The Office of Communications (Ofcom) and the Communications Act 2003 (Act) regulate the UK communications landscape. Ofcom's current priorities are set out in its 2019–20 Annual Plan.2 They include encouraging investment and improving broadband and mobile coverage across the UK, supporting UK broadcasting and supporting consumers and industry through Brexit. Twenty-eight European Commission (Commission) Digital Single Market (DSM) proposals have been finalised, which promise to make significant changes to the UK communications landscape, and subject to longer-term changes to national legislation as a result of Brexit.3

European and national law and standards currently govern the UK data protection framework and impose compliance obligations on organisations that process personal data. These rules apply broadly to, inter alia, the collection, use, storage and disclosure of personal data. In general, personal data is defined as information relating to an identified or identifiable natural person who can be identified directly or indirectly from that data (e.g., names, contact information, or special categories of personal data such as health data).

These laws and regulations have undergone substantial change as a result of the General Data Protection Regulation (GDPR), which came into force on 25 May 2018 across Europe, and the UK government's implementing legislation – the Data Protection Act 2018 (DPA) – which came into force on 23 May 2018. The legal landscape in this sector has also been impacted by the Network and Information Security Directive (NISD)4 (adopted by the European Parliament in July 2016 and implemented in the UK by the Network and Information Systems Regulations 2018 (NIS Regulation), effective as of 10 May 2018), which is the first EU-wide legislation on cybersecurity. The GDPR and NISD introduce significant fines based on a percentage of global turnover, similar to the regime imposed for antitrust violations. In relation to Brexit implications, both the GDPR and NISD have been implemented into UK national law, as a result of which equivalent standards for data protection and cybersecurity have already been established in the UK and will continue to apply post-Brexit (at least in the short and medium terms). However, at the time of writing it is unclear exactly what type of arrangement the EU and UK will reach regarding the UK's data protection regime in the post-Brexit period.


i The regulators and key legislation

Ofcom is the independent communications regulator in the UK. The Department for Digital, Culture, Media and Sport (DCMS) remains responsible for certain high-level policy, but most key policy initiatives are constructed and pursued by Ofcom. Ofcom has largely delegated its duties in respect of advertising regulation to the Advertising Standards Authority (ASA). The Committee of Advertising Practice is responsible for writing and updating the Non-broadcast Code and the Broadcast Committee of Advertising Practice is responsible for the Broadcast Code. On 1 November 2014, Ofcom renewed its 10-year contract with the ASA for broadcast advertising regulation until 2024.5

Ofcom's principal statutory duty (pursuant to the Act) is to further the interests of citizens in relation to communications matters and to further the interests of consumers in relevant markets, where appropriate by promoting competition.6 This is enshrined in Ofcom's three main objectives: 'to promote competition and ensure that markets work effectively for consumers;7 to secure standards and improve quality; and to protect consumers from harm'. The government published a draft statement of strategic priorities for consultation in February 2019, upon which Ofcom's priorities have been based. The post-consultation policy paper entitled Statement of Strategic Priorities for telecommunications, the management of radio spectrum, and postal services has since been published, in July 2019.

Ofcom's priorities and major work areas for 2019 and 2020 are set out below:8

  1. improving broadband and mobile connectivity for people across the UK:
    • ensuring the universality of broadband services by designating broadband universal service provider(s) (USPs) and setting out the conditions that will apply to them;
    • promoting investment in fibre networks;
    • helping to improve mobile coverage, particularly in rural areas;
    • improving opportunities for spectrum sharing; and
    • preparing for the launch of 5G mobile services;
  2. delivering a fair deal for consumers and protecting people from unfair and harmful pricing practices:
    • improving pricing for mobile handset and airtime contracts;
    • considering differential pricing practices;
    • end-of-contract and best tariff notifications;
    • implementation of the European Electronic Communications Code, particularly in respect of switching mobile service providers; and
    • ensuring consumer data is available on availability, speeds and usage of communications services;
  3. supporting UK broadcasting:
    • reviewing public service broadcasting;
    • supporting future public service broadcasting;
    • reviewing the BBC's news and current affairs output;
    • considering material changes to BBC public service activities (e.g., the BBC's iPlayer proposals); and
    • considering any material changes to the BBC's commercial activities;
  4. raising awareness of online harms:
    • developing an in-depth understanding of specific harms;
    • working with external partners to develop a rounded view of online harms and potential solutions; and
    • actively contributing to the international discussion about online harms and media literacy;
  5. supporting consumers and industry through Brexit:
    • ensuring preparation for a range of potential Brexit outcomes;
    • providing independent technical advice to the government on aspects of any negotiations about the UK's future relationship with the EU; and
    • engaging with the industry to better understand the concerns and post-Brexit plans;
  6. enabling strong, secure networks:
    • monitoring potential security risks and working closely with the government, National Cyber Security Centre and industry;
    • implementing the Network and Information Systems Regulations, placing legal obligations on providers to protect UK critical services; and
    • launching a version of a threat intelligence-led penetration testing scheme that assesses how well a company stands up to a concerted attack based on the techniques known to be used by cyber criminals and hostile nation states;
  7. increasing diversity and inclusion by publishing:
    • the Diversity and Inclusion at Ofcom report;
    • an Equal Pay and Gender-ethnicity Pay audit;
    • annual reports on diversity and equality opportunities in TV and radio; and
    • an annual report on the BBC;
  8. sustaining the universal postal service:
    • carrying out a review of Royal Mail's efficiency; and
    • seeking to understand the needs of postal users better;
  9. continuing to innovate Ofcom's approach to regulation:
    • enabling better use of data analytics;
    • collaborating to protect vulnerable people; and
    • assessing Ofcom's existing duties and programmatic work in light of the shift towards delivering communications services online.

Ofcom's main statutory duties fall into six areas:

  1. ensuring the UK has a wide range of electronic communications services;
  2. ensuring optimal use is made of the radio spectrum;
  3. ensuring a wide range of high-quality television and radio programmes are provided by a range of different organisations, appealing to a range of tastes and interests;
  4. ensuring people are protected from harmful or offensive material, unfair treatment and invasion of privacy on television and radio;
  5. ensuring the BBC is held to account on its compliance with appropriate content standards, its performance against its mission and public purposes, and the impact of its activities on fair and effective competition; and
  6. ensuring the universal service obligation on postal services is secured in the UK.

Following its overarching review of the UK's digital communications over the course of 2015 and 2016, Ofcom's strategy has focused on six fundamental measures intended to facilitate the development of the UK communications market:

  1. universal availability of fixed and mobile services;
  2. a strategic shift to large-scale full-fibre deployment;
  3. a step change in the quality of service;
  4. significantly strengthening the independence of Openreach;
  5. empowering and protecting consumers; and
  6. simplifying and removing unnecessary regulation.

The next steps set out in phase two of the review were to implement the proposed measures through the usual mechanism of regular reviews of individual markets and likewise to implement specific dedicated projects. Specific dedicated projects that have been envisaged or undertaken include:

  1. Ofcom working with the government to introduce the new universal right to broadband. This culminated in the introduction of legislation for a broadband Universal Service Obligation in March 2018, which came into force on 23 April 2018 and which Ofcom is responsible for implementing. The USO provides a legal right to request a broadband connection of at least 10Mbps download speed (discussed further in Section III.ii). Ofcom has designated BT and KCOM9 to provide universal broadband service connections in the UK, and has set a deadline of March 2020 for the relevant infrastructure to be in place;
  2. Ofcom continuing to provide accurate, comparable, accessible and increasingly granular coverage information, published in its annual Connected Nations reports, and launching an interactive data portal for Ofcom's cross-sector communications market data;
  3. Ofcom using its power to require operators to improve mobile coverage, for example by including increasingly demanding licence conditions on population and geographic coverage for new spectrum releases, including in relation to 5G. Ofcom intends to release 5G spectrum bands over the course of 2019 and 2020;
  4. Ofcom working with communications providers to minimise potential disruption in the migration to voice-over-IP services and possible switch-off of the PSTN in the future, including a review of relevant regulation and consumer safeguards.
  5. Ofcom working with BT and industry to make BT's underground duct system more easily accessible to competitors. Ofcom implemented these changes through the Civil Infrastructure Directive and UK transposition legislation, which came into effect on 31 July 2016. Ofcom has also made specific proposals for improving access in its Wholesale Local Access Market Review, including implementing regulated access and pricing policies to support investment in access networks. Ofcom envisages implementing a new approach to the regulation of wholesale access to broadband networks by April 2021, to be in place for at least five years;
  6. Ofcom setting tough minimum standards for Openreach in the business market with rigorous enforcement and fines for underperformance. Ofcom fined Openreach £42 million in March 2017 for breaching contracts with telecoms providers;
  7. Ofcom extending minimum standards and introducing rules to incentivise Openreach to go beyond minimum standards and deliver better service. These rules were introduced in 2016, and have been consulted on throughout Ofcom's Wholesale Local Access Market Review, which took place from March 2017 until June 2017. The results of this Review were published on 28 March 2018, as modified, with new measures resulting from this taking effect in April 2018. Ofcom is planning a further, single review of business and residential full-fibre markets to be undertaken by April 2021 and which will supersede previous separate reviews including the Wholesale Local Access Market Review;
  8. Ofcom consulting on and implementing an automatic compensation scheme for consumers and small businesses; this came into effect in April 2019;
  9. Ofcom developed detailed proposals on Openreach independence and discussed these proposals with the Commission in 2016. In response to Ofcom's competition concerns, BT agreed in 2017 to Ofcom's requirements to make Openreach a distinct company with its own staff, management and strategy, and a legal purpose to serve all of its customers equally, and Openreach become a legally separate entity in October 2018. Ofcom established the Open Reach Monitoring Unit in 2018 to support the ongoing assessment of Openreach: an interim report was published in November 2018 and a full annual compliance report was released in July 2019;
  10. Ofcom working with industry and third parties (e.g., price comparison sites) to improve the level of information available to consumers, including introducing requirements for providers to publish a standard cost comparison measure alongside their tariffs, as well as end-of-contract statements and best tariff notifications;
  11. Ofcom consulted on mobile switching in the first half of 2016, and completed a qualitative research piece on switching triple-play services (phone line, TV, broadband), in July 2016. Following a consultation in 2017, Ofcom's reforms and a range of new rules on mobile switching came into force in July 2019;
  12. Ofcom consulted on proposals to streamline and update the General Conditions throughout 2016 and 2017, and set out its conclusions in statements published in September 2017, March 2018 and July 2018. All of the revised conditions came into force on 1 October 2018. Ofcom will start a review and revision of the General Conditions in the third quarter of 2019 to reflect requirements under the new European Electronic Communications Code (to be implemented into national law by 21 December 2020);
  13. Ofcom working with the government and Information Commissioner's Office (ICO) to develop a regulatory framework and communications plan around online harms. An initial product of this work is a joint research report published by Ofcom and the ICO in September 2018 on internet users' experience of online harms; and
  14. Ofcom working closely with the government, the National Cyber Security Centre and industry to monitor cybersecurity risks and improve network resilience, including implementation of the NIS Regulations and operation of the TBEST penetration testing scheme as part of the wider Security and Resilience Assurance Scheme launched in February 2019.

In terms of other regulators, the Body of European Regulators for Electronic Communications (BEREC), formed after the adoption of Regulation (EC) 1211/2009,10 is now playing an increasingly significant role at a European level. BEREC replaced the European Regulators Group, and acts as an exclusive forum and vehicle for cooperation between NRAs and between NRAs and the Commission.

The prevailing regulatory regime in the UK is contained primarily in the Act, which entered into force on 25 July 2003. Broadcasting is regulated under a separate part of the Act in conjunction with the Broadcasting Acts of 1990 and 1996. Other domestic and European legislation also affects this area, including:

  1. the Wireless Telegraphy Act 2006;
  2. the Digital Economy Act 2010;
  3. the GDPR and the Data Protection Act 2018;
  4. the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011);
  5. European Regulation 2017/003 (e-Privacy Regulation), once it takes effect;
  6. the NISD and the NIS Regulation;
  7. the Freedom of Information Act 2000;
  8. the Investigatory Powers Act 2016;
  9. the Enterprise Act 2002;
  10. the Copyright, Designs and Patents Act 1988;
  11. the Digital Economy Act 2017 (DEA) (although some sections of the DEA are in force, the remainder are subject to staggered commencement dates);
  12. the Competition Act 1998;
  13. the European Electronic Communications Code Directive,11 establishing the European Electronic Communications Code; and
  14. the European Union (Withdrawal) Act 2018.

The European data protection regime has undergone wholesale reform with the introduction of the GDPR, which became applicable on 25 May 2018, and the UK implementing legislation, the Data Protection Act 2018, which came into effect on 23 May 2018. This legislation replaces the previous Data Protection Directive12 and the corresponding UK implementing legislation, the Data Protection Act 1998, and introduces more stringent standards and an enhanced enforcement regime.

In July 2013, the DCMS published a policy paper titled 'Connectivity, content and consumers – Britain's digital platform for growth' (Strategy Paper).13 In line with the government's view that a large-scale overhaul of the existing legislation was unnecessary, the Strategy Paper focused on specific and incremental legislative changes to a number of areas, including the following:

  1. a consumer rights bill introducing a new category of digital content in consumer law, together with a set of statutory rights for the quality standards that this content should meet and the remedies available to consumers when digital content does not meet these standards;
  2. changes to improve spectrum management and amendments to the Wireless Telegraphy Act 2006; and
  3. amending the Electronic Communications Code (ECC), in line with the new European Electronic Communications Code, to make it easier for communications companies to use land for broadband infrastructure.

Following on from the above, the Consumer Rights Act 2015 introduced rights in respect of the quality of digital content and digital services. The Act received royal assent on 26 March 2015 and came into force in stages; it is now fully in force. The main provisions of the Act, including those relating to goods, services and digital content, came into force on 1 October 2015.

In April 2018, the government announced in the Modernising Consumer Markets Green Paper14 that it would review the regulatory model for providing various consumer-facing services, including utilities, telecoms and financial services, with a particular focus on ensuring that consumers benefit from new technology while ensuring that personal data is protected. It simultaneously launched a call for evidence on the review of competition law. The consultation closed on 4 July 2018. Following this, the UK government appointed an expert panel to examine competition in the data economy and explore what steps were possible to ensure that new technology markets support healthy competition. The panel ran from September 2018 to March 2019 and culminated in a final report of recommendations to the government (the Furman Report).15 The recommendations in the Furman Report included:

  1. the establishment of a digital markets unit, with three functions: developing a code of competitive conduct with the participation of stakeholders, enabling greater personal data mobility and systems with open standards, and advancing data openness. This unit would have links to the Competition and Markets Authority (CMA) and Ofcom and a strong relationship with the Information Commissioner's Office (ICO);
  2. a revision of merger assessment in digital markets. The revisions would entail the CMA taking more frequent, and firmer, action on mergers that could be detrimental to consumer welfare through reducing future levels of innovation and competition;
  3. updates to the CMA's enforcement tools against anticompetitive conduct to protect and promote competition in the digital economy. The Report notes that existing tools have been used infrequently in a digital markets context, and that cases have moved slowly;
  4. the government, the CMA and the Centre for Data Ethics and Innovation continuing to monitor how use of machine learning algorithms and artificial intelligence evolves to ensure it does not lead to anticompetitive activity or consumer detriment, in particular to vulnerable consumers;
  5. the CMA conducting a market study into the digital advertising market encompassing the entire value chain, using its investigatory powers to examine whether competition is working effectively and whether consumer harms are arising. On 3 July 2019, the CMA launched a market study into online platforms and the digital advertising with the aim of assessing three broad potential sources of harm to consumers in connection with the market for digital advertising: to what extent online platforms have market power in user-facing markets, and what impact this has on consumers; whether consumers are able and willing to control how data about them is used and collected by online platforms; and whether competition in the digital advertising market may be distorted by any market power held by platforms. The consultation on the CMA's statement of scope for this market study closed on 30 July 2019 and further details and responses are available on the CMA's case page;16 and
  6. the government engaging internationally on the recommendations it chooses to adopt, encouraging closer cross-border cooperation between competition authorities in sharing best practice and developing a common approach to issues across international digital markets.

