There is no single regulatory regime that governs software in the UK.

A number of laws and regulations across various sectors are, however, relevant to software. These include general regulations covering consumer protection, advertising, employment, intellectual property and data protection, amongst others.

In certain limited circumstances, there are specific regulations for software, such as use of software in medical devices, and those around harm caused by software and computer systems.

In the UK, the main form of protection for software is through copyright, which applies to the software code (whether source code or any compiled version), any algorithms, graphics, video and audio recordings, and any documents, specifications, user manuals and other materials associated with it. Copyright arises automatically in the UK on creation of an original work, and there is no need to register this. Copyright generally protects against copying – there is no protection against independent creation of similar software or materials, where actual copying is not reasonably evident.

The functional aspects of any software application are not generally protectable in the UK unless it can be shown that a software with similar functionality came about as a result of copying of any code, specification or design materials.

Software code “as such” is not patentable in the UK, but a software-related invention might be patentable depending on the context, i.e. where the contribution made by the software-related invention has a technical effect (such as where software is used to drive equipment, or improve performance of a computing system).

The “look and feel” of any software application may be protected by registered design in the UK, which can be a quick and cost-effective way to protect unique aspects of the user interface.

Software is often exploited in such a way that the source code and design materials are not disclosed to any licensee or user of the software. To the extent source code and design materials are kept confidential and reasonable steps have been taken to prevent disclosure to third parties, the laws of confidence and/or trade secrets will allow the software owner to protect and enforce their rights in that confidential information.

In the UK, the first owner of copyright is the author or creator of the copyright works. Where a software developer, consultant or contractor creates software for a customer, then the software developer, consultant or contractor will own the copyright in the software code and any documents, specifications, graphics or other materials in the software.

The same is true for any invention or concept which may give software its technical effect. Rights to any invention will remain with the software developer, consultant or contractor, who will own the rights to the invention, and will be entitled to apply for patent protection.

If it is the intention that the customer owns all rights in software, it is, therefore, important to ensure that such rights, including in any inventions, concepts or ideas, and any software code, documentation or materials, are assigned to the customer under a written agreement which is signed by the software developer, consultant or contractor.

The position is made more complex where, for example, a software developer will use its own proprietary code, templates or specifications to build software for its customer for efficiency and to control costs. The software developer is unlikely to agree to assign its own proprietary materials to the customer, in which case, the customer should seek an assignment of any software and materials created specifically for it, together with a non-exclusive, perpetual licence to use the software developer’s own proprietary software and materials insofar as is necessary for the use and exploitation of the newly created software.

Liability for harm caused by software and computer systems is governed predominantly by either contract law or the law of negligence. Where a business provides software to a consumer, chapter 3 of the Consumer Rights Act 2015 sets out various implied contractual terms that govern such supply of software, including that it is of satisfactory quality, fit for purpose and as described. Chapter 3 of the Consumer Rights Act 2015 also provides various remedies if those statutory rights are not adhered to.

The Computer Misuse Act 1990 is the main legislation that criminalises unauthorised access to computer systems and data. The Computer Misuse Act 1990 criminalises access to computer systems and data which has not been authorised by the owner of the computer system.

Generally speaking, there are no technology-specific laws that govern the provision of software between a software vendor and customer in the UK, and no specific laws that govern the use of cloud technology.

However, where the customer is a regulated financial services firm (hereafter referred to as a “regulated firm”), certain rules and guidance may apply in these circumstances.  Which rules and guidance apply in particular instances, and the extent to which they apply, will depend on factors such as: the vendor’s role in practice, what the regulated firm’s activities are, and the impact that the service may have on those regulated activities.

In general, the rules and guidance issued by the Financial Conduct Authority (“FCA”) and the Prudential Regulation Authority (“PRA”) are intended to be technology-neutral. As such, the rules and guidance are not “technology-specific”, but apply in situations where the services provided are supported by technology, including cloud services.

Specific rules and guidance apply in two circumstances: (1) outsourcing, and (2) activities which may affect a regulated firm’s operational resilience (i.e. the ability of a regulated firm and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions (these could include disruptions caused by the failure of technology on which the regulated firm depends)).  In such circumstances, one or more of the following may be relevant:

