Asia-Pacific Regulations Keep Pace With Rapid Evolution of Artificial Intelligence Technology
Regulation of artificial intelligence (AI) technology in the Asia-Pacific region (APAC) is developing rapidly, with at least 16 jurisdictions having some form of AI guidance or regulation. Some countries are implementing AI-specific laws and regulation, while others take a more “soft” law approach in reliance on nonbinding principles and standards. While regulatory approaches in the region differ, policy drivers feature common principles including responsible use, data security, end-user protection, and human autonomy.
EU Governments Sign-off Proposed Reforms to GDPR Procedural Rules and Council Reaches Common Member States’ Position
On 24 May 2024, the Council of the European Union (the “Council”) released new details of a proposed reform of the General Data Protection Regulation’s (“GDPR”) procedural rules, which representatives of EU national governments approved on 29 May 2024. On 13 June 2024, the Council issued a press release detailing its agreed common Member States’ position that maintains the general thrust of the original proposed reforms, but which seeks to: (i) introduce clearer timelines; (ii) improve efficiency of cooperation; and (iii) provide an early resolution mechanism.
UK proposes New Cyber Security and Resilience Bill to Boost the UK’s Cyber Defences
During the King’s Speech on 17 July 2024, the newly appointed UK Prime Minister announced the UK Government’s intention to introduce a new Cyber Security and Resilience Bill to strengthen the UK’s defences against the global rise in cyberattacks and to protect the UK’s critical infrastructure. In background briefing notes published together with the King’s Speech, the UK Government stated that the new Cyber Security and Resilience Bill will “strengthen our defences and ensure that more essential digital services than ever before are protected.” According to the briefing notes, the Cyber Security and Resilience Bill intends to address the concern that the UK has not kept up-to-date with recent legislative advancements made by the EU in the cybersecurity space, resulting in the UK being “comparably more vulnerable.” Although the form of the proposed Cyber Security and Resilience Bill has yet to be released, the UK Government has indicated that it plans to introduce the bill in the coming months.
Important Changes to Malaysia’s Data Protection Laws
In July 2024, Malaysia’s legislative body approved significant changes to the country’s Personal Data Protection Act. The changes have the effect of aligning Malaysia’s personal data protection laws more closely with international data protection laws. The effective date and other implementation guidelines are expected to follow closely.
Artificial Intelligence Tops Agenda for Global Competition Authorities: EU, UK, and U.S. Issue Joint Statement
On July 23, 2024, the competition authorities of the EU, the UK, and the U.S. issued a joint statement on competition in generative artificial intelligence (AI) foundation models and AI products (Joint Statement). Since the emergence of generative AI, each of the authorities has been individually ramping up its work in order to understand better the potential risks to competition that AI may pose. The Joint Statement may herald a more joined-up global approach with respect to scrutiny of competition in AI.
Heightened Focus in the EU for the Protection of Minors Online
The protection of minors online continues to be a focus for EU regulators. Following the publication last year by the European Parliament of its guidelines on online age verification methods for children, the European Commission has recently announced it will be holding a dedicated stakeholder workshop in September 2024 to discuss guidelines for age verification and protecting minors. Whilst the issue has been flagged as a priority by the European Data Protection Board (“EDPB”) and we are seeing an increase in guidelines and (in some cases) laws addressing the issue at a national Member State level, this is also a focus of the new EU Digital Services Act (“DSA”).
U.S. Commerce Department Issues First-of-Its-Kind Determination Banning Certain Software Products and Services
On June 20, 2024, the U.S. Department of Commerce (Commerce) Office of Information and Communications Technology and Services (OICTS) published a first-of-its-kind Final Determination against Kaspersky Lab, Inc., prohibiting the provision of its antivirus software and cybersecurity products in the United States or to U.S. persons. This Final Determination provides new insights into OICTS review of information and communications technology and services (ICTS) transactions and the prohibitions or restrictions that may result. The full text of the Final Determination is available here. OICTS also provides additional guidance on the new prohibition here.
An Artificial Intelligence, Privacy, and Cybersecurity Update for Indian Companies Doing Business in the United States and Europe
Pivotal shifts have occurred in global data privacy, artificial intelligence (AI), and cybersecurity from executives facing more pressure to monitor their organizations’ cybersecurity operations, to an unprecedented wave of consumer data privacy laws and rapid advancements in AI technology use and deployment. Indian organizations should establish best practices to address these new (and emerging) laws, regulations, and frameworks.
The Digital Markets, Competition and Consumers Act is Approved: Key Things to Know About the UK’s New Competition and Consumer Powers
On May 23, 2024, the UK finally passed its Digital Markets, Competition and Consumers Act (DMCCA), introducing a new “pro-competition” regime for digital markets and marking the biggest reform to UK competition and consumer laws in a decade. The DMCCA is the latest piece of legislation aiming to tackle the power of Big Tech, as regulators around the world debate new ways to oversee competition in the digital sector.
EU Formally Adopts Cyber Law for Connected Products
On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.