The DCMS issued its spectrum management strategy in March 2014, recognising the need for, among other things:

  1. a uniform system for the valuation of spectrum to set licence fees;
  2. the government to work with Ofcom to encourage efficient use of spectrum, in particular in the release of spectrum, transfer of spectrum and assignment of spectrum to new users;
  3. encouragement of innovation; and
  4. a strategy to address increased demands on spectrum that will evolve from the growth of the IoT, M2M communication and 5G.

The DCMS's strategy was followed in April 2014 by Ofcom's spectrum management strategy, discussed in more detail below.

In August 2014, the DCMS issued a consultation paper17 seeking input on the goals and policies set out in a July 2013 report entitled 'Connectivity, content and consumers – Britain's digital platform for growth', which was explored further within a framework published in February 2014. The results of this consultation were used to develop the government's digital communications infrastructure strategy, which was published on 18 March 2015.18 For the past few years, the government has made commitments in relation to broadband infrastructure, in particular superfast broadband, connectivity in rural areas and the delivery of mobile broadband connectivity. One step towards this objective came in the form of the DEA, which received royal assent in April 2017. This provided the statutory basis for the development of the new broadband USO (discussed above).

The DEA, among other things, reformed the ECC by introducing a range of measures to make it easier for network operators to deploy infrastructure (phone masts, exchanges, etc.) on public and private land. Ofcom was obliged to publish a new Code of Practice to accompany the proposed changes, to create a number of templates to be used by Code operators and landowners or occupiers, and to create standard terms that may be used by Code operators and landowners or occupiers when negotiating agreements to confer Code rights. Ofcom published final versions of these documents on 15 December 2017.19

ii Regulated activities

Ofcom oversees and administers the licensing for a range of activities, including, broadly speaking, mobile telecommunications and wireless broadband, broadcast TV and radio, postal services, and the use of radio spectrum.

The Act replaced the system of individual licences with a general authorisation regime for the provision of ECNs and ECSs. Operators of ECNs and ECSs are able to provide networks or services to the public without the need for prior authorisation from Ofcom where they have complied with the general conditions of entitlement. A revised version of the general conditions came into force on 1 October 2018. As well as the general conditions, individual ECN and ECS operators may also be subject to further conditions specifically addressed to them. These fall into four main categories: universal service conditions, access-related conditions, privileged supplier conditions, and conditions imposed as a result of a finding of significant market power (SMP) of an ECN or ECS operator in a relevant economic market.

Use of radio spectrum requires a licence from Ofcom under the Wireless Telegraphy Act 2006 (subject to certain exemptions).

Television and radio broadcasting requires a licence from Ofcom under the Broadcasting Act 1990 or 1996. Providers of on-demand programme services have to notify Ofcom of their services in advance.

iii Ownership and market access restrictions

No foreign ownership restrictions apply to authorisations to provide telecommunications services, although the Act directs that the Secretary of State for DCMS may require Ofcom to suspend or restrict any provider's entitlement in the interests of national security.

In the context of media regulation, although the Act and the Broadcasting Acts impose restrictions on the persons that may own or control broadcast licences, there are no longer any rules that prohibit those not established or resident in the EEA from holding broadcast licences.

In March 2017, the Secretary of State intervened in connection with media plurality when it asked Ofcom to review the anticipated acquisition by Twenty-First Century Fox, Inc (21st Century Fox) of 100 per cent of the shares in Sky plc (Sky), a British pay-TV operator. The Secretary of State's stated potential concerns were twofold: whether there would be sufficient plurality of persons with control of the media enterprises and whether the parties would have genuine commitment to the attainment of standard objectives in relation to broadcasting. Ofcom published its report in June 2017 and found that the anticipated transaction raised potential public interest concerns relating to media plurality due to a risk of increased influence by members of the Murdoch Family Trust over the UK news agenda and political process, with its unique presence on radio, television, in print and online.20 Ofcom recommended a reference by the Secretary of State to the CMA.

In January 2018, the CMA provisionally found that 21st Century Fox's anticipated acquisition was not in the public interest due to media plurality concerns, but not due to a lack of commitment to meeting broadcasting standards. The CMA sent its final report to the DCMS in May 2018, following which the Secretary of State accepted the CMA's recommendation that the anticipated acquisition was not in the public interest due to media plurality concerns and that the most effective and proportionate remedy would be for the Sky News channel to be divested to a suitable third party.21 21st Century Fox then agreed to divest Sky News to the Walt Disney Company.22 However, Comcast has since outbid Disney for a majority interest in Sky. The takeover of Sky by Comcast was completed in October 2018.23

iv Transfers of control and assignments

For transactions that do not fall within EU merger control jurisdiction, the UK operates a merger regime in which the parties to a transaction can choose whether to notify a transaction prior to closing. The UK CMA monitors transactions prior to closing and has the power to intervene in un-notified transactions prior to closing or up to four months from the closing of a transaction being publicised. Where the CMA intervenes in a closed transaction it is policy to impose a hold-separate order.24

The administrative body currently responsible for UK merger control is the CMA. The CMA consults Ofcom when considering transactions in the broadcast, telecommunications and newspaper publishing markets.25

The Secretary of State also retains powers under the Enterprise Act 2002 to intervene in certain merger cases, which include those that involve public interest considerations. In the context of media mergers, such considerations include the need to ensure sufficient plurality of persons with control of media enterprises serving UK audiences; the need for the availability throughout the UK of high-quality broadcasting calculated to appeal to a broad variety of tastes and interests; and the need for accurate presentation of news, plurality of views and free expression in newspaper mergers. Importantly, the Secretary of State is subject to the same four-month time limit to intervene in un-notified transactions as the CMA, as recently confirmed by the Competition Appeal Tribunal.26 In such cases, the Secretary of State may require Ofcom to report on a merger's potential impact on the public interest as it relates to ensuring the sufficiency of plurality of persons with control of media enterprises (as was the case, for example, in relation to the recent attempted acquisition of Sky by 21st Century Fox discussed in Section II.iii). Ofcom is also under a duty to satisfy itself as to whether a proposed acquirer of a licence holder would be fit and proper to hold a broadcasting licence pursuant to Section 3(3) of each of the 1990 and 1996 Broadcasting Acts.27

Following the 2017 National Security and Infrastructure Investment Review Green Paper,28 amendments to the UK's merger control regime for transactions in the defence and technology sectors came into force on 11 June 2018. The aim of the amendments is to provide greater powers for the Secretary of State to intervene in transactions on public interest grounds. Among other changes, under the new rules, the target turnover threshold has been lowered from £70 million to £1 million for transactions between parties operating in either the design and maintenance of aspects of computing hardware or the development of quantum technology.29

v DSM: e-commerce, online platforms, geo-blocking and telecoms


On 6 May 2015, the Commission published a Communication on a DSM Strategy for Europe. This Strategy aims to make the EU's single market fit for the digital age through three pillars: better online access for consumers and businesses across Europe; creating the right conditions and a level playing field for advanced digital networks and innovative services; and maximising the growth potential of the digital economy. The Strategy includes legislative proposals in a range of areas with a view to make cross-border e-commerce easier, end unjustified geo-blocking, reform the copyright regime and reduce burdens due to different VAT regimes. Twenty-eight of these proposals have been agreed or finalised by the European Parliament and the Council of the European Union, and an update on progress was provided in a DSM factsheet published by the Commission in July 2019.30 For instance, a regulation on cross-border portability of online content services has applied across the EU since 1 April 2018 and allows EU consumers to access their online content services while travelling within the EU (discussed further in Section V.ii). This can be seen as complementary to the data roaming rules of June 2017, which enable EU consumers to use their domestic mobile data allowance and rates when roaming in other Member States.

In May 2017, the Commission published its mid-term review on the implementation of the DSM, which identifies three main areas where further EU action is needed: the development of the European data economy to its full potential; the protection of Europe's assets by tackling cybersecurity challenges; and the promotion of online platforms as responsible players in a fair internet ecosystem.31 The mid-term review also clearly emphasised the necessity to rapidly adopt the proposals for the Electronic Communications Code, which has since occurred in December 2018. As a direct response to the challenges identified in the mid-term review, the Commission announced in April 2018 that revisions are being made to Directive 2003/98/EC, which governs the use of public sector information. The aim is to tap into the huge resource of data that is currently held in the public sector, thought to be worth approximately €52 billion, and reuse it to help address a range of different societal problems such as healthcare, public transport and even artificial intelligence.32


On 10 May 2017, the Commission published a report on the e-commerce sector enquiry. One of the main points the Commission raised was that, with the growth of e-commerce, business practices have emerged that may raise competition concerns, such as pricing restrictions and online marketplace (platform) bans. The Commission noted that it is important to avoid diverging interpretations of the EU competition rules in e-commerce markets, which may in turn create obstacles for companies to the detriment of a DSM. One significant development has been the abolition of retail roaming charges throughout the EU, effective from 15 June 2017, as part of the ongoing focus on promoting cross-border e-commerce. Since the roaming charges developments, the Commission's focus for e-commerce reforms has been preventing unjustified geo-blocking (discussed in more detail below), as well as revised general consumer protection rules.

Online platforms

The Commission has emphasised the role of online platforms, with one million businesses already selling goods and services via online platforms and more than 50 per cent of SMEs that operate through online marketplaces selling cross-border.33 In May 2016, it published a communication that proposed ways to foster development of such platforms and identified two specific issues for further investigation: safeguarding a fair and innovation-friendly business environment; and ensuring that illegal content online is timely and effectively removed, with proper checks and balances, from online platforms.34 In its mid-term review, the Commission identified online platforms as one of three emerging challenges, and proposed the implementation of actions to tackle these challenges.35 The result, announced by the Commission on 26 April 2018, was a proposed suite of new standards on transparency and fairness in relation to online platforms, which were agreed by the Commission, Parliament and Council in February 2019 and adopted on 14 June 2019. The aim of these new rules is to create a fair, transparent and predictable business environment for smaller businesses when using online platforms. The new Regulation (Regulation on promoting fairness and transparency for business users of online intermediary services36) includes measures seeking to reduce unfair trading practices, increase transparency, resolve disputes more effectively as well as establishing an Online Platform Observatory to monitor the impact and implementation of the new rules.37 The new Regulation will apply from 20 June 2020, and will be subject to a review within 18 months of that date.


On 27 February 2018, the EU adopted the Geo-blocking Regulation, which will apply from 3 December 2018. The Regulation prohibits unjustified geo-blocking, and other forms of discrimination, based on customers' nationality, place of residence or place of establishment. The Regulation tackles the concern that geo-blocking potentially limits online shopping and cross-border trade, and leads to undesirable geographical market segmentation. Importantly, electronically supplied services offering copyright-protected content are excluded from the Regulation: territorial exclusivity is essential for the creative industries to monetise and exploit their content, and the Commission argues that facilitating access to audiovisual services across borders is part of other initiatives under the DSM Strategy.38 For this reason, the Regulation does not affect online television, films, streamed sports, music, e-books or games. However, the Commission will evaluate the Regulation's impact two years after its entry into force to assess the possibility of an extension of the new rules to online services related to non-audiovisual copyright-protected content.


The current European Commission telecoms and connectivity proposals include:

  1. recasting the Framework, Authorisation, Access and Universal Services Directives as one directive, the European Electronic Communications Code;
  2. upgrading BEREC to a fully fledged EU agency;
  3. a 5G Action Plan for the development and deployment of 5G networks in Europe; and
  4. a WiFi4EU initiative to aid European villages and cities roll out free public Wi-Fi.

In December 2018, the Commission adopted the European Electronic Communications Code (the Code) and a revised remit for the Body of European Regulators for Electronic Communication (BEREC). The Commission implemented these changes as a step towards modernising and improving connectivity.

The Code aims to address and harmonise spectrum policy and regulation, including spectrum auction timing, across the single market in part to stimulate competition and investment in 5G networks. It also tries to address new technologies and services that are not clearly contemplated by current legislation. In the UK, the rules and timelines for the spectrum auctions were announced by Ofcom in July 2017. The results of the principal bidding stage were announced on 5 April 2018.39

OTT services would be classified a sub-class of ECS and subject to regulations concerning security (including security audits) and interconnectivity (among end users and to emergency services). Other amendments regarding number allocation have been made to address potential competition issues with the expected advent of the IoT and M2M communication: national regulators would be allowed (but not required) to assign numbers to undertakings other than providers of ECNs and services. The Code moves away from universal service access requirements to legacy technologies (e.g., public payphones) and replaces them with a requirement to ensure end users have access to affordable, functional internet and voice communication services, as defined by reference to a dynamic basket of basic online services delivered via broadband. In addition, the Code contains additional consumer protections via proposed regulations requiring telecoms providers to provide contract summaries and improved comparison tools.

The regulatory role of BEREC has been enhanced with a view to improving regulatory consistency across the single market. For example, decisions on spectrum assignment are subject to a peer review process whereby BEREC issues an opinion on whether a decision should be amended or withdrawn to ensure consistent spectrum assignment. BEREC can also issue an opinion on any remedy proposed by an NRA in relation to maintaining the Code's objectives. BEREC has also been granted legally binding powers, including a double-lock system in relation to any draft remedy proposed by an NRA. New rules on cheaper intra-EU calls are also intended to cap the retail price of mobile or fixed calls from the customer's home Member State to another EU Member State. There will also be a cap for intra-EU text messages. The new caps started to apply as early as 15 May 2019.

In terms of policy proposals, the 5G Action Plan proposes to bring uninterrupted 5G coverage to all major European urban areas and transportation corridors by 2025, with several interim deadlines relating to, inter alia, spectrum assignment and development of global 5G standards (2019). In December 2017, Urve Palo, Minister of Entrepreneurship and Information Technology, set out the deployment road map and detailed commitments, for example to transpose the Code into national law by mid-2020. The specifics of the 5G Action Plan, such as the development of 5G standards, are still evolving. There is limited guidance on funding for the 5G Action Plan, although the Code itself has stimulated to an extent such investment, and the Commission has launched the European Broadband Fund (combining private and public investments) to support network deployment throughout the EU. The Commission has also committed to exploring a proposal by a telecoms industry group to provide a venture-financing facility (jointly funded by public and private sources) for start-ups developing 5G technologies and applications.

The WiFi4EU initiative intends to assist local authorities to offer free Wi-Fi connections in parks, libraries and other public spaces by providing local authorities with small grants of up to €60,000 (from a total initial budget of €120 million) for equipment and installation costs. In May 2017, the European Parliament, Council and Commission reached a political agreement on the initiative and its funding, and as of May 2018, local communities have been able to apply for WiFi4EU vouchers to set up free public Wi-Fi networks. There have been two calls for members of the public to apply for funding in connection with WiFi4EU (in November 2018 and April 2019 respectively). To date a combined total of €93 million has been allocated to implement free Wi-Fi across the EU. It is intended that this will develop into a more harmonised telecoms regulatory regime, with an advanced 5G network that could be in place by 2025.


i Internet and internet protocol regulation

As previously noted, the Act is technology-neutral, and as such there is no specific regulatory regime for internet services. ISPs are also ECNs or ECSs depending on whether they operate their own transmission systems, and are entitled to provide services under the Act in compliance with the general conditions and, where applicable, specific conditions.

VoIP and VoB are specifically subject to a number of general authorisation conditions under the Act, such as those related to emergency call numbers.

