United Kingdom: TMT

There is no single regulatory regime which is solely targeted at technology, per se. However, there are various regulatory regimes pertaining to particular sectors or types of services (e.g. telecoms or financial services) which will have provisions and requirements that will impact upon technology services and/or solutions.

Yes, communications networks and services are regulated. However, most providers of communications networks and services do not require a licence or specific authorisation to operate; rather, they have ‘general authorisation’, meaning that they can operate provided they comply with a set of general rules which are largely set out in the General Conditions of Entitlement (which are established under section 45 of the Communications Act 2003).

The exceptions to the principle of general authorisation include:

1. networks or services using radio spectrum (except where exempted by the government);
2. mobile operators wanting, for wireless telegraphy, to (i) establish and use base stations, or (ii) install or use apparatus;
3. satellite operators;
4. multiplex operators; and
5. certain premium rate services regulated by the Phone-paid Services Authority.

The communications services and networks which are in scope for the purposes of being regulated are:

• ‘electronic communication networks’ – i.e. the system (and its associated apparatus, equipment, software and stored data) which is used to transmit signals; and
• ‘electronic communication services’ – i.e. the conveying of signals over the electronic communication network.

Following Brexit, a number of changes have taken place. As part of the withdrawal agreement, the UK was required to adopt the terms of the European Electronic Communications Code Directive that came into force in 2018. This was achieved through the enactment of ‘The Electronic Communications and Wireless Telegraphy (Amendment) (European Electronic Communications Code and EU Exit) Regulations 2020’ which transposed the terms of the Directive into national law.

The use of radio spectrum requires a licence from Ofcom (section 8, Wireless Telegraphy Act 2006 (WTA)). Radio spectrum is auctioned by Ofcom from time to time, for vast sums running into billions of pounds.

Digital TV and radio broadcasting requires various multiplex and radio broadcast licences under the Broadcasting Act 1996. These are different from the licence of the relevant spectrum, which is licensed under the WTA. Licences are granted by Ofcom for a fixed fee payable. There can also be an annual percentage of revenue payable.

Yes – communications networks and services are primarily regulated by Ofcom.

Ofcom, whilst independent of government control:

• must act in accordance with its powers and duties set out in law;
• is accountable to the UK Parliament; and
• is funded from regulatory fees and grant-in-aid from the UK government.

Following amendments made by the Digital Economy Act 2017, Ofcom has to have regard to the government’s statements of strategic priorities relating to telecoms and radio spectrum management (section 98 2A-2C).

Platform Providers in the UK are regulated to an extent by the Electronic Commerce (EC Directive) Regulations 2002 which implement the Articles 12-15 EU Directive 2000/31/EC. The regime applies to content which appears on platforms, but with respect to which the platform operator performs only certain technical functions (services whose primary function is hosting content contributed by others). The legislation imposes obligations upon a seller before a contract is formed and information that must be provided to the consumer.

Following Brexit, the remaining provisions of the Directive no longer apply to providers operating in the UK. To align the 2002 Regulations with national legislation, the Electronic Commerce (Amendment etc.) (EU Exit) Regulations 2019 were introduced. Amongst other changes, this disapplies the EU ‘country of origin’ principle for UK providers.

The Statutory Code of Practice for providers of online social media platforms has been published in accordance with Section 103 of the Digital Economy Act 2017. The Code provides guidance for social media platforms, in advance of the new regulatory framework envisaged in the Online Harms White Paper. It sets out actions that the Government believes social media platforms should take to prevent bullying, insulting, intimidating and humiliating behaviours on their sites.

The UK framework regulates providers that provide services within the UK, including those domiciled outside of the UK. The UK Government however have stated that this will not protect UK providers who provide services within the EEA as the provisions of EU Directive 2000/31/EC may continue to apply to them. It is therefore recommended that assessments of provided services are to be taken, to ensure they are not still subject to the Directive by virtue of providing regulated services within a member state of the EEA.

There are no requirements for a communications provider to be domiciled in the UK prior to or during the provision of services, and there are no foreign ownership restrictions.

Potentially, while there is no specific restriction on foreign ownership within the regulatory framework, Ofcom does have the right to, amongst other things, revoke licences for the installation and use of wireless telegraphy equipment where necessary in the interests of national security. This could, theoretically, be used to restrict foreign ownership of certain telecoms operators, although this right is unlikely to be invoked.