1. The FCA’s rules and guidance in chapter 8 of the Senior Management Arrangements, Systems and Controls handbook (“SYSC”) within the FCA Handbook. SYSC 8.1 applies to outsourcing, meaning it can apply to SaaS. Depending on what activities the regulated firm carries out, SYSC 8 applies either as guidance or as rules.
2. The FCA’s Finalised Guidance FG16/5 for firms outsourcing to the cloud and other third-party IT services.
3. The European Banking Authority (“EBA”) Guidelines on Outsourcing Arrangements dated 25 February 2019 (EBA/GL/2019/02). The FCA and the PRA expect firms to continue to comply with the Guidelines, to the extent they remain relevant post-Brexit.
4. The PRA’s Supervisory Statement of March 2021 (SS2/21) on Outsourcing and Third Party Risk Management. Although directed to PRA-regulated firms such as banks, building societies, PRA-designated investment firms, insurance and reinsurance firms, the PRA’s drafting was reviewed by the FCA and the FCA’s approach aligns with the PRA’s. The Supervisory Statement is a useful tool in understanding how the EBA Guidelines are likely to be interpreted and applied by the UK regulators.
5. The FCA’s rules and guidance relating to operational resilience, in SYSC. The main rules appear in SYSC 15A.
6. The PRA’s rules and guidance relating to operational resilience, in the Operational Resilience sections of the PRA Rulebook. This is supplemented by PRA guidance in its Supervisory Statement of March 2022 (SS1/21) on Impact Tolerances for Important Business Services.
7. A shared policy summary on operational resilience, from the Bank of England, PRA and FCA, dated March 2021.

In some instances, a regulated firm may have to consider the impact of technology on its activities even where the provision of services does not amount to outsourcing, or is not considered relevant to the regulated firm’s operational resilience. For example, the PRA’s SS2/21 also discusses third party arrangements which do not involve outsourcing. Moreover, where a regulated firm is subject to the FCA’s Consumer Duty, it will have to consider the impact of the services it receives from third parties on its ability to comply with the Consumer Principle and deliver good outcomes for retail customers.

In addition, sector-specific conduct rules may affect the services the regulated firm receives. For example, if a regulated mortgage lender uses a technology platform to support the provision of documentation to applicants and potential borrowers, it will have to ensure that the documentation produced complies with requirements set out in the Mortgages and Home Finance: Conduct of Business sourcebook. Similarly, a consumer credit lender who outsources tracing of debtors or debt recovery activity must take account of the rules on data accuracy and outsourced activities in the Consumer Credit sourcebook.

In short, where the service recipient is a regulated firm then, depending on the services and the impact of those services of the firm’s activities, a complex and varied tapestry of rules and guidance could apply. Regulated firms should seek specialist guidance in this area, as there is no one-size-fits-all roadmap or solution for determining how to comply with the requirements.

Cloud service providers should be especially conscious of the extraterritorial effect of certain EU laws, including Regulation (EU) 2023/2854 (EU Data Act). The Act, which entered into force on 11 January 2024, contains provisions designed to avoid situations where customers become “locked in” to vendors’ cloud services. From 12 September 2025, certain provisions become directly applicable that will require cloud service providers to support their customers in switching service providers in certain scenarios, and to reflect these terms into their customer contracts.

Yes, it is typical for a software vendor to cap its maximum financial liability to a customer in a software transaction in the UK, although there may be certain areas of liability that are excluded from this cap (please see the response to Question 8 for further information on these excluded areas of liability).

There is no market standard level of cap in the UK, as a liability cap will depend on a range of factors unique to each transaction, including the respective negotiating positions of the customer and software vendor. That said, it is not unusual for the level of cap to range between 100% to 150% of the annualised or total value of the contract.

1. Confidentiality breaches – No typical position – deal specific. A customer will generally push for this area of liability to be excluded from any financial cap, whereas a software vendor will typically resist this position and will require confidentiality breaches to either be subject to the general cap on liability or to a separate enhanced cap.
2. Data protection breaches – Same as for confidentiality breaches (covered at (a)).
3. Data security breaches (including loss of data) – Same as for confidentiality breaches (covered at (a)).
4. IPR infringement claims – In the absence of unique deal-specific reasons that require a contrary position, this area of liability is typically excluded from any financial cap (usually linked to the IPR infringement indemnity).
5. Breaches of applicable law – Same as for confidentiality breaches (covered at (a)); although it is not uncommon for breaches, specifically of the Bribery Act 2010 and/or Modern Slavery Act 2015, by the software vendor to be excluded from any financial caps.
6. Regulatory fines – Same as for confidentiality breaches (covered at (a)).
7. Wilful or deliberate breaches – In the absence of unique deal-specific reasons that require a contrary position, this area of liability is typically excluded from any financial cap. Please note, however, although there is English case law to aid interpretation, there is no single, settled legal definition of what constitutes a “wilful or deliberate breach”, so the customer and software vendor may wish to consider including an agreed definition of these terms within the contract.

It is not uncommon in the UK for source codes to be held in escrow for the benefit of the software licensee, particularly where the software is either bespoke (and the software licensor has retained ownership of IP in the software) or performs critical operations for the software licensee.

