Digital Markets, Competition and Consumer Bill (UK)
The Digital Markets, Competition and Consumer Bill is set to implement the UK Government's digital markets strategy. The Bill is expected to (a) give powers to the Digital Markets Unit (DMU), which will be responsible for enforcing a new code of conduct for digital firms deemed to have "strategic market status", (b) tackle so-called subscription traps through changes to the consumer laws applying to subscription services, (c) introduce direct fining powers for regulators in relation to breaches of consumer law, and (d) update various aspects of the UK's merger control regime in relation to tech acquisitions. The Bill represents a leap forward in competition and consumer law enforcement against digital firms, with the UK finally presenting its answer to the rules that are set to apply to Big Tech under the EU's Digital Markets Act.
Next steps: The Government's Autumn Statement on 17 November 2022 confirmed that the Bill will be brought forward in the third Parliamentary Session (i.e. in early 2023).
Digital Markets Act (EU)
The Digital Markets Act (DMA) entered into force on 1 November 2022. The DMA defines when large online platforms qualify as "gatekeepers" i.e. firms offering "core platform services" such as social networks, search engines and video sharing platforms, which meet defined turnover and user base thresholds. The DMA places significant obligations on gatekeeper firms – and sets out prohibitions on certain conduct – with the aim of creating fairer business environments and encouraging competition. The European Commission is granted substantial enforcement powers for non-compliance. The new rules mark a key shift towards upfront competition regulation, imposing prescriptive rules regulating the conduct of the largest firms by virtue of their market position.
Next steps: The DMA will start to apply on 2 May 2023. Potential gatekeepers will then have until 3 July 2023 to notify their core platform services to the Commission if they meet the thresholds established by the DMA. Any firms confirmed by the Commission as gatekeepers will have to comply with the DMA's requirements at the latest by 6 March 2024.
Online Safety Bill (UK)
The Online Safety Bill returned to Parliament in December 2022 after a 5-month postponement. The so-called "legal but harmful" category has been removed from the Bill, although firms subject to the new rules will still need to protect children and remove content that is illegal or prohibited by their terms of service. The changes to the Bill are said to offer users a "triple shield" of protection when online: social media firms will be legally required to remove illegal content, take down material in breach of their own terms of service, and provide adults with greater choice over the content they see and engage with. Financial penalties under the Bill remain severe, with the maximum fine in the Bill as currently drafted being 10% of the platform's annual worldwide revenue.
Next steps: Second reading of the Bill took place on 1 February 2023. "Committee stage" in the House of Lords (i.e. a line by line examination of the Bill) is yet to be scheduled.
Digital Services Act (EU)
The Digital Services Act (DSA) entered into force on 16 November 2022. The DSA applies to all digital services that connect consumers to goods, services, or content. It creates comprehensive new obligations for online platforms to limit the spread of illegal content and illegal products online, increase the protection of minors, and give users more choice and better information. All online intermediaries will have to comply with new transparency obligations to increase accountability and oversight. For platforms with more than 45 million EU users, further obligations will apply, including wide-ranging annual assessments of the risks of online harms on their services.
On 1 February 2023, the Commission released guidance and a Q&A on how to count users, particularly those not registered with an account (e.g. counting by unique IP address), but some lack of clarity remains and the legislation is still quite new for platforms.
Next steps: Online platforms and search engines were required to publish their average monthly EU user numbers for the first time by 17 February 2023, and at least once every six months going forward. The new rules will apply in full as of 17 February 2024.
Online Sale of Goods (Safety) Bill
The Online Sale of Goods (Safety) Bill aims to ensure that online marketplaces are just as responsible for product safety as high street retailers and that consumers receive equivalent protection wherever they buy. The Bill requires the government to make regulations requiring online marketplaces to take reasonable steps to ensure that all goods offered for sale via their platforms comply with the General Product Safety Regulations 2005 and any other safety requirements that the Government specifies, with criminal liability for non-compliance.
Next steps: The Bill began its second reading in the House of Commons on 20 January 2023, which is scheduled to continue on 24 March 2023.
Review of the Computer Misuse Act 1990 (UK)
The Computer Misuse Act 1990 is the main legislation that criminalises unauthorised access to computer systems and data, and the damaging or destroying of these. To ensure that the UK’s legislative framework continues to support action against the harms caused by criminals operating online, the Government has carried out a review of the Act to account for new forms of cyber threat, including foreign state attacks and "hacktivist" groups. The Government is considering the development of new powers including (1) domain name and IP address takedown and seizures; (2) a requirement for the preservation of computer data to prevent it being deleted where it may be needed for an investigation, and (3) a power to take action against a person possessing or using data obtained by another person through a relevant computer misuse offence.
