Tech Regulation – Quarterly Newsletter March 2024 | Fieldfisher

15/03/2024


In our March 2024 edition, we provide an update on the key regulatory developments in the UK and EU across Online Safety, Digital Platforms, Cyber, Data, AI and other technology regulation. Check below whether your business is in scope, and the actions you may need to take before any obligations begin to apply.

Online Safety

Online Safety Act (OSA) UK

The OSA imposes duties on a range of online service providers to keep users safe. The obligations under the OSA fall into three pillars: illegal harms duties (such as removing terrorism content and child sexual exploitation and abuse material from online services); child safety duties; and additional duties, including transparency reporting and user empowerment, for categorised services. Ofcom is the regulator for online safety in the UK and has been granted new investigatory and enforcement powers. Fines of up to 10% of qualifying worldwide revenue can be levied on services in breach of the OSA.

Scope: Providers of internet services where content is generated, uploaded or shared by users ("user-to-user services"), and providers of search engines ("search services"). The OSA will affect a broad range of sectors, including social media, online marketplaces, video games, dating apps, photo and video sharing platforms, collaboration platforms, chat and instant messaging platforms, peer-to-peer services, streaming services and online forums. To be in scope, a service must have a significant number of UK users, or the UK must be one of its target markets. There are limited exceptions covering internal business services, email, SMS and one-to-one live aural communications.

Next steps:

  • Q2 2024:
    • Ofcom's consultation on guidance and codes of practice for protection of children (for all in-scope services).
    • Ofcom's consultation on transparency guidance (for categorised services).
    • Ofcom's consultation on fees (for services meeting or exceeding a qualifying worldwide revenue).
  • Q2/Q3 2024:
    • Ofcom to set thresholds for categorisation.


Digital Services Act (DSA) (EU)

The DSA creates a single set of rules for increased safety and consistency across digital services in the EU. It imposes new obligations relating to illegal content, content moderation, advertising, transparency reporting, terms and conditions, dark patterns and online marketplaces.

Scope: The DSA applies to a broad range of digital businesses including hosting providers and online platforms, whether b2c or b2b. Businesses caught include cloud service providers, social media platforms, app stores, online marketplaces, messaging and email services, online forums, games business, dating websites and many others.

Next steps: As of 17 February 2024, the DSA applies to all intermediary services falling within its scope. EU Member States are now in the final stages of designating their Digital Services Coordinators, which oversee enforcement of the DSA for services other than Very Large Online Platforms and Very Large Online Search Engines ("VLOP/SEs"). The latter are overseen by the European Commission. The Commission is actively consulting on and adopting delegated and implementing acts and guidelines to develop various aspects of the DSA:

  • The Delegated Regulation on independent audits provides a framework for VLOP/SEs and auditing organisations to conduct and issue annual audits.
  • Guidelines on election integrity, detailing best practices and measures for mitigating systemic risks on VLOP/SEs that threaten the integrity of democratic electoral processes, are currently under public consultation.
  • The Implementing Regulation on transparency reports, providing templates for all intermediary services, is expected to be adopted in May 2024. Initial transparency reports for all intermediary services (excluding VLOP/SEs) must cover the period from 17 February 2024 to 31 December 2024. Subsequently, reports will cover a full calendar year from 1 January to 31 December, with publication required within two months after the end of the reporting period.
  • A consultation on the Delegated Regulation on data access, regulating access by vetted researchers to VLOP/SE data, is scheduled to be launched by the end of April or beginning of May 2024.


End-to-end encryption rules

The European Court of Human Rights ("ECtHR") has delivered a judgment upholding the protection afforded by end-to-end encryption ("E2EE").

The case of Podchasov v Russia [2024] ECHR 134 concerned a requirement under Russian law for "Internet communication organisers" ("ICOs") to store communications data together with the information necessary to decrypt any encrypted messages. Telegram, a designated ICO, challenged a request by the Russian Federal Security Service to disclose information relating to Telegram accounts, including the keys necessary for decryption. The Court found that, because the decryption obligation could not be limited to specific individuals, it would affect all users indiscriminately. It held that an obligation to decrypt E2EE messages which amounts to weakening encryption for every user was not proportionate.