Escrow providers now offer escrow services for cloud-based software as well as for traditional “on premise” software. Options available for cloud may include access continuity for single-tenanted environments, where access credentials and documentation may be deposited in escrow, to allow the licensee continued access to the cloud environment in the event of a software vendor failure. Where the cloud environment is a “one to many” unrestricted cloud environment, the escrow provider may hold a separately hosted, mirrored instance of the cloud production environment (including source codes, deployment scripts and databases) to allow temporary continuity in the environment if the software vendor no longer supports the original service environment.

Commonly used escrow providers in the UK include Escrow London, Iron Mountain, LE&AS, NCC Group, and SES.

The UK controls the export of software that is used in the military and where the software may be considered “dual use” where it can be adapted for military use.  The UK Government website lists items that are restricted by category. Anyone looking to export restricted items will require an export licence. It is a criminal offence to breach the export regulations. Businesses looking to export less obvious “dual use” items (in particular) should, if unsure, check the Government’s “consolidated list of strategic military and dual-use items that require export authorisation”, available on the Government website (and which can change from time to time), or take legal advice on interpretation.

Separately, there are complex issues that arise when dealing with the export of software to certain countries, especially China and Russia, in respect of sanctions rather than export controls. It should be noted that sanctions can be applied against individuals, activities, states and organisations and can vary in nature from being asset freezes, to bans on dealing, to bans on providing financial support and banking facilities.  Anyone looking to export to a country where there are sanctions in place should consult the relevant regulations for that jurisdiction. Several jurisdictions besides the UK (including the US and EU) have their own sanctions lists and export controls which may vary from those in the UK.

Many global businesses with trade or employees in certain jurisdictions (e.g. China) have ‘Overseas IT Policies’ which may restrict the taking and use of work and personal mobile devices, laptops, etc. when entering the country, so this should also be borne in mind when considering software transactions.

There are no specific technology laws governing IT outsourcing in the UK.

The Transfer of Undertakings (Protection of Employment) Regulations 2006 (“TUPE”) provide the following significant protection for employees in an IT outsourcing situation:

• The primary purpose of TUPE is to automatically transfer the employment of individual staff from their current employer to a third party IT outsource provider on the same date that the service they perform is transferred to the third party IT outsourcing provider.
• The starting point under TUPE is that the individual employees transfer to the third party IT outsource provider on the same terms and conditions of employment (the name of their employer will change and they will also join or have the option of joining the pension scheme offered by the third party IT provider).
• The transfer of employment takes place automatically by operation of law under TUPE and is not something that parties can choose to ignore.
• TUPE provides enhanced protection to employees in outsourcing situations as the dismissal of an employee with at least 2 years’ continuous service where the sole or principal reason for the dismissal is the transfer itself is automatically unfair. The third party IT outsource provider must be able to show the dismissal was for an economic, technical or organisational reason that entailed a change in the workforce to avoid an automatic unfair dismissal finding, and even then, the dismissed employee can still challenge the fairness of their dismissal under general unfair dismissal law.
• The third party IT outsource provider is prevented from changing the terms and conditions of employees that transfer to it under TUPE if the sole or principal reason for the change is the transfer itself.  Again, the third party IT outsource provider must be able to show that any changes to terms and conditions of employment are made for an economic, technical or organisational reason entailing changes in the workforce or the employment contract permits the change in question.
• TUPE requires the current employer to inform the employees about the proposed transfer and to consult with appropriate representatives of the employees if the third party IT outsource provider is proposing to take any measures/make changes to their employment terms after the transfer. The penalty for failing to comply with this obligation is a protective award of up to 13 weeks’ uncapped pay to each affected employee.

The primary legislation governing the UK telecommunications sector is the Communications Act 2003, as supplemented by the Wireless Telegraphy Act 2006.

The Communications Act 2003 established Ofcom as the independent regulatory body responsible for overseeing the telecommunications industry in the UK, and set out Ofcom’s duties. Together with the Wireless Telegraphy Act 2006, the Communications Act 2003 provides Ofcom with powers within the UK, such as the right to grant licences to providers who wish to provide telecommunications services, and the enforcement of compliance with legislation and guidelines. Both Acts provide a regulatory framework which seeks to protect consumers, ensure there is fair competition, and uphold standards of content.