Next steps: The public consultation ends on 6 April 2023.
Call for views on software resilience and security for businesses and organisations (UK)
The Government has introduced a call for views to better understand the nature of software risks as a whole to UK organisations, and where government should focus on mitigating them. The Government is exploring how it can build on its existing interventions including the Product Security and Telecommunications Infrastructure Act 2022 and Code of Practice for App Store Operators and App Developers. It now seeks views on whether potential measures including international standards, guidance on best practices, accreditation, training and targeted funding will be effective in addressing concerns specific to seven risk areas: (1) cross-cutting and cyber risks, (2) software development security, (3) barriers in the open source community, (4) security and resilience in software distribution, (5) transparency and communication of software materials, vulnerabilities and incident management, (6) procurement, supplier assurance and supplier management, and (7) maintenance, configuration and use of software by the customer.
Next steps: The closing date for responses to the call for views is 1 May 2023, with the Government aiming to publish its formal response in summer 2023.
Digital Operational Resilience Act (EU)
The financial sector is inevitably exposed to cyber disruption and cyber threats. The European Commission has decided to streamline, and fill the gaps in, the current fragmented framework by proposing a consolidated cross-sectoral approach. The Digital Operational Resilience Act (DORA) introduces five core sets of obligations applicable to financial entities: (1) the implementation of an ICT risk management framework and governance to detect, prevent and manage ICT risks, (2) the classification of ICT-related incidents and the reporting of major ones, (3) the performance of digital operational resilience testing, (4) the sharing of information and intelligence within the sector, and (5) the sound management of ICT third-party risk and the review of providers' contracts.
Next steps: DORA was published in the Official Journal of the EU on 27 December 2022 and entered into force on 16 January 2023. It will apply from 17 January 2025, i.e. 24 months after entry into force.
NIS2 Directive (EU)
The Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) entered into force on 16 January 2023. The aim of the NIS 2 Directive is to enhance the overall level of cybersecurity in the EU. In so doing, it replaces and repeals the existing Network and Information Systems Directive (EU) 2016/1148 (NIS 1 Directive). The NIS 2 Directive reflects a considerable broadening of scope versus the NIS 1 Directive, bringing a large number of new industry sectors (and therefore new types of entities) within scope of the obligations, including e.g. wastewater, waste management, space, postal and courier services, chemicals, food, manufacturing and public administration. New measures under the NIS 2 Directive include:
- imposing direct obligations on management in respect of an organisation's compliance, and onerous penalties where those are not complied with;
- requiring all covered organisations to put in place cyber risk management measures;
- acknowledging the importance of security at all levels in supply chains and supplier relationships;
- clarifying and strengthening incident reporting requirements;
- providing supervisory authorities with a greater ability to supervise companies; and
- increasing the sanctions for non-compliance.
Next steps: Member States now have 21 months – i.e. until 17 October 2024 – to transpose the Directive into national legislation. The majority of obligations imposed on organisations will come into force when the implementing legislation becomes effective in the relevant Member State.
Cyber Resilience Act (EU)
On 15 September 2022, the European Commission released a proposal for a regulation on horizontal cybersecurity requirements for products with digital elements (the Cyber Resilience Act). The Cyber Resilience Act will affect a range of economic actors developing, manufacturing, marketing, importing and distributing connectable products. The proposal entails significant obligations for manufacturers, importers and distributors of such products ("Products"). More specifically, Products may not be placed on the EU market unless (1) they have been designed, developed and produced in compliance with the essential cybersecurity requirements set out in Annex I to the proposal, and (2) the manufacturer puts in place the required processes to handle vulnerabilities effectively.
Next steps: Once adopted, the Cyber Resilience Act would come into force after a two-year period of transition, except for the reporting obligation on manufacturers, which would be applicable after one year. The Act will only apply to Products that have already been placed on the market before its date of application if, from that date, those Products are subject to substantial modifications in their design or intended purpose.
Data Governance Act (EU)
The Data Governance Act (DGA) is part of the European strategy for data and aims to increase trust in the voluntary sharing of data for the benefit of both businesses and individuals. The framework that the DGA provides will make data more available and facilitate data sharing across EU Member States and sectors. This will be done by regulating the reuse of publicly held, protected data; boosting data sharing through the regulation of novel data intermediaries; and encouraging the sharing of data for altruistic purposes. Both personal and non-personal data are in scope of the DGA (and therefore any sharing of personal data will need to be EU GDPR compliant).
Next steps: The DGA entered into force on 23 June 2022 and, following a 15-month grace period, will be applicable from 24 September 2023.
