Sam Jungyun Choi

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such as AI, digital health, and autonomous vehicles.

Sam is an expert on the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act, having advised on these laws since they started to apply. In recent years, her work has evolved to include advising companies on new data and digital laws in the EU, including the AI Act, Data Act and the Digital Services Act.

Sam's practice includes advising leading companies in the technology, life sciences and gaming sectors on regulatory, compliance and policy issues under laws relating to privacy and data protection, digital services and AI. She advises clients on designing new products and services, preparing privacy documentation, and developing data and AI governance programs. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

On 29 June 2024, the Net-Zero Industry Act (“NZIA”) entered into force.  The primary aim of the NZIA is to ensure that the EU has access to secure and sustainable net-zero technologies by scaling up their manufacturing capacity within the EU.

Here are the key takeaways:

  • The NZIA focuses on 19 Net-Zero Technologies (“NZTs”), including renewable fuels of non-biological origin (“RFNBOs”), solar, wind, nuclear, batteries, and carbon capture and carbon storage technologies.  The Regulation sets non-binding benchmarks for 40% local production of such technologies by 2030 and 15% global market share by 2040.  
  • To reach those benchmarks, Net-Zero Technologies Manufacturing Projects (“NZT Manufacturing Projects”) will benefit from streamlined permitting procedures.  Further, NZT Manufacturing Projects that are deemed “strategic” will benefit from expedited permitting timelines.
  • The NZIA introduces a target of achieving an annual injection capacity of at least 50 million tons of CO2 by 2030.  Oil and gas producers identified by Member States must contribute to this target, according to a proportion to be defined by the Commission for each individual producer.  Member States must adopt penalties for non-compliance.
  • National public procurement procedures for NZT Manufacturing Projects must include requirements for achieving a minimum level of environmental sustainability, to be set out in future implementing regulations.  In addition, for any given NZT Manufacturing Project, the contracting authorities and entities must consider the project’s so-called “resilience contribution”, which relates to supply chain diversification.  When the majority (or a near majority) of a specific net-zero technology (or any of its main components) originates from a third country, the contracting authority or entity must impose specific public procurement conditions to reduce dependency on that country.
  • Auctions to deploy renewable energy sources and schemes that incentivize households, companies, and consumers to purchase NZT final products must also be designed to favor bidders that contribute to increasing the sustainability and resilience of the supply of NZTs within the EU.
  • Member States may establish regulatory sandboxes, i.e., schemes enabling companies to test technologies in a controlled real-world environment under monitoring by a competent authority.

Continue Reading The EU Net-Zero Industry Act enters into force

On 23 May 2024, the EU’s Critical Raw Materials Act (“CRMA”) entered into force.  The Regulation’s adoption within just one year after it was first proposed in March 2023 signals the EU’s political commitment to strengthen Europe’s strategic autonomy on the supply of Strategic Raw Materials (“SRMs”) and the broader category of “Critical Raw Materials” (“CRMs”).   

Here are the key takeaways for companies:

  • The CRMA sets non-binding capacity targets within the EU for the extraction, processing, refining, and recycling of SRMs that are key to achieving the green and digital transition.
  • To reach such targets, the CRMA empowers the European Commission (“the Commission”) to recognize projects that extract, process, refine or recycle SRMs, including projects outside the EU, as Strategic Projects (“SPs”) so that they may benefit from easier access to financing, expedited permitting process, and matchmaking with off-takers.  The Commission is expected to recognize the first SPs by the end of 2024.
  • The Commission must monitor disruption risks and propose mitigation measures, if needed, to ensure a secure supply of CRMs.  To enable the Commission to do this effectively, companies may be subject to new specific obligations, such as participating in surveys, carrying out risk assessments of SRMs supply chains, mitigating possible vulnerabilities, reporting on the implementation and the financing of their SPs, labelling some products, and recycling a minimum content of permanent magnets.  
  • The Commission will also create and operate a Joint Purchasing Mechanism to aggregate the demand of interested EU off-takers consuming SRMs and seek offers from suppliers to match that aggregated demand.

Critical and Strategic Raw Materials and Capacity Targets

SRMs are indispensable raw materials for strategic sectors that facilitate transition to a greener, digital economy.  They are characterized by high forecasted demand growth and significant challenges in scaling up production in Europe to meet such demand.  Annex I to the CRMA lists 17 SRMs, including copper, gallium, lithium, manganese, and titanium metal.

Continue Reading The EU Critical Raw Materials Act enters into force

From February 17, 2024, the Digital Services Act (“DSA”) will apply to providers of intermediary services (e.g., cloud services, file-sharing services, search engines, social networks and online marketplaces). These entities will be required to comply with a number of obligations, including implementing notice-and-action mechanisms, complying with detailed rules on terms and conditions, and publishing transparency reports on content moderation practices, among others. For more information on the DSA, see our previous blog posts here and here.

