UK Digital Regulations

The digital landscape is rapidly evolving and the UK is at the forefront of an increasingly complex regulatory environment. Digital technologies have transformed the way we live, work, and interact, offering unprecedented opportunities for innovation, economic growth, and connectivity. However, this digital revolution has also presented new challenges, from issues related to data privacy, the use of AI and cybersecurity to concerns about the influence of tech giants on society and competition.

The UK recognises the crucial importance of embracing digital innovation and encouraging investment whilst balancing the rights and interests of individuals and privacy. As a result, the UK has undertaken significant efforts to establish a comprehensive framework for digital regulation, seeking to address the complex aspects of digitalisation while ensuring fairness, accountability, and transparency.

We have identified ten priority areas within the digital regulatory landscape which should be front of mind in various sectors: Online safety, Digital competition regime, Data policy and regulation, AI policy and regulation, Cryptoasset regulation, ePrivacy, Cybersecurity, Telecoms and connectivity, Digital identity and trust, and Digital consumer regulation.


Online safety

The Online Safety Act is a new regulatory regime which regulates online providers of user-to-user content and search, as well as providers of pornography. It imposes a duty of care on entities within the scope of the law to conduct risk assessments and take proportionate measures to deal with specified risks. The Bill received Royal Assent on 26 October 2023.

The Act imposes new obligations on a very wide range of organisations to assess and manage online risks. Whilst the largest Category 1 services are in scope, it is estimated that 25,000 entities in the UK alone are caught by the requirements of the new law and in particular the user-to-user provisions are likely to cut across sectors and affect a wide variety of companies who may not be expecting this.

We are able to provide wide-ranging support in this area, including:

  • Assess and advise whether organisations are caught by the scope of the Act and if so what steps should be taken to comply with the requirements imposed
  • Assist in scoping and undertaking necessary risk assessment
  • Advise on whether changes can be made to allow organisations to fall outside the scope of the Act, or to rely upon applicable exemptions where the services which bring them in scope are not part of their core business



Digital competition regime

The UK is introducing a new digital competition regime which will seek to regulate digital companies designated as having Strategic Market Status (SMS). The regime will be enforced by the specialist Digital Markets Unit (DMU) in the Competition and Markets Authority (CMA). The DMU will be able to impose a range of tailored remedies and have strong enforcement powers (including criminal sanctions). This regime is similar to the EU’s Digital Markets Act which regulates “Gatekeepers”. These changes, as well as wider reforms to the UK competition regime which will impact (i) merger control, (ii) market inquiries, (iii) investigations and (iv) enforcement, will be introduced through the Digital Markets, Competition and Consumer Bill which is expected to be adopted in 2024.

Firms designated as having SMS will be subject to:

  • A range of tailored remedies to ensure fair dealing, open choices and trust and transparency, designed to manage the effects of market power and ensure markets are open to competition and innovation;
  • Potential pro-competitive interventions to address the root cause of the firms’ market power; and
  • Mandatory merger reporting

Separately, the UK merger control turnover thresholds will increase to £100 million (for the UK turnover of the target entity). There will also be a new threshold for merger review, designed to capture so-called “killer acquisitions” where an acquirer of the merging enterprises has at least 33% share of supply of goods or services in the UK and a UK turnover of greater than £350 million. Finally, there is also a safe harbour for transactions where all of the merging enterprises have a UK turnover below £10 million.  There are also wider changes to establish more efficient, flexible and proportionate market inquiries, stronger powers to investigate illegal anti-competitive conduct as well as enable faster and more effective enforcement.

Whilst competition compliance is essential for all companies, firms with substantial and entrenched market power in at least one digital activity (where this digital activity provides them with a strategic position) will be designated with SMS status by the DMU and will be subject to the new regime.

We are able to provide wide-ranging support in this area, including:

  • Guidance on the application of the new digital competition regime in the UK as well as the EU’s Digital Markets Act
  • Competition compliance assistance as well as advice on merger control, subsidy regulation and foreign direct investment requirements
  • Assistance with investigations and enforcement
  • Access to award winning competition compliance tools

Our international capabilities mean that we can advise companies not only on the UK competition landscape but also EU and national competition laws globally to provide comprehensive support to our clients. 

Data policy and regulation

As the use of data to drive innovative technologies gains momentum, so too has the attention from regulators, policymakers, and legislators. Regulators have sought to leverage existing laws to enforce regulations against tech companies. The UK is currently working on the Data Protection and Digital Information Bill, likely due to be finalised in Q1 2024, which is a key component of their strategy in this area and the first part of what will undoubtedly be a multi-bill approach to broader data strategy.

