The Office of Communications (Ofcom) and the Communications Act 2003 (Act) regulate the UK communications landscape. Ofcom's current priorities are set out in its 2018–19 Annual Plan.2 They include completing the integration of Ofcom's new responsibilities for regulating the BBC, such as publishing its first Annual Report on the BBC and preparing for future awards of spectrum for new 5G services. European Commission (Commission) Digital Single Market (DSM) proposals promise to make significant changes to the UK communications landscape, if adopted in their current form and subject to longer-term changes to national legislation as a result of Brexit.

European law and standards currently govern the UK data protection framework and impose compliance obligations on organisations that process personal data. These rules apply broadly to, inter alia, the collection, use, storage and disclosure of personal data. In general, personal data is defined as information relating to an identified or identifiable natural person who can be identified directly or indirectly from that data (e.g., names, contact information, or sensitive personal data such as health data).

These laws and regulations have undergone substantial change as a result of the General Data Protection Regulation (GDPR), which came into force on 25 May 2018 across Europe, and the UK government's implementing legislation – the Data Protection Act 2018 (DPA) – which came into force on 23 May 2018. The legal landscape in this sector has also been impacted by the Network and Information Security Directive (NISD)3 (adopted by the European Parliament in July 2016 and implemented in the UK by the Network and Information Systems Regulations 2018 (NIS Regulation), effective as of 10 May 2018), which is the first EU-wide legislation on cybersecurity. The GDPR and NISD introduce significant fines based on a percentage of global turnover, similar to the regime imposed for antitrust violations. The government has committed to achieve equivalent standards for data protection in the UK post-Brexit. However, at the time of writing it is unclear exactly what type of arrangement the EU and UK will reach regarding the UK's data protection regime in the post-Brexit period.


i The regulators and key legislation

Ofcom is the independent communications regulator in the UK. The Department for Culture, Media and Sport (DCMS) remains responsible for certain high-level policy, but most key policy initiatives are constructed and pursued by Ofcom. Ofcom has largely delegated its duties in respect of advertising regulation to the Advertising Standards Authority (ASA). The Committee of Advertising Practice is responsible for writing and updating the Non-broadcast Code and the Broadcast Committee of Advertising Practice is responsible for the Broadcast Code. On 1 November 2014, Ofcom renewed its 10-year contract with the ASA for broadcast advertising regulation until 2024.4

Ofcom's principal statutory duty (pursuant to the Act) is to further the interests of citizens in relation to communications matters and to further the interests of consumers in relevant markets, where appropriate by promoting competition.5 This is enshrined in Ofcom's three main objectives: 'to promote competition and ensure that markets work effectively for consumers;6 to secure standards and improve quality; and to protect consumers from harm'.7

Ofcom's priorities and major work areas for 2018 and 2019 are set out below:8

  1. to promote competition and ensure that markets work effectively for consumers by:
    • supporting investment in full-fibre network infrastructure;
    • monitoring and reporting progress on arrangements for the legal separation of Openreach from BT;
    • preparing for upcoming market reviews;
    • helping consumers and small and medium-sized enterprise (SME) businesses to engage with communications providers;
    • preparing for future awards of spectrum bands; and
    • conducting a competition assessment on the BBC's proposals to launch a new BBC Scotland TV service;
  2. secure standards and improve quality by:
    • consulting on implementation of the broad USO as provided for in secondary legislation;
    • improving mobile coverage, including consulting on proposals for new 700MHz spectrum licence obligations and requiring operators to deliver improvements in rural areas;
    • publishing Ofcom's first Annual Report on the BBC;
    • reviewing guidance to public service broadcasters (PSBs) for production outside London;
    • conducting a review of children's content;
    • promoting diversity and equality of opportunity in broadcasting: Ofcom will publish its second Annual Report on the UK TV industry and its first report on the UK radio industry; and
    • reviewing the Electronic Programme Guide (EPG) Code and PSB prominence within EPGs;
  3. protect consumers from harm by:
      • reviewing the cost of calling directory enquiry services;
      • identifying and addressing issues raised by migration to VoIP; and
      • ensuring network operators design and operate networks in line with Ofcom's guidance and good security and resilience practice.

    Ofcom's specific statutory duties fall into five main areas:

    1. ensuring the optimal use of the radio spectrum;
    2. ensuring that a wide range of ECSs – including high-speed data services – are available throughout the UK;
    3. ensuring plurality in the provision of broadcasting and a wide range of TV and radio services of high quality and broad appeal;
    4. securing the USO on postal services within the jurisdiction; and
    5. applying adequate protection for audiences against offensive or harmful material, and unfairness or the infringement of privacy.

    On 25 February 2016, Ofcom published the initial conclusions of its overarching review of the UK's digital communications first announced on 11 March 2015.9 The review encompassed two discrete phases. Phase one focused on evidence-gathering and understanding experiences of digital communications. Ofcom started the first phase in July 2015 by publishing a discussion paper.10 The second phase resulted in initial conclusions focusing on six fundamental measures intended to facilitate the development of the UK communications market:

    1. universal availability of fixed and mobile services;
    2. a strategic shift to large-scale fibre deployment;
    3. a step change in the quality of service;
    4. significantly strengthening the independence of Openreach;
    5. empowering and protecting consumers; and
    6. simplifying and removing unnecessary regulation.

    The next steps set out in phase two were to implement the proposed measures through the usual mechanism of regular reviews of individual markets and likewise to implement specific dedicated projects. Specific dedicated projects that have been envisaged or undertaken include:

    1. Ofcom working with the government to introduce the new universal right to broadband. This culminated in the introduction of legislation for a broadband USO in March 2018, which came into force on 23 April 2018 and which Ofcom is responsible for implementing. The USO provides a legal right to request a broadband connection of at least 10Mbps download speed (discussed further in Section III.ii);
    2. Ofcom continuing to provide accurate, comparable, accessible and increasingly granular coverage information, published in its annual Connected Nations reports;
    3. Ofcom using its power to require operators to improve mobile coverage, for example by including licence conditions on population and geographic coverage for new spectrum releases;
    4. Ofcom working with BT and industry to make BT's underground duct system more easily accessible to competitors. Ofcom implemented these changes through the Civil Infrastructure Directive and UK transposition legislation, which came into effect on 31 July 2016. Ofcom has also made specific proposals for improving access in its Wholesale Local Access Market Review. Ofcom will also use this Review to implement regulated access and pricing policies to support investment in access networks;
    5. Ofcom setting tough minimum standards for Openreach in the business market with rigorous enforcement and fines for underperformance. Ofcom fined Openreach £42 million in March 2017 for breaching contracts with telecoms providers;
    6. Ofcom published the first annual Report of Service Quality in 2017, and published a second Report in 2018;
    7. Ofcom extending minimum standards and introducing rules to incentivise Openreach to go beyond minimum standards and deliver better service. These rules were introduced in 2016, and have been consulted on throughout Ofcom's Wholesale Local Access Market Review, which took place from March 2017 until June 2017. The results of this Review were published on 28 March 2018, as modified, with new measures resulting from this taking effect in April 2018;
    8. Ofcom setting up a working group with the communications industry to coordinate better service quality;
    9. Ofcom consulting on the introduction of automatic compensation for consumers and small businesses. Upon conclusion of the consultation period, Ofcom published a statement in November 2017 that confirms that there is a need for such an automatic compensation scheme and sets out the manner in which it will be put into effect. The scheme will come into effect in January 2019, following a 15-month implementation period;
    10. Ofcom developed detailed proposals on Openreach independence and discussed these proposals with the Commission in 2016. In response to Ofcom's competition concerns, BT agreed in 2017 to Ofcom's requirements to make Openreach a distinct company with its own staff, management and strategy, and a legal purpose to serve all of its customers equally. Ofcom published its first progress report on the legal separation of Openreach from BT in June 2018;
    11. Ofcom consulted on mobile switching in the first half of 2016, and completed a qualitative research piece on switching triple-play services (phone line, TV, broadband), in July 2016. Following a consultation in 2017, Ofcom published a statement in December 2017 that the process of switching of mobile communications services requires reform. Service providers will be required to implement the reforms detailed in Ofcom's statement by no later than 1 July 2019; and
    12. Ofcom consulted on proposals to streamline and update the General Conditions throughout 2016 and 2017, and set out its conclusions in statements published in September 2017, March 2018 and July 2018. All of the revised conditions came into force on 1 October 2018. Ofcom will also consider the scope for deregulation in one out of every four market reviews.
    13. Ofcom working with industry and third parties (e.g., price comparison sites) to improve the level of information available to consumers, and exploring a requirement for providers to publish a standard cost comparison measure alongside their tariffs;

    In terms of other regulators, the Body of European Regulators for Electronic Communications (BEREC), formed after the adoption of Regulation (EC) 1211/2009,11 is now playing an increasingly significant role at a European level. BEREC replaced the European Regulators Group, and acts as an exclusive forum and vehicle for cooperation between NRAs and between NRAs and the Commission.

    The prevailing regulatory regime in the UK is contained primarily in the Act, which entered into force on 25 July 2003. Broadcasting is regulated under a separate part of the Act in conjunction with the Broadcasting Acts of 1990 and 1996. Other domestic legislation also affects this area, including:

    1. the Wireless Telegraphy Act 2006;
    2. the Digital Economy Act 2010;
    3. the GDPR and the Data Protection Act 2018;
    4. the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011);
    5. European Regulation 2017/003 (e-Privacy Regulation), once it takes effect;
    6. the NISD and the NIS Regulation;
    7. the Freedom of Information Act 2000;
    8. the Regulation of Investigatory Powers Act 2000;
    9. the Investigatory Powers Act 2016;
    10. the Enterprise Act 2002;
    11. the Copyright, Designs and Patents Act 1988;
    12. the Digital Economy Act 2017 (DEA) (although some sections of the DEA are in force, the remainder are subject to staggered commencement dates); and
    13. the Competition Act 1998.

    The European data protection regime has undergone wholesale reform with the introduction of the GDPR, which became applicable on 25 May 2018, and the UK implementing legislation, the Data Protection Act 2018, which came into effect on 23 May 2018. This legislation replaces the previous Data Protection Directive12 and the corresponding UK implementing legislation, the Data Protection Act 1998, and introduces more stringent standards and an enhanced enforcement regime.

    In July 2013, the DCMS published a policy paper titled 'Connectivity, content and consumers – Britain's digital platform for growth' (Strategy Paper).13 In line with the government's view that a large-scale overhaul of the existing legislation was unnecessary, the Strategy Paper focused on specific and incremental legislative changes to a number of areas, including the following:

    1. a consumer rights bill introducing a new category of digital content in consumer law, together with a set of statutory rights for the quality standards that this content should meet and the remedies available to consumers when digital content does not meet these standards;
    2. changes to improve spectrum management and amendments to the Wireless Telegraphy Act 2006; and
    3. amending the Electronic Communications Code (ECC) to make it easier for communications companies to use land for broadband infrastructure.

    Following on from the above, the Consumer Rights Act 2015 introduced rights in respect of the quality of digital content and digital services. The Act received royal assent on 26 March 2015 and came into force in stages; it is now fully in force. The main provisions of the Act, including those relating to goods, services and digital content, came into force on 1 October 2015.

    In April 2018, the government announced in the Modernising Consumer Markets Green Paper14 that it would review the regulatory model for providing various consumer-facing services, including utilities, telecoms and financial services, with a particular focus on ensuring that consumers benefit from new technology while ensuring that personal data is protected. It simultaneously launched a call for evidence on the review of competition law. The consultation closed on 4 July 2018. The government has since appointed an expert panel to examine competition in the data economy and explore what steps the government can take to ensure that new technology markets support healthy competition. The panel will run from September 2018 to early 2019 and will culminate in a final report of recommendations to the government, which will inform the development of the UK's Data Strategy.

    The DCMS issued its spectrum management strategy in March 2014, recognising the need for, among other things:

    1. a uniform system for the valuation of spectrum to set licence fees;
    2. the government to work with Ofcom to encourage efficient use of spectrum, in particular in the release of spectrum, transfer of spectrum and assignment of spectrum to new users;
    3. encouragement of innovation; and
    4. a strategy to address increased demands on spectrum that will evolve from the growth of the IoT, M2M communication and 5G.

    The DCMS's strategy was followed in April 2014 by Ofcom's spectrum management strategy, discussed in more detail below.

    In August 2014, the DCMS issued a consultation paper15 seeking input on the goals and policies set out in a July 2013 report entitled 'Connectivity, content and consumers – Britain's digital platform for growth', which was explored further within a framework published in February 2014. The results of this consultation were used to develop the government's digital communications infrastructure strategy, which was published on 18 March 2015.16 For the past few years, the government has made commitments in relation to broadband infrastructure, in particular superfast broadband, connectivity in rural areas and the delivery of mobile broadband connectivity. One step towards this objective came in the form of the DEA, which received royal assent in April 2017. This provided the statutory basis for the development of the new broadband USO (discussed above).

    The DEA, among other things, reformed the ECC by introducing a range of measures to make it easier for network operators to deploy infrastructure (phone masts, exchanges, etc.) on public and private land. Ofcom was obliged to publish a new Code of Practice to accompany the proposed changes, to create a number of templates to be used by Code operators and landowners or occupiers, and to create standard terms that may be used by Code operators and landowners or occupiers when negotiating agreements to confer Code rights. Ofcom published final versions of these documents on 15 December 2017.17

    ii Regulated activities

    Ofcom oversees and administers the licensing for a range of activities, including, broadly speaking, mobile telecommunications and wireless broadband, broadcast TV and radio, postal services, and the use of radio spectrum.

    The Act replaced the system of individual licences with a general authorisation regime for the provision of ECNs and ECSs. Operators of ECNs and ECSs must comply with the general conditions of entitlement as specified in the Act. As well as the general conditions, individual ECN and ECS operators may also be subject to further conditions specifically addressed to them. These fall into four main categories: universal service conditions, access-related conditions, privileged supplier conditions, and conditions imposed as a result of a finding of significant market power (SMP) of an ECN operator or an ECS provider in a relevant economic market.

    Use of radio spectrum requires a licence from Ofcom under the Wireless Telegraphy Act 2006 (subject to certain exemptions).

