Skip to main content

Clifford Chance

Clifford Chance
Tech<br />

Tech

Talking Tech

Tech Policy Horizon Scanner

March 2022

Data Privacy Cyber Security 8 April 2022

Introduction

Following the Russian invasion in Ukraine, spurred by pressure from the public and world leaders, social media companies are scrambling to respond to misinformation that is rife on digital platforms.

Unsurprisingly, taking on Big Tech and tackling the complex issues these platforms have created have been on the agenda of regulators for a while. For instance, the UK introduced its new Online Safety Bill in parliament this month that imposes a duty of care on social media platforms to regulate their own content. The Irish regulator has fined Meta €17 million and France has enacted new laws on parental control and cybersecurity scoring.

China has issued its consultation drafts to protect the privacy of consumers and minors, imposing deeper compliance frameworks for social media platforms.

There has also been a push for greater international cooperation to the responsible use of cyber technologies, with India and Australia affirming their commitment to adopt a principles based approach in regulating such technologies.

Different states in the US have started pushing their own privacy laws, with the Securities and Exchange Commission proposing new regulations for Investment firms dealing with cryptocurrency. In this regard, the President has also issued an executive order for responsible digital assets management.

South Africa has also referred social media giant Meta to a tribunal for alleged antitrust violations. Ghana has issued a designed paper for a Ghanaian digital currency, while regulators from a number of countries have also signed a Memorandum of Understanding to address digital markets challenges.

Finally Dubai has sought to establish a new law to regulate virtual assets.

APAC

New consultation drafts issued by the Cyberspace Administration of China (CAC) on privacy and the protection of minors

In late January and early March, the CAC issued consultation drafts to provide specific regulatory guidance on deep synthesis technology and pop-up windows, demonstrating their determination to enhance protection for the legitimate interests of consumers. Namely, this relates to the misuse of biological information (such facial image and voice) in the sector of deep synthesis technology and unconsented advertising by way of pop-up windows. This is in response to a large number of consumer complaints and the drafts will surely help guide the relevant business operators in upgrading their privacy compliance frameworks.

Protection of minors is also prioritised by CAC. CAC issued the second consultation draft of the Administrative Regulations on Cybersecurity Protection of Minors on 14 March 2022, which in particular, requires giant platforms having significant minor users and/or having significant impact on minors to inter alia, (a) carry out cybersecurity impact assessment for minor group; (b) offer "minor mode" for products and services; (c) establish external overseeing mechanism on the impact for minors and (d) issue a social responsibility report specific to cybersecurity afforded to minors. Giant internet gaming companies as well as social media platforms should be prepared for these changes in their compliance frameworks.

Australia and India reaffirm their commitment to create an open, secure, free and accessible cyberspace through deeper bilateral cooperation

On 12 February 2022, India and Australia committed to deepen their ties in promoting the use of cyberspace and cyber-enabled technologies through the Australia- India Framework Arrangement on Cyber and Cyber-Enabled Critical Technology Cooperation. In particular, the countries condemn the use of these technologies to undermine international peace and stability, reiterating the importance of cyber technologies in fostering sustainable development and inclusive economic growth. The growth of cyberspace should be informed by shared democratic values a respect for human rights.

The countries also recognise the importance of working collaboratively with international partners, managing their supply chains using trusted partners and ensuring that diversity, gender equality and women's empowerment inform the design, development and use of cyberspace technologies.

Europe

European Commission unveils a new Data Act

On 23 February 2022, the European Commission published a much-anticipated proposal for a Regulation on harmonised rules on fair access to and use of data with the objective of fostering data (re)use. 

The Data Act is intended to: (i) give IoT device users more control over the data they generate and its use; (ii) enable use of privately held data by public sector bodies in cases of "exceptional" data need; (iii) improve switching between cloud and edge services; (iv) restrict access by non-EU / non-EEA governments to data held in the EU by providers of cloud and edge services; and (v) remove barriers to data sharing by developing interoperability standards for data reuse.

The rules set out in the proposal would be directly applicable to all sectors and across the EU as minimum standards, though planned revisions of sectoral regulations (e.g., in the health, energy, finance, and automotive sectors) may go beyond these rules.

The draft Data Act must now be approved by the European Parliament and Council under the ordinary legislative procedure.  For more information, please see our dedicated client briefing: "The Data Act: a proposed new framework for data access and porting within the EU".

France enacts new laws on parental control and online platform cybersecurity scoring

A new law on parental control over access to the Internet requires device manufacturers to give parents the option to control their children's internet access.  It was published in the French Official Journal on 3 March 2022 but will only apply after the required standstill period set by the notification procedure to the European Commission.  The end of the standstill period is 23 May 2022.

A new law on online platform cybersecurity scoring provides for audit and transparency obligations relating to cybersecurity.  It was enacted on 4 March and will enter into force on 1 October 2023.  The law applies to large-scale online platforms and messaging and videoconferencing service providers exceeding specific activity thresholds (to be set by a separate decree).  Targeted online platforms will be required to carry out a cybersecurity audit, the results of which would be disclosed to consumers in the form of a Cyber Score that reflects the level of security of the platform or service and the location of the hosted data.