In the context of the net neutrality debate, the Revised EU Framework adopted a range of internet traffic management provisions allowing NRAs such as Ofcom to adopt measures to ensure minimum quality levels for network transmission services, and to require ECN and ECS operators to provide information about the presence of any traffic-shaping processes operated by ISPs. These provisions were implemented into UK law.

Prior to the Regulation on Open Internet Access coming into force in 2016, the Broadband Stakeholders' Group published a voluntary industry code of practice on traffic management transparency in March 2011. In July 2012, major ISPs published the Open Internet Code of Practice, which commits ISPs to providing full and open internet access. The latest Open Internet Code was published on 8 June 2016. The Code preserves the concept of an open internet while clarifying the context in which some innovative services, which could become more prevalent as the IoT becomes a reality, could be provided alongside the open internet. The Code added three new commitments: ISPs promise open and full access to the net across their range of products; firms cannot market a subscription package as including internet access if certain kinds of legal content or services are barred; and members must not target and degrade content or applications offered by a specific rival.40 Notably, Everything Everywhere (EE) opted out of signing the Code.

From April 2016, the Regulation on Open Internet Access41 put in place EU-wide rules for net neutrality, and granted end users rights to access and distribute information and content, use and provide applications and services, and use terminal equipment of their choice, irrespective of such end user's or provider's location (Article 3(1)). The aim is that users will have access to online content that is not subject to discrimination or interference. Likewise, companies may not pay for prioritisation, so access to an SME's website will not be unjustly slowed down to allow access for larger companies. The requirement that all internet traffic be treated equally is subject to exceptions to:

  1. comply with EU or national legislation related to the lawfulness of content or with criminal law;
  2. preserve the security and integrity of the network such as to combat viruses;
  3. minimise network congestion that is temporary or exceptional; and
  4. filter spam (i.e., to filter unsolicited communications and allow parents to set up parental filters).

In terms of the latter, such measures need to be transparent, non-discriminatory and proportionate, and must not be maintained for longer than is necessary. Likewise, providers of internet access services must publish information on traffic-management measures in end user contracts, along with details on the privacy of end users and the protection of their personal data. Notably, NRAs are required to monitor and enforce the open internet rules, although it is for Member States to lay down rules on the penalties applicable for infringements of the net neutrality provisions. On 30 August 2016, BEREC published guidelines42 for NRAs on the implementation of net neutrality under the Regulation on Open Internet Access, in particular covering obligations to monitor closely and ensure compliance with the EU net neutrality rules to ensure equal treatment of traffic in the provision of internet access services and related end user rights. Ofcom published a statement on its approach to assessing compliance with the Regulation on Open Internet Access in May 2019.43 Ofcom's report focuses on two primary areas: the practice of 'zero-rating' data traffic, and traffic management practices, and also concludes Ofcom's initial enforcement programme started in December 2017 (though Ofcom will continue to monitor compliance with the Regulation on an ongoing basis).

ii Universal service

Universal service is provided under the Act by way of the Universal Service Order. Effective from April 2018, the Secretary of State published an order for a minimum affordable broadband connection to be available throughout the UK providing, inter alia, a download sync speed of at least 10Mbps and the capability to allow data usage of at least 100GB per month.44 The Order in the UK covers ECNs and ECSs and activities in connection with these services. Ofcom designated BT and KCOM as universal service providers in the geographical areas they cover; in June 2019, Ofcom published a statement setting conditions for the delivery of Universal Service Order connections and services by the universal service providers.45 Consumers and businesses will be able to request connections from 20 March 2020.

In June 2015, Ofcom published a report setting out its assessment and recommendations on the provision and availability of communications services for SMEs in the UK.46 Ofcom found that the availability of superfast broadband to SMEs is significantly lower than to residential premises. In its annual review for 2017 to 2018, Ofcom noted that it was key to continue to help SMEs engage in the communications market, and in 2018 it identified a lack of ICT specialism within SMEs and adequate assistance from providers as contributing factors to this lack of engagement.47

Access and interconnection are regulated in the UK by EU competition law and specific provisions in the Act aimed at increasing competition. The General Conditions require all providers of public ECNs to negotiate interconnection with other providers of public ECNs. Specific access conditions may also be imposed on operators with SMP. Although prices charged to end users are not regulated, Ofcom may regulate wholesale rates charged by certain operators to alternative operators for network access. This is the case, inter alia, for wholesale fixed termination rates, wholesale mobile call termination rates, wholesale broadband access rates, local loop unbundling and wholesale line rental services.

Ofcom imposed specific conditions on BT and KCOM in certain areas where they enjoy SMP so as to allow alternative operators to compete in the retail broadband market.48 These include an obligation to provide general and non-discriminatory network access to BT and KCOM's wholesale broadband products to alternative operators on reasonable request; an obligation to maintain separate accounts between services to alternative operators and its own retail division as well as other related transparency obligations; and a charge control on BT to ensure that charges for its broadband wholesale products are based on the costs of provision. Network access obligations included virtual access to new fibre lines laid by BT (through its access service division, Openreach), allowing alternative operators to combine their own electronics with physical infrastructure rented from BT. Furthermore, in June 2015, Ofcom proposed a charge control on the wholesale prices BT charges for products using leased telecoms lines, which provide vital high-speed links for businesses and providers of superfast broadband and mobile services.49 In 2016, Ofcom also stated that Openreach must become more independent from BT, and proposed that Openreach become a distinct company with its own board and accountable executives. Likewise, in February 2016, Ofcom committed to making it easier for telecoms providers to invest in advanced, competing infrastructure by improving access to Openreach's network of telegraph poles and ducts, allowing competitors to connect their own fibre-optic cables directly to homes and businesses.50

Ofcom's aim to promote the restructuring of BT and Openreach came to fruition in March 2017, when BT agreed that Openreach should become a distinct company with its own staff, management, strategy and legal purpose. This separation will likely take some time to be fully reflected in the market. Indeed, Ofcom noted in April 2018 that many SMEs still perceive BT as having specialist access to the Openreach network for installation and fault-finding, which deters switching between providers. However, significant progress has occurred already.

iii Restrictions on the provision of service

The Digital Economy Act 2010 (DEA 2010) includes provisions that were aimed at tackling online copyright infringement as a result of file sharing. It empowers the Secretary of State to impose obligations on ISPs to limit the internet access of subscribers who engage in online copyright infringement. Under the DEA 2010, Ofcom proposed a code of practice governing the initial obligations on ISPs. A second draft was published in June 2012. However, this version, and legislation on cost sharing in relation to the new obligations on ISPs, have not been finalised, and it is unclear whether they will ever come into force. Instead, the government has looked to industry to develop voluntary measures. In July 2014, the DCMS announced a scheme, Creative Content UK, spearheaded by ISPs and media industry leaders and supported by a government contribution of £3.5 million, to raise awareness of copyright infringement and warn internet users whose accounts are used to illegally access and share copyright material. The subscriber alert programme, which was initially known as the Voluntary Copyright Alert Programme (VCAP), evolved to encompass the Get it Right from a Genuine Site campaign launched in January 2017.

On 28 March 2018, the government launched the Creative Industries Sector Deal, which includes various specific commitments of interest concerning the tackling of online infringement of copyright. More than £150 million will be jointly invested by the government and industry to assist the UK's cultural and creative businesses thrive in the digital age. As part of the deal, £2 million is being committed to extend the Get it Right from a Genuine Site campaign.51 On 15 August 2019, Get it Right from a Genuine Site launched an awareness-raising video on its YouTube channel, aimed at encouraging consumers to take time to identify and access genuine and licensed sources of content.52

Among the provisions of the DEA is an increased maximum penalty for online copyright infringement of 10 years.

The availability of defences for online intermediaries in respect of unlawful content is governed primarily at a European level by the E-Commerce Directive,53 as implemented into UK law by the Electronic Commerce (EC Directive) Regulations 2002 and applicable case law. The Directive sets out defences for intermediary information society service providers.

iv Security

Privacy and consumer protection overview

In the UK, consumers' personal data is primarily protected by the GDPR and DPA; the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (ePrivacy UK Regulations), which implement the EU Directive on Privacy and Electronic Communication,54 as amended by the ePrivacy Directive;55 and the NISD and NIS Regulation. The GDPR has significantly changed the current UK – and broader European – data protection framework. In line with the Commission's DSM Strategy and the reforms brought in by the GDPR, the ePrivacy Directive is also undergoing reform. In 2017, the Commission proposed a draft ePrivacy Regulation (Draft ePrivacy Regulation),56 which is currently partway through the European legislative review process. The Draft ePrivacy Regulation is expected to be agreed and adopted in late 2019 or early 2020, and therefore to come into force in 2020 or 2021 following a minimum transition period of one year.

Data protection

The GDPR and DPA impose strict controls on the use or 'processing' (including disclosure) of personal data, including:

  1. providing specific conditions that must be met to ensure personal data is processed fairly, lawfully and in a transparent manner, such as that the individual has consented or that the processing is necessary for the purposes of fulfilling a contract;
  2. the requirement that data can generally only be processed for the purpose for which it was obtained and for no longer than is necessary, must be kept accurate and up to date, and must not be excessive;
  3. the requirement that data be kept secure (i.e., be protected against unlawful processing and accidental loss, destruction or damage);
  4. the restriction that data cannot be transferred to countries outside the EEA unless certain conditions are met, such as with the EU–US Privacy Shield (see 'Litigation and EU–US transfers of personal data' for more details) or signing the European Commission-approved Standard Contractual Clauses for personal data export; and
  5. personal data must be processed in accordance with the rights of the data subject under the GDPR, including that individuals have a right to access the personal data held about them, and a right in certain circumstances to have inaccurate personal data rectified or destroyed, among various other rights.

As noted above, the GDPR has significantly changed the current UK – and broader European – data protection framework. The key changes under the GDPR include:

  1. the implementation of the new rules as a regulation, rather than a directive, such that it is directly applicable in every Member State (though Member States are permitted certain derogations in a number of areas);
  2. the removal of the requirement to notify or register data processing activities with national regulators; however, controllers and processors will need to keep their own record of processing which is disclosable to national regulators;
  3. an expanded extraterritorial effect, resulting in the regulation applying not only to organisations established within the EEA, but also to organisations established outside the EEA but offering goods or services to, or monitoring the behaviour of, individuals in the EEA. Such non-EEA organisations are required to appoint a legal representative within the EEA, to enable national regulators to effectively communicate with, and take enforcement action against, those organisations without an EEA presence;
  4. a tightening of the requirements for valid consent, with the effect that consent will only be deemed to be valid if it is freely given, specific, informed and unambiguous;
  5. a stricter approach to the export of data outside the EEA, resulting from the general standards of data protection being raised throughout the Regulation as a whole;
  6. the introduction of mandatory data breach notification requirements (including notification to both national regulators and, in certain circumstances, to data subjects affected by a breach). On the occurrence of a breach that is likely to result in harm to individuals, organisations must now inform the ICO without undue delay and, where feasible, not later than 72 hours after becoming aware of a data breach;
  7. a right to data portability that will require the data controller to provide information to a data subject in a machine-readable format, in certain circumstances, so that it may be transferred to another controller;
  8. maximum fines of the higher of up to €20 million or 4 per cent of an organisation's annual global turnover for breaches. The GDPR relies on the European antitrust concept of 'undertaking' for the purposes of calculating fines, which encompasses wider corporate groups rather than looking solely at specific legal entities;
  9. certain categories of online identifiers such as internet cookies and IP addresses may be classified as personal data;57 and
  10. new definitions termed genetic data and biometric data, which include data relating to characteristics obtained during foetal development and data that allows the unique identification of a person to be confirmed through facial images or dactyloscopic data – now categorised as special categories of personal data (i.e., sensitive personal data).

The GDPR permits certain derogations by Member States, and the DPA seeks to provide for these accordingly to accommodate various existing UK statutes. For instance:

  1. it includes exemptions for journalists, research organisations, financial services firms (for anti-money laundering purposes) and employers (to process special categories of personal data and criminal conviction data without consent to comply with employment law obligations);
  2. certain actions (with some exceptions for actions necessary for preventing crime, etc.) relating to data will be criminal offences (subject to a fine), for example obtaining, procuring, retaining or selling data against a controller's wishes (even where lawfully obtained); intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data (or knowingly processing such data); and altering records with the intent to prevent disclosure following a subject access request; and
  3. a parent's or guardian's consent will be required to process the personal data of a child who is under 13 years old (the GDPR permits Member States to set this age between 13 and 16 years old).

Litigation and EU–US transfers of personal data

There are several valid legal bases for the transfer of personal data from the EU to countries outside the EU, of which two are subject to ongoing litigation: the Privacy Shield (successor to the Safe Harbor) and standard contractual clauses (also known as model clauses).

Under the historic Safe Harbor agreement, if a US recipient of personal data was self-certified under the US Safe Harbor regime, data transfers could be made to that recipient in the US, notwithstanding the general prohibition on transfer under the European data protection legislation in place at that time, because such a recipient was deemed to have adequate protection in place. The Safe Harbor regime was challenged in Schrems v. Data Protection Commissioner. This case was brought by privacy activist Max Schrems, who argued that the EU–US Safe Harbor agreement did not provide adequate security for EU citizens in light of the revelations exposed by Edward Snowden about PRISM and United States National Security Agency surveillance programmes. The CJEU invalidated the legal basis for the Safe Harbor Framework on 6 October 2015 with the immediate effect that the agreement was no longer considered to provide adequate protection under the eighth data protection principle.

Following the decision in Schrems v. Data Protection Commissioner, the Commission and the US government entered into lengthy negotiations as to a new means of EU–US data transfers. The new EU–US Privacy Shield came into effect on 1 August 2016 following approvals by the Commission and EU Member States. Under the new Privacy Shield, US organisations commit to seven privacy principles to ensure that adequate protections are in place: the notice principle, the data integrity and purpose limitation principle, the choice principle, the security principle, the access principle, the recourse, enforcement and liability principle, and the accountability for onward transfer principle (Principles). To join the Privacy Shield, an organisation must publicly commit to and implement the Principles through a self-certification process, be subject to the authority of US law by the relevant enforcement authority and publicly disclose its privacy policy.58

The most significant changes from the Safe Harbor framework to the Privacy Shield include the following:

  1. individuals affected by non-compliance with the Principles can seek redress (from the organisation itself, from an independent dispute resolution body and from the national DPA) and non-compliance can be enforced by various bodies (the Federal Trade Commission (FTC), a newly created privacy shield panel and judicial redress);
  2. there are tighter controls on transfers of personal data;
  3. annual joint reviews by the Commission, the FTC and the Department of Commerce on whether the Privacy Shield meets the adequacy finding that entitles companies to transfer personal data overseas legally; and
  4. written assurances by the US government that any access to personal data by public authorities will be subject to clear limitations, safeguards and oversight mechanisms.

In April 2017, the European Parliament passed a non-legislative resolution stating that the Commission should review the Privacy Shield to ensure it does not undermine the EU Charter on Fundamental Rights and the GDPR. In September 2017, the first joint review of the Privacy Shield took place between the EU and US. In a report59 published following the review, the Commission concluded that the Privacy Shield continues to ensure an adequate level of protection for personal data, but that there is room for improvement. The report sets out a number of recommendations to the US authorities on how to improve the functioning of the Privacy Shield, including, for example, that the Department of Commerce should proactively search for and investigate false claims of participation in the Privacy Shield, conduct regular compliance checks and swiftly appoint a Privacy Shield Ombudsman, in addition to increasing its cooperation with the Commission on relevant legal developments in the US. The Article 29 Working Party (which has now been replaced by the European Data Protection Board) also issued a report60 on the joint review in November 2017 that highlighted commercial issues and issues relating to access by US public authorities to data transferred to the US under the Privacy Shield. The report demands that an action plan be set up immediately (or at latest at the second joint review), and threatens to bring claims regarding the Privacy Shield adequacy decision before EU national courts if the issues are not addressed by the time of the second joint review.