Further laws that supplement the governance of the telecommunications sector in the UK include:

1. The European Electronic Communications Code (“EECC”), which was transposed into UK law in late 2020. The EECC looks to improve service quality by making investment in infrastructures more attractive to companies, and to protect consumers by placing price limits on international calls, providing affordable services, and promoting better security;
2. The Telecommunications (Security) Act 2021, which seeks to enhance the security of telecommunications networks across the UK by requiring providers to have measures in place to identify and then reduce the risk of security breaches;
3. The Online Safety Act 2023 was given Royal Assent on 26 October 2023 and aims to protect the public online. The Act obliges technology companies to be more responsible for users’ safety online including duties to implement processes and systems to reduce the overall risks that can occur. Additionally, the Act provides more control for users as to the content that users wish to see online and finding the best ways to report issues when they arise. Ofcom has been provided with extra enforcement powers such as the ability to fine companies up to £18 million or 10% of qualifying worldwide revenue (whichever is greater) and to take criminal action against senior managers who fail to ensure compliance;
4. The UK General Data Protection Regulation, which sets out how organisations must collect, store, and use individuals’ data (see also Question 18); and
5. The Privacy and Electronic Communications Regulations, which protects individuals’ privacy (see also Question 18).

To facilitate interoperability in a multi-vendor and multi-network environment but also across geographical borders, the principal standard development organisations (“SDOs”) governing the development of technical standards are necessarily international, rather than specific to the UK.

For companies or individuals in the UK implementing wireless communication technologies or keen to participate in the development of the relevant standards, there are several key SDOs to consider:

• The European Telecommunications Standards Institute (“ETSI”) is recognised by the EU as a European Standards Organisation (“ESO”) but is global in its reach. ETSI supports the development, ratification and testing of standards for ICT-enabled systems, applications and services, including 4G and 5G mobile communications.
• The International Telecommunication Union (“ITU”) whose Telecommunication Standardization Sector (ITU-T) defines standards for ICT networks and devices including the Optical Transport Network and advanced broadband access technologies such as Fibre to the Home and G.fast. In collaboration with IEC and ISO, ITU is also responsible for developing standards for video coding, with video accounting for the vast majority of all Internet traffic.
• The Institute of Electrical and Electronics Engineers (“IEEE”) Standards Association develops global standards in a broad range of technologies including computer networking standards for both wired and wireless networks.

These SDOs are also developing new standards specifically for the Internet of Things (“IoT”), digital health and connected vehicles. For example, there is a working group within IEEE for wireless speciality networks (“WSNs”) such as wireless personal area networks (“WPANs”), Bluetooth, IoT networks, body area networks and wearables. Meanwhile ETSI developed new standards for connectivity within vehicles.

In addition, other organisations have developed new standards for particular connected technologies that implementers in the UK should also be aware of. For example, the Society of Automotive Engineer’s Standard J2735 covers standardised messages to facilitate emergency breaking.

In the UK as in other jurisdictions, technical standards which facilitate interoperability between connected devices mean that parties developing connected technologies which utilise a technology such as 5G or Bluetooth will need to consider patents which have been declared “essential” to those technologies – so-called standard essential patents (“SEPs”).

Any member of an SDO such as ETSI is required to declare any patent which it owns which is essential or potentially essential to one or more of the SDO’s technical standards. A patent will generally be ‘essential’ either if the claimed invention of the patent must be used in order to comply with the standard or if commercially and practically it is the only way to comply.

If a patented technology becomes part of a technical standard and it is mandatory to implement the particular feature, the resulting SEP will be infringed by anyone implementing a solution which complies with the standardised technology.

Balancing the patent holder’s monopoly rights against the need to ensure technologies can be implemented and prevent ‘hold up’ by a patent owner, the members of an SDO such as ETSI, in declaring their patent as standard essential, undertake to grant a licence to the SEP to any ‘willing licensee’ on ‘fair, reasonable and non-discriminatory’ (“FRAND”) terms.

Implementers of services or manufacturers of devices in the UK which use wireless connectivity technologies such as 5G or Bluetooth therefore need a licence to those patents declared essential to the relevant standard and which they must necessarily implement to comply with the standard.

Such licensing may be negotiated with patent holders individually, as has been the model for the mobile phone industry, or through patent pools where those are available, for example in the automotive industry or for IoT. As car manufacturers incorporate more cellular technology into vehicles, they are increasingly using technologies such as 5G or Bluetooth so that vehicles can communicate with the external environment, other vehicles and devices within them. In response to these changes, Avanci LLC has developed a licensing program whereby, for a fixed price per vehicle, it offers a licence to a ‘pool’ of patents owned by multiple patent holders and covering various core patents for wireless communications.

When negotiating agreements which involve mobile communications or other connected technologies, there are different considerations in respect of liabilities/warranties relating to standard essential patents (“SEPs”).

Clauses in collaboration agreements which deal with IPR need to take account of SEPs just as any other patents. Indemnities need to take account of the risk of SEP infringement, as it will be difficult for a third party to have rights to use all SEPs which may be relevant to the technology, given the number of different SEP holders from whom licences need to be obtained. Depending on the technology used, the level of indemnity should take account of the threat of assertions, whether by established telco and tech companies which hold core patents for mobile communications or by ‘non-practising entities’ (“NPEs”) which hold relevant SEPs and engage in licensing campaigns to exploit those rights.