Irish Data Protection Commission (DPC) has fined Meta €17 million

The DPC has fined Meta €17 million over a series of 12 data breaches from June to December 2018 in violation of Articles 5(2) and 24(1) of the GDPR. Primarily, this relates to the failure to implement appropriate technical and organisational measures to protect EU users' personal data. This case is the first-of-its-kind in terms of using the formal cooperation mechanism between European regulators, with DPC taking the lead. Meta has responded in an email statement that the fine related to its record keeping practices and not a failure to protect people's data.

UK's Online Safety Bill introduced in parliament

Five years after it was proposed, the Online Safety Bill was introduced in Parliament on 17 March 2022 and lawmakers will scrutinise its proposed tough duties and penalties for tech companies. Broadly speaking, the proposed legislation seeks to hold technology companies to account by ensuring that children are protected from harmful content while limiting people's exposure to illegal content. The bill also seeks to hold executives and senior managers to account should they fail to comply with the provisions of the new legislation, for instance, in failing to attend interviews with the UK's Office of Communications (OFCOM).

Americas

New US Executive Order lays the groundwork for an international standard for digital asset regulation.

US President, Joe Biden, sets forth his ambitious aim of making the US more virtual-asset friendly by unifying his country's regulatory approach to all things crypto.

The Executive Order on Ensuring Responsible Development of Digital Assets (the "Executive Order") examines a broad remit of issues relating to digital assets, namely cryptocurrencies. Ranging from promoting responsible financial innovation to protecting US consumers, investors and businesses, the Executive Order requires a synergy from several executive branch departments and agencies to form a more cohesive approach to digital assets regulation by requiring departments of Justice, Treasury, State, Defences and others to submit reports and regulatory proposals. The Executive Order should, in theory, be the start of a long and sustained series of regulatory change – but with this being such a new frontier, we will have to wait and see whether this will be effective or simply be a token gesture.

The key policy priorities are geared towards protecting US consumers, investors and businesses. The Executive Order notes that an unregulated digital asset space will increase the risk of theft, fraud, illicit financial activity and other statutory and regulatory violations which also bring with it the potential of negatively impacting US financial stability and so therefore, a national approach to this space is required.

The US also has bold plans to be the leader in the virtual asset space on a global stage. The Executive Order emphasises the importance of an outward looking regulatory cooperation for digital assets; this is enacted by ensuring that upcoming policy changes partner and are informed by international forums such as the G7, the G20, the Financial Action Task Force and the Financial Stability Board; but with Dubai entering the digital asset regulation fray with their newly issued VARA on the same day; the US might have some stiff competition in this exciting space.

SEC Proposes New Cybersecurity Regulations for Registered Investment Advisors and Funds

On 9 February 2022, the Securities and Exchange Commission voted to adopt rules and amendments that would prevent firms from hiding incidents from clients where their cybersecurity has been breached.

The rules are drastic and the first of their kind as they would require advisers to report significant cybersecurity incidents to the SEC directly. Advisors would also be required to report incidents of their clients that are registered investment companies, registered business development companies, or private funds. The proposed rules would require advisors to report "significant" cybersecurity incidents within 48 hours of having a reasonable basis to conclude that an incident was occurring. This is defined as incidents that significantly disrupt or degrade a firm's ability to maintain critical operation or lead to the unauthorised access or use of firm information, which results in (1) substantial harm to the firm, or (2) substantial harm to a client or investor whose information was accessed.  

Under the proposed rules, disclosure is required to the client of significant cybersecurity incidents that have occurred within the past two years which could lead to quite the scrambling from firms to meet these potential requirements. They are also required to disclose cybersecurity risks that "could materially affect the advisory relationship". The disclosure obligation would be ongoing with advisers required to provide interim updates to existing clients. Advisors would be required to provide brochure amendments and registered funds would be required to amend their prospectus by filing a supplement as well as include information in their annual reports; so these proposed rules are by no means trivial.

Although these regulations are only proposals and are likely to be subject to significant comment, advisers and registered funds should consider adopting steps that are designed to ensure future compliance. This will provide a head start to future compliance and help protect IT infrastructure and sensitive data.

States Push to Pass Comprehensive Privacy Laws

As efforts to pass a federal privacy law continue to flounder, states have continued to push forward their own comprehensive privacy laws. The first quarter of 2022 has seen a flurry of activity, with as many as 18 states actively considering privacy bills.  The drafts are similar but not identical.  Most drafts include data subject access rights, notice and transparency requirements, and limitations on sales and transfers of data to third parties.  But they vary in details, such as the scope of application and whether they provide a private right of action.  These variations are sure to cause headaches for employees tasked with compliance, as the US privacy law patchwork becomes ever more complex.

