In our September edition, we provide an update of the key regulatory developments in the UK and EU across the topics of Digital Platforms, Online Safety, Data, Cyber, AI and more.
Digital Markets, Competition and Consumers Bill (UK)
The Digital Markets, Competition and Consumers Bill is the most significant overhaul to the UK's competition law regime since 1998. The Bill empowers the Competition and Markets Authority (CMA) (through the new Digital Markets Unit) to designate undertakings, which are very powerful in particular digital activities, as having strategic market status (SMS). SMS firms will face unique obligations under the Bill, including bespoke conduct requirements (with the prospect of significant penalties for non-compliance) and mandatory merger reporting. Outside of Big Tech, reforms to the general competition law framework will seek to introduce a rebalanced merger control system, stronger enforcement against anti-competitive conduct and a series of enhancements to the CMA’s investigative and enforcement powers. Finally, the CMA's consumer law enforcement powers are being brought to the same level as the competition enforcement regime, with the CMA able to fine businesses up to 10% of their global turnover for infringing consumer law.
Next steps: The Bill is at Report stage in the House of Commons, and is expected to come into force some time in 2024.
Read our blog series:
- Part 1: enhanced consumer rights and consumer enforcement powers
- Part 2: the DMU and competition law reforms
Regulatory action on Online Choice Architecture (UK)
In a recently published joint paper, the UK's CMA and Information Commissioner's Office (ICO) have warned online businesses against harmful design practices that could undermine people’s control over their personal information, and lead to worse consumer and competition outcomes. The paper sets out practical examples of potentially harmful design practices, and establishes best practice principles for businesses' "Online Choice Architecture". Those principles include putting users at the heart of design choice, using design that empowers user choice and control, testing and trialling design choices, and ensuring that those choices comply with relevant laws. The regulators have stated that if they don't see improvements, they will take enforcement action against businesses.
Next steps: The CMA and ICO have invited stakeholders to get in touch if interested in engaging further on the issues discussed in the joint paper. In the meantime, businesses should consider whether their online design practices expose them to unwanted risks, assessing these in particular against the CMA / ICO's examples of harmful practices, the principles set out in the joint paper, as well as the standards of data protection, competition and consumer law more generally.
Digital Markets Act (EU)
The Digital Markets Act (DMA), which imposes conduct obligations and restrictions on the largest digital firms in the name of fair, open and competitive markets, is now in force. Under the DMA, the European Commission can designate digital platforms as "gatekeepers" if they provide an important gateway between businesses and consumers in relation to core platform services. Non-compliance carries the threat of fines of up to 10% of the gatekeeper's total worldwide turnover, which can increase to 20% in case of repeated infringement.
Next steps: On 6 September 2023, the Commission designated Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft as gatekeepers in relation to 22 of their core platform services. The designated gatekeepers now have six months to comply with the DMA obligations for each of their core platform services. Meanwhile, Microsoft and Apple have challenged the designation of particular services as core (namely for Microsoft, Bing, Edge and Microsoft Advertising, and for Apple, iMessage).
Online Safety Bill (UK)
At the time of writing, the Online Safety Bill (OSB) continues to proceed through Parliament. The Third Reading in the Lords took place on 6 September 2023 and the bill is expected to receive Royal Assent very soon. The Bill represents a paradigm shift in the approach to the regulation of online platforms and adopts a proactive approach - requiring providers to carry out risk assessments and implement design choices, operational controls and other systems and processes to prevent users encountering certain types of content and mitigate the risk of harm online.
The battle between UK legislators and big tech companies on the issue of encryption continues. In April, WhatsApp, Signal and other end-to-end encryption services published an open letter threatening to leave the UK if the Bill is passed. Meanwhile, child protection charities such as the NSPCC continue to seek support for the Bill and have asked for no more delays. In July, Wikipedia joined the ranks in announcing that it would refuse to apply age-gating on its website if required to do so by the OSB.
