This country-specific Q&A provides an overview of the technology laws and regulations that apply in the United Kingdom.
It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the merger control regime.
This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/technology
Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?
Yes, communications networks and services are regulated. However, most providers of communications networks and services do not require a licence or specific authorisation to operate; rather, they have 'general authorisation', meaning that they can operate provided they comply with a set of general rules which are largely set out in the General Conditions of Entitlement (which are established under section 45 of the Communications Act 2003).
The exceptions to the principle of general authorisation include:
- networks or services using radio spectrum (except where exempted by the government);
- mobile operators wanting to (i) establish and use base stations, or (ii) install or use apparatus, for wireless telegraphy;
- satellite operators;
- multiplex operators; and
- certain premium rate services regulated by the Phone-paid Services Authority.
The communications services and networks which are in scope for the purposes of being regulated are:
- 'electronic communication networks' – i.e. the system (and its associated apparatus, equipment, software and stored data) which is used to transmit signals; and
- 'electronic communication services' – i.e. the conveying of signals over the electronic communication network.
Is there any specific regulator for the provision of communications-related services? Is it independent of government control?
Yes – communications networks and services are primarily regulated by Ofcom. Ofcom, whilst independent of government control:
- must act in accordance with its powers and duties set out in law;
- is accountable to the UK Parliament; and
- is funded from regulatory fees and grant-in-aid from the UK government.
Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?
There are no requirements for a communications provider to be domiciled in the UK prior to or during the provision of services, and there are no foreign ownership restrictions.
That said, Ofcom does have the right to, amongst other things, revoke licences for the installation and use of wireless telegraphy equipment where necessary in the interests of national security. This could, theoretically, be used to restrict foreign ownership of certain telecoms operators, although this right is unlikely to be invoked.
Are there any regulations covering interconnection between operators? If so are these different for operators with market power? What are the principal consumer protection regulations that apply specifically to telecoms services?
Yes – the rules on interconnection are governed by a mixture of communications- and competition-related laws.
The General Conditions require that a provider of public electronic communication networks negotiates with another public electronic communication networks provider based in the EC with a view to concluding an agreement (or an amendment to an existing agreement) for interconnection within a reasonable period. This is a general obligation which applies to providers of public electronic communication networks.
In addition, Ofcom has the power to impose access-related conditions on providers of electronic communication networks for the purposes of securing:
- efficiency (e.g. by making associated facilities available);
- sustainable competition;
- efficient investment and innovation; and
- the greatest possible benefit for the end-users of public electronic communications services.
These access-related conditions may include obligations to share the use of electronic communications apparatus (and to apportion and contribute towards the costs of this sharing) where there are no viable alternative arrangements that may be made. Hence these are more likely to be applied to electronic communication network providers with significant market power.
Moreover, general European competition law applies in respect of anti-competitive agreements and the abuse of dominant positions.
Various consumer-specific provisions are set out in the General Conditions of Entitlement. A 'consumer' is defined as someone who uses or requests a service for purposes which are outside his or her trade, business or profession.
Specific obligations relating to consumers include:
- the requirement to include certain minimum terms in consumer contracts;
- certain parameters regarding the term and termination rights under the consumer contract (e.g. so that the procedures for contract termination do not act as disincentives for consumers against changing their communications provider);
- a requirement to make certain information available to the consumer (e.g. any access charges, the payment terms, the existence of any termination rights and any termination procedures);
- number portability; and
- various restrictions on sales and marketing activities.
What legal protections are offered in relation to the creators of computer software?
Creators of computer software are entitled to copyright protection through the Copyright, Designs and Patents Act 1988 ("CDPA"). This gives the owner of the software the exclusive right to use and distribute it for a period of 70 years from the end of the calendar year in which the author of the software died (section 12(2)).
Elements of a computer program, such as screen displays and graphics, may give the creator of computer software design rights under the Community Design Regulation (6/2002/EC) and/or the Registered Designs Act 1949, although a computer program itself does not attract a design right.
Patents are not available for computer software "as such" under the Patents Act 1977, although the Court of Appeal in Aerotel Ltd v Telco Holdings Ltd and Macrossan EWCA Civ 1371 set out guidance to establish when computer software may be patentable, which is currently being followed by the Intellectual Property Office when deciding whether or not to grant a patent.
