UK Government Report
The UK digital sector covers digital goods, digital services and digitally-enabled transactions of goods and services, whether digitally or physically delivered, involving consumers, business or government, all of which are underpinned by movement of data across borders. The digital sector includes: audio-visual (AV); e-commerce; telecommunications; data; and a raft of emerging sectors, such as artificial intelligence (AI), FinTech (which is dealt with in a separate report), the internet of things, and cyber security.
The current EU regulatory regime
Existing regulatory arrangements for the digital sector are largely driven by the European Commission’s Digital Single Market (DSM) Strategy,17 published in May 2015. This outlined 16 initiatives to update the Single Market for the digital age, promote digital trade and encourage the growth of the digital economy. These consist of a mix of regulatory and non-regulatory measures, covering digital, broadcasting and telecoms. The DSM includes initiatives on:
– free flow of data;
– cyber security;
– setting ICT standards; and
– intellectual property.
While a number of these initiatives have been agreed and are being or have been implemented (e.g. the cessation of mobile roaming charges in the EU, or the Portability Regulation), the majority are currently under negotiation, or are awaiting concrete proposals from the European Commission.
Key DSM files or associated regulatory regimes (not covered in separate telecoms and broadcasting reports) which have importance to the wider UK economy, not just the digital sector itself, include: data protection; the ePrivacy Directive; the free flow of data; the eCommerce Directive; the Network and Information Security Directive; and wider technical standards and regulation.
Everyone responsible for processing personal data has to abide by rigorous data protection standards. The Commission and Member States regard data protection reform as a key enabler of the Digital Single Market – not just for the digital sector, but also underpinning the whole economy. From 25 May 2018, the EU General Data Protection Regulation (GDPR) will replace the 1995 Data Protection Directive as the EU standard on general data processing.
The UK Government has introduced a new Data Protection Bil to repeal and replace the Data Protection Act 1998 with a new law that provides a comprehensive and modern framework for data protection in the UK. This will introduce stronger sanctions for malpractice and set new standards for protecting general data – in accordance with the GDPR – giving people more control over use of their personal data, and providing new rights to move or delete personal data.
The ePrivacy Directive
The ePrivacy Directive gives people specific privacy rights in relation to electronic communications. It has been implemented by the UK through the Privacy and Electronic Communications Regulations. The Commission recently proposed a revision of the Directive. The Directive has specific rules on: marketing calls, emails, texts and faxes; cookies (and similar technologies); keeping communications services secure; and customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
Free Flow of Data
The Commission’s Free Flow of Data proposal aims to address barriers to the efficient access, storage and use of non-personal data across EU borders, in order to unlock economic growth. It currently proposes a regulation which majors on data localisation (e.g. limiting member states from mandating that data must be stored in their own jurisdictions). The wider initiative is looking at other data related issues, such as access, re-use, ownership, liability, interoperability and portability. The Commission is expected to bring forward action in some or all of these areas during 2018.
The eCommerce Directive
The Electronic Commerce (eCommerce) Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of ‘information society services’ between Member States. Information society services are any services normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. It covers online services normally provided for remuneration.
This also covers services which are not remunerated by those who receive them, such as those offering on-line information or commercial communications, or those providing tools allowing for search, access and retrieval of data. One of the key parts of the Directive is its limited liability regime. This provides information society services with liability protection from hosting, caching ortransmitting illegal/unlawful content, provided certain conditions are met.
Network and Information Security (NIS) Directive
The NIS Directive, which comes into effect in May 2018, affects providers of certain key digital services (search engines, online marketplaces and cloud computing services). Its provisions aim to make the online environment more trustworthy and hence to support the smooth functioning of the EU DSM. These digital service providers will be required to implement appropriate security measures and report incidents to a national authority.
The directive aims more generally to improve cyber security capabilities in Member States and to improve Member States’ cooperation on cyber security. It also requires security and incident reporting requirements for operators of essential services in certain critical sectors (including the energy, transport, banking and healthcare sectors).
Devolution issues and Gibraltar, the Crown Dependencies and Overseas Territories
Digital policy is a UK-wide issue. However, emerging technologies impact on policy areas of the wider economy, including devolved areas such as health and skills. With digital clusters and successful digital industries based across the UK, as highlighted in the Tech Nation 2017 review,18 Government will continue to engage with Scotland, Wales and Northern Ireland to ensure that implementing the 2017 UK Digital Strategy19 benefits UK citizens as a whole.
Gibraltar is in the EU and regulatory arrangements for the digital sector apply. The Crown Dependencies are not in the EU, but have data adequacy decisions from the EU, and have started taking steps to implement the EU General Data Protection Regulation (GDPR). The other Overseas Territories are also not in the EU, but Article 37 of the Overseas Association Decision entitles co-produced audiovisual works to benefit from any scheme for the promotion of local or regional cultural content set up in the EU, the Overseas Territories and the Member States to which they are linked.