The Online Safety Act is a new regulatory regime which regulates online providers of user-to-user content and search, as well as providers of pornography. It imposes a duty of care on entities within scope of law to conduct risk assessments and take proportionate measures to deal with specified risks. The Bill received the Royal Assent on 26 October 2023.
The Act imposes new obligations on a very wide range of organisations to assess and manage online risks. Whilst the largest Category 1 services are in scope, it is estimated that 25,000 entities in the UK alone are caught by the requirements of the new law and in particular the user-to-user provisions are likely to cut across sectors and affect a wide variety of companies who may not be expecting this.
We are able to provide wide-ranging support in this area, including:
The UK is introducing a new digital competition regime which will seek to regulate digital companies designated as having Strategic Market Status (SMS). The regime will be enforced by the specialist Digital Markets Unit (DMU) in the Competition and Markets Authority (CMA). The DMU will be able to impose a range of tailored remedies and have strong enforcement powers (including criminal sanctions). This regime is similar to the EU’s Digital Markets Act which regulates “Gatekeepers”. These changes as well as wider reforms to the UK competition regime - which will impact (i) merger control, (ii) market inquiries, (iii) investigations and (iv) and enforcement - will be introduced through the Digital Markets, Competition and Consumer Bill which is expected to be adopted in 2024.
Firms designated as having SMS will be subject to:
Separately, the UK merger control turnover thresholds will increase to £100 million (for the UK turnover of the target entity). There will also be a new threshold for merger review, designed to capture so-called “killer acquisitions” where an acquirer of the merging enterprises has at least 33% share of supply of goods or services in the UK and a UK turnover of greater than £350 million. Finally, there is also a safe harbour for transactions where all of the merging enterprises have a UK turnover below £10 million. There are also wider changes to establish more efficient, flexible and proportionate market inquiries, stronger powers to investigate illegal anti-competitive conduct as well as enable faster and more effective enforcement.
Whilst competition compliance is essential for all companies, firms with substantial and entrenched market power in at least one digital activity (where this digital activity provides them with a strategic position) will be designated with SMS status by the DMU and will be subject to the new regime.
We are able to provide wide-ranging support in this area, including:
Our international capabilities mean that we can advise companies not only on the UK competition landscape but also EU and national competition laws globally to provide comprehensive support to our clients.
As the use of data to drive innovative technologies gains momentum, so too has the attention from regulators, policymakers, and legislators. Regulators have sought to leverage existing laws to enforce regulations against tech companies. The UK is currently working on the Data Protection and Digital Information Bill, likely due to be finalised in Q1 2024, which is a key component of their strategy in this area and the first part of what will undoubtedly be a multi-bill approach to broader data strategy.
UK businesses particularly from the technology & communications, life sciences and financial services sectors should prepare for more regulatory involvement, encompassing guidance and enforcement measures, alongside the likelihood of more regulatory frameworks emerging. Companies across all sectors who make use of data in any context will need to be aware of these new regulations – the new regulatory frameworks will apply across the board. In order to be able to react and review compliance approaches, companies must gain a comprehensive understanding of the quantity and characteristics of the data they possess. This will help not only make compliance more straightforward, it will also streamline operations and allow identification of key opportunities to capitalise on commercial prospects in the future.
We are able to provide wide-ranging advice in this area, including:
Artificial intelligence (AI) is already making significant waves in our society and economy. As it begins to revolutionise critical sectors the government aims for AI to be a driving force behind economic growth, pushing the UK into a leading position as a global AI powerhouse. While the UK does not currently have any regulation which specifically targets the development and use of AI systems, it does have a robust digital regulatory framework that will extend to the advancement, implementation, and utilisation of AI systems, which includes the Data Protection Act 2018 and the UK's intellectual property regulations, and safeguards against discrimination under the Equalities Act 2010. Certain applications of AI are also covered by the National Security and Investment Act 2021.
Looking ahead, the government published a White Paper on AI regulation in March 2023, which sets out its vision and proposals for implementing a proportionate, future-proof and pro-innovation framework.
The new regulatory approach which emerges following publication of White Paper will be relevant to businesses in many sectors including life sciences, heath care, education, media, online business and technology & communications. For business involved in AI development, deployment, or usage in the UK, it’s important to stay up to date on the evolving AI regulatory landscape, while also actively participating in discussions and providing feedback to shape AI regulations in the UK. Beyond legislation itself, following guidance and best practices from regulatory bodies such as the ICO's AI auditing framework and the CDEI's AI barometer will also be essential.
