Technology Regulation Roadmap | Fieldfisher

The technology regulation roadmap: the what, when and how of upcoming changes

A long list of regulatory changes is set to challenge organisations that work with, in or around technology, as they face a host of new obligations and enforcement across both Europe and the UK.

This quick reference guide to the latest in EU and UK regulation will be updated with new developments.

From conversations with our clients across a range of industries, we know that a key challenge for general counsel and their legal teams is regulatory change management. Our aim is to provide you with a map of the landscape of current and upcoming technology regulation in the UK and EU. This is a time in which more and more businesses are in some way technology businesses, and the regulation of technology is becoming more invasive, pervasive and much more complex.

Over the coming year, a long list of regulatory changes is set to challenge organisations that work with, in or around technology, as they face a host of new obligations and enforcement both in the UK and across Europe. Covering everything from hardware manufacture and copyright management to data handling and harmful online content, the regulatory and statutory updates are set to impact a wide scope of businesses.

This series will bring some clarity to what is happening, outline why it is happening and make suggestions as to what your business might need, or want, to do about it. Please read the list of current and upcoming pieces outlined below, sign up to keep yourself informed, and let us know if there are other topics that you would like covered.


EU Technology Regulation

Digital Copyright Directive

Member States are in the process of implementing the biggest overhaul in copyright law in the last 20 years. The new law aims to enhance the freedoms and rights enjoyed by internet users, allow copyright owners to obtain fair and proportionate remuneration for their work through licensing agreements, and clarify the legal framework within which online platforms operate.

Next steps: Member States were required to bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by 7 June 2021.  


ePrivacy Regulation

New provisions on privacy will replace those contained in the 2002 ePrivacy Directive. The Regulation aims to reform cookie consent and communications content/metadata rules in the EU. It will ensure that EU privacy rules are consistent with the GDPR; whereas the GDPR sets out a broad framework for the processing of personal data, the Regulation will contain more specific rules for the processing of personal data in an electronic communications context.

Next steps: The European Council and Parliament will now negotiate the terms of the final text of the Regulation. It is not yet clear when the terms of the Regulation are likely to come into force. 


Digital Services Act

On 15 December 2020, the European Commission released its highly anticipated proposal for a Digital Services Act (DSA). The DSA aims to introduce unifying rules across the EU to protect online users against illegal content, and reform the provisions in the e-Commerce Directive on the responsibilities of digital services providers. The DSA will apply to all online intermediary service providers as long as their users (businesses or individuals) have their place of establishment or residence in the EU.

Next steps: The Commission will summarise and present feedback from a recent public consultation to the European Parliament and Council, which will then work to agree the content of the legislation.


Digital Markets Act

Also on 15 December 2020, the European Commission released the draft text of the Digital Markets Act (DMA). The DMA has a narrower application than the DSA, creating rules for the very largest "gatekeeper" platforms providing any of eight "core platform services" (such as online intermediation services, search engines, video-sharing platforms or social networks) to EU-based users. The DMA sets obligations on gatekeepers including to allow interoperability and access to the data they hold. It also gives significant investigation and enforcement powers – including the ability to fine gatekeeper companies – to the European Commission.

Next steps: The Commission will summarise and present feedback from a recent public consultation to the European Parliament and Council, which will then work to agree the content of the legislation.

Contracts for Digital Content and Digital Services Directive

The Directive introduces contractual protections for consumers using digital stores, cloud services or social media platforms. It aims to protect consumers when digital content and digital services are faulty, giving them the right to a number of remedies that previously only existed for physical goods. Crucially, the rights under the Directive will cover equally paying customers, and customers who do not pay money but provide their personal data in order to receive digital content and services. This marks a significant step in recognising the value of consumers' personal data held by companies.

Next steps: Member States have to adopt measures to comply with the Directive by 1 July 2021.

European Electronic Communications Code Directive

The Directive updates and replaces a number of existing EU telecoms laws – namely the Framework Directive, Access Directive, Authorisation Directive and Universal Service Directive. It expands the definition of electronic communications services to try and level the playing field between traditional telecoms operators and online entrants to the market, including those providing "number-based" and "number-independent" interpersonal communications services. The Directive introduces new rights for users of electronic communications services, amends the rules governing the assignment and use of telecoms infrastructure, and includes measures to encourage national regulatory authorities to invest in improved network coverage.

Next steps: EU Member States were required to implement the provisions of the Directive into domestic law by 21 December 2020. The UK has deprioritised the implementation of certain "non-critical" provisions until December 2021.

Artificial Intelligence Act

The European Commission has proposed a new regulation laying down harmonised rules on artificial intelligence (AI). This will include a technology-neutral and future-proof definition of AI, and establish a list of prohibited AI practices (based on the Commission's assessment of those which pose "unacceptable risk"). The Commission will create rules applying to providers of high-risk AI systems (which might include AI systems intended to be used to recruit people or evaluate their creditworthiness, or for judicial decision making). Finally, the Commission intends to place transparency obligations on providers to disclose when they are presenting, for example, "deep fake" content.

Next steps: The Commission presented its proposal on 21 April 2021. The European Parliament and Member States will need to adopt the Commission's proposals in the ordinary legislative procedure.

New rules on dual use items

The EU is updating existing rules on the export of so-called "dual use" goods (i.e. products, such as drones and chemicals, which are designed for civilian use, but in the wrong hands could be used for terrorism or human rights violations). The rules will amend the existing export control regime to cover cyber-surveillance items and other emerging technologies. They also aim to strengthen Member States' public reporting obligations to make them more transparent.

Next steps: The European Parliament agreed the new rules on 25 March 2021. The European Council now needs to agree the updated regulation before it can enter into effect.

UK Technology Regulation

The Digital Markets Unit

The Competition and Markets Authority (CMA) has issued advice to the UK Government on the design and implementation of a new regulatory regime for digital markets. The regime will introduce a legally binding code of conduct applying to tech companies considered to hold "strategic market status" (i.e. considerable market power). A Digital Markets Unit within the CMA will be established, possessing enforcement powers that could include the ability to impose financial penalties, and require actions from tech companies to achieve compliance with the code of conduct.

Next steps: The Digital Markets Unit was set up in April 2021. However, new formal powers for the Unit will be subject to legislation, which the Government has promised to introduce as soon as parliamentary time allows.


Online Safety Bill

The Government plans to establish a new regime to secure the removal of unlawful and harmful online content. The regime will apply to companies hosting user-generated content accessible in the UK, or facilitating user-to-user interaction, and will impose a statutory duty of care towards users. The Government has indicated that sanctions – including significant fines – will apply for non-compliance with the regime.

Next steps: The Government has confirmed that it will introduce the Online Safety Bill this year.

Internet of Things security

The Government has announced laws that will impose new security requirements on smart devices that are sold to consumers in the UK. These are:

  • Device passwords must be unique and not resettable to any universal factory setting.
  • Manufacturers must provide a public point of contact so anyone can report a vulnerability.
  • Manufacturers must state the minimum length of time for which the device will receive security updates.

Next steps: The legislation was announced in January 2020. Following a consultation, the Government was due to publish a regulatory impact assessment for its proposals at the end of last year, although this is yet to materialise.