The judgment matters to countries that are contemplating or have enacted controversial decryption laws, such as the UK OSA's power to require the use of accredited technology on private messaging services and the European Commission's "chat control" proposals, both of which aim to use technological measures to scan encrypted content. The problem is that no known technical solution scans or decrypts E2EE content while preserving the security property that defines E2EE: that only the communicating endpoints can read the message. Whether implemented as client-side scanning, key escrow or a provider-held decryption capability, such obligations require the provider to alter the software it ships to users or to hold material that unlocks their messages, which is a "backdoor" in substance regardless of the label, and degrades security for every user, not just the targets. Although the judgment is unlikely to be the end of legislative efforts to undermine E2EE, it sends a clear signal that such efforts are unlikely to be compatible with the ECHR in the absence of robust safeguards.


Platforms

Digital Markets, Competition and Consumers (DMCC) Bill (UK)

The DMCC Bill substantially overhauls the UK's competition and consumer law regimes. The Bill: (a) imposes bespoke obligations on firms designated as having Strategic Market Status (SMS); (b) reforms the general competition law framework, with a rebalanced merger control system and greater powers to enforce against anti-competitive conduct; (c) introduces prescriptive new consumer protection rules; and (d) brings the CMA's consumer enforcement powers up to the level of the competition enforcement regime, with the CMA able to fine businesses up to 10% of their global turnover for infringing consumer law.

Scope: Certain competition-focused provisions will apply only to SMS firms (i.e. the very largest digital firms); the consumer law reforms will apply to all b2c businesses.

Next steps: In January 2024, the UK Government confirmed two significant additions to the consumer rights provisions of the Bill:

  • Ban on drip pricing. Businesses will be (a) prohibited from presenting a headline price for goods or services that does not incorporate any fixed mandatory fees payable by all consumers (for example, booking, administration or handling fees for tickets), and (b) required to disclose the existence of any variable mandatory fees and how they will be calculated (for example, delivery fees).
  • Ban on fake reviews. Commissioning or incentivising fake reviews will be prohibited. In addition, businesses operating online platforms will be required to take reasonable and proportionate steps to remove fake reviews and prevent consumers from encountering them, and to prevent any other information presented on the platform that is determined or influenced by reviews from being false or misleading.

The Bill is currently working its way through Parliament and is expected to receive Royal Assent in the next few months, with commencement of its provisions to follow.

Digital Markets Act (DMA) (EU)

The DMA's obligations became applicable on 6 March 2024 to the specified core platform services of the six designated gatekeeper firms: Alphabet (i.e. Google), Amazon, Apple, ByteDance, Meta and Microsoft. Those firms have stated publicly the steps they are taking to comply. Some of the most notable changes include:

  • Google's announcement of the removal of certain self-preferencing features whereby Google search results would link to Google's own products and services, an easier way for users to switch search engine or browser away from the default, and a requirement for users to give explicit consent to the sharing of data across Google services.
  • iOS developers can now distribute apps via alternative, third-party app marketplaces, although new fees will apply to any app distributed through a marketplace other than the App Store.

Scope: Only the six designated gatekeepers fall within direct scope, but this does not preclude additional firms from designation in the future.

Next steps:

  • For the gatekeepers – the European Commission will evaluate the changes made. If it does not consider them compliant, the gatekeepers could be subject to investigations and potentially fines of up to 10% of their global turnover (up to 20% for repeat infringements), or, where there is systematic non-compliance, even more far-reaching remedies such as divestment.
  • For other companies – companies that deal with the gatekeepers benefit from new rights under the DMA. However, they are also very likely to bear (indirectly) the gatekeepers' costs of compliance. For example, Apple has already announced higher fees for developers looking to benefit from the introduction of third-party marketplaces.