There has been significant discussion around the controversial 'spy clause', clause 122 in the bill, which remains unamended in the legislation as finalised. Some fear that the clause will give Ofcom powers to require end-to-end encrypted messaging service providers to deploy software to scan phones for prohibited content. There have been mixed messages from government as to when and how the spy clause would be used by Ofcom. The government's line has been that a notice can only be issued where technically feasible and where technology has been accredited as meeting minimum standards of accuracy in detecting only child sexual abuse and exploitation content. The wording remains part of the bill so if technology does become available that can 'spy' on encrypted content, it could still be imposed on tech companies.
Next steps: Some of Ofcom's powers will enter into force immediately after Royal Assent so that Ofcom can get started on publishing guidance and codes of practice.
The Digital Services Act (EU)
The Digital Services Act (DSA) intends to enhance and harmonise the rules applicable to online intermediaries such as hosting providers, social media networks, online platforms and marketplaces. The DSA tackles two key topics: (i) harmonized rules on notice and action obligations for illegal content, and (ii) new transparency obligations for online intermediary services, especially in relation to content moderation and online advertising. The strictest rules apply to very large online platforms and search engines (VLOPs and VLOSEs).
Next steps: The first batch of 19 online platforms, including Facebook, Twitter, and Google Search, received their designations as VLOPs or VLOSEs in April 2023, providing a four-month window in which to start complying with the DSA or face a fine of up to 6% of global annual turnover. That deadline passed on 25 August 2023 and within the past week there has been a flurry of press reports published by the online platforms setting out the steps they have taken towards DSA compliance. Two of the online platforms, Zalando and Amazon, have challenged their designation as VLOPs on the basis of the calculation of user numbers and on the basis that, fundamentally, their platforms do not present a systematic risk of disseminating harmful or illegal content from third parties, despite the high average user numbers on which the designation is based. These challenges appear to be unresolved. All other online intermediaries have until 17 February 2024 to start complying with the DSA.
Loot boxes (UK and EU)
In the latest quarter, we saw the UK Department for Culture, Media and Sport (UK DCMS) release its new guidance on the use of "loot boxes" in videogames, coordinated by the Association for UK Interactive Entertainment (UKIE). The UKIE's 11 industry principles that form the centre of the guidance include a focus on improving transparency and information standards surrounding loot boxes in video games. The guidance also establishes a number of new requirements relating to age-gating and age assurance; as well as requiring more lenient refund policies for in-game purchases and greater restrictions on the external sale of items acquired from paid loot boxes for real money. These align with a continuing trend of increased demands on compliance regimes for loot boxes we have seen across Europe.
Next Steps: We are still waiting on the outcome of the European Parliament's calls for harmonized rules on consumer protection in video-games, announced at the start of this year. With an increasing divergence between states taking industry led / gambling-based / bespoke-legislation approaches, it appears that European legislatures are continuing to hold the prospect of an outright ban as an incentive for more consumer-friendly practice in this area.
CMA principles on competitive AI markets (UK)
On 18 September 2023, the CMA published proposed principles to guide the ongoing development of AI and help developers/businesses stay on the right side of competition and consumer protection law. The rapid adoption of AI has the potential to transform how we live and work, much to our benefit if it works well. But there are important questions raised. In the CMA's view, if competition is weak, people and businesses could be harmed – both immediately for consumers if they are exposed to significant levels of false information, AI-enabled fraud, or fake reviews; and over the longer term, if a handful of firms gain or entrench positions of market power and fail to offer the best products and services and/or charge high prices. The CMA has therefore put forward six principles of 1. Access, 2. Diversity, 3. Choice, 4. Flexibility, 5. Fair dealing, and 6. Transparency, underpinned by the need for accountability of AI Foundation Model developers and deployers.
Next steps: The CMA will publish an update on its thinking on the principles, and how they have been received and adopted, in early 2024, also reflecting on further developments in the market.
White Paper on AI (UK)
The UK Government's consultation on its White Paper on AI closed on 21 June 2023.
