Digital business regulation: what’s coming up in the next 12 months


Written on 9 May 2016

The Digital Business sector is subject to increasing levels of regulation. Below are some of the regulatory developments to watch, taken from Osborne Clarke’s UK Regulatory Timeline, which also covers upcoming developments across a wide range of other sectors and regulatory regimes. Please click here for the full Timeline.

30 April 2016: net neutrality

A number of provisions of the EU Net Neutrality Regulation came into force on 30 April 2016.

The Regulation is designed to ensure that users have access to online content and services without discrimination or interference by internet service providers. All internet traffic must be treated equally, subject to limited exceptions. This means that network-level blocking of specific content is highly restricted and the ability of telecoms operators and ISPs to apply traffic management measures will be much more limited. Likewise, the ability to negotiate preferred speeds or quality of service deals will be limited to so-called ‘specialised services’ whose delivery requires a guaranteed service level – think IPTV, connected cars, telemedicine and certain cloud services.

Ofcom will be the body that enforces the Regulation within the UK.

Q2 2016: data protection reforms

The European Parliament and the European Council have reached agreement on a package of data protection reforms which includes the General Data Protection Regulation and the Data Protection Directive. The reforms have been passed by the Parliament and will come into EU law once they have been formally approved by the Council and published in the EU Official Journal.

The GDPR introduces fundamental changes to data protection law, including the harmonisation of regimes across the EU, a significant increase in fines (up to EUR 20 million or 4% of worldwide turnover) and the extension of the regime to non-EU businesses that operate in the EU.

The Data Protection Directive will govern the processing of personal data to prevent, investigate, detect or prosecute criminal offences or enforce criminal penalties, and the free movement of such data.

Q2/Q3 2016: Cyber Security Directive to be passed

The European Council, Parliament and Commission have reached agreement on the text of the Cyber Security, or “NIS”, Directive. The NIS Directive requires, amongst other things, that operators of essential services (such as critical infrastructure in sectors such as energy, banking, transport and health) take appropriate security measures and report security incidents to national authorities. A lighter touch regulatory regime will, however, apply to certain digital / technology businesses.

The NIS Directive will likely see the creation of a new regulator in the UK to whom certain network security breaches will need to be reported, raising the spectre of yet more (potentially competing) reporting obligations for businesses hit by a major cyber security incident.

We expect the Directive to come into force during spring 2016. Once in force, Member States will have 21 months to implement the necessary national legislation and another six months to identify the “operators of essential services” to whom the new rules will apply. Businesses potentially caught by the Directive need to start planning now.

For more information on the NIS Directive see here.

June 2016: EU/US Privacy Shield

With Safe Harbor having been declared invalid, on 29 February 2016 the European Commission published the draft legal text for a new framework for transatlantic data flows – the EU/US Privacy Shield.

The Article 29 Working Party has raised concerns about a number of aspects of the proposed new framework, and how it will interact with the GDPR. Its opinion is not binding, but its views will be taken into account by the Commission and a committee representing all of the Member States, before any “adequacy decision” is adopted by the Commission. Once it has been finalised and adopted, businesses will be able to rely on the EU/US Privacy Shield for transatlantic transfers of personal data.

For more information on the EU/US Privacy Shield see here.

2016/2017: Digital Single Market

The DSM is a major initiative that will affect almost all digital businesses in the EU. It has the potential to impact on everyone, from traditional telecoms providers to over-the-top service providers, platforms and content providers.

On 9 December 2015 the European Commission published its first three legislative proposals under the DSM initiative:

  • a directive on certain aspects of the supply of digital content; 
  • a directive seeking to harmonise contract laws for the online sale of goods; and 
  • a regulation for the reform of copyright and cross-border portability of online content, to allow consumers to access content whilst temporarily in another EU Member State.

These proposals aim to tackle what the Commission perceives as the main obstacles to cross-border e-commerce in the EU: the fragmentation of laws across the EU and lack of trust by consumers when buying online from another country. We are expecting draft texts to be prepared during 2016, although none of the changes are likely to take effect until 2017 at the earliest.

As well as these legislative changes, on 19 April 2016 the Commission announced plans to use its policy instruments, financial support and legislative powers to support further investment in the digitising of industrial sectors. The plans will include coordination of national initiatives, public-private partnerships and the investment by the Commission of €500 million into digital innovation hubs.

For more information, see our dedicated DSM hub.


*This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
