What is the regulatory regime for technology?
There is no single regulatory regime which is solely targeted at technology, per se. However, there are various regulatory regimes pertaining to particular sectors or types of services (e.g. telecoms or financial services) which will have provisions and requirements that will impact upon technology services and/or solutions.
Are communications networks or services regulated?
Yes, communications networks and services are regulated. However, most providers of communications networks and services do not require a licence or specific authorisation to operate; rather, they have ‘general authorisation’, meaning that they can operate provided they comply with a set of general rules which are largely set out in the General Conditions of Entitlement (which are established under section 45 of the Communications Act 2003).
The exceptions to the principle of general authorisation include:
- networks or services using radio spectrum (except where exempted by the government);
- mobile operators wanting, for wireless telegraphy, to (i) establish and use base stations, or (ii) install or use apparatus;
- satellite operators;
- multiplex operators; and
- certain premium rate services regulated by the Phone-paid Services Authority.
The communications services and networks which are in scope for the purposes of being regulated are:
- ‘electronic communication networks’ – i.e. the system (and its associated apparatus, equipment, software and stored data) which is used to transmit signals; and
- ‘electronic communication services’ – i.e. the conveying of signals over the electronic communication network.
Now that the UK has withdrawn from the EU, a number of changes have taken place. As part of the withdrawal agreement, the UK was required to adopt the terms of the European Electronic Communications Code Directive that came into force in 2018. This was achieved through the enactment of ‘The Electronic Communications and Wireless Telegraphy (Amendment) (European Electronic Communications Code and EU Exit) Regulations 2020’ which transposed the terms of the Directive into national law.
Due to the withdrawal, parts of the UK electronic communications regulatory framework became inappropriate. Examples of this include the previous requirement to notify certain matters to the European Commission and other obligations with which the UK regulator Ofcom will no longer need to comply. This has been addressed through secondary legislation under the EU Withdrawal Act 2018 which removes references to EU obligations and replaces them with references to the applicable national legislation.
If so, what activities are covered and what licences or authorisations are required?
The use of radio spectrum requires a licence from Ofcom (section 8, Wireless Telegraphy Act 2006 (WTA)). Radio spectrum is auctioned by Ofcom from time to time, for vast sums running into billions of pounds.
Digital TV and radio broadcasting requires various multiplex and radio broadcast licences under the Broadcasting Act 1996. These are different from the licence for the relevant spectrum, which is licensed under the WTA. Licences are granted by Ofcom for a fixed fee. There can also be an annual percentage of revenue payable.
Operating a satellite in outer space also requires a licence, which is obtained from the UK Space Agency.
Is there any specific regulator for the provisions of communications-related services?
Yes – communications networks and services are primarily regulated by Ofcom.
Are they independent of the government control?
Ofcom, whilst independent of government control:
- must act in accordance with its powers and duties set out in law;
- is accountable to the UK Parliament; and
- is funded from regulatory fees and grant-in-aid from the UK government.
Following amendments made by the Digital Economy Act 2017, Ofcom has to have regard to the government’s statements of strategic priorities relating to telecoms and radio spectrum management (section 98 2A-2C).
Are platform providers (social media, content sharing, information search engines) regulated?
Platform providers in the UK are regulated to an extent by the Electronic Commerce (EC Directive) Regulations 2002, which implement Articles 12-15 of EU Directive 2000/31/EC. The regime applies to content which appears on platforms, but with respect to which the platform operator performs only certain technical functions (services whose primary function is hosting content contributed by others). The legislation imposes obligations upon a seller before a contract is formed and specifies information that must be provided to the consumer.
Due to the UK’s withdrawal from the EU, the remaining provisions of the Directive no longer apply to UK providers in the UK. To align the 2002 Regulations with national legislation and remove references to the EU framework, the Electronic Commerce (Amendment etc.) (EU Exit) Regulations 2019 were introduced. Amongst other changes, these disapply the EU ‘country of origin’ principle for UK providers.
The Statutory Code of Practice for providers of online social media platforms has been published in accordance with Section 103 of the Digital Economy Act 2017. The Code provides guidance for social media platforms, in advance of the new regulatory framework envisaged in the Online Harms White Paper. It sets out actions that the Government believes social media platforms should take to prevent bullying, insulting, intimidating and humiliating behaviours on their sites.
If so, does the reach of the regulator extend outside your jurisdiction?
The UK framework regulates providers that provide services within the UK, including those domiciled outside of the UK. The UK Government has, however, stated that this will not protect UK providers who provide services within the EEA, as the provisions of EU Directive 2000/31/EC may continue to apply to them. It is therefore recommended that the services provided are assessed to ensure they are not still subject to the Directive by virtue of being regulated services provided within a member state of the EEA.