Cyber

Digital Operational Resilience Act (DORA) (EU)

DORA harmonises the approach to digital operational resilience and ICT security across the EU financial services sector. Some of the specific obligations under DORA are left to be specified by the European Supervisory Authorities (EBA, EIOPA and ESMA – the "ESAs"), which are required to produce regulatory technical standards ("RTSs") as secondary legislation, giving financial entities ("FEs") and their ICT suppliers more detailed guidance on how to comply with their DORA obligations. In January 2024, the ESAs delivered the first set of their final draft RTSs. Those cover:

Scope: DORA seeks to cover the vast majority of the financial services ecosystem and therefore applies to a broad spectrum of market participants. There is an exhaustive list of covered entities, including payment institutions, investment firms, account information service providers, credit rating agencies, insurers and electronic money institutions. A significant number of firms and their ICT suppliers will therefore have to get to grips with the new regulation and incoming RTSs. Firms will need to scrutinise their technology providers more closely (including by conducting enhanced pre-contract due diligence), and will in most cases need to revisit the contracts underpinning those relationships to build in certain minimum protections (for example, on security standards, incident notification, audit and access rights, and exit). ICT suppliers will need to improve their infrastructure and performance to stay in the market, and "critical" ICT third-party providers will be directly supervised for the first time.

Next steps: DORA will apply from 17 January 2025. The second batch of technical standards and guidelines on practical implementation is expected in July 2024. Financial entities and their ICT suppliers have already begun to engage with the available rules, and organisations that take proactive steps to uplift their compliance will be placed at a significant competitive advantage.

UK equivalent of DORA

The UK is legislating to create an effective equivalent to DORA. In 2022, the Government set out its plans for a new regime to support resilient outsourcing to technology providers in the financial services sector. This was followed most recently, in December 2023, by a consultation paper published by the Bank of England, the FCA and the PRA that:

  • Provides details of the new regime which will enable the regulators to manage critical third party ("CTP")-related systemic risks;
  • Sets out regulators' concerns that some firms are becoming increasingly dependent on third-party technology providers for services such as cloud computing and data analytics that could impact UK financial stability if they were to fail;
  • Asks the question: What is “an appropriate but proportionate level of direct regulatory oversight” of CTPs?

Scope / next steps: The latest indication is that the UK regime will align materially with DORA, to ensure interoperability with the EU framework. This means that key requirements for firms, such as adequate technical and organisational measures to limit ICT risk, regular ICT risk assessments and resilience testing, and the establishment of relevant policies, will be mirrored across the EU and UK.

NIS 2 Directive (EU)

The NIS 2 Directive entered into force on 16 January 2023. New measures under the Directive include: (a) direct obligations on management bodies to approve and oversee an organisation's cyber risk management measures, with personal liability where they fail to do so; (b) a requirement for all covered organisations to put in place cyber risk management measures; (c) explicit recognition of security across supply chains and supplier relationships; (d) clarified and strengthened incident reporting requirements, including an early warning within 24 hours of becoming aware of a significant incident and a fuller notification within 72 hours; (e) greater supervisory powers for competent authorities; and (f) increased sanctions for non-compliance.

Scope: The Directive brings a large number of new industry sectors (and therefore, new types of entities) within scope of its obligations – namely, wastewater, waste management, space, postal and courier services, chemicals, food, manufacturing and public administration.

Next steps: EU Member States have until 17 October 2024 to transpose the Directive into national legislation. The majority of obligations imposed on organisations will take effect when the implementing legislation becomes effective in the relevant Member State. Some Member States (e.g. Germany) have already published draft implementing legislation; conversely, the Dutch government has announced that the NIS 2 Directive will not be implemented in time in the Netherlands.

Cyber Resilience Act (EU)

In September 2022, the European Commission published a proposed regulation on horizontal cybersecurity requirements for products with digital elements ("Products"). The Cyber Resilience Act aims to avoid overlapping requirements stemming from differing legislation in EU Member States and will affect a range of economic actors developing, manufacturing, marketing, importing and distributing connectable Products.

Scope: The Act imposes significant obligations on manufacturers, importers and distributors of Products, including secure-by-design and secure-by-default requirements, vulnerability handling throughout the support period, and conformity assessment before placing a Product on the EU market.

Next steps: The European Parliament adopted the text at plenary on 12 March 2024; formal adoption by the Council and publication in the Official Journal will follow. The Act enters into force 20 days after publication. The majority of its obligations become effective 36 months after entry into force; manufacturers' obligations to report actively exploited vulnerabilities and severe incidents apply after 21 months.