The White Paper aims 'to guide the use of artificial intelligence in the UK, to drive responsible innovation and maintain public trust in this revolutionary technology'. Unlike the EU, the UK's approach to AI is not by way of a new regulator or legislation but instead will establish key principles that existing regulators should consider as part of their remit.
Even though the consultation has closed, the Government is still engaging with stakeholders. There are no published timescales on when we may see the feedback and/or output from the consultation.
In related news, the BBC has reported that some MPs are pushing for a new AI law in the UK, contrary to the approach laid out in the UK government's White Paper.
Next steps: The UK Government will publish the output following the consultation. Watch for announcements in the King's speech on 7 November 2023.
Artificial Intelligence Act (EU)
Following the EU Parliament's adoption of its position on the new EU AI Act, the EU institutions have stated their positions.
The Act proposes a risk-based approach to AI regulation, whereby AI systems will either be (a) prohibited on the basis of unacceptable risk; (b) permitted subject to compliance with stringent requirements and an ex ante conformity assessment, (c) permitted but subject to certain information and transparency obligations, or (d) permitted without restrictions.
Next steps: The Act is currently in trilogue negotiations between the EU legislators, with negotiation sessions scheduled until at least mid-October. Once the final text of the Act is approved, it will likely take another two years before the Act enters into force. It's possible that certain elements may be introduced earlier.
Read our insights on the AI Act in the context of digital health.
Code of Conduct for Artificial Intelligence (EU)
Despite announcements from the EU in May 2023 about producing a draft Code of Conduct for AI "within weeks" to provide a set of voluntary standards for the use of AI, we have yet to see a draft published. A Code of Conduct would serve as something of a stopgap while the AI Act continues through the legislative process, allowing governments to respond in real-time to a very fast-moving area.
Next steps: Awaiting a draft from the EU.
Data Protection and Digital Information Bill (UK)
The new Data Protection and Digital Information (No.2) Bill continues to progress through Parliament. A revised version of the Bill (as amended by the Public Bill Committee) was published on 9 June 2023 and is now due to return to the House of Commons for its report stage and third reading. The Bill has gained some coverage in the UK press lately, following a statement from the digital campaigning organisation, Open Rights Group, that the changes to the rules on subject access requests undermine an individual's control over and access to their data. This relates to changes that allow businesses to reject a subject rights request or charge a fee if it is a "manifestly unfounded or excessive" request. The Bill changes this to "vexatious or excessive", which is said to lower the threshold for refusals.
Next steps: The Public Bill Committee had its eighth sitting on 23 May 2023, and the Bill (as amended) moved to Report stage, where it will be debated and further amendments proposed. A date for the Report stage is still to be announced. Amendments can still be made to the Bill at Report stage.
Data Governance Act and Data Act (EU)
The European Strategy for Data aims to support the creation of a single European market for data. Forming part of this, the Data Governance Act (DGA) specifically aims to encourage wider re-use of data held by public sector bodies, boost data sharing through the regulation of novel "data intermediaries" (organisations which set up commercial arrangements between data holders and data users, but which do not themselves add extra value to the data) and encourage data sharing for altruistic purposes. In August, as part of the implementation of the DGA, the EU Commission introduced common logos to easily identify trusted data intermediaries. Trusted data intermediaries will follow a set of rules based on the principles of neutrality and transparency. Also part of the European Strategy for Data, the draft Data Act (DA) complements the DGA: while the DGA creates the processes and structures to facilitate data sharing, the DA clarifies who can create value from data and under which conditions. The DA still awaits formal approval from the European Parliament.
Next steps: The DGA entered into force on 23 June 2022 and following a 15-month grace period, will be applicable from 24 September 2023. The European Commission is still to establish the European Data Innovation Board to assist and advise the Commission by issuing guidelines on how development of data spaces can be facilitated and sharing best practices in relation to, among other things, data altruism, data intermediation and the use of public data not available as open data.
