Clifford Chance

The Hight Court of Kenya "Huduma Namba Decision'

On the 14 October 2021, the High Court of Kenya declared the Huduma Namba registration cards rollout unlawful on the basis that it breached the Data Protection Act 2019 (DPA). A Huduma Card is a digital multipurpose identity card issued to individuals in Kenya. The card has a person’s data merged and installed in an electronic chip, eliminating the requirement for other identity documents.

The High Court held that a Data Protection Impact Assessment (DPIA) should have been carried out by the Government prior to the collection and processing activities in accordance with Article 31 of the DPA. It ordered the Government to stop any further processing of Huduma Namba data and to stop issuing Huduma cards until it completes a DPIA and creates new safeguards to protect the personal data of Kenyans.

The Government has issued a press statement announcing that it will move to the Court of Appeal to challenge the High Court’s decision. 

Crackdown on Data Privacy Abuse in Nigeria

The National Information Technology Development Agency (NITDA), Nigeria's de facto technology regulator, and the Federal Competition and Consumer Protection Council, Nigeria's consumer and antitrust watchdog, are clamping down on data privacy breaches by money lending operators.

Loan app operators' debt recovery strategy often includes sending text messages to the close contacts of their loan defaulters with the intention of shaming the defaulters by tagging them with such terms as "criminal", "fraudsters" and "terrible debtor". In some cases, full names, phone numbers and pictures of the alleged loan defaulters are shared with their contacts including family, friends, work colleagues and religious leaders.  

NITDA described this kind of debt recovery strategy adopted by some of these loan operators as a data-sharing breach under Nigeria Data Protection Regulation 2019. In response to this activity, the NITDA recently imposed a sanction of N10 million on an online lending platform, Soko Lending Company Limited (Sokoloan) for data privacy invasion. This decision may deter other loan app operators from adopting such practices. 

G7 compendium on competition regulatory efforts in the digital sector

On November 29, the G7 published a compendium detailing how competition authorities around the world have responded to issues of market power in the digital sector. The compendium is written for national governments, policy makers, and industry participants as well as other competition authorities and regulators. The compendium describes the effort as "the first time in the history of competition law and policy that so many competition authorities, and in many cases governments, have prioritised examination and investigation of the same markets and the same or similar conduct." The particular focus on the digital sector was motivated by unique problems the sector poses for competition enforcement, along with certain features of digital markets, including network effects, multi-sided markets, and issues related to data, that make market power more probable and especially problematic. The compendium highlighted the high level of commonality in the approaches that authorities have been taking to address competition concerns; in addition to investigations, studies, and enforcement actions, common actions include advocacy for legislative reform, strengthening of institutional capabilities through technical expertise, and regulatory cooperation among domestic and foreign regulators.

Nomination of Alvaro Bedoya to the Federal Trade Commission

On December 1, the Commerce Committee of the U.S. Senate held a hearing and voted on whether to advance the confirmation of Alvaro Bedoya for a commissioner seat at the Federal Trade Commission (FTC), following his nomination by President Biden in September. The committee deadlocked 14-14 on the vote, permitting the nomination to advance for consideration by the full Senate at a future date. President Biden nominated Bedoya to fill the seat vacated by Rohit Chopra, who now leads the Consumer Financial Protection Board. Bedoya, a professor at the Georgetown University Law Center, founded the school's Center on Privacy & Technology in 2014; previously, Bedoya served as chief counsel to the Senate Judiciary Subcommittee on Privacy, Technology and the Law. Bedoya has criticized the use of facial recognition and other surveillance technologies, and his research contributed to Senate oversight hearings on mobile location tracking and biometric privacy. The nomination signals the administration's focus on privacy, especially in conjunction with a proposed congressional budget of over $1 billion over 10 years to establish and run a new privacy bureau at the FTC.

China's data protection regulations

In our September edition, we reported on the Personal Information Protection Law (PIPL), the milestone data protection legislation in China. In November 2021, the PRC regulator issued the Administrative Regulation on Internet Data Security (Consultation Draft) (the “Draft Regulations”), which clarified some practical matters for data processors. For example, the Draft Regulations provide indicative thresholds for reportable breaches and the relevant reporting requirements. The data processor shall notify the relevant stakeholders of relevant data breaches within 3 working days unless exempted by laws and regulations. Data breaches affecting 100,000 individuals or more shall be reported to competent authorities within 8 hours of occurrence, followed by an investigation assessment report within 5 working days once resolved. The Draft Regulations also impose enhanced regulatory obligations for data processors which process personal information of over one million people. Additional data export security assessment process and certain regulatory requirements relating to important data will apply to these processors.