UK businesses particularly from the technology & communications, life sciences and financial services sectors should prepare for more regulatory involvement, encompassing guidance and enforcement measures, alongside the likelihood of more regulatory frameworks emerging. Companies across all sectors who make use of data in any context will need to be aware of these new regulations – the new regulatory frameworks will apply across the board. In order to be able to react and review compliance approaches, companies must gain a comprehensive understanding of the quantity and characteristics of the data they possess. This will help not only make compliance more straightforward, it will also streamline operations and allow identification of key opportunities to capitalise on commercial prospects in the future.

We are able to provide wide-ranging advice in this area, including:

  • Addressing regulatory challenges when using data, including privacy aspects where personal data is involved and broader regulatory compliance
  • Auditing your data usage
  • Providing guidance on the latest data regulations and their practical impact on your company’s use of data
  • Reviewing data sharing arrangements
  • Identifying commercial opportunities created by new regulatory developments

AI policy and regulation

Artificial intelligence (AI) is already making significant waves in our society and economy. As it begins to revolutionise critical sectors, the government aims for AI to be a driving force behind economic growth, pushing the UK into a leading position as a global AI powerhouse. While the UK does not currently have any regulation which specifically targets the development and use of AI systems, it does have a robust digital regulatory framework that will extend to the advancement, implementation, and utilisation of AI systems, which includes the Data Protection Act 2018, the UK's intellectual property regulations, and safeguards against discrimination under the Equality Act 2010. Certain applications of AI are also covered by the National Security and Investment Act 2021.

Looking ahead, the government published a White Paper on AI regulation in March 2023, which sets out its vision and proposals for implementing a proportionate, future-proof and pro-innovation framework.

The new regulatory approach which emerges following publication of the White Paper will be relevant to businesses in many sectors including life sciences, health care, education, media, online business and technology & communications. For businesses involved in AI development, deployment, or usage in the UK, it’s important to stay up to date on the evolving AI regulatory landscape, while also actively participating in discussions and providing feedback to shape AI regulations in the UK. Beyond legislation itself, following guidance and best practices from regulatory bodies such as the ICO's AI auditing framework and the CDEI's AI barometer will also be essential.

We are able to provide wide-ranging advice in this area, including:

  • Tracking new regulatory developments and engaging with the regulatory process
  • Developing guidelines, frameworks and policies for responsible AI
  • Advising on the IP, data protection and commercial issues arising from the development, acquisition and use of AI technology
  • Contracting for AI technology
  • Corporate transactions where AI technology is a key part of the deal
  • Disputes involving AI systems and AI training data

Cryptoasset regulation

UK Regulators are taking forward plans to reform the financial services regulatory framework to ensure the UK remains a competitive global hub of financial services. This includes creating a framework that is fit for the evolving challenges and opportunities for cryptoasset firms. The UK has seen an increased number of initiatives relating to cryptoassets introduced by the Financial Services and Markets Act 2023 including new FCA rules for cryptoasset financial promotions.

The Financial Services and Markets Act 2023 makes amendments to the Financial Services and Markets Act 2000 and sets out regulatory principles for both regulators, the FCA and PRA, to facilitate the international competitiveness of the UK economy in the medium to long term and meet a UK net zero emissions target. Further to this, the Act sets out new regimes for cryptoassets including:

  • Financial promotion requirements
  • Designated activities regime
  • Digital settlement systems
  • Includes cryptoassets within the scope of S22 Regulated Activities

Firms (including firms based outside the UK) who market or provide cryptoasset services to UK customers will need to be aware of new compliance and legal requirements as of October 2023, particularly for new cryptoasset financial promotion rules produced by the FCA.

We are able to provide wide-ranging support in this area, including:

  • New authorisation requirements for cryptoasset firms and any transition periods
  • Assist with compliance requirements around new financial promotion requirements
  • Advise merchants, brands and sports organisations on their crypto-asset projects, including partnership arrangements, token issuances and marketing issues
  • A considered approach to how regulation may develop to impact new products and services
  • Changes in regulation around different cryptoasset types such as NFTs
  • Advice on applying the consumer duty to any newly authorised cryptoasset firms and any other FCA handbook rules which may become applicable on authorisation

ePrivacy

New technologies are impacting communication services and their use of communications data. At the same time, non-traditional communication services are also finding themselves impacted by ePrivacy rules as service providers or directly subject to law enforcement requests for data. The latest developments include:

  • New technologies like AI are changing the way communications services are provided
  • New use cases for communications data are driving innovation in the market
  • The Home Office has published additional guidance on the definition of communications data and operators
  • The review of the Investigatory Powers Act 2016, which recommends incremental and more substantial changes, was completed in June 2023

Communications providers should consider whether the services that they provide meet the requirements of the Privacy and Electronic Communications Regulations and Investigatory Powers Act (and more broadly general data protection laws read in light of these requirements).

