Tech Policy Unit Horizon Scanner
13 June 2021
Welcome to our Tech Policy Unit Horizon Scanner. It is our monthly dive into the key tech policy and legislative developments around the world.
This month, a new messaging app has hit the headlines. Step aside, Clubhouse – ANOM is so exclusive that only FBI agents and wanted archcriminals are invited. The network played the starring role in a multi-year sting operation co-ordinated by law enforcement officials across the globe. Criminal arrests, drug seizures, recovery of proceeds: yes, it turns out there's an app for that.
Meanwhile, Europeans marked a very special birthday in May, as GDPR turned three years old. There were fewer balloons on show in Madrid on the news that, over that period, more than a third of all GDPR fines were levied by Spanish authorities. In any event, the playpen is getting crowded: below we report on Rwanda's data privacy bill, and on China's pivot in data protection toward GDPR-like extraterritoriality.
In one of the major stories globally, the G7 agreed on a new global model of corporate income tax, conceived with big tech at front of mind. Under the new model, there will be partial reallocation of taxing rights to countries consuming products and services, and a global minimum corporation tax rate of (at least) 15%. The biggest winners are, naturally, the G7 countries themselves, meaning there'll be work to do at the G20 and OECD meetings later in the year.
Elsewhere, Twitter is in a spat with a certain president, and it's not the one you might expect. President Muhammadu Buhari of Nigeria has placed a temporary ban on the platform, after it deleted one of his tweets on grounds of incitement of violence. Nigeria's young population have been circumventing the ban via virtual private networks, despite warnings of prison sentences from the Attorney-General.
And in the U.S., after ransomware ran riot in 2020, big questions are emerging on how authorities should treat victims. There are growing calls for leniency on corporates who comply with ransom demands, especially given the possibility of unlawful data breaches if terms are not met. Meanwhile, a Californian tech firm has been replaced by a Michigan carmaker at the top of Nikkei's self-driving technology league table, reflecting a wider trend in the nascent industry. Here's hoping ransomware and autonomous vehicles never appear in the same paragraph again…
Social media in Nigeria
In March, we covered Nigeria's ban of cryptocurrency exchanges, and the response from its crypto-avid population. A new ban, this time on Twitter, speaks to an emerging pattern of technological retrenchment.
On 4 June, the National Broadcasting Commission issued an order to telecommunications operators to shut down access to Twitter nationwide. Most operators have complied. The order came just days after Twitter's decision to delete a post by President Muhammadu Buhari, in which the head of state referenced Nigeria's three-year civil war in his threat to treat 'misbehaving' separatists 'in the language they understand'. The presidency has described the ban as 'temporary', but the broadcast regulator will require Twitter to have a licence to operate in the future.
This incident recalls deletions of President Trump's tweets earlier this year for incitement of violence at the Capitol riots, later leading to the permanent suspension of his account. Trump's response to earlier deletions had been to threaten removal of liability protections for tech platforms under the Communications Decency Act, as we reported in June and October. The terms of Twitter's Nigerian operating licence are also likely to carry a big stick.
5G in Nigeria
Staying with Nigeria, the Senate has asked the federal government to suspend implementation of a 5G network to enable the lawmakers to study the trend of 5G deployment across the world. The Senate based its decision on a report produced by the government's science and technology committee, urging relevant regulators to consider whether a correlation exists between 5G networks and public health.
Fintech in Kenya
For years, the Kenyan fintech industry has been held up as a showpiece of domestic innovation, with digital credit services like M-Pesa becoming household names across the continent. Yet the success of the industry has come at a cost: interest on micro-loans and credit routinely exceeds 100% on an annualised basis, and can reach up to 500% for some services. Many of these loans are ploughed into Kenya's exploding gambling industry, leading to defaults that have landed millions of Kenyans on credit blacklists. The resulting impact on employability has driven a cycle of poverty.
That's one reason why the Kenyan Parliament is seeking to regulate digital credit service providers and ensure fair and unbiased access to credit. Published in April, the Central Bank of Kenya (Amendment) Bill 2021 sets out to: (i) regulate and license digital credit service providers; (ii) determine capital adequacy and minimum liquidity requirements; (iii) approve digital channels and business models; (iv) supervise digital credit providers; and (v) suspend or revoke licences. Digital credit providers are those persons licensed by the Central Bank to carry on digital credit business.
Data protection in Rwanda
Rwanda is the latest in a growing list of African states drafting data protection legislation. The Personal Data Protection and Privacy Bill was adopted by Rwanda's Chamber of Deputies in early May, marking a key milestone on the road to enactment.
Under the scheme, data controllers will need to notify data breaches to the National Cyber Security Authority within 24 hours and submit a full report within 72 hours. Failure to comply could result in penalties of up to RWF 10 million (approx. £7,000) or 5% of annual turnover, plus imprisonment of up to five years in the most severe cases. Once enacted, data controllers and processors will have just one year to reach compliance with the regime.