We are able to provide wide-ranging advice in this area, including:
UK Regulators are taking forward plans to reform the financial services regulatory framework to ensure the UK remains a competitive global hub of financial services. This includes creating a framework that is fit for the evolving challenges and opportunities for cryptoasset firms. The UK has seen an increased number of initiatives relating to cryptoassets introduced by the Financial Services and Markets Act 2023 including new FCA rules for cryptoasset financial promotions.
The Financial Services and Markets Act 2023 makes amendments to the Financial Services and Markets Act 2000 and set out regulatory principles for both regulators, the FCA and PRA to facilitate the international competitiveness of the UK economy in the medium to long term and meet a UK net zero emissions target. Further to this, the Act sets out new regimes for cryptoassets including:
Firms (including firms based outside the UK) who market or provide cryptoasset services to UK customers will need to be aware of new compliance and legal requirements as of October 2023, particularly for new cryptoasset financial promotion rules produced by the FCA.
We are able to provide wide-ranging support in this area, including:
New technologies are impacting communication services and their use of communications data. At the same time, non-traditional communication services are also finding themselves impacted by ePrivacy rules as service providers or directly subject to law enforcement requests for data. The latest developments include:
Communications providers should consider whether the services that they provide meet the requirements of the Privacy and Electronic Communications Regulations and Investigatory Powers Act (and more broadly general data protection laws read in light of these requirements).
We are able to provide wide-ranging support in this area, including:
The current UK cybersecurity regulatory landscape is under UK Government review. There are three key pieces of legislation which are in the process of being improved or introduced:
These developments affect organisations in the following ways:
We are able to provide wide-ranging support in this area, including:
In addition to the above, Bird & Bird provides a CyberBox offering, which is an award winning multi-disciplinary approach to cyber threat, providing a complete support solution to clients who are addressing the risk of cyber-attack. You can find out more about CyberBox offering here.
Communications network and service providers are subject to a range of regulatory obligations, including: numbering, porting, network interconnection, contractual, reporting, licensing, switching, administrative fees, confidentiality of communications, ePrivacy and security. There are also new product safety requirements for connected devices which will take effect from April 2024. In the UK, many of these obligations are set out in the general conditions imposed by the Office of Communications (Ofcom) as well as in the Communications Act 2003 (as amended).
Telecoms security and resilience in the UK is a core Government priority and this resulted in the adoption of new strengthened telecoms security measures in October 2022. These changes were introduced in the Telecommunications (Security) Act 2021 which amended the Communications Act 2003. The new requirements include strengthened overarching security duties, obligations for all communication service and network providers in relation to monitoring, taking measures to prevent and mitigate the risk of security compromises and to report security incidents. Measures to address “high risk vendors” were also introduced at the same time.
The new requirements are further detailed in the Electronic Communications (Security Measures) Regulations 2022 and the Telecommunications Security Code of Practice which sets out the measures that must be taken to ensure compliance with the new requirements.
Companies that provide telecoms services in the UK need to be aware of these new requirements and will need to take steps to ensure compliance as well as ensure senior leadership oversight. The requirements are being implemented in accordance with a tiering system based on commercial scale with the largest providers being subject to the most stringent requirements and implementation timeframes with some measures needing to be introduced by March 2024. Providers will need to consider which tier they fall within and the associated requirements that will apply. Entities that engage with telecoms providers as part of their business may also be approached in relation to these new requirements as there is a strong focus on supply chain resilience. Ofcom has already commenced a compliance programme.
We are able to provide wide-ranging support in this area, including:
Our international capabilities mean that we can advise companies not only on the UK framework and reforms, but how these sit alongside EU and other telecoms regulations globally.
The UK Government is in the process of developing the regulatory landscape for digital identities via two workstreams:
Entities which provide digital identity services need to be aware of the regulatory landscape in this area, as do any parties who rely on these services due to the obligations, they are likely to be subject to once legislation is enacted. With ever increasing digital activity in both the consumer and business space, this is likely to be relevant to an ever-wider range of companies, including:
We are able to provide wide-ranging advice in this area, including:
Our international capabilities mean that we can advise companies not only on the UK framework and reforms, but how these sit alongside EU and other digital ID and trust initiatives.
Selling to, and interacting with, consumers is becoming increasingly complex. From the way that products/services are described and advertised to the way in which businesses contract with consumers, businesses need to understand the rules that apply to the nature of their offering in each of the countries to which such products/services are directed.
Clients in all consumer-facing sector groups need to be aware of the rules that apply to their marketing and sales to consumers, including how consumer protection laws apply in conjunction with any sector-specific regulation. For example, a financial services provider will need to be aware of the obligations to act fairly and transparently with consumers, alongside the regulatory obligations imposed under financial services regulation.
We assist clients on the full range of business-to-consumer issues, including:
We have developed an in-depth tool showcasing UK digital strategy developments.