The Technology, Media and Telecommunications Review: United Kingdom


The Office of Communications (Ofcom) and the Communications Act 2003 (Act) regulate the UK communications landscape. Ofcom's current priorities are set out in its 2020–21 Annual Plan (updated in September 2020).2 They include improving broadband and mobile coverage across the UK, protecting consumer rights, supporting UK broadcasting by maintaining a media environment that supports society, protecting consumers online, enabling strong and secure networks, sustaining the universal postal service during the covid-19 pandemic, and increasing diversity and inclusion. Legislation and government guidance on changes to law with effect from 1 January 2021 should also be noted.

European and national law and standards currently govern the UK data protection framework (and equivalent standards will continue to apply following Brexit) and impose compliance obligations on organisations that process personal data. These rules apply broadly to, inter alia, the collection, use, storage and disclosure of personal data. In general, personal data is defined as information relating to an identified or identifiable natural person who can be identified directly or indirectly from that data (e.g., names, contact information, or special categories of personal data such as health data).

These laws and regulations have undergone substantial change as a result of the General Data Protection Regulation (GDPR), which came into force on 25 May 2018 across Europe, and the UK government's implementing legislation – the Data Protection Act 2018 (DPA) – which came into force on 23 May 2018. The legal landscape in this sector has also been impacted by the Network and Information Security Directive (NISD)3 (adopted by the European Parliament in July 2016 and implemented in the UK by the Network and Information Systems Regulations 2018 (NIS Regulation), effective as of 10 May 2018), which is the first EU-wide legislation on cybersecurity. The GDPR and NISD introduce significant fines based on a percentage of global turnover, similar to the regime imposed for antitrust violations. In relation to Brexit implications, both the GDPR and NISD have been implemented into UK national law, as a result of which equivalent standards for data protection and cybersecurity have already been established in the UK and will continue to apply post-Brexit (at least in the short and medium terms).


i The regulators and key legislation

Ofcom is the independent communications regulator in the UK. The Department for Digital, Culture, Media and Sport (DCMS) remains responsible for certain high-level policy, but most key policy initiatives are constructed and pursued by Ofcom. Ofcom has largely delegated its duties in respect of advertising regulation to the Advertising Standards Authority (ASA). The Committee of Advertising Practice is responsible for writing and updating the Non-broadcast Code and the Broadcast Committee of Advertising Practice is responsible for the Broadcast Code. On 1 November 2014, Ofcom renewed its 10-year contract with the ASA for broadcast advertising regulation until 2024.4

Ofcom has concurrent powers to apply competition law along with the primary UK competition law authority, the Competition and Markets Authority (CMA). Enhanced concurrency arrangements came into effect on 1 April 2014 with the objective of increasing the enforcement of competition law in the regulated sectors by strengthening cooperation between the CMA and sector regulators, including Ofcom.

Ofcom's principal statutory duty (pursuant to the Act) is to further the interests of citizens in relation to communications matters and to further the interests of consumers in relevant markets, where appropriate by promoting competition.5 Ofcom's main duties include:

  1. ensuring optimal use is made of the radio spectrum;
  2. ensuring the UK has a wide range of electronic communications services;
  3. ensuring a wide range of high-quality television and radio services are provided by a range of different organisations, appealing to a range of tastes and interests;
  4. ensuring people are protected from harmful or offensive material, unfair treatment and invasion of privacy on television and radio;
  5. ensuring the BBC is held to account on its compliance with appropriate content standards, its performance against its mission and public purposes, and the impact of its activities on fair and effective competition; and
  6. ensuring the universal service obligation on postal services is secured in the UK.

Ofcom's priorities and major work areas for 2020 and 2021 were published on 30 April 2020,6 and updated on 29 September 2020.7

The prevailing regulatory regime in the UK is contained primarily in the Act, which entered into force on 25 July 2003. Broadcasting is regulated under a separate part of the Act in conjunction with the Broadcasting Acts of 1990 and 1996. Other domestic and European legislation also affects this area, including:

  1. the Wireless Telegraphy Act 2006;
  2. the Digital Economy Act 2010;
  3. the Consumer Rights Act 2015;
  4. the GDPR and the Data Protection Act 2018, and following the end of the Brexit transition period, the UK-GDPR;
  5. the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011);
  6. European Regulation 2017/003 (e-Privacy Regulation), once it takes effect;
  7. the NISD and the NIS Regulation;
  8. the Freedom of Information Act 2000;
  9. the Investigatory Powers Act 2016;
  10. the Enterprise Act 2002;
  11. the Copyright, Designs and Patents Act 1988 (CDPA);
  12. the Digital Economy Act 2017 (DEA);
  13. the Competition Act 1998;
  14. the European Electronic Communications Code Directive,8 establishing the European Electronic Communications Code; and
  15. the European Union (Withdrawal) Act 2018.

The European data protection regime has undergone wholesale reform with the introduction of the GDPR, which became applicable on 25 May 2018, and the UK implementing legislation, the Data Protection Act 2018, which came into effect on 23 May 2018. This legislation replaces the previous Data Protection Directive9 and the corresponding UK implementing legislation, the Data Protection Act 1998, and introduces more stringent standards and an enhanced enforcement regime.

In April 2018, the government announced in the Modernising Consumer Markets Green Paper10 that it would review the regulatory model for providing various consumer-facing services, including utilities, telecoms and financial services, with a particular focus on ensuring that consumers benefit from new technology while ensuring that personal data is protected. It simultaneously launched a call for evidence on the review of competition law. The consultation closed on 4 July 2018. Following this, the UK government appointed an expert panel to examine competition in the data economy and explore what steps were possible to ensure that new technology markets support healthy competition. The panel ran from September 2018 to March 2019 and culminated in a final report of recommendations to the government (the Furman Report).11 The recommendations in the Furman Report included:

  1. the establishment of a digital markets unit, with three functions: developing a code of competitive conduct with the participation of stakeholders, enabling greater personal data mobility and systems with open standards, and advancing data openness. This unit would have links to the Competition and Markets Authority (CMA) and Ofcom and a strong relationship with the Information Commissioner's Office (ICO);
  2. a revision of merger assessment in digital markets. The revisions would entail the CMA taking more frequent, and firmer, action on mergers that could be detrimental to consumer welfare through reducing future levels of innovation and competition;
  3. updates to the CMA's enforcement tools against anticompetitive conduct to protect and promote competition in the digital economy. The Report notes that existing tools have been used infrequently in a digital markets context, and that cases have moved slowly;
  4. the government, the CMA and the Centre for Data Ethics and Innovation continuing to monitor how use of machine learning algorithms and artificial intelligence evolves to ensure it does not lead to anticompetitive activity or consumer detriment, in particular to vulnerable consumers;
  5. the CMA conducting a market study into the digital advertising market encompassing the entire value chain, using its investigatory powers to examine whether competition is working effectively and whether consumer harms are arising. On 1 July 2020, the CMA published its final report concluding the market study into online platforms and advertising. The CMA concluded that it will not be launching a market investigation, as this would risk cutting across broader regulatory reform and would be inappropriate at this time given the disruption caused by the covid-19 pandemic. The CMA also concluded that existing laws are not suitable for effective regulation and recommended that the UK government introduce legislation for what the CMA described as 'a new ex ante pro-competition regulatory regime to govern the behaviour of major platforms funded by digital advertising'. The CMA has launched a Digital Markets Taskforce in conjunction with Ofcom and the ICO to advise the UK government on designing the regulatory regime. The Taskforce will focus on the test that might be used to identify firms with strategic market status (SMS), which online activities may be regulated, and the remedies that could be applied for harm. Stakeholders were invited to send their responses and complete questionnaires by 31 July 2020. The Taskforce intends to provide advice to the UK government by the end of 2020; and
  6. the government engaging internationally on the recommendations it chooses to adopt, encouraging closer cross-border cooperation between competition authorities in sharing best practice and developing a common approach to issues across international digital markets. The CMA acknowledged in its final report published on 1 July 2020 that many of the concerns identified in digital markets are international in nature and, as such, has engaged with other international competition authorities with a view to developing a consensus. The CMA has stated that it intends to advocate proactively for ex ante regulation for platforms.

ii Regulated activities

Ofcom oversees and administers the licensing for a range of activities, including, broadly speaking, mobile telecommunications and wireless broadband, broadcast TV and radio, postal services, and the use of radio spectrum.

The Act replaced the system of individual licences with a general authorisation regime for the provision of electronic communications networks (ECNs) and electronic communications services (ECSs). Operators of ECNs and ECSs are able to provide networks or services to the public without the need for prior authorisation from Ofcom where they have complied with the general conditions of entitlement. A revised version of the general conditions came into force on 1 October 2018. As well as the general conditions, individual ECN and ECS operators may also be subject to further conditions specifically addressed to them. These fall into four main categories: universal service conditions, access-related conditions, privileged supplier conditions, and conditions imposed as a result of a finding of significant market power (SMP) of an ECN or ECS operator in a relevant economic market.

Use of radio spectrum requires a licence from Ofcom under the Wireless Telegraphy Act 2006 (subject to certain exemptions).

Television and radio broadcasting requires a licence from Ofcom under the Broadcasting Act 1990 or 1996. Providers of on-demand programme services have to notify Ofcom of their services in advance.

iii Ownership and market access restrictions

No foreign ownership restrictions apply to authorisations to provide telecommunications services, although the Act directs that the Secretary of State for DCMS may require Ofcom to suspend or restrict any provider's entitlement in the interests of national security.

In the context of media regulation, although the Act and the Broadcasting Acts impose restrictions on the persons that may own or control broadcast licences, there are no longer any rules that prohibit those not established or resident in the EEA from holding broadcast licences.

iv Transfers of control and assignments

For transactions that do not fall within EU merger control jurisdiction, the UK operates a merger regime in which the parties to a transaction can choose whether to notify a transaction prior to closing. The UK CMA monitors transactions prior to closing and has the power to intervene in un-notified transactions prior to closing or up to four months from the closing of a transaction being publicised. Where the CMA intervenes in a closed transaction, its policy is to impose a hold-separate order.12

The administrative body currently responsible for UK merger control is the CMA. The CMA consults Ofcom when considering transactions in the broadcast, telecommunications and newspaper publishing markets.13

The Secretary of State also retains powers under the Enterprise Act 2002 to intervene in certain merger cases, which include those that involve public interest considerations. In the context of media mergers, such considerations include the need to ensure sufficient plurality of persons with control of media enterprises serving UK audiences; the need for the availability throughout the UK of high-quality broadcasting calculated to appeal to a broad variety of tastes and interests; and the need for accurate presentation of news, plurality of views and free expression in newspaper mergers. Importantly, the Secretary of State is subject to the same four-month time limit to intervene in un-notified transactions as the CMA, as confirmed by the Competition Appeal Tribunal.14 In such cases, the Secretary of State may require Ofcom to report on a merger's potential impact on the public interest as it relates to ensuring the sufficiency of plurality of persons with control of media enterprises. Ofcom is also under a duty to satisfy itself as to whether a proposed acquirer of a licence holder would be fit and proper to hold a broadcasting licence pursuant to Section 3(3) of each of the 1990 and 1996 Broadcasting Acts.15

Following the 2017 National Security and Infrastructure Investment Review Green Paper,16 amendments to the UK's merger control regime for transactions in the defence and technology sectors came into force on 11 June 2018. The aim of the amendments is to provide greater powers for the Secretary of State to intervene in transactions on public interest grounds. Among other changes, under the new rules, the target turnover threshold has been lowered from £70 million to £1 million for transactions between parties operating in either the design and maintenance of aspects of computing hardware or the development of quantum technology.17

In June 2020, in the context of the covid-19 pandemic, the UK government announced that it would introduce a new public interest consideration under the Enterprise Act 2002 under which the UK Secretary of State can intervene in transactions on public health emergency grounds.18

In July 2020, the UK's merger regime for transactions in the defence and technology sectors was further amended to include three additional categories of enterprises (artificial intelligence, advanced materials and cryptographic authentication) to which the lower £1 million threshold and lower share of supply threshold apply.19

v DSM: e-commerce, online platforms, geo-blocking and telecoms


On 6 May 2015, the Commission published a Communication on a Digital Single Market (DSM) Strategy for Europe. This Strategy aims to make the EU's single market fit for the digital age through three pillars: better online access for consumers and businesses across Europe; creating the right conditions and a level playing field for advanced digital networks and innovative services; and maximising the growth potential of the digital economy. The Strategy includes legislative proposals in a range of areas with a view to making cross-border e-commerce easier, ending unjustified geo-blocking, reforming the copyright regime and reducing burdens due to different VAT regimes. Twenty-eight of these proposals have been agreed or finalised by the European Parliament and the Council of the European Union, and an update on progress was provided in a DSM factsheet published by the Commission in July 2019.20

A further initiative as part of the European Digital Strategy is the Digital Services Act package announced by the European Commission to strengthen the Single Market for digital services and foster innovation and competitiveness of the European online environment, based on two main pillars: framing the responsibilities of digital services and ex ante rules covering large online platforms acting as gatekeepers. In June 2020, the Commission initiated a public consultation, which closed on 8 September 2020, to identify specific issues that may require EU-level intervention.21


On 10 May 2017, the Commission published a report on the e-commerce sector enquiry. One of the main points the Commission raised was that, with the growth of e-commerce, business practices have emerged that may raise competition concerns, such as pricing restrictions and online marketplace (platform) bans. The Commission noted that it is important to avoid diverging interpretations of the EU competition rules in e-commerce markets, which may in turn create obstacles for companies to the detriment of a DSM. One significant development has been the abolition of retail roaming charges throughout the EU, effective from 15 June 2017, as part of the ongoing focus on promoting cross-border e-commerce. Since the roaming charges developments, the Commission's focus for e-commerce reforms has been preventing unjustified geo-blocking (discussed in more detail below), as well as revised general consumer protection rules.

