Blanca Escribano Cañas
EY Law, Madrid
blanca.escribano.canas@es.ey.com

Vittorio Noseda
ADVANT-Nctm, Milan
vittorio.noseda@advant-nctm.com

Africa

Africa is a diverse continent of 55 countries with diverse legal systems, economies, languages and cultures. As the largest continent with the richest land mass, youngest population, an estimated gross domestic product (GDP) of $2.6tn (2019) and significant potential for growth, it has been touted as the ‘last frontier for global growth’. And this is evident in the significant efforts to develop and create an enabling legal environment for the communications sector – which has been one of the key catalysts to economic development.

The communications sector in the continent continues to witness sustained accelerated structural, policy and legal reforms. Most of the recent reforms have been undertaken at the African Union level by the development and promotion of a comprehensive data policies, digital ID interoperability frameworks, artificial intelligence (AI) strategy, and development of e-commerce and digital trade protocols to facilitate the implementation of the Africa Continental Free Trade Agreement (AfCFTA). One of the identified challenges that continues to undermine continental growth especially in the area of communications has been around the lack of harmonised legal frameworks. In recent years, therefore, the African Union championed several efforts to facilitate and enable the harmonisation efforts.

On the development of laws, the continent is seeing growth in the area of cybersecurity, data protection, data and other emerging technologies. More countries and regions of the continent are also looking at the development of policies or strategies on big data and AI. While these efforts have not yet culminated into laws, some point to the development of laws in the future.

The continent is also experiencing some mergers and acquisitions in communication service operations, leading to a reduction in the number of operators that the growth in the sector witnessed in the last two decades. There is also growth in infrastructure sharing among communication service providers, as a result of the intensive competition in the industry fuelled also by the dynamic legal frameworks adopted. Major communication service providers are also diversifying their operations from traditional telecommunications services to technology companies looking at harmonising digital platforms across Africa.

Information and communications technology (ICT) no doubt plays a significant role in Africa’s Agenda 2063 to transform the continent into a ‘global powerhouse of the future’. As efforts continue towards these goals, many African countries are progressing to develop innovative communications laws and implementation strategies to facilitate and enable such growth.

Asia

People’s Republic of China

China has established its Personal Information Protection Law (PIPL), complementing its Cybersecurity Law and Data Security Law, to regulate the handling of personal information of natural persons within China. The PIPL will also apply to certain activities targeting persons in China even if carried out from outside China. The PIPL establishes various obligations in relation to personal information, such as requiring a legal basis for data collection, obtaining consent and enhanced protection for sensitive data (including personal information of minors under the age of 14). Individuals also have rights to correct, delete and view or transfer the data collected about them. Overseas transfers of personal data outside of China are also regulated.

Republic of India

In India, the much-anticipated Personal Data Protection Bill was withdrawn by the Indian Government in August 2022. The bill had been controversial as apart from enhancing the rights of data subjects, it sought to impose strict rules on cross-border data flows, and also empowered the government to obtain user data records. A government notice indicated that the parliamentary panel’s review of the 2019 bill highlighted that many amendments were needed, such that there was a need or for a new ‘comprehensive legal framework’, and the government will now present a new bill.

Japan

In 2021, Japan amended its Telecommunications Business Act (TBA) to establish a regulatory framework for telecommunications companies operating in Japan. The TBA requires any foreign entity which provides telecommunications services to persons in Japan, including where services are provided in Japanese, or paid for in Japanese yen (JPY), or promoted in Japan, to file a notification with the Minister of Internal Affairs and Communications as a foreign telecommunication business operator, appoint a local representative or agent in Japan, and be subject to other regulations applicable to local telecommunications operators. This applies even if the entity does not have telecommunications facilities or offices in Japan. Further amendments have been introduced in 2022 to impose requirements on online business operators regulating transmission of user related information (URI), including as to notification, consent and opt-outs.

Malaysia

Malaysia’s 5G rollout can now move forward after all of the nation’s six main mobile network operators (MNOs) have finally taken equity stakes in a state-controlled 5G wholesale provider, Digital Nasional Berhad (DNB). The 5G roll out in Malaysia has been long delayed on account of negotiations over the ownership stakes the MNOs could have in DNB.

In press reports, the Finance Minister, Tengku Zafrul Aziz, said finalising terms that outline issues – such as network quality, dispute resolution and, most crucially, cost – was targeted for the end of October 2022, and the shareholders of DNB are required to purchase 5G capacity from it. The single wholesale provider structure has been controversial as the leading MNOs had been opposed to it, while the government insisted that it was necessary to reduce duplication of costs.