Agreements with suppliers therefore need to be clear as to which party bears the risk for royalty payments. This is particularly relevant in the case of connected and autonomous vehicles, where Avanci’s licence program (see Question 15 above) is open only to vehicle manufacturers and not to suppliers.

Other clauses in agreements may need to reflect the likelihood that intellectual property rights (“IPR”) are likely to include SEPs. For example, in collaborations where there may be joint R&D and/or joint IPR, strategic decisions may need to be made as to the parties’ appetite to engage with SDOs and seek to develop patents which may be declared standard essential.

Data protection is primarily regulated in the UK by The Information Commissioner’s Office (ICO), an executive non-departmental public body.

PRESENT

IMPENDING (as of June 2024)

In addition, the DPA 2018 includes provisions for criminal offences related to data protection, including:

• unlawful obtaining, disclosing, or selling of personal data. It is a criminal offence to intentionally or recklessly obtain, disclose, or sell personal data without lawful authority. This offence can be punishable by a fine or imprisonment.
• re-identification of de-identified personal data. Re-identifying previously de-identified personal data without lawful authority is a criminal offence, subject to fines or imprisonment.
• alteration of personal data to prevent disclosure. Knowingly altering, defacing, blocking, erasing, or destroying personal data with the intention of preventing its disclosure is an offence under the DPA 2018.

Offences committed by a person in an organisation

The DPA 2018 introduces the concept of “offences by bodies corporate.” This means that if an offence under the DPA 2018 is committed by an organisation, such as a company, partnership, or government body, the organisation can be held criminally liable. This includes offences related to data protection principles, appointment of a data protection officer, etc. Criminal penalties in the DPA 2018 apply to processing under the LED by competent law enforcement authorities.

In relation to the EU GDPR, yes, especially as a result of the extraterritorial effect of the EU GDPR.

References to other third country data protection laws (such as the CCPA) are not typically included in contracts, unless they are directly applicable to the processing carried out as part of the services provided under the contract.

As of June 2024, there is no single body responsible for the regulation of artificial intelligence (AI) in the UK.

The AI Policy Directorate, which sits within the Department for Science, Innovation & Technology, issues papers and guidance on the UK approach to AI regulation, but is not responsible for regulation. Instead, the Government will rely on existing regulators to manage AI development and deployment within their sector, to ensure (through existing powers) that AI is used safely and ethically. The Department for Science, Innovation & Technology issued Initial Guidance for Regulators in February 2024, which mentioned several key regulators who have already issued guidance on AI, including:

• The Advertising Standards Agency, which has issued guidance confirming that existing regulation on how advertisements are made applies to advertisements using AI;
• The Competition and Markets Authority, which has issued guidance detailing how end users need to be informed of the limitations of AI foundational models to maintain an environment of healthy competition;
• The Information Commissioner’s Office, which has issued best practice guidance on data protection-compliant AI, and is engaging with the Government on further proposals for regulatory reform that will support the Government’s pro-innovation approach to AI regulation;
• The Financial Conduct Authority, which in April 2024 issued a response to the Government’s AI White Paper, outlining its strategy for promoting the safe and responsible use of AI in UK financial markets; and
• The Medicines and Healthcare products Regulatory Agency, which has published guidance on how AI systems can be used in healthcare and medical devices.

Certain other organisations in the UK are also working to develop standards and best practices for the use of AI, including the Alan Turing Institute. Such organisations may play an advisory role in future regulation of AI in the UK.

As of June 2024, there are no laws dealing directly with artificial intelligence in the UK comparable with, for example, the EU’s AI Act. Instead, the principal laws governing the deployment and use of AI are existing laws relating to issues such as data protection, equality and discrimination, intellectual property ownership and unfair competition, as well as certain sector-specific guidelines issued by existing regulators, as discussed in Question 21.

It seems likely that new laws and regulations, or modifications to existing laws and regulations, will be promulgated as the regulation of AI develops and evolves.

No. However, the Department for Science, Innovation & Technology’s recent White Papers have made extensive reference to Large Language Models (LLMs), and “Frontier AI” (which the Government defines as “highly capable general-purpose AI models that can perform a wide variety of tasks and match or exceed the capabilities present in today’s most advanced models”) was a key focus of the UK’s AI Safety Summit in November 2023. The Government has made clear that it will not place any of the principles outlined in its White Papers so far on a statutory footing, to preserve a “pro-innovation approach” to AI, however it has indicated that position could change where the current framework requires supplementing in order to address issues arising from the development of Frontier or other highly capable AI systems. The UK position may change following the July 2024 General Election.

No. Although template clauses to address AI clauses are emerging, they are not yet established. Issues or risks to consider when approaching such types of provisions include broader intellectual property licensing and ownership (including related warranty or indemnity protection), whether the AI will be consumer-facing, whether there is a sector-specific regulatory angle, and whether emerging regulatory frameworks (potentially including overseas regulation with extraterritorial application such as the EU AI Act) apply, and (where the contract relates to generative AI), what rights or prohibitions apply to the information that can be inputted to or used in conjunction with the relevant generative AI platform .

Not as standard. As in Question 24, template clauses are emerging, but are not yet established. However, where contracting for AI systems, particularly ones which create outputs which may be subject to further commercial exploitation by either party, or be shared or published externally, the rights in and ownership of any materials generated should be carefully considered in contracting for the relevant AI systems.

In principle, any person can launch a protocol, smart contract, ledger or blockchain in the UK. This is a technological endeavour which is currently completely unregulated in the UK.

When taking a broader interpretation of the question, the issue at stake is the use and application of blockchain and associated digital asset technology.

In the UK, the regulatory regime specifically covering digital assets (including tokens, cryptocurrencies, NFTs and new forms of organisational structures (e.g. Decentralised Autonomous Organisations (“DAOs”)) is different to the EU’s Markets in Crypto Assets (“MiCA”) Regulation. MiCA treats “crypto assets” as an entirely new asset-class. In contrast, the UK’s approach has been to treat some digital assets as within scope of the existing rules and others outside its perimeter. The Financial Services and Markets Act 2023 (and statutory instruments promulgated under it) will bring some digital assets within the perimeter in 2025, with others to follow later. In order to offer products and services in those assets inside the existing regulatory perimeter, a firm would need to be authorised and regulated in the usual way. The perimeter of current rules is blurred to an extent: it is possible that some firms which offer products and services outside the scope of traditional regulation still operate their business in a way which requires them to become authorised and regulated under, for example, Payment Services Regulation or the Electronic Money rules, or registered with the FCA for money laundering purposes (sometimes known as a VASP registration).

The FCA has focused its efforts on publishing information for consumers about the risks of dealing with digital assets and with unauthorised firms (e.g. those based outside the UK).

In the meantime, the Bank of England is in the final stages of launching a new “Digital FMI Sandbox”. This will permit firms which want to provide depository services for digital assets (other than unbacked spot cryptocurrencies) to do so within a ring-fenced regulatory environment. This environment will permit firms to conduct (some) business while the regulatory authorities determine what rules (a) need to be changed to permit that business to be conducted outside the Sandbox and (b) will be deemed not to apply to the firms while they are in the Sandbox. This project requires input from HM Treasury, the Bank of England, the PRA and the FCA.

A notable absentee from any current proposal is an update to the market abuse rules to cover digital assets specifically. In March 2024, the FCA announced that its strategy included amending the market abuse regime to include manipulation on and abuse of digital assets markets. This is likely to go hand-in-hand with bringing digital assets within the regulatory perimeter.

On the horizon, we can see the requirement for some brokers of crypto/digital assets to become authorised and regulated in the UK as trading venue operators. That process is something about which firms which may be affected should consider in short order, as obtaining those permissions is a lengthy process.

Currently, search engines and marketplaces in the United Kingdom are primarily governed by general laws that apply to online services and information providers. Whilst there are no specific laws dedicated to search engines and marketplaces, the following legal frameworks are relevant:

• Electronic Commerce (EC Directive) Regulations 2002 (amended through the Electronic Commerce (Amendment etc.) (EU Exit) Regulations 2019 following Brexit) (“E-Commerce Regulations”): The E-Commerce Regulations apply to virtually every commercial website, including marketplaces which are considered “information society services”. The E-Commerce Regulations impose certain obligations on marketplace operators, including the requirement to provide mandated information to users and have prescribed features and functions of the site relating to contract formation.
• Platform to Business Regulations (Retained Regulation (EU) 2019/1150 on promoting fairness and transparency for business users of online intermediation services and corporate website users of online search engines (also known as the UK Platform-to-business Regulation or UK P2B Regulation) as amended by the Online Intermediation Services for Business Users (Amendment) (EU Exit) Regulations 2020, SI 2020/796 (“P2B Regulations”): The focus of the P2B Regulations is to regulate the relationship between business users and search engines and online intermediation services (such as marketplaces) that use them to sell products or services. The P2B Regulations seek to ensure that the platforms operated by these types of intermediaries deal with their business users fairly and in a transparent manner. The rules ban certain unfair practices, such as changing online terms and conditions without cause, and mandate transparency over the ranking of search results.
• Online Safety Bill (currently on its second reading passing through the report stage of the House of Lords): The Bill will make search engines legally responsible for protecting the online safety of their users, requiring that they remove harmful or illegal content quickly or prevent it from appearing in the first place.
• Advertising Standards: Those search engines or marketplaces that display advertisements must comply with advertising standards and endure that adverts on the platform meet the regulations set by the Advertising Standards Authority, such as the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing, which is the rule book for non-broadcast advertisements, sales promotions and direct marketing communications.
• Data Protection Law: Those search engines or marketplaces that process personal data of users must comply with all applicable laws and regulations in the UK relating to privacy and the processing of personal data relating to data subjects located in the UK, including the UK General Data Protection Regulation (as defined in The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003).
• Consumer Protection Laws (including the Consumer Rights Act 2015 (“CRA”) and Consumer Protection From Unfair Trading Regulations 2008 (“CPRs”):Search engines and marketplaces must comply with the requirements set out in the CRA, including ensuring any consumer terms and notices comply with the requirements of fairness and transparency (this would include any “buyer” terms and conditions or rules that feature on a marketplace). In addition, platforms must comply with the requirements set out under the CPRs, which prohibit certain commercial practices (including the prohibition on acting contrary to the requirements of professional diligence and prohibitions on misleading actions or omissions and aggressive practices, as well as the list of practices that are in all circumstances considered unfair set out in Schedule 1 to the Consumer Protection from Unfair Trading Regulations 2008 and Schedule 18 of the Digital Markets Competition and Consumers Bill (DMCC) – which is yet to receive Royal Assent. These apply during the whole lifetime of a consumer-to-trader transaction (i.e. advertising, marketing, entry into the contract, performance and enforcement). The prohibition on acting contrary to the requirements of professional diligence requires traders to act with reasonable skill and care, commensurate with honest market practice and the general principle of good faith in their field of activity. The Government has begun a consultation to understand how both traders and consumers consider this general standard to apply across all consumer transactions on online platforms. Consumers also benefit from specific protections in areas like product safety and advertising standards, where the Government is also acting to ensure consumers are protected. For example, the UK Product Safety Review consultation (UKPSR) included proposals for ensuring online platforms take due care to identify and remove unsafe products, provide consumers with accurate information on higher risk products and cooperate with regulators. The Government intends that the practical application of the professional diligence requirements should complement area-specific obligations such as those proposed in the UKPSR.

Social media platforms in the UK are primarily governed currently by general laws that apply to online services and information providers. Whilst there are no specific laws dedicated to social media platforms, the following legal frameworks are relevant:

• The Statutory Code of Practice (“Code”): The Code for providers of online social media platforms was published in accordance with Section 103 of the Digital Economy Act 2017. The Code provides guidance for social media platforms. It sets out actions that the Government believes social media platforms should take to prevent bullying, insulting, intimidating and humiliating behaviours on their sites. The Code is directed at social media platforms, but is also relevant to any sites hosting user-generated content and comments, including review websites, gaming platforms, online marketplaces and the like. The Code does not affect how illegal or unlawful content or conduct is dealt with.
• Online Safety Bill (“Bill”): The Bill, currently on its second reading passing through the report stage of the House of Lords, will makes social media platforms legally responsible for protecting the online safety of their users, in particular minors. It will protect users by requiring social media platforms to: remove illegal content quickly or prevent it from appearing in the first place, enforce age limits and age-checking measures, and provide parents and children with clear and accessible ways to report problems online when they do arise. The Bill will also empower adult internet users with tools so that they can tailor the type of content they see and avoid potentially harmful content. Ofcom, as regulator, will have powers to take action against companies who do not follow their new duties.
• Electronic Commerce (EC Directive) Regulations 2002 (amended through the Electronic Commerce (Amendment etc.) (EU Exit) Regulations 2019 following Brexit) (“E-Commerce Regulations”): The E-Commerce Regulations apply to virtually every commercial website including social media platforms (which are considered “hosting services”, since they typically host and display user generated content). The E-Commerce Regulations impose certain obligations on social media platforms, including the requirement to provide mandated information. The E-Commerce Regulations seek to protect social media platforms from liability caused by content posted by users.
• Platform to Business Regulations (Retained Regulation (EU) 2019/1150 on promoting fairness and transparency for business users of online intermediation services and corporate website users of online search engines (also known as the UK Platform-to-business Regulation or UK P2B Regulation) as amended by the Online Intermediation Services for Business Users (Amendment) (EU Exit) Regulations 2020, SI 2020/796 (“P2B Regulations”)): The focus of the P2B Regulations is to regulate the relationship between business users and online intermediation services (e.g. marketplaces, social media platforms etc) and search engines. The P2B Regulations seek to ensure that the platforms operated by these types of intermediaries deal with their business users fairly and in a transparent manner. The rules ban certain unfair practices, such as changing online terms and conditions without cause, and mandate transparency over the ranking of search results.
• Advertising Standards: Social media platforms that display advertisements must comply with advertising standards and ensure adverts meet the regulations set by the Advertising Standards Authority, such as the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (“CAP Code”), which is the rule book for non-broadcast advertisements, sales promotions and direct marketing communications. The CAP Code covers many different types of advertising in social media, from the more traditional ‘paid-for’ ads to advertorials and affiliate marketing. The CAP Code requires that all marketing, including that on social media, is legal, decent, honest and truthful, and contains general rules and sector-specific rules that marketers must comply with. The CAP Code also requires that marketing communications are obviously identifiable as such and sets out further rules around influencer marketing.
• Data Protection Law: Social media platforms that process personal data of users must comply with all applicable laws and regulations in the UK relating to privacy and the processing of personal data relating to data subjects located in the UK, including the UK General Data Protection Regulation (as defined in The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003).
• Consumer Protection Laws (including the Consumer Rights Act 2015 (“CRA”): Social Media platforms must comply with the requirements set out in the CRA, including ensuring any consumer terms and notices comply with the requirements of fairness and transparency (this would include any platform terms of use, for example).

