Clifford Chance
Tech Policy Horizon Scanner
November 2021
Introduction
Like you, all we want for Christmas is a tungsten metal cube NFT to keep us warm.
This month, Midwest Tungsten Service, a metal manufacturer based in the US, sold an NFT which represents a 2,000-pound (907 KG) tungsten cube for around USD 250,000. Once every year, the lucky owner has the right to visit and touch the cube. Beats putting it under the Christmas tree, and better for storage, so numerous upsides.
But NFTs aren't all cuddly tungsten metal cubes. They also have a darker side. The US Treasury Department's Office of Foreign Assets Control (OFAC) recently announced new sanctions against cryptocurrency exchange and addresses. These include an address that control NFTs that were still for sale.
In Europe, the EU Commission published its annual Work Programme. Several European countries and the US have reached a compromise on digital services taxes (DST). The Europeans agreed to withdraw the DSTs, which were seen to be primarily targeting American tech giants, in return for the US terminating retaliatory tariffs imposed on European exports.
China clarified how exporting data out of China works. Microsoft announced that LinkedIn will leave the country due to increasing compliance requirements. TSMC, the largest contract chipmaker in the world, announced plans to build a chipmaking factory in Japan.
Botswana's Data Protection Act came into force. We produced a briefing on data protection developments in the Middle East.
The UK's data protection consultation closed on 19 November. The proposed reforms, according EU's data flows chief, may impact the UK's data adequacy status with the EU. All this and more below.
Africa
Botswana's data protection law came into effect
On 15 October 2021, Botswana's Data Protection Act 2018 (DPA) came into force following the passing of the Data Protection Act (Commencement Date) Order 2021. This is the first piece of legislation in Botswana focused solely on the protection of personal data, and as such establishes the requirements for data processing within the country.
Under the DPA, personal data is defined broadly, and the territorial scope applies both to individuals that collect and process data within Botswana, as well as those that process locally collected data abroad. Whilst there are carve outs for national security, the DPA provides higher protection for 'sensitive' data.
The DPA is enforced by monetary fines and prison sentences, although it should be noted that the maximum fines of tens of thousands of dollars would be insignificant for an international corporation.
APAC
China promotes fintech and intensifies crackdown on cryptocurrency
The PRC government is actively encouraging the development of fintech – the People’s Bank of China (PBOC) and Hong Kong Monetary Authority announced that they have signed a memorandum to cooperate on fintech sandbox trials in the Greater Bay Area. Meanwhile, PBOC, together with four other Mainland authorities, encouraged financial institutions to work on the development and standardisation of open-source technology in the financial sector and said that governmental authorities will also promote the application of open-source technology.
Meanwhile, the government continues the crackdown on cryptocurrency. The Circular on Furthering Preventing and Handling the Speculative Risk related to Cryptocurrency Transactions (2021) sets out additional bans on financial institutions, payment institutions and internet platforms providing crypto-trading related services, and provides that the employees of non-PRC cryptocurrency exchanges located in the PRC, and the legal persons, non-legal persons and individuals providing marketing, payment, settlement and technical support to such exchanges, who know or should have known that such exchanges operate cryptocurrency business activities, shall be held liable in accordance with the laws and regulations.
China's data export rules
Data processors in China now have more clarity on the country's data export rules. The Cyberspace Administration of China released the Security Assessment Measures for Data Export (Consultation Draft) (the Draft Measures) on 29 October 2021, seeking public comments until 28 November 2021. The Draft Measures clarified the indicative threshold that might trigger security assessments for data export, the procedure for such security assessments and provided guidance on the terms and conditions to be covered by the PRC version of “data transfer contract” for use in data export. Market participants should watch out for relevant regulatory developments.
LinkedIn leaves China
On 14 October, Microsoft announced that it is going to "sunset" the current local version of LinkedIn used in China later this year, citing "significantly more challenging operating environment and greater compliance requirements" in China. Microsoft said that it will launch "InJobs" in China, which is a standalone job application portal without the functionality of the social feed or the ability to share posts or articles.
TSMC announces plans to build chip factories in Japan
-Semiconductor chips are one of the most sought-after commodities this year. This month, Taiwan Semiconductor Manufacturing Co. (TSMC), the world's largest contract chip maker, announced plans to build a chipmaking factory in Japan in 2022 and start operations there in 2024. In an unexpected move, TSMC will invest in the factory together with Sony. The Japanese government also announced that there will be a total investment of 1 trillion yen into the project.