Data Protection and Digital Information Bill (UK)
The UK's Data Protection and Digital Information Bill, introduced into the House of Commons on 18 July 2022, is intended to update and simplify the UK’s data protection framework to reduce burdens on organisations while maintaining high data protection standards and facilitating innovation. It proposes significant amendments to UK legislation including the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the UK's incorporation of the EU General Data Protection Regulation into domestic law i.e. UK GDPR. The Bill is part of the UK’s National Data Strategy and followed the Department for Digital, Culture, Media and Sport’s (DCMS) consultation “Data: A New Direction”, the results of which were published in June 2022. The Bill was timetabled for its second reading on 5 September 2022; however, following the appointment of Liz Truss as Prime Minister, the second reading was postponed.
Next steps: Michelle Donelan, Secretary of State for the newly created Department of Science, Innovation and Technology (DSIT) now responsible for data, has confirmed that the Bill will receive its second reading during week commencing 6 March 2023.
Data Act (EU)
The Data Act is also part of the European Strategy for data and complements the DGA. The Data Act harmonises the rules on the use of and fair access to data by setting out who can access and use data generated by connected products (such as Internet of Things devices) and related services; promoting the sharing and exchange of data between organisations by removing barriers to access, and allowing public bodies to request data held by companies under specific conditions (Business to Government (B2G)); and increasing transparency as to how data is generated and used.
Next steps: The European Commission's proposal for the Data Act was published on 23 February 2022. The European Parliament's Industry, Research and Energy Committee, the lead committee on the file, adopted its report on 9 February 2023, which will be put to a plenary vote on 13-16 March 2023; the Council Presidency has meanwhile been circulating compromise texts on the Council side. Once both Parliament's position and the Council's are decided, the trilogue stage will begin for the three institutions to agree a finalised text. As presently drafted, the Data Act has a 12-month implementation period after the date it enters into force.
Health Data Spaces Regulation (EU)
The European Health Data Space Regulation (EHDS) establishes a health-specific data ecosystem aimed at addressing the complexities of current European rules on data sharing in the health sector, in order to maximise the potential of health data. The EHDS is comprised of common standards and practices, infrastructures, rules and a governance framework. The framework will empower individuals through increased digital access to, and control of, their electronic personal health data at both national and EU-wide level, as well as foster a single market for electronic health record systems, relevant medical devices and high-risk AI systems. In addition, the EHDS will provide a trustworthy and efficient set-up for the use of health data for research, innovation, policy-making and regulatory activities. The options for this secondary use of data are being explored by TEHDAS, the joint action Towards the European Health Data Space. The EHDS is a key pillar of the European Health Union and will build on the EU GDPR as well as the NIS 2 Directive, the Data Act and the Data Governance Act.
Next steps: The EHDS was proposed by the European Commission on 3 May 2022 with the stated aim that it will be operational by 31 October 2024. On 14 February 2023, the Industry, Research and Energy Committee released its draft Opinion, which contains the latest draft text with proposed amendments. The Council continues to debate its own position.
ePrivacy Regulation (EU)
The ePrivacy Regulation is intended to replace the current 2002 ePrivacy Directive. The Regulation was originally intended to come into effect alongside the EU GDPR. However, pushback and lobbying from different stakeholders has delayed the process considerably. The aim of the Regulation is to strengthen and update the online privacy rights of users. This will be done by giving users more control over their personal data by aligning the Regulation with the EU GDPR; applying stricter rules to companies that collect or process personal data, including providers of publicly accessible electronic communications services such as social media platforms, instant messaging, email and VoIP (Voice over Internet Protocol) calls; and simplifying the rules on cookies.
Next steps: An agreed text of the ePrivacy Regulation is not expected before the end of 2023. With the rules potentially only coming into effect 24 months from the twentieth day following publication in the Official Journal, it could well be early 2026 before the Regulation is applicable.
Artificial Intelligence Act (EU)
The EU AI Act continues to progress through the legislative process, with the list of prohibited AI use cases and the classification of high-risk AI systems among the key issues remaining open. Whilst we were expecting a plenary vote at the end of this quarter, this has now been delayed because further discussion is required to agree these key issues.
Next steps: A plenary vote will be held in the European Parliament, before the trilogue begins.
AI governance guidance (UK)
The need for good governance has been a recurring theme when it comes to integrating new technologies. This is especially true for artificial intelligence. The UK Equality and Human Rights Commission has demonstrated a desire to push good AI governance higher up the agenda. In September 2022, it published new guidance for public bodies and those carrying out public functions in England, Scotland and Wales to help them avoid breaching equality law when using artificial intelligence, and in particular to help those using AI to implement an effective governance framework that supports compliance with existing equality obligations.
Next steps: The guidance reiterates how good governance is an ongoing duty and it is important that organisations carrying out public functions regularly assess whether people with one or more protected characteristics are being treated less favourably than others.