Are specific intellectual property rights in respect of data/databases recognised?
As a general principle, there are no intellectual property rights ("IPRs") in data itself, although databases may be protected by IPRs. The CDPA gives copyright protection to the author of a database for the period of 70 years from the end of the calendar year in which the author died (section 12(2)). Moral rights, which grant rights such as the right to be identified as the author of the database (sections 77-79), will be granted to the author, unless the database was created in the course of an employee's employment (sections 79(3) and 82(1)).
The Copyright and Rights in Database Regulations 1997 give the author a database right for 15 years from the end of the calendar year in which the making of the database was completed, or if a substantial change is made to the contents of a database so the database can be considered to be a "substantial new investment", 15 years from the end of the calendar year in which the substantial change was made (Regulation 17).
A patent may be available under the Patents Act 1977 if the database can be shown to achieve a technical effect that is novel and inventive (section 1). Databases used to implement new business methods are not, however, patentable (section 1(2)(c)).
What key protections exist for personal data?
Personal data (being any data which – alone or in combination with other information in the hands of the party in question – would enable a living person to be individually identified) is subject to detailed regulation and protection by way of the Data Protection Act 1998. This will in 2017 be replaced/augmented by the General Data Protection Regulation (GDPR).
Under the 1998 Act, data controllers may only collect and process personal data when certain specific conditions are met, including:
- where the data subject has consented;
- where it is necessary for a contract to which the data subject is a party;
- where there is a "legitimate reason" for processing which does not itself damage the data subject's rights, freedoms or own legitimate interests.
More stringent rules apply to "sensitive" personal data (eg as to health or sexual orientation etc).
All data controllers must take appropriate technical and organisational measures to safeguard against unauthorised or unlawful processing, and against accidental loss or destruction of personal data. The ICO does not mandate any particular standard in this regard but recommends adherence to ISO 27001.
Are there restrictions on the transfer of personal data overseas?
Yes, if such data would then be going to a processor outside the EEA. In such event, extra-territorial transfers would only be permissible if:
- the data subject consents;
- the transfer is essential for a contract to which the data subject is a party;
- the transfer is essential for a different contract but it serves the data subject's interests;
- the transfer is legally required/essential to an important public interest;
- the non-EEA jurisdiction provides "adequate protections" (eg has laws commensurate with those in the UK/EU);
- the transfer is pursuant to "standard contractual clauses" approved by the European Commission;
- the transfer is to the US in compliance with the "Privacy Shield" programme.
What is the maximum fine that can be applied for breach of data protection laws?
Currently in the UK the maximum fine that can be levied by the Information Commissioner's Office is £500,000 (and as at April 2017, the highest fine that has in fact been levied is £400,000). This will, however, change in 2018, when the General Data Protection Regulation (GDPR) comes into effect in the UK (as it will, since it takes effect prior to Brexit). At that point, the maximum fines will increase to €20m / 4% of worldwide turnover for (for example) breaches of the basic principles of processing (eg re: consent), with a lower threshold of €10m / 2% of annual turnover for breaches of some of the more ancillary obligations such as security arrangements or breach notifications.
Are there any restrictions applicable to cloud-based services?
There are no specific 'Cloud laws'; indeed a recent study for the European Commission (http://ec.europa.eu/justice/contract/cloud-computing/studies-data/index_en.htm) found that in general, no specific "cloud laws" exist in the 28 investigated countries. Nonetheless, many sector-specific regulatory initiatives (either issued by administrative or supervisory authorities or by the industry itself) have been issued which may further fuel the drive towards national cloud regulations. Some of these initiatives are binding, such as the guidelines issued by several financial supervisory bodies, whereas the guidelines of data protection authorities may not as such be binding but nonetheless tend to lead to a best practice standard.
For example, in the financial services sector, the Financial Conduct Authority (FCA) has stated that financial services companies operating in the UK can make use of cloud-based services without falling foul of regulatory obligations. The published guidance (https://www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf) is not binding, but the FCA said it expects firms to take note of it and use it to inform their systems and controls on outsourcing.
Aside from sector-specific guidance, the key restriction applicable to cloud-based services will depend upon the nature of the data being placed in the cloud. In the event that the data is personal data then the points made at 8 and 9 above will apply.
Are there specific requirements for the validity of an electronic signature?
