Tech Policy Unit Horizon Scanner
December 2024
As 2024 drew to a close, there was no let-up in tech public policy activity from regulators and governments. As one of its last acts, the Biden Administration is reportedly drafting a plan to allow the construction of data centres and power plants on federal lands with easy access to clean energy. Meanwhile, the Commerce Department has awarded $6.1 billion to Micron under the CHIPS and Science Act to strengthen US semiconductor manufacturing. Both developments are driven by a desire to maintain the US' competitive edge in the development of AI. Unsurprisingly, the EU is looking to keep up with the US through investing in its own AI infrastructure: the Commission has announced the selection of seven proposals to establish the continent’s first ‘AI Factories’ as part of a €1.5 billion investment, combining national and EU funding. These sites will host advanced supercomputers, supporting AI model development.
December was also a busy month in the cybersecurity sphere. China’s National Financial Regulatory Administration issued the Administrative Measures on Data Security in Banking and Insurance Institutions. The EU’s Cyber Resilience Act entered into force on 10 December 2024 and is the first EU law to set out detailed statutory requirements on product cybersecurity. CC’s Tech Group Partner, Patrice Navarro, and Senior Associate, Oscar Tang, have written an article for Infosecurity Magazine examining key legislative instruments on cybersecurity and looking ahead to 2025: ‘2025: A Critical Year for Cybersecurity Compliance in the EU and UK’.
Elsewhere, both Kenya and Saudi Arabia have launched public consultations on accreditation processes under their respective data protection regimes. The UK government has initiated a consultation to clarify the use of copyright material in AI training for the creative industries and AI developers. Australia and Meta have reached an AUD 50 million settlement over Privacy Act violations involving the 'This is Your Digital Life' app and possible disclosure of data to Cambridge Analytica and other third parties.
APAC (excluding China)
Australia and Meta agree AUD 50 million settlement over exposure of personal data
On 17 December 2024, the Office of the Australian Information Commissioner (OAIC) reached a settlement with Meta Platforms, Inc. for AUD 50 million due to Privacy Act violations involving the 'This is Your Digital Life' app and possible disclosure of data to Cambridge Analytica and other third parties.
Court-ordered mediation led to the settlement, which wraps up civil penalty proceedings in the Federal Court that began in March 2020. After it was determined that Meta's actions might have violated the Australian Privacy Principles, an enforceable undertaking was created, which includes a payment plan for the impacted Australian Facebook users. Users who had a Facebook account during a given time period and were connected to the app—either directly or through friends—are compensated by the plan.
Three-year Review of the Act on Protection of Personal Information of Japan
On 25 December 2024, the Study Group on the Three-year Review of the Act on Protection of Personal Information (APPI) published its report on the results of its discussions about introducing a new monetary penalty and a system for consumer representative groups to request injunctions and bring a class action.
The new penalty system is designed to deter violations by imposing financial penalties on businesses that violate the APPI. In particular, acts that are likely to infringe on the rights and interests of individuals, such as illegal provision to third parties and violations of security control obligations, are targeted. The report recognises that, in the design of the system, it is necessary to clearly limit the scope of the system so as not to adversely affect the legal use of data.
The right of consumer representative groups to request injunctions against the illegal handling of personal information, and the introduction of a class action system by which such groups seek collective recovery of damages for consumers who have suffered damage due to the leakage of personal information, are also being considered.
China
China's National Financial Regulatory Administration publishes the Administrative Measures on Data Security in Banking and Insurance Institutions
On 27 December 2024, the National Financial Regulatory Administration issued the Administrative Measures on Data Security in Banking and Insurance Institutions.
The measures establish a series of data protection protocols, including a requirement on banking and insurance institutions to develop a data classification and grading protection system. The measures further strengthen the data protection of transaction data in financial institutions, enhancing the overall security level of financial institutions and increasing market trust.
China's regulatory authorities release 'Opinions on Promoting the Development and Utilisation of Enterprise Data Resources'
On 25 December 2024, the National Data Administration, together with four other regulatory authorities, released the Opinions on Promoting the Development and Utilisation of Enterprise Data Resources. The opinions aim to fully leverage the value of enterprise data resources and promote the development of the digital economy.
China's TC260 releases guidelines for stopping collecting out-of-vehicle data
On 19 December 2024, the National Information Security Standardization Technical Committee (TC260) issued the Cybersecurity Standard Practice Guidelines - One-Click Stop Collection of Out-of-Vehicle Data Guidelines.
The guidelines provide guidance on setting up a one-click function to stop the collection of external data on intelligent connected vehicles. They primarily serve as (a) best practice guidance for automobile manufacturers, autonomous driving research and development enterprises and the relevant components or service providers; (b) actionable guidance for authorities of restricted areas on monitoring the data collection activities of automobiles that enter the relevant areas; and (c) reference points for third-party evaluation agencies conducting functionality and security assessments of the data collection cessation feature in intelligent connected vehicles.