Americas
The American Innovation and Choice Online Act introduced in the United States Senate
On October 18, Senators Amy Klobuchar (D-Minnesota) and Chuck Grassley (R-Iowa) introduced the American Innovation and Choice Online Act (S.2992) in the United States Senate. Other co-sponsors are Senators Durbin (D-Illinois), Graham (R-South Carolina), Blumenthal (D-Connecticut), Kennedy (R-Louisiana), Booker (D-New Jersey), Lummis (R-Wyoming), Hirono (D-Hawaii), Warner (D-Virginia), Hawley (R-Missouri), and Daines (R-Montana), signaling it has large bi-partisan support. The bill has been referred to the Senate Judiciary Committee for review.
The bill would make it illegal "for a person operating a covered platform" to: (1) unfairly preference the covered platform operator's own products, services, or lines of business over those of another business user; (2) unfairly limit the ability of another business user's products, services, or lines of business to compete on the covered platform; or (3) discriminate in the application or enforcement of the covered platform’s terms of service among similarly situated business users. A "covered platform" is defined as an online platform that in the previous 12 months has had at least 1) having 50 million U.S.-based monthly active users or 100,000 U.S.-based monthly active business users; 2) having a market capitalization of more than $550 billion at any point in the previous two years; and 3) "is a critical trading partner for sale or provision of any product or services offered on or directly related to the online platform."
Representative Cicilline (D-Rhode Island) introduced a nearly-identical version of the American Choice and Innovation Online Act (H.R. 3816) in the House of Representatives in June 2021. The House version passed out of the House Judiciary Committee on June 24th, 2021.
Facebook Papers
On October 22, seventeen United States news organizations began publishing hundreds of redacted internal Facebook documents that had been made in disclosures to the Securities Exchange Commission and Congress. These revelations came after weeks of public scrutiny following disclosures made by former Facebook employee and whistleblower Frances Haugen. The documents show internal discussions of how the company handled a plethora of situations, including human trafficking, conspiracy theories, and planning efforts that that took place prior to the event at the U.S. Capitol on January 6.
During a quarterly earnings call on October 25, CEO Mark Zuckerberg said, "Good-faith criticism helps us get better, but my view is that we are seeing a coordinated effort to selectively use leaked documents to paint a false picture of our company. The reality is that we have an open culture that encourages discussion and research on our work so we can make progress on many complex issues that are not specific just to us."
These internal disclosures will only fuel the call for legislators to make changes to provide more oversight of social media platforms.
OFAC issues sanctions compliance guidance for cryptocurrency service providers
On October 15, 2021, the US Treasury Department's Office of Foreign Assets Control (OFAC) issued the Sanctions Compliance Guidance for the Virtual Currency Industry (the "Guidance"). The Guidance followed recent enforcement actions against two companies in the virtual currency industry, including one against BitPay, which had allegedly processed transactions on behalf of individuals located in sanctioned jurisdictions.
The Guidance cited OFAC's Framework for OFAC Compliance Commitments (the "Framework") published in May 2019, and restated the five core elements of an effective risk-based sanctions compliance programme (SCP): (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training. OFAC encourages cryptocurrency service providers to consider a range of factors when implementing the SCP, including the type of business involved, its size and sophistication, products and services offered, customers and counterparties and geographic locations served.
The Guidance also sets out specific recommendations - for example, geolocation and IP blocking to prevent individuals in sanctions jurisdictions from accessing online platforms, robust know-your-customer procedures, and transaction screening controls to identify customers that are OFAC sanctions targets.
In very clear language, OFAC advised the virtual currency industry that it is holding them to the same compliance standards and expectations as the fiat currency industry. This is in line with the Biden Administration's increasing focus on combatting cyber-crimes and on service providers as the gatekeepers to the cryptocurrency ransom payments. There may be more cyber-related OFAC enforcement actions and SDN designations to come. (See our briefing here.)
FinCEN releases report on ransomware trends
On October 15, 2021, the US Treasury Department's Financial Crimes Enforcement Network (FinCEN) issued the Report on Ransomware Trends in Bank Secrecy Act Data (Report). This follows a wave of governmental actions on ransomware, including OFAC's sanctions compliance guidance reported above and earlier guidance for companies facilitating and making ransomware payments in response to a ransomware attack.
