Clifford Chance

Talking Tech

Tech Policy Unit Horizon Scanner

April 2022

Fintech Data Privacy Crypto 2 May 2022

It comes as no surprise that Elon Musk's bid for Twitter has ruffled a few feathers. Besides the board's initial response of putting a 'poison pill' in place, this has sparked wider discussions on the future of free speech. In particular, this has reenergised debates on how best to regulate social media, given the prominent role it plays in functioning democracies and the platform it provides to various groups.

In this regard, Europe has led the way with the Digital Markets Act and Digital Services Act, which place obligations on Big Tech to change their data processing practices. European regulators have also expressed their concerns over using 'legitimate interests' as grounds for legality for data processing.

In the US, the President has signed the cyber incident reporting framework, which places obligations on entities to provide reporting on data incidents. The EU and US have also reached a political agreement on data transfers. Finally, the Department of Labor has also issued warnings against including crypto assets in retirement plans.

In Africa, new laws have been introduced in Kenya and Ghana relating to the regulation of digital lenders and electronic transactions.    

In China, incentives have been issued by Shenzhen to promote Fintech innovation and Vietnam has signed a national strategy for digital economy and society development.

In the Middle East, Dubai has led the way with regulation to both promote digital services as well as to ensure that consumers are protected in the process. 

China

Incentives issued by Shenzhen to promote Fintech innovation

On 7 April 2022, China’s tech hub Shenzhen issued several incentive measures to promote fintech innovation. Among others, fintech infrastructure and equity investment enterprises focusing on the fintech sector domiciled in Shenzhen could be eligible for cash rewards, preferential treatment in office rental and other subsidies. If a fintech enterprise would like to raise money by way of bond issuance as well as asset-backed securitisation, the Shenzhen government will support its financing demands. In terms of technology, the Shenzhen government has demonstrated its determination to promote the development of central bank digital currency ("CBDC", also known as Digital Currency Electronic Payment (DC/EP)). The Shenzhen government promises to issue measures to encourage key CBDC infrastructure to be domiciled in Shenzhen. Smart contracts to be applied to CBDC, as well as cross-border trade finance platforms using CBDC, are also on the list of key areas the Shenzhen government is looking to explore and foster.

APAC (excluding China)

Vietnam signs national strategy for digital economy and society development

The strategy seeks to accelerate the development of the digital economy in Vietnam and identifies key stakeholders that will play important roles, notably institutions, human resources and businesses. The Ministry of Information and Communications will be taking responsibility for this, directing aid to the relevant stakeholders in implementing the strategy and updating the Prime Minister with reports on their performance. This strategy is in line with its announcement to support local businesses with tech innovation.

Europe

Draft text of Digital Markets Act (DMA) requires Tech Giants to change data-consent practices

Following the political agreement struck between EU governments and lawmakers on the DMA, the legislation seeks to set out a list of obligations on digital gatekeepers for a range of topics, including data access, advertising, self-preferencing and consent.

Nonetheless, one key aspect of the draft DMA is for Tech Giants such as Google, Apple and Meta to have to make it as easy for users to withdraw consent to use personal data for targeted ads as to give it. This is in line with the stance taken by several European regulators such as France's CNIL in relation to the use of "cookie banners", where Google and Meta were fined 210 million euros for bad practice recently.

The draft DMA also places particular focus on the use of dark patterns, pushing back on these tricks used in apps or websites that are employed to gain the consent of users to get them to agree on behavioural advertising.

Digital Services Act (DSA) agreed upon by EU bodies

Officials from various EU bodies have reached a political agreement on how Big Tech is to be regulated under the DSA, cracking down on harmful content such as child sexual abuse images, terrorist content and dangerous products. In doing so, the provisional legislation covers a broad range of areas such as content moderation, advertising, interface design and also data access.

Search engines will be treated on a case-by-case basis and provisions for small and medium companies have been made to ensure that they are not unfairly prejudiced by the new regulations.

Online platforms will also now face transparency obligations of ensuring that the use of algorithms is explained to users. Releasing biannual reports of how these companies have sought to moderate content will be required, and European regulatory bodies will be empowered to request these internet players to remove content.