    Television and radio broadcasting requires a licence from Ofcom under the Broadcasting Act 1990 or 1996. Providers of on-demand programme services have to notify Ofcom of their services in advance.

    iii Ownership and market access restrictions

    No foreign ownership restrictions apply to authorisations to provide telecommunications services, although the Act directs that the Secretary of State for Culture, Media and Sport (Secretary of State) may require Ofcom to suspend or restrict any provider's entitlement in the interests of national security.

    In the context of media regulation, although the Act and the Broadcasting Acts impose restrictions on the persons that may own or control broadcast licences, there are no longer any rules that prohibit those not established or resident in the EEA from holding broadcast licences. At the end of 2011, Ofcom was asked by the Secretary of State to report on measuring media plurality in light of the proposed acquisition of British Sky Broadcasting Group Plc by News Corporation. In 2012, Ofcom submitted two reports to the Secretary of State advising on approaches to measure media plurality. Ofcom gave evidence and provided advice to the Leveson Inquiry, including advice on models of media regulation. In February 2014, the House of Lords Select Committee on Communications produced a report into media plurality, including advice on the scope and flexibility of any assessment of media plurality.18 The report included a recommendation that Ofcom should conduct a review of media plurality every four or five years, that there be a higher threshold for intervention and that there be a reform of the system for reviewing mergers in the media sector. The DCMS produced a Media Ownership and Plurality Consultation Report on 6 August 2014 setting out a framework to assess media plurality and commissioning Ofcom to develop a suitable set of indicators.19 Following on from this, Ofcom published a consultation proposing a framework for media plurality on 11 March 2015.20 The proposed framework built on the advice Ofcom gave to the Secretary of State in 2012, but there have been no updates since then from either the DCMS or Ofcom.

    In March 2017, the Secretary of State intervened in connection with media plurality when it asked Ofcom to review the anticipated acquisition by Twenty-First Century Fox, Inc (21st Century Fox) of 100 per cent of the shares in Sky plc (Sky), a British pay-TV operator. The Secretary of State's stated potential concerns were twofold: whether there would be sufficient plurality of persons with control of the media enterprises and whether the parties would have genuine commitment to the attainment of standard objectives in relation to broadcasting. Ofcom published its report in June 2017 and found that the anticipated transaction raised potential public interest concerns relating to media plurality due to a risk of increased influence by members of the Murdoch Family Trust over the UK news agenda and political process, with its unique presence on radio, television, in print and online.21 Ofcom recommended a reference by the Secretary of State to the CMA.

    In January 2018, the CMA provisionally found that 21st Century Fox's anticipated acquisition was not in the public interest due to media plurality concerns, but not due to a lack of commitment to meeting broadcasting standards. The CMA sent its final report to the DCMS in May 2018, following which the Secretary of State accepted the CMA's recommendation that the anticipated acquisition was not in the public interest due to media plurality concerns and that the most effective and proportionate remedy would be for the Sky News channel to be divested to a suitable third party.22 21st Century Fox then agreed to divest Sky News to the Walt Disney Company,23 a move the newly appointed UK Culture Secretary Jeremy Wright said 'could potentially remedy the public interest concerns identified'.24 However, Comcast has since outbid Disney for a majority interest in Sky.

    iv Transfers of control and assignments

    For transactions that do not fall within EU merger control jurisdiction, the UK operates a merger regime in which the parties to a transaction can choose whether to notify a transaction prior to closing. The UK CMA monitors transactions prior to closing and has the power to intervene in un-notified transactions prior to closing or up to four months from the closing of a transaction being publicised. Where the CMA intervenes in a closed transaction it is policy to impose a hold-separate order.25

    The administrative body currently responsible for UK merger control is the CMA. The CMA consults Ofcom when considering transactions in the broadcast, telecommunications and newspaper publishing markets.26

    The Secretary of State also retains powers under the Enterprise Act 2002 to intervene in certain merger cases, which include those that involve public interest considerations. In the context of media mergers, such considerations include the need to ensure sufficient plurality of persons with control of media enterprises serving UK audiences; the need for the availability throughout the UK of high-quality broadcasting calculated to appeal to a broad variety of tastes and interests; and the need for accurate presentation of news, plurality of views and free expression in newspaper mergers. In such cases, the Secretary of State may require Ofcom to report on a merger's potential impact on the public interest as it relates to ensuring the sufficiency of plurality of persons with control of media enterprises (as was the case, for example, in relation to the recent attempted acquisition of Sky by 21st Century Fox discussed in Section II.iii). Ofcom is also under a duty to satisfy itself as to whether a proposed acquirer of a licence holder would be fit and proper to hold a broadcasting licence pursuant to Section 3(3) of each of the 1990 and 1996 Broadcasting Acts.27

    Following the 2017 National Security and Infrastructure Investment Review Green Paper,28 amendments to the UK's merger control regime for transactions in the defence and technology sectors came into force on 11 June 2018. The aim of the amendments is to provide greater powers for the Secretary of State to intervene in transactions on public interest grounds. Among other changes, under the new rules, the target turnover threshold has been lowered from £70 million to £1 million for transactions between parties operating in either the design and maintenance of aspects of computing hardware or the development of quantum technology.29

    v DSM: e-commerce, online platforms, geo-blocking and telecoms


    On 6 May 2015, the Commission published a Communication on a DSM Strategy for Europe. This Strategy aims to make the EU's single market fit for the digital age through three pillars: better online access for consumers and businesses across Europe; creating the right conditions and a level playing field for advanced digital networks and innovative services; and maximising the growth potential of the digital economy. The Strategy includes legislative proposals in a range of areas with a view to make cross-border e-commerce easier, end unjustified geo-blocking, reform the copyright regime and reduce burdens due to different VAT regimes.

    The UK government published a response to the Commission's initial 2015 DSM proposals in January 2016,30 and the Commission's legislative proposals will be discussed by the European Parliament and the Council (to the extent they have not already been agreed). In certain areas, it is not expected that the Commission's proposals will become binding on Member States for several years. However, in other areas, the proposals are well progressed. For instance, the new regulation on cross-border portability of online content services has applied across the EU since 1 April 2018 and allows consumers to access their online content services while travelling within the EU (discussed further in Section V.ii). This can be seen as complementary to the new data roaming rules of June 2017, which enable consumers to use their domestic mobile data allowance and rates when roaming in other Member States.

    In May 2017 the Commission published its mid-term review on the implementation of the DSM, which identifies three main areas where further EU action is needed: the development of the European data economy to its full potential; the protection of Europe's assets by tackling cybersecurity challenges; and the promotion of online platforms as responsible players in a fair internet ecosystem.31 The mid-term review also clearly emphasises the necessity to rapidly adopt the proposals for the Electronic Communications Code. As a direct response to the challenges identified in the mid-term review, the Commission announced in April 2018 that revisions are being made to Directive 2003/98/EC, which governs the use of public sector information. The aim is to tap into the huge resource of data that is currently held in the public sector, thought to be worth approximately €52 billion, and reuse it to help address a range of different societal problems such as healthcare, public transport and even artificial intelligence.32


    On 10 May 2017, the Commission published a report on the e-commerce sector enquiry. One of the main points the Commission raised was that, with the growth of e-commerce, business practices have emerged that may raise competition concerns, such as pricing restrictions and online marketplace (platform) bans. The Commission noted that it is important to avoid diverging interpretations of the EU competition rules in e-commerce markets, which may in turn create obstacles for companies to the detriment of a DSM. One significant development has been the abolition of retail roaming charges throughout the EU, effective from 15 June 2017, as part of the ongoing focus on promoting cross-border e-commerce.

    Online platforms

    The Commission has emphasised the role of online platforms, with one million businesses already selling goods and services via online platforms and more than 50 per cent of SMEs that operate through online marketplaces selling cross-border.33 In May 2016, it published a communication that proposed ways to foster development of such platforms and identified two specific issues for further investigation: safeguarding a fair and innovation-friendly business environment; and ensuring that illegal content online is timely and effectively removed, with proper checks and balances, from online platforms.34 In its mid-term review, the Commission identified online platforms as one of three emerging challenges, and proposed the implementation of actions to tackle these challenges.35 The result, announced by the Commission on 26 April 2018, is a proposed suite of new standards on transparency and fairness in relation to online platforms. Small businesses using online platforms had raised concerns surrounding unfair trading practices of online platforms as intermediaries of business–customer relationships (such as a business' position in search results); therefore, the aim of these rules is to create a fair, transparent and predictable business environment for smaller businesses when using online platforms. The proposed rules include measures seeking to increase transparency, resolve disputes more effectively and establish an EU Observatory to monitor the impact of the new rules.36


    On 27 February 2018, the EU adopted the Geo-blocking Regulation, which will apply from 3 December 2018. The Regulation prohibits unjustified geo-blocking, and other forms of discrimination, based on customers' nationality, place of residence or place of establishment. The Regulation tackles the concern that geo-blocking potentially limits online shopping and cross-border trade, and leads to undesirable geographical market segmentation. Importantly, electronically supplied services offering copyright-protected content are excluded from the Regulation: territorial exclusivity is essential for the creative industries to monetise and exploit their content, and the Commission argues that facilitating access to audiovisual services across borders is part of other initiatives under the DSM Strategy.37 For this reason, the Regulation does not affect online television, films, streamed sports, music, e-books or games. However, the Commission will evaluate the Regulation's impact two years after its entry into force to assess the possibility of an extension of the new rules to online services related to non-audiovisual copyright-protected content.


    On 14 September 2016, the Commission announced its proposals for telecoms regulation reform and plans to modernise and improve connectivity across the EU (a proposal to modernise the EU's copyright rules was also announced: see Section V.iii). The telecoms and connectivity proposals included:

    1. recasting the Framework, Authorisation, Access and Universal Services Directives as one directive, the European Electronic Communications Code (Code);
    2. upgrading BEREC to a fully fledged EU agency;
    3. a 5G Action Plan for the development and deployment of 5G networks in Europe; and
    4. a WiFi4EU initiative to aid European villages and cities roll out free public Wi-Fi.

    Generally, the proposed Code aims to address and harmonise spectrum policy and regulation, including spectrum auction timing, across the single market in part to stimulate competition and investment in 5G networks. It also tries to address new technologies and services that are not clearly contemplated by current legislation. In the UK, the rules and timelines for the spectrum auctions were announced by Ofcom in July 2017 and the auctions were expected to begin in October 2017. BT and Three commenced judicial review proceedings challenging, inter alia, the legality of the spectrum cap proposed by Ofcom as part of the spectrum auction. This challenge was unsuccessful, however, and the auctions took place. The results of the principal bidding stage were announced on 5 April 2018.38

    OTT services would be classified a sub-class of ECS and subject to regulations concerning security (including security audits) and interconnectivity (among end users and to emergency services). Other amendments regarding number allocation have been made to address potential competition issues with the expected advent of the IoT and M2M communication: national regulators would be allowed (but not required) to assign numbers to undertakings other than providers of ECNs and services. The Code also proposes to sweep away universal service access requirements to legacy technologies (e.g., public payphones) and replace them with a requirement to ensure end users have access to affordable, functional internet and voice communication services, as defined by reference to a dynamic basket of basic online services delivered via broadband. In addition, the Code contains additional consumer protections via proposed regulations requiring telecoms providers to provide contract summaries and improved comparison tools.

    It is also proposed that the regulatory role of BEREC be enhanced with a view to improving regulatory consistency across the single market. For example, it is proposed that decisions on spectrum assignment be subject to a peer review process whereby BEREC would issue an opinion on whether a decision should be amended or withdrawn to ensure consistent spectrum assignment. BEREC would also issue an opinion on any remedy proposed by an NRA in relation to maintaining the Code's objectives. These opinions are proposed to be persuasive rather than binding, but the Code requires that NRAs and the Commission (as relevant) take BEREC opinions into account. BEREC would also be granted legally binding powers, including a double-lock system in relation to any draft remedy proposed by an NRA (i.e., where BEREC and the Commission agree on a position regarding such draft remedy, the NRA could be required by the Commission to amend or withdraw the draft measure).

    In terms of policy proposals, the 5G Action Plan proposes to bring uninterrupted 5G coverage to all major European urban areas and transportation corridors by 2025, with several interim deadlines relating to, inter alia, spectrum assignment and development of global 5G standards (2019). In December 2017, Urve Palo, Minister of Entrepreneurship and Information Technology, set out the deployment road map and detailed commitments, for example to transpose the Code into national law by mid-2020. The specifics of the 5G Action Plan, such as the development of 5G standards, are still evolving. There is limited guidance on funding for the 5G Action Plan, although the Code itself has stimulated to an extent such investment, and the Commission has launched the European Broadband Fund (combining private and public investments) to support network deployment throughout the EU. The Commission has also committed to exploring a proposal by a telecoms industry group to provide a venture-financing facility (jointly funded by public and private sources) for start-ups developing 5G technologies and applications.

    The WiFi4EU initiative intends to assist local authorities to offer free Wi-Fi connections in parks, libraries and other public spaces by providing local authorities with small grants of up to €60,000 (from a total initial budget of €120 million) for equipment and installation costs. In May 2017, the European Parliament, Council and Commission reached a political agreement on the initiative and its funding, and as of May 2018, local communities have been able to apply for WiFi4EU vouchers to set up free public Wi-Fi networks. It is intended that this will develop into a more harmonised telecoms regulatory regime, with an advanced 5G network that could be in place by 2025.


    i Internet and internet protocol regulation

    As previously noted, the Act is technology-neutral, and as such there is no specific regulatory regime for internet services. ISPs are also ECNs or ECSs depending on whether they operate their own transmission systems, and are entitled to provide services under the Act in compliance with the general conditions and, where applicable, specific conditions.

    VoIP and VoB are specifically subject to a number of general authorisation conditions under the Act, such as those related to emergency call numbers.

    In the context of the net neutrality debate, the Revised EU Framework adopted a range of internet traffic management provisions allowing NRAs such as Ofcom to adopt measures to ensure minimum quality levels for network transmission services, and to require ECN and ECS operators to provide information about the presence of any traffic-shaping processes operated by ISPs. These provisions were implemented into UK law.

    Prior to the Regulation on Open Internet Access coming into force in 2016, the Broadband Stakeholders' Group published a voluntary industry code of practice on traffic management transparency in March 2011. In July 2012, major ISPs published the Open Internet Code of Practice, which commits ISPs to providing full and open internet access. The latest Open Internet Code was published on 8 June 2016. The Code preserves the concept of an open internet while clarifying the context in which some innovative services, which could become more prevalent as the IoT becomes a reality, could be provided alongside the open internet. The Code added three new commitments: ISPs promise open and full access to the net across their range of products; firms cannot market a subscription package as including internet access if certain kinds of legal content or services are barred; and members must not target and degrade content or applications offered by a specific rival.39 Notably, Everything Everywhere (EE) opted out of signing the Code.