As part of its powers conferred under the DSA, the European Commission is empowered to adopt delegated and implementing acts* on certain aspects of implementation and enforcement of the DSA. In 2023, the Commission adopted one delegated act on supervisory fees to be paid by very large online platforms and very large online search engines (“VLOPs” and “VLOSEs” respectively), and one implementing act on procedural matters relating to the Commission’s enforcement powers. The Commission has proposed several other delegated and implementing acts, which we set out below. The consultation periods for these draft acts have now passed, and we anticipate that they will be adopted in the coming months.

Pending Delegated Acts

  • Draft Delegated Act on Conducting Independent Audits. This draft delegated act defines the steps that designated VLOPs and VLOSEs will need to follow to verify the independence of the auditors, particularly setting the rules for the procedures, methodology and templates used. According to the draft delegated act, designated VLOPs and VLOSEs should be subject to their first audit at the latest 16 months after their designation. The consultation period for this draft delegated act ended on June 2, 2023.
  • Draft Delegated Act on Data Access for Research. This draft delegated act specifies the conditions under which vetted researchers may access data from VLOPs and VLOSEs. The consultation period for this draft delegated act ended on May 31, 2023.

Continue Reading Draft Delegated and Implementing Acts Pursuant to the Digital Services Act

In a new strategy published on July 11, the European Commission has identified Web 4.0 and virtual worlds—often also referred to as the metaverse—as having the potential to transform the ways in which EU citizens live, work and interact.  The EU’s strategy consists of ten action points addressing four themes drawn from the Digital Decade policy programme and the Commission’s Connectivity package: (1) People and Skills; (2) Business; (3) Government (i.e., public services and projects); and (4) Governance.

The European Commission’s strategy indicates that it is unlikely to propose new regulation in the short to medium-term: indeed, European Competition Commissioner Margrethe Vestager has recently warned against jumping to regulation of virtual worlds as the “first sort of safety pad.” Instead, the Commission views its framework of current and upcoming digital technology-related legislation (including the GDPR, the Digital Services Act, the Digital Markets Act and the proposed Markets in Crypto-Assets Regulation) to be applicable to Web 4.0 and virtual worlds in a “robust” and “future-oriented” manner.

What Are Virtual Worlds and Web 4.0?

The Commission defines virtual worlds as being “persistent, immersive environments, based on technologies including 3D and extended reality (XR), which make it possible to blend physical and digital worlds in realtime, for a variety of purposes.”  It considers Web 4.0 to be the “fourth generation of the World Wide Web,” which will feature “advanced artificial and ambient intelligence, the internet of things, trusted blockchain transactions, virtual worlds and XR capabilities.”  These will enable digital and real objects to integrate and communicate with each other to “seamlessly blen[d] the physical and digital worlds.”  According to Internal Market Commissioner Thierry Breton, the EU will “connect virtual world developers with industry users, invest in the uptake and scale-up of new technologies, and give people the tools and the skills to safely and confidently use virtual worlds.”  The EU is keen to ensure that it establishes itself as a leader in Web 4.0 and virtual worlds, and that the emerging metaverse reflects EU values, principles, and fundamental rights. The strategy is the latest in a series of metaverse-related EU initiatives and announcements.

Continue Reading European Commission Publishes New Strategy on Virtual Worlds

Late yesterday, the EU institutions reached political agreement on the European Data Act (see the European Commission’s press release here and the Council’s press release here).  The proposal for a Data Act was first tabled by the European Commission in February 2022 as a key piece of the European

Continue Reading Political Agreement Reached on the European Data Act

There is a flurry of new EU initiatives to regulate the metaverse. Last week, the European Commission launched a public consultation (open until May 3, 2023) to “develop a vision for emerging virtual worlds (e.g. metaverses), based on respect for digital rights and EU laws and values” such that “open, interoperable and innovative virtual worlds … can be used safely and with confidence by the public and businesses.” This initiative follows closely on another EU public consultation on allocating costs of expanding network infrastructure (open until May 19, 2023). As explained by the EU’s internal market commissioner, Thierry Breton, the increased data required by new technologies such as the metaverse necessitates transforming the underlying digital infrastructure. Separately, Commission President Ursula von der Leyen launched last September a non-legislative initiative on the metaverse. Similarly, the European Parliament is also working on its own-initiative report on opportunities, risk and policy implications for the metaverse.

As EU officials grapple with potential regulatory constraints as well as policy building blocks for the metaverse, they will need to address issues common across the globe: how to take advantage of the technological inflection point offered by the metaverse, while ensuring competition, privacy, and cybersecurity, among the many legal topics raised by the metaverse.