Finally, the DSA also makes provisions for fines of up to 6% of global revenue for violation of these rules. European officials are hoping both the DMA and DSA can be approved in Parliament in July this year.

European Parliament approves the Data Governance Act

The proposed legislation seeks to improve data sharing for companies in the EU, allowing businesses to benefit from a lower cost of data and lower market entry barriers. The tools to achieve this would range from technical solutions such as anonymisation and pooling of data to legally binding agreements. 

European data spaces to use data collected in public sector areas such as health, environment and finance will be created. New rules for data marketplaces including online platforms for users to buy and sell data will be put in place, which will give legitimacy to these recognised and licensed data intermediaries. Besides this, data altruism will be encouraged, which amongst other things, seeks to improve access to data by scientific institutions or think tanks.

EU to decide whether 'legitimate interests' will be a legal basis for data processing

Under the General Data Protection Regulation (GDPR), "legitimate interests" is one of the lawful grounds for data processing. Germany's federal data protection commissioner has said that this year, European regulators will decide whether this will be upheld under the EU's data protection rules. While a balancing test is required in managing the legitimate interests of companies in processing data vis-à-vis the interests, rights and freedoms of their users, many question whether the former can ever outweigh the latter.

It was further argued that rather than having court rulings on the legality of legitimate interests as a basis for data processing, the better alternative would be to be involved in the early stage of creating a business model or introducing new technology to the market to ensure that consumer protection is not affected.

New British Energy Security Strategy released

The British government released its highly anticipated Energy Security Strategy to ensure it is on track to meet its net zero targets plan by 2050. Key highlights of the strategy include a focus on nuclear energy, setting a target of 24 GW coming from nuclear by 2050 that would represent 25% of projected energy demand. The government also signified its intention to rely more on offshore wind and has promised to introduce measures to reduce the time it takes for new projects to reach construction stages. The capacity of solar projects will also increase, with a focus on encouraging rooftop installation on commercial and domestic buildings. Nonetheless, the strategy has drawn criticism for its failure to address the high energy bills in the immediate future.

On top of this, the government also confirmed plans to introduce a new Future Systems Operator (FSO) that will be tasked with supporting the transition to net zero by 2050 and securing the independence of UK energy supplies. The FSO will take a whole-system approach, including identifying ways to integrate emerging technologies, such as hydrogen and carbon capture, into the existing network.

Americas

US and EU Agree on Framework for Privacy Shield Replacement

On March 25, 2022, US President Joe Biden and European Commission President Ursula von der Leyen announced that the United States and European Commission have agreed "in principle" to a long-awaited replacement for the Privacy Shield as a mechanism to satisfy the GDPR for cross-border transfers. According to the announcement, the Trans-Atlantic Data Privacy Framework (TADPF) would address the deficiencies that led the Court of Justice of the European Union to strike down the Privacy Shield in 2020, with the United States committing to placing limits on foreign intelligence surveillance activities and establishing a new, multi-layer redress mechanism to adjudicate complaints by EU residents of unlawful access to their data. While specific details of the framework have yet to be worked out, the mechanism will operate similarly to the Privacy Shield, with companies self-certifying compliance with a set of principles under a program administered by the US Department of Commerce. While many business and industry leaders welcomed the news, regulators and privacy advocates have voiced caution, pointing out that the framework still had a long way to go until becoming a viable mechanism to support cross-border transfers. In the meantime, companies looking to make cross-border transfers of personal data from the EEA to the US must still rely on another mechanism, such as the revised Standard Contractual Clauses adopted by the EU last summer.

President Biden Signs the Cyber Incident Reporting for Critical Infrastructure Act of 2022

The Cyber Incident Reporting for Critical Infrastructure Act, which was signed on March 15th by President Biden, requires critical infrastructure providers to report substantial cyber incidents within 72 hours to the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security. After reporting an incident covered by the bill, entities are required to submit periodic updates of ongoing cyber incidents as "substantial new or different information becomes available." At a minimum, the types of incidents that must be reported include the occurrence of substantial loss of confidentiality, integrity, or availability of information systems or networks; serious impact to the safety or resiliency of operational systems; disruption of business or industry operations; or unauthorized access to business or industrial operations due to a compromise. Separately, if a covered entity submits a ransomware payment, the entity must report the payment to CISA within 24 hours. As part of the reporting, any identifying or contact information about the responsible actor for the ransomware attack and the entity that paid the ransom must be provided. Reports made to CISA will not be made public.