Ransomware in the U.S.
2020 may have been the worst year on record for ransomware attacks globally. In the U.S., the FBI tracked a 20% increase in the practice last year, while a survey of IT security professionals across 17 countries and 19 industries found that a record 69% of organisations were hit by successful attacks. High-profile hacks on the Irish healthcare system and the Colonial Pipeline in the U.S. have hit the headlines and have had devastating social consequences. So what advice is the U.S. government giving to victims?
The official line remains: don't pay up. FBI guidance from earlier this year cautions against ransom payment on the basis that it encourages distribution of malware and does not guarantee recovery of system access. The Treasury Department's Office of Foreign Assets goes a step further, warning that companies that pay ransoms (and intermediaries facilitating payments) risk violating sanctions laws. Sanction violation is a strict liability offence, so ignorance of the payee's identity does not constitute a lawful excuse.
This places ransomware victims in a bind: pay the ransom and risk sanctions violation, or refuse the ransom and suffer crippling disruptions to business operations, along with potential breach of privacy rules if the hackers publish confidential data. That's why some argue that, rather than threatening victims with offences, authorities should work with them to share intelligence, so that victims can make informed decisions and authorities can better track the real offenders.
For advice on how to prevent and respond to ransomware attacks, see our Ransomware playbook. Senior associate Ellen Lake also has a write-up on the UK National Crime Agency's recent annual report, with a focus on ransomware.
GDPR in the U.S.
GDPR is well known for its wide effect, both within and beyond the EU. So what happens when data protection requirements under GDPR conflict with disclosure obligations in U.S. courts?
That remains an open question, following the U.S. Supreme Court's refusal to consider the point last month. In the Vesuvius case, a former employee sued his employer in an Ohio state court, alleging that his termination was discriminatory. In the course of discovery, he requested that the employer produce personnel files from the employer's European affiliate. Despite the employer's submissions that release of the files would breach GDPR, the state court ordered production, and the Ohio Court of Appeal affirmed in part, noting that breach of GDPR is not an absolute bar to discovery. Despite some differences between US states on this point, the Supreme Court declined the employer's petition to review the decision.
The case, and the absence of an answer from the Supreme Court, speaks to the tension between GDPR and discovery. That tension can leave litigants between a rock and a hard place: for an exploration of the issues in this area, see our client briefing.
Japanese report on autonomous vehicles
Think driverless cars, and many people think of projects led by big tech, like Alphabet's Waymo and its self-driving taxi service in Phoenix, Arizona. But a report from Nikkei suggests that the new leaders in the autonomous vehicle sector are, in fact, the old leaders. Ranking companies by the number and importance of their self-driving patents, Ford Motor and Toyota Motor top the list at 1 and 2 respectively. Waymo, falling to third place from its pole position in 2018, is the only big tech player in the top five.
The report reflects a shift in the autonomous vehicle market. Highly publicised accidents, including a recent Tesla crash in Houston, have prompted exits from some non-carmakers. Uber sold off its autonomous driving unit in January, while Toyota snapped up Lyft's division in April. But a few tech players remain in the race: Israel's Mobileye, enriched by its acquisition by Intel in 2017, has jumped from nineteenth place in 2018 to tenth place.
Extraterritorial data protection in China
Draft legislation is set to dramatically expand the extraterritoriality of Chinese data protection laws. The draft Personal Information Protection Law (PIPL) adopts a GDPR-like approach to jurisdiction: any persons processing personal data to provide products and services to, or analyse behaviours of, Chinese residents will now be caught by the legislation. They will then need to establish an office or appoint a representative in China to fulfil PIPL regulatory duties. Moreover, the draft Data Security Law (DSL) asserts jurisdiction over any data processing activities outside China which undermine national security and the public interest.
Besides extraterritoriality, the draft DSL will also introduce a national data grading system, identifying levels of importance and corresponding duties for different categories of data. Chinese regulators are developing a knack for pronouncements on the importance of data categories across sectors: see our April edition piece on asterisks in data fields.
Cyber compliance in Australia
Australian officials are getting tougher on data breaches. Last year, the Australian Securities and Investment Commission brought its first ever enforcement proceedings in respect of deficient cybersecurity practices against a financial services provider. More recently, National Australia Bank was called before a Parliamentary standing committee to explain its response to a 2019 data breach affecting 10,000 customers. Australia's Information Commissioner has cautioned that compliance with the national Notifiable Data Breach Scheme, now in operation for three years, remains subject to close monitoring. See our Talking Tech article for more.
G7 tax deal at UK summit
Big Tech is coming to terms with the possibility of a seismic shift in global taxation, following a deal struck at the G7 summit in Cornwall, UK. The official communiqué agrees starting positions on two distinct matters in relation to corporate income tax on large multinational companies.
Firstly, there will be a reallocation of taxing rights toward market countries (where goods and services are consumed) away from countries where corporates are headquartered. Market countries will be entitled to taxes on 20% (and possibly more) of profit exceeding a 10% margin, in exchange for the retirement of digital services taxes.
