Yunzhe Zhang

The UK Financial Services and Markets Bill (“FSMB”) and the accompanying explanatory notes were published on 20 July. The FSMB signals upcoming reforms to the regulatory landscape in the UK financial services sector, including issues and challenges brought about by the adoption of technologies and digital assets. Continue Reading UK Financial Services and Markets Bill – what it means to technology providers and users in the financial services sector

On 18 July 2022, the United Kingdom (UK) government set out its new proposals for regulating the use of artificial intelligence (AI) technologies while promoting innovation, boosting public trust, and protecting data. The proposals reflect a less centralised and more risk-based approach than in the EU’s draft AI Act.

The proposals coincide with the introduction to Parliament of the Data Protection and Digital Information Bill, which includes measures to use AI responsibly while reducing compliance burdens on businesses to boost the economy. Continue Reading UK government announces its proposals for regulating AI

The UK HM Treasury recently published its proposal for regulating critical third parties (“CTP”) to the finance sector, which was followed by the UK financial regulators’ joint Discussion Paper.

Why regulating CTPs is necessary
Regulating CTPs to the financial sector is by no means a new concept. The EU’s Digital Operational Resilience Act (“DORA”), which looks to regulate critical Information Communication Technologies (“ICT”) service providers to the financial sector, has been provisionally agreed. Continue Reading UK announces plan to regulate critical third parties to the financial sector

On 28 April 2022, the UK Digital Regulation Cooperation Forum (DRCF) published two discussion papers on the benefits and harms of algorithms and on the landscape of algorithmic auditing and the role of regulators, respectively.

About DRCF

The DRCF brings together four UK regulators (the Competition and Markets Authority, Ofcom, the Information Commissioner’s Office and the Financial Conduct Authority) to support regulatory cooperation in digital markets. Continue Reading UK regulators publish two discussion papers on algorithmic systems

On 4 May 2022, the Department for Digital, Culture, Media and Sport (DCMS) launched a consultation (available here) to request views from the tech industry on potential interventions to enhance security and privacy requirements for firms running app stores and developers making apps. Continue Reading Department for Digital, Culture, Media and Sport launches consultation on app security

Following the recent adoption of a new draft EU cybersecurity directive (we wrote about it here), the UK government has now also launched a consultation on its proposal to reform the existing UK cybersecurity legislation (see consultation here).

A recap of the current UK cybersecurity law: NIS Regulations

One of the key pieces of cybersecurity legislation in the UK is the Network and Information Systems Regulations 2018 (NIS Regulations), which implemented the EU Cybersecurity Directive 2016 prior to Brexit.

Under the NIS Regulations, businesses that provide certain essential services (referred to as operators of essential services, or OES) and relevant digital service providers (RDSP) are required to register with the relevant competent authorities; meet a baseline level of cybersecurity requirements; and report any incident which has a significant impact on the continuity of the essential services. Continue Reading Cybersecurity 2.0: the UK follows suit with the EU in launching cybersecurity law reform

Following a consultation in January 2021, the European Data Protection Board (EDPB) has published its finalised guidelines on examples of personal data breaches and whether they are notifiable. These guidelines supplement previous guidance on personal data breach notification: the Opinion on Personal Data Breach Notification (Opinion 03/2014) and the general Guidelines on Personal Data Breach Notification under the GDPR (WP 250), both issued by the EDPB’s predecessor, the Article 29 Working Party.

The new guidelines offer welcome clarification on when notifications are required given that some data protection authorities and commentators have acknowledged over-reporting.

In this article we recap on the key takeaways from the finalised guidelines, focussing on key changes made since the January 2021 consultation, and exploring the challenges of managing data breach notifications in multiple jurisdictions. Continue Reading New guidelines on personal data breach notifications

On 18 October 2021, the European Commission (the Commission) launched a public consultation on adapting the civil liability rules for the digital age, with a specific focus on challenges arising from the adoption of artificial intelligence (AI).

The consultation builds on the Commission’s inception impact assessment roadmap (IIA) on this topic and is part of the Commission’s wider effort to modernise EU regulations for the digital age.

Why the civil liabilities rules need to change

While Product Liability Directive 85/374/EEC (Directive) sets out rules aimed at ensuring that injured parties are compensated for damage caused by defective products, the Commission has previously noted in a report in 2018 and the IIA that the Directive is no longer fit for the digital age. Challenges include:

  • Whether and how intangible digital elements such as software can be classified as products
  • The lack of clarity on who should be liable for defects after products are put into circulation
  • Significant obstacles for injured parties to obtain compensation, especially given the difficulties in establishing causal links where the behaviours of AI systems are partially or wholly opaque

Continue Reading Civil liability rules in the digital age: EC launches consultation