In the wake of the revelation that Facebook had improperly shared the data of approximately 2.7 million European citizens with political consultancy Cambridge Analytica, despite the fact that both entities are signatories to the Privacy Shield, the European Parliament issued a resolution on 5 July 2018.61 The resolution notes the findings of both the Commission report and the Article 29 Working Party report, and takes the view that the current Privacy Shield arrangement does not provide an adequate level of protection. The resolution stated that, unless the US was fully compliant by 1 September 2018, the European Commission should suspend the Privacy Shield until the US authorities comply with its terms, though the Commission did not ultimately act on that resolution. The European Parliament renewed its call to suspend the Privacy Shield via a further resolution issued in October 2018,62 during which time the Commission, EU supervisory authorities and the US government conducted their second annual review of the Privacy Shield. Following that second annual review, the Commission again concluded that the Privacy Shield regime does still provide an adequate level of protection for European personal data,63 though the Commission also called for a number of improvements including the appointment of a permanent US ombudsperson. The Privacy Shield is also under scrutiny from privacy campaigners who have brought claims before the General Court (the lower court of the CJEU) contesting the Commission's adequacy finding for the Privacy Shield on the grounds that it still does not provide a level of data protection equivalent to the level required by European data protection law.

In May 2016, Max Schrems filed a complaint with the Irish Data Protection Commissioner concerning the legal status of data transfers under Facebook's standard contractual clauses. The Irish High Court referred the case to the CJEU to determine the legal status of the use of standard contractual clauses to transfer personal data outside the EU.64 The CJEU heard the reference for a preliminary ruling on 9 July 2019 (the Schrems II case), not only in relation to the validity of the standard contractual clauses, but also on the legal status of the Privacy Shield. The Advocate General is expected to deliver his non-binding opinion on 12 December 2019, with the court's decision following between three to six months later, possibly earlier.

ePrivacy Regulation

The Draft ePrivacy Regulation is set to replace the existing ePrivacy Directive, and to amend the Directive's current controls on unsolicited direct marketing, restrictions on the use of cookies, and rules on the use of traffic and location data. The intent with the ePrivacy Regulation is to complement the GDPR, and establish a modern, comprehensive and technologically neutral framework for electronic communications.

In relation to cookies and similar tracking technologies, the ePrivacy Directive, and ePrivacy UK Regulations prescribe that the consent of users of the relevant terminal equipment for the placement of cookies is required, unless a cookie is strictly necessary to provide an online service requested by a user (such as online shopping basket functionality, session cookies for managing security tokens throughout the site, multimedia flash cookies enabling media playback or load-balancing session cookies).

The GDPR introduces a higher level of consent, stating that consent should be a clear affirmative act establishing a freely given, informed and unambiguous indication of the data subject's agreement to the processing of personal data. Silence or inactivity does not constitute consent, and consent needs to be obtained for each processing purpose.65 Further, the data subject must have the right to withdraw consent at any time.66 In July 2019, the ICO updated its guidance on cookies,67 to clarify the interplay between the GDPR, DPA and ePrivacy UK Regulations and the standard of consent required for cookies. The ICO's guidance confirms that consents for cookies should meet the GDPR standard for consent (i.e., consent mechanisms must seek clear, unbundled, express acceptance for each category of cookies (other than those that are strictly necessary to provide the online service; this is narrowly interpreted)). This means that a number of common market practices in this area, including the use of banners that do not interrupt a user's interaction with a website (rather than those that provide notice and infer consent from continued use, for example) or that rely on implied consent (i.e., consent obtained by means of a pre-ticked opt-in box or an opt-out tick box) will need to be revised to meet the GDPR's consent standards this approach. Other than functional, strictly necessary cookies, no cookies should be applied before such consent has been sought. Further, such consent should be sought on an unbundled basis (i.e., setting out, and obtaining consent for, each purpose for which cookies are used).

Individual data subjects have the right under the GDPR to notify a data controller to cease or not to begin processing their personal data for the purposes of direct marketing. Under the ePrivacy UK Regulations, an organisation must obtain prior consent before sending a marketing message by automated call, fax, email, SMS text message, video message or picture message to an individual subscriber. There is a limited exemption for marketing by electronic mail (both email and SMS) that allows businesses to send electronic mail to existing customers provided that they are marketing their own goods or services, or goods and services that are similar to those that were being purchased when the contact information was provided; and the customer is given a simple opportunity to opt out free of charge at the time the details were initially collected and in all subsequent messages.

Under the ePrivacy UK Regulations, location data (any data that identifies the geographical location of a person using a mobile device) can be used to provide value-added services (e.g., advertising) only if the user cannot be identified from the data or the customer has given prior consent. To give consent, the user must be aware of the types of location data that will be processed, the purposes and duration of the processing of that data, and whether the data will be transmitted to a third party to provide the value-added service.

The Draft ePrivacy Regulation (which is subject to further changes) aims to improve on the existing ePrivacy Directive in several ways, including:

  1. expanding the scope of ePrivacy laws to include OTT providers that provide services functionally equivalent to traditional telecoms providers, and apply to organisations worldwide as long as they are providing services to end users in the EU;
  2. reviewing the rules on the use of cookies and other tracking technologies to establish when consent should be required, and whether the standard of consent should be equivalent to that in the GDPR (e.g., it has been proposed that consent would not be necessary for cookies used for the purposes of analytics);
  3. tightening rules in relation to direct marketing (including business-to-business marketing);
  4. restricting use of content and metadata by communications providers. However, the scope of these restrictions is hotly debated, and one of the key topics responsible for the delay in the agreement of the proposed regulation text;
  5. alignment of sanctions to the GDPR: for example, breach could bring liability of up to €20 million or four per cent of annual worldwide turnover; and
  6. unifying the ePrivacy Regulation's enforcement under GDPR enforcement bodies.

While the Commission's original intention was for the ePrivacy Regulation to come into force simultaneously with the GDPR in May 2018, the draft has been subject to intense scrutiny and debate and remains under review through the European legislative process. At the time of writing, the next step in this process is the release of the Council's final position on the regulation. Once the Council's position is published, the ongoing trialogue process between the Parliament, Council and Commission will continue in order to agree the final wording of the regulation. According to the most recent drafts (the latest Council proposal was released on 26 July 2019), the ePrivacy Regulation is expected to come into force two years after its finalisation and publication date. Given the criticism of the proposal, companies should be prepared to see further changes to the draft before its passage, even at these later stages of the process, and the development of this law should be tracked to ensure ongoing compliance.


The ICO is responsible for the enforcement of the GDPR and DPA, the ePrivacy Directive and UK ePrivacy Regulations, the IPA, the NISD and NIS Regulations (NIS enforcement is discussed in more detail below), as well as the Freedom of Information Act 2000 (which provides individuals with the ability to request disclosure of information held by public authorities).

The ICO is increasingly focusing on enforcement generally, and on the use of monetary penalties in particular (under the GDPR, penalties of up to a maximum of 4 per cent of global annual turnover or €20 million, whichever is the higher, may be applied, and equivalent penalties are contemplated in the latest draft ePrivacy Regulation).

According to the ICO's Annual Report for 2018 and 2019,68 2018–2019 was a record-breaking year for monetary penalties in relation to data protection breaches, and also saw the first proposed fines under the GDPR and DPA. The majority of the ICO's actions in the past year proceeded under the Data Protection Act 1998, rather than the DPA, due to the time taken to conduct and conclude the relevant investigations. The ICO issued 22 monetary penalty notices under the DPA 1998 in 2018–19 Report period, imposing fines totally just over £3 million. In two of these cases, the ICO imposed the maximum available financial sanction under the DPA 1998 (£500,000); these fines represent the highest data protection fines imposed by the ICO at the time of writing. The first of these fines was served on Facebook in July 2018 for failing to safeguard the personal data of millions of users and for failing to be transparent with those users about how their data was in turn being harvested by third parties, including by political consulting firm Cambridge Analytica. The second of these fines was imposed on Equifax Ltd in September 2018 for failing to protect the personal data of up to 15 million UK individuals during a cyberattack which compromised the company's US systems.

In parallel with the ongoing conclusion of legacy DPA 1998 investigations, the ICO has more recently started to take action under the DPA, though no monetary penalties have been imposed at the time of writing. The ICO has, however, announced its intention to impose two significant fines under the GDPR/DPA (these investigations are ongoing and the final level of fines imposed is not expected to be known until later in 2019). On 8 July, the ICO announced a notice of intent to fine British Airways £183.39 million under the GDPR in relation to a cyberattack and resulting data breach, impacting approximately 500,000 customers. This proposed fine is the largest to date under the GDPR. Then on 9 July 2019, the ICO announced a notice of intent to fine Marriott International £99.2 million for GDPR infringements stemming from a data breach at Starwood, which Marriott acquired in 2016. These latest actions from the ICO are part of a European-wide trend of data protection supervisory authorities starting to utilise their increased powers under the GDPR to impose significant fines, and indicating a sea change in the level of fines organisations can expect for data protection failings.

While the level of monetary penalties for data protection breaches is expected to increase dramatically compared with previous years, the most common grounds for fines and enforcement action remain the loss of data, other major data security breaches and, to a lesser extent, automated marketing calls and other complaints under the ePrivacy UK Regulations. In relation to the latter, the ICO received 138,368 complaints under the ePrivacy UK Regulations in 2018–2019 and issued 23 monetary penalty notices totalling just over £2 million in fines. This represents an increase in the number of complaints received compared to 2017–2018, but a decrease in the number of monetary penalties issued and the total level of fines imposed (in 2017–2018, the ICO issued 26 penalties under the ePrivacy UK Regulations, totalling £3.28 million in fines for that period). The majority of fines imposed under the ePrivacy UK Regulations relate to automated marketing calls.

In May 2017, the ICO issued the highest-ever nuisance calls fine of £400,000 to Keurboom Communication Ltd, which was responsible for 99.5 million nuisance calls.69 In January 2018, Barrington Claims Ltd was fined £250,000 for making automated marketing calls to individuals whom it could not prove had consented to receiving such calls.70 Finally, Tax Returned Limited was fined £200,000 in December 2018 for sending out millions of unsolicited marketing text messages.71

Data breach notification

The GDPR introduces a new personal data breach notification obligation on data controllers requiring notification to the supervisory authorities without undue delay and not later than 72 hours after becoming aware of a breach, unless the data security breach is unlikely to result in a risk to the rights and freedoms of a data subject. If a personal data breach results in a high risk to the rights and freedoms of a natural person, a data controller must inform the natural person of the data breach without undue delay.72 The GDPR also requires a data processor to notify a data controller if it becomes aware of a personal data breach. An infringement of these provisions can lead to an administrative fine up to €10 million or, in the case of an undertaking, up to two per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher.73 As a result of this strengthening of the requirements to report personal data breaches, the ICO has seen a significant increase in the number of personal data breaches reported to it: up from 3,311 notifications in 2017–2018 to 13,840 notifications in 2018–2019.74 The ICO reports that in 82 per cent of those reported cases, the relevant organisation had taken adequate steps to address the breach and no further action was required by the ICO. In the vast majority of the remaining cases, the ICO required the organisation to take further action but did not take enforcement or formal action against the organisation: enforcement action (e.g., monetary penalty or imposition of a mandatory improvement plan) was taken in less than 1 per cent of reported breach cases.75

Under the ePrivacy UK Regulations, providers of public ECSs (mainly telecom providers and ISPs) are required to inform the ICO within 24 hours of a personal data security breach and, where that breach is likely to adversely affect the personal data or privacy of a customer, that customer must also be promptly notified. The Draft ePrivacy Regulations intend to align this deadline with the time period set out under the GDPR (72 hours) for consistency. This should be kept under review as the Draft ePrivacy Regulation is finalised.

In addition, organisations to which the NIS Regulations apply will have to comply with its notification requirements, as set out below.

Data retention, interception and disclosure of communications data

The legislation in this area has been the subject of much change and controversy over the past few years. The powers of government authorities (and, in a more limited capacity, private organisations) to intercept communications, acquire communications data and interfere with communications equipment was previously regulated by a patchwork of legislation, including the Regulation of Investigatory Powers Act 2000 (RIPA), and, until 2016, the Data Retention and Investigatory Powers Act 2014 (DRIPA). The Investigatory Powers Act 2016 (IPA) overhauls, and in some cases extends, the scope of RIPA. It has largely, but not yet entirely, amended or repealed RIPA.

On 8 April 2014, the CJEU held in Digital Rights Ireland76 that the Data Retention Directive77 was invalid as it violated an individual's right to privacy and was disproportionate in its aims. Under the Data Retention Directive, public communications providers (e.g., providers of fixed-network telephony, mobile telephony and internet access, internet email or internet telephony) had to retain traffic, subscriber and, where relevant, location data (but excluding content data) for a period of 12 months.78 The declaration of invalidity meant that the UK's implementing subordinate legislation, the Data Retention (EC Directive) Regulations 2009, no longer had a basis in primary law and was itself vulnerable to a finding of illegality. The government decided to reintroduce data retention laws as primary legislation by passing DRIPA. In this regard, the UK stood in stark contrast to the rest of Europe, where Germany, the Czech Republic, Romania, Austria, Cyprus, Belgium, Ireland and Bulgaria had already deemed similar provisions unlawful.

DRIPA came into force on 17 July 2014 (with a sunset clause forcing automatic expiry of its provisions on 31 December 2016), and addressed two key issues: the obligation to retain communications data by communications providers and the extraterritorial expansion of powers under RIPA.79 DRIPA also clarified that interception capability notices under RIPA may be issued to telecommunications providers outside the UK in relation to conduct outside the UK.

Following its passage into law, a legal challenge was mounted questioning the legality of DRIPA. In July 2015, the High Court declared DRIPA's data retention provisions to be incompatible with EU law on the basis that they interfered with Articles 7 and 8 of the EU Charter of Fundamental Rights (the public's rights to respect for private life and communications and to the protection of personal data).80 In November 2015, the Court of Appeal referred the case to the CJEU; the CJEU held on 21 December 2016 that the ePrivacy Directive and the Charter of Fundamental Rights preclude laws that require a general and indiscriminate retention of data. However, laws that place targeted data retention obligations on service providers for the purpose of fighting serious crime are permitted provided that the safeguards protecting Article 7 and 8 rights are maintained (as specified in Digital Rights Ireland). The CJEU held that national data retention laws fall within the scope of the ePrivacy Directive.

The CJEU referred the case back to the UK Court of Appeal, which delivered its final judgment on 30 January 2018.81 The Court of Appeal agreed that the DRIPA data retention provisions were incompatible with EU law. It declined to rule on various other issues that had been raised by the parties given the ongoing litigation relating to the IPA by civil rights groups, as described below.

Although DRIPA would itself have expired in accordance with its sunset clause, its spirit survives in the IPA, which received royal assent on 29 November 2016, just in time before DRIPA's scheduled expiry on 31 December 2016. The IPA is similar to RIPA in various respects. For example, like RIPA, the IPA imposes a general prohibition on the interception of communications unless the interceptor has lawful authority to carry out the interception, such as where a warrant has been issued by the Secretary of State (interception warrant). However, the IPA provides a new legal framework to govern the use and oversight of investigatory powers of the executive branch. Among other things, it:

  1. includes new powers for UK intelligence agencies and law enforcement to carry out targeted interception of communications, bulk collection of communications data and bulk interception of communications;
  2. introduces an Investigatory Powers Commission (IPC) to oversee the use of all investigatory powers, alongside oversight provided by the Intelligence and Security Committee of Parliament and the Investigatory Powers Tribunal;
  3. requires a judge serving on the IPC to review warrants authorised by the Secretary of State for accessing the content of communications and equipment interference before they come into force (commonly referred to as a double lock feature);
  4. widens the categories of telecommunications operators (TOs) that can be subject to most powers by including private as well as public operators;
  5. includes the power to require TOs to retain UK internet users' data, including internet connection records, for up to one year (although it remains to be seen how such powers may be amended following the court rulings described below);
  6. permits police, intelligence officers and other government department managers to see internet connection records as part of a targeted and filtered investigation without a warrant;
  7. imposes a legal obligation on TOs to assist with the targeted interception of data and communications and equipment interference in relation to an investigation (however, foreign companies are not required to engage in bulk collection of data or communications);
  8. places the Wilson Doctrine (a convention whereby police and intelligence services are restricted from intercepting communications of Members of Parliament) on a statutory footing for the first time, as well as safeguards for people such as journalists, lawyers and doctors involved in other sensitive professions;
  9. provides local government with some investigatory powers (e.g., to investigate someone fraudulently claiming benefits), but not access to internet connection records;
  10. creates a new criminal offence for unlawfully accessing internet data; and
  11. creates a new criminal offence for a TO or someone who works for a TO to reveal that data has been requested.

