Sam Jungyun Choi

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous vehicles. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Sam advises leading technology, software and life sciences companies on a wide range of matters relating to data protection and cybersecurity issues. Her work in this area has involved advising global companies on compliance with European data protection legislation, such as the General Data Protection Regulation (GDPR), the UK Data Protection Act, the ePrivacy Directive, and related EU and global legislation. She also advises on a variety of policy developments in Europe, including providing strategic advice on EU and national initiatives relating to artificial intelligence, data sharing, digital health, and online platforms.

From February 17, 2024, the Digital Services Act (“DSA”) will apply to providers of intermediary services (e.g., cloud services, file-sharing services, search engines, social networks and online marketplaces). These entities will be required to comply with a number of obligations, including implementing notice-and-action mechanisms, complying with detailed rules on terms and conditions, and publishing transparency reports on content moderation practices, among others. For more information on the DSA, see our previous blog posts here and here.

As part of its powers conferred under the DSA, the European Commission is empowered to adopt delegated and implementing acts* on certain aspects of implementation and enforcement of the DSA. In 2023, the Commission adopted one delegated act on supervisory fees to be paid by very large online platforms and very large online search engines (“VLOPs” and “VLOSEs” respectively), and one implementing act on procedural matters relating to the Commission’s enforcement powers. The Commission has proposed several other delegated and implementing acts, which we set out below. The consultation periods for these draft acts have now passed, and we anticipate that they will be adopted in the coming months.

Pending Delegated Acts

  • Draft Delegated Act on Conducting Independent Audits. This draft delegated act defines the steps that designated VLOPs and VLOSEs will need to follow to verify the independence of the auditors, particularly setting the rules for the procedures, methodology and templates used. According to the draft delegated act, designated VLOPs and VLOSEs should be subject to their first audit at the latest 16 months after their designation. The consultation period for this draft delegated act ended on June 2, 2023.
  • Draft Delegated Act on Data Access for Research. This draft delegated act specifies the conditions under which vetted researchers may access data from VLOPs and VLOSEs. The consultation period for this draft delegated act ended on May 31, 2023.

In a new strategy published on July 11, the European Commission has identified Web 4.0 and virtual worlds—often also referred to as the metaverse—as having the potential to transform the ways in which EU citizens live, work and interact.  The EU’s strategy consists of ten action points addressing four themes drawn from the Digital Decade policy programme and the Commission’s Connectivity package: (1) People and Skills; (2) Business; (3) Government (i.e., public services and projects); and (4) Governance.

The European Commission’s strategy indicates that it is unlikely to propose new regulation in the short to medium-term: indeed, European Competition Commissioner Margrethe Vestager has recently warned against jumping to regulation of virtual worlds as the “first sort of safety pad.” Instead, the Commission views its framework of current and upcoming digital technology-related legislation (including the GDPR, the Digital Services Act, the Digital Markets Act and the proposed Markets in Crypto-Assets Regulation) to be applicable to Web 4.0 and virtual worlds in a “robust” and “future-oriented” manner.

What Are Virtual Worlds and Web 4.0?

The Commission defines virtual worlds as being “persistent, immersive environments, based on technologies including 3D and extended reality (XR), which make it possible to blend physical and digital worlds in realtime, for a variety of purposes.” It considers Web 4.0 to be the “fourth generation of the World Wide Web,” which will feature “advanced artificial and ambient intelligence, the internet of things, trusted blockchain transactions, virtual worlds and XR capabilities.” These will enable digital and real objects to integrate and communicate with each other to “seamlessly blen[d] the physical and digital worlds.” According to Internal Market Commissioner Thierry Breton, the EU will “connect virtual world developers with industry users, invest in the uptake and scale-up of new technologies, and give people the tools and the skills to safely and confidently use virtual worlds.” The EU is keen to ensure that it establishes itself as a leader in Web 4.0 and virtual worlds, and that the emerging metaverse reflects EU values, principles, and fundamental rights. The strategy is the latest in a series of metaverse-related EU initiatives and announcements.

Late yesterday, the EU institutions reached political agreement on the European Data Act (see the European Commission’s press release here and the Council’s press release here).  The proposal for a Data Act was first tabled by the European Commission in February 2022 as a key piece of the European Strategy for Data (see our

There is a flurry of new EU initiatives to regulate the metaverse. Last week, the European Commission launched a public consultation (open until May 3, 2023) to “develop a vision for emerging virtual worlds (e.g. metaverses), based on respect for digital rights and EU laws and values” such that “open, interoperable and innovative virtual worlds … can be used safely and with confidence by the public and businesses.” This initiative follows closely on another EU public consultation on allocating costs of expanding network infrastructure (open until May 19, 2023). As explained by the EU’s internal market commissioner, Thierry Breton, the increased data required by new technologies such as the metaverse necessitates transforming the underlying digital infrastructure. Separately, Commission President Ursula von der Leyen launched last September a non-legislative initiative on the metaverse. Similarly, the European Parliament is also working on its own-initiative report on opportunities, risk and policy implications for the metaverse.

