinese regulator, in particular alleging that Alibaba compels merchants to sell exclusively on its platform, a practice known as "choosing one of two" in China.

The investigation is part of intensifying regulatory scrutiny by the Chinese state against online platform businesses. It follows the release, in November 2020, of draft Guidelines for Anti-monopoly in the Platform Economy by China's State Administration for Market Regulation.

The Ant Group, including Alibaba and its sister companies, has been the focus of a number of regulatory enforcement measures in recent months, including the high-profile suspension of Ant's planned IPO in November 2020, which was forecasted to break the record as the largest IPO in the world.

China publishes lists and procedural rules in respect of the import and export of commercial encryption

On 26 November 2020, the Chinese Ministry of Commerce, the State Cryptography Administration and the General Administration of Customs jointly issued the import licensing list and the export control list of commercial cryptography and relevant regulatory measures, which took effect on 1 January 2021. For importing or exporting commercial cryptography products on the licensing list, relevant business operators shall apply to the local counterpart of MOFCOM for an Import and Export License for Dual-purpose Items and Technologies.

Australian competition authority brings proceedings against Facebook

The Australian Competition & Consumer Commissions (ACCC) has brought proceedings in the Federal Court against Facebook alleging "false, misleading or deceptive conduct" by Facebook when promoting Facebook's Onavo Protect mobile app. The ACCC alleges that

"Between 1 February 2016 to October 2017, Facebook and its subsidiaries Facebook Israel Ltd and Onavo, Inc. misled Australian consumers by representing that the Onavo Protect app would keep users’ personal activity data private, protected and secret, and that the data would not be used for any purpose other than providing Onavo Protect’s products.

In fact, the ACCC alleges, Onavo Protect collected, aggregated and used significant amounts of users’ personal activity data for Facebook’s commercial benefit. This included details about Onavo Protect users’ internet and app activity, such as records of every app they accessed and the number of seconds each day they spent using those apps."

European Commission publishes long-awaited and far-reaching legislative proposals to regulate digital platforms and online intermediaries

The European Commission has announced far-reaching proposals for regulation of digital platforms and online intermediaries. The Digital Markets Act (DMA) will impose on digital platforms that are designated as “gatekeepers” a long list of obligations and prohibitions in particular to ensure they refrain from practices that are considered to limit competition or to otherwise be unfair. In contrast, the Digital Services Act (DSA) focuses on regulating the way that providers of online intermediary services interact with their customers and users, and their obligations in respect of illegal content, in order to create “uniform rules for a safe predictable and trusted online environment”.

In combination, the two pieces of proposed legislation will create Europe’s most dramatic and interventionist sector-specific regulatory regime in decades, and would require significant changes to the business practices of digital players such as Apple, Facebook and Google, but also potentially smaller competitors.

The Commission's proposals must now be adopted by the co-legislators: the European Parliament and Council of the EU. It is therefore likely to be around two years and possibly longer before the proposals result in binding obligations. They are unlikely, in our view, to be significantly watered down during the legislative process and may even go further than proposed by the Commission.

On Thursday, 14 January 2021 at 15.00 CET, Clifford Chance is hosting a webinar entitled: 'New EU Digital Services Act and Digital Markets Act: the Commission's proposals and what they could mean for you' as part of our European Perspectives | Tech Series. You can register for the event here.

For in-depth analysis of the proposals, see Clifford Chance's briefing "The EU's proposals for far-reaching regulation of the digital sector".

European Data Protection Board (EDPB) adopts its 2021-23 strategy and issues statement on the end of the Brexit transition period

The EDPB is composed of representatives of European national data protection authorities, and is tasked with ensuring the consistent application of data protection rules throughout the EU and promoting cooperation between national authorities.

At a meeting on 15 December 2020 the EDPB agreed its Strategy for 2021-2023. The four pillars are:

• advancing harmonisation and facilitating compliance;
• supporting effective enforcement and efficient cooperation between national supervisory authorities;
• a fundamental rights approach to new technologies and;
• the global dimension.

The Strategy will be implemented through a work programme of actions building on each of the four pillars. The work programme is due to be adopted in early 2021.

The EDPB also adopted a Statement on the end of the Brexit transition period which recalled that, "any exchange of personal data between EEA stakeholders and UK entities will constitute a transfer of personal data to a third country and therefore will be subject to the provisions of Chapter V GDPR. In the absence of an adequacy decision applicable to the UK as per Article 45 GDPR, such transfer will require appropriate safeguards as well as enforceable data subject rights and effective legal remedies for data subjects, in accordance with Article 46 GDPR." The statement also recalls that, following 1 January 2021, the UK Information Commissioner's Office (ICO) will no longer be part of the GDPR "One-Stop Shop" (OSS) mechanism.

It should be noted, however, that the EDPB's statement pre-dates the EU-UK Trade and Cooperation Agreement. The Agreement also contains an "Interim provision" consisting of a "specified period" of four-months, extendable to six months, during which transfers of data from the EU to the UK can continue as long as the UK maintains its current rules.

The UK government has already confirmed that it will permit transfers to the EEA and also that it will recognise the existing adequacy decisions taken by the EU in respect of other third-countries. As a result, data transfers from the UK to the EEA and other non-EEA countries with adequacy decisions will be largely unaffected.

For more information about the EU-UK Trade and Cooperation Agreement, see Clifford Chance's briefing on the deal, "Relieved? UK and EU agree post-Brexit deal".

European Commission announces new Cybersecurity Strategy

On 16 December 2020, the European Commission, alongside the High Representative of the Union for Foreign Affairs and Security Policy, Josep Borrell, presented a new EU Cybersecurity Strategy. According to the accompanying press release, the new strategy will "bolster Europe's collective resilience against cyber threats" and will allow the EU "to step up leadership on international norms and standards in cyberspace".

In UAE, Abu Dhabi and Israel have continued to strengthen cooperation in the digital sector. Representatives from both countries met at an event hosted by Google in December 2020. The cooperation between the two countries follows from the historic Abraham Accords, in which Israel and UAE agreed to normalise diplomatic relations. Tech policy has been a key area of cooperation following the Accords, representing a significant strategic objective for both countries.