Tech Regulation – Quarterly Newsletter June 2023 | Fieldfisher

In our latest edition, we provide an update of the key regulatory developments in the UK and EU across the topics of Digital Platforms, Online Safety, AI, Data and Cyber.

Platform

Digital Markets, Competition and Consumers Bill (UK)

On 25 April 2023, after much anticipation, the UK Government introduced the Digital Markets, Competition and Consumers Bill. The heavyweight document comprising 388 pages proposes a range of reforms to overhaul the UK's competition and consumer enforcement landscape. The Bill establishes the UK's answer to the EU Digital Markets Act, placing "pro-competitive" obligations on the largest tech firms to be overseen and enforced by the new Digital Markets Unit. But it's not just Big Tech that will feel the effects – changes to the CMA's general competition framework, including updated merger and fining thresholds, will impact many businesses. And the UK's consumer law enforcement regime is set to change radically: for the first time the CMA will have powers to fine businesses up to 10% of their global turnover for infringing consumer law.

Next steps: The Bill is currently on its second reading in the House of Commons and is expected to come into force some time in 2024.


Digital Markets Act (EU)

The Digital Markets Act (DMA) began to apply in full on 2 May 2023. It applies to "gatekeepers" providing core platform services (essentially the very largest digital firms), and sets out a series of upfront obligations and restrictions in relation to areas including self-preferencing, interoperability, app stores and data-related obligations. The DMA aims to ensure fair and open markets, as well as alleviate the burden on the existing competition law enforcement regime, which seeks to tackle abuses of market power after they occur. By the beginning of July 2023, companies providing core platform services will have to notify the European Commission and provide all relevant information. The Commission will then have two months to adopt a decision designating a specified gatekeeper, and gatekeepers will in turn have a maximum of six months to ensure compliance with the DMA.

Next steps: The Commission recently held a number of technical workshops with interested stakeholders to receive their views on gatekeepers’ compliance. In the meantime, (potential) gatekeepers will need to design and implement measures over the coming months to demonstrate that they meet the requirements of the DMA.


Online safety

Online Safety Bill (UK)

The Online Safety Bill continues to proceed through a (very) slow Parliamentary process. Committee stage in the House of Lords (a line by line analysis of the Bill) began on 19 April and continued throughout May 2023.

Meanwhile, Ofcom has announced how it will approach online safety risk assessments if and when the Bill enters into force: https://www.ofcom.org.uk/news-centre/2023/how-we-are-approaching-online-safety-risk-assessments
 
In April, WhatsApp, Signal and other end-to-end encryption services published an open letter threatening to leave the UK if the Bill is passed. This is due to a perceived lack of protection in the Bill for end-to-end encrypted messaging, which compromises the privacy of all users: https://blog.whatsapp.com/an-open-letter
 
Next steps: If/when Committee stage is complete the Bill will proceed to Report stage and third reading in the Lords.


Digital Services Act (EU)

The Digital Services Act (DSA) intends to enhance and harmonise the rules applicable to online intermediaries such as hosting providers, social media networks, online platforms and marketplaces. The DSA tackles two key topics: (i) harmonised rules on notice and action obligations for illegal content, and (ii) new transparency obligations for online intermediary services, especially in relation to content moderation and online advertising. The strictest rules apply to very large online platforms and search engines (VLOPs and VLOSEs).
 
Next steps:  Online intermediaries have until 17 February 2024 to comply with the new rules. One notable exception is the six-monthly reporting requirement of the average monthly active recipients, which started on 17 February 2023. VLOPs and VLOSEs need to start complying with the DSA four months after having been designated as such by the European Commission. As such, a first batch of 19 online platforms, including Facebook, TikTok, Twitter, and Google Search will need to start complying with the DSA by 25 August 2023.
 

Loot boxes (UK and EU)

Both the UK government and EU have been considering proposals to regulate the use of loot boxes in gaming.
 
At the end of April this year, the UK published its policy paper on gambling reform for the digital age. Although it had previously been anticipated this could include bespoke regulation for loot boxes, the UK government confirmed that 'we do not intend to adjust the legal definitions of gambling at this time in order to capture loot boxes. In our view, it would be premature to pursue legislative options without first pursuing enhanced industry-led protections'.
 
Next steps: We await the promised UK technical working group update on progress made to strengthen industry-led measures. Similarly, we expect the European Commission to publish further analysis on the way in which loot boxes are sold, and it may take further steps to bring about a common European approach on loot boxes, as promised in the January resolution.
 
 
AI

White Paper on AI (UK)

At the end of March 2023, the UK government published its White Paper on AI with the aim 'to guide the use of artificial intelligence in the UK, to drive responsible innovation and maintain public trust in this revolutionary technology'. Unlike the EU, the UK's approach to AI is not by way of a new regulator or legislation but instead will establish key principles that existing regulators should consider as part of their remit. Regulators within scope will be expected to issue guidance relevant to their area. The CMA has started a review of competition and consumer protection considerations for AI to understand how AI is currently being used and produce guiding principles to support the area as AI develops.

Next steps: The consultation on the White Paper closes on 21 June 2023.