Does a telecoms operator need to be domiciled in the country?
There are no requirements for a communications provider to be domiciled in the UK prior to or during the provision of services, and there are no foreign ownership restrictions.
Are there any restrictions on foreign ownership of telecoms operators?
Potentially. While there is no specific restriction on foreign ownership within the regulatory framework, Ofcom does have the right to, amongst other things, revoke licences for the installation and use of wireless telegraphy equipment where necessary in the interests of national security. This could, theoretically, be used to restrict foreign ownership of certain telecoms operators, although this right is unlikely to be invoked.
Are there any regulations covering interconnection between operators?
Yes – the rules on interconnection are governed by a mixture of communications and competition-related laws.
The General Conditions of Entitlement require that a provider of a public electronic communication network negotiates with another UK-based provider of a public electronic communication network with a view to concluding an agreement (or an amendment to an existing agreement) for interconnection within a reasonable period. This is a general obligation which applies to all providers of public electronic communication networks.
In addition, Ofcom has the power to impose access-related conditions on providers of electronic communication networks for the purposes of securing:
- efficiency (e.g. by making associated facilities available);
- sustainable competition;
- efficient investment and innovation; and
- the greatest possible benefit for the end-users of public electronic communications services.
Ofcom also regulates the wholesale rates that operators charge other networks for terminating phone calls to their customers. All operators are currently required to provide call termination on fair and reasonable terms, conditions and charges.
If so are these different for operators with market power?
These access-related conditions may include obligations to share the use of electronic communications apparatus (and apportioning and contributing towards the costs of this sharing) and the fixing of service prices where there are no viable alternative arrangements that may be made and Ofcom has deemed there to be a lack of appropriate competition. Hence, these are more likely to be applied on electronic communication networks providers with significant market power.
Moreover, general UK competition law applies in respect of anti-competitive agreements and the abuse of dominant positions.
What are the principal consumer protection regulations that apply specifically to telecoms services?
Various consumer-specific provisions are set out in the General Conditions of Entitlement. A ‘consumer’ is defined as someone who uses or requests a service for purposes which are outside his or her trade, business or profession.
Specific obligations relating to consumers include:
- the requirement to include certain minimum terms in consumer contracts;
- certain parameters regarding the term and termination rights under the consumer contract (e.g. so that the procedures for contract termination do not act as disincentives for consumers against changing their communications provider);
- a requirement to make certain information available to the consumer (e.g. any access charges, the payment terms, the existence of any termination rights and any termination procedures);
- number portability; and
- various restrictions on sales and marketing activities.
What legal protections are offered in relation to the creators of computer software?
Creators of computer software are entitled to copyright protection through the Copyright, Designs and Patents Act 1988 (“CDPA”). This gives the owner of the software the exclusive right to use and distribute it for a period of 70 years from the end of the calendar year in which the author of the software died (section 12(2)).
However, if the work is computer-generated, such that there is no human author of the work, copyright expires 50 years from the end of the calendar year in which the work was made (section 12(7)).
Elements of a computer program, such as screen displays and graphics, may give the creator of computer software design rights under the Registered Designs Act 1949, although a computer program itself does not attract a design right.
Under the European Union (Withdrawal) Act 2018 (EUWA), EU-derived legislation, as it has effect in UK law, is retained unless and until it is specifically amended or repealed at some point in the future. This includes legislation created to implement EU directives. From the end of the Brexit transition period, however, the UK will no longer be part of the EU Community Design System. As a means of creating some form of compensation for rights holders, three new rights emerged: the continuing unregistered design (derived from unregistered Community Designs (CDs)), re-registered designs (replacing registered CDs), and unregistered designs, which are intended to replicate the effect of unregistered CDs.
Patents are not available for computer software “as such” under the Patents Act 1977. However, the Intellectual Property Office currently follows judicial guidance (including Aerotel Ltd v Telco Holdings Ltd and Macrossan [2006] EWCA Civ 1371 and Astron Clinica Ltd & Ors v The Comptroller General of Patents, Designs and Trade Marks [2008] EWHC 85) which sets out criteria for when computer software may be patentable.
Do you recognise specific intellectual property rights in respect of data/databases?
As a general principle, there are no intellectual property rights (“IPRs”) in data itself, although databases may be protected by IPRs. The CDPA gives copyright protection to the author of a database for a period of 70 years from the end of the calendar year in which the author died (section 12(2)). Moral rights, which grant rights such as the right to be identified as the author of the database (sections 77-79), will be granted to the author, unless the database was created in the course of an employee’s employment (sections 79(3) and 82(1)).