As EU officials grapple with potential regulatory constraints as well as policy building blocks for the metaverse, they will need to address issues common across the globe: how to take advantage of the technological inflection point offered by the metaverse, while ensuring competition, privacy, and cybersecurity, among the many legal topics raised by the metaverse.

Metaverse Prospects

This rapidly increasing regulatory attention is unsurprising as the metaverse is estimated to generate up to $5 trillion in global market impact by 2030 and already in 2022, investments into the metaverse doubled compared to the previous year, reaching over $120 billion. As a multifaceted and complex digital ecosystem, the metaverse provides a wide array of investment opportunities as, in principle, nearly anything done physically could be done meta.

In 2022, the European Union announced the creation of Digital Partnerships with three Asian countries: Japan, South Korea and Singapore. This is in line with the EU’s Digital Compass strategy which seeks to make the European Union the most connected continent by 2030. The European Commission is expanding its connections between Europe and the rest of the world to address the digital divide and further develop a sustainable digital economy with trusted partners.

Below we set out the key points from the Digital Partnerships that the European Commission has announced with Japan, South Korea and Singapore, respectively.

EU-Japan Digital Partnership

During the EU-Japan Summit organised on May 12, 2022, the European Union and Japan concluded the EU-Japan Digital Partnership, the first digital cooperation initiative to advance economic growth and provide a safe and inclusive space to solve digital issues. This effort furthers the “Data Free Flow with Trust” agenda, aimed at facilitating safe and secure cross-border data flows.

The EU-Japan Partnership will also focus on the following areas:

  • 5G/6G technologies;
  • Ethical considerations for Artificial Intelligence (“AI”);
  • Global supply chains in the semiconductor industry;
  • Green data infrastructures and data innovation;
  • Development of digital skills for private and public sectors; and
  • Facilitation of digital trade and application of global interoperable standards.

As part of the common vision, the Digital Partnership identified a number of key action items, as follows:

  • Collaborating on the development of innovative technologies through research;
  • Implementing concrete pilot projects in cutting-edge areas such as AI and digital identity;
  • Establishing mechanisms for international collaboration and common approaches to digital transformation; and
  • Developing common principles and rules through regulatory cooperation on key technology enablers for digital trade.

All the above will reflect the highest standards of data protection and follow the objectives set out by the EU-Japan mutual adequacy arrangement. The implementation of the EU-Japan Digital Partnership will start in 2023 and the countries will review their targets and progress on an annual basis.

EU-South Korea Digital Partnership

On November 28, 2022, the European Union and the Republic of Korea launched a new Digital Partnership to boost the cooperation between the two countries in the digital field. This collaboration will mainly focus on:

  • Semiconductors;
  • Next generation mobile networks;
  • Quantum technology;
  • High Performance Computing (“HPC”);
  • Cybersecurity;
  • AI;
  • Digital platforms and standardization; and
  • Data and digital skills.

The key action items from the EU-Korea Digital Partnership include:

  • Engaging in collaborative research activities, facilitating access to, and participation in, international standardisation relating to emerging technologies in the digital sector.
  • The sharing of information on: (i) cybersecurity threats and other aspects of cybersecurity, (ii) data-related laws and systems, which build on the existing adequacy decision that the European Commission granted to Korea (and ensuring free flow of data between Korea and the EU) and working towards identifying commonalities between their existing regulatory approaches, (iii) views on a 6G roadmap and future 6G spectrum needs, (iv) the laws and systems aimed at the development and global use of trustworthy and human-centric AI (e.g., definitions, use cases, high risk AI applications, and response measures) and coordinating positions on AI governance, (v) platform policies, and (vi) approaches to protectionist measures in the digital space.
  • The Digital Partnership will also establish a Korea-EU forum for semiconductor researchers to (i) discuss and share information on the latest technologies and trends, (ii) identify gaps and potential disruptions to the global supply chain, and (iii) explore potential opportunities for international standardisation of trusted chips and chip security.

EU-Singapore Digital Partnership

The European Union and Singapore announced on December 15, 2022 a new partnership that will focus on the digital sector and its issues. The EU-Singapore Digital Partnership will be formally signed and launched in 2023 and aims at reinforcing existing relationships between the European Union and Singapore in the digital realm to achieve sustainable economic growth. The collaboration will focus on the following digital issues:

  • Trade facilitation;
  • Trusted data flows and data innovation;
  • Digital trust and standards;
  • Digital skills for workers;
  • Digital transformation of businesses and public services; and
  • Emerging technologies (e.g. 5G/6G, AI and digital identities).