While there is no general restriction on foreign ownership of telecoms operators, under the National Security and Investment Act 2021 a person acquiring qualifying types of telecoms operators would be legally required to notify the Government if the transaction met certain threshold criteria. On notification, the government would then have a power to review and block the acquisition if it could harm the UK’s national security.

Yes – the rules on interconnection are governed by a mixture of communications and competition-related laws.

The General Conditions of Entitlement require that a provider of public electronic communication networks negotiates with another public electronic communication networks provider based in the UK with a view to concluding an agreement (or an amendment to an existing agreement) for interconnection within a reasonable period. This is a general obligation which applies to providers of public electronic communication networks.

In addition, Ofcom has the power to impose access-related conditions on providers of electronic communication networks for the purposes of securing:

• Efficiency (e.g. by making associated facilities available);
• Sustainable competition;
• Efficient investment and innovation; and
• The greatest possible benefit for the end-users of public electronic communication services.

Ofcom also regulates the wholesale rates for termination of phone calls from other networks of their customers. All operates are currently required to provide call termination on fair and reasonable terms, conditions and charges.

These access-related conditions may include obligations to share the use of electronic communications apparatus (and apportioning and contributing towards the costs of this sharing) and the fixing of service prices where there are no viable alternative arrangements that may be made and Ofcom has deemed there to be a lack of appropriate competition. Hence, these are more likely to be applied on electronic communication networks providers with significant market power.

Moreover, general UK competition law applies in respect of anti-competitive agreements and the abuse of dominant positions.

Various consumer-specific provisions are set out in the General Conditions of Entitlement. A ‘consumer’ is defined as someone who uses or requests a service for purposes which are outside his or her trade, business or profession.

Specific obligations relating to consumers include:

• the requirement to include certain minimum terms in consumer contracts;
• certain parameters regarding the term and termination rights under the consumer contract (e.g. so that the procedures for contract termination do not act as disincentives for consumers against changing their communications provider);
• a requirement to make certain information available to the consumer (e.g. any access charges, the payment terms, the existence of any termination rights and any termination procedures);
• number portability; and
• various restrictions on sales and marketing activities.

Creators of computer software are entitled to copyright protection through the Copyright, Designs and Patents Act 1988 (“CDPA”). This gives the owner of the software the exclusive right to use and distribute it for a period of 70 years from the end of the calendar year in which the author of the software died (section 12(2)).

However, if the work is computer-generated, where there is no human author of the work copyright expires 50 years from the end of the calendar year in which the work was made (section 12(7)).

Elements of a computer program, such as screen displays and graphics may give the creator of computer software design rights under the Registered Designs Act 1949, although a computer program itself does not attract a design right.

Following Brexit, the UK is no longer part of the EU Community Design System. As a means of creating some form of compensation for rights holders, three new rights have since emerged: the continuing unregistered design (derived from unregistered Community Designs (CD)s), re-registered designs (replacing registered CDs), and unregistered designs which is intended to replicate the effect of unregistered CDs.

Patents are not available for computer software “as such” under the Patents Act 1977. However, the Intellectual Property Office currently follows judicial guidance (including Aerotel Ltd v Telco Holdings Ltd and Macrossan [2006] EWCA Civ 1371 and Astron Clinica Ltd & Ors v The Comptroller General of Patents, Designs and Trade Marks [2008] EWHC 85) which sets out criteria for when computer software may be patentable.

In a more recent case (Thaler v The Comptroller General of Patents Trade Marks and Designs [2021] EWCA Civ 1374), the Court of Appeal rejected an appeal claiming it should be possible for an AI entity to be named as the inventor on UK patent applications.

As a general principle, there are no intellectual property rights (“IPRs”) in data itself, although databases may be protected by IPRs. The CDPA gives copyright protection to the author of a database for the period of 70 years from the calendar year in which the author died (section 12(2)). Moral rights, which grant rights such as the right to be identified as the author of the database (sections 77-79) will be granted to the author, unless the database was created in the course of an employee’s employment (sections 79(3) and 82(1)).

The Copyright and Rights in Database Regulations 1997 give the author a database right for 15 years from the end of the calendar year in which the making of the database was completed, or if a substantial change is made to the contents of a database so the database can be considered to be a “substantial new investment”, 15 years from the end of the calendar year in which the substantial change was made (Regulation 17).