Online platforms

The Commission has emphasised the role of online platforms, with one million businesses already selling goods and services via online platforms and more than 50 per cent of SMEs that operate through online marketplaces selling cross-border.22 In May 2016, it published a communication that proposed ways to foster development of such platforms and identified two specific issues for further investigation: safeguarding a fair and innovation-friendly business environment; and ensuring that illegal content online is removed from online platforms in a timely and effective manner, with proper checks and balances.23 In its mid-term review, the Commission identified online platforms as one of three emerging challenges, and proposed the implementation of actions to tackle these challenges.24 The result, announced by the Commission on 26 April 2018, was a proposed suite of new standards on transparency and fairness in relation to online platforms, which were agreed by the Commission, Parliament and Council in February 2019 and adopted on 14 June 2019. The aim of these new rules is to take an initial step in regulating online platforms, and to create a fair, transparent and predictable business environment for smaller businesses when using online platforms. The new Regulation (Regulation on promoting fairness and transparency for business users of online intermediary services, or the Platform to Business Regulation25) includes measures seeking to reduce unfair trading practices, increase transparency and resolve disputes more effectively, and establishes an EU Observatory on the Online Platform Economy to monitor the impact and implementation of the new rules.26 The new Regulation came into force on 20 June 2020, and will be subject to a review within 18 months of that date.


On 27 February 2018, the EU adopted the Geo-blocking Regulation, which applies from 3 December 2018. The Regulation prohibits unjustified geo-blocking, and other forms of discrimination, based on customers' nationality, place of residence or place of establishment. The Regulation tackles the concern that geo-blocking potentially limits online shopping and cross-border trade, and leads to undesirable geographical market segmentation. Importantly, electronically supplied services offering copyright-protected content are excluded from the Regulation: territorial exclusivity is essential for the creative industries to monetise and exploit their content, and the Commission argues that facilitating access to audiovisual services across borders is part of other initiatives under the DSM Strategy.27 For this reason, the Regulation does not affect online television, films, streamed sports, music, e-books or games. However, the Commission has stated its intention to evaluate the Regulation's impact two years after its entry into force to assess the possibility of an extension of the new rules to online services related to non-audiovisual copyright-protected content; this review is expected to be released in 2021.


The current European Commission telecoms and connectivity proposals include:

  1. recasting the Framework, Authorisation, Access and Universal Services Directives as one directive, the European Electronic Communications Code;
  2. upgrading BEREC to a fully fledged EU agency;
  3. a 5G Action Plan for the development and deployment of 5G networks in Europe; and
  4. a WiFi4EU initiative to help European villages and cities roll out free public Wi-Fi.

In December 2018, the Commission adopted the European Electronic Communications Code (the Code) and a revised remit for the Body of European Regulators for Electronic Communication (BEREC). The Commission implemented these changes as a step towards modernising and improving connectivity.

The Code aims to address and harmonise spectrum policy and regulation, including spectrum auction timing, across the single market in part to stimulate competition and investment in 5G networks. It also tries to address new technologies and services that are not clearly contemplated by current legislation. In the UK, the rules and timelines for the spectrum auctions were announced by Ofcom in July 2017. The results of the principal bidding stage were announced on 5 April 2018.28 Ofcom confirmed in August 2020 that it would auction more airwaves through a bidding process due to start in January 2021.29

Over-the-top (OTT) services would be classified as a sub-class of ECS and subject to regulations concerning security (including security audits) and interconnectivity (among end users and to emergency services). Other amendments regarding number allocation have been made to address potential competition issues with the expected advent of the internet of things (IoT) and machine-to-machine (M2M) communication: national regulators would be allowed (but not required) to assign numbers to undertakings other than providers of ECNs and services. The Code moves away from universal service access requirements to legacy technologies (e.g., public payphones) and replaces them with a requirement to ensure end users have access to affordable, functional internet and voice communication services, as defined by reference to a dynamic basket of basic online services delivered via broadband. In addition, the Code contains additional consumer protections via proposed regulations requiring telecoms providers to provide contract summaries and improved comparison tools.

The regulatory role of BEREC has been enhanced with a view to improving regulatory consistency across the single market. For example, decisions on spectrum assignment are subject to a peer review process whereby BEREC issues an opinion on whether a decision should be amended or withdrawn to ensure consistent spectrum assignment. BEREC can also issue an opinion on any remedy proposed by an NRA in relation to maintaining the Code's objectives. BEREC has also been granted legally binding powers, including a double-lock system in relation to any draft remedy proposed by an NRA. New rules on cheaper intra-EU calls are also intended to cap the retail price of mobile or fixed calls from the customer's home Member State to another EU Member State. There will also be a cap for intra-EU text messages. The new caps started to apply as early as 15 May 2019.

In terms of policy proposals, the 5G Action Plan proposes to bring uninterrupted 5G coverage to all major European urban areas and transportation corridors by 2025, with several interim deadlines relating to, inter alia, spectrum assignment and development of global 5G standards (2019). In December 2017, Urve Palo, Minister of Entrepreneurship and Information Technology, set out the deployment road map and detailed commitments, for example to transpose the Code into national law by 21 December 2020. The specifics of the 5G Action Plan, such as the development of 5G standards, are still evolving. There is limited guidance on funding for the 5G Action Plan, although the Code itself has stimulated such investment to an extent, and the Commission has launched the European Broadband Fund (combining private and public investments) to support network deployment throughout the EU. The Commission has also committed to exploring a proposal by a telecoms industry group to provide a venture-financing facility (jointly funded by public and private sources) for start-ups developing 5G technologies and applications.

The WiFi4EU initiative intends to assist local authorities to offer free Wi-Fi connections in parks, libraries and other public spaces by providing local authorities with small grants of up to €60,000 (from a total initial budget of €120 million) for equipment and installation costs. In May 2017, the European Parliament, Council and Commission reached a political agreement on the initiative and its funding, and as of May 2018, local communities have been able to apply for WiFi4EU vouchers to set up free public Wi-Fi networks. There have been two calls for members of the public to apply for funding in connection with WiFi4EU (in November 2018 and April 2019 respectively). To date a combined total budget of over €130 million has been allocated to implement free Wi-Fi across the EU, and 29,195 municipalities have registered for the initiative.30 It is intended that this will develop into a more harmonised telecoms regulatory regime, with an advanced 5G network that could be in place by 2025.

Telecommunications & internet access

i Internet and internet protocol regulation

As previously noted, the Act is technology-neutral, and as such there is no specific regulatory regime for internet services. ISPs are also ECNs or ECSs depending on whether they operate their own transmission systems, and are entitled to provide services under the Act in compliance with the general conditions and, where applicable, specific conditions.

VoIP and VoB are specifically subject to a number of general authorisation conditions under the Act, such as those related to emergency call numbers.

In the context of the net neutrality debate, the Revised EU Framework adopted a range of internet traffic management provisions allowing NRAs such as Ofcom to adopt measures to ensure minimum quality levels for network transmission services, and to require ECN and ECS operators to provide information about the presence of any traffic-shaping processes operated by ISPs. These provisions were implemented into UK law.

From April 2016, the Regulation on Open Internet Access31 put in place EU-wide rules for net neutrality, and granted end users rights to access and distribute information and content, use and provide applications and services, and use terminal equipment of their choice, irrespective of such end user's or provider's location (Article 3(1)). The aim is that users will have access to online content that is not subject to discrimination or interference. Likewise, companies may not pay for prioritisation, so access to an SME's website will not be unjustly slowed down to allow access for larger companies. The requirement that all internet traffic be treated equally is subject to exceptions to:

  1. comply with EU or national legislation related to the lawfulness of content or with criminal law;
  2. preserve the security and integrity of the network such as to combat viruses;
  3. minimise network congestion that is temporary or exceptional; and
  4. filter spam (i.e., to filter unsolicited communications and allow parents to set up parental filters).

In terms of the latter, such measures need to be transparent, non-discriminatory and proportionate, and must not be maintained for longer than is necessary. Likewise, providers of internet access services must publish information on traffic-management measures in end user contracts, along with details on the privacy of end users and the protection of their personal data. Notably, NRAs are required to monitor and enforce the open internet rules, although it is for Member States to lay down rules on the penalties applicable for infringements of the net neutrality provisions. Ofcom's latest annual report on its approach to assessing compliance with the Regulation on Open Internet Access was published in July 2020.32 Ofcom's report covers monitoring the quality of internet access services; safeguarding open internet access; transparency measures; and complaints and remedies. The Regulation on Open Internet Access requires NRAs, such as Ofcom, to issue such reports annually.

ii Universal service

Universal service is provided under the Act by way of the Universal Service Order. Effective from April 2018, the Secretary of State published an order for a minimum affordable broadband connection to be available throughout the UK providing, inter alia, a download sync speed of at least 10Mbps and the capability to allow data usage of at least 100GB per month.33 The Order in the UK covers ECNs and ECSs and activities in connection with these services. Ofcom designated BT and KCOM as universal service providers in the geographical areas they cover; in June 2019, Ofcom published a statement setting conditions for the delivery of Universal Service Order connections and services by the universal service providers.34 Consumers and businesses have been able to request connections since 20 March 2020.35

Access and interconnection are regulated in the UK by EU competition law and specific provisions in the Act aimed at increasing competition. The General Conditions require all providers of public ECNs to negotiate interconnection with other providers of public ECNs. Specific access conditions may also be imposed on operators with SMP. Although prices charged to end users are not regulated, Ofcom may regulate wholesale rates charged by certain operators to alternative operators for network access. This is the case, inter alia, for wholesale fixed termination rates, wholesale mobile call termination rates, wholesale broadband access rates, local loop unbundling and wholesale line rental services.

iii Restrictions on the provision of service

The Digital Economy Act 2010 (DEA 2010) includes provisions that were aimed at tackling online copyright infringement as a result of file sharing. Among the provisions of the DEA is a maximum penalty for online copyright infringement of 10 years. It empowers the Secretary of State to impose obligations on ISPs to limit the internet access of subscribers who engage in online copyright infringement. Under the DEA 2010, Ofcom proposed a code of practice governing the initial obligations on ISPs. A second draft was published in June 2012. However, this version, and legislation on cost sharing in relation to the new obligations on ISPs, have not been finalised, and it is unclear whether they will ever come into force. Instead, the government has looked to industry to develop voluntary measures. In July 2014, the DCMS announced a scheme, Creative Content UK, spearheaded by ISPs and media industry leaders, to raise awareness of copyright infringement and warn internet users whose accounts are used to illegally access and share copyright material. The subscriber alert programme, which was initially known as the Voluntary Copyright Alert Programme (VCAP), evolved to encompass the Get it Right from a Genuine Site campaign launched in January 2017.

In March 2018, the government launched the Creative Industries Sector Deal, which included various specific commitments of interest concerning the tackling of online infringement of copyright. As part of the deal, funding was committed to extend the Get it Right from a Genuine Site campaign.36

The availability of defences for online intermediaries in respect of unlawful content is currently governed primarily at a European level by the E-Commerce Directive,37 as implemented into UK law by the Electronic Commerce (EC Directive) Regulations 2002 and applicable case law (although the implementation of the new Copyright Directive will bring changes to the current EU regime). The E-Commerce Directive sets out defences for intermediary information society service providers.

iv Security

Privacy and consumer protection overview

In the UK, consumers' personal data is primarily protected by the GDPR and DPA; the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (ePrivacy UK Regulations), which implement the EU Directive on Privacy and Electronic Communication,38 as amended by the ePrivacy Directive;39 and the NISD and NIS Regulation. The GDPR has significantly changed the current UK – and broader European – data protection framework. In line with the Commission's DSM Strategy and the reforms brought in by the GDPR, the ePrivacy Directive is also undergoing reform. In 2017, the Commission proposed a draft ePrivacy Regulation (Draft ePrivacy Regulation),40 which is currently partway through the European legislative review process. However, no draft has yet been agreed by the Member States in the Council, and negotiations on the latest draft are ongoing.

The GDPR continues to be directly applicable in the UK during the Brexit transition period (31 January 2020 to 31 December 2020), alongside the DPA. Following the end of that transition period, the DP Brexit Regulations41 will come into force to put in place the UK's post-Brexit data protection regime. The retained EU GDPR and the UK's 'applied GDPR' (i.e., the EU GDPR as applied via the DPA in areas otherwise outside the scope of the EU GDPR) are effectively merged to create the UK-GDPR. The DPA continues to apply, subject to amendments made by the DP Brexit Regulations to ensure the proper functioning of the DPA in conjunction with the UK-GDPR. In effect, the UK regime will therefore retain the standards of the EU GDPR following Brexit, but the UK-GDPR will not automatically incorporate any changes made to the EU GDPR in the future. Following the end of the transition period, in certain circumstances an organisation in the UK may need to comply with both the EU GDPR and the UK-GDPR/DPA. This would be the case if the UK organisation is either processing personal data about European individuals prior to 31 December 2020 (in which case the EU GDPR will continue to apply to that ongoing processing), or if it has operations in or provides services to individuals in the EU and is caught by the EU GDPR's extraterritorial application.

Data protection

The GDPR and DPA impose strict controls on the use or 'processing' (including disclosure) of personal data, including:

  1. providing specific conditions that must be met to ensure personal data is processed fairly, lawfully and in a transparent manner, such as that the individual has consented or that the processing is necessary for the purposes of fulfilling a contract;
  2. the requirement that data can generally only be processed for the purpose for which it was obtained and for no longer than is necessary, must be kept accurate and up to date, and must not be excessive;
  3. the requirement that data be kept secure (i.e., be protected against unlawful processing and accidental loss, destruction or damage);
  4. the restriction that data cannot be transferred to countries outside the EEA unless certain conditions are met, such as signing the European Commission-approved Standard Contractual Clauses for personal data export; and
  5. the requirement that personal data be processed in accordance with the rights of the data subject under the GDPR, including that individuals have a right to access the personal data held about them, and a right in certain circumstances to have inaccurate personal data rectified or destroyed, among various other rights.

As noted above, the GDPR has significantly changed the current UK – and broader European – data protection framework. The key changes under the GDPR include:

  1. the implementation of the new rules as a regulation, rather than a directive, such that it is directly applicable in every Member State (though Member States are permitted certain derogations in a number of areas);
  2. the removal of the requirement to notify or register data processing activities with national regulators; however, controllers and processors will need to keep their own record of processing which is disclosable to national regulators;
  3. an expanded extraterritorial effect, resulting in the regulation applying not only to organisations established within the EEA, but also to organisations established outside the EEA but offering goods or services to, or monitoring the behaviour of, individuals in the EEA. Such non-EEA organisations are required to appoint a legal representative within the EEA, to enable national regulators to effectively communicate with, and take enforcement action against, those organisations without an EEA presence;
  4. a tightening of the requirements for valid consent, with the effect that consent will only be deemed to be valid if it is freely given, specific, informed and unambiguous;
  5. a stricter approach to the export of data outside the EEA, resulting from the general standards of data protection being raised throughout the Regulation as a whole;
  6. the introduction of mandatory data breach notification requirements (including notification to both national regulators and, in certain circumstances, to data subjects affected by a breach). On the occurrence of a breach that is likely to result in harm to individuals, organisations must now inform the ICO without undue delay and, where feasible, not later than 72 hours after becoming aware of a data breach;
  7. a right to data portability that will require the data controller to provide information to a data subject in a machine-readable format, in certain circumstances, so that it may be transferred to another controller;
  8. maximum fines of the higher of up to €20 million or 4 per cent of an organisation's annual global turnover for breaches. The GDPR relies on the European antitrust concept of 'undertaking' for the purposes of calculating fines, which encompasses wider corporate groups rather than looking solely at specific legal entities;
  9. certain categories of online identifiers such as internet cookies and IP addresses may be classified as personal data;42 and
  10. new definitions termed genetic data and biometric data, which include data relating to characteristics obtained during foetal development and data that allows the unique identification of a person to be confirmed through facial images or dactyloscopic data – now categorised as special categories of personal data (i.e., sensitive personal data).

The GDPR permits certain derogations by Member States, and the DPA seeks to provide for these accordingly to accommodate various existing UK statutes. For instance:

  1. it includes exemptions for journalists, research organisations, financial services firms (for anti-money laundering purposes) and employers (to process special categories of personal data and criminal conviction data without consent to comply with employment law obligations);
  2. certain actions (with some exceptions for actions necessary for preventing crime, etc.) relating to data will be criminal offences (subject to a fine), for example obtaining, procuring, retaining or selling data against a controller's wishes (even where lawfully obtained); intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data (or knowingly processing such data); and altering records with the intent to prevent disclosure following a subject access request; and
  3. a parent's or guardian's consent will be required to process the personal data of a child who is under 13 years old (the GDPR permits Member States to set this age between 13 and 16 years old).

Litigation and EU–US transfers of personal data

There are several legal bases for the transfer of personal data from the EU and the UK (following the end of the Brexit Transition Period) to countries outside the EU/UK, of which one has recently been invalidated (the Privacy Shield, successor to the Safe Harbor) and another is subject to ongoing challenge (standard contractual clauses, also known as model clauses).

Under the historic Safe Harbor agreement, if a US recipient of personal data was self-certified under the US Safe Harbor regime, personal data transfers could be made to that recipient in the US, notwithstanding the general prohibition on transfer under the European data protection legislation in place at that time, because such a recipient was deemed to have adequate protection in place. The Safe Harbor regime was challenged in Schrems v. Data Protection Commissioner. This case was brought by privacy activist Max Schrems, who argued that the EU–US Safe Harbor agreement did not provide adequate security for EU citizens in light of the revelations exposed by Edward Snowden about PRISM and United States National Security Agency surveillance programmes. The CJEU invalidated the legal basis for the Safe Harbor Framework on 6 October 2015 with the immediate effect that the agreement was no longer considered to provide adequate protection under the eighth data protection principle.

Following the decision in Schrems v. Data Protection Commissioner, the Commission and the US government entered into lengthy negotiations as to a new means of EU–US data transfers. The new EU–US Privacy Shield came into effect on 1 August 2016 following approvals by the Commission and EU Member States, and included additional safeguards for the protection of personal data.

In the meantime, in May 2016, Max Schrems filed a complaint with the Irish Data Protection Commissioner concerning the legal status of data transfers to the US under Facebook's standard contractual clauses. The Irish High Court referred the case to the CJEU to determine the legal status of the use of standard contractual clauses to transfer personal data outside the EU.43 The CJEU heard the reference for a preliminary ruling on 9 July 2019 (the Schrems II case), not only in relation to the validity of the standard contractual clauses, but also on the legal status of the Privacy Shield. By July 2019, the Privacy Shield had undergone two joint reviews by the US and European authorities, both of which ultimately concluded that the Privacy Shield remained an effective mechanism for the transfer of personal data to the US, though they made several proposals for improvement. In the Schrems II case, the Advocate General delivered his non-binding opinion on 19 December 2019,44 which questioned the validity of the Privacy Shield and also challenged the adequacy of the standard contractual clauses to transfer personal data to the US. In its judgment of 16 July 2020,45 the CJEU invalidated the Privacy Shield with immediate effect, meaning that it can no longer be relied on to ensure compliance with the GDPR for relevant existing or future data exports to the US. The CJEU held that the standard of protection afforded to personal data under the GDPR and European fundamental rights laws could not be guaranteed by the Privacy Shield, primarily due to what it held to be a lack of proportionality of specific US national security laws, as well as a lack of effective and enforceable rights for data subjects.

In relation to the standard contractual clauses, the CJEU held that the model clauses remain valid as a mechanism for personal data transfer outside the EU/UK, but that they cannot be used if the legislation in the third country does not enable the recipients to comply with their obligations. Further, the CJEU found that reliance on the standard contractual clauses alone was not necessarily sufficient in all circumstances, and that each data transfer (to any third country, including onwards transfers) must be assessed on a case-by-case basis to ensure adequate protection for the data. If, in the relevant context, the standard contractual clauses are assessed to insufficiently protect individuals' data, additional safeguards should be put in place. Finally, the CJEU made clear that, if a competent supervisory authority believes that the standard contractual clauses cannot, in relation to a specific data transfer, be complied with in the recipient country and the required level of protection cannot be secured by other means, such supervisory authority is under an obligation to suspend or prohibit that transfer (unless the data exporter has already done so itself).

Following the CJEU's decision, the Irish Data Protection Commissioner is required to consider the specific case of Facebook's relevant transfers of data to the US: proceedings are ongoing.

This decision of the CJEU applies to data transfers from the UK to third countries outside of the EEA during the Brexit transition period, and is binding on UK courts. The government and ICO are expected to release further guidance on the UK approach to data transfers to the US and more widely following the end of the transition period. After 1 January 2021, the UK will become a third country for the purposes of data transfers from the EEA, and the third country transfer restrictions under the GDPR will apply, unless and until an adequacy decision is granted by the European Commission in favour of the UK; this is currently under negotiation, during which a number of potential issues have been raised around the UK's surveillance and communications interception regimes.

ePrivacy Regulation

The Draft ePrivacy Regulation is set to replace the existing ePrivacy Directive, and to amend the Directive's current controls on unsolicited direct marketing, restrictions on the use of cookies, and rules on the use of traffic and location data. The intent with the ePrivacy Regulation is to complement the GDPR, and establish a modern, comprehensive and technologically neutral framework for electronic communications.

In relation to cookies and similar tracking technologies, the ePrivacy Directive, and ePrivacy UK Regulations, prescribe that the consent of users of the relevant terminal equipment for the placement of cookies is required, unless a cookie is strictly necessary to provide an online service requested by a user (such as online shopping basket functionality, session cookies for managing security tokens throughout the site, multimedia flash cookies enabling media playback or load-balancing session cookies).

The GDPR introduces a higher level of consent, stating that consent should be a clear affirmative act establishing a freely given, informed and unambiguous indication of the data subject's agreement to the processing of personal data. Silence or inactivity does not constitute consent, and consent needs to be obtained for each processing purpose.46 Further, the data subject must have the right to withdraw consent at any time.47 The ePrivacy UK Regulations apply the GDPR standard of consent for the purposes of those Regulations, including in relation to cookies. In July 2019, the ICO updated its guidance on cookies,48 to clarify the interplay between the GDPR, DPA and ePrivacy UK Regulations and the standard of consent required for cookies. The ICO's guidance confirms that consents for cookies should meet the GDPR standard for consent (i.e., consent mechanisms must seek clear, unbundled, express acceptance for each category of cookies (other than those that are strictly necessary to provide the online service; this is narrowly interpreted)). This means that a number of common market practices in this area, including the use of banners that do not interrupt a user's interaction with a website (rather than those that provide notice and infer consent from continued use, for example) or that rely on implied consent (i.e., consent obtained by means of a pre-ticked opt-in box or an opt-out tick box), will need to be revised to meet the GDPR's consent standards. Other than functional, strictly necessary cookies, no cookies should be applied before such consent has been sought. Further, such consent should be sought on an unbundled basis (i.e., setting out, and obtaining consent for, each purpose for which cookies are used).

Individual data subjects have the right under the GDPR to notify a data controller to cease or not to begin processing their personal data for the purposes of direct marketing. Under the ePrivacy UK Regulations, an organisation must obtain prior consent before sending a marketing message by automated call, fax, email, SMS text message, video message or picture message to an individual subscriber. There is a limited exemption for marketing by electronic mail (both email and SMS) that allows businesses to send electronic mail to existing customers provided that they are marketing their own goods or services, or goods and services that are similar to those that were being purchased when the contact information was provided; and the customer is given a simple opportunity to opt out free of charge at the time the details were initially collected and in all subsequent messages.

Under the ePrivacy UK Regulations, location data (any data that identifies the geographical location of a person using a mobile device) can be used to provide value-added services (e.g., advertising) only if the user cannot be identified from the data or the user has given prior consent. To give consent, the user must be aware of the types of location data that will be processed, the purposes and duration of the processing of that data, and whether the data will be transmitted to a third party to provide the value-added service. The Code acts to expand the scope of the ePrivacy Directive to OTT communications providers, who will therefore come within the remit of the various restrictions on uses of content, traffic and location data set out in the ePrivacy Directive (and national implementing legislation such as the ePrivacy UK Regulations).

The Draft ePrivacy Regulation (which is not yet in final form and therefore subject to further changes) aims to develop the existing ePrivacy Directive in several ways, including:

  1. expanding the scope of ePrivacy laws to include OTT providers that provide services functionally equivalent to traditional telecoms providers (as already achieved in effect by the Code), and to apply to organisations worldwide as long as they are providing services to end users in the EU;
  2. reviewing the rules on the use of cookies and other tracking technologies to establish when consent should be required, and establishing that the standard of consent should be equivalent to that in the GDPR (e.g., it has been proposed that consent would not be necessary for cookies used for the purposes of analytics);
  3. tightening rules in relation to direct marketing (including business-to-business marketing);
  4. restricting use of content and metadata by communications providers. However, the scope of these restrictions is hotly debated, and is one of the key topics responsible for the delay in the agreement of the proposed regulation text;
  5. alignment of sanctions to the GDPR: for example, breach could bring liability of up to €20 million or four per cent of annual worldwide turnover; and
  6. unifying the ePrivacy Regulation's enforcement under GDPR enforcement bodies.

While the Commission's original intention was for the ePrivacy Regulation to come into force simultaneously with the GDPR in May 2018, the draft has been subject to intense scrutiny and debate and remains under review through the European legislative process. At the time of writing, the next step in this process is for the Council to reach agreement on a proposed text; the latest draft under discussion was published by the Croatian Council presidency in February 2020. Once the Council's position is published, the ongoing trialogue process between the Parliament, Council and Commission will continue in order to agree the final wording of the regulation. According to the most recent drafts (including the latest draft released in February 2020), the ePrivacy Regulation is expected to come into force two years after its finalisation and publication date. Given the criticism of the current proposal, companies should be prepared to see further changes to the draft before its passage, even at these later stages of the process, and the development of this law should be tracked to ensure ongoing compliance. As the ePrivacy Regulation will not enter into force prior to the end of the Brexit transition period (30 December 2020), the Regulation will not be directly applicable in the UK; the ePrivacy UK Regulations will continue to apply as UK national law, subject to amendments introduced by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019/419 (which primarily ensure the proper functioning of the ePrivacy UK Regulations alongside the amended DPA and UK-GDPR from 1 January 2021).


The ICO is responsible for the enforcement of, amongst other legislation, the GDPR and DPA, the ePrivacy Directive and ePrivacy UK Regulations, the IPA, the NISD and NIS Regulations (NIS enforcement is discussed in more detail below), as well as the Freedom of Information Act 2000 (which provides individuals with the ability to request disclosure of information held by public authorities). As a result of Brexit, the ICO remains responsible for the enforcement of these UK regimes, but is outside the scope of any related European associations (for example, the European Data Protection Board).

The ICO is increasingly focusing on enforcement generally, and on the use of monetary penalties in particular (under the GDPR, penalties of up to a maximum of 4 per cent of global annual turnover or €20 million, whichever is the higher, may be applied, and equivalent penalties are contemplated in the latest draft ePrivacy Regulation).

According to the ICO's Annual Report for 2019 and 2020,49 the ICO has particularly focussed its investigation and enforcement efforts on the following topics: improving data security practices, reducing unlawful access, and addressing compliance concerns about the use of new surveillance technology. The ICO's actions in the past year were a mix of Data Protection Act 1998 (DPA 1998) and DPA matters. Under the DPA 1998, the ICO has issued a number of fines in recent years at the level of the maximum available financial sanction (£500,000). The most recent of these fines was imposed against Cathay Pacific Airways, in March 2020, for information security failings resulting in the exposure of customer personal data.50 Prior to that, in January 2020, the ICO issued a £500,000 fine against DSG Retail Limited following a cyberattack impacting its point-of-sale system that affected over 14 million people.51 The ICO issued two similar fines at this level in 2018. The first of these fines was served on Facebook in July 2018 for failing to safeguard the personal data of millions of users and for failing to be transparent with those users about how their data was in turn being harvested by third parties, including by political consulting firm Cambridge Analytica. Facebook subsequently appealed the fine, and Facebook and the ICO ultimately reached a settlement in October 2019, with Facebook agreeing to pay the £500,000 fine with no admission of liability.52 The second of these fines was imposed on Equifax Ltd in September 2018 for failing to protect the personal data of up to 15 million UK individuals during a cyberattack which compromised the company's US systems.

In parallel with the ongoing conclusion of legacy DPA 1998 investigations, the ICO is also taking action under the DPA. The ICO issued its first (and only, to date) monetary penalty notice under the DPA in December 2019, imposing a fine of £275,000 against Doorstep Dispensaree Ltd for failing to properly secure health information. The ICO's proposed fines under the GDPR/DPA against British Airways and Marriott International, both announced in July 2019, remain its most significant proposed sanctions. These investigations are ongoing and the final level of fines imposed is not yet known. On 8 July 2019, the ICO announced a notice of intent to fine British Airways £183.39 million under the GDPR in relation to a cyberattack and resulting data breach, impacting approximately 500,000 customers. This proposed fine is the largest to date under the GDPR. Then on 9 July 2019, the ICO announced a notice of intent to fine Marriott International £99.2 million for GDPR infringements stemming from a data breach at Starwood, which Marriott acquired in 2016. These latest actions from the ICO are part of an ongoing, European-wide trend of data protection supervisory authorities starting to utilise their increased powers under the GDPR to impose significant fines, and indicate a sea change in the level of fines organisations can expect for data protection failings.

While the level of monetary penalties for data protection breaches is expected to increase dramatically compared with previous years, the most common grounds for fines and enforcement action remain the loss of data, other major data security breaches and, to a lesser extent, automated marketing calls and other complaints under the ePrivacy UK Regulations. In relation to the latter, the ICO received 127,940 complaints under the ePrivacy UK Regulations in 2019–2020 (down from 138,368 in 2018–2019). The majority of fines imposed under the ePrivacy UK Regulations relate to automated marketing calls. In March 2020, the ICO issued the highest-ever nuisance calls fine of £500,000 to CRDNN Limited, which was responsible for more than 193 million automated nuisance calls.53

Data breach notification

The GDPR introduces a new personal data breach notification obligation on data controllers requiring notification to the supervisory authorities without undue delay and not later than 72 hours after becoming aware of a breach, unless the data security breach is unlikely to result in a risk to the rights and freedoms of a data subject. If a personal data breach results in a high risk to the rights and freedoms of a natural person, a data controller must inform the natural person of the data breach without undue delay.54 The GDPR also requires a data processor to notify a data controller if it becomes aware of a personal data breach. An infringement of these provisions can lead to an administrative fine up to €10 million or, in the case of an undertaking, up to two per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher.55 As a result of this strengthening of the requirements to report personal data breaches, the ICO has seen a significant increase in the number of personal data breaches reported to it: up from 3,311 notifications in 2017–2018 to 13,840 notifications in 2018–201956 and 11,854 notifications in 2019–2020.57 The ICO reports that in 95 per cent of the reported cases in 2019–2020, the relevant organisation had taken adequate steps to address the breach and no further action was required by the ICO. In the vast majority of the remaining cases, the ICO required the organisation to take further action but did not take enforcement or formal action against the organisation: enforcement action (e.g., monetary penalty or imposition of a mandatory improvement plan) was taken in less than 1 per cent of reported breach cases.58

Under the ePrivacy UK Regulations, providers of public ECSs (mainly telecom providers and ISPs) are required to inform the ICO within 24 hours of a personal data security breach and, where that breach is likely to adversely affect the personal data or privacy of a customer, that customer must also be promptly notified. The Draft ePrivacy Regulation intends to align this deadline with the time period set out under the GDPR (72 hours) for consistency. This should be kept under review as the Draft ePrivacy Regulation is finalised.

In addition, organisations to which the NIS Regulations apply will have to comply with their notification requirements, as set out below.

Data retention, interception and disclosure of communications data

The legislation in this area has been the subject of much change and controversy over the past few years. The powers of government authorities (and, in a more limited capacity, private organisations) to intercept communications, acquire communications data and interfere with communications equipment were previously regulated by a patchwork of legislation, including the Regulation of Investigatory Powers Act 2000 (RIPA), and, until 2016, the Data Retention and Investigatory Powers Act 2014 (DRIPA). DRIPA included a sunset clause which provided for automatic expiry of its provisions on 31 December 2016, though it was subject to a number of legal challenges prior to (and following) that date. In July 2015, the High Court declared DRIPA's data retention provisions to be incompatible with EU law on the basis that they interfered with Articles 7 and 8 of the EU Charter of Fundamental Rights (the public's rights to respect for private life and communications and to the protection of personal data).59 The Court of Appeal referred the case to the CJEU, which held, on 21 December 2016, that the ePrivacy Directive and the Charter of Fundamental Rights preclude laws that require a general and indiscriminate retention of data. The CJEU ultimately referred back to the Court of Appeal, which agreed that the DRIPA data retention provisions were incompatible with EU law (in its final judgment delivered on 30 January 2018).60

The current regime is governed primarily by the Investigatory Powers Act 2016 (IPA) and RIPA. The IPA overhauls, and in some cases extends, the scope of RIPA, and also repeals Part One of RIPA (which covered the interception and acquisition of communications data). The IPA has been rolled out by various different statutory instruments, the latest of which brought all remaining provisions into force on 22 July 2020.61 The remaining provisions of RIPA (i.e., those not repealed by the IPA) remain effective, and broadly cover direct surveillance, covert human intelligence, and obtaining electronic data protected by encryption. The IPA is similar to RIPA in various respects. For example, like RIPA, the IPA imposes a general prohibition on the interception of communications unless the interceptor has lawful authority to carry out the interception, such as where a warrant has been issued by the Secretary of State (interception warrant). However, the IPA provides a new legal framework to govern the use and oversight of investigatory powers of the executive branch. Among other things, it:

  1. includes new powers for UK intelligence agencies and law enforcement to carry out targeted interception of communications, bulk collection of communications data and bulk interception of communications;
  2. introduces an Investigatory Powers Commission (IPC) to oversee the use of all investigatory powers, alongside oversight provided by the Intelligence and Security Committee of Parliament and the Investigatory Powers Tribunal;
  3. requires a judge serving on the IPC to review warrants authorised by the Secretary of State for accessing the content of communications and equipment interference before they come into force (commonly referred to as a double lock feature);
  4. widens the categories of telecommunications operators (TOs) that can be subject to most powers by including private as well as public operators;
  5. includes the power to require TOs to retain UK internet users' data, including internet connection records, for up to one year (although it remains to be seen how such powers may be amended following the court rulings described below);
  6. permits police, intelligence officers and other government department managers to see internet connection records as part of a targeted and filtered investigation without a warrant;
  7. imposes a legal obligation on TOs to assist with the targeted interception of data and communications and equipment interference in relation to an investigation (however, foreign companies are not required to engage in bulk collection of data or communications);
  8. places the Wilson Doctrine (a convention whereby police and intelligence services are restricted from intercepting communications of Members of Parliament) on a statutory footing for the first time, as well as safeguards for people such as journalists, lawyers and doctors involved in other sensitive professions;
  9. provides local government with some investigatory powers (e.g., to investigate someone fraudulently claiming benefits), but not access to internet connection records;
  10. creates a new criminal offence for unlawfully accessing internet data; and
  11. creates a new criminal offence for a TO or someone who works for a TO to reveal that data has been requested.

Both RIPA and the IPA have been subject to legal challenges in recent years (following the claims brought against DRIPA). In April 2018, the UK High Court ruled that the then-current provisions of Part 4 of the IPA, which relates to the retention of communications data, were incompatible with EU law in two respects: in the context of criminal justice, the relevant provisions allowed access to retained data that was not limited to the purpose of combating serious crime, and that access was not subject to prior review by a court or independent body. The High Court decided against making an order of disapplication, but ordered that the government must replace the relevant provisions by 1 November 2018.62 In response, on 31 October 2018 the government introduced the Data Retention and Acquisition Regulations 2018. However, the Regulations have been criticised as not going far enough to address the human rights concerns raised by the High Court. In Privacy International v. UK,63 the CJEU recently reiterated that national law derogations from European fundamental rights of privacy must be strictly necessary and proportionate. It determined that UK legislation64 authorising the acquisition and use of bulk communications data by the UK security and intelligence agencies for national security purposes did not meet the required proportionality standards or provide for sufficiently objective criteria to define how those authorities exercise their powers. Following this preliminary ruling from the CJEU, proceedings have been referred back to the UK courts.

On 13 September 2018, the European Court of Human Rights ruled in the case of Big Brother Watch and Others v. the United Kingdom65 that certain aspects of the bulk interception regime under RIPA and the regime for obtaining communications data from communications and service providers violate Article 8 (the right to respect for private and family life and communications) and Article 10 (the right to freedom of expression) of the European Convention on Human Rights (ECHR). Big Brother Watch and the applicant campaign groups66 requested that the case be referred to the Grand Chamber at the European Court of Human Rights, where it was heard in July 2019:67 judgment is expected before the end of 2020, on the primary issues of the bulk interception of communications; intelligence sharing with foreign governments; and the obtaining of communications data from communications service providers.

Protection for children

Under the GDPR, children are defined as vulnerable natural persons who merit specific protection with regard to their personal data.68 The GDPR defines a 'child' as anyone below the age of 16, unless a Member State provides, as the UK has done, for a lower age (which cannot be lower than 13) – the DPA has set the age of children at the minimum permitted threshold (i.e., anyone younger than 13 years). Consent to the processing of personal data in connection with the provision of online services to children is required to be given by a person with parental responsibility.69 Data can also be processed based on legitimate business interests, but it is clear that it will be harder to argue that the interests of a company outweigh those of a child. The GDPR also introduces a right to be forgotten, which will make it necessary for certain service providers, such as social media services, to delete any personal data processed or collected when the user was a child.70 The ICO published its Age Appropriate Design Code71 in January 2020, and it came into force on 2 September 2020 with a 12-month transition period. The Code is a statutory Code of Practice under the DPA, setting out guidance on the application of the GDPR and DPA in the context of children's personal data and children's use of digital services. It is made up of 15 standards focussing on providing default settings which ensure an automatic high level of data protection safeguards for online services likely to be accessed by children. The standards cover topics such as: data sharing; data minimisation; transparency; parental controls; nudge techniques; and profiling.