This month Utah appears poised to be the first state to reach the privacy law finish line in 2022.  The state's legislature passed the bill on March 15, sending it to the governor who is expected to sign the law in the next few days.  As an example of the mentioned variations, the state has the narrowest scope that the United States has seen so far—the law only applies to controllers that have an annual revenue of USD 25 million or more and that process or control the personal data of 100,000 or more Utah citizens or derive more than 50% of its gross revenue from processing the personal data of 25,000 or more Utah consumers.  Compare this to California, which has over ten times as many residents and whose law applies to companies that either have annual revenue of USD 25 million, process personal data of 50,000 or more California residents, or receive over half their revenue from the sale of personal data. 

Look for our briefing on the law in the next few days once the governor signs the bill.  

New bill introduced to regulate the activity on social media platforms

On the 22nd February 2022, the Senate proposed a bill known as the  Kids Online Safety Act (KOSA) that seeks to protect children and young people from online harms.

Notably, social media platforms will have a duty of care to prevent the promotion of harmful behaviour of minors. It also gives parents and users under 16 the right to opt out of recommendation systems, prevent third parties from viewing a minor's data and controlling the time spent on such platforms. There are also auditing and reporting requirements on tech platforms to control the risks of harm to minors. In particular, the bill seeks to open up black box algorithms for academic researchers and non-profit organisations with access to critical datasets involving harms to the safety and well-being of minors.

Africa

South Africa looks to fine Meta

South Africa's Competition Commission has referred Facebook and WhatsApp owner Meta Platforms to a tribunal for allegedly abusing its dominant position in the market. Meta restricted GovChat, a start-up that connects government and citizens, and its subsidiary #LetsTalk’s access to data on its WhatsApp Business Application Programming Interface. The tribunal looked to penalize Meta by 10% of its South African revenue.

In a statement, the regulator accused Meta of "abusing its dominance by engaging in exclusionary conduct geared at preventing competitors or potential competitors from entering into, participating, and expanding in a market". It also said the company had "imposed and/or selectively enforced exclusionary terms and conditions regulating access to the WhatsApp Business API, mainly restrictions on the use of data". Meta has reportedly denied the charges, citing its reason for restricting access as the failure by GovChat to comply with its terms of service.

The referral for prosecution comes just days after competition regulators from five African countries, including South Africa, signed a memorandum of understanding aimed at working together to prevent barriers to the emergence and expansion of African digital platforms (see next story).

South Africa's case against Facebook joins Meta's growing list of accusations for anti-competitive behaviour in different parts of the world, including in the US where Meta's VR product Oculus is being scrutinised and the EU, where a deal on Meta and Google's advertising practices is under investigation.

Co-operation on competition in digital markets

Regulators from Kenya, South Africa, Nigeria, Mauritius and Egypt signed a memorandum of understanding in Johannesburg on 18 February 2022 to work together under the Africa Heads of Competition Dialogue to address emerging digital markets challenges and provide a streamlined response. This signals a more concerted effort to enforce competition laws.

The regulators have agreed to collaboratively assess the conduct in their digital markets, share information and knowledge and collectively research the obstacles to emergence and expansion of African digital platforms to enhance competition and inclusion in the digital markets.

Central Bank of Ghana issues Digital Cedi Design Paper

The Central Bank of Ghana issued a Design Paper for the Digital Cedi (eCedi), the Ghanaian digital currency.  The concept is similar to cash payment transactions, where payment is done by transferring banknotes and/or coins from person A to person B.

According to the Design Paper, the eCedi will be under the control of the Central Bank and made available via banks and payment providers. It will be stored on two types of wallets, namely hosted wallets (managed by financial institutions) and hardware wallets (secure portable storage devices held by individuals). Hosted wallets require access to the internet while hardware wallets work in offline mode.

Some key financial sector stakeholders are concerned of signals in the Design Paper that the Central Bank is seeking to restore the dwindling influence of banks in financial transactions intermediation, currently dominated by mobile money.

This initiative by the Central Bank is consistent with the position of other central banks across the continent, such as in South Africa and Rwanda, who are encouraging the switch to cashless economies.

Middle East

Dubai aims to become a global hub for virtual assets following the creation of the Dubai Virtual Assets Regulatory Authority (VARA).

Dubai's new Virtual Assets Regulatory Authority (VARA) has been established to regulate, supervise and control virtual asset services and enforce the newly introduced Dubai Virtual Asset Regulation Law.

VARA, and by extension the new Virtual Assets Regulation Law aims to spur major growth in virtual assets sector within Dubai and make it a hub for potential industry service providers to grow in a regulatory landscape that fit their needs. VARA's remit will be mainly authorising virtual asset service providers as well as a wider organisational role in the trading of virtual assets and tokens. There will also be a major thrust aimed at ensuring personal data protection and monitoring larger transactions to ensure regulatory compliance. With the backing of the Central Bank of the UAE, the implications of these new changes will be to protect investors and create international standards to govern this under-regulated industry making Dubai an attractive proposition for key players in this space.

Finally, we hosted a digital ethics seminar on the 29th March - you can view the recording of  Putting digital ethics back on the agenda webinar for free.