Europe
Cyber Resilience Act enters into force
On 10 December 2024, the Cyber Resilience Act entered into force. The Act mandates cybersecurity requirements for products with digital elements (PDEs). Manufacturers, importers, and distributors must embed cybersecurity measures into product design. Although the Act will be fully applicable by 2027, incremental requirements mean businesses must act now. The Act emphasizes proactive risk management, reflecting the EU’s broader goal of fostering resilience at the product development stage.
Please see the following article, written by our Tech Group Partner, Patrice Navarro, and Senior Associate, Oscar Tang, for Infosecurity Magazine, which examines key legislative instruments on cybersecurity and looks ahead to 2025: ‘2025: A Critical Year for Cybersecurity Compliance in the EU and UK’.
Commission announces seven selected proposals for AI Factories
On 10 December 2024, the Commission announced that the European High Performance Computing Joint Undertaking (EuroHPC) has chosen seven proposals to establish the first ‘AI Factories’ in Europe as part of a €1.5 billion investment, combining national and EU funding. These sites will host advanced supercomputers, enhancing EuroHPC's computing capacity and supporting AI model development. The initiative aims to foster AI innovation across sectors like health, manufacturing, and finance, linking academia, industry, and financial entities. Deployment is expected between 2025 and 2026.
The seven sites are:
· Barcelona, Spain: “BSC AIF” at the Barcelona Supercomputing Centre
· Bologna, Italy: “IT4LIA” at CINECA - Bologna Tecnopolo
· Kajaani, Finland: “LUMI AIF” at CSC
· Bissen, Luxembourg: “Meluxina-AI” at LuxProvide
· Linköping, Sweden: “MIMER” at the University of Linköping
· Stuttgart, Germany: “HammerHAI” at the University of Stuttgart
· Athens, Greece: “Pharos” at GRNET
EDPB releases opinion on personal data processing in the context of AI models
On 18 December 2024, the European Data Protection Board (EDPB) issued Opinion 28/2024, addressing personal data processing in AI models. The opinion offers general guidance for DPAs on assessing AI models but excludes certain areas like special data categories, automated decision-making, and Data Protection Impact Assessments.
For AI models to be considered anonymous, DPAs should evaluate the likelihood of personal data extraction and unintentional data retrieval. The EDPB suggests that these risks must be minimal and provides non-exhaustive methods to demonstrate anonymity.
Regarding legitimate interest as a legal basis, the EDPB outlines a three-step assessment: identifying the legitimate interest, conducting a necessity test, and performing a balancing test. The EDPB also discusses the consequences of unlawful data processing, highlighting scenarios where personal data is retained and processed by the same or different controllers, and the implications of anonymising unlawfully processed data.
United Kingdom
Government consults on AI and copyright laws
On 17 December 2024, the Intellectual Property Office, the Department for Science, Innovation, and Technology, and the Department for Culture, Media, and Sport initiated a consultation to clarify the use of copyright material in AI training for the creative industries and AI developers.
The consultation sets out a copyright exception for AI training, allowing commercial use of protected materials while enabling rights holders to negotiate licences. It also calls for AI developers to disclose training dataset content and sources, addresses copyright for computer-generated works and digital replicas, and explores licensing and remuneration for creators. Additionally, the consultation examines the level of protection of personality rights afforded by current laws, especially around deepfake imitations.
The consultation will close on 25 February 2025.
Ofcom publishes Online Safety Act guidelines and codes of practice
On 16 December 2024, Ofcom released Guidance and Codes of Practice under the Online Safety Act, 4 months ahead of the statutory deadline set by the Act. The Act covers user-to-user services like social media, messaging platforms, online gaming, search services, and pornography sites. It requires companies to ensure online safety, particularly for children, by assessing and managing risks from content and conduct on their platforms. Under the Act, organisations must complete a risk assessment by 16 March 2025 to understand the dangers of illegal content.
Ofcom has published several documents, including Risk Assessment Guidance, a Register of Risks, and draft Codes of Practice for illegal content.
ICO opens public consultation on draft guidance for storage and access technologies
On 20 December 2024, the Information Commissioner's Office opened a public consultation on its updated draft guidance for storage and access technologies, previously referred to as the 'detailed cookies guidance.'
This guidance explains how the Privacy and Electronic Communications Regulations (PECR) apply to technologies like cookies and tracking pixels, and their interaction with data protection laws such as the UK GDPR. It targets online service providers, including web and app developers, to clarify compliance obligations. The guidance covers technologies under PECR, consent management, special considerations for children, and consent requirements for tracking and profiling, including models like cookie walls.
The consultation will close on 14 March 2025.
Americas
United States Supreme Court to hear TikTok’s challenge to potential ban
On 18 December 2024, the Supreme Court of the United States agreed to hear TikTok's challenge to a law that could ban the social media platform's United States operations. Oral arguments are set for early January 2025. This case pits free expression against national security concerns, as the law would require ByteDance, TikTok's Chinese parent company, to sell the app to a non-Chinese company or face a ban by 19 January 2025.