On 28 June 2023, the trilogue negotiations between the European Parliament and the Council on the DA came to a conclusion and the text now awaits formal approval. Once adopted, the DA will enter into force 20 days after Official Journal Publication, with a 20-month transition period once in force.
Health Data Spaces Regulation (EU)
The Health Data Space Regulation (EHDS) is a health specific ecosystem, comprised of common standards and practices, aimed at addressing the complexities of current European rules on data sharing in the health sector in order to maximise the potential of health data.
Next steps: The EHDS continues to be analysed by Parliament and Council, with the stated aim that it will be operational by 31 October 2024. On 14 February 2023, the Industry, Research and Energy Committee released its draft Opinion, which contains the latest draft text with amendments proposed. The Council continues to debate its own position, but this is expected to be finalised by the end of this year. The European consumer group, BEUC, has stated that people need more control over their health data through opt-in and opt-out mechanisms after surveying more than 8,000 European citizens, many of whom expressed discomfort with the current proposals. The body of the data protection authorities of Germany's 16 states (Datenschutzkonferenz) has also called for improvements to ensure that the privacy and data protection rights outlined in the GDPR, as well as Articles 7 and 8 of the Charter of Fundamental Rights of the EU, are not undermined. The European Commission is hopeful that the EHDS will be finalised by June 2024, and in force by 2025.
Digital Operational Resilience Act (EU)
In keeping with a more general approach being taken by regulators globally to focus on the security of their critical infrastructure assets, the EU has in recent years adopted a strong focus on developing a framework to bolster the resilience of financial systems operating within their territories. The culmination of this is the Digital Operational Resilience Act (DORA), which looks to harmonise approaches on tackling digital operational resilience and IT security.
Flowing from the EU's aim to harmonise approaches across the sector as a whole, DORA seeks to cover the vast majority of the financial services ecosystem and, therefore, applies to a broad spectrum of market participants. Article 2(1) of DORA sets out the exhaustive list of covered entities, which include amongst others, payment institutions, investment firms, account information service providers, credit rating agencies, insurers and electronic money institutions.
Given the breadth of coverage of DORA, a significant number of firms and their IT suppliers will have to get to grips with the new regulation, which will demand a more resilient financial technology than ever before. Firms will need to heavily assess their technology providers' performance and may even need to revisit the terms of those relationships in some circumstances. Providers may need to improve their infrastructure and performance to stay in the market. Some providers will be directly regulated for the first time.
Next steps: DORA has a two-year implementation period, and will apply from 17 January 2025.
Read our blog series:
- Part 1: overview
- Part 2: ICT incident management, classification and reporting
- Part 3: managing ICT third party risk
Other technology regulation
Batteries Regulation (EU)
Since 2006, batteries and waste batteries have been regulated at the EU level under the Batteries Directive. In July 2023, the Council of the European Union adopted a new framework, which will regulate the entire life cycle of batteries – from production to reuse and recycling – with the aim of ensuring that they are safe, sustainable and competitive. The new Batteries Regulation seeks to ensure that, in the future, batteries have a low carbon footprint, use minimal harmful substances, need fewer raw materials from non-EU countries, and are collected, reused and recycled. Under the new law’s due diligence obligations, companies must identify, prevent and address social and environmental risks linked to the sourcing, processing and trading of raw materials such as lithium, cobalt, nickel and natural graphite contained in their batteries, as well as ensure that the information placed on the European market in relation to their batteries is correct and up to date.
Next steps: The regulation will apply from February 2024. However, additional obligations and requirements will be introduced more gradually. Starting from 2025, the Regulation will introduce declaration requirements, performance classes and maximum limits on the carbon footprint of electric vehicles, light means of transport (such as e-bikes and scooters) and rechargeable industrial batteries. Further, the Regulation also creates a digital record system, referred to as Battery Passport, for which it will be the responsibility of the party placing the battery on the market to ensure that all data required, such as basic characteristics and durability, is entered in the digital record and that the information is up to date.