Metaverse Prospects

This rapidly increasing regulatory attention is unsurprising as the metaverse is estimated to generate up to $5 trillion in global market impact by 2030 and already in 2022, investments into the metaverse doubled compared to the previous year, reaching over $120 billion. As a multifaceted and complex digital ecosystem, the metaverse provides a wide array of investment opportunities as, in principle, nearly anything done physically could be done meta.

Continue Reading Regulating the Metaverse in Europe

In 2022, the European Union announced the creation of Digital Partnerships with three Asian countries: Japan, South Korea and Singapore. This is in line with the EU’s Digital Compass strategy which seeks to make the European Union the most connected continent by 2030. The European Commission is expanding its connections between Europe and the rest of the world to address the digital divide and further develop a sustainable digital economy with trusted partners.

Below we set out the key points from the Digital Partnerships that the European Commission has announced with Japan, South Korea and Singapore, respectively.

EU-Japan Digital Partnership

During the EU-Japan Summit organised on May 12, 2022, the European Union and Japan concluded the EU-Japan Digital Partnership, the first digital cooperation initiative to advance economic growth and provide a safe and inclusive space to solve digital issues. This effort furthers the “Data Free Flow with Trust” agenda, aimed at facilitating safe and secure cross-border data flows.

The EU-Japan Partnership will also focus on the following areas:

  • 5G/6G technologies;
  • Ethical considerations for Artificial Intelligence (“AI”);
  • Global supply chains in the semiconductor industry;
  • Green data infrastructures and data innovation;
  • Development of digital skills for private and public sectors; and
  • Facilitation of digital trade and application of global interoperable standards.

As part of the common vision, the Digital Partnership identified a number of key action items, as follows:

  • Collaborating on the development of innovative technologies through research;
  • Implementing concrete pilot projects in cutting-edge areas such as AI and digital identity;
  • Establishing mechanisms for international collaboration and common approaches to digital transformation; and
  • Developing common principles and rules through regulatory cooperation on key technology enablers for digital trade.

All the above will reflect the highest standards of data protection and follow the objectives set out by the EU-Japan mutual adequacy arrangement. The implementation of the EU-Japan Digital Partnership will start in 2023 and the countries will review their targets and progress on an annual basis.

EU-South Korea Digital Partnership

On November 28, 2022, the European Union and the Republic of Korea launched a new Digital Partnership to boost the cooperation between the two countries in the digital field. This collaboration will mainly focus on:

  • Semiconductors;
  • Next generation mobile networks;
  • Quantum technology;
  • High Performance Computing (“HPC”);
  • Cybersecurity;
  • AI;
  • Digital platforms and standardization; and
  • Data and digital skills.

The key action items from the EU-Korea Digital Partnership include:

  • Engaging in collaborative research activities, facilitating access to, and participation in, international standardisation relating to emerging technologies in the digital sector.
  • The sharing of information on: (i) cybersecurity threats and other aspects of cybersecurity, (ii) data-related laws and systems, which build on the existing adequacy decision that the European Commission granted to Korea (and ensuring the free flow of data between Korea and the EU) and working towards identifying commonalities between their existing regulatory approaches, (iii) views on a 6G roadmap and future 6G spectrum needs, (iv) the laws and systems aimed at the development and global use of trustworthy and human-centric AI (e.g., definitions, use cases, high risk AI applications, and response measures) and coordinating positions on AI governance, (v) platform policies, and (vi) approaches to protectionist measures in the digital space.
  • The Digital Partnership will also establish a Korea-EU forum for semiconductor researchers to (i) discuss and share information on the latest technologies and trends, (ii) identify gaps and potential disruptions to the global supply chain, and (iii) explore potential opportunities for international standardisation of trusted chips and chip security.

EU-Singapore Digital Partnership

The European Union and Singapore announced on December 15, 2022 a new partnership that will focus on the digital sector and its issues. The EU-Singapore Digital Partnership will be formally signed and launched in 2023 and aims at reinforcing existing relationships between the European Union and Singapore in the digital realm to achieve sustainable economic growth. The digital issues the collaboration will focus on are:

  • Trade facilitation;
  • Trusted data flows and data innovation;
  • Digital trust and standards;
  • Digital skills for workers;
  • Digital transformation of businesses and public services; and
  • Emerging technologies (e.g. 5G/6G, AI and digital identities).

In contrast to the other partnerships, the EU-Singapore Digital Partnership is the first one to agree on the development and application of Digital Trade Principles (“Principles”). These Principles are designed to provide a common framework for digital strategies, which will in turn be used to contribute to the ongoing OECD discussions on establishing rules regarding electronic commerce.

What are the next steps?

In announcing these Digital Partnerships, EU Commissioner Thierry Breton mentioned that these Digital Partnerships are likely to:

  • impact recent EU proposals, such as the EU Chips Act or AI Act; and
  • help achieve interoperability between the EU and Asia, as the EU Commission and ASEAN countries continue to cooperate in the digital space.