On 8 April 2019, the Home Office and DCMS published an Online Harms White Paper72 for public consultation, which builds on the proposed measures set out in the government's Green Paper titled Internet Safety Strategy, published in May 2018.73 The White Paper proposes a new compliance and enforcement regime intended to combat online harms, including measures aimed at protecting children. The regime is designed to force online platforms to move away from self-regulation and sets out a legal framework to tackle users' illegal and socially harmful activity. The proposals extend to all organisations that provide online platforms allowing user interaction or user-generated content. The government issued its initial response to the White Paper consultation on 11 February 2020, which set out preliminary details of the proposed new regulatory regime to govern content posted on online platforms, and confirmed that an active 'duty of care' will be introduced, requiring organisations to prevent certain content from appearing on their platforms. The government's initial response also indicated that it is minded to appoint Ofcom as the new regulator of harmful content and conduct online. A full government response is expected in 2020.

The Child Exploitation and Online Protection Centre (CEOP) works to prevent exploitation of children online; it is made up of a large number of specialists who work alongside police officers to locate and track possible and registered offenders. CEOP operates as a command of the National Crime Agency. CEOP also offers training, education and public awareness in relation to child safety online.

Internet safety for children in the UK is also monitored by the UK Council for Internet Safety (UKCIS) (previously the UK Council for Child Internet Safety (UKCCIS)), a forum consisting of government, technology and communications organisations and third sector organisations, collaborating to improve online safety. The UKCIS has most recently published a Digital Resilience Framework74 and an Education for a Connected World Framework,75 which together aim to assist, among other organisations, schools and child services providers to integrate digital resilience into education and other child settings and to identify the specific skills children need to manage online risks. Website and software operators may apply for the Kitemark for Child Safety Online. This has been developed through collaboration between the British Standards Institution (BSI) (the UK's national standards body), the Home Office, Ofcom, and representatives from ISPs and application developers. The BSI tests internet access control products, services, tools and other systems for their ability to block certain categories of websites (e.g., sexually explicit, violent or racist activity).


The Computer Misuse Act 2000 (as amended by the Police and Justice Act 2006) sets out a number of provisions that make hacking and any other forms of unauthorised access, as well as DoS attacks and the distribution of viruses and other malicious code, criminal offences. Further offences exist where an individual supplies tools to commit the above-mentioned activities.

The government has consolidated its focus on cybersecurity through the establishment of the National Cyber Security Strategy, with a dedicated pool of funds stretching to £1.9 billion over five years until 2021.76 Cybercrime detection and response is primarily led by the National Crime Agency, working together with the National Cyber Security Centre (NCSC), a government body established in 2016 to act as a single national authority on cybersecurity. One of the NCSC's roles is to manage the Cyber-Security Information Sharing Partnership, which facilitates the sharing of real-time cyber threat information between the public and private sectors. In its National Cyber Security Strategy Progress Report,77 published in May 2019, the government reported on a total of 665 cybersecurity response actions carried out between 2017 and 2019, including many undertaken in coordination with international agencies.

At a European level, the European Parliament adopted the NISD in July 2016, which is the first EU-wide legislation on cybersecurity. The aim of the NISD is to enhance network and information system security in essential economic and digital services. It introduces, inter alia, mandatory breach notification requirements and minimum security requirements.78 While the GDPR's aim is to protect personal data, the NISD focuses on protecting essential infrastructure, and is therefore not limited to personal data.

The NISD imposes obligations on two types of organisations: essential service operators (ESOs) within the energy, transport, banking, financial market infrastructure, health, drinking water and digital infrastructure sectors; and digital service providers (DSPs), including entities such as online marketplaces, online search engines and cloud computing service providers. These companies must now report breaches of cybersecurity to the national competent authorities without undue delay where the relevant incident would have a significant impact on the core services provided by a company. The NISD had been stuck in negotiations between EU lawmakers and Member States over which sectors the Directive should cover; after months of negotiations, it was decided that digital platforms such as search engines, social networks and cloud computing service providers will be subject to the Directive's remit, albeit with lighter touch requirements. The Directive aims to ensure a uniform level of cybersecurity across the EU as part of the Commission's wider Digital Agenda for Europe.

As of 9 May 2018, the NISD should have been implemented in each EU Member State. In the UK it has been implemented by way of the NIS Regulation, which came into force on 10 May 2018. The NIS Regulation:

  1. applies to ESOs and DSPs with thresholds designed to capture the most important operators in their sector due to, for example, their size;
  2. is regulated by the ICO in respect of DSPs and, in respect of ESOs, the competent industry-specific regulator, such as the Department for Business, Energy and Industrial Strategy, Ofcom and NHS Digital. GCHQ acts as the UK's single point of contact as required by the NISD;
  3. requires operators to develop minimum levels of security, as well as evidence that these higher standards have been met, and notify incidents meeting specific thresholds to the relevant regulator. Notifications should be made without undue delay and within 72 hours of becoming aware of the incident where feasible. The NIS Regulation notification obligations are separate from the personal data breach notification obligations under the GDPR and DPA – depending on the specific circumstances, an organisation may be required to report a cybersecurity incident to both its NIS competent authority under the NIS Regulations (i.e., the ICO for DSPs, or relevant industry regulator for ESOs), and to the ICO under the DPA (if the incident also constitutes a relevant personal data breach, and the organisation is acting as a data controller); and
  4. imposes harsher penalties to mirror the GDPR, with fines up to the higher of £17 million or 4 per cent of annual worldwide turnover.

While the NISD applies to certain financial institutions, the NIS Regulation does not apply to entities that fall within the remit of the regulatory authority of the Financial Conduct Authority, the Bank of England or the Prudential Regulation Authority, as these institutions have been deemed to impose requirements on financial institutions that meet the obligations under the NISD.

In respect of DSPs, the NIS Regulation does not apply to small and micro businesses (i.e., companies employing fewer than 50 people whose annual turnover or balance sheet total, or both, is less than €10 million). However, if a DSP is part of a larger group, the group's size may need to be taken into account in determining whether the provider is excluded from the application of the NIS Regulation (depending on the level of control exercised over the provider by other group entities).

In respect of ESOs, certain sectors are exempt from some aspects of the NISD where they are obliged to comply with equivalent provisions within existing regulations (e.g., the finance and civil nuclear sectors). The competent authority has a discretion to deem a particular organisation to be an ESO even if the threshold conditions are not met. In addition, ESOs are required to register with their competent authority.

Following the implementation of the NIS Regulations, the ICO reports that it received approximately 2,500 cybersecurity notifications under the NIS Regulations in 2018–2019,79 the majority of which related to phishing and unauthorised access.

Spectrum policy

i Development

The current EU regulatory framework for spectrum has been in force since 2003 following the introduction of the Telecoms Reform Package. This regulatory framework, in particular the Framework Directive80 and the Authorisation Directive,81 requires the neutral allocation of spectrum in relation to the technology and services proposed by users (e.g., MNOs and radio broadcasters). Following on from the Telecoms Reform Package, the Commission required Member States to adopt measures including greater neutrality in spectrum allocation, the right of the Commission to propose legislation to coordinate radio spectrum policy, and to reserve part of the spectrum from the digital dividend (from the switchover to digital television services) for mobile broadband services through the Better Regulation Directive and the Citizens' Rights Directive. In 2016, Ofcom developed a framework for spectrum sharing, highlighting the importance of considering the circumstances of each potential opportunity, covering its costs and benefits.

In the UK, Ofcom is responsible under the Act for the optimal use of the radio spectrum in the interests of consumers. This includes, inter alia, monitoring the airwaves to identify cases of interference, and taking action against illegal broadcasters and the use of unauthorised wireless devices. The 2016 framework established three key elements when identifying potential sharing opportunities in certain bands: characteristics of use for all users that inform the initial view of the potential for sharing, and what tools may be relevant; barriers that may limit the extent of current or future sharing, despite the liberalisation of licences and existing market tools such as trading or leasing; and regulatory tools and market and technology enablers that match the characteristics of use and barriers to facilitate new and more intense sharing.82

ii Flexible spectrum use

As the uses of the radio spectrum have increased, the allocation of spectrum by the regulator has developed from a centralised system, where use was determined by the regulator, to a market-based approach, where users compete for spectrum. Currently, auctions are the primary market tool used to implement the allocation.

Spectrum trading was introduced in the UK for the first time in 2004, and is permitted under the Wireless Telegraphy Act 2006 and associated regulations. Originally, the trading of spectrum was subject to a multi-stage process that, inter alia, required a decision by Ofcom about whether to consent to the trade. However, the Wireless Telegraphy (Mobile Spectrum Trading) Regulations 2011, directed at making more efficient use of the available spectrum, and improvements in mobile services to meet the demand for faster and more reliable services for consumers, made significant changes to this process, removing the need to obtain Ofcom's consent for proposed trades in most cases. In addition, under these Regulations, a licensee can transfer all or part of the rights and obligations under its licence. A partial transfer, or spectrum leasing, can be limited to a range of frequencies or to a particular area. Ofcom also plans to simplify the process for time-limited transfers in line with the Revised Framework Directive.

iii Broadband and next-generation mobile spectrum use

In March 2017, Ofcom published its Statement on improving spectrum access for consumers in the 5GHz band, and in July 2017 published its Decision to make Wireless Telegraphy Exemption Regulations 2017; this was predominantly due to increasing demand for Wi-Fi and the role of spectrum in addressing such demand.83 The technology has provided more capacity at faster speeds for mobile services on smartphones such as video streaming, email and social networking sites. On 24 July 2020, Ofcom announced that it is reviewing its existing regulations further to support growing demand from UK customers.84

iv White space

Free spectrum, or 'white space', left over from the UK's switch from analogue to digital TV and radio, has been available for mobile broadband and enhanced Wi-Fi since 2011. A white space device will search for spectrum that is available and check a third-party database to find out what RFs are available to ensure that it does not interfere with existing licensed users of the spectrum. New white space radios use frequencies that are allocated for certain uses elsewhere but are empty locally. Flawless management of spectrum is required to avoid interference.

Since February 2015, Ofcom has allowed the commercial use and deployment of white space broadband technology, harnessing the unused parts of the radio spectrum in the 470MHz to 790MHz frequency band.

In July 2019, the UK published a consultation paper in relation to the proposed approach to implementation of the European Electronic Communications Code Directive.85 Member States have until 21 December 2020 to implement its provisions into domestic law. The UK took an active role in negotiating this directive to ensure it supports the UK's aim to improve connectivity. Implementation of this directive will support a stable regulatory framework which incentivises competitive network investment. Implementation of the spectrum provisions will also support 5G deployment by allowing for the release of additional spectrum and supporting spectrum sharing, and is anticipated to support the extension of mobile coverage in rural areas. The UK government conducted a consultation on the implementation of the Code in mid-2019, and published its response in July 2020.86 The response after the consultation confirmed that the UK government will ensure that UK law remains operable after implementing the Code, and that it would grant a 12-month period for the telecoms industry to implement the most onerous measures. Ofcom is due to publish a statement setting out the detailed approach in autumn 2020.

v Spectrum auctions

The first 5G spectrum auction to be completed by Ofcom took place in April 2018, with O2, EE, Three and Vodafone all winning spectrum. O2 acquired all 40MHz of the 2.3GHz spectrum being auctioned, as well as 40MHz of the 3.4GHz spectrum, making it the biggest winner in the auction. Some of the spectrum was auctioned because it was recently freed up by the government to make it available for civil use, having been previously used by the Ministry of Defence.

Ofcom confirmed on 3 August 2020 that another 5G spectrum auction will take place in January 2021, as the 2018 5G auction will not cover the anticipated demand for 5G once it is commercially available.87

Ofcom announced the following spectrum caps in July 2017 to satisfy competition concerns: no operator would be able to hold more than 255MHz of immediately usable spectrum, and no operator would be able to hold more than 340MHz of the total amount of spectrum following the auction. In January 2018, UKGI (which administers the Public Sector Spectrum Release Programme through the Central Management Unit) reported that the programme has led to nearly 400MHz having been released so far, with plans to release 750MHz of spectrum from the public to the private sector by 2022 to stimulate economic growth. In December 2018, Ofcom published a report relating to its consultation on the award of the spectrum in the 700MHz and 3.6–3.8GHz bands.88 As a result of stakeholder responses to the consultation, Ofcom considered that it may be appropriate for certain measures to be included in the 2020 5G auction. These proposals were published on 11 June 2019.89 Ofcom confirmed in its report published on 13 March 2020 the inclusion of a negotiation phase, within the assignment stage of the auction, during which winners of 3.6–3.8GHz spectrum would have the opportunity to agree the assignment of frequencies in the 3.6–3.8GHz band among themselves.90 To ensure competition between the national operators, Ofcom introduced a floor and cap on the amount of spectrum that each operator can win, and imposed safeguard caps to prevent an operator from holding too much spectrum. To diversify the market, Ofcom also reserved parts of the spectrum for a fourth national wholesaler. The reserved lots were won by Hutchison 3G UK.

vi Emergency services bandwidth prioritisation

The Universal Services Directive, a further part of the Telecoms Reform Package, introduces several extended obligations in relation to access to national emergency numbers and the single European emergency call number (112). Prior to the Universal Services Directive, obligations to provide free and uninterrupted access to national and European emergency numbers applied to providers of publicly available telephone services only. Under this Directive, however, these obligations are extended to all undertakings that provide to end users 'an electronic communication service for originating national calls to a number or numbers in a national telephone numbering plan', and the UK has mirrored this wording in its revisions to General Condition 4 under the Act. Such electronic service providers are therefore required to ensure that a user can access both the 112 and 999 emergency call numbers at no charge and, to the extent technically feasible, make caller location information for such emergency calls available to the relevant emergency response organisations. Ofcom's revised general conditions for emergency services network (ESN) provider compliance came into force on 1 October 2018, amending the obligations relating to access to emergency services. The changes include extending the current requirements to ensure end users can access emergency organisations through eCalls.


The transition from traditional forms of media distribution and consumption towards digital converged media platforms continues to disrupt and change the commercial foundations of the entertainment and media industry in the UK. Members of the industry are grappling with new business models to monetise content and frameworks to provide sufficient protection for the rights of content creators and consumers alike. The Commission's DSM Strategy has had implications for the UK media sector (subject to changes to national law as a result of Brexit). Covid-19 has caused huge disruption to content production, but has helped to drive uptake of new digital media offerings.

i Superfast broadband and media

Fast broadband underpins the accessibility to consumers of internet-delivered content services. As demand for internet data in the UK accelerates, so do calls for the UK's broadband infrastructure to be upgraded.

In January 2020, Ofcom proposed new regulations to assist in fuelling full-fibre infrastructure for the whole of the UK. As part of this, Ofcom opened a consultation which closed on 1 April 2020, with results to be published in early 2021. As part of the UK's commitment to superfast broadband, the government announced that 96 per cent of UK households now have access to superfast broadband (speeds of 24Mbps or more) coverage and plans have been announced to develop the Superfast Broadband Programme until 2026 as part of the UK Next Generation Network Infrastructure Deployment Plan.91

Since 2017, full-fibre coverage in the UK has trebled.92 The focus has now shifted to exploring ways to take superfast broadband to the most remote and hardest-to-reach places in the UK. On 19 May 2019, the government launched the Rural Gigabit Connectivity programme, established to trial a model to deliver full-fibre broadband to premises in rural and remote areas.93 This is consistent with the DEA, which provided for a USO whereby consumers may request a minimum download speed of 10Mbps by 2020. In August 2020 the government announced that almost half a million premises now have access to gigabit technology.94 In March 2020, the government announced a £5 billion commitment through to March 2021 to fund gigabit-capable deployment to the remaining 20 per cent of the UK (representing up to 6 million households).95

ii European DSM Strategy and media

Audiovisual Media Services Directive

As part of the DSM Strategy, in May 2016, the Commission adopted a legislative proposal to revise the Audiovisual Media Services Directive (AVMSD), which coordinates national legislation on all audiovisual media including both TV broadcasts and on-demand services. The revised Directive entered into force on 19 December 201896 and Member States and the UK (during the UK/EU transitional period) were due to implement the revisions to the AVMSD into national law by 19 September 2020, although a number of Member States and the UK missed the deadline. In the UK, the Audiovisual Media Services Regulations 2020 (UK AVMS Regulations) were made on 30 September 2020 and amend the existing UK Broadcasting Acts and the Act.97 Most of the regulations come into force on 1 November 2020, with the remainder to come into force on 6 April 2021.

The revisions to the AVMSD (which are largely reflected in the new UK regulations) include:

  1. extending the AVMSD's application to video-sharing platforms where the principal purpose of the service is the provision of programmes or user-generated videos, or both, to the public, and which organise content in a way determined by the provider of the service (e.g., by algorithmic means);
  2. clarifications to the establishment test (i.e., which determines which Member State has jurisdiction over a linear or on-demand service provider);
  3. changes to place linear and on-demand services on an equal footing when it comes to measures to protect minors from harmful content;
  4. offering broadcasters more flexibility in television advertising – in particular, the advertising limit of 20 per cent of broadcasting time will apply between 6am and 6pm, and the same share will be permitted during prime time (i.e., 6pm to midnight) (rather than 20 per cent per clock hour); and
  5. an obligation on on-demand audiovisual media services to ensure 30 per cent of the works in their catalogues are European works and to ensure prominence of those works.

Furthermore, Member States have the option to require linear and on-demand service providers to invest in European works, including via direct investment in content and contributions to national funds.98

In July 2020, the Commission published non-binding guidelines on (1) video-sharing platforms (VSPs); and (2) European works.99 The guidelines intend to help Member States and the UK implement the AVMSD revisions, and offer a practical toolkit to ensure the promotion of European works and to help Member States and the UK assess which online services would fall under the scope of the AVMSD. The guidelines encourage cooperation between the national authorities, especially to gather relevant data, and to limit the risks of divergent interpretations of the tests referred to in the AVMSD. Such cooperation is to be facilitated through the European Regulators Group for Audiovisual Media Services (ERGA) and national authorities should keep ERGA informed in the areas covered by the guidelines. The UK was an active member of ERGA prior to leaving the EU, and Ofcom has said that it will continue to cooperate with ERGA as appropriate under the terms of the Brexit withdrawal agreement and to collaborate with European counterparts to exchange best practices for dealing with common challenges.100

Also in July 2020, Ofcom published a 'call for evidence' in relation to the UK's regulation of VSPs and to gather information on the practical and proportionate application of the measures included in the AVMSD.101 The 'call for evidence' closed on 24 September 2020.

The UK AVMS Regulations define VSPs in accordance with the AVMSD criteria, defining a VSP as a service or dissociable section of a service which meets certain criteria and where the provision of videos to members of the public is (1) the principal purpose of the service; or (2) an essential functionality of the service.

Ofcom is appointed as the regulator for VSPs although Ofcom is given the power to designate another body as regulator should it choose to do so and subject to certain conditions. Pursuant to the UK AVMS Regulations, VSP providers are to notify Ofcom to confirm that they provide a VSP service and Ofcom must maintain a list of VSPs that it regulates and document its reasons for determining jurisdiction. Failure of a VSP provider to notify Ofcom may result in Ofcom imposing a financial penalty on such VSP provider. Ofcom may also require VSP providers to pay a regulatory fee provided that the amount of any such fee (1) represents the appropriate contribution of the VSP provider towards meeting Ofcom's costs as regulator each financial year; and (2) is justifiable and proportionate in respect of each VSP provider.

Regarding enforcement, the UK AVMS Regulations grant Ofcom a range of formal enforcement powers (broadly, issuing binding enforcement notifications and/or imposing financial penalties). Any enforcement notification must specify a reasonable period during which the VSP provider is required to take the action specified and include reasons for the decision. A financial penalty may be an amount up to five per cent of the offending VSP provider's applicable qualifying revenue or £250,000 (whichever is greater), as Ofcom determines to be appropriate and proportionate.

It is anticipated that Ofcom will also issue its own guidance (1) to help service providers understand whether they meet the definition of VSP and fall under UK jurisdiction; and (2) on the application of the protective measures as set out by the AVMSD.

With regard to European works, the AVMSD establishes that providers of on-demand audiovisual media services must secure at least a 30 per cent share of European works in their catalogues and ensure prominence of those works. The definition of European works under the AVMSD includes works of countries that are part of the Council of Europe's Convention on Transfrontier Television (ECTT), of which the UK, along with 20 other EU countries, is a member. Therefore, UK-originated works continue to be classified as European works after Brexit. The AVMSD takes precedence among EU Member States, but the UK's position as a party to the ECTT will not be affected by its exit from the EU.

The Commission and the UK government have each published guidance notes on the AVMSD amendments and on the implications of Brexit on the audiovisual media sector.102 On 1 January 2021, the AVMSD, including the country of origin principle,103 will cease to benefit services under UK jurisdiction made available in the EU, and the UK will be treated as a third country. However, under the AVMSD, a complex test applies to determine which country has jurisdiction over a media service provider (largely based on the location of the head office, editorial decision making and the workforce). From 1 January 2021, it would be possible for a media service provider to keep a UK head office but be subject to the jurisdiction of a Member State (and therefore continue to benefit from the country of origin principle within the EU), provided a significant part of the workforce operates in that Member State. Furthermore, the ECTT framework will still apply, which provides for freedom of reception and retransmission.104 This means that, broadly, the EU countries that have signed up to the ECTT must allow freedom of reception to services under UK jurisdiction. The same applies to reception in the UK of services originating from countries that are party to the ECTT. For the seven non-ECTT countries, additional licences and consents will be required, subject to local law requirements. Further, VOD services are outside of the scope of the ECTT and, if subject to UK jurisdiction according to the AVMSD test, would need to comply with the local law requirements in each Member State in which they are offered.

Portability Regulation

On 9 December 2015, the Commission proposed a regulation to enable the cross-border portability of online content services.105 The resulting Portability Regulation was published in the Official Journal on 30 June 2017106 and came into force on 1 April 2018.107 It allows Europeans who purchase or subscribe to audiovisual content (such as films, sports broadcasts, music, e-books and games) in their home Member State to access this content when they travel or stay temporarily in another Member State. Providers of online content services that are provided for payment (it is optional for free services) must ensure the cross-border portability of their services such that subscribers may access and use the services when temporarily present in another Member State.

However, the Portability Regulation will cease to apply to UK–EEA travel from 1 January 2021. The Regulation relies on a legal fiction whereby the provision of and access to the relevant service is deemed to take place in the subscriber's country of residence, effectively disapplying the local law of the country of temporary presence. The Regulation only applies to EEA Member States and its effects do not extend to third countries. In the UK, the Regulation will be revoked.

From 1 January 2021, content service providers will therefore not be obliged under the Regulation to provide cross-border portability for customers travelling between the UK and EEA. Content service providers will be free to continue providing cross-border portability to their customers on a voluntary basis. The practical effect of this change is that, dependent on the terms of a service and licences in place between the service provider and the rights holders, UK customers in the EEA (and vice versa) may note restrictions on the content ordinarily available to them in their home country.108

Copyright reform

Satellite and Cable Directive

On 14 September 2016, the Commission adopted new proposals for copyright reform as part of its DSM Strategy. The Commission released proposals for a regulation laying down rules on the exercise of copyright and related rights applicable to certain online transmissions of broadcasting organisations and retransmissions of television and radio programmes (such regulation proposals have since been passed as the Satellite and Cable Directive (as opposed to a directly applicable regulation), amending the 1993 Directive of the same name); a directive on copyright in the DSM (Copyright Directive); and proposals for an additional directive and regulation to implement the Marrakesh Treaty to Facilitate Access to Published Works for Persons who are Blind, Visually Impaired, or Otherwise Print Disabled (Marrakesh Treaty).

The new Satellite and Cable Directive109 entered into force on 7 June 2019, with Member States having two years (until 7 June 2021) to transpose the Directive into national law.

The Commission's initial proposal was aimed at introducing a cross-border clearance mechanism for digital broadcasting and broadening retransmission rights. This was to be achieved through a combination of extending the country of origin principle110 to cover online services and amending the collective approach to the exercise of cable retransmission rights, so that they applied to other similar means of retransmission (but excluding transmission via the open internet) as well as cable retransmission.

After a full legislative process, the new Satellite and Cable Directive did indeed extend the country of origin principle – which has been in place for decades in respect of cable and satellite communications – to online simulcasts and catch-up services ('ancillary online services'). This means that, in respect of ancillary online services, broadcasters will only need to clear rights once, in the Member State in which the broadcasting organisation has its principal establishment. However, the Directive's clearance regime applies only in respect of (1) radio programmes; and (2) broadcasters' TV programmes that are news and current affairs programmes, or broadcasters' own fully financed productions – it does not for example extend to coverage of sports events or programming acquired or commissioned from third parties.

The new Satellite and Cable Directive also extends the current system of mandatory collective management for retransmissions by cable of television and radio broadcasts from other Member States to wire or over-the-air means (including, e.g., satellite, DTT, IPTV and internet), provided that where such retransmission takes place over an internet access service, it is carried out in a managed environment (i.e., in which the operator of the service provides a secure retransmission to authorised users). Furthermore, Member States can apply the principle in instances where both the broadcast and the retransmission take place in the same Member State. This means that instead of negotiating individually with every rights holder, operators of retransmission services benefit from collective management of rights and so are able to obtain licences from collective management organisations.

Further, the new Satellite and Cable Directive clarifies the principle of 'direct injection' by confirming that when a broadcaster transmits programmes to a distributor or platform (without the broadcaster itself simultaneously transmitting the programmes to the public), and the distributor or platform then transmits those programme-carrying signals to the public, the broadcaster and distributor or platform are deemed to have participated in a single act of communicating the programmes to the public. As such, this will require the relevant rights holders' authorisation, therefore ensuring that rights holders are remunerated for the same.

From 1 January 2021, the extent to which UK-based media companies can rely upon the provisions of the Satellite and Cable Directive (whether in the context of existing satellite and cable services' use of country of origin and cable retransmission rights, or in the new online or digital extensions) in respect of broadcasts into the EEA will depend on the nature and terms of the arrangements agreed between the UK and the EU and on how the domestic legislation of each EEA Member State treats broadcasts originating in non-EEA countries. Following the transition period, and as noted in UK government guidance, absent additional agreement these provisions may no longer apply and as such UK-based media companies may need additional rights holders' permissions to access the EU market.111 In its guidance, the UK government indicates that in the UK, the country of origin principle will continue to be applied to broadcasts from any country, except where the broadcast is commissioned or uplinked to a satellite in the UK and it originates from a country that provides lower levels of copyright protection. The government guidance also states that UK law will continue to apply existing rules to cable retransmissions of broadcasts originating in an EEA Member State.112

Copyright Directive

The Copyright Directive came into force on 7 June 2019 and Member States have until 7 June 2021 to transpose the Directive into national law.

The Copyright Directive focuses on three areas. First, it introduces measures to achieve a well-functioning marketplace for copyright. These include provisions for:

  1. a new related right in publication that will allow publishers to charge fees for digital uses of the copyright works in whose distribution they have invested (not extending to mere hyperlinks or to the use of individual words or very short extracts of a press publication). This Article does not prevent legitimate private or non-commercial uses of press publications by individual users, nor does its application extend to blog posts or scientific/academic publications (Article 15);
  2. a requirement for online content-sharing service providers (OCSSP) to obtain authorisation from rights holders. If no authorisation is granted, OCSSP will be liable for unauthorised acts of communication to the public of copyright-protected works, unless they can show they (1) used best efforts to obtain authorisation; (2) used their best efforts (in accordance with high industry standards of professional diligence) to ensure the unavailability of specific works identified by rights holders; and (3) acted expeditiously to remove or disable access to any unauthorised content after being notified (Article 17); and
  3. an obligation to ensure authors and performers are entitled to receive 'appropriate and proportionate' remuneration for exclusive licences of their works, and a mechanism for increasing the transparency to rights holders of the exploitation of their works and performances, with an alternative contract adjustment mechanism to allow authors and performers to rebalance contracts (Articles 18, 19 and 20).

Secondly, it introduces measures to improve licensing practices and ensure wider access to content by:

  1. implementing a legal mechanism to facilitate easier licensing of out-of-commerce works (which are works that are not available to the public through customary channels of commerce after a reasonable effort has been made to determine whether they are available to the public) by cultural institutions, to help them make these works, which have significant cultural and educational value, available to the public (Article 8);
  2. allowing Member States to extend collective licensing to cover rights holders within a class who are not members of the relevant collective management organisation (CMO). The CMO will be presumed to be representing such rights holders, but such rights holders must be able to opt out at any time in order to exclude their works from the collective licences (Article 12);
  3. requiring Member States to set up impartial bodies to assist in the negotiation of licensing agreements between audiovisual rights holders and VOD platforms (Article 13); and
  4. ensuring that when the term of protection of a work of visual art has expired, any material reproduced from that work is not subject to copyright, unless the reproducer has added something original to the reproduction (Article 14).

Thirdly, the Directive introduces measures to adapt exceptions and limitations to the digital and cross-border environment in relation to research and other organisations conducting text and data mining; the digital use of works and other subject matter for distance-learning educational purposes; and cultural heritage organisations making digital copies of their permanent collections for preservation purposes (Articles 3–6 inclusive).

On 21 January 2020, the UK government confirmed that the UK will not be required to implement the Directive and that it has no plans to do so. Furthermore, the UK government confirmed that any future changes to the UK copyright framework will be considered as part of the usual domestic policy process. Following the EU-wide implementation of the Copyright Directive by 7 June 2021, there may be a significant rift between the EU regime and the UK national regime (e.g., given the implications of Article 17 and its interplay with the existing safe harbour regime as implemented into national UK law), creating a potentially challenging regulatory environment. Companies with an EU and UK presence, such as UK-headquartered companies with operations in the EU or global companies with operations in both the EU and UK, could experience a significant impact.

Implementation of the Marrakesh Treaty

The directive designed to implement the Marrakesh Treaty introduces a new mandatory exception to the copyright rights harmonised under EU law, allowing people who are blind or otherwise print-disabled to access books and other content in formats that are accessible to them, including across borders. The regulation governs exchanges of accessible format copies between the European Union and third countries that are parties to the Marrakesh Treaty. The regulation and directive implementing the Marrakesh Treaty were published in the Official Journal on 20 September 2017. The regulation applied from 12 October 2018,113 and Member States had to implement the directive by 11 October 2018.114 Accordingly, the Copyright and Related Rights (Marrakesh Treaty etc.) (Amendment) Regulations (2018/995) came into force on 11 October 2018 and amended the UK's copyright law to make the UK's laws compatible with the Marrakesh Directive.

The UK government has confirmed that the regulation and the UK's implementation of the directive will be retained in UK law from 1 January 2021. However, the UK is party to the Treaty through its membership of the EU. Until the UK government ratifies the Treaty in its own right following Brexit, the cross-border exchange of accessible format copies with the UK may be restricted. The latest government guidance at the time of writing indicates that the government is on track to ratify the Treaty into national legislation by 1 January 2021.115

Changes to copyright law from 1 January 2021

In addition to country of origin issues, the revocation of the Portability Regulation, and the continued implementation of the Marrakesh Treaty (each as discussed above), a government guidance note published on 30 January 2020116 identifies changes to copyright law that will come into effect following the end of the transition period for the UK's exit from the EU. The guidance sets out how UK copyright law will change, subject to any changes under the future UK–EU relationship, and introduces the Intellectual Property (Copyright and Related Rights) (Amendment) (EU Exit) Regulations 2019 (the IP Exit Regulations) under the powers of the European Union (Withdrawal) Act 2018, due to come into force on 1 January 2021. The IP Exit Regulations remove or correct references to the EU, EEA or Member States in existing UK copyright legislation to preserve the effect of UK law where possible. Reciprocal cross-border arrangements will be amended or brought to an end, as appropriate. The government guidance note does state that, depending on the outcome of any further negotiations between the UK and the EU, the IP Exit Regulations may be amended. The guidance reiterates that most UK copyright works (such as books, films and music) will still be protected in the EU because of the UK's participation in the international treaties on copyright. For the same reason, EU copyright works will continue to be protected in the UK. This applies to works made before and after 1 January 2021. However, note the following changes to copyright law which are relevant to the media sector and in respect of which the government has published guidance:

  1. Sui generis database rights.117 Sui generis database rights prevent the unauthorised copying or extraction of data from databases which involve a substantial investment in time, money or effort and were created by an EEA national, resident or business. Following Brexit, UK citizens, residents and businesses will no longer be eligible to receive or hold sui generis database rights in the EEA for databases created on or after 1 January 2021. UK owners of databases created on or after 1 January 2021 will need to consider whether they can rely on alternative means of protection in the EEA – for example licensing arrangements or copyright protection. The government's guidance states that UK legislation will be amended so that only UK citizens, residents and businesses are eligible for database rights in the UK for databases created on or after 1 January 2021. The government's guidance further states that pre-existing sui generis database rights (whether held by UK or EEA persons) will continue to exist for the remainder of their duration.
  2. Collective rights management.118 EU CMOs are required by the EU Collective Rights Management (CRM) Directive to represent, on request, rights holders of any EEA Member State. UK government guidance confirms that from 1 January 2021, EEA CMOs will not be required by the CRM Directive to represent UK rights holders or to represent the catalogues of UK CMOs for online licensing of musical rights. UK rights holders and CMOs will still be able to request representation, but EEA CMOs may refuse those requests depending on the national law of Member States. The guidance further states that in the UK, existing obligations on UK CMOs will be maintained following 1 January 2021 (including those specific to multiterritorial licensing of musical works for online services).
  3. Orphan works.119 The EU Orphan Works Directive provides an exception to copyright infringement of orphan works (works where the rights holder is unknown or cannot be found), enabling cultural heritage institutions (CHIs) established in the EEA to digitise and make orphan works available online across EEA Member States. According to the government's guidance, UK CHIs will not be able to make use of the orphan works exception from 1 January 2021 and UK CHIs may face claims of copyright infringement if they make orphan works available online in the UK or EEA, including works they had made available online before 1 January 2021. As such, UK CHIs will need to remove any orphan works currently made available under the exception, or consider seeking a licence under the UK's orphan works licensing scheme.

iii OTT delivery of content and broadcast TV

Over-the-top internet delivery (OTT) is utilised by a range of content providers in the UK, including public service broadcasters (PSBs) (i.e., BBC iPlayer, ITV Hub, All4 and My5), cable and satellite platforms (e.g., both Virgin Media and Sky offer VOD products) and standalone VOD platforms (e.g., Netflix, Amazon Prime Video and NowTV). To further facilitate user access to internet-delivered services, the BBC, ITV, Channel 4, Channel 5, BT, TalkTalk and Arqiva have collaborated on an open-technology offering called YouView, which enables viewers to access free-to-air channels and catch-up and on-demand programming via their televisions (along with the ability to add access to pay-TV channels and on-demand services). Disney+ launched in the UK in March 2020 and quickly became the third-most-subscribed-to SVoD service (behind Netflix and Amazon Prime Video) according to Ofcom data.

The industry is transforming as the take-up of superfast broadband and connected televisions changes the way in which people watch audiovisual content. People's total television and audiovisual viewing in 2019 was four hours and 52 minutes per day, a figure which remains similar to the levels of total viewing in 2018. Of this, live TV made up 53 per cent (a decrease of 3 per cent since 2018), while the remaining 47 per cent was composed of viewing non-broadcast content such as content available via standalone VOD platforms and YouTube. Despite the variety of devices available and the increased use of smartphones in the UK, the TV set is still the most popular way to view audiovisual content, with 98 per cent of UK homes having a working TV set in 2020.

Additionally, the covid-19 pandemic has changed consumer viewing behaviour significantly, with people spending more time at home viewing content. According to Ofcom, 2020 has seen accelerated growth in the viewing of online video, particularly OTT subscription services, with people in the UK watching an average of 37 minutes per day more than in 2019. Even as lockdown measures eased, people's total viewing time in the UK was on average 11 per cent higher than in the same week in 2019. People's total television viewing in April 2020 (at the peak of lockdown restrictions) averaged 6 hours 25 minutes per day (across all devices) – a significant increase on the 2019 figures.

The change in viewing habits is also in part driven by younger viewers, who watch more non-broadcast than broadcast content. SVoD viewing is far more pronounced in this age group, with large content libraries supporting heavy usage. The daily average for 2019 is split into three main parts: live TV (55 minutes – 21 per cent); YouTube (76 minutes – 30 per cent); and SVoD (59 minutes – 23 per cent). Viewing of SVoD by adults aged 16–34 has increased by a total of 12 minutes per day, continuing similar growth trends of previous years.

The continued growth of online video has ensured that total commercial revenue, encompassing TV and online, remained flat compared to 2019. Before the outbreak of covid-19, traditional commercial TV revenues were continuing the downward trend of previous years, with both digital multichannel and commercial PSBs seeing a decline in total revenue in 2019. Revenue from pay-TV subscription services remained flat compared to 2018 levels.

The covid-19 pandemic has also reinforced the importance of PSBs as trusted providers of news information, helping PSBs to achieve their highest combined monthly viewing share in more than six years in March 2020 when they captured 58 per cent of broadcast viewing. The BBC, ITV and Channel 4 were each rated as trusted sources of news and information by more than eight in ten people at the start of lockdown, with the BBC services in particular being the most-used source of news and information about covid-19. During the first week of lockdown in the UK, 82 per cent of people said that they used BBC services for covid-19 related information, well ahead of other broadcasters, social media channels and other sources.120

iv PSBs

As part of its responsibility as regulator, in February 2020 Ofcom published a review of how public service broadcasting has delivered for UK audiences over a five-year period to 2018. The review found that audiences continue to highly value the purposes of public service broadcasting, including trustworthy news and programmes that show different aspects of UK life and culture. The review establishes that the PSBs have generally fulfilled the public service broadcasting remit pursuant to the Act. Investment by the PSBs has also played an important role in supporting the UK's creative economy, including an increasingly vibrant production sector across the nations and regions. However, Ofcom wrote that maintaining the current level and range of programmes is a challenge for the PSBs, particularly when, at the same time, other providers such as Sky and Netflix are offering both a large volume and wide range of high-quality content to UK audiences.121

In July 2020, Ofcom published a report discussing people's relationship with public service broadcasting, with a particular focus on the views of young people. The report finds that, in exploring media habits and attitudes, it is apparent that consumption behaviours differ across the generations as does the use and relevance of the PSBs. Younger audiences tend to feel they are using streaming services more than public service channels, with some claiming to use public services rarely. However, analysis of media diaries suggested that the amount of public service broadcasting content being consumed can often be significantly underestimated, in part due to young people often watching 'hero' content (referring to programming that is particularly noteworthy and talked about, for example, at the time of publication of the report, programmes such as Peaky Blinders and 13 Reasons Why). Importantly, while younger generations may only recall watching one or two public service shows at any given time, they do acknowledge that these shows are often highly valued. The report also found that the PSBs' master brands (i.e., BBC, ITV and C4) seem to have distinct identities across all age groups and all can describe their characteristics relative to one another.

The DEA added a requirement under the Act for Ofcom to periodically review and report on the provision by EPGs of information on and access to the public service channels and content via the PSBs' VOD services. Ofcom published its first such report on 27 July 2018.122 The DEA also required Ofcom to review the EPG Code prior to 1 December 2020. Pursuant to this, on 14 August 2020, Ofcom published a consultation on its review of competition rules in the EPG Code. The closing date for responses was 25 September 2020.