    From April 2016, the Regulation on Open Internet Access40 put in place EU-wide rules for net neutrality, and granted end users rights to access and distribute information and content, use and provide applications and services, and use terminal equipment of their choice, irrespective of such end user's or provider's location (Article 3(1)). The aim is that users will have access to online content that is not subject to discrimination or interference. Likewise, companies may not pay for prioritisation, so access to an SME's website will not be unjustly slowed down to allow access for larger companies. The requirement that all internet traffic be treated equally is subject to exceptions to:

    1. comply with EU or national legislation related to the lawfulness of content or with criminal law;
    2. preserve the security and integrity of the network such as to combat viruses;
    3. minimise network congestion that is temporary or exceptional; and
    4. filter spam (i.e., to filter unsolicited communications and allow parents to set up parental filters).

    In terms of the latter, such measures need to be transparent, non-discriminatory and proportionate, and must not be maintained for longer than is necessary. Likewise, providers of internet access services must publish information on traffic-management measures in end user contracts, along with details on the privacy of end users and the protection of their personal data. Notably, NRAs are required to monitor and enforce the open internet rules, although it is for Member States to lay down rules on the penalties applicable for infringements of the net neutrality provisions. On 30 August 2016, BEREC published guidelines41 for NRAs on the implementation of net neutrality under the Regulation on Open Internet Access, in particular covering obligations to monitor closely and ensure compliance with the EU net neutrality rules to ensure equal treatment of traffic in the provision of internet access services and related end user rights.

    ii Universal service

    Universal service is provided under the Act by way of the Universal Service Order. The Order in the UK covers ECNs and ECSs and activities in connection with these services. Ofcom designated BT and KCOM as universal service providers in the geographical areas they cover; however, the designation of a single universal service provider and the design of an industry cost-sharing fund are among the factors that still need to be finalised.42

    Effective from April 2018, the Secretary of State published an order for a minimum affordable broadband connection to be available throughout the UK providing, inter alia, a download sync speed of at least 10Mbps and the capability to allow data usage of at least 100GB per month.43 This marks a major step forward in implementing a universal service in the UK.

    In September 2012, as part of a scheme to create super-connected cities, the government announced £144 million in investment across 10 of the UK's largest cities to help provide them with superfast broadband. However, following legal challenges by two of the UK's biggest networks, the government withdrew the state-aid application relating to the scheme. Consequently, public funds for the scheme had to be withdrawn in July 2013, before the DCMS diverted the allocated sums to a scheme that allowed SMEs to apply for vouchers to install faster internet connections in August 2013.44 As part of the government's 2014 autumn statement, this scheme was extended by 12 months to March 2016 with a further £40 million of funding. In January 2014, the DCMS announced a £10 million fund for a pilot programme to extend superfast broadband to hard-to-reach areas, and in February 2014, a further £12 million was allocated to provide superfast broadband to Wales. An August 2014 report from the DCMS confirmed that the rollout of superfast broadband to 95 per cent of UK homes and businesses was on track for completion by 2017. In a Parliament briefing paper published in March 2017, it was stated that this would be completed by December 2017. As part of the Commission's state aid clearance decision, the UK committed to undertake an ex post facto evaluation of the National Broadband Scheme. This was published by Oxera in March 2015.45 The Commission has approved an extension on materially the same terms, and the scheme will now be valid until December 2020. The government is committing further funds to 'put the UK at the forefront of the global technology revolution',46 investing £200 million to fund local projects with the aim of testing ways to accelerate the market for the delivery of new full-fibre broadband.

    In June 2015, Ofcom published a report setting out its assessment and recommendations on the provision and availability of communications services for SMEs in the UK.47 Ofcom found that the availability of superfast broadband to SMEs is significantly lower than to residential premises. In its annual review for 2017 to 2018, Ofcom noted that it was key to continue to help SMEs engage in the communications market, and in 2018 it identified a lack of ICT specialism within SMEs and adequate assistance from providers as contributing factors to this lack of engagement.48

    Access and interconnection are regulated in the UK by EU competition law and specific provisions in the Act aimed at increasing competition. The General Conditions require all providers of public ECNs to negotiate interconnection with other providers of public ECNs. Specific access conditions may also be imposed on operators with SMP. Although prices charged to end users are not regulated, Ofcom may regulate wholesale rates charged by certain operators to alternative operators for network access. This is the case, inter alia, for wholesale fixed termination rates, wholesale mobile call termination rates, wholesale broadband access rates, local loop unbundling and wholesale line rental services.

    Ofcom imposed specific conditions on BT and KCOM in certain areas where they enjoy SMP so as to allow alternative operators to compete in the retail broadband market.49 These include an obligation to provide general and non-discriminatory network access to BT and KCOM's wholesale broadband products to alternative operators on reasonable request; an obligation to maintain separate accounts between services to alternative operators and its own retail division as well as other related transparency obligations; and a charge control on BT to ensure that charges for its broadband wholesale products are based on the costs of provision. Network access obligations included virtual access to new fibre lines laid by BT (through its access service division, Openreach), allowing alternative operators to combine their own electronics with physical infrastructure rented from BT. Furthermore, in June 2015, Ofcom proposed a charge control on the wholesale prices BT charges for products using leased telecoms lines, which provide vital high-speed links for businesses and providers of superfast broadband and mobile services.50 In 2016, Ofcom also stated that Openreach must become more independent from BT, and proposed that Openreach become a distinct company with its own board and accountable executives. Likewise, in February 2016, Ofcom committed to making it easier for telecoms providers to invest in advanced, competing infrastructure by improving access to Openreach's network of telegraph poles and ducts, allowing competitors to connect their own fibre-optic cables directly to homes and businesses.51

    Ofcom's aim to promote the restructuring of BT and Openreach came to fruition in March 2017, when BT agreed that Openreach should become a distinct company with its own staff, management, strategy and legal purpose. This separation will likely take some time to be fully reflected in the market. Indeed, Ofcom noted in April 2018 that many SMEs still perceive BT as having specialist access to the Openreach network for installation and fault-finding, which deters switching between providers. However, significant progress has occurred already.

    iii Restrictions on the provision of service

    The Digital Economy Act 2010 (DEA 2010) includes provisions that were aimed at tackling online copyright infringement as a result of file sharing. It empowers the Secretary of State to impose obligations on ISPs to limit the internet access of subscribers who engage in online copyright infringement. Under the DEA 2010, Ofcom proposed a code of practice governing the initial obligations on ISPs. A second draft was published in June 2012. However, this version, and legislation on cost sharing in relation to the new obligations on ISPs, have not been finalised, and it is unclear whether they will ever come into force. Instead, the government has looked to industry to develop voluntary measures. In July 2014, the DCMS announced a scheme, Creative Content UK, spearheaded by ISPs and media industry leaders and supported by a government contribution of £3.5 million, to raise awareness of copyright infringement and warn internet users whose accounts are used to illegally access and share copyright material. The subscriber alert programme, which was initially known as the Voluntary Copyright Alert Programme, has now evolved to encompass the Get it Right from a Genuine Site campaign launched in January 2017. This involves copyright owners sending evidence of copyright infringement to ISPs, which will in turn issue letters of warning to their subscribers. Rather than being threatening, these letters are intended to be educational.52 A number of organisations such as Sky, BT, TalkTalk and Virgin Media have signed a memorandum of understanding that will underpin the Creative Content programme.

    On 28 March 2018, the government launched the Creative Industries Sector Deal, which includes various specific commitments of interest concerning the tackling of online infringement of copyright. More than £150 million will be jointly invested by the government and industry to assist the UK's cultural and creative businesses thrive in the digital age. As part of the deal, £2 million is being committed to extend the Get it Right from a Genuine Site campaign, and rights holders and intermediaries will hold discussions to consider codes of practice on social media and user uploaded platforms, digital advertising and online marketplaces to crack down on copyright infringement.53

    Among the provisions of the DEA is an increased maximum penalty for online copyright infringement of 10 years.

    The availability of defences for online intermediaries in respect of unlawful content is governed primarily at a European level by the E-Commerce Directive,54 as implemented into UK law by the Electronic Commerce (EC Directive) Regulations 2002 and applicable case law. The Directive sets out defences for intermediary information society service providers.

    iv Security

    Privacy and consumer protection overview

    In the UK, consumers' personal data is primarily protected by the GDPR and the Data Protection Act 2018; the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (ePrivacy UK Regulations), which implement the EU Directive on Privacy and Electronic Communication,55 as amended by the ePrivacy Directive;56 and the NISD and NIS Regulation. The GDPR has significantly changed the current UK – and broader European – data protection framework. In line with the Commission's DSM Strategy and the reforms being brought in by the GDPR, proposals for reform of the ePrivacy Directive are also currently under consideration. In 2017, the Commission proposed a draft ePrivacy Regulation (Draft ePrivacy Regulation), which is currently part way through the European legislative review process. The Draft ePrivacy Regulation is expected to come into force in 2020 at the earliest following a minimum transition period of one year.

    Data protection

    The GDPR imposes strict controls on the processing (including disclosure) of personal data, including:

    1. providing one or more listed conditions that must be met to ensure personal data is processed fairly, lawfully and in a transparent manner, such as that the individual has consented or that the processing is necessary for the purposes of fulfilling a contract;
    2. the requirement that data can generally only be processed for the purpose for which it was obtained, must be kept accurate and up to date and for no longer than is necessary, and must not be excessive;
    3. the requirement that data be kept secure (i.e., be protected against unlawful processing and accidental loss, destruction or damage);
    4. the restriction that data cannot be transferred to countries outside the EEA unless certain conditions are met, such as with the EU–US Privacy Shield (see 'Litigation and EU–US transfers of personal data' for more details), whereby personal data can be transferred to US entities that have undertaken a process of self-certification to determine that they meet an adequate standard of privacy protection and commit to seven privacy principles; and
    5. personal data must be processed in accordance with the rights of the data subject under the GDPR, including that individuals have a right to access the personal data held about them, and a right in certain circumstances to have inaccurate personal data rectified or destroyed, among various other rights.

    As noted above, the GDPR has significantly changed the current UK – and broader European – data protection framework. The key changes under the GDPR include:

    1. the implementation of the new rules as a regulation, rather than a directive, such that it is directly applicable in every Member State;
    2. the removal of the requirement to notify or register data processing activities with national regulators; however, controllers and processors will need to keep their own record of processing;
    3. the introduction of an extraterritorial effect, resulting in the regulation applying not only to organisations established within the EEA, but also to organisations established outside the EEA but offering goods or services to, or monitoring the behaviour of, individuals in the EEA (although it remains unclear how this will operate in practice);
    4. a tightening of the requirements for valid consent, with the effect that consent will only be deemed to be valid if it is freely given, specific, informed and unambiguous;
    5. a stricter approach to the export of data outside the EEA, resulting from the general standards of data protection being raised throughout the Regulation as a whole;
    6. the introduction of mandatory data breach notification requirements (including notification to both national regulators and, in certain circumstances, to data subjects affected by a breach). On the occurrence of a breach, organisations must now inform the UK Information Commissioner's Office (ICO) without undue delay and, where feasible, not later than 72 hours after becoming aware of a data breach;
    7. a right to data portability that will require the data controller to provide information to a data subject in a machine-readable format so that it may be transferred to another controller;
    8. maximum fines of the higher of up to €20 million or four per cent of an organisation's annual global turnover for breaches;
    9. certain categories of online identifiers such as internet cookies and IP addresses may be classified as personal data;57 and
    10. new definitions termed genetic data and biometric data, which include data relating to characteristics obtained during foetal development and data that allows the unique identification of a person to be confirmed through facial images or dactyloscopic data – now categorised as special categories of personal data (i.e., sensitive personal data).

    The GDPR permits certain derogations by Member States, and the DPA seeks to provide for these accordingly to accommodate various existing UK statutes. For instance:

    1. it includes exemptions for journalists, research organisations, financial services firms (for anti-money laundering purposes) and employers (to process special categories of personal data and criminal conviction data without consent to comply with employment law obligations);
    2. certain actions (with some exceptions for actions necessary for preventing crime, etc.) relating to data will be criminal offences (subject to a fine), for example obtaining, procuring, retaining or selling data against a controller's wishes (even where lawfully obtained); intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data (or knowingly processing such data); and altering records with the intent to prevent disclosure following a subject access request; and
    3. a parent's or guardian's consent will be required to process the personal data of a child who is under 13 years old (the GDPR permits Member States to set this age between 13 and 16 years old).

    Litigation and EU–US transfers of personal data

    There are several valid legal bases for the transfer of personal data from the EU to countries outside the EU, of which two are subject to ongoing litigation: the Privacy Shield (successor to the Safe Harbor) and standard contractual clauses (also known as model clauses).

    Under the historic Safe Harbor agreement, if a US recipient of personal data was self-certified under the US Safe Harbor regime, data transfers could be made to that recipient in the US, notwithstanding the general prohibition on transfer under the European data protection legislation in place at that time, because such a recipient was deemed to have adequate protection in place. The Safe Harbor regime was challenged in Schrems v. Data Protection Commissioner. This case was brought by privacy activist Max Schrems, who argued that the EU–US Safe Harbor agreement did not provide adequate security for EU citizens in light of the revelations exposed by Edward Snowden about PRISM and United States National Security Agency surveillance programmes. The CJEU invalidated the legal basis for the Safe Harbor Framework on 6 October 2015 with the immediate effect that the agreement was no longer considered to provide adequate protection under the eighth data protection principle.