The Report found that ransomware attacks are occurring with increasing frequency, with ransomware-related suspicious activity reports (SAR) reporting in the first six months of 2021 up by 30% compared with the same period last year. Companies reported over USD 590 million in payments tied to ransomware attacks during this period, an almost 50% increase compared to all payments reported in 2020.
In addition to the increase in frequency of attacks, the Report also found that attackers have become more sophisticated in evading law enforcement. While Bitcoin was still the primary cryptocurrency used for ransom payments, attackers have increasingly requested payments in anonymity-enhanced cryptocurrencies (AECs). Attackers have also adopted other tactics to cover their tracks, such as avoiding the re-use of wallets and using exchanges in high-risk jurisdictions with low anti-money laundering standards.
While attackers are becoming more sophisticate, so has FinCEN's ability to identify and track unlawful activities related to cryptocurrency. FinCEN's use of blockchain analytics enabled it to identify 10 of the most used of the roughly 70 variants of software used in attacks, along with the unique CVC wallets associated with these malware attacks. FinCEN was also able to identify a number of "money-laundering typologies" that it says signal that a transaction may involve ransomware payments.
Companies that facilitate cryptocurrency transactions, especially those that relate to the money-laundering typologies, must stay vigilant and strengthen their detection and monitoring systems to prevent unlawful transactions and avoid scrutiny or enforcement from US authorities. (See our briefing here.)
Europe
European Commission plans key tech proposals in 2022
The European Commission has set out its Work Programme for 2022. On the technology front, in 2022 the Commission will propose a European chips act, aimed at addressing Europe's dependency on a limited number of non-EU suppliers for semi-conductors, a European cyber resilience act to establish common cybersecurity standards for products, an EU space-based global secure communications system, an action plan for an accelerated digital transformation of the energy sector, a new European Media Freedom Act and an initiative to further promote the ability to make instant payments throughout the EU. (See our briefing here.)
It is also worth noting that some of the proposed initiatives in the 2021 Work Programme have not been implemented yet. In particular, a new Data act aimed at ensuring access to and the use of data, including in business-to-business and business-to-government situations is expected to be published in December 2021.
US reaches agreement with European countries on withdrawal of digital taxes
The US and several European countries have reached a political compromise on a trade dispute relating to digital services taxes (DST). Over the past few years, countries including Austria, France, Italy, Spain and the UK have introduced laws on DST, which apply to social media platforms, search engines and online marketplaces, with the tax levied against the revenue of these businesses that derives from the participation of users within the country.
The US argued that these measures unfairly target American tech giants. In June this year, the Office of the United States Trade Representatives (USTR) announced that it intended to impose an additional tariff of 25% on certain imports from these European countries as retaliation. The tariffs were suspended immediately to allow the then-ongoing OECD negotiations on the taxation of digital services to progress.
On 8 October, the US, Austria, France, Italy, Spain and the UK joined other members of the OECD/G20 Inclusive Framework and reached a political agreement on the Statement on a Two-Pillar Solution to Address the Tax Challenges Arising from the Digitalization of the Economy. As part of Pillar 1, the European countries committed to withdraw their domestic DST. The US then agreed to suspend the proposed tariffs, bringing this long-standing dispute to an end.
UK's data protection consultation
In our September edition, we reported on the UK's consultation on reforms to the data protection regime. The consultation closed on 19 November. The proposed reforms may not bode well for the EU adequacy decision, however. Bruno Gencarelli, the head of EU's data flows warned on 17 November that the proposed data framework could have a "significant, substantive impact" on the UK's data adequacy status with the EU.
Middle East
New $1 billion tech fund
STV, a venture capital firm based in Saudi Arabia and set up by an ex-Google executive, is reportedly looking to raise $1 billion for a second Middle East technology fund. As Middle Eastern governments increasingly diversify away from traditional oil businesses, and new start-ups emerge thanks to hubs like Abu Dhabi's Hub71, the Middle East is becoming a new frontier in tech investments.
In case you missed it…
We have produced a client briefing on changes to the data protection laws in the UAE in the past year. Click here for more details.
Any advice above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers. This publication does not necessarily deal with every important topic or cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice.