(a) Internet (e-commerce)
The Internet has no specific regulatory regime; however, internet service providers (ISPs) are subject to regulatory frameworks as well as specific regulations depending on the nature of the services they offer.
The global nature of the Internet means that ISPs need to be aware of when their services fall within the scope of UK law.
Generally, ISPs are treated as providers of electronic communications networks and services, and the laws governing such providers therefore apply to them. Depending on the nature of the services offered, other regulatory frameworks may also apply where content is aimed at, or contributed by, UK consumers; this has wide implications and touches on a number of different areas of potential liability for ISPs. Key laws to be aware of include:
- the Communications Act 2003;
- the Digital Economy Act 2017 (including the Electronic Communications Code);
- the Data Protection Act 2018 – if any personal data is being processed by the ISP;
- the Computer Misuse Act 1990;
- the Regulation of Investigatory Powers Act 2000 and Investigatory Powers Act 2016;
- the Consumer Rights Act 2015;
- the Network and Information Security (NIS) Directive;
- the Defamation Act 2013 – depending on the nature of content on the ISP’s site; and
- the Copyright, Designs and Patents Act 1988.
Until the United Kingdom leaves the European Union, it is also subject to relevant EU regulations, including:
- Regulation (EU) 2015/2120 on open internet access (which also amends Directive 2002/22/EC on universal service and users’ rights in relation to electronic communications networks and services);
- the General Data Protection Regulation (GDPR); and
- the Privacy and Electronic Communications (EC Directive) Regulations 2003, which implement the EU ePrivacy Directive (2002/58/EC) in the United Kingdom.
ISPs should also be aware of the General Conditions of Entitlement and any specific conditions issued by Ofcom.
(b) Mobile (m-commerce)
Mobile commerce does not have a specific regulatory regime. It is often regarded as a subset of e-commerce and the same regulatory framework applies.
(c) Big data (mining)
Big data mining, a form of data processing, is subject to the data protection regime applicable in the United Kingdom: the Data Protection Act 2018 and the GDPR. The nature of big data and the technology used for big data analytics raise a number of specific issues in this regard. Anonymisation or pseudonymisation is commonly used in the context of big data. Anonymous data is by definition not personal data and is therefore outside the GDPR regime; pseudonymised data, by contrast, remains personal data (the GDPR treats it as information that can be attributed to an individual by the use of additional information) and stays within scope.
If the dataset has not been anonymised, particular data protection issues are raised by the characteristics of big data analytics, including the opacity of processing, the tendency to collect as much data as possible, the repurposing of data and the use of new types of data. In this context, it is important to ensure that sufficient information is provided to the data subjects when data is collected or acquired, that processing is carried out in as transparent a way as possible, and that the principles of purpose limitation and data minimisation are observed. Data must be stored with adequate measures in place to ensure it remains secure.
The GDPR harmonises the data protection regime at the EU level. When the United Kingdom leaves the European Union, the GDPR will be incorporated into UK law (subject to a few minor changes), so data protection standards will remain the same. However, as the United Kingdom will become a third country, data transfers from the European Union may take place only if the safeguards required by the GDPR, such as standard contractual clauses or binding corporate rules, are in place. For data to flow freely between the United Kingdom and the European Union, an adequacy decision must be obtained from the European Commission. To secure such a decision, the United Kingdom must be judged to provide a level of protection for personal data processed in the United Kingdom that is essentially equivalent to the level of protection applicable in the European Union.
(d) Cloud computing
As a technology, the cloud is not regulated. However, cloud service providers (CSPs) and cloud service users (CSUs) will need to comply with the regulations applicable to their use of the cloud, in the same way as an ISP (see question 3.1 for further information). The most critical of these concern data protection and security, and both CSPs and CSUs will need to comply with the applicable laws and regulations relating to data and security.
Although optional, the National Cyber Security Centre operates the Cyber Essentials scheme, against which companies can be assessed and certified to demonstrate that they are managing cybersecurity appropriately.