Currently in the UK, regulations guarantee the PSBs' prominence on the traditional Ofcom-licensed linear EPGs, but no such protections are afforded to PSBs in respect of other search functionality (e.g., on connected devices and searches via voice) or in respect of the PSBs' VOD services. While public service VOD and catch-up services are currently generally well-positioned, this is due to commercial negotiation rather than regulation. Ofcom is implementing changes to the existing linear EPG Code,123 which will come into force on 4 January 2021 with 18 months for EPG providers to implement the new rules. The amendments to the EPG Code124 include:

  1. the five main PSB channels (BBC One, BBC Two, Channel 3 licensees, Channel 4 and Channel 5) being guaranteed their current positions in the top five EPG slots (subject to regional variations for Wales);
  2. BBC Four being guaranteed a slot within the first 24 slots of any licensed EPG;
  3. BBC News, BBC Parliament, CBBC and CBeebies being guaranteed slots within the first eight slots of the relevant EPG genre or section; and
  4. local TV services being located in the first 24 slots on digital terrestrial television of any EPG.125

Ofcom's recommendations to the government for a new framework to keep public service TV prominent in an online world analysed options for the future regulation of prominence in the context of VOD services (including the position of the PSBs' VOD players and the availability of their content on a VOD basis elsewhere within platforms and via devices). Any such changes would be the subject of future legislation. Ofcom has stated that it would support new legislation to address the prominence of internet-delivered public service content to secure the health of the public service broadcasting system and, accordingly (following consultation), has set out the following recommendations:

  1. new legislation is needed to keep PSBs prominent and support the sustainability of the PSBs;
  2. these new rules should specify which PSB content is given prominence, and on which platforms;
  3. the initial focus should be on connected TVs;
  4. viewers should be able to find PSB content easily on the homepage of connected TVs;
  5. on-demand services should only be given prominence if the service is clearly delivering PSB content;
  6. PSB content should also be given protected prominence within TV platforms' recommendations and search results;
  7. the new framework should protect the prominence of PSB content that is made available without charge; and
  8. there may need to be new obligations to ensure the continued availability of PSB on-demand content to viewers.126

v Impact of covid-19

The media sector has been significantly impacted by the covid-19 pandemic. Production arrangements have been severely disrupted. Sports and other live entertainment ground to a halt for a period and, while at the time of writing UK sports have generally resumed, they are largely being played behind closed doors. Cinemas were also closed, with many releases delayed. On the flip side, covid-19 is seemingly resulting in some positives for the VOD industry. Lockdown prompted a surge in TV viewing in the UK that amplified the shift from broadcast to on-demand. During April 2020's full lockdown, viewing time per person per day averaged an estimated six hours 25 minutes, an increase of approximately an hour and a half on the average figure for 2019. Of this, approximately 40 minutes was attributed to SVoD services and viewing of YouTube increased by an average of nine minutes per person per day. SVoD subscriptions also grew.127

At the time of writing, we have seen some production resume. Industry guidelines have been published concerning covid-19-safe procedures.128 The government has announced a new UK-wide £500 million Film and TV Production Restart Scheme. The Scheme has been instigated with the aim of helping productions that are halted or delayed by an inability to obtain insurance to cover covid-19 related risks.129

Additionally, the government has provided a Culture Recovery Fund to help Britain's culture, arts and heritage organisations, including cinemas, impacted by the pandemic. General cross-sector aid measures that may assist businesses in the media sector are also available.

The year in review

i Brexit

On 23 June 2016, the UK voted to leave the EU by a vote of 51.9 per cent in favour of leave to 48.1 per cent in favour of remain. The government invoked Article 50 of the Treaty on European Union on 29 March 2017, thereby starting the period of negotiation between the UK and the EU on the terms of the UK's exit. The UK left the EU on 31 January 2020 (exit day), and entered a transition period that ends on 31 December 2020.

The UK's legal framework giving effect to Brexit during, and following, the transition period is governed by the European Union (Withdrawal) Act 2018 (Withdrawal Act), as amended by the European Union (Withdrawal Agreement) Act 2020. This framework provides that:

  1. the European Communities Act (ECA) 1972 was repealed on exit day;
  2. all existing EU legislation (including EU-derived legislation, such as national implementing legislation) was enshrined into British law on exit day;
  3. the jurisdiction of the CJEU over the UK continues during the transition period, and shall end on 31 December 2020 (subject to certain exceptions in which jurisdiction continues); and
  4. the government shall be permitted to remove or amend EU laws that apply to the UK (whether directly effective or enshrined in UK law by a separate Act of Parliament) with primary legislation and, in some cases, secondary legislation via the Henry VIII clauses.

Following the end of the transition period on 31 December 2020, the following key events will occur:

  1. The Withdrawal Act savings for the ECA 1972 and any EU-derived domestic legislation are repealed;
  2. Material Withdrawal Act provisions take effect (mostly automatically);
  3. 'Retained EU law' is created by the Withdrawal Act, which effectively captures the EU law that applied to the UK at the end of the transition period (and which will be amended by UK legislation as appropriate in order to operate effectively within the UK legal regime); and
  4. The majority of Brexit-related regulations and statutory instruments will come into force, in order to give effect to the complex framework of post-EU UK legislation (for example, to implement required UK standards and policies in previously EU-governed areas, and to amend retained EU law to operate in a UK context).

The full picture of the future UK–EU relationship is still developing as negotiations continue, which will go beyond the end of the transition period.

ii Towards regulated digital services?

On 1 July 2020, the CMA published its final report concluding the market study into online platforms and digital advertising. The CMA's key recommendations focused on search advertising and display advertising and aligned with the recommendations set out in the Furman Report published in 2019. The CMA recommended to the UK government that it introduce a new regulatory regime to monitor large platforms. The CMA's report recommended that this new regulatory regime should include:

  1. Provision for a Digital Markets Unit (DMU): a body authorised to implement the new regulation, which could be a new or an existing institution, or several bodies sharing relevant functions.
  2. An enforceable code of conduct to govern the behaviour of platforms that are designated as having SMS. The code would aim to ensure: (1) fair trading, (2) open choices, and (3) trust and transparency.
  3. A requirement for a DMU to designate businesses that have SMS, maintain the code of conduct, and produce detailed guidance.
  4. Authorising the DMU to enforce the principles of the code on a timely basis, and amend the code's principles in line with evolving market conditions.
  5. Authorising the DMU to intervene so that platforms give appropriate data access, offer sufficient consumer choice, and implement ownership separation and operational separation.

With the publication of the final report, the CMA has now launched the Digital Markets Taskforce to advise the government on how to design a new ex ante regulatory regime. To inform this work, the CMA published a new call for information and is writing to relevant businesses to seek their views and information. The scope of the Taskforce encompasses all online platforms, including those that are not funded by digital advertising. The Taskforce intends to deliver advice to the UK government by the end of 2020. The CMA will lead the Digital Markets Taskforce and also work with Ofcom and the ICO to examine the impact of privacy regulation, with the three bodies establishing a new Digital Regulation Cooperation Forum to support broader UK regulatory coordination in online services.

Competition authorities and several governments in other jurisdictions are also considering further regulation in digital markets. For example:

  1. the European Commission is currently consulting on a proposal to develop a new competition tool to address structural competition problems, as well as a Digital Services Act, including an ex ante regulatory instrument for online platforms;
  2. the US Department of Justice announced in July 2019 that it is reviewing the practices of a number of platforms that may create or maintain structural impediments to greater competition;130
  3. the ACCC is currently conducting an inquiry in Australia into adtech and ad agencies, which builds on the ACCC's previous work examining digital advertising markets more generally in a digital platforms inquiry; and
  4. the BKartA is currently conducting a sector inquiry in Germany into market conditions in the online advertising sector.

Conclusions and outlook

Recent years have seen privacy debates continue both inside and outside the courtroom, highlighting the ever-evolving regulatory landscape and the ongoing legal controversies about the scope and extent of a citizen's right to privacy. The implementation of the GDPR was a milestone in the area of data protection law, and the developments introduced in the drafts of the ePrivacy Regulation could have significant implications (though the text is not yet finalised and timings for implementation remain unclear).

The invalidation of the EU–US Privacy Shield in July 2020 in the Schrems II litigation, and the caveats imposed on the use of the standard contractual clauses as an alternative mechanism for the transfer of personal data to the US (and other countries outside the EU and UK), was a further controversial development. It remains to be seen what the long-term implications of this decision will be.

With regard to the media and entertainment industry in the UK, the rise in popularity of SVoD services has seen further OTT services launched in the UK in the past year, including Apple TV+ and Disney+, which has quickly established itself as the third-most-subscribed-to SVoD service. The proliferation of OTT services and their need for high-quality content to drive subscriber numbers continue to reshape the industry. From a regulatory perspective, we have seen further platform regulation which impacts on internet-delivered content services, whether standalone OTT platforms or social media. We have outlined above the key legislative changes effective 1 January 2021 in the media and entertainment sector – we now have greater clarity over the changes and industry is preparing for this date. However, we have seen huge disruption caused by the covid-19 pandemic. Production arrangements have been severely disrupted. Sports and other live entertainment ground to a halt for a period and cinemas were closed, with many releases delayed. On the flip side, lockdown prompted a surge in TV viewing in the UK that amplified the shift from broadcast to on-demand. The government has made available certain industry-specific support, as well as general cross-sector aid measures that may assist businesses in the media sector. It remains to be seen how the media and entertainment sector will be impacted by the pandemic on a longer-term basis.

Brexit will undoubtedly continue to have an influence on the policy and regulatory landscape in the UK and the EU27. The extent and nature of this will become clearer as more specific details emerge from the UK's Brexit negotiations with the EU27 in the run-up to, and following, the end of the transition period on 31 December 2020.


1 John D Colahan, Gail Crawford and Lisbeth Savill are partners at Latham & Watkins LLP. The authors would like to acknowledge the kind assistance of their colleagues Rachael Astin, Alexandra Luchian, Amy Smyth, Sarah Miller, Katie Henshall and Emma Pianta in the preparation of this chapter.

3 Directive (EU) 2016/1148.

4 See Ofcom statement, Renewal of the co-regulatory arrangements for broadcast advertising, 4 November 2014, available at

5 Section 3(1) of the Act.

8 Directive 2018/1972 establishing the European Electronic Communications Code.

9 Directive 95/46/EC.

12 Note, however, that changes in control of certain radio communications and TV and radio broadcast licences arising as a result of mergers and acquisitions may in certain circumstances require the consent of Ofcom.

13 The CMA and Ofcom have signed a memorandum of understanding in respect of their concurrent competition powers in the electronic communications, broadcasting and postal sectors. This is available at

14 Lebedev Holdings Limited and Another v. Secretary of State for Digital, Culture, Media and Sport [2019] CAT 21, judgment available at

15 There is also the power to take appropriate measures nationally to protect the plurality of the media under Article 21(4) of the EU Merger Regulations (Regulation 139/2004/EC).

17 The CMA's guidance to the changes is available at A recent example where the Secretary of State decided to intervene under the new rules on the basis that the interests of national security (one of the specified public interest considerations) are relevant is the proposed acquisition of Inmarsat plc by Connect Bidco Ltd (CMA case page available at:

37 Directive 2000/31/EC.

38 Directive 2002/58/EC.

39 Directive 2009/136/EC.

41 The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419).

42 In Patrick Breyer v. Bundesrepublik Deutschland (C-582/14), the CJEU ruled in October 2016 that where a website operator holds IP addresses and has 'the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person', then these will be classified as personal data.

45 Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems [2020] C-311/18.

46 General Data Protection Regulation: Recitals 26, 30 and 32.

47 General Data Protection Regulation: Article 7(3).

54 General Data Protection Regulation: Articles 33 and 34.

55 General Data Protection Regulation: Article 83(4)(a).

59 R (Davis & Watson) v. Secretary of State for Home Department [2015] EWHC 2092.

60 Secretary of State for the Home Department v. Watson [2018] EWCA Civ 70.

61 The Investigatory Powers Act 2016 (Commencement No. 12) Regulations 2020 (SI 2020/766).

62 R (on the application of National Council for Civil Liberties (Liberty)) v. Secretary of State for Home Department [2018] EWHC 975.

63 Privacy International (case C-623/17).

64 The Telecommunications Act 1984 and RIPA.

65 ECHR 299 (2018).

66 The Court heard three cases simultaneously: (1) Big Brother Watch and Others v. United Kingdom (Case No. 58170/13); (2) 10 Human Rights Organisations and Others v. United Kingdom (Case No. 24960/15); and (3) Bureau of Investigative Journalism and Alice Ross v. United Kingdom (Case No. 62322/14).

68 General Data Protection Regulation: Recitals 38 and 75.

69 General Data Protection Regulation: Article 8.

70 General Data Protection Regulation: Article 17.

80 Directive 2002/21/EC.

81 Directive 2002/20/EC.

100 Ofcom, Content (international work),

101 Available at Ofcom, call for evidence, video-sharing platform regulation,

103 The AVMSD (Directive 2010/13/EU) is based on the country of origin principle, whereby service providers are subject to the regulations in their country of origin only and are not subject to regulation in the destination country, except in limited circumstances (Article 2(1)).

104 Article 4 of Council of ECTT.

110 Under the Satellite and Cable Directive (Directive 98/83/EEC), this principle effectively allows broadcasters to clear rights for satellite broadcasting in one Member State and allows them to then make their satellite transmissions available in other Member States.
