Introduction
In recent decades, tech companies have massively advanced their capabilities, leading to heightened scrutiny in the present era. Among other issues, tech companies are being closely looked at for antitrust, cybersecurity and data use. In the last six months alone there has been an onslaught of conflict in tech, such as OpenAI vs. New York Times, Getty Images vs. Stability AI and the recent FTC inquiry into Generative AI investments and partnerships.
Notwithstanding recent conflicts, there has also been great progress in tech regulation globally. In August 2023, India’s first comprehensive personal data law was developed.In October 2023, new regulations on data transfers came into effect in South Korea, and the E.U. reached an agreement on the ‘world's first’ comprehensive horizontal AI regulation in December 2023. Regulatory developments, however, are slow-going, and it seems that tech companies are always just ‘a beat ahead.’ That said, a ‘flurry’ of European Court of Justice judgments on data protection were issued in the last months of 2023, so perhaps regulation is finally catching up, and technology regulations are being increasingly prioritised. Technology regulations are evidently swiftly moving up in priority. Moreover, given how intertwined AI, data and cybersecurity are, advancement and regulation in one domain can be anticipated to lead to developments in the others.
Additionally, where regulations come into force in one jurisdiction, developments in other jurisdictions quickly follow. A month after the political agreement reached by the E.U. on the Cyber Resilience Act, the U.K. government released a draft Code of Practice also relating to cybersecurity governance. Whilst these developments follow one another in rapid succession, there is limited conformity between the regulations, with the U.K.'s approach to regulating AI being said to be far more ‘adaptive’ than the stance of the EU. Much of the conformity on regulation seen tends to stem from needing certain capabilities rather than having similar philosophies. For instance, both the E.U. and the U.K. created data-bridge agreements with the U.S. in July and September respectively to allow for U.S. entities to extend their DPF certifications that cover data transfers from those jurisdictions.
In the E.U., the regulatory landscape of tech is rapidly becoming a legal quagmire. This article will explore two key developments in data privacy and cybersecurity in an effort to disseminate the longue durée of tech regulation in the E.U.
E.U. Data Act
On 27 November 2023, the E.U. adopted the final version of the E.U. Data Act which came into force on 11 January 2024. The Data Act is an attempt to “address the challenges and unleash the opportunities presented by data.” The Data Act aims to protect personal data and to ensure its ‘fair use.'
The Act covers both personal and non-personal data. It creates an obligation for natural and legal persons who are data holders to share that data which has been generated, obtained or collected with the users who generated the data and with third parties. These ‘data holders’ are obliged to share the data collected through ‘connected products’, ‘related services’ and ‘virtual assistants.’ The Act applies only to the following entities in the Union: manufacturers of products and suppliers of related services, data holders, data recipients, data recipients and providers of data processing services. Unlike the GDPR, the Data Act does not apply outside of the E.U.
Broadly speaking, the regulation intends to make data allocation fair, create a competitive data market, facilitate data innovation and make data more accessible overall. In order to execute these goals, the law has created a range of requirements for entities in the E.U. The Act creates a few key requirements including but not limited to data holders being obliged to make the in-scope data available to third parties under fair, reasonable and non-discriminatory terms; data may be shared with public bodies in circumstances of exceptional need subject to specific requirements; unfair contractual terms concerning the access to and use of data are prohibited.
José Luis Escrivá, Spanish Minister of Digital Transformation said that the new Act would “unlock a huge economic potential and significantly contribute to a European internal market for data.” Notably, this regulation will increase the competitiveness of the data market, strengthen smaller businesses and prevent the “abuse of contractual imbalances in data sharing contracts.” Not only does the Act enable data to be shared more fairly, but it also puts in place various protections for trade secrets.
The E.U. Data Act works in tandem with the Data Governance Act which came into force on 23 June 2022, and was applicable from 24 September 2023. The Data Governance Act also focusses on increasing trust in data sharing and making it easier to access data. Evidently, there has been considerable effort over the last year to develop safeguards for data sharing that would realise the E.U.'s goal of leveraging the economic potential of data.
By contrast, the U.K. has not passed any new Data Acts. Instead, it is working on amending the GDPR regime to create the new DPDI legislation, which will recognise the rights under U.K. law rather than retained E.U. law. Despite the E.U. taking a more prescriptive stance on tech regulation, the E.U.'s stance has informed a more comprehensive and uniform approach to data protection. Additionally, more measures are being put in place to encourage the economic potential of data than can be seen in the United Kingdom.
The Cyber Resilience Act
The Cyber Resilience Act (CRA) further extends the level of data protection E.U. citizens are entitled to. The CRA follows the NIS2, which was an E.U. wide cyber law that entered into force in January 2023. While the NIS2 focussed more on the cybersecurity of companies, the CRA focusses on the cybersecurity of the products those companies sell. It has been suggested that the legislation which preceded the CRA only partially addressed cybersecurity problems, “creating a legislative patchwork within the internal market.”
The E.U. reached a political agreement on the CRA on 30 November 2023 to create one of the world’s first legislative proposals to increase the cybersecurity of products with digital elements. Again, the CRA shows Europe at the vanguard when it comes to tech regulation, with law firm Bird & Bird suggesting that the new NIS2, CRA and CER directives “will influence cybersecurity standards beyond Europe.” At present, the U.K. continues to follow the NIS1 legislation. Following Brexit, the U.K. is updating this ,and it increasingly seems like the U.K. will adopt a more flexible approach within cybersecurity spaces and AI. However, the U.K. has limited room to manoeuvre. If the U.K. diverges too substantially, it will lead to extra costs for U.K. businesses, as they would have to comply with two sets of regulations.
The increasingly demanding legislation on cybersecurity and data also provokes questions about what the European Commission is trying to achieve. Foreign Policy writer Jeremiah Johnson thus asks: “with bill after bill strictly regulating every area of the field, has Europe given up on even trying to succeed in tech?”
Whilst the E.U. may be inhibiting their prospects of helping their tech sector boom, there is little doubt that the jurisdiction is trying to help consumers. The European Commission states that the CRA addresses two problems: the inadequate cybersecurity in many products, and the difficulty consumers face in ascertaining whether their products are cybersecure.
The CRA will increase the standards for cybersecurity by placing products to different categories and subcategories based on the level of risk associated with the product. Some of the essential security criteria which products with digital elements (PDEs) have to comply with include unauthorised access prevention, protection of confidentiality, protection of integrity and resilience against service attacks.
The focus on cybersecurity does not issue solely from the E.U., and there is projected to be an increase in reporting obligations to regulators in 2024. Although there are many positives to this, it presents its own unique threat. Indeed, one U.S. firm recently reported in a strange turn of events that the self-same threat actor group which had ransomed its software also complained about the firm they had attacked to the Securities and Exchange Commission (SEC), stating that it had not reported the breach in compliance with SEC rules. This is certainly an unexpected and unwelcome—albeit amusing—development for regulators.
The Future for Tech Regulation
Evidently, there is much regulation to come in various jurisdictions, and it will be interesting to see how the U.K.’s approach diverges from that of the E.U. in the next few years. Moreover, the political agreement reached on 8 December 2023 regarding the E.U. AI Act was recently endorsed on 2 February 2024, creating the “world’s first comprehensive rulebook for Artificial Intelligence.” Although some minor issues remain to be settled, the core aspects of the AI regulation have been confirmed. Given the E.U.'s reputation for being at the forefront of regulatory development, it will be particularly interesting to see whether the E.U. AI Act will become the ‘de facto’ global yardstick for AI regulation, in the same way that the GDPR was previously. However, the question remains as to whether E.U. regulation is stifling technological innovation.