Product Security and Telecommunications Infrastructure (PSTI) Act (UK)

The PSTI Act and its implementing regulations impose minimum cybersecurity requirements for internet- and network-connected consumer products (examples include smartphones, smart TVs, smart speakers, connected baby monitors and connected alarm systems). The initial requirements are: (a) no universal default passwords – passwords must be unique per device or defined by the user, and pre-set unique passwords must not be derived from an easily guessable pattern such as an incrementing counter or publicly available information about the device; (b) a published vulnerability disclosure policy giving a contact point for reporting security issues and the timescales for acknowledgement and status updates; and (c) transparency on the minimum period for which the product will receive security updates. Products must also be accompanied by a "Statement of Compliance", which is similar to an EU declaration of conformity and (for now at least) must physically accompany the product. Further requirements may be added over time.

Non-compliance is criminalised, and there is the possibility of very significant financial penalties: up to £10 million or 4% of the relevant company's qualifying worldwide revenue, whichever is greater. Non-compliant products may also have to be withdrawn from the market, at least while they are brought into compliance.

Scope: Manufacturers of consumer connectable products supplied in the UK, as well as other supply-chain participants such as importers and distributors, who must ensure that only compliant products are made available on the UK market. A number of product categories are excepted from the PSTI regime: certain products supplied in Northern Ireland, electric vehicle charge points, medical devices, smart meter products, desktop and laptop computers and non-cellular tablets, and used or second-hand products; otherwise the regime applies broadly to virtually all consumer devices that can connect to the internet or a network.

Next steps: The regime comes into effect on 29 April 2024, from which date relevant products must comply. Importantly, this includes products already in the supply chain on that date.

Data

Data Governance Act and Data Act (EU)

The Data Act (DA) sets out a framework for the sharing of data generated by connected products and related services, eases switching between providers of data processing services, introduces safeguards against unlawful third-country access to non-personal data, and provides for the development of interoperability standards so that data can be reused across sectors. The DA is closely interlinked with the Data Governance Act (DGA), which became applicable on 24 September 2023 with the objective of establishing a harmonised framework for data sharing and governance across sectors and Member States. The DGA specifically aims to encourage wider re-use of protected data held by public sector bodies, boost data sharing through the regulation of novel "data intermediaries" and encourage data sharing for altruistic purposes. It also establishes a European Data Innovation Board, which will develop guidelines and standards for data sharing with third parties, including businesses.

Scope: The DA applies to (a) manufacturers of connected products (e.g. smart devices such as medical devices and wearables) placed on the EU market and providers of related services; (b) users (natural or legal persons) in the EU of connected products or related services; (c) public sector bodies, which may request access to data in cases of exceptional need; (d) providers of data processing services to customers in the EU (e.g. cloud service providers); and (e) participants in data spaces and vendors of applications using smart contracts. The DGA primarily affects public sector bodies, data intermediation service providers (organisations that set up commercial arrangements between data holders and data users but do not themselves add value to the data) and data altruism organisations.

Next steps: The DA entered into force on 11 January 2024 and will become applicable on 12 September 2025, except for certain provisions that apply at later dates. Fieldfisher has published a whitepaper on the DA with further detail.

Data Protection and Digital Information (DPDI) Bill (UK)

The DPDI Bill seeks to reform the UK's data protection regime post-Brexit by amending the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations.

Scope: Broadly the same as the UK GDPR.

Next steps: The DPDI Bill continues its legislative journey through the House of Lords and could receive Royal Assent this year, with the implementation timetable to follow.

European Health Data Space (EHDS) Regulation (EU)

The EHDS is a health-specific data ecosystem aimed at addressing the complexities of current European rules on data sharing in the health sector in order to maximise the potential of health data. The EHDS comprises common standards and practices, infrastructures, rules and a governance framework. It will empower individuals through increased digital access to and control of their electronic personal health data, at both national and EU level, and foster a single market for electronic health record systems, relevant medical devices and high-risk AI systems. In addition, the EHDS will provide a trustworthy and efficient set-up for the secondary use of health data for research, innovation, policy-making and regulatory activities. The options for this secondary use are being explored by TEHDAS, the joint action Towards the European Health Data Space. The EHDS is a key pillar of the European Health Union and will build on the EU GDPR, the NIS 2 Directive, the DA and the DGA (see above).

Scope: To be confirmed, but it is expected mainly to affect those operating in the health sector and those using health data for research, innovation, policy-making and regulatory activities.