EU Regulation 910/2014 ("Electronic Identification Regulation"), which has direct effect in the UK, sets out the validity requirements for electronic signatures. Under the Electronic Identification Regulation, a 'qualified electronic signature' has the same effect as a handwritten signature (Article 25(2)) as long as it was created by a qualified electronic signature device and based on a qualified certificate for electronic signatures (Article 3(12)).
The validity requirements for a qualified electronic signature are set out in Article 26 and Annexes I and II of the Electronic Identification Regulation and include the following: the signature must be uniquely linked to the signatory (Article 26(a)), the qualified electronic signature creation device must have appropriate technical and procedural measures to ensure that the confidentiality of the signature is assured (Paragraph 1(a), Annex II) and the qualified certificate for electronic signatures must clearly indicate the name or pseudonym of the signatory (Paragraph (d), Annex I).
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
No transfers of assets or third party contracts would occur automatically. However, there will frequently be detailed contract provisions negotiated between the parties to the outsourcing arrangement to facilitate this. In the case of the other signatories to the third party contracts, their consent to the proposed transfer of their contracts to the new outsource service provider will ordinarily be required.
If there are individuals who are wholly or substantially engaged in the services/functions which are being outsourced, however (and whether they be employed by the customer entity or its other service providers), then their contracts of employment may transfer automatically to the outsource service provider by virtue of the Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE). In such event, all of their rights and obligations (including claims arising from employment related mistreatment by their previous employer) will transfer to the outsource service provider.
If a software program which purports to be an early form of A.I. malfunctions, who is liable?
Ordinarily, there will be strict liability for the producer of defective products for consumers (Consumer Protection Act 1987) and this would include products which are themselves software or which include software components. Where such defects have resulted from computer assisted design or other software assisted processes, it will ordinarily be the person who programmed the CAD tool who will then face liability. However, this is all predicated on a principle of causal connection, ie "Because of A + B, C necessarily came next". When the software starts to make decisions for itself based upon its "learning" from what it observes/receives from external sources and so ceases to be predictable, this liability concept becomes more strained. However, for the time being at least, it would seem most likely that the licensor/programmer of the A.I. product would be liable pursuant to the strict liability regime in the Consumer Protection Act as referred to above. In the business (ie non-consumer) context, contractual provisions will usually specify where liability will sit in any event.
What key laws exist in terms of obligations as to the maintenance of cybersecurity?
The key laws imposing obligations on companies to maintain cybersecurity include the Communications Act 2003 ("2003 Act"), the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("2003 Regulations") and the Data Protection Act 1998 ("DPA 1998").
Under the 2003 Act, public electronic communications network ("PECN") providers and public electronic communications service ("PECS") providers have an obligation to take technical and organisational measures to manage risks in respect of electronic communications (section 105A). This includes notifying Ofcom of any breaches (section 105B).
PECS providers are also subject to obligations under the 2003 Regulations, which require them to take appropriate technical and organisational measures to safeguard the security of their services (Regulation 5(1)). PECS providers must inform the Information Commissioner's Office ("ICO") if there is a personal data breach (Regulation 5A(2)) and the individuals concerned if the breach is likely to adversely affect the personal data or privacy of the subscriber or user (Regulation 5A(3)).
Under the DPA 1998, data controllers are subject to various obligations including selecting a processor that sufficiently guarantees appropriate technical and organisational measures, and taking reasonable steps to ensure compliance with such measures (Paragraph 11, Part II, Schedule 1). In the event of a data breach, there is no mandatory legal duty to notify the ICO of the breach having occurred. However, voluntary reporting of a data breach will be taken into account by the ICO as a potential mitigating factor when exercising its enforcement powers and such voluntary notification may reduce any monetary penalty imposed.
Businesses operating in the financial services sector are also subject to the Senior Management Arrangements, Systems and Controls ("SYSC") set out in the FCA Handbook and the STAR and CBEST standards developed by the Council for Registered Ethical Security Testers and the Bank of England. The SYSC provides obligations relating to governance, systems and controls that can directly or indirectly impose cyber security obligations on financial service providers (eg securing systems, managing risks, reducing the risk of financial crime and protecting client confidentiality). The STAR and CBEST standards allow financial services providers to demonstrate their cybersecurity assurance by passing stipulated penetration and vulnerability tests.