We are able to provide wide-ranging support in this area, including:

  • Compliance with privacy requirements for communications providers
  • Advice on using communications data as a software-as-a-service (SaaS) provider
  • Responding to requests for communications data from law enforcement

Cybersecurity

The current UK cybersecurity regulatory landscape is under UK Government review. There are three key pieces of legislation which are in the process of being improved or introduced:

  1. The Computer Misuse Act 1990: 6 April 2023 saw the end of a UK Government consultation paper to amend and update the Computer Misuse Act 1990. We are awaiting the publication of the response paper setting out the results from this consultation
  2. Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023: The introduction of the UK’s consumer connectable product security regime is anticipated to be achieved by 29 April 2024
  3. The Network and Information Systems Regulations 2018: On 30 November 2022, the UK Government confirmed that the ongoing public consultation on proposals for legislation to improve the UK’s cyber resilience regime will also lead to changes being made to these cybersecurity regulations

These developments affect organisations in the following ways:

  • The Computer Misuse Act 1990: While the Computer Misuse Act does not impose security obligations on businesses, organisations should still be aware of the new powers proposed to be given to law enforcement agencies
  • Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023: From the date of introduction of these regulations, manufacturers of UK consumer connectable products will be legally required to comply with minimum security requirements
  • The Network and Information Systems Regulations 2018: The UK Consultation placed a particular focus on organisations that play an important part in the UK economy, such as managed IT service providers. The effect of this expands the scope of application of the NIS Regulations such that more types of organisations could fall within the scope of the NIS Regulations, and the compliance and reporting measures within them

We are able to provide wide-ranging support in this area, including:

  • Advising on whether any of your business units or subsidiaries will fall within the scope of the cybersecurity regimes described above
  • Providing clarity for your business on what exactly you need to do to be compliant with UK cybersecurity regulation
  • Helping you develop and amend your internal cybersecurity related materials, processes, procedures, and policies
  • Providing cybersecurity training including simulation exercises
  • Advising on cyber insurance including coverage and policy wording
  • Emergency response and consequential support

In addition to the above, Bird & Bird provides a CyberBox offering, which is an award-winning multi-disciplinary approach to cyber threat, providing a complete support solution to clients who are addressing the risk of cyber-attack. You can find out more about the CyberBox offering here.

Telecoms and connectivity

Communications network and service providers are subject to a range of regulatory obligations, including: numbering, porting, network interconnection, contractual, reporting, licensing, switching, administrative fees, confidentiality of communications, ePrivacy and security. There are also new product safety requirements for connected devices which will take effect from April 2024. In the UK, many of these obligations are set out in the general conditions imposed by the Office of Communications (Ofcom) as well as in the Communications Act 2003 (as amended).

Telecoms security and resilience in the UK is a core Government priority and this resulted in the adoption of new strengthened telecoms security measures in October 2022. These changes were introduced in the Telecommunications (Security) Act 2021 which amended the Communications Act 2003. The new requirements include strengthened overarching security duties, obligations for all communication service and network providers in relation to monitoring, taking measures to prevent and mitigate the risk of security compromises and to report security incidents. Measures to address “high risk vendors” were also introduced at the same time.

The new requirements are further detailed in the Electronic Communications (Security Measures) Regulations 2022 and the Telecommunications Security Code of Practice which sets out the measures that must be taken to ensure compliance with the new requirements.

Companies that provide telecoms services in the UK need to be aware of these new requirements and will need to take steps to ensure compliance as well as ensure senior leadership oversight. The requirements are being implemented in accordance with a tiering system based on commercial scale with the largest providers being subject to the most stringent requirements and implementation timeframes with some measures needing to be introduced by March 2024. Providers will need to consider which tier they fall within and the associated requirements that will apply. Entities that engage with telecoms providers as part of their business may also be approached in relation to these new requirements as there is a strong focus on supply chain resilience. Ofcom has already commenced a compliance programme.

We are able to provide wide-ranging support in this area, including:

  • Helping providers assess their regulatory status in relation to these new requirements and more broadly in the UK and internationally
  • Advice on the security requirements and measures being imposed, assist with compliance audits as well as provide guidance on the wider telecoms and cybersecurity regulatory frameworks (including the impact of NIS2 in the EU as well as changes to the UK’s cybersecurity regime)
  • Reviewing relevant supply agreements to ensure compliance with the new framework

Our international capabilities mean that we can advise companies not only on the UK framework and reforms, but how these sit alongside EU and other telecoms regulations globally.