The provisions of the IPA are being enacted in stages via a series of statutory instruments (most recently through the Investigatory Powers Act 2016 (Commencement No. 11) Regulations 2019 (SI 2019/174) in force from 5 February 2019). To date, most portions of the IPA have been enacted. The equivalent provisions in the legacy RIPA legislation have been repealed or amended, but the remaining RIPA provisions (i.e., those that have not been expressly repealed or amended to date) continue to govern the UK interception statutory regime. The government's intention is to repeal RIPA in its entirety, if and when the equivalent, remaining IPA provisions are enacted. As a result, we have a rather complex regulatory landscape in which a patchwork of statutory instruments have largely, but not entirely, brought the IPA into force and amended or repealed the legacy RIPA legislation. Furthermore, in light of recent case law, it remains to be seen to what extent the IPA will survive as currently drafted: the outstanding provisions of the IPA remain under consideration by the government. In addition to Watson,82 civil liberties group Liberty has mounted a legal challenge to the IPA by way of judicial review. In April 2018, the UK High Court ruled that Part 4 of the IPA, which relates to the retention of communications data, was incompatible with EU law in two respects: in the context of criminal justice, the relevant provisions allowed access to retained data that was not limited to the purpose of combating serious crime, and that access was not subject to prior review by a court or independent body. The High Court decided against making an order of disapplication, but ordered that the government must replace the relevant provisions by 1 November 2018.83 In response, on 31 October 2018 the government introduced the Data Retention and Acquisition Regulations 2018. However, the Regulations have been criticised as not going far enough to address the human rights concerns raised by the High Court.

On 13 September 2018, the European Court of Human Rights ruled in the case of Big Brother Watch and Others v. the United Kingdom84 that certain aspects of the bulk interception regime under RIPA and the regime for obtaining communications data from communications and service providers violate Article 8 (the right to respect for private and family life and communications) and Article 10 (the right to freedom of expression) of the European Convention on Human Rights (ECHR). Big Brother Watch and the applicant campaign groups85 requested that the case be referred to the Grand Chamber at the European Court of Human Rights, where it was heard in July 2019:86 judgment is expected in early 2020, on the primary issues of the bulk interception of communications; intelligence sharing with foreign governments; and the obtaining of communications data from communications service providers.

Protection for children

Under the GDPR, children are defined as vulnerable natural persons who merit specific protection with regard to their personal data.87 The GDPR defines a 'child' as anyone below the age of 16, unless a Member State provides, as the UK has done, for a lower age (which cannot be lower than 13) – the DPA has set the age of children at the minimum permitted threshold (i.e., anyone younger than 13 years). Consent to the processing of personal data in connection with the provision of online services to children is required to be given by a person with parental responsibility.88 Data can also be processed based on legitimate business interests, but it is clear that it will be harder to argue that the interests of a company outweigh those of a child. The GDPR also introduces a right to be forgotten, which will make it necessary for certain service providers, such as social media services, to delete any personal data processed or collected when the user was a child.89

In May 2018, the government published a green paper titled Internet Safety Strategy.90 The paper discusses a series of proposed measures to increase the safety of the online environment in the UK, including a range of measures aimed at protecting children, such as laws related to cyberbullying and online child sexual exploitation and measures to develop children's digital literacy. Further details of the proposed measures will be set out in a white paper on the same topic, to be published later in 2018.

The Child Exploitation and Online Protection Centre (CEOP) works to prevent exploitation of children online; it is made up of a large number of specialists who work alongside police officers to locate and track possible and registered offenders. CEOP operates as a command of the National Crime Agency. CEOP also offers training, education and public awareness in relation to child safety online.

Internet safety for children in the UK is also monitored by the UK Council for Internet Safety (UKCIS) (previously the UK Council for Child Internet Safety (UKCCIS)), a forum consisting of government, technology and communications organisations and third sector organisations, collaborating to improve online safety. The UKCIS has most recently published a Digital Resilience Framework91 to assist, among other organisations, schools and child services providers to integrate digital resilience into education and other child settings.

Website and software operators may apply for the Kitemark for Child Safety Online. This has been developed through collaboration between the British Standards Institution (BSI) (the UK's national standards body), the Home Office, Ofcom, and representatives from ISPs and application developers. The BSI tests internet access control products, services, tools and other systems for their ability to block certain categories of websites (e.g., sexually explicit, violent or racist activity).


The Computer Misuse Act 2000 (as amended by the Police and Justice Act 2006) sets out a number of provisions that make hacking and any other forms of unauthorised access, as well as DoS attacks and the distribution of viruses and other malicious codes, criminal offences. Further offences exist where an individual supplies tools to commit the above-mentioned activities.

The government has consolidated its focus on cybersecurity through the establishment of the National Cyber Security Strategy, with a dedicated pool of funds stretching to £1.9 billion over five years until 2021.92 Cybercrime detection and response is primarily led by the National Crime Agency, working together with the National Cyber Security Centre (NCSC), a government body established in 2016 to act as a single national authority on cybersecurity. One of the NCSC's roles is to manage the Cyber-Security Information Sharing Partnership, which facilitates the sharing of real-time cyber threat information between the public and private sectors. In its National Cyber Security Strategy Progress Report,93 published in May 2019, the government reported on a total of 665 cybersecurity response actions carried out between 2017 and 2019, including many undertaken in coordination with international agencies.

At a European level, the European Parliament adopted the NISD in July 2016, which is the first EU-wide legislation on cybersecurity. The aim of the NISD is to enhance network and information system security in essential economic and digital services. It introduces, inter alia, mandatory breach notification requirements and minimum security requirements.94 While the GDPR's aim is to protect personal data, the NISD focuses on protecting essential infrastructure, and is therefore not limited to personal data.

The NISD imposes obligations on two types of organisations: essential service operators (ESOs) within the energy, transport, banking, financial market infrastructure, health, drinking water and digital infrastructure sectors; and digital service providers (DSPs), including entities such as online marketplaces, online search engines and cloud computing service providers. These companies must now report breaches of cybersecurity to the national competent authorities without undue delay where the relevant incident would have a significant impact on the core services provided by a company. The NISD had been stuck in negotiations between EU lawmakers and Member States over which sectors the Directive should cover; after months of negotiations, it was decided that digital platforms such as search engines, social networks and cloud computing service providers will be subject to the Directive's remit, albeit with lighter touch requirements. The Directive aims to ensure a uniform level of cybersecurity across the EU as part of the Commission's wider Digital Agenda for Europe.

As of 9 May 2018, the NISD should have been implemented in each EU Member State. In the UK it has been implemented by way of the NIS Regulation, which came into force on 10 May 2018. The NIS Regulation:

  1. applies to ESOs and DSPs with thresholds designed to capture the most important operators in their sector due to, for example, their size;
  2. is regulated by the ICO in respect of DSPs and, in respect of ESOs, the competent industry-specific regulator, such as the Department for Business Energy and Industrial Strategy, Ofcom and NHS Digital. GCHQ acts as the UK's single point of contact as required by the NISD;
  3. requires operators to develop minimum levels of security, as well as evidence that these higher standards have been met, and notify incidents meeting specific thresholds to the relevant regulator. Notifications should be made without undue delay and within 72 hours of becoming aware of the incident where feasible. The NIS Regulation notification obligations are separate from the personal data breach notification obligations under the GDPR and DPA – depending on the specific circumstances, an organisation may be required to report a cybersecurity incident to both its NIS competent authority under the NIS Regulations (i.e., the ICO for DSPs, or relevant industry regulator for ESOs), and to the ICO under the DPA (if the incident also constitutes a relevant personal data breach, and the organisation is acting as a data controller); and
  4. imposes harsher penalties to mirror the GDPR, with fines up to the higher of £17 million or 4 per cent of annual worldwide turnover.

While the NISD applies to certain financial institutions, the NIS Regulation does not apply to entities that fall within the remit of the regulatory authority of the Financial Conduct Authority, the Bank of England or the Prudential Regulation Authority, as these institutions have been deemed to impose requirements on financial institutions that meet the obligations under the NISD.

In respect of DSPs, the NIS Regulation does not apply to small and micro businesses (i.e., companies employing fewer than 50 people whose annual turnover or balance sheet total, or both, is less than €10 million). However, if a DSP is part of a larger group, the group's size may need to be taken into account in determining whether the provider is excluded from the application of the NIS Regulation (depending on the level of control exercised over the provider by other group entities).

In respect of ESOs, certain sectors are exempt from some aspects of the NISD where they are obliged to comply with equivalent provisions within existing regulations (e.g., the finance and civil nuclear sectors). The competent authority has a discretion to deem a particular organisation to be an ESO even if the threshold conditions are not met. In addition, ESOs are required to register with their competent authority.

Following the implementation of the NIS Regulations, the ICO reports that it received approximately 2,500 cybersecurity notifications under the NIS Regulations in 2018–2019,95 the majority of which related to phishing attaches and unauthorised access.


i Development

The current EU regulatory framework for spectrum has been in force since 2003 following the introduction of the Telecoms Reform Package. This regulatory framework, in particular the Framework Directive96 and the Authorisation Directive,97 requires the neutral allocation of spectrum in relation to the technology and services proposed by users (e.g., MNOs and radio broadcasters). Following on from the Telecoms Reform Package, the Commission required Member States to adopt measures including greater neutrality in spectrum allocation, the right of the Commission to propose legislation to coordinate radio spectrum policy, and to reserve part of the spectrum from the digital dividend (from the switchover to digital television services) for mobile broadband services through the Better Regulation Directive and the Citizens' Rights Directive. In 2016, Ofcom developed a framework for spectrum sharing, highlighting the importance of considering the circumstances of each potential opportunity, covering its costs and benefits.

In the UK, Ofcom is responsible under the Act for the optimal use of the radio spectrum in the interests of consumers. This includes, inter alia, monitoring the airwaves to identify cases of interference, and taking action against illegal broadcasters and the use of unauthorised wireless devices. The 2016 framework established three key elements when identifying potential sharing opportunities in certain bands: characteristics of use for all users that inform the initial view of the potential for sharing, and what tools may be relevant; barriers that may limit the extent of current or future sharing, despite the liberalisation of licences and existing market tools such as trading or leasing; and regulatory tools and market and technology enablers that match the characteristics of use and barriers to facilitate new and more intense sharing.98

ii Flexible spectrum use

As the uses of the radio spectrum have increased, the allocation of spectrum by the regulator has developed from a centralised system, where use was determined by the regulator, to a market-based approach, where users compete for spectrum. Currently, auctions are the primary market tool used to implement the allocation.

Spectrum trading was introduced in the UK for the first time in 2004, and is permitted under the Wireless Telegraphy Act 2006 and associated regulations. Originally, the trading of spectrum was subject to a multi-stage process that, inter alia, required a decision by Ofcom about whether to consent to the trade. However, the Wireless Telegraphy (Mobile Spectrum Trading) Regulations 2011, directed at making more efficient use of the available spectrum, and improvements in mobile services to meet the demand for faster and more reliable services for consumers, made significant changes to this process, removing the need to obtain Ofcom's consent for proposed trades in most cases. In addition, under these Regulations, a licensee can transfer all or part of the rights and obligations under its licence. A partial transfer, or spectrum leasing, can be limited to a range of frequencies or to a particular area. Ofcom also plans to simplify the process for time-limited transfers in line with the Revised Framework Directive.

In December 2018, Ofcom published a report regarding shared access to spectrum and supporting mobile technology.99 In its report, Ofcom outlines a series of aims and proposals to ensure users have suitable spectrum access. Further, in July 2019, Ofcom published a document setting out proposals relating to local licences for particular spectrum bands in order to support mobile technology for customers.100 To facilitate this, Ofcom has proposed three shared access bands which support mobile technology, each of which is adjacent to bands available (or being considered) for national mobile use.101

iii Broadband and next-generation mobile spectrum use

Ofcom issued a call for information on spectrum above 6GHz that ended in February 2015.102 Following on from this, in April 2016 Ofcom consulted on improving spectrum access for consumers in the 5GHz band. Ofcom subsequently set out plans to open up a sub-band within the 5GHz frequency range for Wi-Fi, which would increase the number of 80MHz channels available for Wi-Fi from four to six to accommodate data-hungry applications and ease congestion. These extra channels, which are already being used in the US, could be opened up within the next few years.103 In March 2017, Ofcom published its Statement on improving spectrum access for consumers in the 5GHz band, and in July 2017 published its Decision to make Wireless Telegraphy Exemption Regulations 2017; this was predominantly due to increasing demand for Wi-Fi and the role of spectrum in addressing such demand.104 The technology has provided more capacity at faster speeds for mobile services on smartphones such as video streaming, email and social networking sites.

iv White space

Free spectrum, or 'white space', left over from the UK's switch from analogue to digital TV and radio, has been available for mobile broadband and enhanced Wi-Fi since 2011. A white space device will search for spectrum that is available and check a third-party database to find out what RFs are available to ensure that it does not interfere with existing licensed users of the spectrum. New white space radios use frequencies that are allocated for certain uses elsewhere but are empty locally. Flawless management of spectrum is required to avoid interferences.

Since February 2015, Ofcom has allowed the commercial use and deployment of white space broadband technology, harnessing the unused parts of the radio spectrum in the 470MHz to 790MHz frequency band.

Ofcom is in the relatively early stages of developing spectrum sharing. White space spectrum with a frequency in the spectrum bank 470MHz to 790MHz, which is not being used at particular times, is the key to developing such sharing. This would be enabled by location-aware wireless devices or databases that provide information on white space availability. Likewise, Ofcom set out in its spectrum management strategy that it would place particular emphasis on spectrum sharing. In July 2015, Ofcom published a consultation in an attempt to identify barriers to sharing, include regulatory tools to facilitate further sharing and set out how sharing would be considered on a case-by-case basis. In December 2017, Ofcom published its Review of the authorisation regime for spectrum access in which it detailed several key initiatives aimed at enabling spectrum sharing, such as the licence exemption (mentioned above) and geographic licences as well as dynamic spectrum access (DSA). DSA was first implemented with TV white spaces where valuable, unused, low frequency spectrum in the 470–790MHz band was made available to devices meeting a minimum technical specification.105

In July 2019, the UK published a consultation paper in relation to the proposed approach to implementation of the European Electronic Communications Code Directive.106 Member States have until 21 December 2020 to implement its provisions into domestic law. The UK took an active role in negotiating this directive to ensure it supports the UK's aim to improve connectivity. Implementation of this directive will support a stable regulatory framework which incentivises competitive network investment. Implementation of the spectrum provisions will also support 5G deployment by allowing for the release of additional spectrum and supporting spectrum sharing, and is anticipated to support the extension of mobile coverage in rural areas.

v Spectrum auctions

The first 5G spectrum auction to be completed by Ofcom took place in April 2018, with O2, EE, Three and Vodafone all winning spectrum. O2 acquired all 40MHz of the 2.3GHz spectrum being auctioned, as well as 40MHz of the 3.4GHz spectrum, making it the biggest winner in the auction. Some of the spectrum was auctioned because it was recently freed up by the government to make it available for civil use, having been previously used by the Ministry of Defence.