1. Further developments in laws and regulations governing the use of artificial intelligence.

Laws and regulations around AI are already developing rapidly in the UK and elsewhere. It is possible this trend will continue, particularly if there is a change of government following the July 2024 General Election. For example, the Labour Party has indicated it may be more amenable to additional intervention on AI compared with the incumbent Conservative administration, which has maintained a more laissez-faire “pro-innovation” approach.

It seems likely that future regulation will focus on the responsible use of highly capable generative AI and LLMs. There is likely to be further debate around the open source development of LLMs (which may run the risk of complicating or evading conventional regulatory oversight).

We are also likely to see increased international standardisation of AI regulation and standards, or the establishment of a body having international oversight, particularly as the EU’s AI Act comes into force, and/or through bodies such as the OECD, UN and initiatives such as the AI Safety Summits first initiated by the UK Government in London in 2023, and most recently hosted by South Korea.

The UK has already entered into bilateral agreements with the likes of the USA and South Korea around cooperation on AI model testing and controls, and further international agreements of this type may also feature in the UK’s approach.

2. Further developments in laws and regulations governing the “Web3” space, especially blockchain and cryptoassets.

As with AI, more regulation seems likely in the Web3 space to keep up with the rapid development of products in this area, particularly cryptoassets. Although some of the fervour around certain cryptoassets, for example NFTs, seems to have abated, Web3 and, in particular, the decentralisation of the Internet, is still an area into which a huge amount of investment is being poured, and which has significant complexity and accordant risk, making it ripe for further regulation. The UK Government (HM Treasury) set out its final proposals for a regulatory regime for cryptoassets in October 2023, confirming its intention to bring a number of crypto activities under regulatory scrutiny. The Financial Services and Markets Act 2023 (FSMA 2023), which will facilitate stablecoins and cryptoassets being brought into financial services regulation, received Royal Assent on 29 June 2023.

3. Developments in privacy law to keep pace with the greater use of technology by government bodies and law enforcement.

As government agencies and law enforcement make greater use of technology (in particular, AI, facial recognition, etc), it seems probable that there will be increased concerns around how these technologies (particularly AI) affect and potentially impinge on individuals’ privacy rights and civil liberties. This may lead to the UK Courts ruling on the legality of such use of technology by the Government and other public services as well as by corporations such as tech giants and/or social media companies.

It is increasingly common for customers to request sustainability provisions in their contracts, particularly when procuring business critical technology systems. In particular, UK Government entities, certain large UK corporates, and certain financial institutions (e.g. prominent banks) may be subject to extra regulatory scrutiny around their sustainability/net zero commitments.

Often, technology vendors’ public-facing websites have sections that outline their commitments to sustainability (sometimes as part of their ESG reporting), often containing extensive reporting data. For technology vendors with a global presence (e.g. cloud services ‘hyperscalers’), this data will usually be presented at a global operational level, so it may be difficult to glean UK-specific information from such websites without requesting further information from the vendors.

Technology vendors typically resist inserting sustainability commitments at a contractually binding level with individual customers. As an alternative, they may agree to provide more fulsome information than that contained on their public websites for review, including country-specific data and/or scorecards/reviews from external sustainability ratings agencies such as EcoVadis.

Where the customer is a public sector body, or a large corporate or financial institution, it may be more feasible to negotiate contractual level commitments around sustainability from technology vendors.