The Copyright and Rights in Database Regulations 1997 give the author a database right for 15 years from the end of the calendar year in which the making of the database was completed, or if a substantial change is made to the contents of a database so the database can be considered to be a “substantial new investment”, 15 years from the end of the calendar year in which the substantial change was made (Regulation 17).
A patent may be available under the Patents Act 1977 if the database can be shown to achieve a technical effect that is novel and inventive (section 1). Databases used to implement new business methods are not, however, patentable (section 1(2)(c)).
What key protections exist for personal data?
Prior to Brexit, personal data (being any data which – alone or in combination with other information in the hands of the party in question – would enable a living person to be individually identified) was subject to detailed regulation and protection by way of the EU General Data Protection Regulation (“EU GDPR”). As of 1 January 2021, the EU GDPR is no longer directly applicable to the UK. However, at the end of the transition period, the DP Brexit Regulations 2019 introduced a new UK GDPR, which largely replicates the EU GDPR. The main rights afforded to individuals generally under the UK GDPR remain unchanged. They are:
- the right to be informed – individuals have the right to be informed about the collection and use of their personal data;
- the right of access – individuals have the right to access their personal data and supplementary information. This right allows individuals to be aware of and verify the lawfulness of the processing;
- the right to rectification – individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete;
- the right to erasure – individuals have the right to have personal data erased;
- the right to restrict processing – individuals have the right to request the restriction or suppression of their personal data;
- the right to data portability – individuals have the right to obtain and reuse their personal data for their own purposes across different services; and
- the right to object – individuals have the right to object to: (i) processing based on legitimate interests or the performance of a task in the public interest / exercise of an official authority; (ii) direct marketing; and (iii) processing for the purposes of scientific or historical research and statistics; and
- rights in relation to automated decision making and profiling.
Under the UK GDPR, data controllers may only collect and process personal data when certain specific conditions are met, including:
- where the data subject has consented;
- where it is necessary for a contract to which the data subject is a party; and
- where there is a “legitimate reason” for processing which does not itself damage the data subject’s rights, freedoms or own legitimate interests.
More stringent rules apply to special categories of personal data (e.g. as to health or sexual orientation etc.).
All data controllers must take appropriate technical and organisational measures to safeguard against unauthorised or unlawful processing, and against accidental loss of or destruction of personal data. The ICO does not mandate any particular standard in this regard but recommends adherence to ISO 27001.
Are there restrictions on the transfer of personal data overseas?
The UK currently benefits from a temporary bridging mechanism, which means it is not considered a “third country” for the purposes of the EU GDPR. This mechanism will fall away at the end of June 2021, or once the EU makes an adequacy decision on the UK’s status, whichever is soonest.
Under the UK GDPR, personal data may only be transferred to third parties outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR. The main two situations in which it is permissible for personal data to be transferred to third parties outside of the EU are:
- transfers on the basis of an adequacy decision – prior to Brexit, this would be where the European Commission had decided that a third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensured an adequate level of protection. Post-Brexit, the Secretary of State for DDCMS has the power to make adequacy decisions (s. 17A Data Protection Act 2018). So far the UK government has adopted the European Commission’s decisions and has suggested that it intends to increase the number of adequate destinations; and
- transfers subject to appropriate safeguards – i.e. if the UK government has not made a relevant adequacy decision, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
What is the maximum fine that can be applied for breach of data protection laws?
The Information Commissioner’s Office has the power to levy fines pursuant to the UK GDPR or the Data Protection Act 2018. The maximum fine is £17.5 million / 4% of worldwide turnover for (for example) breaches of the basic principles of processing (e.g. regarding consent), or a lower threshold of £8.7 million / 2% of annual turnover for breaches of some of the more ancillary obligations such as security arrangements or breach notifications.
What additional protections have been implemented, over and above the GDPR requirements?
The Data Protection Act 2018 is a complete data protection system. As well as containing applied aspects of the EU GDPR which make up part of the UK GDPR, it covers all other general data, law enforcement data and national security data. The Act also works for the benefit of the UK in areas such as academic research, financial services and child protection.
The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the UK GDPR. They give people specific privacy rights in relation to electronic communications. They are derived from European Directive 2002/58/EC (but continue to apply in the UK following Brexit) and set out specific rules on marketing calls, emails, texts and faxes; cookies; keeping communications services secure; and customer privacy regarding traffic and location data. PECR was amended in 2019 to ban cold-calling of pensions schemes in certain circumstances.
