Home | Newsletters & Shorts | DW Weekly #101 – 6 March 2023

DW Weekly #101 – 6 March 2023

Geneva Internet Platform; digwatch Weekly; Capturing top digital policy news worldwide
DW Weekly #101 – 6 March 2023 9

Dear readers,

This week, we dive into the White House’s new cybersecurity strategy, which marks a fundamental shift away from a decades-long environment in support of self-regulation. In other news, the European Commission has halved its antitrust investigation on Apple’s marketplace practices, whereas China and India announce new plans for development and non-personal data. 

Happy March!

Stephanie and the Digital Watch team


USA’s new cybersecurity strategy: Big companies should take more responsibility for insecure software products and services

The White House’s new National Cybersecurity Plan, released last week, makes a major announcement: The US government will shift the burden of defending cyberspace to large tech manufacturers and software companies and away from individuals, small businesses, and local governments.

In essence, this means new laws – down the line – that will hold large companies accountable for failing to take reasonable precautions to secure their products and services. Down the line, because it’s not something that will be developed overnight. And with the presidential election in 2024, there’s only so much that can be achieved. (Let’s also wait for the strategy’s implementation plan to be published in a few months’ time).

And yet, this sets the tone for a fundamental shift away from a decades-long environment where the end users (you and me) have been facing the brunt of digital technologies vulnerable to viruses due to early releases or personal data breaches, which companies failed to adequately prevent. The idea is that companies that fail to meet specific standards will be held liable for any data losses or harm caused by cybersecurity errors that could have been avoided with more rigorous security. They will also be prevented from strong-arming their way out of liability just because they hold market power.

An updated cyber-social contract. This major shift in who should bear responsibility is what Kemba Walden, acting national cyber director, described as a change in America’s cyber-social contract. In a press briefing, Walden explained: ‘Today, across the public and private sectors, we tend to devolve responsibility for cyber risk downwards. We ask individuals, small businesses, and local governments to shoulder a significant burden for defending us all. This isn’t just unfair, it’s ineffective.’

Under this reimagined cyber-social contract, the division of tasks between governments and the private sector is quite clear. The strategy explains that ‘in a free and interconnected society, protecting data and assuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.’

On the other hand, ‘government’s role is to protect its own systems; to ensure private entities, particularly critical infrastructure, are protecting their systems; and to carry out core governmental functions such as engaging in diplomacy, collecting intelligence, imposing economic costs, enforcing the law, and, conducting disruptive actions to counter cyber threats.’

The days of self-regulation are numbered. The strategy’s heavy stance on regulation signals a break from two decades of efforts to get companies – including those in critical sectors – to voluntarily strengthen all aspects of their cybersecurity, both internally and in their products, databases, and services. 

Voluntary approaches to cybersecurity are no longer adequate, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger explained during an event in Washington. 

Coalitions for combating ransomware. You may all recall the Biden-Putin summit in Geneva in June 2021, which marked the start of cyber detente (we even ran a monthly newsletter on cyber detente). At the time, the two countries agreed to cooperate to deter ransomware criminal cells (of Russian origin or operating from Russia). Technical work was progressing, until it all went downhill just over a year ago. 

In lieu of such cooperation, the USA is working with its allies (such as through the Counter Ransomware Initiative) to pressure Russia and other countries to disrupt malicious behaviour. Through the new plan, the USA also hopes to strengthen these partnerships and carry out what the USA-Russia cyber detente failed to do, especially in combating ransomware.

Image shows a slightly open laptop with a dark background
DW Weekly #101 – 6 March 2023 10

Digital policy roundup (27 February – 6 March)

Apple convinces EU in antitrust probe

In a rare move, the European Commission dropped its complaint against Apple’s in-app purchase mechanism, which obliges music streaming app developers to use the proprietary system if they want to distribute paid content on iOS devices. 

This was one of two complaints. The second – the so-called anti-steering practice, which restricts app developers from informing iPhone and iPad users of alternative music subscription services – is still a concern for the commission’s ongoing anti-competition investigation. 

During an event last week, EU competition chief Margrethe Vestager said ‘We remain concerned about Apple’s anti-steering provisions and its impact on the music streaming market. But we refocused our competition concerns on the direct consumer impact.’

Senior European Commission and national competition officials held a hearing for Apple executives and complainants on 14 February, nine months after the commission sent its first set of objections. The case was initiated in 2020.


EDPB welcomes improvements under EU-US Data Privacy Framework, but concerns remain

The European Data Protection Board (EDPB), the EU’s data watchdog, wants to see the USA’s commitment to limiting US security agencies’ data collection activities not only on paper but also in practice. 

The EDPB’s non-binding opinion on the Draft Adequacy Decision (published by the European Commission in December) welcomes the improvements introduced by a recent executive order, which limits data collection to what is necessary and proportional. However, ‘close monitoring is needed concerning the practical application of the newly introduced principles of necessity and proportionality. Further clarity is also necessary regarding temporary bulk collection and the further retention and dissemination of the data collected in bulk,’ the watchdog said.

An adequacy decision will ultimately confirm that the data of European citizens can be transferred to the USA without additional safeguards.

The image shows a red fingerprint on a black background on which computer code is written in white.
DW Weekly #101 – 6 March 2023 11

Digital India Bill to introduce rules for non-personal data sharing

The Indian government is discussing new rules for non-personal data sharing under the draft Digital India law. The rules could include pricing for sharing anonymised data sets and provisions for free government access to boost the efficiency of the government’s welfare schemes.

A public consultation on the basic guiding principles and architecture of the upcoming law will take place on 9 March. Once the consultation process is concluded, the government will release a final draft for consultation. The law will replace the decades-old Information Technology Act.

Was this newsletter forwarded to you, and you’d like to see more?