 
Artificial Intelligence Act (EU)
 
With some last minute changes to incorporate rules for foundation models, the European Parliament's Civil Liberties and Internal Market committees jointly endorsed the new EU AI Act. The Act proposes a risk-based approach to AI regulation, whereby AI systems will either be (a) prohibited on the basis of unacceptable risk; (b) permitted subject to compliance with stringent requirements and an ex ante conformity assessment, (c) permitted but subject to certain information and transparency obligations, or (d) permitted without restrictions.

Next steps: The Act will now progress to a plenary vote in Parliament which is expected in June 2023, before moving to final negotiations with national governments. Even if the Act is enacted soon, it may take longer for its provisions to bite – Margrethe Vestager, Executive Vice President of the European Commission, has suggested that in the best of cases the Act will take effect in 2.5-3 years' time.

 
Code of Conduct for Artificial Intelligence (EU)

The EU has committed to producing a draft Code of Conduct for AI, which would provide a set of voluntary standards for the use of AI. The Code of Conduct would serve as something of a stopgap while the Artificial Intelligence Act continues through the legislative process, allowing governments to respond in real-time to a very fast-moving area. The EU has encouraged global lawmakers – including in the US, Indonesia and India – to contribute to developing the standards.
 
Next steps: The EU has suggested that a draft Code of Conduct could be ready within weeks, with a final proposal that industry could sign up to available very soon after.
 
 
Privacy
 
Data Protection and Digital Information Bill (UK)
 
After a number of postponements (and Prime Ministers), the new Data Protection and Digital Information (No.2) Bill was laid before Parliament on 8 March 2023. The aim of this bill remains the same as the now-withdrawn Data Protection and Digital Information Bill – to update and simplify the UK’s data protection framework to reduce burdens on organisations while maintaining high data protection standards and facilitating innovation – but there are a few updates and additions. The Bill had its second reading in the House of Commons on 17 April 2023.
 
Next steps: The Bill is still only a proposal and has a long journey through parliament before it receives royal assent (although it is not impossible this could happen during 2023). Next stop is the Committee stage (a line by line examination of the legislation). The Public Bill Committee is expected to report to the House by Tuesday 13 June 2023. It will then return to the floor of the House of Commons for its report stage, where it can be debated and further amendments proposed.
 
 
Data Governance Act and Data Act (EU)
 
The European Strategy for Data aims to support the creation of a single European market for data by supporting responsible access, broader sharing and re-use of personal and non-personal data, in accordance with the values and existing laws of the EU, in particular on the protection of personal data, consumer protection and competition rules. The Data Governance Act (DGA) strengthens the single European market's governance mechanisms and establishes a framework to facilitate general and sector-specific data sharing, and the draft Data Act (DA) concerns the actual rights on the access to and use of data.
 
Next steps: The DGA entered into force on 23 June 2022 and, following a 15-month grace period, will be applicable from 24 September 2023. The European Commission will establish the European Data Innovation Board to assist and advise the Commission by issuing guidelines on how development of data spaces can be facilitated and sharing best practices in relation to, among other things, data altruism, data intermediation and the use of public data not available as open data.
 
Meanwhile, the draft DA was adopted by the European Parliament after an overwhelming vote of 500 to 23, with 110 abstentions. The next step now is for the European Council and the Members of European Parliament to engage in a trilogue in order to agree a finalised text. Presently the DA has a 12-month implementation period after the date it enters into force.
 
 
Health Data Spaces Regulation (EU)
 
The Health Data Space Regulation (EHDS) is a health-specific ecosystem aimed at addressing the complexities of current European rules on data sharing in the health sector in order to maximise the potential of health data. The EHDS comprises common standards and practices, infrastructures, rules and a governance framework. The framework will empower individuals through increased digital access to and control of their electronic personal health data, at both national and EU-wide level, as well as fostering a single market for electronic health record systems, relevant medical devices and high risk AI systems. In addition, the EHDS will provide a trustworthy and efficient set-up for the use of health data for research, innovation, policy-making and regulatory activities. The options for this secondary use of data are being explored by TEHDAS, the joint action Towards the European Health Data Space. The EHDS is a key pillar of the European Health Union and will build on the EU GDPR as well as the NIS 2 Directive, the Data Act and the Data Governance Act.
 
Next steps: The EHDS was proposed by the European Commission on 3 May 2022 with the stated aim that it will be operational by 31 October 2024. On 14 February 2023, the Industry, Research and Energy Committee released its draft Opinion which contains the latest draft text with amendments proposed. The Council continues to debate its own position but a number of concerns have been raised as to the scope of the EHDS. The European consumer group, BEUC, has stated that people need more control over their health data through opt-in and opt-out mechanisms after surveying more than 8,000 European citizens, many of whom expressed discomfort with the current proposals. The body of the data protection authorities of Germany's 16 states (Datenschutzkonferenz) has also called for improvements to ensure that the privacy and data protection rights outlined in the GDPR, as well as Articles 7 and 8 of the Charter of Fundamental Rights of the EU, are not undermined.
 
 
ePrivacy Regulation (EU)
 
The ePrivacy Regulation is intended to replace the current 2002 ePrivacy Directive. The Regulation was originally intended to come into effect alongside the EU GDPR. However, there has been much pushback and lobbying from different stakeholders that has delayed the process. The aim of the Regulation is to strengthen and update the online privacy rights of users. This will be done by giving users more control over their personal data by aligning the Regulation with the EU GDPR; applying stricter rules on companies that collect or process personal data, including publicly accessible electronic communications services such as social media platforms, instant messaging, email and VoIP (Voice over Internet Protocol) calls; and simplifying the rules on cookies.
 