Are there any regulatory guidelines or legal restrictions applicable to cloud-based services?
There are currently no specific ‘Cloud laws’ in the UK. However, many sector-specific regulatory initiatives (either issued by administrative or supervisory authorities or by the industry itself) have been issued which may further fuel the drive towards national cloud regulations.
One example is the Cloud Security Guidance issued by the UK National Cyber Security Centre. A second example is the Guidance on the Use of Cloud Computing published by the Information Commissioner’s Office (ICO), which focuses on data protection issues related to cloud computing.
Further, in the financial services sector, the Financial Conduct Authority (FCA) has stated that financial services companies operating in the UK can make use of cloud-based services without falling foul of regulatory obligations. The published guidance is not binding, but the FCA has said it expects firms to take note of it and use it to inform their systems and controls on outsourcing.
Are there specific requirements for the validity of an electronic signature?
The UK has implemented internal legislation (“UK eIDAS Regulations”) which is similar to the European electronic signature regulations (EU Regulation 910/2014).
Under the UK eIDAS Regulations, a ‘qualified electronic signature’ has the same effect as a handwritten signature. A qualified signature features high levels of security: identification of the signing person can be carried out (for example) by biometric data or multi-factor authentication.
Conversely, a ‘simple signature’ (such as that at the end of an email) will show an association between the alleged signatory and the document, but will not be conclusive evidence.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
No transfers of assets or third party contracts would occur automatically. However, there will frequently be detailed contract provisions negotiated between the parties to the outsourcing arrangement to facilitate this. In the case of the other signatories to the third party contracts, their consent to the proposed transfer of their contracts to the new outsource service provider will ordinarily be required.
If there are individuals who are wholly or substantially engaged in the services/functions which are being outsourced, however (and whether they be employed by the customer entity or its other service providers), then their contracts of employment may transfer automatically to the outsource service provider by virtue of the Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE). In such event, all of their rights and obligations (including claims arising from employment related mistreatment by their previous employer) will transfer to the outsource service provider.
If a software program which purports to be a form of A.I. malfunctions, who is liable?
Ordinarily, there will be strict liability for the producer of defective products for consumers (Consumer Protection Act 1987), and this would include products which are themselves software or which include software components. Where such defects have resulted from computer assisted design or other software assisted processes, it will ordinarily be the person who programmed the CAD tool who will then face liability. However, this is all predicated on a principle of causal connection, i.e. “Because of A + B, C necessarily came next”. When the software starts to make decisions for itself based upon its “learning” from what it observes/receives from external sources, and so ceases to be predictable, this liability concept becomes more strained.
There are discussions as to whether AI could be given a separate legal personality, and so be held accountable in a similar way to a company. In addition, the licensors/programmers responsible for the AI could be open to claims through vicarious liability. Alternatively, a framework similar to that applied to animals which cause harm or damage, where there is strict liability on their owner(s), could be applied. However, none of these discussions has been fully developed and therefore, for the time being at least, it would seem most likely that the licensor/programmer of the A.I. product would be liable pursuant to the strict liability regime in the Consumer Protection Act as referred to above. In the business (i.e. non-consumer) context, contractual provisions will usually specify where liability will sit in any event.
What key laws exist in terms of: (a) obligations as to the maintenance of cybersecurity; (b) and the criminality of hacking/DDOS attacks?
The key laws imposing obligations on companies to maintain cyber-security include the General Data Protection Regulation (“GDPR”), the Data Protection Act 2018 (“DPA 2018”), the Network and Information Systems Regulations 2018 (“NIS Regulations”), and the Communications Act 2003 (“2003 Act”).
Under the DPA 2018, which implements the GDPR, controllers are subject to various obligations, including the obligation to select a processor that sufficiently guarantees appropriate technical and organisational measures. Specifically, Articles 56 and 59 of the DPA 2018 require controllers and processors to implement measures that ensure a level of data security appropriate to the level of risk presented by processing personal data – this includes encryption. In the event of a data breach, there is a mandatory legal duty to notify the ICO of the breach having occurred (within 72 hours of a controller having become aware of such an incident (Article 67)). The breach must also be notified directly to the data subjects concerned where it is likely to result in a high risk to the rights and freedoms of natural persons.