    Following the decision in Schrems v. Data Protection Commissioner, the Commission and the US government entered into lengthy negotiations as to a new means of EU–US data transfers. The new EU–US Privacy Shield came into effect on 1 August 2016 following approvals by the Commission and EU Member States. Under the new Privacy Shield, US organisations commit to seven privacy principles to ensure that adequate protections are in place: the notice principle, the data integrity and purpose limitation principle, the choice principle, the security principle, the access principle, the recourse, enforcement and liability principle, and the accountability for onward transfer principle (Principles). To join the Privacy Shield, an organisation must publicly commit to and implement the Principles through a self-certification process, be subject to the authority of US law by the relevant enforcement authority and publicly disclose its privacy policy.58

    The most significant changes from the Safe Harbor framework to the Privacy Shield include the following:

    1. individuals affected by non-compliance with the Principles can seek redress (from the organisation itself, from an independent dispute resolution body and from the national DPA) and non-compliance can be enforced by various bodies (the Federal Trade Commission (FTC), a newly created privacy shield panel and judicial redress);
    2. there are tighter controls on transfers of personal data;
    3. annual joint reviews by the Commission, the FTC and the Department of Commerce on whether the Privacy Shield meets the adequacy finding that entitles companies to transfer personal data overseas legally; and
    4. written assurances by the US government that any access to personal data by public authorities will be subject to clear limitations, safeguards and oversight mechanisms.

    In April 2017, the European Parliament passed a non-legislative resolution stating that the Commission should review the Privacy Shield to ensure it does not undermine the EU Charter on Fundamental Rights and the GDPR. In September 2017, the first joint review of the Privacy Shield took place between the EU and US. In a report59 published following the review, the Commission concluded that the Privacy Shield continues to ensure an adequate level of protection for personal data, but that there is room for improvement. The report sets out a number of recommendations to the US authorities on how to improve the functioning of the Privacy Shield, including, for example, that the Department of Commerce should proactively search for and investigate false claims of participation in the Privacy Shield, conduct regular compliance checks and swiftly appoint a Privacy Shield Ombudsman, in addition to increasing its cooperation with the Commission on relevant legal developments in the US. The Article 29 Working Party (which has now been replaced by the European Data Protection Board) also issued a report60 on the joint review in November 2017 that highlighted commercial issues and issues relating to access by US public authorities to data transferred to the US under the Privacy Shield. The report demands that an action plan be set up immediately (or at latest at the second joint review), and threatens to bring claims regarding the Privacy Shield adequacy decision before EU national courts if the issues are not addressed by the time of the second joint review.

    In the wake of the revelation that Facebook had improperly shared the data of approximately 2.7 million European citizens with political consultancy Cambridge Analytica, despite the fact that both entities are signatories to the Privacy Shield, the European Parliament issued a resolution on 5 July 2018.61 The resolution notes the findings of both the Commission report and the Article 29 Working Party report, and takes the view that the current Privacy Shield arrangement does not provide an adequate level of protection. The resolution stated that, unless the US was fully compliant by 1 September 2018, the EU Commission should suspend the Privacy Shield until the US authorities comply with its terms. On 25 October 2018, the European Parliament issued a resolution in which it renewed its call to suspend the Privacy Shield.62 However, at the time of writing no further action has been taken, although we note that on 18 October 2018, senior officials from the Commission, EU supervisory authorities and the US government began their second annual review of the Privacy Shield. The Commission will publish a report on its findings later in 2018.

    The Privacy Shield is also under scrutiny from privacy campaigners who have brought claims before the General Court (the lower court of the CJEU) contesting the Commission's adequacy finding for the Privacy Shield on the grounds that it still does not provide a level of data protection equivalent to the level required by European data protection law.

    In May 2016, Max Schrems filed a complaint with the Irish Data Protection Commissioner concerning the legal status of data transfers under Facebook's standard contractual clauses. The Irish Data Protection Commissioner referred the case to the CJEU to determine the legal status of the use of standard contractual clauses to transfer personal data outside the EU.63 The CJEU will need to consider if personal data transfer using model clauses is legal. However, on 31 July 2018, the Irish Supreme Court granted leave to Facebook to appeal the case, and, in light of the referral to the CJEU, stated that it would hear the case before the end of 2018. It is expected to take effect in 2020, following an implementation period of at least one year.

    ePrivacy Regulation

    The Draft ePrivacy Regulation would introduce further rules for the electronic communications sector, including controls on unsolicited direct marketing, restrictions on the use of cookies, and rules on the use of traffic and location data. As with the existing ePrivacy Directive, the intent with the ePrivacy Regulation is to complement the GDPR, and establish a modern, comprehensive and technologically neutral framework for electronic communications.

    The Draft ePrivacy Regulation (which is subject to further changes) aims to improve on the existing ePrivacy Directive in several ways, including:

    1. expanding the scope of ePrivacy laws to include OTT providers who provide services functionally equivalent to traditional telecoms providers, and apply to organisations worldwide as long as they are providing services to end users in the EU;
    2. reviewing the rules on the use of cookies and other tracking technologies to establish when consent should be required, and whether the standard of consent should be equivalent to that in the GDPR (e.g., it has been proposed that consent would not be necessary for cookies used for the purposes of analytics);
    3. tightening rules in relation to direct marketing (including business-to-business marketing);
    4. restricting use of content and metadata by communications providers. However, the scope of these restrictions is hotly debated, and one of the hot topics responsible for the delay in the agreement of the proposed regulation text;
    5. alignment of sanctions to the GDPR: for example, breach could bring liability of up to €20 million or four per cent of annual worldwide turnover; and
    6. unifying the ePrivacy Regulation's enforcement under GDPR enforcement bodies.

    The final Draft ePrivacy Regulation will likely arrive in the spring of 2019. It is not clear whether it will become law before the UK's planned departure from the EU; a cautious approach would be to assume it will take effect (in its eventual form) in the UK. Given the criticism of the proposal, companies should also be prepared to see substantial changes to the draft before its passage, and the development of this law should be tracked to ensure ongoing compliance. The Draft ePrivacy Regulation must be approved by the European Parliament and European Council prior to taking effect.


    The ICO is responsible for the enforcement of the GDPR, DPA and the ePrivacy Directive as well as the Freedom of Information Act 2000 (which provides individuals with the ability to request disclosure of information held by public authorities).

    The ICO is increasingly focusing on enforcement generally, and on the use of monetary penalties in particular (under the GDPR, penalties of up to a maximum of 4 per cent of global turnover or €20 million, whichever is the higher, may be applied).

    According to the ICO's Annual Report for 2017 and 2018,64 the ICO issued the most civil monetary penalties for Privacy and Electronic Communications Regulation breaches, with 26 penalties totalling £3.28 million for a range of prohibited marketing activities. A total of 11 civil monetary penalties cumulating at £1.29 million were issued across public and private spheres for breaches of data protection principles. Prior to July 2018, the largest of these was a £400,000 fine on Carphone Warehouse following a serious cyberattack, which at the time was the joint-highest fine ever served (the other being the £400,000 fine served on TalkTalk Telecom Group Plc (TalkTalk) for security failures that permitted a cyberattacker to obtain customer data).65 The ICO served the maximum possible fine under the Data Protection Act 1998 (£500,000) on Facebook in July 2018 for failing to safeguard the personal data of millions of users and for failing to be transparent with those users about how their data was in turn being harvested by third parties, including by political consulting firm Cambridge Analytica. Other large fines include the £250,000 fine served against Yahoo! UK Services Ltd in May 2018 for a 2014 cyberattack incident involving approximately 500 million Yahoo! user accounts worldwide. In July 2018, the Independent Inquiry into Child Sexual Abuse was fined £200,000 for revealing identities of abuse victims in a mass email.

    The most common grounds for large fines and enforcement action are loss of data, other major data security breaches and, to a lesser extent, automated marketing calls. The ICO takes a serious view of the loss of data. Humberside Police were fined £130,000 in April 2018 after three disks containing footage of interviews with an alleged rape victim, plus accompanying notes and details of the alleged perpetrator, were lost.66 The Crown Prosecution Service was fined £325,000 in May 2018 after it lost unencrypted DVDs containing recordings of police interviews.67 Larger fines were issued against private companies for unsolicited marketing calls and messages. In May 2017, the ICO issued the highest-ever nuisance calls fine of £400,000 to Keurboom Communication Ltd, which was responsible for 99.5 million nuisance calls.68 In January 2018, Barrington Claims Ltd was fined £250,000 for making automated marketing calls to individuals whom it could not prove had consented to receiving such calls.69 Finally, the Energy Saving Centre Ltd was fined £250,000 in April 2018 for making unsolicited calls to subscribers who had registered with the Telephone Preference Service.70

    Individual data subjects have the right under the GDPR to notify a data controller to cease or not to begin processing their personal data for the purposes of direct marketing. Under the ePrivacy UK Regulations, an organisation must obtain prior consent before sending a marketing message by automated call, fax, email, SMS text message, video message or picture message to an individual subscriber. There is a limited exemption for marketing by electronic mail (both email and SMS) that allows businesses to send electronic mail to existing customers provided that they are marketing their own goods or services, or goods and services that are similar to those that were being purchased when the contact information was provided; and the customer is given a simple opportunity to opt out free of charge at the time the details were initially collected and in all subsequent messages. The same maximum fine (of £500,000) also applies to breaches of the ePrivacy UK Regulations.

    Under the ePrivacy UK Regulations, location data (any data that identifies the geographical location of a person using a mobile device) can be used to provide value-added services (e.g., advertising) only if the user cannot be identified from the data or the customer has given prior consent. To give consent, the user must be aware of the types of location data that will be processed, the purposes and duration of the processing of that data, and whether the data will be transmitted to a third party to provide the value-added service.

    The consent of users of the relevant terminal equipment for the placement of cookies is required, unless a cookie is strictly necessary to provide an online service requested by a user (such as online shopping basket functionality, session cookies for managing security tokens throughout the site, multimedia flash cookies enabling media playback or load-balancing session cookies). In practice, steps have been taken by most reputable UK websites to comply with these consent requirements, ranging from banner notices with tick boxes, boxes that require an active step to make them disappear, to one-time banners or pop-overs giving brief information and allowing the user to take steps to disable the site's cookies if they wish to do so before continuing to use the site.71 Between April 2016 and March 2017, the ICO received 195 reports regarding breaches of cookies rules via their website, a slight decrease from 210 received in the previous financial year ending March 2016.72 Its current approach is to focus on sites that are not doing enough to raise awareness of cookies or to obtain their users' consent, particularly those most-visited sites in the UK. However, according to the ICO, cookies remain a low consumer threat, as the number of reported concerns about cookies was 195 compared to 167,018 concerns received about nuisance calls, text messages and emails.73 A variety of different approaches can be seen across those countries that have implemented the consent rules, although before the GDPR came into effect there was a general trend towards an implied consent approach rather than a strict express consent approach.

    It remains to be seen whether the ICO's approach towards cookies will shift given the higher standards imposed by the GDPR and the proposed ePrivacy Regulation. The GDPR introduces a higher level of consent, stating that consent should be a clear affirmative act establishing a freely given, informed and unambiguous indication of the data subject's agreement to the processing of personal data. Silence or inactivity does not constitute consent, and consent needs to be obtained for each processing purpose.74 Further, the data subject must have the right to withdraw consent at any time.75 This means companies that use banners that do not interrupt a user's interaction with a website (rather than those that provide notice and infer consent from continued use, for example) or that rely on implied consent (i.e., consent obtained by means of a pre-ticked opt-in box or an opt-out tick box) may need to revise this approach. Now, only opt-in consent is sufficient to demonstrate that the standard has been met. Other than functional, strictly necessary cookies, no cookies should be applied before such consent has been sought. Further, such consent should be sought on an unbundled basis (i.e., setting out, and obtaining consent for, each purpose for which cookies are used).

    Data breach notification

    The GDPR introduces a new data breach notification obligation on data controllers requiring notification to the supervisory authorities without undue delay and not later than 72 hours after becoming aware of a breach, unless the data security breach is unlikely to result in a risk to the rights and freedoms of a data subject. If a personal data breach results in a high risk to the rights and freedoms of a natural person, a data controller must inform the natural person of the data breach without undue delay.76 The GDPR also requires a data processor to notify a data controller if it becomes aware of a personal data breach. An infringement of these provisions can lead to an administrative fine up to €10 million or, in the case of an undertaking, up to two per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher.77

    Under the ePrivacy UK Regulations, providers of public ECSs (mainly telecom providers and ISPs) are required to inform the ICO within 24 hours of a personal data security breach and, where that breach is likely to adversely affect the personal data or privacy of a customer, that customer must also be promptly notified. The Draft ePrivacy Regulations intend to align this deadline with the time period set out under the GDPR (72 hours) for consistency. This should be kept under review as the Draft ePrivacy Regulation is finalised.

    In addition, organisations to which the NIS Regulations apply will have to comply with its notification requirements, as set out below.

    Data retention, interception and disclosure of communications data

    The legislation in this area has been the subject of much change and controversy over the past few years. The powers of government authorities to intercept communications, acquire communications data and interfere with communications equipment was previously regulated by a patchwork of legislation, including the Regulation of Investigatory Powers Act 2000 (RIPA), and, until 2016, the Data Retention and Investigatory Powers Act 2014 (DRIPA). The Investigatory Powers Act 2016 (IPA) overhauls, and in some cases extends, the scope of RIPA. It has largely, but not yet entirely, amended or repealed RIPA.

    On 8 April 2014, the CJEU held in Digital Rights Ireland 78 that the Data Retention Directive79 was invalid as it violated an individual's right to privacy and was disproportionate in its aims. Under the Data Retention Directive, public communications providers (e.g., providers of fixed-network telephony, mobile telephony and internet access, internet email or internet telephony) had to retain traffic, subscriber and, where relevant, location data (but excluding content data) for a period of 12 months.80 The declaration of invalidity meant that the UK's implementing subordinate legislation, the Data Retention (EC Directive) Regulations 2009, no longer had a basis in primary law and was itself vulnerable to a finding of illegality. The government decided to reintroduce data retention laws as primary legislation by passing DRIPA. In this regard, the UK stands in stark contrast to the rest of Europe, where Germany, the Czech Republic, Romania, Austria, Cyprus, Belgium, Ireland and Bulgaria had already deemed similar provisions unlawful.

    DRIPA came into force on 17 July 2014 (with a sunset clause forcing automatic expiry of its provisions on 31 December 2016) following a fast-tracked procedure that saw it pass all stages of Parliament within four days (a process that often takes months or even years) on the basis that its enactment was required for continued national security. DRIPA addressed two key issues: the obligation to retain communications data by communications providers and the extraterritorial expansion of powers under RIPA.81 DRIPA also clarified that interception capability notices under RIPA may be issued to telecommunications providers outside the UK in relation to conduct outside the UK.