Another 5G spectrum auction is expected to take place in 2020, as the 2018 5G auction will not cover the anticipated demand for 5G once it is commercially available.

The last spectrum auction was initially proposed to be in 2015, when licences were to be awarded in the 2.3GHz and 3.4GHz spectrum bands. The auction was postponed to 2016, and a total of 190MHz of high-capacity spectrum was to be made available in two bands, 2.3GHz and 3.4GHz, which are those particularly suited to high-speed mobile broadband services. Ofcom planned to set reserve prices totalling £70 million for the spectrum. Most notably, there was to be no cap on the amounts bidders could buy, as Ofcom believes that buying large blocks has the potential to support fast download speeds, helping pave the way for 5G.107 However, following the Commission's decision to block the proposed acquisition of O2 by CK Hutchison (H3G), Ofcom published a further consultation in November 2016 on competition measures and on specific aspects of auction design for the award of the 2.3GHz and 3.4GHz spectrum bands.108 Ofcom subsequently announced the following spectrum caps in July 2017 to satisfy competition concerns: no operator would be able to hold more than 255MHz of immediately usable spectrum, and no operator would be able to hold more than 340MHz of the total amount of spectrum following the auction. In January 2018, UKGI (which administers the Public Sector Spectrum Release Programme through the Central Management Unit) reported that the programme has led to nearly 400MHz having been released so far, with plans to release 750MHz of spectrum from the public to the private sector by 2022 to stimulate economic growth. In December 2018, Ofcom published a report relating to its consultation on the award of the spectrum in the 700MHz and 3.6–3.8GHz bands.109 As a result of stakeholder responses to the consultation, Ofcom considered that it may be appropriate for certain measures to be included in the 2020 5G auction. These proposals were published on 11 June 2019.110 Ofcom considered the possibility of imposing a restriction on winners of less than 20MHz of the 3.6–3.8GHz spectrum, so they could bid only for the top or bottom of the 3.6–3.8GHz band in the assignment stage of the auction. In addition, Ofcom considered the inclusion of a negotiation phase, within the assignment stage of the auction, during which winners of 3.6–3.8GHz spectrum would have the opportunity to agree the assignment of frequencies in the 3.6–3.8GHz band among themselves.

To ensure competition between the national operators, Ofcom introduced a floor and cap on the amount of spectrum that each operator can win, and imposed safeguard caps to prevent an operator from holding too much spectrum. To diversify the market, Ofcom also reserved parts of the spectrum for a fourth national wholesaler. The reserved lots were won by Hutchison 3G UK.

Despite the fact that the government budgeted a surplus of £3.5 billion for the auctioned spectrum, it only raised a total of £2.34 billion;111 however, the principal stage of the 2018 spectrum auction has already raised over £1.3 billion.112

vi Emergency services bandwidth prioritisation

The Universal Services Directive, a further part of the Telecoms Reform Package, introduces several extended obligations in relation to access to national emergency numbers and the single European emergency call number (112). Prior to the Universal Services Directive, obligations to provide free and uninterrupted access to national and European emergency numbers applied to providers of publicly available telephone services only. Under this Directive, however, these obligations are extended to all undertakings that provide to end users 'an electronic communication service for originating national calls to a number or numbers in a national telephone numbering plan', and the UK has mirrored this wording in its revisions to General Condition 4 under the Act. Such electronic service providers are therefore required to ensure that a user can access both the 112 and 999 emergency call numbers at no charge and, to the extent technically feasible, make caller location information for such emergency calls available to the relevant emergency response organisations. Ofcom's revised general conditions for emergency services network (ESN) provider compliance came into force on 1 October 2018, amending the obligations relating to access to emergency services. The changes include extending the current requirements to ensure end users can access emergency organisations through eCalls.

In 2013, the Home Office announced the Emergency Services Mobile Communications Programme for a dedicated ESN that would provide the next-generation communication system for emergency services. However, one of the lots, relating to a contracted agreement for an MNO to extend guaranteed signal coverage to ensure mobile coverage, was withdrawn in January 2015. The remaining contracts for the operation of the ESN were won by EE, which provides the network, and Motorola Solutions, which supplies the user services (supported by Kellogg Brown Root as a delivery partner). Together they work to provide the UK's emergency services with a 4G LTE mobile network, replacing the existing private terrestrial trunked radio (Tetra) system. According to the Home Office, the UK is first in the world to deliver critical voice and data for emergency services over an enhanced and more resilient commercial 4G network.113 The new system has the key advantage of allowing emergency services traffic to be prioritised ahead of communications by the general public, and this was successfully tested in February 2018 for the first time between an EE mobile mast site in Bristol and a location in Basingstoke.114 In July 2019, the Commons Select Committee published a progress review in relation to the implementation of ESN, finding that the costs of crucial communications systems continue to rise, while the benefit to the emergency services is still unclear.115 The report recommended that by October 2019, the Home Office should agree specific and detailed criteria which will determine when ESN is ready to replace the airwave radio system. The report also recommended that the risks presented by Motorola's position (as supplier to ESN and owner of the airwave radio system) and the possible need to extend the airwave radio system until it can be replaced by ESN should be considered and presented to the Parliamentary Committee. A revised business plan in relation to ESN should be completed by the end of 2019.


The transition from traditional forms of media distribution and consumption towards digital converged media platforms continues to disrupt and change the commercial foundations of the entertainment and media industry in the UK. Members of the industry are all grappling with new business models to monetise content and control frameworks to provide sufficient protection for the rights of content creators and consumers alike. The Commission's DSM Strategy has wide-ranging implications for the UK media sector (subject to changes to national law as a result of Brexit). Areas of particular relevance to the media sector include the regulation on cross-border portability of online content services, amendments to the Audiovisual Media Services Directive and updates to the European copyright law regime, including in the form of the recent EU Copyright Directive.

i Superfast broadband and media

Fast broadband underpins the accessibility to consumers of internet-delivered content services. The Commission has highlighted that the global internet video share in consumer internet traffic is expected to increase from 64 per cent in 2014 to 80 per cent by 2019.116

By the end of March 2018, the government's rollout of superfast broadband had reached 4.85 million homes and businesses across the UK. This means that the government delivered on its commitment to extend superfast broadband to 95 per cent of UK homes and businesses by the end of 2017, and at the time of writing is pushing beyond 96 per cent with an ambition to reach at least 97 per cent coverage by March 2020. The focus is now shifting to exploring ways to take superfast broadband to the most remote and hardest-to-reach places in the UK. Seven market test pilots ran between June 2014 and March 2016 to test ways to take broadband to remote communities. The government published its findings in February 2016.117 This is consistent with the DEA, which provides for a USO whereby consumers may request a minimum download speed of 10Mbps by 2020. On 19 May 2019, the government launched the Rural Gigabit Connectivity programme, which will trial a model to deliver full fibre broadband to premises in rural and remote areas.118

ii European DSM Strategy and media

Audiovisual Media Services Directive

As part of the DSM Strategy, in May 2016, the Commission adopted a legislative proposal to revise the Audiovisual Media Services Directive (AVMSD), which coordinates national legislation on all audiovisual media including both TV broadcasts and on-demand services. In June 2018, the European Parliament, the Council and the Commission confirmed the preliminary political agreement reached on the proposed revisions. On 6 November 2018, the Council adopted the revised text, marking the final step in the legislative process.119 The revised Directive entered into force on 19 December 2018.120 Following its entry into force, Member States will then have a 21-month period to transpose the changes into national law. The revisions include:

  1. extending the AVMSD's application to video-sharing platforms where the principal purpose of the service is the provision of programmes or user-generated videos, or both, to the public , and which organise content in a way determined by the provider of the service (e.g., by algorithmic means);
  2. clarifications to the establishment test (i.e., which determines which Member State has jurisdiction over a linear or on-demand service provider);
  3. changes to place linear and on-demand services on an equal footing when it comes to measures to protect minors from harmful content;
  4. offering broadcasters more flexibility in television advertising – in particular, the advertising limit of 20 per cent of broadcasting time will apply between 6am and 6pm, and the same share will be permitted during prime time (i.e., 6pm to midnight) (rather than 20 per cent per clock hour); and
  5. an obligation on on-demand audiovisual media services to ensure 30 per cent of the works in their catalogues are European works and to ensure prominence of those works. Furthermore, Member States will have the option to require linear and on-demand service providers to invest in European works, including via direct investment in content and contributions to national funds.

The Commission and UK government have each published notes on the implications of Brexit on the audiovisual media sector.121 Subject to any agreement that the UK may reach with the EU, post-Brexit, the AVMSD, including the country of origin principle122 and the rule on freedom of reception and retransmission,123 will cease to benefit services under UK jurisdiction, and the UK will be treated as a third country. According to the recitals to the earlier version of the AVMSD, Member States are free to take whatever measures they deem appropriate with regard to audiovisual media services that come from third countries, provided they comply with EU law and the international obligations of the EU.124 Under the AVMSD, a complex test applies to determine which country has jurisdiction over a media service provider (largely based on the location of the head office, editorial decision making and the workforce). Post-Brexit, it would be possible for a media service provider to keep a UK head office but be subject to the jurisdiction of a Member State (and therefore continue to benefit from the country of origin principle within the EU), provided a significant part of the workforce operates in that Member State.

The UK government's consultation on its proposed approach to implementing the AVMSD ended on 22 August 2019, with feedback at the time of writing yet to be published. The consultation document sets out the UK's proposed approach to enshrining the AVMSD into national law.

In light of Brexit, the extent to which the UK is legally obliged to implement the AVMSD is currently unclear. The Withdrawal Agreement of November 2018 included a transition period that would extend through to 31 December 2020. During this time, EU law would still apply to the UK, therefore the UK would be obliged to implement the AVMSD into national law. Any deal negotiated with the EU would likely enshrine a similar transition period, which in turn would likely extend beyond the deadline for Member States to implement the AVMSD into national law.

In the event of the UK leaving the EU without a deal, the government's 'no-deal' Brexit technical note on broadcasting and video-on-demand confirms the AVMSD will no longer apply to the UK. In this scenario, the UK would be free to determine the extent to which elements of the AVMSD are implemented into national law.

Separately, and along with 20 other EU countries,125 the UK is party to the Council of Europe Convention on Transfrontier Television (ECTT),126 which provides for freedom of reception and retransmission.127 This is also relevant to the European works test, which is satisfied if a programme originates from a non-EU country that is party to the Convention.128 The AVMSD takes precedence among EU Member States, but the UK's position as a party to the Convention will not be affected by its exit from the EU. Therefore, in the absence of a Brexit deal, the Convention could be relied upon as between the UK and the 20 Member States that have signed and ratified it.

For the seven non-Convention countries, additional licences and consents will be required, subject to local law requirements. Works originating in the UK will continue to be classed as European works. However, VOD services are outside of the scope of the Convention and, if subject to UK jurisdiction according to the AVMSD test, would need to comply with the local law requirements in each Member State in which they are offered.

The UK government has published the Broadcasting (Amendment) (EU Exit) Regulations 2019,129 which will come into force on exit day in the event of a no-deal Brexit. The regulations change the authorisation system in the UK to a country-of-destination system, thus requiring broadcasts into the UK (and accessible via a licensed electronic programme guide) to be licensed and regulated by Ofcom, irrespective of the origin of the broadcast. An important exception to these regulations is broadcasts originating from countries that are signatories to, and have ratified, the ECTT (including non-EU Member States). Broadcasters in states that are members of the ECTT will not need a licence from Ofcom to broadcast into the UK, meaning that in effect, the country of origin principle would be retained in respect of these countries.

Portability Regulation

On 9 December 2015, the Commission proposed a regulation to enable the cross-border portability of online content services.130 The resulting Portability Regulation was published in the Official Journal on 30 June 2017131 and came into force on 1 April 2018.132 It allows Europeans who purchase or subscribe to audiovisual content (such as films, sports broadcasts, music, e-books and games) in their home Member State to access this content when they travel or stay temporarily in another Member State. Providers of online content services that are provided for payment (it is optional for free services) must ensure the cross-border portability of their services such that subscribers may access and use the services when temporarily present in another Member State. When verifying the subscriber's Member State of residence, service providers must limit the means to verify residence to two means of verification in a list (such as, for example, an identity card and payment details).

However, the Portability Regulation will cease to apply to UK–EEA travel post-Brexit in the absence of a reciprocal agreement with the EU. This is because the Regulation relies on a legal fiction whereby the provision of and access to the relevant service is deemed to take place in the subscriber's country of residence, effectively disapplying the local law of the country of temporary presence. The Regulation only applies to EEA Member States and its effects do not extend to third countries. In the UK, the Regulation will be revoked on exit.

Post-Brexit, content service providers will not be obliged under the Regulation to provide cross-border portability for customers travelling between the UK and EEA. Content service providers will be free to continue providing cross-border portability to their customers on a voluntary basis. The practical effect of this change is that, dependent on the terms of a service and licences in place between the service provider and the rights holders, UK customers in the EEA (and vice versa) may note restrictions on the content ordinarily available to them in their home country.133

Copyright reform

Satellite and Cable Directive

On 14 September 2016, in addition to the telecoms proposals outlined in Section II.v, the Commission adopted new proposals for copyright reform as part of its DSM Strategy. The Commission released proposals for a regulation laying down rules on the exercise of copyright and related rights applicable to certain online transmissions of broadcasting organisations and retransmissions of television and radio programmes (such regulation proposals have since been passed as the Satellite and Cable Directive (as opposed to a directly applicable regulation), amending the 1993 Directive of the same name);134 a directive on copyright in the DSM (Copyright Directive);135 and proposals for an additional directive and regulation to implement the Marrakesh Treaty to Facilitate Access to Published Works for Persons who are Blind, Visually Impaired, or Otherwise Print Disabled (Marrakesh Treaty).136

The Satellite and Cable Directive137 entered into force on 7 June 2019, following which date Member States have two years (until 7 June 2021) to transpose the Directive into national law. The Commission's initial proposal was aimed at introducing a cross-border clearance mechanism for digital broadcasting by broadcasters and retransmission of broadcasts online. Broadcasters transmit programmes on their services that they have licensed from others or produced themselves, but programmes will inevitably contain content that is protected by copyright and needs to be cleared for use. The Satellite and Cable Directive extends the country of origin principle – which has been in place for decades in respect of cable and satellite communications – to online simulcasts and catch-up services ('ancillary online services') in respect of (1) radio programmes; and (2) broadcasters' TV programmes which are news and current affairs programmes, or broadcasters' own fully financed productions. This means that, in respect of ancillary online services, broadcasters will only need to clear rights once, in the Member State in which the broadcasting organisation has its principal establishment. However, the Directive does not extend to TV broadcasts of sports events and TV productions acquired or commissioned from third parties. The Satellite and Cable Directive also extends the current system of mandatory collective management for retransmissions by cable of television and radio broadcasts from other Member States to wire or over-the-air means (including, e.g., satellite, DTT and IPTV), provided that the original transmission was not purely online. This means that instead of negotiating individually with every rights holder, operators who offer packages of channels will be able to obtain licences from collective management organisations.

Further, the Satellite and Cable Directive clarifies the principle of 'direct injection' by confirming that when a broadcaster transmits programmes to a distributor (without the broadcaster itself simultaneously transmitting the programmes to the public), and the distributor then transmits those programme-carrying signals to the public, the broadcaster and distributor are deemed to have singularly participated in communicating the programmes to the public. As such, this will require the relevant rights holders' authorisation, therefore ensuring that rights holders are remunerated for the same.

