The 10 most important UK/EU tech and data laws to know about

There's a lot of legislation coming down the track


Compared to technological change, legislation moves at a snail's pace. But when changes do arrive they are generally significant, with far-reaching and long-lasting consequences.

It always pays, therefore, to stay abreast of what the legislators are cooking up. For many UK organisations post-Brexit that means observing two tracks, because EU laws still apply when transacting with Europe.

Recently a host of legislative juggernauts have loomed into view that are now on the statute books or will be very shortly, including the Online Safety Bill, the UK Digital Markets Competition and Consumers Bill, the EU Digital Markets, Digital Services and Cyber Resilience Acts and the AI Act, among others.

Here are the Top 10 UK, EU and multinational acts, bills and directives that tech companies and those that work with their products need to keep an eye on. Thanks to Dr Kuan Hon of law firm Dentons for her assistance in compiling the list. For clarity, she was not involved in and hasn't verified any aspects beyond those where she was specifically quoted.


UK Online Safety Bill

The OSB is the epitome of slow moving yet enormously consequential legislation. Intended to tackle the horrific problem of child exploitation online, this hugely contentious piece of legislation is close to becoming law in the UK after five years of wrangling.

The aims of the bill are laudable, but throughout its long journey the means proposed to deliver them have often been controversial. The government has frequently argued that nothing should be beyond the oversight of law enforcement when it comes to protecting children, while opponents point to the dangers of untargeted surveillance.

Last week the government backed down on its original intent to scan end-to-end encrypted (E2EE) messaging apps following threats by WhatsApp and Signal to quit the UK, conceding that the technology to scan encrypted messages is not yet available. While the government could still feasibly mandate client-side scanning, it seems unlikely it would do so unless the EU does the same - which it could do.

Under the OSB, platforms will need to take measures to deal with risks, including harmful content and cyberbullying. They will be obliged to implement age verification or assurance measures and to remove harmful content, such as CSAM, terrorist content and suicide promotion.

There is a grey area around 'legal but harmful' content, with the bill now requiring a tick-box opt-in, akin to that used by search engines.

Ofcom will have new powers to oversee and regulate tech companies' efforts on online safety, with fines of up to 10% of annual global turnover for violations.

Platforms will be required to assess risks and put proportionate systems in place to improve user safety. Larger platforms will also need to publish transparency reports.

They must also give users tools to filter out certain types of content they don't want to see, and allow them to verify their age.

Who will it affect?

The scope is broad and still rather vague. Potentially all online platforms that host user-generated content are in scope, although there are three categories based primarily on the size and functionality of the platform, with category 1 services, which will include 'user-to-user' platforms, subject to additional duties.

When does it come into force?

No fixed date but most likely in November 2023.


UK Data Protection & Digital Information (No. 2) Bill

This is the UK's revised (hence the No. 2) attempt to rewrite the EU GDPR. It will "create a new UK data rights regime tailor-made for our needs," according to secretary of state for science, innovation and technology Michelle Donelan.

The Bill is intended to make the GDPR more practicable and less burdensome in lower-risk situations. Organisations trading with Europe will already be compliant with GDPR anyway, but UK DPDI clarifies some aspects of legitimate interest (e.g., tracking for marketing), and transferring personal data to third countries will be risk-based.

Unlike the GDPR, organisations will be able to refuse data subject access requests or charge fees to provide information. Businesses will no longer need to hire a dedicated data protection officer, and data protection impact assessments will only be required for "high risk" processing.

It will also remove the requirement for cookie pop-ups.

Some NGOs argue that overall, it reduces the requirements for business at the expense of the data rights of individuals.

Who will it affect?

Anyone who processes personal data in the context of activities of their UK establishment (wherever in the world the processing takes place), and if there's no UK establishment, any personal data processing that's "related to" offering goods/services to individuals in the UK (citizens or not) or related to their behaviour taking place in the UK. Same as under UK GDPR Art. 3.

When does it come into force?

Likely Spring/Summer 2024.

What else to watch out for

The Bill "seeks to ensure data adequacy while moving away from the 'one-size-fits-all' approach of European Union's GDPR," according to the government.

If it diverges too far from the GDPR, the European Commission could terminate, suspend or amend its adequacy decision that allows free transfers of personal data from the EEA to the UK.

Next: The UK Digital Markets, Competition and Consumers Bill


UK Digital Markets, Competition and Consumers Bill

The Digital Markets, Competition and Consumers (DMCC) Bill seeks to curb the dominance of big tech in digital markets. It updates the Competition Act 1998 and the Enterprise Act 2002.

The Digital Markets Unit (DMU), a branch of the UK Competition and Markets Authority (CMA), will receive specific powers to identify large companies with substantial market influence.