Republic of Singapore

Singapore is exploring mandatory registration of organisations using Sender IDs in short message service (SMS) texts to combat a rise in scams. Sender IDs allow text messages to be identified as originating from particular senders as opposed to phone numbers. While a Singapore SMS Sender ID Registry (SSIR) was established in March 2022 allowing for texts that spoofed/made use of registered IDs on the SSIR to be blocked, this was a voluntary scheme, such that spoofed texts may still be received with non-registered Sender IDs (eg, where organisations using those Sender IDs have chosen not to register, or the Sender IDs are not claimed by any organisation). The Infocomm Media Development Authority (IMDA) has thus announced making SSIR registration a requirement for organisations that use Sender IDs (ie, a full registration regime), such that only registered Sender IDs will be allowed and all other non-registered Sender IDs will be blocked as a default.

Australia

Following the election in early 2022 of a new federal government, a shake-up of Australia’s communications related regulation over the next few years is likely. In the area of infrastructure, the government has shelved plans to privatise NBN, the state-owned enterprise that operates Australia’s national broadband network, providing wholesale services to retailers. Instead, it has committed to make further capital investment in the network to provide higher broadband speeds for more consumers, including in regional and remote Australia. It has also made clear to the Australian Competition and Consumer Commission (ACCC), which regulates NBN’s pricing, that it expects lower wholesale prices, that should be passed on to consumers by retailers.

The ACCC will report to the new government in late 2022 on whether specific regulation is required for digital platforms to address both competition and consumer protection concerns. Such regulation may be on terms similar to the EU’s Digital Markets Act and Digital Services Act, the development of which has been watched from Australia with great interest. The new government is likely to be more enthusiastic in implementing such reforms than the previous government, which had expended significant effort in battling Google and Meta in 2021 over the implementation of Australia’s news media bargaining code, which required those platforms to pay publishers for the use of news content. These digital-platform-specific regulatory reforms will be implemented at approximately the same time as reforms of Australia’s Privacy Act, which the government proposes to modernise to ensure it is fit for purpose in the current digital age when vast quantities of information are collected about individuals online.

The government has also announced an ambitious agenda to reform media laws, starting with content regulation. Early initiatives include a proposal to regulate prominence to ensure Australian free-to-air broadcasting services are easily discoverable on connected devices and an indication that steps will be taken to impose binding commitments on large international streaming services to produce Australian content.

European Union

The European Electronic Communications Code (EECC), which entered into force in December 2018, revised and updated the EU telecommunications regulatory framework that had applied since 2002. The deadline to implement this piece of legislation into national laws was 21 December 2020. However, many Member States failed to complete the transposition within the deadline and on 6 April 2022 the European Commission referred ten Member States (Croatia, Ireland, Latvia, Lithuania, Poland, Portugal, Romania, Slovenia, Spain and Sweden) to the Court of Justice of the European Union for this reason. The first review of the functioning of the EECC will be published by the Commission in December 2025, and every five years thereafter.

On the other hand, the EU’s efforts to adapt the regulations to the digital age are still under way. Several significant proposals are currently in different stages of the legislative process and, once finally enacted, they will complete the increasingly complex regulatory framework in the EU. Such is the case of the Artificial Intelligence Act (which introduces rules for the placing on the market, putting into service and use of AI systems), the Data Act (which regulates access and use of data, clarifying who can create value from data and under which conditions), the Digital Services Act (which regulates online services and platforms) and the Digital Markets Act (which focuses on large online platforms who act as ‘gatekeepers’ in digital markets).

These upcoming laws – together with the General Data Protection Regulation (GDPR) (which governs the processing of personal data) and the recent Data Governance Act (in force since June 2022 and applicable as from September 2023, and which intends to promote and facilitate data sharing by companies, individuals and the public sector) – will shape what has been called the hexagram of EU digital constitutionalism.^[1] This concept essentially refers to a framework under which fundamental rights are properly protected in the digital environment, and the mentioned six regulations (the hexagram) are the core of such framework.

Other recent remarkable initiatives, published in September 2022, are the proposal for a Directive on adapting non contractual civil liability rules to artificial intelligence and the proposal for revision of the Product Liability Directive, that aim at adapting the liability rules to the digital age, the circular economy business models and global value chains.

With regard to cybersecurity, the proposal for a Cyber Resilience Act, which introduces cybersecurity requirements for products with digital elements, was also presented in September 2022. The proposal for a revised Directive on Security of Network and Information Systems (‘NIS 2 Directive’) and the proposal for a directive on the resilience of critical entities are also yet to be adopted.

As regards the media landscape, in May 2022 the European Commission decided to refer five Member States (Czechia, Ireland, Romania, Slovakia and Spain) to the Court of Justice of the European Union over the failure to transpose the revised Audiovisual Media Services Directive, which lays down EU rules governing audio-visual media and which had to be officially implemented into national laws in September 2020. In addition, the Commission has recently presented a proposal for a European Media Freedom Act, introducing a number of rules to protect media pluralism and independence in the EU.