Copyright Directive

The Commission's original proposal for the Copyright Directive was the subject of extensive lobbying by digital platforms and content creators. On 12 September 2018, the European Parliament adopted amendments to the proposed text (particularly to Articles 15 and 17 (originally Articles 11 and 13 respectively), which proved to be the most controversial) and referred it for informal trilogue negotiations with the Council and Commission. On 15 April 2019, the European Council voted to adopt into EU law the amended Copyright Directive.

The Copyright Directive focuses on three areas. First, it introduces measures to achieve a well-functioning marketplace for copyright. These include provisions for:

  1. a new related right in publication that will allow publishers to charge fees for digital uses of the copyright works they have invested in the distribution of (not extending to mere hyperlinks or to the use of individual words or very short extracts of a press publication) This Article does not prevent legitimate private or non-commercial uses of press publications by individual users, nor does its application extend to blog posts or scientific/academic publications (Article 15);
  2. a requirement for online content-sharing service providers (OCSSP) to obtain authorisation from rights holders. If no authorisation is granted, OCSSP will be liable for unauthorised acts of communication to the public of copyright-protected works, unless they can show they (1) used best efforts to obtain authorisation; (2) used their best efforts (in accordance with high industry standards of professional diligence) to ensure the unavailability of specific works identified by rights holders; and (3) acted expeditiously to remove or disable access to any unauthorised content after being notified (Article 17); and
  3. an obligation to ensure authors and performers are entitled to receive 'appropriate and proportionate' remuneration for exclusive licences of their works, and a mechanism for increasing the transparency to rights holders of the exploitation of their works and performances, with an alternative contract adjustment mechanism to allow authors and performers to rebalance contracts (Articles 18, 19 and 20).

Secondly, it introduces measures to improve licensing practices and ensure wider access to content by:

  1. implementing a legal mechanism to facilitate easier licensing of out-of-commerce works (which are works that are not available to the public through customary channels of commerce after a reasonable effort has been made to determine whether they are available to the public) by cultural institutions to aid cultural institutions in making these works, which have significant cultural and educational value, available to the public (Article 8);
  2. allowing Member States to extend collective licensing to cover rights holders within a class who are not members of the relevant CMO. The CMO will be presumed to be representing such rights holders, but such rights holders must be able to opt out at any time in order to exclude their works from the collective licences (Article 12);
  3. requiring Member States to set up impartial bodies to assist in the negotiation of licensing agreements between audiovisual rights holders and VOD platforms (Article 13); and
  4. ensuring that when the term of protection of a work of visual art has expired, any material reproduced from that work is not subject to copyright, unless the reproducer has added something original to the reproduction (Article 14).

Thirdly, the Directive introduces measures to adapt exceptions and limitations to the digital and cross-border environment in relation to research and other organisations conducting text and data mining; the digital use of works and other subject matter for distance-learning educational purposes; and cultural heritage organisations making digital copies of their permanent collections for preservation purposes (Articles 3–6 inclusive).

Implementation of the Marrakesh Treaty

The directive designed to implement the Marrakesh Treaty introduces a new mandatory exception to the copyright rights harmonised under EU law, allowing people who are blind or otherwise print-disabled to access books and other content in formats that are accessible to them, including across borders. The regulation governs exchanges of accessible format copies between the European Union and third countries that are parties to the Marrakesh Treaty. The regulation and directive implementing the Marrakesh Treaty were published in the Official Journal on 20 September 2017. The regulation applied from 12 October 2018,138 and Member States had to implement the directive by 11 October 2018.139 Accordingly, the Copyright and Related Rights (Marrakesh Treaty etc.) (Amendment) Regulations (2018/995) came into force on 11 October 2018 and amended the UK's copyright law to make the UK's laws compatible with the Marrakesh Directive. The UK government has confirmed that the regulation and the UK's implementation of the directive will be retained in UK law post-Brexit. However, the UK is party to the Treaty through its membership of the EU. Until the UK government ratifies the Treaty in its own right after Brexit, the cross-border exchange of accessible format copies with the UK may be restricted.140

Changes to copyright law in the event of a 'no deal' Brexit

A government guidance note published on 5 September 2019 sets out a number of key changes to UK copyright law as a result of the UK's exit from the EU.141 In addition to country of origin issues, the revocation of the Portability Regulation, and the continued implementation of the Marrakesh Treaty (each as discussed above), the following points from the government's note are of relevance to the media sector:

  1. Sui generis database rights. Sui generis database rights prevent the unauthorised copying or extraction of data from databases which involve a substantial investment in time, money or effort and were created by an EEA national, resident or business. Following Brexit, UK citizens, residents and businesses will no longer be eligible to receive or hold sui generis database rights in the EEA. Pre-existing database rights will continue to exist in the UK for the remainder of their duration. Those in the UK who wish to use databases protected by these rights will continue to need the permission of the rights holder(s).
  2. Collective rights management. EU collective management organisations (CMOs) are required by the EU Collective Rights Management (CRM) Directive to represent, on request, rights holders of any EEA Member State. Post-Brexit, EEA CMOs will not be required by the CRM Directive to represent UK rights holders or to represent the catalogues of UK CMOs for online licensing of music rights.
  3. Orphan works. The EU Orphan Works Directive provides an exception to copyright infringement of orphan works (works where the rights holder is unknown or cannot be found), enabling cultural heritage institutions (CHIs) established in the EEA to digitise and make orphan works available online across EEA Member States. UK CHIs will not be able to make use of the orphan works exception after a no-deal Brexit and may face claims of copyright infringement if they make orphan works available online in the EEA.

Commission investigation into US film studios

The Commission has investigated the practices of six major US film studios (Disney, NBCUniversal, Paramount Pictures, Sony, Twentieth Century Fox and Warner Bros) with respect to clauses in their licensing agreements with telecommunications company Sky UK concerning absolute territorial exclusivity (preventing passive sales). On 26 July 2016, the Commission accepted commitments from Viacom-owned Paramount to end a probe into potentially anticompetitive film licensing contracts. As a result, Paramount agreed to stop enforcing contractual clauses that prevent European consumers outside the UK and Ireland watching Paramount films on Sky's UK satellite and online channels, and prevent rival broadcasters from airing its pay-TV content in the UK. The probe dealt only with Sky UK in the UK and Ireland, but the Commission also investigated the British pay-TV operator's approach to consumers in France, Italy and Germany. Likewise, Paramount will not introduce or renew similar clauses in film licensing contracts with other broadcasters that operate in other European countries. Paramount will run the commitments package for five years, and it will cover both standard pay-TV and on-demand services, both online and by satellite. The effect of the Commission accepting the commitments is that the studio will not be required to pay a fine, nor to admit liability. On 6 February 2017, details were published of an appeal by Canal+ against the Commission's decision to accept commitments from Paramount.142 In November 2018, the General Court ruled the Commission's decision to settle the probe was 'sufficiently grounded in law as regards whether the commitments offered by Paramount were suitable to resolve the competition concerns expressed by the Commission'.143

The European Commission closed its investigation in March 2019, following legally binding commitments from Disney,144 NBCUniversal, Sony Pictures and Warner Bros as well as from Sky UK, addressing the competition concerns raised by the Commission's investigations.145 The studios committed not to apply in respect of any broadcaster in the EEA, clauses in existing film licensing contracts for pay-TV that prevent EU consumers outside the UK and Ireland subscribing to pay-TV services to access films via satellite or online. The studios further committed to refraining from re-introducing similar clauses in film licensing contracts for pay-TV with any broadcaster in the EEA. The settlement commitments will apply throughout the EEA for a period of five years.

The Commission expressly stated that the commitments did not prejudice the studios rights under copyright law, thus ensuring the studios may still engage in licensing of their rights and enforcement of such rights under copyright laws. Additionally, the Commission clarified that the settlement does not prevent the rights of the studios or a pay-TV broadcaster to decide unilaterally to employ geo-filtering technology.

iii OTT delivery of content and broadcast TV

An OTT platform is typically a platform that allows users to stream audiovisual content using the internet or mobile delivery means. The key benefit of OTT delivery is that it allows users to interact with content because data can flow both ways in an IP network.

OTT delivery is utilised by a range of content providers in the UK, including PSBs (i.e., BBC iPlayer, ITV Hub, All4 and My5), cable and satellite platforms (e.g., both Virgin Media and Sky offer VOD products), mobile operators, online aggregators and standalone VOD platforms (e.g., Netflix, Amazon Prime Video and NowTV). To further facilitate user access to internet-delivered services, the BBC, ITV, Channel 4, Channel 5, BT, TalkTalk and Arqiva have collaborated on an open-technology offering called YouView, which enables viewers to access free-to-air channels and catch-up and on-demand programming via their televisions (along with the ability to add access to pay-TV channels and on-demand services).

The industry is being transformed as the take-up of superfast broadband and connected televisions changes the way in which people watch television. According to Ofcom's Media Nations: UK 2019 report,146 across all devices, people's total television and audiovisual viewing in 2018 was four hours and 54 minutes per day. Broadcast content made up 69 per cent of this, while the remaining 31 per cent was composed of viewing non-broadcast content such as content available via standalone VOD platforms and YouTube. On average, people view three hours and 22 minutes of broadcast television a day (including seven-day catch-up) (this has fallen by 11 minutes since 2018). Despite the variety of devices available and the increased use of smartphones in the UK, the TV set is still the most popular way to view audiovisual content, with 95.2 per cent of UK homes having a working TV set in the first quarter of 2019. This proportion has decreased slightly in recent years (in 2012 it was 96.3 per cent).

The change in viewing habits is in part driven by younger viewers, who watch more non-broadcast than broadcast content. In 2018, 16 to 34 year olds watched an average of four and a half hours of content a day across all devices. This daily average is split into three main parts: live TV (83 mins – 31 per cent); YouTube (64 mins – 23 per cent); and SVoD content (52 mins – 19 per cent). Viewing of SVoD by adults aged 16–34 has increased particularly steeply in the past year, up by 22 minutes to an average of 52 minutes a day.147

The total TV and online video industry revenue has grown, driven by the further expansion of the online sector, which continued its steep growth in 2018. Online subscription services were a key driver of growth; however, revenue from pay-TV subscription services also increased by 1.1 per cent during 2018. The increase was the result of pay-TV price hikes which offset a small decline in subscriber numbers.148

PSBs face challenges in light of this drastically changing landscape. While PSBs command half of all broadcast viewing, they are investing less money in first-run UK originals as increasingly they utilise third-party funding (such as co-production arrangements with third parties). However, Ofcom reports that the majority of viewers are either very or quite satisfied with PSB broadcasting,149 and that PSBs still provide a vital news service to viewers, with 73 per cent giving the provision of a trustworthy news source a 7–10 importance rating, where 10 means 'extremely important' and 1 is 'not at all important'.150

iv PSBs

The BBC Royal Charter was renewed in early 2017 and runs to the end of 2027. From 3 April 2017, a unitary board has replaced the two-tier structure of the BBC Trust and the BBC's Executive Board as the BBC's governing body. The Board is responsible for ensuring that the BBC fulfils its mission and promotes its public purposes, including by setting the strategic direction for the BBC within the framework of the Charter and the accompanying Framework Agreement between the BBC and the Secretary of State for DCMS, and by setting the BBC's creative remit.151 Ofcom also became the BBC's first external regulator, developing an operating framework for the BBC that covers regulation of the BBC's performance, compliance with content standards and impact on competition. In October 2017, Ofcom published a new operating licence for the BBC. The licence requires the BBC to broadcast more original UK programmes, and also requires more BBC content to be made across the UK's nations and regions.152

In November 2017, the BBC announced its decision to bring together two of its commercial subsidiaries, BBC Studios and BBC Worldwide, to trade as a single entity known as BBC Studios. The newly created BBC Studios launched on 3 April 2018. It is the primary entity for the BBC's commercial production and distribution activities globally.153

On 8 March 2018, Ofcom published a report that discusses the challenges facing PSBs in the context of increased media consumption via internet-delivered services and competition from global OTT services.154 Ofcom's findings include:

  1. the level of competition from global VOD platforms, along with the likes of Apple and Facebook, is creating a 'rush to scale' that is resulting in further market consolidation;
  2. public service broadcasting has so far held up well to increased global competition. The main PSB channels still account for half of all viewing and TV advertising has been fairly resilient, although Ofcom states that this is 'softening'. The reasoning for this is unclear, although Ofcom cites macroeconomic uncertainty and weakened consumer confidence as key drivers. While ITV has reduced its reliance on TV advertising revenues, Channel 4 is heavily reliant on advertising and sponsorship;
  3. young people are watching less scheduled TV, and brand awareness of the BBC among them is lower than Netflix and YouTube;
  4. Ofcom intends to support PSBs by strengthening its EPG Code through a consultation; and
  5. PSBs should continue to have access to digital terrestrial television (DTT) for at least the next 10 years, as mobile demand for the relevant spectrum has diminished due to 5G requiring spectrum at higher frequencies.

Ofcom has since published a report entitled 'The Future of Public Service Media' in July 2019,155 which notes public service broadcasting is now at a critical juncture. Since the publication of its 2018 report, the challenges facing PSBs have significantly increased pace. In response to these challenges, PSBs have developed differing approaches to meet the demand for online and on-demand viewing. By way of example, the BBC and ITV have announced plans for a new subscription service, BritBox, to make available more recent and historic BBC and ITV content than any other platform. On 19 September 2019, Ofcom published its final determination that the BBC's involvement in BritBox did not constitute a material change to its commercial activities.156 Additionally, the BBC has put forward a series of changes to iPlayer, which have been formally approved by Ofcom.157 The changes centre on changing iPlayer from a service whereby programmes are available to 'catch-up' for 30 days after broadcast, to one in which programmes are available for 12 months as standard, with some available for longer. ITV and STV are now offering subscription versions of their online players. Channel 4 is trialling an ad-free version of its All4 service, and has also partnered with Sky to provide viewers with additional drama and comedy box sets.

The July 2019 report sets out the steps being taken by Ofcom with a view to establishing a new framework for public service media, to ensure its prominence and ongoing resilience in an increasingly online environment. Ofcom itself has taken the following steps, each of which are discussed in further detail below: (1) publishing a decision to update the rules on the prominence of PSB channels in electronic programme guides; (2) making recommendations to the government to ensure PSB content remains easy to find in an online and on-demand world; and (3) endorsing a range of commitments by ITV, Channel 4 and Channel 5 to invest more in original UK content for children, following an Ofcom review of this area.

The DEA added a requirement under the Act for Ofcom to periodically review and report on the provision by EPGs of information on and access to PSB channels and content via PSB VOD services. Ofcom published its first such report on 27 July 2018.158 The DEA also required Ofcom to review and revise the EPG Code prior to 1 December 2020. Pursuant to this, alongside its first EPG prominence report, Ofcom published a consultation on proposed changes to the linear EPG Code and options for the future regulation of prominence for VOD services.159 The closing date for responses was 5 October 2018, and subsequently on 4 July 2019, Ofcom published both its recommendations to the government,160 and its decision to update the EPG Code.161

Currently in the UK, regulations guarantee the PSBs' prominence on the traditional Ofcom-licensed linear EPGs, but no such protections are afforded to PSBs in respect of other search functionality (e.g., on connected devices and searches via voice) or in respect of PSB VOD services. While PSB VOD and catch-up services are currently generally well-positioned, this is due to commercial negotiation rather than regulation. Ofcom's changes to the existing linear EPG Code162 will come into force on 4 January 2021 with 18 months for EPG providers to implement the new rules. The amendments to the EPG Code163 include:

  1. the five main PSB channels (BBC One, BBC Two, Channel 3 licensees, Channel 4 and Channel 5) being guaranteed their current positions in the top five EPG slots (subject to regional variations for Wales);
  2. BBC Four being guaranteed a slot within the first 24 slots of any licensed EPG;
  3. BBC News, BBC Parliament, CBBC and CBeebies being guaranteed slots within the first eight slots of the relevant EPG genre or section; and
  4. local TV services being located in the first 24 slots on digital terrestrial television of any EPG.