Next steps: It is hoped that agreement will be reached on the text of the EHDS before the European Parliament elections scheduled for June 2024.

AI

AI (Regulation) Bill (UK)

This private member's Bill proposes the creation of an AI Authority to: (a) coordinate with existing regulators to set up a regulatory sandbox; and (b) ensure alignment of approach across regulators.

Scope: Organisations developing AI and/or using or adopting AI.

White Paper on AI (UK)

Unlike the EU, the UK's approach to AI does not involve a new regulator or dedicated legislation; instead it establishes cross-sectoral principles that existing regulators should apply within their remits. The White Paper aims "to guide the use of artificial intelligence in the UK, to drive responsible innovation and maintain public trust in this revolutionary technology".

Scope: Organisations developing AI and/or using or adopting AI.

Next steps: The UK Government published its response to the White Paper consultation in February 2024, confirming the principles-based, regulator-led approach and setting out further work for regulators and the central AI functions.

Artificial Intelligence Act (EU)

The EU AI Act establishes a comprehensive framework for AI regulation. It sets out a risk-based approach, whereby AI systems are either (a) prohibited on the basis of unacceptable risk; (b) permitted as "high-risk" systems subject to stringent requirements and an ex ante conformity assessment; (c) permitted but subject to certain information and transparency obligations; or (d) permitted without additional restrictions. Providers of general-purpose AI models are subject to a separate set of obligations.

Scope: Providers, deployers, importers and distributors of AI systems placed on the EU market or whose output is used in the EU, wherever they are established.

Next steps: On 13 March 2024, the European Parliament approved the AI Act; formal adoption by the Council and publication in the Official Journal follow. The Act enters into force twenty days after publication and becomes fully applicable 24 months after entry into force, except that: bans on prohibited practices apply six months after entry into force; codes of practice are due nine months after entry into force; general-purpose AI rules, including governance provisions, apply after 12 months; and obligations for high-risk systems embedded in products covered by existing EU product legislation apply after 36 months.

Other technology regulation

The European Accessibility Act (EAA)

The EAA aims to level the playing field for people in the EU with disabilities. Every Member State was required to adopt the necessary implementing laws by 28 June 2022 and to apply them from 28 June 2025. The Directive sets out accessibility requirements for products and services used by persons with disabilities and functional limitations. For consumers, especially those with disabilities, the EAA ensures that in-scope products and services are accessible by design, and aims to provide equal opportunities in areas such as the labour market, education and transport. Penalties are set at national level and could be significant.

Scope: The Directive applies to a defined list of products and services, including consumer electronic devices (e.g. computers, smartphones, e-readers), self-service terminals (e.g. ticketing machines and ATMs), electronic communications services, audio-visual media services, certain aspects of passenger transport services (e.g. travel information and e-ticketing), consumer banking services (e.g. websites and mobile banking), e-books and e-commerce services. Microenterprises (fewer than 10 employees and an annual turnover or balance sheet not exceeding EUR 2 million) providing services are exempt, and there is a defence where compliance would impose a disproportionate burden or fundamentally alter the product or service.

Next steps: The EAA is a call to action for businesses to be more inclusive, imposing new obligations from web accessibility to product design. National enforcement mechanisms will apply from June 2025.

European Digital Identity Regulation (eID)

With a view to ensuring a trusted and secure digital identity in Europe, the Council presidency and European Parliament representatives reached a provisional agreement in November 2023 on a new framework for a European digital identity (eID), revising the eIDAS Regulation. The revised regulation aims to guarantee universal access for people and businesses to secure and trustworthy electronic identification and authentication. Under the new rules, Member States will offer citizens and businesses digital identity wallets that link their national digital identities with proof of other personal attributes (e.g. driving licence, diplomas, bank account).

Scope: The wallets will enable all Europeans to access online services with their national digital identification, which will be recognised throughout the EU, without having to rely on private identification methods or share personal data unnecessarily; relying parties that accept the wallet will need to register and may only request the attributes they are entitled to.

Next steps: Technical work continues to finalise the text of the Regulation in accordance with the provisional agreement. The text will then be submitted to Member States' representatives for endorsement and, subject to legal-linguistic review, formally adopted by the Parliament and the Council before entering into force.