Latin America (except Mexico)

Latin American (LATAM) countries are experiencing exponential changes within the technology, media and telecom environment. From the infrastructure side, several countries are either analysing or implementing legal and regulatory frameworks related to critical telecommunications infrastructure, cybersecurity and data treatment. Regarding telecommunications services, some countries (eg, Chile) are swiftly deploying the first stage of commercial 5G networks, while others are moving forward with the rollout. Also, governmental agencies are amending their regulatory rules regarding the irruption of new satellite services. From the technology and media standpoint, the increase in data flow has caused a ‘rethinking’ of the gaming, over-the-top, and advertisement industries, compelling legislators and regulatory authorities to build solid rules mainly related to online sport betting, gambling, and taxes associated with digital services.

North America

Canada

Canada is currently considering multiple tech and telecom law changes. Among them are a government proposal to address online harms. Under the proposed rules, a digital safety commissioner would help enforce a new regime that requires social media companies to weed out child pornography, terrorist content, hate speech and other harmful posts. Also under consideration is legislation to require digital platforms like Google and Facebook to pay Canadian media outlets for allowing links to news content on their platforms. And, like the United States, Canada is focused on cybersecurity. The government is considering legislation that would promote the security of the Canadian telecommunications system, including taking measures with respect to high-risk suppliers, as well as information sharing and enforcement powers.

Mexico

In Mexico, the Congress is considering a bill to amend the Federal Telecommunications and Broadcasting Law to require over-the-top platforms that provide video and streaming services to include 30 per cent Mexican content. The Congress is also considering several other bills that would regulate content for underage persons and protect free speech rights for content creators.

United States

In the US, there is a lot of talk but not a lot of action on telecom and tech. The Federal Communications Commission (FCC) remains short one Commissioner, leaving a two–two Democrat-Republican split. Unless and until a fifth Commissioner is put in place, the agency cannot take on controversial topics, such as the return of net neutrality regulation. The FCC and other government agencies are thus focused primarily on administering massive subsidies to promote the consensus goal of ensuring that high-speed broadband is available to all people in the nation and strengthening cybersecurity in the telecom supply chain. Meanwhile, Congress and the Federal Trade Commission (FTC) are considering national privacy and data security protections, which are currently done largely on a state-by-state basis, though consensus may be elusive in Congress, and it is unclear that the FTC has the necessary legal authority. Congress is also considering banning Big Tech companies from favouring their own services in an anticompetitive way (eg, Apple would have to allow third-party payment systems, and Google could not prioritise its reviews over others in search results). But, as with privacy, it is unclear whether there will be consensus, and the coming autumn congressional elections make getting anything done at this time more difficult.

United Kingdom

Regarding the cloud computing landscape, Ofcom has launched a market study under the Enterprise Act 2002 on ‘hyperscalers’, including Amazon, Microsoft and Google (which together generate around 81 per cent of revenues in the UK public cloud infrastructure services market) in cloud services to ensure that the above-mentioned entities do not infringe UK competition law. Over the next year, Ofcom will also start a broader programme of work to examine other digital markets, including online personal communication apps and devices for accessing audio-visual content, for example, looking at how services such as WhatsApp, FaceTime and Zoom are affecting the role of traditional calling and messaging.

Regarding security obligations, the Telecommunications (Security) Act (TSA) became law in November 2021, introducing new security duties on providers of public electronic communications networks and services to identify and reduce security risks and address any adverse effects of security compromises. Pursuant to the TSA, the government has powers to make regulations and issue codes of practice in order to help providers focus their security efforts and provide detailed technical guidance on how providers can meet their security obligations. In this context, the Government issued the Electronic Communications (Security Measures) Regulations (the ‘Regulations’) and the Telecommunications Security Code of Practice (the ‘Code’) in draft form and held a public consultation on the Regulations and the Code between 1 March and 10 May 2022, seeking feedback from industry and stakeholders. Final versions of the Regulations and the Code are expected to be published in October/November 2022.

Regarding data protection, on 18 July 2022, the UK government introduced the Data Protection and Digital Information Bill to Parliament. The Bill sets out the proposed reforms to the existing UK GDPR, UK Data Protection Act and Privacy and Electronic Communications Regulations.

While as currently drafted the Bill seems to maintain the majority of the key principles that underpin the UK data protection law framework, it is apparent that it also seeks to modify certain key provisions in relation to accountability, lawful grounds for processing, data subject access requests and cookies. As a result of the death of Her Majesty Queen Elizabeth II, the second reading of the Bill has been postponed.

* Special thanks for their contributions to this to informative and forward-looking report from around the world also go to:

• Lam Chung Nian, Wong Partnership, Singapore
• Alfonso Silva, Carey, Santiago (Chile)
• Teki Akuetteh, Nsiah Akuetteh & Co, Accra
• Samuel L Feder (Sam), Jenner & Block, Washington DC
• Angela Flannery, Holding Redlich, Sydney
• Diane Mullenex, Pinsent Masons, London