CISA is authorized to issue subpoenas to entities it believes were required to submit a cyber incident report but failed to do so. If an entity fails to comply with the subpoena, CISA can provide that information to the Department of Justice, who can pursue enforcement action.

These new reporting obligations do not take effect until the Director of CISA promulgates implementing regulations regarding the bill's applicability and scope. From passage, CISA has 24 months to publish its initial notice of proposed rulemaking and has an additional 18 months from the notice to issue its final regulations.

Department of Labor Issues Warning Against Including Crypto Assets in Retirement Plans

The U.S. Department of Labor (DOL) recently warned fiduciaries to "exercise extreme care" before including cryptocurrency assets and crypto-based products as potential investment options in 401(k) retirement plans. The DOL guides fiduciaries on how to best uphold their duties in a rapidly changing financial sector, and its most recent release highlights its concerns with including crypto assets and any derivatives in retirement plans.

In particular, the DOL stated that fiduciaries "should expect to be questioned about how they can square their actions with their duties of prudence and loyalty." The DOL articulated five reasons for its sceptical approach to crypto assets and derivatives. First, it warned that crypto assets are by nature highly speculative and volatile investments. Second, plan participants are less likely to have the knowledge about crypto to make sound investment decisions. Third, the loss of passwords could result in a permanent loss of access to assets. Fourth, plan participants may find it very difficult to evaluate assets in accordance with the academically sound models by which traditional assets have been valued. Finally, the agency emphasized that the regulatory framework surrounding crypto was still in its infancy and market participants may be currently operating outside of the existing regulatory framework. As such, fiduciaries should use extreme caution when including crypto assets in retirement plans. The DOL has promised that it will investigate and question fiduciaries who include crypto assets in these plans.

Middle East

The Dubai Electronic Security Centre (DESC) launches Cyber Node initiative to support digital transformation

The DESC is the government entity responsible for ensuring that Dubai becomes a leader in cybersecurity and promoting technological progress and smart transformation of the region, which aligns with the Dubai Cyber Security Strategy. The Cyber Node initiative aims to develop an advanced and specialised cyber workforce at the local and national level to support the process of digital transformation across the emirate. This includes upskilling the cyber workforce, and promoting Dubai as a hub for cyber experts from the public and private sectors, as well as academic institutions.

Dubai issues law to regulate digital services

The Prime Minister of the UAE issued a law to accelerate the emirate's digital transformation and to enhance the provision of digital services in both the private and public sector. It sets out the rules for providing digital services and adopting digital identities for obtaining subscribed services, as well as cybersecurity requirements set by the Dubai Electronic Security Centre.

In particular, digital services provided must be user-friendly and accessible to people. The law will also stipulate the conditions for electronic payment solutions approved by the Department of Finance in Dubai. An entity can also outsource its digital services to a public or private company, where the outsourcing contract should clearly outline the responsibilities of each party, including the contract duration and confidentiality requirements, as well as the rules for providing digital services.

Financial Services Regulatory Authority (FSRA) issues discussion paper on DeFi

Abu Dhabi's FSRA issued this discussion paper to foster dialogue amongst the DeFi community, including financial institutions, digital asset businesses and policy makers on how DeFi may be regulated. The document sets out the FSRA's views on the likely medium-term direction of DeFi, high level policy positions that the FSRA is considering adopting and an exploration of what a DeFi regulatory framework might look like.

The DeFi discussion paper will also be mapped as a knowledge graph within the FSRA’s digital regulations beta pilot. This will allow market participants to visualize and better grasp the concepts that link DeFi to traditional finance and their implications for regulatory guidance.