Digital identity and trust

The UK Government is in the process of developing the regulatory landscape for digital identities via two workstreams:

  1. Data Reform Bill: The Data Reform Bill will set out legislation to support the delivery of digital identity verification services in the UK. The UK Government published its response to the consultation in July 2023 and measures in the Data Reform Bill are likely to include:
    • The establishment of a governance function (the Office for Digital Identities and Attributes);
    • Obligations on private sector organisations providing digital identity services, with flow-down terms for parties relying on these services; and
    • Confirmation that the validity of digital identities and digital attributes will be held in the same regard as traditional physical forms of identification.
  2. Digital identity and attributes trust framework (“UK DIATF”): The UK DIATF sets out the rules and standards that providers of digital identity verification products need to adhere to in order to achieve certification as a trusted provider. The beta version of the UK DIATF was published in June 2022 and is subject to ongoing testing and updates.

Entities which provide digital identity services need to be aware of the regulatory landscape in this area, as do any parties who rely on these services, due to the obligations they are likely to be subject to once legislation is enacted. With ever-increasing digital activity in both the consumer and business space, this is likely to be relevant to an ever-wider range of companies, including:

  • Retailers and payment service providers relying on digital identities to validate customer identities in payment workflows;
  • Suppliers of age restricted products, such as gambling operators; and
  • Banks, due to various regulatory obligations, such as AML legislation, which require verification of customer identities.

We are able to provide wide-ranging advice in this area, including:

  • Helping organisations assess when and how to interact with UK DIATF
  • Compliance with the UK DIATF and achieving certification
  • The applicability of flow-down terms to companies relying on digital identity services
  • Advice on potential changes resulting from the Data Reform Bill

Our international capabilities mean that we can advise companies not only on the UK framework and reforms, but how these sit alongside EU and other digital ID and trust initiatives. 

Digital consumer regulation

Selling to, and interacting with, consumers is becoming increasingly complex. From the way that products/services are described and advertised to the way in which businesses contract with consumers, businesses need to understand the rules that apply to the nature of their offering in each of the countries to which such products/services are directed.

Clients in all consumer-facing sector groups need to be aware of the rules that apply to their marketing and sales to consumers, including how consumer protection laws apply in conjunction with any sector-specific regulation. For example, a financial services provider will need to be aware of the obligations to act fairly and transparently with consumers, alongside the regulatory obligations imposed under financial services regulation.

We assist clients on the full range of business-to-consumer issues, including:

  • Guiding clients through the process of launching new products, or expanding the territorial reach of product offerings, in multiple markets. This support will typically include creating consumer terms, customer journeys and marketing campaigns that comply with the laws of the relevant countries. We can provide a one-stop-shop solution for clients who need advice and support in multiple countries at the same time, providing solutions that are tailored for the client’s business and comply with the laws in all in-scope countries
  • Defending clients if they, or the sector in which they operate, are investigated by the Competition and Markets Authority, the Advertising Standards Authority or equivalent consumer and advertising regulators in other countries
  • Providing advice on the application of various consumer laws and regulations to new product/service offerings, such as whether the ‘right to withdraw’ applies for distance sales to UK/EU consumers, how strikethrough/referencing pricing should be calculated, the use of countdown clocks/limited stock messaging and other forms of urgency claims
  • Assessing any ‘green claims’ that a consumer-facing business may want to make in multiple markets

UK Digital Strategy Developments

We have developed an in-depth tool showcasing UK digital strategy developments.

Accolades

The level of the advice is exceptional, based on a deep understanding of our segment of the market – tech and privacy

Legal 500, UK - Data protection, privacy and cybersecurity 2024 (Tier 1)

Bird & Bird LLP has an excellent telecommunications offering and works closely with key players in the data centre industry on issues pertaining to 5G connectivity, security and satellites.

Legal 500, UK - IT and Telecoms 2024 (Tier 1)

Bird & Bird maintains one of the largest pan-European IP practices, giving the group a strong international reach. The practice continues to advise on a number of high-value cross-border disputes and transactional matters, with an increasing amount of matters involving digital assets, rights and artificial intelligence.

Legal 500, UK 2023 (Tier 1)

Bird & Bird offers sophisticated, practical telecoms advice and does so quickly and cost-effectively.

Chambers, UK – Telecommunications (Tier 1)

Bird & Bird is renowned for its data protection specialists with especially strong expertise in the communications, technology, pharmaceutical and financial services industries.

Chambers, UK – Data protection & information law 2023 (Band 1)