As mentioned above, all three Digital Partnerships will be formally launched in 2023. We expect that the Digital Partnerships will be used as a strategic pathfinder for closer region-to-region digital connectivity and to develop enhanced cooperation with other ASEAN countries such as Thailand and Malaysia, among others.

If you would like to learn more about these Digital Partnerships, or how Covington could help you participate in related policy initiatives, please do not hesitate to contact us.

Continue Reading EU Digital Partnerships with Asia: A New Path Towards Enhanced Digital Collaboration and Opportunities

Facial recognition technology (“FRT”) has attracted a fair amount of attention over the years, including in the EU (e.g., see our posts on the European Parliament vote and CNIL guidance), the UK (e.g., ICO opinion and High Court decision) and the U.S. (e.g., Washington state and NTIA guidelines). This post summarizes two recent developments in this space: (i) the UK Information Commissioner’s Office (“ICO”)’s announcement of a £7.5-million fine and enforcement notice against Clearview AI (“Clearview”), and (ii) the EDPB’s release of draft guidelines on the use of FRT in law enforcement.

I. ICO Fines Clearview AI £7.5m

In the past year, Clearview has been subject to investigations into its data processing activities by the French and Italian authorities, and a joint investigation by the ICO and the Australian Information Commissioner. All four regulators held that Clearview’s processing of biometric data scraped from over 20 billion facial images from across the internet, including from social media sites, breached data protection laws.

On 26 May 2022, the ICO released its monetary penalty notice and enforcement notice against Clearview. The ICO concluded that Clearview’s activities infringed a number of the GDPR and UK GDPR’s provisions, including:

  • Failing to process data in a way that is fair and transparent under Article 5(1)(a) GDPR. The ICO concluded that people were not made aware or would not reasonably expect their images to be scraped, added to a worldwide database, and made available to a wide range of customers for the purpose of matching images on the company’s database.
  • Failing to process data in a way that is lawful under the GDPR. The ICO ruled that Clearview’s processing did not meet any of the conditions for lawful processing set out in Article 6, nor, for biometric data, in Article 9(2) GDPR.
  • Failing to have a data retention policy and thus being unable to ensure that personal data are not retained for longer than necessary under Article 5(1)(e) GDPR. There was no indication as to when (or whether) any images are ever removed from Clearview’s database.
  • Failing to provide data subjects with the necessary information under Article 14 GDPR. According to the ICO’s investigation, the only way in which data subjects could obtain that information was by contacting Clearview and directly requesting it.
  • Impeding the exercise of data subject rights under Articles 15, 16, 17, 21 and 22 GDPR. In order to exercise these rights, data subjects needed to provide Clearview with additional personal data, by providing a photograph of themselves that can be matched against the Clearview Database.
  • Failing to conduct a Data Protection Impact Assessment (“DPIA”) under Article 35 GDPR. The ICO found that Clearview failed at any time to conduct a DPIA in respect of its processing of the personal data of UK residents.

Continue Reading Facial Recognition Update: UK ICO Fines Clearview AI £7.5m & EDPB Adopts Draft Guidelines on Use of FRT by Law Enforcement

On April 28, 2022, Covington convened experts across our practice groups for the Covington Robotics Forum, which explored recent developments and forecasts relevant to industries affected by robotics.  Sam Jungyun Choi, Associate in Covington’s Technology Regulatory Group, and Anna Oberschelp, Associate in Covington’s Data Privacy & Cybersecurity Practice Group, discussed global regulatory trends that affect robotics, highlights of which are captured here.  A recording of the forum is available here until May 31, 2022.

Trends on Regulating Artificial Intelligence

According to the Organization for Economic Cooperation and Development Artificial Intelligence Policy Observatory (“OECD”), since 2017, at least 60 countries have adopted some form of AI policy, a torrent of government activity that nearly matches the pace of modern AI adoption.  Countries around the world are establishing governmental and intergovernmental strategies and initiatives to guide the development of AI.  These AI initiatives include: (1) AI regulation or policy; (2) AI enablers (e.g., research and public awareness); and (3) financial support (e.g., procurement programs for AI R&D).  The anticipated introduction of AI regulations raises concerns about looming challenges for international cooperation.

Continue Reading Robotics Spotlight: Global Regulatory Trends Affecting Robotics

On 22 September 2021, the UK Government published its 10-year strategy on artificial intelligence (“AI”; the “UK AI Strategy”).

The UK AI Strategy has three main pillars: (1) investing and planning for the long-term requirements of the UK’s AI ecosystem; (2) supporting the transition to an AI-enabled economy
Continue Reading The UK Government Publishes its AI Strategy