    Following its passage into law, a legal challenge was mounted questioning the legality of DRIPA on the basis that the data retention provisions in the first part of the Act were introduced following the CJEU's declaration that similar provisions in the Data Retention Directive were declared invalid.

    In July 2015, the High Court declared DRIPA's data retention provisions to be incompatible with EU law on the basis that they interfered with Articles 7 and 8 of the EU Charter of Fundamental Rights (the public's rights to respect for private life and communications and to the protection of personal data).82 There was particular criticism about the emergency nature of the legislation as well as its fast-tracked path through Parliament. In November 2015, the Court of Appeal referred the case to the CJEU as to whether the CJEU's judgment in Digital Rights Ireland laid down mandatory requirements of EU law with which Member States must comply.

    The CJEU held on 21 December 2016 that the ePrivacy Directive and the Charter of Fundamental Rights preclude laws that require a general and indiscriminate retention of data. However, laws that place targeted data retention obligations on service providers for the purpose of fighting serious crime are permitted provided that the safeguards protecting Article 7 and 8 rights are maintained (as specified in Digital Rights Ireland). The CJEU held that national data retention laws fall within the scope of the ePrivacy Directive.

    The CJEU referred the case back to the UK Court of Appeal, which delivered its final judgment on 30 January 2018.83 The Court of Appeal agreed that the DRIPA data retention provisions were incompatible with EU law. It declined to rule on various other issues that had been raised by the parties given the ongoing litigation relating to the IPA by civil rights groups, as described below.

    Although DRIPA would itself have expired in accordance with its sunset clause, its spirit survives in the IPA, which received royal assent on 29 November 2016, just in time before DRIPA's scheduled expiry on 31 December 2016. The IPA is similar to RIPA in various respects. For example, like RIPA, the IPA imposes a general prohibition on the interception of communications unless the interceptor has lawful authority to carry out the interception, such as where a warrant has been issued by the Secretary of State (interception warrant). However, the IPA provides a new legal framework to govern the use and oversight of investigatory powers of the executive branch. Among other things, it:

    1. includes new powers for UK intelligence agencies and law enforcement to carry out targeted interception of communications, bulk collection of communications data and bulk interception of communications;
    2. introduces an Investigatory Powers Commission (IPC) to oversee the use of all investigatory powers, alongside oversight provided by the Intelligence and Security Committee of Parliament and the Investigatory Powers Tribunal;
    3. requires a judge serving on the IPC to review warrants authorised by the Secretary of State for accessing the content of communications and equipment interference before they come into force (commonly referred to as a double lock feature);
    4. widens the categories of telecommunications operators (TOs) that can be subject to most powers by including private as well as public operators;
    5. includes the power to require TOs to retain UK internet users' data, including internet connection records, for up to one year (although it remains to be seen how such powers may be amended following the court rulings described below);
    6. permits police, intelligence officers and other government department managers to see internet connection records as part of a targeted and filtered investigation without a warrant;
    7. imposes a legal obligation on TOs to assist with the targeted interception of data and communications and equipment interference in relation to an investigation (however, foreign companies are not required to engage in bulk collection of data or communications);
    8. places the Wilson Doctrine (a convention whereby police and intelligence services are restricted from intercepting communications of Members of Parliament) on a statutory footing for the first time, as well as safeguards for people such as journalists, lawyers and doctors involved in other sensitive professions;
    9. provides local government with some investigatory powers (e.g., to investigate someone fraudulently claiming benefits), but not access to internet connection records;
    10. creates a new criminal offence for unlawfully accessing internet data; and
    11. creates a new criminal offence for a TO or someone who works for a TO to reveal that data has been requested.

    The provisions of the IPA are being enacted in stages via a series of statutory instruments. To date, most portions of the IPA (other than those relating to authorisations for obtaining communications data (i.e., Part 3 of the IPA)) have been enacted. The equivalent provisions in the legacy RIPA legislation have been repealed or amended, but the remaining RIPA provisions (i.e., those that have not been expressly repealed or amended to date) continue to govern the UK interception statutory regime. The government's intention is to repeal RIPA in its entirety in accordance with a yet-to-be-released implementation timetable. As a result, we have a rather complex regulatory landscape in which a patchwork of statutory instruments have largely, but not entirely, brought the IPA into force and amended or repealed the legacy RIPA legislation. Furthermore, in light of recent case law, it remains to be seen to what extent the IPA will survive as currently drafted. In addition to Watson,84 civil liberties group Liberty has mounted a legal challenge to the IPA by way of judicial review. In April 2018, the UK High Court ruled that Part 4 of the IPA, which relates to the retention of communications data, was incompatible with EU law in two respects: in the context of criminal justice, the relevant provisions allowed access to retained data that was not limited to the purpose of combating serious crime, and that access was not subject to prior review by a court or independent body. The High Court decided against making an order of disapplication, but ordered that the government must replace the relevant provisions by 1 November 2018.85 In response, on 31 October 2018 the government introduced the Data Retention and Acquisition Regulations 2018. However, the Regulations have been criticised as not going far enough to address the human rights concerns raised by the High Court. It remains to be seen whether any further legal challenges to the UK's data retention regime will be mounted.

    Most recently, on 13 September 2018 the European Court of Human Rights ruled in the case of Big Brother Watch and Others v. the United Kingdom86 that the bulk interception regime under RIPA and the regime for obtaining communications data from communications and service providers violate Article 8 (the right to respect for private and family life and communications) and Article 10 (the right to freedom of expression) of the European Convention on Human Rights (ECHR). The government has stated that the IPA provides better privacy protections than RIPA, but that it would give careful consideration to the Court's ruling.

    Protection for children

    Under the GDPR, children are defined as vulnerable natural persons who merit specific protection with regard to their personal data.87 Consent to the processing of personal data in connection with the provision of online services to children (below the age of 16, unless a Member State provides, as the UK has done, for a lower age (which cannot be lower than 13). The DPA has set the age of children at the minimum permitted threshold (i.e., anyone younger than 13 years)) is required to be given by a person with parental responsibility.88 Data can also be processed based on legitimate business interests, but it is clear that it will be harder to argue that the interests of a company outweigh those of a child. The GDPR also introduces a right to be forgotten, which will make it necessary for certain service providers, such as social media services, to delete any personal data processed or collected when the user was a child.89

    In May 2018, the government published a green paper titled Internet Safety Strategy.90 The paper discusses a series of proposed measures to increase the safety of the online environment in the UK, including a range of measures aimed at protecting children, such as laws related to cyberbullying and online child sexual exploitation and measures to develop children's digital literacy. Further details of the proposed measures will be set out in a white paper on the same topic, to be published later in 2018.

    The Child Exploitation and Online Protection Centre (CEOP) works to prevent exploitation of children online; it is made up of a large number of specialists who work alongside police officers to locate and track possible and registered offenders. CEOP was previously affiliated with the Serious Organised Crime Agency; however, following its abolishment under the Crime and Courts Act 2013, the Centre became part of the National Crime Agency.91 CEOP also offers training, education and public awareness in relation to child safety online.

    Internet safety for children in the UK is also monitored by the UK Council for Child Internet Safety (UKCCIS), a group of more than 200 organisations collaborating to keep children safe online. Established in 2010, the UKCCIS, inter alia, provides advice for schools and colleges and creates guides for parents whose children are using social media.92 It has published a Child Internet Safety Strategy for children in the UK.93

    Website and software operators may apply for the Kitemark for Child Safety Online. This has been developed through collaboration between the British Standards Institution (BSI) (the UK's national standards body), the Home Office, Ofcom, and representatives from ISPs and application developers. The BSI tests internet access control products, services, tools and other systems for their ability to block certain categories of websites (e.g., sexually explicit, violent or racist activity).


    The Computer Misuse Act 2000 (as amended by the Police and Justice Act 2006) sets out a number of provisions that make hacking and any other forms of unauthorised access, as well as DoS attacks and the distribution of viruses and other malicious codes, criminal offences. Further offences exist where an individual supplies tools to commit the above-mentioned activities.

    The government has consolidated its focus on cybersecurity through the establishment of the National Cyber Security Strategy, with a dedicated pool of funds stretching to £1.9 billion over five years until 2021.94 Following the passage of the Crime and Courts Act 2013, the government brought the National Cyber Crime Unit (NCCU) under the remit of the National Crime Agency. The NCCU brings together cybercrime response operations and uses information on cybersecurity threats collected from the private sector via the Cyber-Security Information Sharing Partnership. The government has put an increasing emphasis on cyber skills, education and research to enhance its future cybersecurity strategy. This includes ensuring that school children leave their education with a basic understanding of cybersecurity, supporting a Cyber Higher Apprenticeship programme and launching Cyber First, which aims to identify and educate individuals to become cybersecurity experts.95 In addition, in October 2016 the government opened the NCSC, which now forms part of GCHQ and offers an authoritative voice on information security in the UK,96 with one of its mandates being to produce advice in conjunction with the Bank of England to enable financial institutions to improve their management of cybersecurity. The government also began offering cybersecurity advice directly to businesses through publications such as 10 Steps to Cyber Security, and by establishing an information-sharing partnership whereby the government and industry can exchange information about cybersecurity threats, in 2016.97 In 2017, 55 per cent of all businesses and 40 per cent of all charities undertook five or more of the 10 Steps to Cyber Security, which is similar to findings of previous years' surveys.98

    At a European level, the European Parliament adopted the NISD in July 2016, which is the first EU-wide legislation on cybersecurity. The aim of the NISD is to enhance network and information system security in essential economic and digital services. It introduces, inter alia, mandatory breach notification requirements and minimum security requirements.99 While the GDPR's aim is to protect personal data, the NISD focuses on protecting essential infrastructure, and is therefore not limited to personal data.

    The NISD imposes obligations on two types of organisations: essential service operators (ESOs) within the energy, transport, banking, financial market infrastructure, health, drinking water and digital infrastructure sectors; and digital service providers (DSPs), including entities such as online marketplaces, online search engines and cloud computing service providers. These companies must now report breaches of cybersecurity to the national competent authorities without undue delay where the relevant incident would have a significant impact on the core services provided by a company. The NISD had been stuck in negotiations between EU lawmakers and Member States over which sectors the Directive should cover; after months of negotiations, it was decided that digital platforms such as search engines, social networks and cloud computing service providers will be subject to the Directive's remit, albeit with lighter touch requirements. The Directive aims to ensure a uniform level of cybersecurity across the EU as part of the Commission's wider Digital Agenda for Europe.

    As of 9 May 2018, the NISD should have been implemented in each EU Member State. In the UK it has been implemented by way of the NIS Regulation, which came into force on 10 May 2018. The government has confirmed that the NIS Regulation will continue to apply irrespective of Brexit. As anticipated by a consultation released by the DCMS in August 2017, the NIS Regulation:

    1. applies to ESOs and DSPs with thresholds designed to capture the most important operators in their sector due to, for example, their size;
    2. is regulated by the ICO in respect of DSPs and, in respect of ESOs, the competent industry-specific regulator, such as the Department for Business Energy and Industrial Strategy, Ofcom and NHS Digital. GCHQ acts as the UK's single point of contact as required by the NISD;
    3. requires operators to develop minimum levels of security, as well as evidence that these higher standards have been met, and notify incidents meeting specific thresholds to the relevant regulator; and
    4. imposes harsher penalties to mirror the GDPR, with fines up to the higher of £17 million or four per cent of annual worldwide turnover.

    While the NISD applies to certain financial institutions, the NIS Regulation does not apply to entities that fall within the remit of the regulatory authority of the Financial Conduct Authority, the Bank of England or the Prudential Regulation Authority, as these institutions have been deemed to impose requirements on financial institutions that meet the obligations under the NISD.

    In respect of DSPs, the NIS Regulation does not apply to small and micro businesses (i.e., companies employing fewer than 50 people whose annual turnover or balance sheet total, or both, is less than €10 million). However, if a DSP is part of a larger group, the group's size may need to be taken into account in determining whether the provider is excluded from the application of the NIS Regulation (depending on the level of control exercised over the provider by other group entities).

    In respect of ESOs, certain sectors are exempt from some aspects of the NISD where they are obliged to comply with equivalent provisions within existing regulations (e.g., the finance and civil nuclear sectors). The competent authority has a discretion to deem a particular organisation to be an ESO even if the threshold conditions are not met. In addition, ESOs are required to register with their competent authority.


    i Development

    The current EU regulatory framework for spectrum has been in force since 2003 following the introduction of the Telecoms Reform Package. This regulatory framework, in particular the Framework Directive100 and the Authorisation Directive,101 requires the neutral allocation of spectrum in relation to the technology and services proposed by users (e.g., MNOs and radio broadcasters). Following on from the Telecoms Reform Package, the Commission required Member States to adopt measures including greater neutrality in spectrum allocation, the right of the Commission to propose legislation to coordinate radio spectrum policy, and to reserve part of the spectrum from the digital dividend (from the switchover to digital television services) for mobile broadband services through the Better Regulation Directive and the Citizens' Rights Directive. In 2016, Ofcom developed a framework for spectrum sharing, highlighting the importance of considering the circumstances of each potential opportunity, covering its costs and benefits.

    In the UK, Ofcom is responsible under the Act for the optimal use of the radio spectrum in the interests of consumers. This includes, inter alia, monitoring the airwaves to identify cases of interference, and taking action against illegal broadcasters and the use of unauthorised wireless devices. The 2016 framework established three key elements when identifying potential sharing opportunities in certain bands: characteristics of use for all users that inform the initial view of the potential for sharing, and what tools may be relevant; barriers that may limit the extent of current or future sharing, despite the liberalisation of licences and existing market tools such as trading or leasing; and regulatory tools and market and technology enablers that match the characteristics of use and barriers to facilitate new and more intense sharing.102

    ii Flexible spectrum use

    As the uses of the radio spectrum have increased, the allocation of spectrum by the regulator has developed from a centralised system, where use was determined by the regulator, to a market-based approach, where users compete for spectrum. Currently, auctions are the primary market tool used to implement the allocation.

    Spectrum trading was introduced in the UK for the first time in 2004, and is permitted under the Wireless Telegraphy Act 2006 and associated regulations. Originally, the trading of spectrum was subject to a multi-stage process that, inter alia, required a decision by Ofcom about whether to consent to the trade. However, the Wireless Telegraphy (Mobile Spectrum Trading) Regulations 2011, directed at making more efficient use of the available spectrum, and improvements in mobile services to meet the demand for faster and more reliable services for consumers, made significant changes to this process, removing the need to obtain Ofcom's consent for proposed trades in most cases. In addition, under the Regulations, a licensee can transfer all or part of the rights and obligations under its licence. A partial transfer, or spectrum leasing, can be limited to a range of frequencies or to a particular area. Ofcom also plans to simplify the process for time-limited transfers in line with the Revised Framework Directive.