The DMU will be able to investigate competition issues in digital markets and take action against companies colluding to increase prices at the expense of consumers, or who pay for fake reviews. The CMA will be able to unilaterally fine firms up to 10% of global turnover.

In a move against "subscription traps," the Bill requires that customers should be able to terminate subscriptions easily, inexpensively and promptly, with companies obliged to notify them when a free trial or promotional offer is about to expire.

DMCC is the UK equivalent of the EU Digital Markets Act (DMA).

Who will it affect?

Very large (as yet unnamed) companies with a turnover of either £25 billion worldwide or £1 billion in the UK, and having "strategic market status." Apple, Meta and Microsoft have all lobbied against it. According to Kuan Hon, there will likely be a "trickle-down impact" on those doing business with those companies too.

When does it come into force?

Likely in 2024.

Next: The EU DMA


EU Digital Markets Act (DMA)

The DMA entered into force this year. Together with the Digital Services Act (DSA) it creates a set of EU-wide rules to govern online content, ensure rights are upheld and foster fair competition.

The DMA is a competition law that imposes significant new obligations on "gatekeepers", a category that includes large providers of online platform services, intermediation services, social media and cloud computing providers. The DMA's aim is to increase competition and ensure a more level playing field for smaller companies.

Last week the EU named the gatekeepers: Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft. This list will change over time.

Under the DMA, gatekeepers must allow business users to access the data they generate while using their platform. Businesses must also be allowed to promote offers and conclude contracts with their customers outside of the gatekeepers' platforms, reducing lock-in to those platforms.

If a gatekeeper violates the DMA, a fine of up to 10% of its total worldwide turnover can be levied, rising to 20% of worldwide turnover for a repeat offence.

Who will it affect?

"In total, 22 core platform services provided by gatekeepers have been designated," the EU said last week.

The services are:

"The six gatekeepers will now have six months to ensure full compliance with the DMA obligations for each of their designated core platform services," the EU said.

When does it come into force?

The DMA is still open to legal challenge and so details may change. The six gatekeepers must comply by March 2024.

What to be aware of

"DMA will only apply to a handful of big tech companies designated as gatekeepers by the Commission," said Hon. "But it requires changes on their part which will affect their business and consumer customers and some others dealing with them, for example impacting the huge online advertising market, so many UK businesses are likely to be affected indirectly."

Next: The EU DSA


Digital Services Act (DSA)

Together with the Digital Markets Act, the Digital Services Act (DSA) creates a set of EU-wide rules to govern online content, ensure rights are upheld and foster fair competition.

The DSA is groundbreaking legislation that imposes a set of due diligence obligations in relation to disinformation and illegal content on hosting services, search engines, app stores, content sharing platforms, online platforms and "very large online platforms" (VLOPs), those with 45 million or more registered EU users. Eventually all digital players operating in Europe will be covered.

Platforms are not legally liable for harmful or illegal content posted by users, but the DSA requires that swift action is taken to remove it. It also introduces a transparency and accountability framework which includes banning targeted advertising aimed at children or based on sensitive personal data.

For the largest platforms, the EC will judge compliance directly, rather than delegating to individual member states. Failure to comply could lead to fines of up to 6% of global revenue.

When will it become law?

February 2024. The services currently in scope need to start complying as of now, proving they can identify and take down illegal content quickly. They need to come up with their own standards based on the principles of the DSA and abide by those standards, as adjudged by a third-party auditor. The audit will occur throughout the first year and VLOPs will need to provide evidence that they are compliant.

Who does it affect?

At this point, 19 services are in scope.

Eventually, all businesses providing cloud and hosting (including online platforms, online marketplaces), caching, CDN and search services to EU citizens will need to comply but they will face fewer obligations than the biggest players.

Next: The EU DGA


EU Data Governance Act (DGA)

The DGA seeks to increase trust in data sharing, strengthen mechanisms to increase the availability of data and overcome technical obstacles to its reuse.

It does this through the regulation of data intermediaries and by supporting data sharing for "altruistic purposes," such as for scientific or medical research. It applies to a wide range of data, both personal and non-personal.

It does not oblige organisations to share data, but rather seeks to make it easier for them to do so for the common good. As such, it includes measures to rebalance negotiation power of SMEs by preventing abuse of contractual imbalances in data sharing contracts, and rules allowing customers to more easily switch between different data processing providers.

For public sector bodies that provide access to data, there are data protection rules. For example, some data will only be shareable after anonymisation.

Who does it affect?

In the UK the DGA will mainly affect organisations that want to acquire EU public sector data, or act as "data intermediation service providers" or "data altruism organisations".

When does it come into force?

The DGA comes into force this month.