Africa

Regulation of Digital Lenders in Kenya

The Central Bank of Kenya ("the Central Bank") has published a new law, 'The Central Bank of Kenya (Digital Credit Providers) Regulations 2022' ("the DCP Regulations"), which will fully regulate digital credit providers ("DCPs") in Kenya. This follows similar regulations enacted in 2021 that introduced regulations for digital lenders, 'The Central Bank of Kenya (Amendment) Act 2021' ("the CBK Act"), which were enacted to ensure “the existence of fair and non-discriminatory practices in the credit market,” according to Kenya's president, Uhuru Kenyatta.

Key provisions in the DCP Regulations include the requirement for DCPs to disclose and evidence their source of funds and obtain a license from the Central Bank or wind down their operations by September 2022. Kenya is home to hundreds of lending apps, popular for their unsecured and instant loans; however, there have been concerns over how these operate in practice. Therefore, the Central Bank's requirement for DCPs to disclose their source of funds is intended to prevent financial crimes such as money laundering.

Additionally, the new law bans DCPs from sharing customer data with third parties and requires them to disclose all conditions and fees for loans including interest rate and the total amount to be paid back. The Central Bank has said that "the Regulations seek to address concerns raised by the public given the recent significant growth of digital lending particularly through mobile phones. These concerns relate to the predatory practices of the previously unregulated digital credit providers, and in particular, their high cost, unethical debt collection practices, and the abuse of personal information."

Digital lenders who break the DCP Regulations risk penalties or licence withdrawals.

Ghana introduces a new levy on electronic transactions

Ghana's finance minister announced that the government intends to introduce an electronic transaction levy (e-levy) in the 2022 budget. This will mean that from May, a 1.5% charge will be added to all electronic and merchant payments, bank transfers and mobile phone transactions exceeding £10. The government said that the levy will help raise £700m this year.

Heavy promotion of mobile and digital payments by Ghana's government has created a fast-growing industry in Ghana, with financial technology firms and start-ups attracting millions of dollars in funding. Therefore, the e-levy's introduction has sparked anger about the impact it will have on individuals' income, and concerns the sector could be dented.

Nigeria blocks mobile phones following SIM registration laws

In 2020, the national identity policy for SIM card registration was approved by the government, which made it mandatory for anyone issued with a SIM to have a linked National Identity Number (NIN). Possession of a NIN would become a prerequisite for SIM activation and SIM replacement, and corporate registrars would be required to appoint a telecoms master.

Nigeria has been rolling out 11-digit electronic national identity cards for almost a decade. It is required to open a bank account, apply for a driver's licence and get health insurance.

The deadline for linking SIM cards to the user's NIN was extended to 31 March 2022 with outgoing calls being barred from 4 April 2022. On 4 April 2022, 73 million SIM cards, more than a third of the 198 million in Nigeria, were barred from making outgoing calls because they had not been registered in the national digital identity database.

Nigeria is among dozens of African countries including Ghana, Egypt, and Kenya with SIM registration laws that authorities say are necessary for security purposes, but digital rights experts say it increases surveillance and hurts privacy.

Kenyan media content regulation applies to online streaming service platforms

The Kenya Film Classification Board (KFCB) have proposed a new regulation that will require broadcasters, film creators and online streaming service platforms such as Netflix and Amazon to help classify 70% of all audio-visual content shown in Kenya according to its age appropriateness. The regulation will apply to pre-recorded programmes such as movies, series, music and advertisements but not live programming such as news and talk shows which are exempted.

Under current Kenyan law, KFCB are required to examine and classify 100% of content, but the new regulation will shift the burden to industry players. “With the existing staffing levels, the film and broadcast content regulator, KFCB cannot cope with the legal requirement to examine and classify all audio-visual content meant for broadcast, distribution and exhibition in the country,” says acting KFCB CEO Christopher Wambua. “So the involvement of the industry is to ensure compliance while coping up with digital expansion.”

The regulation will affect more than 100 TV and 1,000 radio stations in Kenya, and more notably, will also apply to foreign streaming platforms. Failure to comply with the classification laws will see broadcasters or online streaming platforms submit 100 percent of content to the KFCB and pay a Sh100,000 ($866,55) fine for each violation, in line with the Films and Stageplays Act. Whilst the monetary penalties seem relatively minor, the reputational damage associated with a breach is hard to quantify for global streaming services like Netflix and Amazon.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.