TikTok argues such a ban violates the First Amendment while the government cites national security risks due to TikTok's Chinese ownership and allegations of collecting American users' data that could potentially be used for "espionage or blackmail." The Court's decision will have significant implications for TikTok's future in the United States, the technology sector, and freedom of speech.
Commerce Department awards $6.1 billion to Micron under the CHIPS and Science Act to strengthen U.S. semiconductor manufacturing
On 10 December 2024, the Department of Commerce announced it had granted Micron Technology $6.165 billion under the CHIPS and Science Act. Micron, a leading producer of dynamic random-access memory (DRAM) chips, which are essential for new AI models and technologies like high-performance computing and wireless communication, will use this grant to support its $125 billion investment in chip manufacturing facilities in New York and Idaho over the next two decades.
The CHIPS Act, enacted on 9 August 2022, aims to return semiconductor manufacturing to American shores and promote technological leadership in fields such as quantum computing, clean energy, and AI. It allocates $52.7 billion for semiconductor research, development, manufacturing, and workforce development, with a goal to boost the United States' share of advanced memory manufacturing from under 2% to 10% by 2035. The Commerce Department has also finalized similar deals with Intel Corp, Taiwan Semiconductor Manufacturing Company, and GlobalFoundries Inc., collectively accounting for half of the direct funding from the CHIPS Act.
Biden administration considers building AI data centres on federal land to boost AI competitiveness
To maintain the United States' competitive edge in the development of AI, the Biden Administration is reportedly drafting a plan to allow the construction of data centres and power plants on federal lands with easy access to clean energy. This initiative, expected to be signed by President Biden before his term ends, would ease environmental restrictions on select federal lands for next-generation data centres that consume at least one gigawatt of electricity.
The power consumption by United States data centres is projected to reach 17% of all domestic electricity by 2030, more than four times their current consumption. The plan aims to address energy shortage issues that threaten AI industry growth, allowing companies like OpenAI, Microsoft, and Google to build power plants independent of regional power grids. However, environmental groups and some Democratic senators have raised concerns about the potential environmental impact.
Middle East
Saudi Arabia publishes two consultations on the rules for accreditation certificates and licensing audits
The Saudi Data & Artificial Intelligence Authority (SDAIA) published two draft rules for public consultation: one on accreditation certificates for personal data protection and the other on licensing audits of personal data processing activities.
The accreditation certificates rules outline the requirements for data processors and controllers to obtain certificates to confirm their compliance with the Saudi Personal Data Protection Law (PDPL) and its Implementing Regulations.
The licensing audits rules detail the licensing process for entities to conduct audits or issue accreditation certificates. This would include the methodology, term, and conditions for license renewal or revocation.
The consultation closes on 11 January 2025. These rules apply to independent legal entities with a physical presence in the Kingdom that plan to apply to perform audits or issue certifications, as long as they have official contact details, such as a legal name, address and commercial registration or foreign investor license number.
Israel issues guidance on the transfer of ownership in databases
On 22 December 2024, the Privacy Protection Authority (PPA) of Israel issued guidance on the transfer of ownership in databases. It stipulates that the transfer should not change the databases' original purpose of use. Any expansion or change in purpose of the databases in question would trigger the requirement of obtaining data subjects' prior consent. Data subjects can be informed by email about the transfer if the purpose of the databases remains the same.
Africa
South Africa issues guidance note on direct marketing under POPIA
On 3 December 2024, South Africa's Information Regulator released a guidance note regarding direct marketing under the Protection of Personal Information Act (POPIA). The note is intended to help organisations comply with POPIA when handling personal data for direct marketing, whether through unsolicited non-electronic or electronic communications.
The guidance explains how personal data should be processed according to the eight conditions for lawful processing. It distinguishes between two types of direct marketing: non-electronic communications (Section 11 of POPIA) and electronic communications (Section 69 of POPIA).
For non-electronic direct marketing, organisations might not need to obtain consent from individuals if they can justify this under Sections 11(1)(d) or 11(1)(f) of POPIA. In such cases, they must first identify the legitimate interest of the individual, the organisation, or a third party, as applicable.
Kenya launches public consultation on draft Regulations for accreditation of auditors and Data Sharing Code
On 3 December 2024, Kenya's Office of the Data Protection Commissioner (ODPC) released two draft documents for public consultation: the Data Protection (Accreditation of Auditors) Regulations and the Data Sharing Code.
The draft regulations outline the audit procedures by the ODPC and the accreditation process for entities wishing to conduct data protection audits. They cover the application process, criteria for accreditation, conditions for granting or refusing accreditation, and procedures for renewing or revoking it.
The draft code provides principles, guidelines, and responsibilities for those involved in data-sharing activities. Among other things, it sets out the legal basis and scope of data sharing, the responsibilities of entities transferring and receiving data, key elements of data-sharing agreements, contracts between data controllers and processors, and practices for sharing data across borders.
Additional information
This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.
The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.