Next: The EU Data Act


EU Data Act

The Data Act is still in draft. It aims to create a fair environment by setting out rules to govern data generated by IoT services, including allowing users of connected devices to gain access to data generated by them, which is often exclusively harvested by manufacturers. It will apply to manufacturers of connected devices, service providers and data holders.

Proposals include

"While it's meant to improve data access and portability, including machine-generated data, it also wants to facilitate cloud switching and interoperability, and has unclear possible restrictions on transfers outside the EU/EEA of non-personal data," said Hon.

Who does it affect?

Mainly IoT device manufacturers, cloud and data services providers and their customers.

When will it come into force?

The Data Act is not yet passed but was recently agreed in trialogue, so it's likely to be adopted in the autumn or spring 2024 with probably 20 months to prepare after that.

Next: The EU Cyber Resilience and UK Product Security & Telecommunications Infrastructure Acts


EU Cyber Resilience Act (CRA) / UK Product Security & Telecommunications Infrastructure Act

The EC agreed a position on the Cyber Resilience Act (CRA), legislation intended to enhance cybersecurity and protect digital products including hardware and software products "with digital elements" and their "remote data processing solutions".

It will apply to "all products that are connected either directly or indirectly to another device or network."

The CRA hasn't been finalised yet but it will introduce mandatory cybersecurity requirements for the design, development, production and making available on the market of hardware and software products.

It aims to give consumers more choice through greater transparency over cybersecurity credentials.

Who will it affect?

Manufacturers of hardware and software that can be digitally networked, their customers and contributors.

When does it come into force?

Not known. Upon entry into force, stakeholders will have 24 months in which to adapt to the new requirements.

What to be aware of

Developers of open source software have complained that their concerns have not been taken into account. As it stands, the Act could delegitimise many open source products, components and services. A major issue is the proposed disclosure rules for security vulnerabilities. The CRA aims to force projects to report vulnerabilities to an EU institution within a matter of hours, which goes against industry practices.

UK Product Security & Telecommunications Infrastructure Act

The UK Product Security & Telecommunications Infrastructure Act is similar but narrower in scope.

UK manufacturers, importers and distributors of networkable IoT equipment including smartphones, smartwatches, games consoles, smart speakers, sound systems, TVs and cameras and various appliances will have a duty to comply with the relevant security requirements.

The maximum penalty for non-compliance with a duty, under penalty notices, is either £10 million or 4% of the qualifying worldwide revenue.

When will it come into force?

April 2024.

Next: The EU Network and Information Security Directive 2


EU Network and Information Security Directive 2 (NIS2)

NIS2 is a comprehensive cybersecurity directive with strict requirements for risk management and incident reporting, and increased penalties for non-compliance.

It updates EU cybersecurity rules introduced in 2016 modernising the existing legal framework to keep up with increased digitisation and the evolving cybersecurity threat landscape. It also expands the scope of the cybersecurity rules to cover new sectors and entities.

Fines of up to €10,000,000 or 2% of global annual revenue can be imposed on "essential entities" (transport, finance, energy, water, space, health, public administration, digital infrastructure) for non-compliance.

Who is affected?

Organisations offering services in the EU. The scope has been expanded to include datacentre service providers, CDNs, MSPs, social media, online marketplaces, manufacturers of computer/electrical equipment, motor vehicles, etc. Hundreds of thousands of organisations are having to reassess their cybersecurity posture as the scope has broadened.

When did it come into force?

January 2023.

Next: The EU AI Act


EU AI Act

The EU AI Act is the first proposed law on AI by a major regulator anywhere in the world. It aims to address and categorise the various risks posed by AI systems. The Act sets harmonised rules for the development, commercialisation and use of AI systems in the EU.

The key aims of the AI Act are:

Who is affected?

EU organisations creating and using AI products and services

When will it come into force?

In June 2023 MEPs adopted the European Parliament's negotiating position on the AI Act. The aim is to reach an agreement between member states by the end of this year. There is no concrete deadline for it coming into force, but there will be a grace period of around two years to allow affected parties to comply with the regulations.

What else to watch out for?

There are several proposals related to the AI Act in the EU, the UK and internationally.

AI Liability Directive

Complementing the AI Act, the EC has proposed the AI Liability Directive. It aims to establish a harmonised regime across the bloc for dealing with consumer liability claims for damage caused by AI products and services. It removes much of the burden of proof from the consumer, ensuring that victims can seek effective redress for AI-related damages.

In the UK, the government published its White Paper on AI regulation, calling out "the need to consider which actors should be responsible and liable for complying with the principles" set out in the paper. However, the white paper says it is "too soon" to make decisions about liability.

EU-US AI Code of Conduct

In May EU Executive Vice President Margrethe Vestager revealed a US-EU AI Code of Conduct, presented as a first step in laying ground rules for international AI governance.

It presented non-binding international standards for companies developing AI systems ahead of legislation being passed in any country.