Next steps: The agreed text of the ePrivacy Regulation is not expected before the end of 2023. With the rules potentially only coming into effect 24 months from the twentieth day following its publication in the Official Journal, it could well be early 2026 before the Regulation is applicable.
 
There has however been a lot of regulatory activity with respect to cookies from Data Protection Authorities. Organisations should therefore start planning now and seek advice if they are unsure about the compliance of their present cookie banner and cookie policy as well as considering the analytics they use.
 
 
Cyber
 
NIS2 Directive (EU)

The Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) entered into force on 16 January 2023. The aim of the NIS 2 Directive is to enhance the overall level of cybersecurity in the EU. In so doing, it replaces and repeals the existing Network and Information Systems Directive (EU) 2016/1148 (NIS 1 Directive). The NIS 2 Directive reflects a considerable broadening of scope versus the NIS 1 Directive, bringing a large number of new industry sectors (and therefore, new types of entities) within scope of the obligations – including e.g. wastewater, waste management, space, postal and courier services, chemicals, food, manufacturing and public administration.

Next steps: Member States now have 21 months – i.e. until 17 October 2024 – to transpose the Directive into national legislation. The majority of obligations imposed on organisations will come into force when the implementing legislation becomes effective in the relevant Member State.

 
Cyber Resilience Act (EU)

On 15 September 2022, the European Commission released a proposal on a regulation on horizontal cybersecurity requirements for products with digital elements (Products). The Cyber Resilience Act will affect a range of economic actors who are developing, manufacturing, marketing, importing and distributing connectable Products. The proposal entails significant obligations for manufacturers, importers and distributors of Products. More specifically, Products may not be placed in the EU market, unless (1) they have been designed, developed and produced in compliance with the essential cybersecurity requirements identified in Annex I to the proposal, and (2) the manufacturer puts in place the required processes to handle vulnerabilities effectively. Under the original proposal, once adopted, the Cyber Resilience Act would come into force after a two-year period of transition, except for the reporting obligation on manufacturers, which would be applicable after one year. The Act will only apply to Products that have already been placed on the market before its date of application if, from that date, those Products are subject to substantial modifications in their design or intended purpose.

Next steps: The Cyber Resilience Act is still under discussion as part of the legislative process with manufacturers’ obligations, reporting, compliance and enforcement being the subject of recent intense discussion and compromise.
 
 
Digital Operational Resilience Act (EU)

The Digital Operational Resilience Act introduces five core sets of obligations applicable to financial entities in order to mitigate the risk of exposure to cyber disruptions and threats: (1) the implementation of a risk management framework and governance to detect, prevent and manage IT risks, (2) the classification of IT incidents and the reporting of the major ones, (3) the performance of resilience testing, (4) the sharing of information and intelligence within the sector, and (5) the sound management of ICT third-party risk and the review of providers' contracts.

Next steps: The new regulation will apply from 17 January 2025. Consider whether your organisation is caught and what you need to do to comply.
 
 
Review of the Computer Misuse Act 1990 (UK)
 
The Computer Misuse Act 1990 is the main legislation that criminalises unauthorised access to computer systems and data, and the damaging or destroying of these. To ensure that the UK’s legislative framework continues to support action against the harms caused by criminals operating online, the Government has carried out a review of the Act to account for new forms of cyber threat, including foreign state attacks and "hacktivist" groups. The Government is considering the development of new powers including (1) domain name and IP address takedown and seizures; (2) a requirement for the preservation of computer data to prevent it being deleted where it may be needed for an investigation, and (3) a power to take action against a person possessing or using data obtained by another person through a relevant computer misuse offence. A public consultation was held in early 2023.

Next steps: Await the results of the public consultation to understand whether any changes will be made to the original proposals.
 
 
Call for views on software resilience and security for businesses and organisations (UK)

The Government recently concluded a call for views, which aimed to better understand the nature of software risks as a whole to UK organisations, and where government should focus on mitigating them. The Government is exploring how it can build on its existing interventions including the Product Security and Telecommunications Infrastructure Act 2022 and Code of Practice for App Store Operators and App Developers. It sought views on whether potential measures including international standards, guidance on best practices, accreditation, training and targeted funding will be effective in addressing concerns specific to seven risk areas: (1) cross-cutting and cyber risks, (2) software development security, (3) barriers in the open source community, (4) security and resilience in software distribution, (5) transparency and communication of software materials, vulnerabilities and incident management, (6) procurement, supplier assurance and supplier management, and (7) maintenance, configuration and use of software by the customer.

Next steps: The Government is aiming to publish its formal response to the call for views in summer 2023.