    In April 2014, Ofcom published its Spectrum Management Strategy setting out the approach to, and priorities for, spectrum management over the following 10 years.103 The Strategy notes, in particular, the increasing use of wireless services across the UK and the need to meet the increased demands with which the spectrum is faced. Ofcom proposes that it use a combination of market forces and regulations to support its strategic goals, including increasing the quality of RF performance, providing greater information on spectrum use, repurposing some spectrum bands and providing for shared access to spectrum. As part of this, in September 2015 Ofcom published a consultation on using 10MHz of existing spectrum for new applications to be utilised for the IoT enabling M2M communications. Ofcom's aim was to encourage M2M applications to use spectrum that would enable them to connect wirelessly over longer distances. Following on from the consultation, on 23 March 2016 Ofcom released a statement confirming that spectrum within the 55–68MHz, 70.5–71.5MHz and 80.0–81.5MHz bands could be used for IoT services and M2M applications.104

    iii Broadband and next-generation mobile spectrum use

    Ofcom issued a call for information on spectrum above 6GHz that ended in February 2015.105 Following on from this, in April 2016 Ofcom consulted on improving spectrum access for consumers in the 5GHz band. Ofcom subsequently set out plans to open up a sub-band within the 5GHz frequency range for Wi-Fi, which would increase the number of 80MHz channels available for Wi-Fi from four to six to accommodate data-hungry applications and ease congestion. These extra channels, which are already being used in the US, could be opened up within the next few years.106 In March 2017, Ofcom published its Statement on improving spectrum access for consumers in the 5GHz band, and in July 2017 published its Decision to make Wireless Telegraphy Exemption Regulations 2017; this was predominantly due to increasing demand for Wi-Fi and the role of spectrum in addressing such demand.107 The technology has provided more capacity at faster speeds for mobile services on smartphones such as video streaming, email and social networking sites. In addition to the spectrum auctions mentioned in Section IV.v, UK Government Investments (UKGI) has announced that approximately 190MHz of spectrum will shortly be auctioned by Ofcom for mobile phones.108

    iv White space

    Free spectrum, or 'white space', left over from the UK's switch from analogue to digital TV and radio, has been available for mobile broadband and enhanced Wi-Fi since 2011. A white space device will search for spectrum that is available and check a third-party database to find out what RFs are available to ensure that it does not interfere with existing licensed users of the spectrum. New white space radios use frequencies that are allocated for certain uses elsewhere but are empty locally. Flawless management of spectrum is required to avoid interferences.

    Since February 2015, Ofcom has allowed the commercial use and deployment of white space broadband technology, harnessing the unused parts of the radio spectrum in the 470MHz to 790MHz frequency band.

    Ofcom is in the relatively early stages of developing spectrum sharing. White space spectrum with a frequency in the spectrum bank 470MHz to 790MHz, which is not being used at particular times, is the key to developing such sharing. This would be enabled by location-aware wireless devices or databases that provide information on white space availability. Likewise, Ofcom set out in its spectrum management strategy that it would place particular emphasis on spectrum sharing. In July 2015, Ofcom published a consultation in an attempt to identify barriers to sharing, include regulatory tools to facilitate further sharing and set out how sharing would be considered on a case-by-case basis. In December 2017, Ofcom published its Review of the authorisation regime for spectrum access in which it detailed several key initiatives aimed at enabling spectrum sharing, such as the licence exemption (mentioned above) and geographic licences as well as dynamic spectrum access (DSA). DSA was first implemented with TV white spaces where valuable, unused, low frequency spectrum in the 470–790MHz band was made available to devices meeting a minimum technical specification.109

    The DSM proposals include proposals relating to spectrum management that would, if adopted in their current form, have a significant impact in the UK (see Section II.v for more details).

    v Spectrum auctions

    The first 5G spectrum auction to be completed by Ofcom took place in April 2018, with O2, EE, Three and Vodafone all winning spectrum. O2 acquired all 40MHz of the 2.3GHz spectrum being auctioned, as well as 40MHz of the 3.4GHz spectrum, making it the biggest winner in the auction. Some of the spectrum was auctioned because it was recently freed up by the government to make it available for civil use, having been previously used by the Ministry of Defence.

    Another 5G spectrum auction is expected to take place in 2020, as the 2018 5G auction will not cover the anticipated demand for 5G once it is commercially available.

    The last spectrum auction was initially proposed to be in 2015, when licences were to be awarded in the 2.3GHz and 3.4GHz spectrum bands. The auction was postponed to 2016, and a total of 190MHz of high-capacity spectrum was to be made available in two bands, 2.3GHz and 3.4GHz, which are those particularly suited to high-speed mobile broadband services. Ofcom planned to set reserve prices totalling £70 million for the spectrum. Most notably, there was to be no cap on the amounts bidders could buy, as Ofcom believes that buying large blocks has the potential to support fast download speeds, helping pave the way for 5G.110 However, following the Commission's decision to block the proposed acquisition of O2 by CK Hutchison (H3G), Ofcom published a further consultation in November 2016 on competition measures and on specific aspects of auction design for the award of the 2.3GHz and 3.4GHz spectrum bands.111 Ofcom subsequently announced the following spectrum caps in July 2017 to satisfy competition concerns: no operator would be able to hold more than 255MHz of immediately usable spectrum, and no operator would be able to hold more than 340MHz of the total amount of spectrum following the auction. In January 2018, UKGI (which administers the Public Sector Spectrum Release Programme through the Central Management Unit) reported that the programme has led to nearly 400MHz having been released so far, with plans to release 750MHz of spectrum from the public to the private sector by 2022 to stimulate economic growth.

    Prior to this postponed auction, the most prominent auction took place in February 2013, where Ofcom announced the results for the auction of the 800MHz and 2.6GHz bands. The auctioned spectrum, which was previously used for digital TV and wireless audio devices, was cleared by retuning TV signals in July 2013 and is now used for further 4G mobile services. After more than 50 rounds of bidding, Vodafone, O2 (Telefónica), EE and Hutchison 3G UK secured various bands of the newly released spectrum. Consequently, all major mobile networks in the UK started to provide 4G services from September 2013 in addition to EE.

    As Ofcom's auction process is designed to promote competition and coverage, Ofcom attached a coverage obligation to one of the 800MHz lots that was won by O2. The provider accepted the obligation to widen the coverage of its mobile broadband for indoor reception to at least 95 per cent of the population by the end of 2017, and in March 2018, Ofcom completed its assessment and confirmed that this requirement was complied with by O2.112

    To ensure competition between the national operators, Ofcom introduced a floor and cap on the amount of spectrum that each operator can win, and imposed safeguard caps to prevent an operator from holding too much spectrum. To diversify the market, Ofcom also reserved parts of the spectrum for a fourth national wholesaler. The reserved lots were won by Hutchison 3G UK.

    Despite the fact that the government budgeted a surplus of £3.5 billion for the auctioned spectrum, it only raised a total of £2.34 billion;113 however, the principal stage of the 2018 spectrum auction has already raised over £1.3 billion.114

    vi Emergency services bandwidth prioritisation

    The Universal Services Directive, a further part of the Telecoms Reform Package, introduces several extended obligations in relation to access to national emergency numbers and the single European emergency call number (112). Prior to the Universal Services Directive, obligations to provide free and uninterrupted access to national and European emergency numbers applied to providers of publicly available telephone services only. Under this Directive, however, these obligations are extended to all undertakings that provide to end users 'an electronic communication service for originating national calls to a number or numbers in a national telephone numbering plan', and the UK has mirrored this wording in its revisions to General Condition 4 under the Act. Such electronic service providers are therefore required to ensure that a user can access both the 112 and 999 emergency call numbers at no charge and, to the extent technically feasible, make caller location information for such emergency calls available to the relevant emergency response organisations. In a January 2015 report entitled Citizens and communications services, Ofcom stated that it was monitoring the effectiveness of steps by the industry to improve emergency caller location information on mobile calls.115 This monitoring led Ofcom to commence an own-initiative investigation into Hutchison 3G UK's compliance. Ofcom decided to impose a fine of £1.98 million as set out in Ofcom's confirmation decision concluding the investigation.116 It should be noted that Ofcom's revised general conditions for emergency services network (ESN) provider compliance came into force on 1 October 2018, amending the obligations relating to access to emergency services. The changes include extending the current requirements to ensure end users can access emergency organisations through eCalls.

    In 2013, the Home Office announced the Emergency Services Mobile Communications Programme for a dedicated ESN that would provide the next-generation communication system for emergency services. However, one of the lots, relating to a contracted agreement for an MNO to extend guaranteed signal coverage to ensure mobile coverage was withdrawn in January 2015. The remaining contracts for the operation of the ESN were won by EE, who will provide the network, and Motorola Solutions, who will supply the user services (supported by Kellogg Brown Root as a delivery partner). Together they will now work to provide the UK's emergency services with a 4G LTE mobile network, replacing the existing private terrestrial trunked radio (Tetra) system. According to the Home Office, the UK will be first in the world to deliver critical voice and data for emergency services over an enhanced and more resilient commercial 4G network.117 The new system has the key advantage of allowing emergency services traffic to be prioritised ahead of communications by the general public, and this was successfully tested in February 2018 for the first time between an EE mobile mast site in Bristol and a location in Basingstoke.118


    The transition from traditional forms of media distribution and consumption towards digital converged media platforms continues to disrupt and change the commercial foundations of the entertainment and media industry in the UK. Politicians, lawyers, economists and members of the industry are all grappling with new business models to monetise content and control frameworks to provide sufficient protection for the rights of content creators and consumers alike. The Commission's DSM Strategy has wide-ranging implications for the UK media sector (subject to changes to national law as a result of Brexit). Proposals of particular relevance to the media sector include the proposal for a regulation on cross-border portability of online content services, the proposal for amendments to the Audiovisual Media Services Directive and the Commission's September 2016 proposals concerning updates to the European copyright law regime.

    i Superfast broadband and media

    Fast broadband underpins the accessibility to consumers of internet-delivered content services. The Commission has highlighted that the global internet video share in consumer internet traffic is expected to increase from 64 per cent in 2014 to 80 per cent by 2019.119

    By the end of March 2018, the government's rollout of superfast broadband had reached 4.85 million homes and businesses across the UK. This means that the government delivered on its commitment to extend superfast broadband to 95 per cent of UK homes and businesses by the end of 2017. The focus is now shifting to exploring ways to take superfast broadband to the most remote and hardest-to-reach places in the UK (i.e., the remaining five per cent).120 Seven market test pilots ran between June 2014 and March 2016 to test ways to take broadband to remote communities. The government published its findings in February 2016.121 This is consistent with the DEA, which provides for a USO whereby consumers may request a minimum download speed of 10Mbps by 2020.

    ii European DSM Strategy and media

    Audiovisual Media Services Directive

    As part of the DSM Strategy, in May 2016, the Commission adopted a legislative proposal to revise the Audiovisual Media Services Directive (AVMSD), which coordinates national legislation on all audiovisual media including both TV broadcasts and on-demand services. In June 2018, the European Parliament, the Council and the Commission confirmed the preliminary political agreement reached on the proposed revisions that will apply. On 6 November 2018, the Council adopted the revised text, marking the final step in the legislative process.122 The revised Directive will enter into force on the twentieth day after publication in the Official Journal. Member States will then have a 21-month period to transpose the changes into national law. The revisions include:

    1. extending the AVMSD's application to video-sharing platforms where the principal purpose of the service is the provision of programmes or user-generated videos, or both, to the public in order to inform, entertain or educate, and which organise content in a way determined by the provider of the service (e.g., by tagging and sequencing);
    2. introducing an obligation to ensure that audiovisual media service providers implement measures to protect minors from access to harmful content and protect the public from incitements to violence and hate speech;
    3. offering broadcasters more flexibility in television advertising – in particular, the advertising limit of 20 per cent of broadcasting time will apply between 6am and 6pm, and the same share will be permitted during prime time (i.e., 6pm to midnight) (rather than 20 per cent per clock hour); and
    4. an obligation on on-demand audiovisual media services to ensure 30 per cent of the works in their catalogues are European works. Furthermore, Member States will have the option to require on-demand service providers to invest in local content.

    The Commission and UK government have each published notes on the implications of Brexit on the audiovisual media sector.123 Subject to any agreement that the UK may reach with the EU, post-exit, the AVMSD, including the country of origin principle124 and the rule on freedom of reception and retransmission,125 will cease to benefit services under UK jurisdiction, and the UK will be treated as a third country. According to the recitals to the current version of the AVMSD, Member States are free to take whatever measures they deem appropriate with regard to audiovisual media services that come from third countries, provided they comply with EU law and the international obligations of the EU.126 Under the AVMSD, a complex test applies to determine which country has jurisdiction over a media service provider (largely based on the location of the head office, editorial decision making and the workforce). Post-Brexit, it would be possible for a media service provider to keep a UK head office but be subject to the jurisdiction of an Member State (and therefore continue to benefit from the country of origin principle within the EU), provided a significant part of the workforce is located in that Member State. Separately, and along with 20 other EU countries,127 the UK is party to the Council of Europe Convention on Transfrontier Television,128 which provides for freedom of reception and retransmission.129 This is also relevant to the European works test, which is satisfied if a programme originates from a non-EU country that is party to the Convention.130 The AVMSD takes precedence among EU Member States, but the UK's position as a party to the Convention will not be affected by its exit from the EU. Therefore, in the absence of a Brexit deal, the Convention could be relied upon as between the UK and the 20 Member States who have signed up to it.

    For the seven non-Convention countries, additional licences and consents will be required, subject to local law requirements. Works originating in the UK will continue to be classed as European works. However, VOD services are outside of the scope of the Convention and, if subject to UK jurisdiction according to the AVMSD test, would need to comply with the local law requirements in each Member State in which they are offered.