China unveils plans for developing a digital China by 2035

China’s ambitious new plan for building a digital China by 2035 aims to place the country at the forefront of digital development worldwide. 

Under this new plan, China will apply digital technology more seriously to the economic sector, as well as to the agriculture, manufacturing, finance, education, medical services, transportation, and energy sectors.

On the global front, China also plans to continue participating in multilateral forums, and to cooperate on developing new international rules such as those related to cross-border data flows.

Chinese experts have said that more efforts were needed to strengthen the private sector’s role in the semiconductors sector and to cultivate globally competitive high-tech enterprises.

Image shows EU Commissioner for Competition Margrethe Vestager speaking at a podium
EU Commissioner for Competition Margrethe Vestager speaks at a podium
(File photo. Credit: European Parliament)

‘It is already time’, says EU competition chief

Speaking during a public event, EU Commissioner for Competition Margrethe Vestager hinted that European policymakers are already looking into metaverse policy. 

She said: ‘digital markets have not fulfilled their promise for small businesses to achieve scale and greater reach with fewer physical barriers to get in their way. We have certainly not been too quick to act – and this can be an important lesson for us in the future. We need to anticipate and plan for change, given the obvious fact that our enforcement and legislative process will always be slower than the markets themselves.  For example, it is already time for us to start asking what healthy competition should look like in the metaverse, or how something like ChatGPT may change the equation.’

// AI //

Can an AI machine be granted a patent for an invention?

This is the question which UK Supreme Court judges are deliberating after hearing arguments brought forward on appeal by American inventor Stephen Thaler.

The case involves two patent applications for two inventions which Thaler says were created by an AI machine he owns called Dabus (an acronym for Device for the Autonomous Bootstrapping of Unified Sentience). The case has already been dismissed by the High Court and the Court of Appeal, which ruled that patents cannot be awarded in cases where the inventor is not a natural person. 

Thaler’s attempts at similar applications have also been refused in the EU, the USA, and Australia but a patent was granted in South Africa.

The UK’s Supreme Court is expected to hand down a final judgement in the coming months.

In the image, one can see a drawing of two slightly overlapping human heads; one normal and the other with a computerised look.
DW Weekly #101 – 6 March 2023 12

The week ahead (6–12 March)

6 March: The EU commission’s next technical workshop with stakeholders on how to comply with the new Digital Markets Act will address app store-related aspects, including alternative in-app payment systems, steering (a practice which allows developers to inform users about other purchasing options) and sideloading (the process of installing an app which did not come from one of the two main app stores).

6 March: The 19th Annual State of the Net conference, taking place in Washington DC, will bring together internet stakeholders in government and in the private sector to talk about connectivity, cybersecurity, AI developments, and children’s privacy.

6–7 March: The Ad Hoc Committee on Cybercrime, tasked with advancing a new cybercrime convention, is holding the fourth intersessional stakeholder consultation in Vienna and online.

6–7 March: The Council of Europe and the Moroccan Ministry of Justice are jointly organising an international conference on strengthening cooperation on cybercrime and e-evidence in Africa.

6–10 March: The UN Open-Ended Working Group (OEWG), tasked with studying existing and potential threats to information security and possible confidence-building measures and capacity development, will hold its 4th substantive session in New York. Deeper discussions on the points of contact (PoC) directory are expected. There will be quite a few side events too.

6–17 March: The priority theme of the 67th session of the Commission on the Status of Women is ‘Innovation and technological change, and education in the digital age for achieving gender equality and the empowerment of all women and girls’.

7 March: The first ITU Forum on Embracing the metaverse, in Riyadh, Saudi Arabia, will begin ITU’s endeavour to promote metaverse pre-standardisation initiatives. The forum will be followed by the 1st meeting of the ITU-T Focus Group on metaverse on 8–9 March.

8–9 March: European trade association DIGITALEUROPE will host chief EU policymakers and leaders from the private sector for the two-day annual Masters of Digital

8–10 March: The first IGF 2023 Open Consultations and MAG meeting to start setting the programme for October’s meeting in Japan will take place in Vienna and online.  

9 March: Budget day in the USA.

10 March: The ongoing 52nd session of the UN Human Rights Council will include the annual discussion on the rights of the child in the digital age. Kids will take the floor. Consult the latest work programme for the full schedule.

10 March: European trade ministers meeting informally in Stockholm are expected to discuss EU-US trade relations in the context of ongoing work at the EU-US Trade and Technology Council (TTC).

10–12 March: The 2nd session of the European Commission citizens’ panel on the metaverse and other virtual worlds will ask people to identify, discuss and prioritise values and principles that should guide their development.

10–16 March: The ICANN76 Community Forum, to be held in Cancún, Mexico and online, will bring together ICANN supporting organisations, the advisory committee and the broader ICANN community to discuss ongoing issues on domain name system (DNS) management. Preparatory meetings took place last week.

Anastasiya Kazakova - EU CYBER RESILIENCE ACT: Enforcing cyber norms far beyond Europe
DW Weekly #101 – 6 March 2023 13

EU Cyber Resilience Act: Enforcing cyber norms far beyond Europe

A new article by our colleague Anastasiya Kazakova looks at the extra-territorial effect that the EU’s upcoming cybersecurity law, the Cyber Resilience Act, will have on products and services developed by the private sector for citizens (these points are also potentially applicable to new US laws imposing liability for cybersecurity flaws once they materialise). Assuming that companies decide not to lower the bar for non-EU users, the new rules will mean that users worldwide will benefit from these stricter requirements. Moreover, EU member states adopting these rules will also contribute to implementing at least three of the norms on responsible state behaviour.

Stephanie Borg Psaila
Director Digital Policy, DiploFoundation

Was this newsletter forwarded to you, and you’d like to see more?