A patent may be available under the Patents Act 1977 if the database can be shown to achieve a technical effect that is novel and inventive (section 1). Databases used to implement new business methods are not, however, patentable (section 1(2)(c)).

Following the UK’s exit from the European Union, the UK Government has transposed the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”) into UK national law (thereby creating the “UK GDPR”). In so doing, the UK has made several technical changes to the GDPR in order account for its status as a national law of the United Kingdom (e.g., to change references to “Member State” to “the United Kingdom”). These changes were made under the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. At this time, all material obligations on controller and processors essentially remain the same under the UK GDPR as under the EU GDPR. 

The Data Protection Act 2018 (“DPA”) remains in place as a national data protection law and supplements the UK GDPR regime.  It deals with matters that were previously permitted derogations and exemptions from the EU GDPR (for example, substantial public interest bases for the processing of special category data, and context-specific exemptions from parts of the GDPR such as data subject rights).

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);
• accurate and where necessary kept up to date (the “accuracy principle”);
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”). The ICO does not mandate any particular standard in this regard but recommends adherence to ISO 27001.

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core theme of the UK GDPR. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Transfers of personal data by a controller or a processor to third countries outside of the United Kingdom are only permitted where the conditions laid down in the UK GDPR are met (Article 44).

The United Kingdom Government has the power to make an adequacy decision in respect of a third country under the UK GDPR (Article 45). This power is equivalent to the similar authorities granted to the EC has under the EU GDPR and involves the Secretary of State making a positive determination that the third country provides for adequate level of data protection, following which personal data may be freely transferred to that third country (Article 45(1)). The EU adequacy decisions have essentially been ‘rolled over’ from the EU GDPR.  The UK is also treating all EU and EEA Member States as adequate jurisdictions. The UK intends to reassess all these adequacy decisions before the end of 2024. It also has the power to make its own adequacy decisions.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available (Article 46). The list of appropriate safeguards includes, amongst others, binding corporate rules and standard contractual clauses with additional safeguards to guarantee an essentially equivalent level of protection to data subject’s and their personal data.  The UK Standard Contractual Clauses (IDTA) are now in force. The IDTA consolidates the full range of standard contractual clauses that may be required into one document (i.e. controller to processor, controller to controller, processor to processor, processor to controller), with certain sections expressly stated not to apply depending on the type of transfer taking place. Alongside the IDTA, organisations can also use an Addendum to the EU Standard Contractual Clauses (“EU SCCs”). This can be used as an alternative to the IDTA, to essentially apply EU SCCs in the context of UK data transfers (e.g., replacing references to EU GDPR with UK GDPR etc.).

The UK benefits from an EU adequacy decision, which means it is not considered a “third country” for the purposes of the EU GDPR.

The UK GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or GBP 17.5 million (whichever is higher).

The highest fines of up to GBP 17.5 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:

• the basic principles for processing including conditions for consent;
• data subjects’ rights;
• international transfer restrictions;
• any obligations imposed by domestic law for special cases such as processing employee data; and
• certain orders of a supervisory authority.

The lower category of fines of up to GBP 8.7 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:

• obligations of controllers and processors, including security and data breach notification obligations;
• obligations of certification bodies; and
• obligations of a monitoring body.

The DPA supplements the UK GDPR regime.  It deals with matters that were previously permitted derogations and exemptions from the EU GDPR (for example, substantial public interest bases for the processing of special category data, and context-specific exemptions from parts of the GDPR such as data subject rights).

In addition, the DPA transposes the Law Enforcement Directive ((EU) 2016/680) into UK law, creating a data protection regime specifically for law enforcement personal data processing; updates the data protection regime for national security processing; and sets out the scope of the Information Commissioner’s mandate and enforcement powers, and creates a number of criminal offences relating to personal data processing.

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are found in the Privacy and Electronic Communications Regulations 2003 (as amended) (“PEC Regulations”). The PEC Regulations are derived from European Union Directive 2002/58/EC (ePrivacy Directive), which have been retained in UK law post-Brexit.

The PEC Regulations prohibit the use of automated calling systems without the consent of the recipient.  The PEC Regulations contain certain prohibitions in relation to unsolicited electronic communications (i.e. by email or SMS text) for direct marketing purposes without prior consent from the consumer. Enforcement of a breach of the PEC Regulations is dealt with by the ICO.   The maximum fine for a breach of the PEC Regulations is currently GBP 500,000 (although there are currently proposals to bring this in line with GDPR fines), which can be issued against a company or its directors.