    Portability Regulation

    On 9 December 2015, the Commission proposed a regulation to enable the cross-border portability of online content services.131 The resulting Portability Regulation was published in the Official Journal on 30 June 2017132 and came into force on 1 April 2018.133 It allows Europeans who purchase or subscribe to audiovisual content (such as films, sports broadcasts, music, e-books and games) in their home Member State to access this content when they travel or stay temporarily in another Member State. Providers of online content services that are provided for payment (it is optional for free services) must ensure the cross-border portability of their services such that subscribers may access and use the services when temporarily present in another Member State. When verifying the subscriber's Member State of residence, service providers must limit the means to verify residence to two means of verification in a list (such as, for example, an identity card and payment details).

    However, the continued application of the Portability Regulation in the UK post-Brexit will require a reciprocal agreement with the EU. This is because the Regulation relies on a legal fiction whereby the provision of and access to the relevant service is deemed to take place in the subscriber's country of residence, effectively disapplying the local law of the country of temporary presence.

    Copyright reform

    On 14 September 2016, in addition to the telecoms proposals outlined in Section II.v, the Commission adopted new proposals for copyright reform as part of its DSM Strategy. The Commission released proposals for a regulation laying down rules on the exercise of copyright and related rights applicable to certain online transmissions of broadcasting organisations and retransmissions of television and radio programmes (Copyright Regulation);134 a directive on copyright in the DSM (Copyright Directive);135 and proposals for an additional directive and regulation to implement the Marrakesh Treaty to Facilitate Access to Published Works for Persons who are Blind, Visually Impaired, or Otherwise Print Disabled (Marrakesh Treaty).136

    The Copyright Regulation introduces a cross-border clearance mechanism for digital broadcasting by broadcasters and retransmission of broadcasts online. Currently, broadcasters transmit programmes on their services that they have licensed from others or produced themselves, but programmes will inevitably contain content that is protected by copyright and needs to be cleared for use. Through the Copyright Regulation, the Commission proposes to extend the country of origin principle – which has been in place for decades in respect of cable and satellite communications – to specific online services, including simultaneous online transmissions of a broadcast, catch-up television services and associated ancillary services such as 'making of ' programmes. This means that broadcasters will only need to clear rights once, in the Member State from which their broadcast originates. However, it only applies to online broadcasts and does not apply generally to VOD services. The Copyright Regulation also proposes to extend the current system of mandatory collective management for retransmissions by cable of television and radio broadcasts from other Member States to other closed electronic communication networks, such as IPTV. This means that instead of negotiating individually with every rights holder, operators who offer packages of channels will be able to obtain licences from collective management organisations.137

    The Copyright Directive focuses on three areas. First, it introduces measures to achieve a well-functioning marketplace for copyright. These include proposals for:

    1. a new related right in publication that will allow publishers to charge fees for digital uses of the copyright works they have invested in the distribution of (including short extracts of the same) (Article 11);
    2. a requirement on online user-uploaded content platforms to take measures to ensure the protection of user-uploaded works (e.g., by implementing content recognition software) to address rights holders' concerns as to the value gap (between the ease with which popular content is accessed online and the arguably meagre profit that rights holders reap from it) (Article 13); and
    3. a mechanism for increasing the transparency to rights holders of the exploitation of their works, with an alternative dispute resolution procedure to allow authors and performers to rebalance contracts (Articles 14 to 16).

    Secondly, it introduces measures to improve licensing practices and ensures wider access to content by:

    1. implementing legal mechanisms to facilitate easier licensing of out-of-commerce works (which are works that are not available to the public through customary channels of commerce and cannot be reasonably expected to become available) by cultural institutions to aid cultural institutions in making these works, which have significant cultural and educational value, available to the public (Articles 7–9); and
    2. requiring Member States to set up impartial bodies to assist in the negotiation of licensing agreements between audiovisual rights holders and VOD platforms (Article 10).

    Thirdly, the Directive introduces measures to adapt exceptions and limitations to the digital and cross-border environment in relation to research organisations conducting text and data mining; the digital use of works and other subject matter for distance-learning educational purposes; and cultural heritage organisations making digital copies of their permanent collections for preservation purposes.

    The Commission's original proposal has been the subject of extensive lobbying by digital platforms and content creators, and the original text has been revised heavily by the European Parliament. The revised text was rejected by the Parliament's first plenary vote on 5 July 2018. On 12 September 2018, the Parliament adopted further amendments to the proposed text (particularly to Articles 11 and 13, which have proved to be controversial) and referred it for informal trialogue negotiations with the Council and Commission.138 As such, it is unlikely that these proposals will become binding in Member States ahead of the UK's exit from the EU.

    The directive designed to implement the Marrakesh Treaty introduces a new mandatory exception to the copyright rights harmonised under EU law, allowing people who are blind or otherwise print-disabled to access books and other content in formats that are accessible to them, including across borders. The regulation governs exchanges of accessible format copies between the European Union and third countries that are parties to the Marrakesh Treaty. The regulation and directive implementing the Marrakesh Treaty were published in the Official Journal on 20 September 2017. The regulation applied from 12 October 2018,139 and Member States had to implement the directive by 11 October 2018.140 Accordingly, the Copyright and Related Rights (Marrakesh Treaty etc.) (Amendment) Regulations (2018/995) came into force on 11 October 2018 and amended the UK's copyright law to make the UK's laws compatible with the Marrakesh Directive.

    The Commission has noted that, subject to any transitional agreement that the UK may reach with the EU, the European rules in the field of copyright will no longer apply to the UK following Brexit.141 While technically correct, the practical implications of this are relatively limited (see, for instance, the section above on the Portability Regulation), because copyright essentially remains a national right, reliant on international treaties.

    Commission investigation into US film studios

    The Commission has also investigated the practices of six major US film studios (Disney, NBCUniversal, Paramount Pictures, Sony, Twentieth Century Fox and Warner Bros) with respect to clauses in their licensing agreements with telecommunications company Sky UK. On 26 July 2016, the Commission accepted commitments from Viacom-owned Paramount to end a probe into potentially anticompetitive film licensing contracts, but confirmed that it is continuing to investigate five other studios and Sky UK. As a result, Paramount has agreed to stop enforcing contractual clauses that prevent European consumers outside the UK and Ireland watching Paramount films on Sky's UK satellite and online channels, and prevent rival broadcasters from airing its pay-TV content in the UK. In practice, this means that Paramount will no longer insert geo-blocking restrictions in its licensing contracts with broadcasters. The current probe deals only with Sky UK in the UK and Ireland, but the Commission is also investigating the British pay-TV operator's approach to consumers in France, Italy and Germany. Likewise, Paramount will not introduce or renew similar geo-blocking clauses in film licensing contracts with other broadcasters that operate in other European countries. Paramount will run the commitments package for five years, and it will cover both standard pay-TV and on-demand services, both online and by satellite. The effect of the Commission accepting the commitments is that the studio will not be required to pay a fine, nor to admit liability. Notably, the five other studios have not offered similar undertakings. On 6 February 2017, details were published of an appeal by Canal+ against the Commission's decision to accept commitments from Paramount.142 On 12 January 2018, the Commission extended its investigation to a subsidiary of NBCUniversal following changes to NBCUniversal's corporate structure.143

    The case is ongoing. It is, as yet, unclear what effect a final decision against the studios will have on consumers, but it could have a profound effect on the film industry in Europe. However, in spite of these commitments and the ongoing investigations, broadcasters will be under no obligation to offer packages outside their territories following the decision.

    iii OTT delivery of content and broadcast TV

    An OTT platform is typically a platform that allows users to stream audiovisual content using the internet or mobile telephone networks. The key benefit of OTT delivery is that it allows users to interact with content because data can flow both ways in an IP network.

    OTT delivery is utilised by a range of content providers in the UK, including PSBs (i.e., BBC iPlayer, ITV Hub, All4 and My5), cable and satellite platforms (e.g., both Virgin Media and Sky offer VOD products), mobile operators, online aggregators and standalone VOD platforms (e.g., Netflix, Amazon Prime Video and NowTV). To further facilitate user access to internet-delivered services, the BBC, ITV, Channel 4, Channel 5, BT, TalkTalk and Arqiva have collaborated on an open-technology offering called YouView, which enables viewers to access free-to-air channels and catch-up and on-demand programming via their televisions (along with the ability to add access to pay-TV channels and on-demand services).

    The industry is being transformed as the take-up of superfast broadband and connected televisions change the ways in which people watch television. According to Ofcom's Media Nations: UK 2018 report, across all devices, people's total television and audiovisual viewing in 2017 was five hours and one minute per day. Broadcast television made up 71 per cent of this, while the remaining 29 per cent was composed of viewing non-broadcast content such as content available via standalone VOD platforms and YouTube. On average, people view three hours and 23 minutes of broadcast television a day (including seven day catch-up) (this has fallen by nine minutes (4.2 per cent) since 2017). However, time spent watching TV sets overall remains constant as viewing of non-broadcast content increases. The change in viewing habits is in part driven by younger viewers, who watch more non-broadcast than broadcast content. In 2017, 16 to 34 year olds watched an average of two hours and 37 minutes of non-broadcast content a day across all devices, and two hours and 11 minutes of broadcast content. As a result, the average age of the demographic of broadcast TV viewers is increasing.144

    Ofcom has also highlighted a decline in pay-TV revenues in 2017 which indicates the challenge that pay-TV operators such as Virgin Media and Sky are facing from subscription VOD services. Figures show that the number of pay-TV subscriptions in the UK in Q1 2018 totalled 15.1 million, whereas the total number of subscriptions to Netflix, Amazon Prime Video and NowTV was 15.4 million. Subscribers have indicated that the high level of investment in original content is a key reason for signing up with these VOD services.145

    PSBs face challenges in light of this drastically changing landscape. While PSBs command half of all broadcast viewing, they are investing less money in first-run UK originals as increasingly they utilise third-party funding (such as co-production arrangements with third parties). However, Ofcom reports that the majority of viewers are either very or quite satisfied with PSB broadcasting, and that PSBs still provide a vital news service to viewers, with 84 per cent stating that a trustworthy news source is a PSB's most important purpose.146

    The consumption of sport viewing also looks set to change, with online streaming services such as Amazon Prime Video and Eleven Sports beginning to acquire sports rights.

    iv PSBs

    The BBC Royal Charter was renewed in early 2017 and runs to the end of 2027. From 3 April 2017, a unitary board has replaced the two-tier structure of the BBC Trust and the BBC's Executive Board as the BBC's governing body. The Board is responsible for ensuring that the BBC fulfils its mission and promotes its public purposes, including by setting the strategic direction for the BBC within the framework of the Charter and the accompanying Framework Agreement between the BBC and the Secretary of State for Culture, Media and Sport, and by setting the BBC's creative remit.147 Ofcom also became the BBC's first external regulator, developing an operating framework for the BBC that covers regulation of the BBC's performance, compliance with content standards and impact on competition. In October 2017, Ofcom published a new operating licence for the BBC. The licence requires the BBC to broadcast more original UK programmes, and also requires more BBC content to be made across the UK's nations and regions.148

    In November 2017, the BBC announced its decision to bring together two of its commercial subsidiaries, BBC Studios and BBC Worldwide, to trade as a single entity known as BBC Studios. The newly created BBC Studios launched on 3 April 2018. It is the primary entity for the BBC's commercial production and distribution activities globally.149

    Ofcom published the findings of its PSB Annual Research Report on 7 July 2017.150 Many of the headline findings are reiterated in the Media Nations: UK 2018 report (discussed above).

    Further, on 8 March 2018, Ofcom published a report that discusses the challenges facing PSBs in the context of increased media consumption via internet-delivered services and competition from global OTT services.151 Ofcom's findings include:

    1. the level of competition from global VOD platforms, along with the likes of Apple and Facebook, is creating a 'rush to scale' that is resulting in further market consolidation;
    2. public service broadcasting has so far held up well to increased global competition. The main PSB channels still account for half of all viewing and TV advertising has been fairly resilient, although Ofcom states that this is 'softening'. The reasoning for this is unclear, although Ofcom cites macroeconomic uncertainty and weakened consumer confidence as key drivers. While ITV has reduced its reliance on TV advertising revenues, Channel 4 is heavily reliant on advertising and sponsorship;
    3. young people are watching less scheduled TV, and brand awareness of the BBC among them is lower than Netflix and YouTube;
    4. Ofcom intends to support PSBs by strengthening its EPG Code through a consultation; and
    5. PSBs should continue to have access to digital terrestrial television (DTT) for at least the next 10 years, as mobile demand for the relevant spectrum has diminished due to 5G requiring spectrum at higher frequencies.

    The DEA added a requirement under the Act for Ofcom to periodically review and report on the provision by EPGs of information on and access to PSB channels and content via PSB VOD services. Ofcom published its first such report on 27 July 2018.152 The DEA also required Ofcom to review and revise the EPG Code prior to 1 December 2020. Pursuant to this, alongside its first EPG prominence report, Ofcom published a consultation on proposed changes to the linear EPG Code and options for the future regulation of prominence for VOD services.153 The closing date for responses was 5 October 2018. In the UK, regulations guarantee the PSBs' prominence on the traditional Ofcom-licensed linear EPGs, but no such protections are afforded to PSBs in respect of other search functionality (e.g., on connected devices and searches via voice) or in respect of PSB VOD services. While PSB VOD and catch-up services are currently generally well-positioned, this is due to commercial negotiation rather than regulation. Ofcom's proposals in respect of changes to the existing linear EPG Code154 include:

    1. the five main PSB channels (BBC One, BBC Two, Channel 3 services, Channel 4 and Channel 5) being guaranteed their current positions in the top five EPG slots (subject to regional variations for Wales);
    2. BBC Four being guaranteed a slot within the first three pages of any licensed EPG;
    3. BBC News, BBC Parliament, CBBC and CBeebies being guaranteed slots on the first page of the relevant EPG genre or section; and
    4. local TV services being located in the top three pages of any EPG.

    Additionally, Ofcom has analysed options for the future regulation of prominence in the context of VOD services (including the position of PSB VOD players and the availability of PSB content on a VOD basis elsewhere within platforms and via devices). Any such changes would be the subject of future legislation. Ofcom has stated that it would support new legislation to address the prominence of internet-delivered PSB content to secure the health of the PSB system and, accordingly, has invited responses in this area.


    i Brexit

    On 23 June 2016, the UK voted to leave the EU by a vote of 51.9 per cent in favour of leave to 48.1 per cent in favour of remain. The government invoked Article 50 of the Treaty on European Union on 29 March 2017, thereby starting the period of negotiation between the UK and the EU on the terms of the UK's exit, with exit taking effect once those negotiations have concluded or after two years (if sooner), irrespective of what terms have been agreed.