Secondly, there will be a global minimum corporation tax rate of 15% (and possibly more). This would mean that companies operating in jurisdictions with tax rates below 15% may need to pay "top-up" tax in other jurisdictions, incentivising low-tax countries to increase their rates to at least 15%.
We tackle some of the big questions below:
Is it just Big Tech? Google, Apple, Facebook, Amazon and Microsoft comprise the five largest companies in the U.S. and will likely be impacted by a new global tax order. However, the communiqué refers without limitation to 'the largest and most profitable multinational companies', leaving the breadth undefined. The U.S. has previously called for the list to comprise the world's hundred largest companies, in order to share the burden among corporate giants globally.
Who are the winners and losers? The global minimum tax will principally benefit the U.S., at the expense of smaller countries with low tax rates. In Ireland for instance, where the corporate tax rate is 12.5%, the Department of Finance estimates a loss of revenues of €2.2 billion. The reallocation of taxing rights is likely to benefit other G7 countries, like the UK, France and Italy.
What are the pitfalls? There are several points to work through. A key point is that a 15% minimum tax rate ignores the question of the tax base: without adequate agreement, there is a risk the 'race to the bottom' will shift from rates to definitions of the base. Then there's the politics: there is still strong opposition in the U.S. to the reallocation of taxing rights, while some non-G7 countries (like Ireland) have their doubts about the whole project.
When will it happen? The next step will be to reach agreement at G20, and then among the 139 countries involved in the OECD projects. Officials suggest that a full international agreement may be possible by October.
Digital Markets Act / Digital Services Act in the EU
On 27 May 2021, Ministers from Europe's 27 Member States had a first discussion on the Digital Markets Act (DMA) and Digital Services Act (DSA), proposed by the European Commission last year. Ministers highlighted effective enforcement and the involvement of national authorities as key elements of the debate.
Austria, Belgium and the Czech Republic issued their (curiously named) non-paper in advance of the meeting in which they argued that 'every effort' should be made to ensure the DMA proposal 'is not watered down'.
The European Parliament's rapporteur, Andreas Schwab, has published his draft report on the DMA and proposed 134 changes to the Commission's proposal. Among other things, he wants to increase the quantitative thresholds for the gatekeeper designation and require that they be providers of not one but at least two core platform services. The rapporteur on the DSA, Christel Schaldemose, has also published her draft report which makes 182 changes to the Commission draft. The Parliament's Internal Market Committee will consider the two reports and may propose additional amendments.
We co-hosted a discussion on the DMA in early May with guest speakers Andreas Schwab MEP, Isabelle de Silva and Andreas Mundt, Presidents of the French and German competition authorities respectively. You can watch it back here.
Disinformation in the EU
The European Commission has published guidance on how its 2018 Code of Practice on Disinformation should be strengthened. Thierry Breton, Commissioner for the Market, said: 'We need to rein in the infodemic and the diffusion of false information putting people's life in danger. […] We need to see stronger commitments by online platforms, the entire advertising ecosystem and networks of fact-checkers.' He added that the DSA should provide additional tools to tackle disinformation once it becomes EU law.
The Commission called upon the signatories of the Code of Practice to convene and strengthen the Code in line with the Guidance. The Commission also hopes to propose legislation to improve the transparency of political advertising.
EU-UK data flows
In a Resolution passed on 21 May 2021, the European Parliament voted narrowly for the Commission to amend its draft decisions on UK data protection to ensure EU standards for citizens’ privacy are respected. MEPs want the Commission to amend its decision to reflect the latest EU court rulings and respond to concerns raised by the European Data Protection Board (EDPB) (reported in last month's edition), in particular in relation to UK exemptions in the fields of national security and immigration, and onward data transfers.
The deadline for the adequacy decision is the end of this month, when the interim regime between the UK and EU expires. The last remaining hurdle for the adequacy decisions is a green light from member states. Once formally adopted, the decisions will be valid for four years and can be renewed if the level of protection in the UK continues to be considered 'adequate'.
While an adequacy decision seems likely, it's not too late for politics to get in the way. EU officials will be looking closely at a Court of Appeal decision from late May which, consonant with the view of MEPs, finds that the UK immigration exemptions fail to comply with GDPR.
And in case you missed it…
Here is our client briefing on the European Commission's proposal for a Regulation on AI.
Edtech in the Middle East
Disruption to school schedules across the Middle East over the last year has produced soaring demand for educational technology. Reports indicate a 500% year-on-year increase in subscribers throughout the region in 2020, while 72% of educational institutions in the Gulf accelerated their digital roadmaps by at least one year.
In response to the rising demand, video e-learning platforms like Almentor have flourished. Almentor provides courses in fields like health, business and media, with recordings provided in both Arabic and English. It recently raised USD 6.5 million in Series B funding, adding to the spate of growth stories in the Middle Eastern edtech market.
This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.