In contrast to the other partnerships, the EU-Singapore Digital Partnership is the first one to agree on the development and application of Digital Trade Principles (“Principles”). These Principles are designed to provide a common framework for digital strategies, which will in turn be used to contribute to the ongoing OECD discussions on establishing rules regarding electronic commerce.

What are the next steps?

In announcing these Digital Partnerships, EU Commissioner Thierry Breton mentioned that these Digital Partnerships are likely to:

  • impact recent EU proposals, such as the EU Chips Act or AI Act; and
  • help achieve interoperability between the EU and Asia, as the EU Commission and ASEAN countries continue to cooperate in the digital space.

As mentioned above, all three Digital Partnerships will be formally launched in 2023. We expect that the Digital Partnerships will be used as a strategic pathfinder for closer region-to-region digital connectivity and to develop enhanced cooperation with other ASEAN countries such as Thailand and Malaysia, among others.

If you would like to learn more about these Digital Partnerships, or how Covington could help you participate in related policy initiatives, please do not hesitate to contact us.

Facial recognition technology (“FRT”) has attracted a fair amount of attention over the years, including in the EU (e.g., see our posts on the European Parliament vote and CNIL guidance), the UK (e.g., ICO opinion and High Court decision) and the U.S. (e.g., Washington state and NTIA guidelines). This post summarizes two recent developments in this space: (i) the UK Information Commissioner’s Office (“ICO”)’s announcement of a £7.5-million fine and enforcement notice against Clearview AI (“Clearview”), and (ii) the EDPB’s release of draft guidelines on the use of FRT in law enforcement.

I. ICO Fines Clearview AI £7.5m

In the past year, Clearview has been subject to investigations into its data processing activities by the French and Italian authorities, and a joint investigation by the ICO and the Australian Information Commissioner. All four regulators held that Clearview’s processing of biometric data scraped from over 20 billion facial images from across the internet, including from social media sites, breached data protection laws.

On 26 May 2022, the ICO released its monetary penalty notice and enforcement notice against Clearview. The ICO concluded that Clearview’s activities infringed a number of the GDPR and UK GDPR’s provisions, including:

  • Failing to process data in a way that is fair and transparent under Article 5(1)(a) GDPR. The ICO concluded that people were not made aware or would not reasonably expect their images to be scraped, added to a worldwide database, and made available to a wide range of customers for the purpose of matching images on the company’s database.
  • Failing to process data in a way that is lawful under the GDPR. The ICO ruled that Clearview’s processing did not meet any of the conditions for lawful processing set out in Article 6, nor, for biometric data, in Article 9(2) GDPR.
  • Failing to have a data retention policy and thus being unable to ensure that personal data are not retained for longer than necessary under Article 5(1)(e) GDPR. There was no indication as to when (or whether) any images are ever removed from Clearview’s database.
  • Failing to provide data subjects with the necessary information under Article 14 GDPR. According to the ICO’s investigation, the only way in which data subjects could obtain that information was by contacting Clearview and directly requesting it.
  • Impeding the exercise of data subject rights under Articles 15, 16, 17, 21 and 22 GDPR. In order to exercise these rights, data subjects needed to provide Clearview with additional personal data, by providing a photograph of themselves that can be matched against the Clearview Database.
  • Failing to conduct a Data Protection Impact Assessment (“DPIA”) under Article 35 GDPR. The ICO found that Clearview failed at any time to conduct a DPIA in respect of its processing of the personal data of UK residents.

On April 28, 2022, Covington convened experts across our practice groups for the Covington Robotics Forum, which explored recent developments and forecasts relevant to industries affected by robotics. Sam Jungyun Choi, Associate in Covington’s Technology Regulatory Group, and Anna Oberschelp, Associate in Covington’s Data Privacy & Cybersecurity Practice Group, discussed global regulatory trends that affect robotics, highlights of which are captured here. A recording of the forum is available here until May 31, 2022.

Trends on Regulating Artificial Intelligence

According to the Organization for Economic Cooperation and Development Artificial Intelligence Policy Observatory (“OECD”), since 2017, at least 60 countries have adopted some form of AI policy, a torrent of government activity that nearly matches the pace of modern AI adoption. Countries around the world are establishing governmental and intergovernmental strategies and initiatives to guide the development of AI. These AI initiatives include: (1) AI regulation or policy; (2) AI enablers (e.g., research and public awareness); and (3) financial support (e.g., procurement programs for AI R&D). The anticipated introduction of AI regulations raises concerns about looming challenges for international cooperation.

On 22 September 2021, the UK Government published its 10-year strategy on artificial intelligence (“AI”; the “UK AI Strategy”).

The UK AI Strategy has three main pillars: (1) investing and planning for the long-term requirements of the UK’s AI ecosystem; (2) supporting the transition to an AI-enabled economy across all sectors and regions