    The European Union (Withdrawal) Act 2018 (Withdrawal Act) received royal assent on 26 June 2018. It provides that, on exit day (11.00pm on 29 March 2019):

    1. the European Communities Act (ECA) 1972 shall be repealed;
    2. all existing EU legislation (including EU-derived legislation, such as national implementing legislation) shall be enshrined into British law;
    3. the jurisdiction of the CJEU over the UK shall end; and
    4. the government shall be permitted to remove or amend EU laws that apply to the UK (whether directly effective or enshrined in UK law by a separate Act of Parliament) with primary legislation and, in some cases, secondary legislation via the Henry VIII clauses.

    The Withdrawal Act includes a number of significant changes from the initial bill, many of which were recommended by the House of Lords Select Committee. For example, the Withdrawal Act now:

    1. provides the government with the discretion to amend the definition of 'exit day';
    2. requires Parliamentary approval of the terms of the UK's withdrawal from the EU for the withdrawal agreement to be ratified by the government and implemented in domestic legislation;
    3. provides that certain legal actions relating to a breach of the general principles of EU law that occurred before exit day will remain actionable, and can be brought, after exit day; and
    4. provides that returning EU powers that are technically within the legislative competence of the devolved authorities shall be exercised by the relevant devolved authorities, rather than reverting to the UK Parliament by default.

    Certain provisions came into force when the Withdrawal Act received royal assent. These include provisions relating to:

    1. the implementation of the Withdrawal Act itself;
    2. border arrangements with Northern Ireland;
    3. powers and restrictions relating to devolved authorities;
    4. Parliamentary approval of the outcome of negotiations with the EU;
    5. negotiations for a customs arrangement with the EU and family unity for asylum seekers in the EU;
    6. publication of a draft bill relating to maintenance of certain environmental principles; and
    7. the power to make secondary legislation under the Withdrawal Act, and the Parliament's and the devolved authorities' scrutiny of any such secondary legislation.

    The remaining provisions, which relate to repeal of the ECA and the enshrining of existing EU legislation into national law (and the concurrent loss of jurisdiction of European courts over its interpretation as applied in the UK and the sovereignty of Parliament to amend such laws), shall come into force as specified in regulations made by the government.

    The Withdrawal Act has been received with mixed feelings in the UK and in the EU. Within the UK, the Scottish government has refused to endorse the Withdrawal Act on the basis that it attempts to further centralise power within the UK Parliament to the detriment of the devolved regions. The Welsh government provided its endorsement only after months of negotiations. Critics within the EU query how the UK government can state that it provides equivalent protections to EU laws, for example in the context of personal data, while also retaining authority to amend at will any EU law that has been enshrined into national law. The European Parliament's report on transfers of personal data points to the sovereignty of the UK Parliament and the loss of jurisdiction of European courts as major stumbling blocks in the search for an alternative to the UK becoming a third country for the purposes of such data transfers after Brexit.155 As such, its status remains uncertain.

    The Withdrawal Act does not make direct provision for a transition period following exit day, and the impact of any such transitional period on the provisions of the Act remain unclear. The term of any such transition period is currently under negotiation between the UK and the EU; per the draft withdrawal agreement156 published on 19 March 2018, it is envisioned to last from 11.00pm on 29 March 2018 until 31 December 2020.

    ii Commission proposals for a DSM Strategy

    The Commission's ambitious DSM Strategy proposals (announced 14 September 2016) signpost that Europe's approach to digital market access is likely to:

    1. change significantly;
    2. dramatically enhance Europe's connectivity;
    3. rationalise its telecoms regulatory regime;
    4. end certain geographical restrictions on content; and
    5. reform the European copyright regime in favour of European interests.

    However, the proposals are ambitious both in terms of scale and cost: using the 5G Action Plan as an illustrative example, the Commission estimates that €500 billion in private investment will be required to deliver the Plan, of which it is projected there will be a €155 billion shortfall based on current investment trends. In February 2018, the Commission took a step forward regarding the Plan by establishing the 5G Observatory to monitor market developments in 5G technology and observe national strategies by EU Member States, particularly with regard to coverage and quality.157 The Commission, which appointed Mariya Gabriel to be responsible for the DSM as of July 2017, has indicated that part of the intent of the reforms, such as the 5G Observatory, is to stimulate competition and investment in the sector, but has also proposed the creation of a European Broadband Fund (to comprise both private and public funds) to help make up this shortfall. This proposal has yet to be tabled, but if the Commission's ambitions are to be met, it seems that a substantial amount of new or reallocated public funding for next-generation telecoms infrastructure is forthcoming. While the WiFi4EU initiative will be funded by the EU (for installation and equipment costs only) for an initial budgeted amount of €120 million, €70 million of this is reallocated funding from the Connecting Europe Facility. Only €50 million will be previously unallocated funds.

    On 22 June 2018, the Commission published a fact sheet that includes a timeline of DSM Strategy actions that had been taken up to that date.158 Recent progress has included the January 2018 Regulation establishing the European High Performance Computing Joint Undertaking; the successful abolition of roaming charges for travellers within the EU, which has been effective since June 2017; and the coming into force of the (directly effective) Portability Regulation on 1 April 2018.159 However, the continued application of the Portability Regulation in the UK post-Brexit will require a reciprocal agreement with the EU. It remains to be seen how the UK government will deal with data roaming surcharges post-Brexit – it has published a note indicating that, in the absence of a deal with the EU, the government would legislate to retain the requirement on mobile operators to apply a financial limit on mobile data usage while abroad.160 The government has also published a note on the impact on telecoms businesses in the event there is no Brexit deal. The government states that if the European Electronic Communications Code is adopted prior to exit day, but with a deadline for transposition into national law post-exit, the government would 'be minded to implement, where appropriate, its substantive provisions in UK law'.161

    Although many legislative proposals tabled as part of the DSM Strategy have now been agreed, it will be important to closely follow the progression of the outstanding proposals through the European Parliament and Council of the Member States' co-decision procedure, as it is likely that certain of these proposals will be softened before they are adopted. For example, the proposed Copyright Directive has been the subject of extensive lobbying, and the text approved by the European Parliament has been heavily revised when compared to the original proposal. It remains to be seen what form the final agreed version of the Directive will take.


    Recent years have seen privacy debates continued both inside and outside the courtroom, highlighting the ever-evolving regulatory landscape and the ongoing legal controversies about the scope and extent of a citizen's right to privacy. The implementation of the GDPR has been a milestone in the area of data protection law, and companies continue to take steps to adjust their policies as the ICO's and EU regulators' approach to, and appetite for, enforcement become clearer. A close eye should also be kept on the developments of the Draft ePrivacy Regulation as it continues through the legislative process.

    Following its fast-tracked introduction in 2014, the DRIPA legislation was declared incompatible with EU law on the basis that its data retention provisions violated the right of respect for private life and the protection of personal data, and its replacement, the IPA, will have to be amended in light of the UK High Court's findings in R (Liberty).

    An EU–US Privacy Shield is now in place to provide a legal basis for transfers of personal data to the US from the EU (replacing the Safe Harbor framework), but it is still the subject of further claims by privacy campaigners that it remains insufficient. Furthermore, standard contractual clauses are also being challenged in the courts. These solutions for transferring data will have to be updated to reflect the requirements of the GDPR in due course.

    Brexit will undoubtedly have an influence on the policy and regulatory landscape in the UK and the EU27. The extent and nature of this will become clearer as more specific details emerge from the UK's Brexit negotiations with the EU27.


    1 John D Colahan, Gail Crawford and Lisbeth Savill are partners at Latham & Watkins LLP. The authors would like to acknowledge the kind assistance of their colleagues Terese Saplys, Rachael Astin, Alexandra Luchian, Stewart Robinson, Pierre-Axel Aberg and Callum Rodgers in the preparation of this chapter.

    3 Directive (EU) 2016/1148.

    4 See Ofcom statement, Renewal of the co-regulatory arrangements for broadcast advertising, 4 November 2014, available at https://www.asa.org.uk/news/renewal-of-co-regulatory-arrangement-for-broadcast-advertising.html.

    5 Section 3(1) of the Act.

    6 Ofcom has concurrent powers to apply competition law along with the primary UK competition law authority, the Competition and Markets Authority (CMA). Enhanced concurrency arrangements came into effect on 1 April 2014 with the objective of increasing the enforcement of competition law in the regulated sectors by strengthening cooperation between the CMA and sector regulators, including Ofcom, referred to as concurrency. The most recent Annual Report on concurrency was published by the CMA on 30 April 2018, available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/703566/annual_concurrency_report_2018_cma79.pdf.

    11 Regulation (EC) No. 1211/2009 of the European Parliament and of the Council of 25 November 2009 establishing BEREC and the Office.

    12 Directive 95/46/EC.

    21 Public interest test on the proposed acquisition of Sky plc by Twenty-First Century Fox, Inc, available at www.ofcom.org.uk/consultations-and-statements/category-3/public-interest-test-sky-fox.

    22 The CMA's provisional findings and final report are available at https://www.gov.uk/cma-cases/twenty-first-century-fox-sky-merger-european-intervention-notice.

    25 Note, however, that changes in control of certain radio communications and TV and radio broadcast licences arising as a result of mergers and acquisitions may in certain circumstances require the consent of Ofcom.

    26 The CMA and Ofcom have signed a memorandum of understanding in respect of their concurrent competition powers in the electronic communications, broadcasting and postal sectors. This is available at www.gov.uk/government/uploads/system/uploads/attachment_data/file/502645/Ofcom_MoU.pdf.

    27 There is also the power to take appropriate measures nationally to protect the plurality of the media under Article 21(4) of the EU Merger Regulations (Regulation 139/2004/EC).

    37 Available at https://ec.europa.eu/digital-single-market/en/news/geo-blocking-regulation-questions-and-answers.

    44 See the DCMS's consultation on the Connection Vouchers Scheme, 25 June 2013. Available at www.gov.uk/government/uploads/system/uploads/attachment_data/file/239182/BDUK_vouchers.pdf.

    49 Review of the wholesale broadband access markets, Ofcom, 3 December 2010. Available at http://stakeholders.ofcom.org.uk/binaries/consultations/wba/statement/wbastatement.pdf.

    50 Business Connectivity Market Review: Leased lines charge controls and dark fibre pricing. Available at http://stakeholders.ofcom.org.uk/binaries/consultations/llcc-dark-fibre/summary/llcc-dark-fibre.pdf.

    53 Available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/695097/creative-industries-sector-deal-print.pdf.

    54 Directive (2000/31/EC.

    55 Directive 2002/58/EC.

    56 Directive 2009/136/EC.

    57 In Patrick Breyer v. Bundesrepublik Deutschland (C-582/14), the CJEU ruled in October 2016 that where a website operator holds IP addresses and has 'the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person', then these will be classified as personal data.

    73 Ibid.

    74 General Data Protection Regulation: Recitals 26, 30 and 32.

    75 General Data Protection Regulation: Article 7(3).

    76 General Data Protection Regulation: Articles 33 and 34.

    77 General Data Protection Regulation: Article 83(4)(a).

    78 Digital Rights Ireland and Seitlinger and o=Others, joined cases C-293/12 and 594/12, 8 April 2014.

    79 Directive 2006/24/EC.

    80 Judgment in joined cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others.

    81 Data Retention and Investigatory Powers Act 2014.

    82 R (Davis & Watson) v. Secretary of State for Home Department [2015] EWHC 2092.

    83 Secretary of State for the Home Department v. Watson [2018] EWCA Civ 70.

    84 Ibid.

    85 R (on the application of National Council for Civil Liberties (Liberty)) v. Secretary of State for Home Department [2018] EWHC 975.

    87 General Data Protection Regulation: Recitals 38 and 75.

    88 General Data Protection Regulation: Article 8.

    89 General Data Protection Regulation: Article 17.

    91 Crime and Courts Act 2013.

    93 Click Clever Click Safe: The first UK Child Internet Safety Strategy, available at http://webarchive.nationalarchives.gov.uk/20100409070351/http://www.dcsf.gov.uk/ukccis/download-link.cfm?catstr=research&downloadurl=UKCCIS%20Strategy%20Report-WEB1.pdf.

    96 National Cyber Security Centre prospectus available at www.gov.uk/government/publications/national-cyber-security-centre-prospectus.

    100 Directive 2002/21/EC.

    101 Directive 2002/20/EC.

    105 Laying the foundations for next generation mobile services, update on bands above 6GHz, Ofcom, 20 April 2015. Available at http://stakeholders.ofcom.org.uk/binaries/consultations/above-6ghz/5G_CFI_Update_and_Next_Steps.pdf.

    106 Available at http://media.ofcom.org.uk/news/2016/speeding-up-wi-fi.

    111 Ibid.

    124 The country of origin principle is found in two places: The AVMSD (Directive 2010/13/EU) is based on the country of origin principle, whereby service providers are subject to the regulations in their country of origin only and are not subject to regulation in the destination country, except in limited circumstances (Article 2(1)). Under the Satellite and Cable Directive (Directive 98/83/EEC), this principle effectively allows broadcasters to clear rights for satellite broadcasting in one Member State and allows them to then make their satellite transmissions available in other Member States.

    125 Article 3(1) of AVMSD.

    126 Recital 54 of AVMSD.

    127 Excluding Belgium, Denmark, Greece, Ireland, Luxembourg, the Netherlands and Sweden.

    129 Article 4 of Council of Europe Convention on Transfrontier Television.

    130 See Article 1(1)(n) of AVMSD.

    136 Proposal for a Regulation of the European Parliament and of the Council on the cross-border exchange between the Union and third countries of accessible format copies of certain works and other subject matter protected by copyright and related rights for the benefit of persons who are blind, visually impaired or otherwise print disabled – COM (2016) 595, 14 September 2016; and Proposal for a Directive of the European Parliament and of the Council on certain permitted uses of works and other subject-matter protected by copyright and related rights for the benefit of persons who are blind, visually impaired or otherwise print disabled and amending Directive 2001/29/EC on the harmonisation of certain aspects of copyright and related rights in the information society – COM (2016) 596, 14 September 2016; available at https://ec.europa.eu/digital-single-market/en/modernisation-eu-copyright-rules.

    149 For further information, see: https://www.bbcstudios.com/about/about-us/.