Our Knowledge Team looks at what lies ahead for business law
Our Knowledge Lawyers have picked out particular legal developments affecting business, as certain already legislated-for regulatory changes and rules come into effect, new legislation passes, and long-awaited litigation on complex points continues to progress through the courts.
Digital regulation
Online safety
2023 saw the UK's Online Safety Act (OSA) finally receive Royal Assent and 2024 will see much work by Ofcom, the designated online safety regulator, to bring it into effect. Ofcom is taking a phased approach to implementation. Consultations on draft guidance and codes of practice for the first phase (covering illegal harms) are already under way and should be finalised in the autumn of 2024.
In fact, 2024 will be "the year of the consultation" in online safety in the UK. Ofcom plans to begin consulting on the second phase of implementation (covering child safety duties) by launching consultations in the spring, and will kick start the third phase (covering transparency, user empowerment and other duties on "categorised services") with a call for evidence in early 2024, followed by a consultation on draft transparency guidance in the middle of the year. This is unlikely to start happening until the beginning of 2025. However, it is possible that the three-month period within which in-scope businesses must complete their illegal content risk assessments (part of the first phase of implementation) might begin in the last quarter of 2024.
New legislation to be passed
2023 also saw the reintroduction to Parliament of the Data Protection and Digital Information Bill (which aims to make data protection law simpler and more flexible as well as providing a statutory foundation for smart data regimes, and for digital identify verification services) and the Digital Markets, Competition and Consumer Bill (which makes substantial changes to UK consumer protection law and gives the CMA stronger enforcement powers).
We also saw the introduction to Parliament of the Media Bill, which will reform public service broadcasting and video-on-demand laws. The government expects all three bills to become law during 2024. On 29 April 2024, we will also see secondary legislation under the Product Security and Telecommunications Infrastructure Act 2022 come into force, which will set out specific security requirements for "internet of things" products.
New EU obligations
Meanwhile, in the EU, while "designated" services have been obliged, since August 2023, to comply with the Digital Services Act (which, like the OSA, aims to protect online users from illegal and harmful content and applies to services received by users in the EU, regardless of where the provider is located), obligations will come into force for most providers on 17 February 2024. In addition, the Digital Markets Act, which applies to large providers designated as "gatekeepers" that operate in the EU (again, regardless of where they are based), will come into full effect on 6 March 2024.
2024 will also see the enactment of the EU's Data Act, which becomes law on 11 January 2024. This new legislation will introduce extensive new rules around data sharing, going far beyond personal data. In particular, it will create new rights of access to data, particularly Internet of Things and machine-generated data. Such data is often controlled by the business that gathered it but is inaccessible to the entity whose activities generated it. The Data Act will also introduce new rules in other areas including fairness in data contracts between businesses, switching between cloud services providers, and for smart contracts used to execute data contracts. Most provisions will come into effect on 12 September 2025.
As for data protection and privacy, the EU Commission should publish its review of the GDPR in 2024. As technology continues to evolve at speed, particularly in relation to AI, we are likely to see a continued focus on privacy issues throughout the year, with the balance between innovation and privacy presenting an ongoing challenge for regulators and lawmakers.
The EU's Cyber Resilience Act (which introduces cyber security requirements for products with digital elements) is also likely to become law in 2024, although manufacturers will not have to comply for a further 36 months.
Preparation for compliance
There will be much for businesses offering digital products, services and platforms in the UK to get to grips with in terms of compliance in 2024 and beyond, and businesses operating in both the UK and the EU will face the additional, tricky task of having to comply with two distinct regimes in certain areas, and with intentional divergence by the UK in certain areas (many of which concern platforms, software and hardware). Compliance will therefore need to be considered in good time, with appropriate planning for the resources required to understand, design and implement any necessary changes to software, hardware, data collection or storage, or compliance with new standards issued to support the new regulations.
To view the full article, click here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