There are currently no specific ‘Cloud laws’ in the UK. However, many sector-specific regulatory initiatives (either issued by administrative or supervisory authorities or by the industry itself) have been issued which may further fuel the drive towards national cloud regulations.

One example is the Cloud Security Guidance issued by the UK National Cyber Security Centre (link). Further, in the financial services sector, the Financial Conduct Authority (FCA) has stated that financial services companies operating in the UK can make use of cloud-based services without falling foul of regulatory obligations. The published guidance (link) is not binding but the FCA said it expects firms to take note of them and use them to inform their systems and controls on outsourcing.

The UK has implemented internal legislation (“UK eIDAS Regulations”) which is similar to the European electronic signature regulations (EU Regulation 910/2014).

Under the UK eIDAS Regulations, a ‘qualified electronic signature’ has the same effect as a handwritten signature. A qualified signature features high levels of security: identification of the signing person can be carried out (for example) by biometric data or multi-factor authentication.

Conversely, a ‘simple signature’ (such as that at the end of an email) will show an association between the alleged signatory and the document, but will not be conclusive evidence.

No transfers of assets or third party contracts would occur automatically. However, there will frequently be detailed contract provisions negotiated between the parties to the outsourcing arrangement to facilitate this. In the case of the other signatories to the third party contracts, their consent to the proposed transfer of their contracts to the new outsource service provider will ordinary be required.

If there are individuals who are wholly or substantially engaged in the services/functions which are being outsourced, however (and whether they be employed by the customer entity or its other service providers), then their contracts of employment may transfer automatically to the outsource service provider by virtue of the Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE). In such event, all of their rights and obligations (including claims arising from employment related mistreatment by their previous employer) will transfer to the outsource service provider.

Ordinarily, there will be strict liability for the producer of defective products for consumers (Consumer Protection Act 1987) and this would include products which are themselves software or which include software components. Where such defects have resulted from computer assisted design or other software assisted processes, it will ordinarily be the person who programmed the CAD tool who will then face liability. However, this is all predicated on a principle of casual connection, i.e. “Because of A + B, C necessarily came next”. When the software starts to make decisions for itself based upon its “learning” from what it observes/receives from external sources and so ceases to be predictable, this liability concept becomes more strained.

There are discussions as to whether AI could be given a separate legal personality, and so be held accountable in a similar way to a company. In addition, the licensors/programmers responsible for the AI could be open to claims through vicarious liability. Alternatively, a similar framework to that which is applied to animals who cause harm or damage, where there is strict liability on their owner(s), could be applied. However, both of these discussions have not been fully developed and therefore, for the time being at least, it would seem most likely that the licensor/programmer of the AI product would be liable pursuant to the strict liability regime in the Consumer Protection Act as referred to above. In the business (i.e. non-consumer) context, contractual provisions will usually specify where liability will sit in any event.

The key laws imposing obligations on companies to maintain cyber-security include UK GDPR, the DPA, the Network and Information Systems Regulations 2018 (“NIS Regulations”), and the Communications Act 2003 (“2003 Act”).

The UK GDPR is not prescriptive about specific technical standards or measures. Rather, the UK GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’ approach is therefore the antithesis of this requirement.

However the UK GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

• the pseudonymisation and encryption of personal data;
• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
• a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The UK GDPR also contains a general requirement for a personal data breach to be notified by the controller to the ICO, and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4 UK GDPR). The controller must notify a breach to the ICO without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34 UK GDPR).

Under the DPA, controllers are subject to various obligations including to select a processor that sufficiently guarantees appropriate technical and organisational measures. Specifically, Articles 56 and 59 of the DPA require controllers and processors to implement measures that ensure a level of data security appropriate for the level of risk presented by processing personal data – this incudes encryption.

The NIS Regulations focus on the availability of crucial network and information systems in order to protect critical infrastructure and apply to Operators of Essential Services (“OES”) and Digital Service Providers (“DSP”), requiring OESs and DSPs to: (i) take appropriate technical and organisational measures to secure their network and information systems; (ii) take into account the latest developments and consider the potential risks facing the systems; (iii) take appropriate measures to prevent and minimise the impact of security incidents to ensure service continuity; and (iv) notify the relevant supervisory authority of any security incident having a significant impact on service continuity without undue delay. The Department for Digital, Culture, Media & Sport (DCMS) has proposed wide-ranging proposals to reform the NIS Regulation, which are expected later this year.