At the municipal level, Shanghai issued its regional data regulations which will take effect on 1 January 2022. Among others, the Shanghai government emphasises its determination to establish a data element market and explore the possibility to establish a data asset assessment mechanism and create proper legal warrant to reflect the title to data assets. This echoes the establishment of the Shanghai Data Exchange this November, and it would be advisable to look into further how these regulatory developments evolve.

Australia strengthens technology partnership with India

To strengthen its technology partnership with India, Australia plans to establish a new Consulate-General in Bengaluru and a Centre of Excellence for Critical and Emerging Technology Policy which is also to be based in India. The new Consulate-General will support Australian businesses in the world's fourth-largest technology cluster and focus on deepening ties with India's innovators. The Centre of Excellence is one of the flagship initiatives for Australia's new Action plan for Critical Technologies, and will provide a practical platform for Australia and India to work together on technology governance.  

New platform regulation starts to take shape

Less than a year after the European Commission proposed the new Digital Markets Act (DMA) to regulate online platforms, the positions of the European Parliament and Council are taking shape, paving the way for three-way interinstitutional negotiations to begin in early 2022.

On 23 November, the European Parliament's Internal Market Committee amended the Commission's proposal to ensure the DMA will apply to companies offering core platform services with annual turnover in the European Economic Area (EEA) of at least €8 billion (up from €6.5 billion) or a market capitalisation of at least €80billion (up from €65 billion). Parliament added three core platform services to the list: (i) web browsers, (ii) virtual assistants, and (iii) connected TVs. Parliament also placed strict conditions on the use of data for targeted advertising, and imposed a ban on the processing of children's personal data for commercial purposes, such as “direct marketing, profiling and behaviourally targeted advertising."

On 25 November, the Council agreed its position on the DMA, introducing a new obligation to enhance the right of end users to unsubscribe from core platform services and confirming the European Commission as the sole enforcer of the DMA.

A comparison of the three texts: European Commission proposal, European Parliament amendments, Council amendments is available upon request. Please get in touch with your Clifford Chance contact to obtain a copy.

Google loses EU Court appeal over Shopping fine

On 10 November 2021, the General Court of the European Union upheld the 2017 finding of the European Commission that Google abused its dominant position by favouring its own shopping comparison service in its general search results. The Court also upheld the fine of €2.42 billion imposed on Google.

Google has two months and ten days from the date of the notification of the judgment to decide whether to appeal. Its obligation to implement the remedy of the 2017 Decision was not suspended, and Google claims to have implemented this remedy already. However, its implementation faces heavy criticism from rival comparison shopping services and could trigger separate enforcement action by the Commission. The Google Shopping judgment could lift the suspension of various damages actions brought in national courts by rival comparison shopping services against Google, which had been put on hold pending the outcome of the appeal.

For a more in-depth analysis of the judgment and its broader implications, please see our client briefing.

New UK bill on the security of smart digital devices

On 24 November, the UK government introduced the Product Security and Telecommunications Infrastructure Bill (PSTI Bill) in parliament. The PSTI Bill aims to protect consumer connectable products (such as smart phones, TVs, speakers, and toys) from cyber attacks. The Bill contains provisions that will prevent the sale of consumer connectable products in the UK that do not meet baseline security requirements. The Bill will also allow the government to ban universal default passwords, force firms to be transparent to customers about what they are doing to fix security flaws in connectable products, and create a better public reporting system for vulnerabilities found in those products.

UK's cross-government standard for algorithmic transparency

On 29 November, the UK Cabinet Office's Central Digital and Data Office (CDDO) has published a cross-government standard for algorithmic transparency. This move makes the UK one of the first countries in the world to make progress on developing a national algorithmic transparency standard. The CDDO was established in January 2021 as the new strategic centre for Digital, Data and Technology for the government. The standard is made up of an algorithmic transparency data standard and an algorithmic transparency template and guidance that helps public sector organisations provide information to the data standard. Several public sector organisations will trial the standard in the coming months, and provide user feedback to CDDO. CDDO is also seeking further feedback from stakeholders outside of government. Following the pilot, CDDO will iterate the standard based on feedback gathered and seek formal approval from the Data Standards Authority in 2022.

Dubai World Trade Centre Free Zone to set up a special hub for cryptoassets and blockchain

The Dubai World Trade Centre (DWTC) Free Zone and digital assets exchange, CoinMENA, have concluded an agreement to develop a special "crypto asset and block chain hub" in DWTC. The hub will, according to DWTC, accelerate its role as an incubator for companies that rely on blockchain. CoinMENA's UAE headquarters would also relocate to the DWTC.