Company directors also have an obligation to maintain cybersecurity through the fiduciary duties they owe to their company, which are set out in the Companies Act 2006. These include the duty to promote the success of the company and to exercise reasonable care, skill and diligence while conducting their role (sections 172 and 174). Failure to understand and mitigate cyber risk (eg by failing to implement appropriate cybersecurity measures) could equate to a breach of these duties, which could lead to a claim being brought against the directors by the company or its shareholders.
What key laws exist in terms of the criminality of hacking/DDOS attacks?
The Computer Misuse Act 1990 ("CMA 1990") covers the criminality of hacking and DDOS attacks. The Regulation of Investigatory Powers Act 2000 ("RIPA") also creates offences in respect of the unlawful interception of communications.
The CMA 1990 creates various offences relating to cybercrime including: unauthorised access to computer material (section 1(1)), unauthorised acts with intent to impair, or with recklessness as to impairing, operation of a computer (section 3) and impairing a computer such as to cause serious damage or a significant risk of causing serious damage of a material kind (section 3ZA(1)). Persons found guilty of an offence under sections 1(1) or 3 of the CMA 1990 are liable for a prison term of up to 12 months, or a fine, or both (sections 1(3) and 3(6)). Those found guilty of an offence under section 3ZA(1) are liable for a prison term of up to 14 years, or life if the offence creates a significant risk of serious damage to human welfare or national security, or a fine, or both (section 3ZA(6) and (7)).
Under RIPA, it is an offence to intentionally and without lawful authority intercept a communication in the course of its transmission via a public or private telecommunications system (section 1). Persons found guilty are liable to a prison term of up to two years, or a fine, or both (section 7).
What technology development will create the most legal change in the jurisdiction?
Blockchain has perhaps the greatest potential to disrupt the legal market and current sets of legal arrangements.
Whilst Blockchain will not eliminate the need for lawyers, it may certainly reduce it and, in doing so, create new challenges in terms of regulatory oversight, dispute resolution etc., which those lawyers who remain will then need to grapple with.
Blockchain is in essence a public/distributed ledger: a network which creates a common and continually updated view of "the truth" in terms of its subject matter, whether that be ownership of Bitcoin or some other form of financial instrument. However, the potential application of Blockchain-based technology and processes is far wider, and could for example extend to:
- "smart contracts" that are conducted automatically once defined criteria are met;
- land ownership records (and the basis for taxation thereon);
- IP rights management (eg protecting rights in copyrighted works or establishing valid trade marks).
Which current legal provision/regime creates the greatest impediment to economic development/ commerce?
One might argue that the data protection regime does most to hinder the free development of digital business (albeit with the best of intentions!). This is because data and its manipulation/exploitation lies at the heart of digital business and transformation, and so companies would very much like to treat data as an asset which they can then try to monetise (an approach more in line with the US). However, the Data Protection Act (and its EU antecedents) takes a different approach which instead gives priority to the rights of individuals (Data Subjects).
Do you believe the legal system specifically encourages or hinders digital services?
The UK legal system (when viewed in combination with the economic environment) is currently seen as conducive to digital startups and is seen as the epicentre for developments in AI and machine learning, globally. DLA Piper has run three iterations of its Tech Index, https://www.dlapiper.com/~/media/Files/Insights/Publications/2016/09/EU_tech_index_2016.PDF assessing the trends in digital innovation and growth prospects (and potential blocks). The 2016 edition highlighted that the key areas of focus are cyber security, IoT, AI and robotics, FinTech and Digital Transformation.
Ongoing concerns over cyber-attacks are still high among almost half of companies interviewed; yet only one quarter have response plans in place, which leaves those unprotected open to a major attack.
The research highlights concerns over compliance regulations, staff skills and investment which could hold development of FinTech back.
Rather than the impact of the legal system, the research shows that lack of skills and investment could hinder advancement of IoT and AI.
To what extent is the legal system ready to deal with the legal issues associated with artificial intelligence?
AI will place significant strains upon the English legal regime; many criminal acts and civil offences depend on questions of state of mind, foreseeability and/or intent… all of which are difficult enough to apply to fellow human beings, but which become near impossible to apply to a computer program which has no emotions or "intentions" per se, but which will rapidly cease to act in a manner which is foreseeable on the part of the original programmers. It is likely therefore that further legislation would be required so as to remove elements of doubt that would otherwise persist.