Where the user of a cloud service is a regulated financial services firm, its use of the cloud may be considered an ‘outsourcing of a critical function’, and the firm will therefore need to comply with the regulations and guidance issued by its regulator (either the Prudential Regulation Authority (PRA) or the Financial Conduct Authority (FCA)), which include:
- the Capital Requirements Directive IV (2013/36/EU);
- the recast EU Markets in Financial Instruments Directive (MiFID II) (2014/65/EU) and the Delegated Regulation (EU) 2017/565;
- Chapter 8 of the FCA’s Senior Management Arrangements, Systems and Controls Sourcebook (SYSC) (as well as Chapters 13 and 14 for insurers); and
- the outsourcing section of the PRA Rulebook.
European regulators have also published guidelines and recommendations on outsourcing by regulated firms, including:
- the Committee of European Banking Supervisors’ high-level guidelines applicable to outsourcing in the banking sector across the European Union;
- the European Securities and Markets Authority’s guidelines on certain aspects of the MiFID compliance function requirements; and
- the European Banking Authority’s guidelines on outsourcing.
(e) Artificial intelligence
Artificial intelligence (AI) is not regulated in and of itself; rather, it is subject to different regulatory regimes depending on how it is used. AI covers a broad range of technologies, including machine and deep learning, algorithmic decision-making and natural language processing, so there is no single applicable set of laws.
In the United Kingdom, specific consideration is being given to self-driving cars: the Law Commission of England and Wales and the Scottish Law Commission are jointly undertaking a review (intended to run until 2020) of how the current laws in England, Wales and Scotland need to be updated to deal with automated vehicles.
Until specific regulation is introduced, AI will be subject to the law applicable to the use to which it is put. Key laws to be aware of include:
- the Data Protection Act 2018;
- the Consumer Protection Act 1987;
- the Consumer Rights Act 2015;
- the Network and Information Security Directive; and
- the Copyright, Designs and Patents Act 1988.
Until the United Kingdom leaves the European Union, it is also subject to relevant EU regulations, including those relating to personal data. The United Kingdom also currently benefits from EU-wide IP rights; how these will operate after the United Kingdom leaves the European Union has yet to be confirmed.
It is generally acknowledged that current laws and regulations are not well suited to the issues raised by AI, and as part of the United Kingdom’s AI Sector Deal the government is considering what changes are required.
(f) Distributed ledger technology (Blockchain, cryptocurrencies)
Distributed ledger technology (DLT) is not regulated in and of itself; however, some of its applications are. The regulatory approach to crypto assets in the United Kingdom was clarified by the FCA in its policy statement of 31 July 2019. In an effort to remain technology neutral, the FCA looks at the characteristics of the tokens traded using DLT and regulates them accordingly. The statement refines the FCA’s taxonomy of crypto assets, dividing them into security tokens, e-money tokens and unregulated tokens. Security tokens are regulated in line with the Regulated Activities Order and e-money tokens in line with the Electronic Money Regulations. Later this year the Treasury will set out its approach to unregulated tokens. The FCA intends to apply existing regulation to this technology rather than create a new regime; this has not been the approach in all jurisdictions, however: notably, Malta and France have developed bespoke models that address specific aspects of tokens.
There is as yet no harmonised approach across countries. However, the European Union’s Fifth Anti-Money Laundering Directive has expanded the scope of obliged entities to bring virtual currency exchange platforms and custodian wallet providers within its remit, meaning that they will have to carry out identity checks on clients and beneficial owners and report suspicious activity. In addition, the European Parliament, in its draft report on the European Crowdfunding Service Providers Regulation, sought to bring token sales within the scope of that legislation, treating certain offerings in the same way as traditional crowdfunding.
The key issues around crypto assets are ensuring that anti-money laundering requirements are met, that investors and consumers are protected and that the stability of the financial system is preserved, as well as taxation.