Under the 2003 Act, public electronic communications network (“PECN”) providers and public electronic communications service (“PECS”) providers have an obligation to take technical and organisation measures to manage risks in respect of electronic communications (section 105A). This includes notifying Ofcom of any breaches (section 105B). PECS providers are also subject to obligations under the 2003 Regulations, which require them to take appropriate technical and organisational measures to safeguard the security of their services (Regulation 5(1)). PECS providers must inform the Information Commissioner’s Office (“ICO”) if there is a personal data breach (Regulation 5A(2)) and the individuals concerned if the breach is likely to adversely affect the personal data or privacy of the subscriber or user (Regulation 5A(3)).

Businesses operating in the financial services sector are also subject to the Senior Management Arrangements Systems and Controls (“SYSC”) set out in the FCA Handbook and the STAR and CBEST standards developed by the Council for Registered Ethical Security Testers and the Bank of England. The SYSC provides obligations relating to governance, systems and controls that can directly or indirectly impose cyber security obligations on financial service providers (e.g. securing systems, managing risks, reducing the risk of financial crime and protecting client confidentiality). The STAR and CBEST standards allow financial services providers to demonstrate their cyber-security assurance by passing stipulated penetration and vulnerability tests.

Company directors also have an obligation to maintain cyber-security through the fiduciary duties they owe to their company, which are set out in the Companies Act 2006. These include the duty to promote the success of the company and to exercise reasonable care, skill and diligence while conducting their role (sections 172 and 174). Failure to understand and mitigate cyber risk (e.g. by failing to implement appropriate cyber-security measures) could equate to a breach of these duties, which could lead to a claim being brought against the directors by the company or its shareholders.

The Computer Misuse Act 1990 (“CMA 1990”) covers the criminality of hacking and DDOS attacks. The Regulation of Investigatory Powers Act 2000 (“RIPA”) also creates offences in respect of the unlawful interception of communications.

The CMA 1990 creates various offences relating to cybercrime including: unauthorised access to computer material (section 1(1)), unauthorised acts with intent to impair, or with recklessness as to impairing, operation of a computer (section 3) and impairing a computer such as to cause serious damage or a significant risk of causing serious damage of a material kind (section 3ZA(1)). Persons found guilty of an offence under sections 1(1) or 3 of the CMA 1990 are liable for a prison term of up to 12 months, or a fine, or both (sections 1(3) and 3(6)). Those found guilty of an offence under section 3ZA(1) are liable for a prison term of up to 14 years, or life if the offence creates a significant risk of serious damage to human welfare or national security, or a fine, or both (section 3ZA(6) and (7)).

This will likely be a mix of blockchain, digital assets, and AI.

As far as digital assets go, there remains no real regime that works well for them. The old securities laws apply to many but not to others. While there is no unified method of taxation, HMRC have released an updated manual for looking towards this (the Cryptoassets Manual). In any case, the regulatory grey areas lead to a number of issues for clients and firms.

As far as AI, I believe we are going to see a number of developments to play catch up with the EU AI proposal. These have been in the works for a while, such as the UK government’s National AI Strategy (link). I anticipate that we will see significant developments in AI regulation over the next few years.

I have a suspicion that the AI regulation given its extraterritorial reach and the extent that it encroaches onto a number of things that would otherwise be regulated more easily (search engines for example) will cause a number of issues. I have already read of US organisations refusing to sell programmes or AI related datasets/equipment to EU vendors already due to the risk of reprisals. I believe this may occur in the UK as well.

There appears to be movement towards encouraging digital services, and I feel that the further we get from Brexit and the more the UK aims to be an international player in these areas, the more we are going to see a legal system that for better or worse will allow advanced development in technology and digital services.

In December 2021, the UK government outlined a roadmap to an effective AI assurance ecosystem. As part of this strategy, we are anticipating a forthcoming White Paper on the governance and regulation of AI. It is yet to be seen how the UK’s legal system will compare against the EU’s latest proposals. Nevertheless, without robust regulation, we risk permitting very intelligent systems coming into contact with the public which will cause a number of behavioural, privacy, and liability (in the case of injury or death) concerns.