The NIS Regulations focus on the availability of crucial network and information systems in order to protect critical infrastructure and apply to Operators of Essential Services (“OES”) and Digital Service Providers (“DSP”), requiring OESs and DSPs to: (i) take appropriate technical and organisational measures to secure their network and information systems; (ii) take into account the latest developments and consider the potential risks facing the systems; (iii) take appropriate measures to prevent and minimise the impact of security incidents to ensure service continuity; and (iv) notify the relevant supervisory authority of any security incident having a significant impact on service continuity without undue delay.
Under the 2003 Act, public electronic communications network (“PECN”) providers and public electronic communications service (“PECS”) providers have an obligation to take technical and organisational measures to manage risks in respect of electronic communications (section 105A). This includes notifying Ofcom of any breaches (section 105B). PECS providers are also subject to obligations under the 2003 Regulations, which require them to take appropriate technical and organisational measures to safeguard the security of their services (Regulation 5(1)). PECS providers must inform the Information Commissioner’s Office (“ICO”) if there is a personal data breach (Regulation 5A(2)) and the individuals concerned if the breach is likely to adversely affect the personal data or privacy of the subscriber or user (Regulation 5A(3)).
Businesses operating in the financial services sector are also subject to the Senior Management Arrangements Systems and Controls (“SYSC”) set out in the FCA Handbook and the STAR and CBEST standards developed by the Council for Registered Ethical Security Testers and the Bank of England. The SYSC provides obligations relating to governance, systems and controls that can directly or indirectly impose cyber security obligations on financial service providers (e.g. securing systems, managing risks, reducing the risk of financial crime and protecting client confidentiality). The STAR and CBEST standards allow financial services providers to demonstrate their cyber-security assurance by passing stipulated penetration and vulnerability tests.
Company directors also have an obligation to maintain cyber-security through the fiduciary duties they owe to their company, which are set out in the Companies Act 2006. These include the duty to promote the success of the company and to exercise reasonable care, skill and diligence while conducting their role (sections 172 and 174). Failure to understand and mitigate cyber risk (e.g. by failing to implement appropriate cyber-security measures) could equate to a breach of these duties, which could lead to a claim being brought against the directors by the company or its shareholders.
The Computer Misuse Act 1990 (“CMA 1990”) covers the criminality of hacking and DDOS attacks. The Regulation of Investigatory Powers Act 2000 (“RIPA”) also creates offences in respect of the unlawful interception of communications.
The CMA 1990 creates various offences relating to cybercrime including: unauthorised access to computer material (section 1(1)), unauthorised acts with intent to impair, or with recklessness as to impairing, operation of a computer (section 3) and impairing a computer such as to cause serious damage or a significant risk of causing serious damage of a material kind (section 3ZA(1)). Persons found guilty of an offence under sections 1(1) or 3 of the CMA 1990 are liable for a prison term of up to 12 months, or a fine, or both (sections 1(3) and 3(6)). Those found guilty of an offence under section 3ZA(1) are liable for a prison term of up to 14 years, or life if the offence creates a significant risk of serious damage to human welfare or national security, or a fine, or both (section 3ZA(6) and (7)).
What technology development will create the most legal change in your jurisdiction?
This will likely be a mix of blockchain, digital assets, and AI.
As far as digital assets go, there remains no real regime that works well for them. The old securities laws apply to many but not to others. While there is also no unified method of taxation, HMRC have released an updated manual looking towards this. In any case, the regulatory grey areas lead to a number of issues for clients and firms.
As far as AI goes, I believe we are going to see a number of developments to play catch up with the EU AI proposal. These have been in the works for a while, as is evident from the number of calls for evidence, and I feel that we are only going to see more complicated regulation as technology becomes more complex.
Which current legal provision/regime creates the greatest impediment to economic development/ commerce?
I have a suspicion that the AI regulation, given its extraterritorial reach and the extent that it encroaches onto a number of things that would otherwise be regulated more easily (search engines, for example), will cause a number of issues. I have already read of US organisations refusing to sell programmes or AI related datasets/equipment to EU vendors due to the risk of reprisals. I believe this may occur in the UK as well.
Do you believe your legal system specifically encourages or hinders digital services?
There appears to be movement towards encouraging digital services, and I feel that the further we get from Brexit and the more the UK aims to be an international player in these areas, the more we are going to see a legal system that for better or worse will allow advanced development in technology and digital services.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
Currently, I don’t think it is. I think we will need to do something along the lines of what the EU is proposing. Perhaps not as far, but if we don’t then we risk permitting very intelligent systems to come into contact with the public, which will cause a number of behavioural, privacy, and liability (in the case of injury or death) concerns.
United Kingdom: TMT
This country-specific Q&A provides an overview of Technology laws and regulations applicable in United Kingdom.