Ofcom's recommendations to the government for a new framework to keep PSB TV prominent in an online world analysed options for the future regulation of prominence in the context of VOD services (including the position of PSB VOD players and the availability of PSB content on a VOD basis elsewhere within platforms and via devices). Any such changes would be the subject of future legislation. Ofcom has stated that it would support new legislation to address the prominence of internet-delivered PSB content to secure the health of the PSB system and, accordingly (following consultation), has set out the following recommendations:

  1. new legislation is needed to keep PSBs prominent and support the sustainability of the PSBs;
  2. these new rules should specify which PSB content is given prominence, and on which platforms;
  3. the initial focus should be on connected TVs;
  4. viewers should be able to find PSB content easily on the homepage of connected TVs;
  5. on-demand services should only be given prominence if the service is clearly delivering PSB content;
  6. PSB content should also be given protected prominence within TV platforms' recommendations and search results;
  7. the new framework should protect the prominence of PSB content that is made available without charge; and
  8. there may need to be new obligations to ensure the continued availability of PSB on-demand content to viewers.

The DEA further granted Ofcom power to publish criteria for the provision of children's programming and, if appropriate, to set related conditions (e.g., quotas) on the licensed public service channels. Following a review of the sector and a consultation with ITV, Channel 4 and Channel 5, Ofcom has published its view of the plans proposed by each channel and the appropriate next steps.164 Each channel has renewed its commitment to children's content and committed to creating and investing more in original UK programmes made for UK children and teenagers, including live action, entertainment and news. Ofcom will monitor the broadcasters' implementation of its plans and will continue to work with the industry to ensure children and teenagers enjoy a range of high-quality programmes from the PSBs.


i Brexit

On 23 June 2016, the UK voted to leave the EU by a vote of 51.9 per cent in favour of leave to 48.1 per cent in favour of remain. The government invoked Article 50 of the Treaty on European Union on 29 March 2017, thereby starting the period of negotiation between the UK and the EU on the terms of the UK's exit, with exit taking effect once those negotiations have concluded or after two years (if sooner), irrespective of what terms have been agreed.

The European Union (Withdrawal) Act 2018 (Withdrawal Act) received royal assent on 26 June 2018. It provides that, on exit day (31 October 2019, at the time of writing):

  1. the European Communities Act (ECA) 1972 shall be repealed;
  2. all existing EU legislation (including EU-derived legislation, such as national implementing legislation) shall be enshrined into British law;
  3. the jurisdiction of the CJEU over the UK shall end; and
  4. the government shall be permitted to remove or amend EU laws that apply to the UK (whether directly effective or enshrined in UK law by a separate Act of Parliament) with primary legislation and, in some cases, secondary legislation via the Henry VIII clauses.

Certain provisions came into force when the Withdrawal Act received royal assent. These include provisions relating to:

  1. the implementation of the Withdrawal Act itself;
  2. border arrangements with Northern Ireland;
  3. powers and restrictions relating to devolved authorities;
  4. Parliamentary approval of the outcome of negotiations with the EU;
  5. negotiations for a customs arrangement with the EU and family unity for asylum seekers in the EU;
  6. publication of a draft bill relating to maintenance of certain environmental principles; and
  7. the power to make secondary legislation under the Withdrawal Act, and the Parliament's and the devolved authorities' scrutiny of any such secondary legislation.

The remaining provisions, which relate to repeal of the ECA and the enshrining of existing EU legislation into national law (and the concurrent loss of jurisdiction of European courts over its interpretation as applied in the UK and the sovereignty of Parliament to amend such laws), shall come into force as specified in regulations made by the government.

The Withdrawal Act has been received with mixed feelings in the UK and in the EU. Within the UK, the Scottish government has refused to endorse the Withdrawal Act on the basis that it attempts to further centralise power within the UK Parliament to the detriment of the devolved regions. The Welsh government provided its endorsement only after months of negotiations. Critics within the EU query how the UK government can state that it provides equivalent protections to EU laws, for example in the context of personal data, while also retaining authority to amend at will any EU law that has been enshrined into national law. The European Parliament's report on transfers of personal data points to the sovereignty of the UK Parliament and the loss of jurisdiction of European courts as major stumbling blocks in the search for an alternative to the UK becoming a third country for the purposes of such data transfers after Brexit.165 As such, its status remains uncertain.

The Withdrawal Act does not make direct provision for a transition period following exit day, and the impact of any such transitional period on the provisions of the Act remains unclear.

ii Commission proposals for a DSM Strategy

The Commission's ambitious DSM Strategy proposals (announced 14 September 2016) signpost that Europe's approach to digital market access is likely to:

  1. change significantly;
  2. dramatically enhance Europe's connectivity;
  3. rationalise its telecoms regulatory regime;
  4. end certain geographical restrictions; and
  5. reform the European copyright regime in favour of European interests.

However, the proposals are ambitious both in terms of scale and cost: using the 5G Action Plan as an illustrative example, the Commission estimates that €500 billion in private investment will be required to deliver the Plan, of which it is projected there will be a €155 billion shortfall based on current investment trends. In February 2018, the Commission took a step forward regarding the Plan by establishing the 5G Observatory to monitor market developments in 5G technology and observe national strategies by EU Member States, particularly with regard to coverage and quality.166 The Commission, which appointed Mariya Gabriel to be responsible for the DSM as of July 2017, has indicated that part of the intent of the reforms, such as the 5G Observatory, is to stimulate competition and investment in the sector. To achieve this, the Connecting Europe Broadband Fund (comprising both private and public funds) has been established to help make up this shortfall. The fund aims to raise €500 million for broadband investment by 2020 and is expected to unlock total investments of €1–1.7 billion. While the WiFi4EU initiative will be funded by the EU (for installation and equipment costs only) for an initial budgeted amount of €120 million, €70 million of this is reallocated funding from the Connecting Europe Facility. Only €50 million will be previously unallocated funds.

In July 2019, the Commission published a fact sheet that includes a timeline of DSM Strategy actions that had been taken up to that date.167 Recent progress has included the January 2018 Regulation establishing the European High Performance Computing Joint Undertaking; the successful abolition of roaming charges for EU citizens travelling within the EU, which has been effective since June 2017; and the coming into force of the (directly effective) Portability Regulation on 1 April 2018.168 However, the continued application of the Portability Regulation in the UK post-Brexit will require a reciprocal agreement with the EU. It remains to be seen how the UK government will deal with data roaming surcharges post-Brexit – it has published a note indicating that, in the absence of a deal with the EU, the government would legislate to retain the requirement on mobile operators to apply a financial limit on mobile data usage while abroad.169 The government has also published a note on the impact on telecoms businesses in the event there is no Brexit deal. The government states that if the European Electronic Communications Code is adopted prior to exit day, but with a deadline for transposition into national law post-Brexit, the government would 'be minded to implement, where appropriate, its substantive provisions in UK law'.170


Recent years have seen privacy debates continued both inside and outside the courtroom, highlighting the ever-evolving regulatory landscape and the ongoing legal controversies about the scope and extent of a citizen's right to privacy. The implementation of the GDPR has been a milestone in the area of data protection law, and companies continue to take steps to adjust their policies as the ICO's and EU regulators' approach to, and appetite for, enforcement become clearer. A close eye should also be kept on the developments of the Draft ePrivacy Regulation as it continues through the legislative process.

Following its fast-tracked introduction in 2014, the DRIPA legislation was declared incompatible with EU law on the basis that its data retention provisions violated the right of respect for private life and the protection of personal data, and its replacement, the IPA, will have to be amended in light of the UK High Court's findings in R (Liberty).

An EU–US Privacy Shield is now in place to provide a legal basis for transfers of personal data to the US from the EU (replacing the Safe Harbor framework), but it is still the subject of further claims by privacy campaigners that it remains insufficient. Furthermore, standard contractual clauses are also being challenged in the courts.

With regard to the media and entertainment industry in the UK, the rise in popularity of SVoD services has led to announcements most notably from Apple and Disney with intentions to launch their own streaming services to rival established players such as Netflix and Amazon. Apple TV+ is set to launch later in the year and Disney+ is set to launch in early 2020. These launches seem set to further alter the film and TV landscape in the UK.

Brexit will undoubtedly continue to have an influence on the policy and regulatory landscape in the UK and the EU27. The extent and nature of this will become clearer as more specific details emerge from the UK's Brexit negotiations with the EU27.


1 John D Colahan, Gail Crawford and Lisbeth Savill are partners at Latham & Watkins LLP. The authors would like to acknowledge the kind assistance of their colleagues Rachael Astin, Alexandra Luchian, Amy Smyth, Anna Rainsford and Abigail Jacobs in the preparation of this chapter.

4 Directive (EU) 2016/1148.

5 See Ofcom statement, Renewal of the co-regulatory arrangements for broadcast advertising, 4 November 2014, available at https://www.asa.org.uk/news/renewal-of-co-regulatory-arrangement-for-broadcast-advertising.html.

6 Section 3(1) of the Act.

7 Ofcom has concurrent powers to apply competition law along with the primary UK competition law authority, the Competition and Markets Authority (CMA). Enhanced concurrency arrangements came into effect on 1 April 2014 with the objective of increasing the enforcement of competition law in the regulated sectors by strengthening cooperation between the CMA and sector regulators, including Ofcom, referred to as concurrency. The most recent Annual Report on concurrency was published by the CMA on 10 April 2019, available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/811431/ACR_PV2406.pdf.

9 KCOM is the designated provider for Hull area only; BT is the designated provider for the rest of the UK.

10 Regulation (EC) No. 1211/2009 of the European Parliament and of the Council of 25 November 2009 establishing BEREC and the Office.

11 Directive 2018/1972 establishing the European Electronic Communications Code.

12 Directive 95/46/EC.

20 Public interest test on the proposed acquisition of Sky plc by Twenty-First Century Fox, Inc, available at www.ofcom.org.uk/consultations-and-statements/category-3/public-interest-test-sky-fox.

21 The CMA's provisional findings and final report are available at https://www.gov.uk/cma-cases/twenty-first-century-fox-sky-merger-european-intervention-notice.

24 Note, however, that changes in control of certain radio communications and TV and radio broadcast licences arising as a result of mergers and acquisitions may in certain circumstances require the consent of Ofcom.

25 The CMA and Ofcom have signed a memorandum of understanding in respect of their concurrent competition powers in the electronic communications, broadcasting and postal sectors. This is available at www.gov.uk/government/uploads/system/uploads/attachment_data/file/502645/Ofcom_MoU.pdf.

26 Lebedev Holdings Limited and Another v. Secretary of State for Digital, Culture, Media and Sport [2019] CAT 21, judgment available at https://www.catribunal.org.uk/sites/default/files/2019-08/1328_Lebedev_Judgment_160819.pdf.

27 There is also the power to take appropriate measures nationally to protect the plurality of the media under Article 21(4) of the EU Merger Regulations (Regulation 139/2004/EC).

29 The CMA's guidance to the changes is available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/715167/guidance_on_changes_to_the_jurisdictional_thresholds_for_uk_merger_control.pdf. A recent example where the Secretary of State decided to intervene under the new rules on the basis that the interests of national security (one of the specified public interest considerations) are relevant is the proposed acquisition of Inmarsat plc by Connect Bidco Ltd (CMA case page available at: https://www.gov.uk/cma-cases/connect-bidco-inmarsat-merger-inquiry?utm_source=65f2270a-d8f3-472d-ae23-ed623f071cd0&utm_medium=email&utm_campaign=govuk-notifications&utm_content=immediate).

48 Review of the wholesale broadband access markets, Ofcom, 3 December 2010. Available at http://stakeholders.ofcom.org.uk/binaries/consultations/wba/statement/wbastatement.pdf.

49 Business Connectivity Market Review: Leased lines charge controls and dark fibre pricing. Available at http://stakeholders.ofcom.org.uk/binaries/consultations/llcc-dark-fibre/summary/llcc-dark-fibre.pdf.

53 Directive 2000/31/EC.

54 Directive 2002/58/EC.

55 Directive 2009/136/EC.

57 In Patrick Breyer v. Bundesrepublik Deutschland (C-582/14), the CJEU ruled in October 2016 that where a website operator holds IP addresses and has 'the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person', then these will be classified as personal data.

65 General Data Protection Regulation: Recitals 26, 30 and 32.

66 General Data Protection Regulation: Article 7(3).

72 General Data Protection Regulation: Articles 33 and 34.

73 General Data Protection Regulation: Article 83(4)(a).

76 Digital Rights Ireland and Seitlinger and Others, joined cases C-293/12 and 594/12, 8 April 2014.

77 Directive 2006/24/EC.

78 Judgment in joined cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others.

79 Data Retention and Investigatory Powers Act 2014.

80 R (Davis & Watson) v. Secretary of State for Home Department [2015] EWHC 2092.

81 Secretary of State for the Home Department v. Watson [2018] EWCA Civ 70.

82 ibid.

83 R (on the application of National Council for Civil Liberties (Liberty)) v. Secretary of State for Home Department [2018] EWHC 975.

84 ECHR 299 (2018).

85 The Court heard three cases simultaneously: (1) Big Brother Watch and Others v. United Kingdom (Case No. 58170/13); (2) 10 Human Rights Organisations and Others v. United Kingdom (Case No. 24960/15); and (3) Bureau of Investigative Journalism and Alice Ross v. United Kingdom (Case No. 62322/14).

87 General Data Protection Regulation: Recitals 38 and 75.

88 General Data Protection Regulation: Article 8.

89 General Data Protection Regulation: Article 17.

96 Directive 2002/21/EC.

97 Directive 2002/20/EC.

101 See Award of the 700MHz and 3.6–3.8GHz spectrum bands consultation, 18 December 2018, https://www.ofcom.org.uk/consultations-and-statements/category-1/award-700mhz-3.6-3.8ghz-spectrum.

102 Laying the foundations for next generation mobile services, update on bands above 6GHz, Ofcom, 20 April 2015. Available at http://stakeholders.ofcom.org.uk/binaries/consultations/above-6ghz/5G_CFI_Update_and_Next_Steps.pdf.

108 ibid.

122 The country of origin principle is found in two places: The AVMSD (Directive 2010/13/EU) is based on the country of origin principle, whereby service providers are subject to the regulations in their country of origin only and are not subject to regulation in the destination country, except in limited circumstances (Article 2(1)). Under the Satellite and Cable Directive (Directive 98/83/EEC), this principle effectively allows broadcasters to clear rights for satellite broadcasting in one Member State and allows them to then make their satellite transmissions available in other Member States.

123 Article 3(1) of AVMSD.

124 Recital 54 of AVMSD.

125 Excluding Belgium, Denmark, Greece, Ireland, Luxembourg, the Netherlands and Sweden.

127 Article 4 of Council of Europe Convention on Transfrontier Television.

128 See Article 1(1)(n) of AVMSD.

136 Proposal for a Regulation of the European Parliament and of the Council on the cross-border exchange between the Union and third countries of accessible format copies of certain works and other subject matter protected by copyright and related rights for the benefit of persons who are blind, visually impaired or otherwise print disabled – COM (2016) 595, 14 September 2016; and Proposal for a Directive of the European Parliament and of the Council on certain permitted uses of works and other subject-matter protected by copyright and related rights for the benefit of persons who are blind, visually impaired or otherwise print disabled and amending Directive 2001/29/EC on the harmonisation of certain aspects of copyright and related rights in the information society – COM (2016) 596, 14 September 2016; available at https://ec.europa.eu/digital-single-market/en/modernisation-eu-copyright-rules.

144 Commission press release available at https://europa.eu/rapid/press-release_IP-19-1590_en.htm.

149 Ofcom PSB tracker 2018, satisfaction of regular or occasional viewers with PSB channels.

153 For further information, see: https://www.bbcstudios.com/about/about-us/.