Database

Browse Database

UNITED KINGDOM

N/A

Pillar Online sales and transactions  |  Sub-pillar Adoption of United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures
Lack of adoption of UNCITRAL Model Law on Electronic Signatures
The UK has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.
Coverage Horizontal

UNITED KINGDOM

Since November 2016, entry into force in December 2016, last amended in 2018

Pillar Domestic data policies  |  Sub-pillar Minimum period for data retention
Investigatory Powers Act 2016
Section 4 of the Investigatory Powers Act 2016 gives the UK police, security services, and other public bodies the power to require telecommunications companies to retain communications data for any citizen. Retention notices cannot require data to be retained for more than 12 months, and these notices can only be issued under specific circumstances relating to national security and serious crime.
Coverage Telecommunications and postal operators

UNITED KINGDOM

Since May 2018, entry into force in January 2021

Pillar Domestic data policies  |  Sub-pillar Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Data Protection Act 2018
The UK Data Protection Act 2018 requires that the appointment of a data protection officer (DPO) is mandatory if the organisation is a public authority; the organisation’s core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale, and/or the organisation’s core activities consist of large-scale processing of special categories of data (sensitive data such as personal information on health, religion, race or sexual orientation) and/or personal data relating to criminal convictions and offences. Similarly, data protection impact assessments are required in situations where processing is likely to result in a high risk to individuals.
Coverage Horizontal

UNITED KINGDOM

Since November 2016, entry into force in December 2016, last amended in 2018
Since October 2018

Pillar Domestic data policies  |  Sub-pillar Requirement to allow the government to access personal data collected
Investigatory Powers Act 2016

Data Retention and Acquisitions Regulations 2018
The Investigatory Powers Act 2016 gives the UK government, including the police, security services, and other public bodies, the power to intercept targeted or bulk communications as well as collect bulk communications data. The Data Retention and Acquisitions Regulations 2018 amended certain pieces of the 2016 Act, raising the threshold for data interception or collection to apply to serious crimes. However, a court order is not necessary in all cases for public bodies to intercept communications data.
Coverage Horizontal

UNITED KINGDOM

Since August 2002

Pillar Intermediary liability  |  Sub-pillar Safe harbour for intermediaries for copyright infringement
Electronic Commerce Regulations 2002
The Electronic Commerce Regulations 2002, which transposed the EU's e-Commerce Directive into UK Law, provides the legal basis governing internet service provider (ISP) liability, including a conditional safe harbour. The Directive covers any type of infringement of third-party rights, including intellectual and industrial property rights and personality rights.
The limitations on liability in the Regulations apply to clearly delimited activities (mere conduit, caching and hosting) carried out by internet intermediaries rather than to categories of service providers or types of information. The eCommerce Regulations implement the eCommerce Directive into the UK law in an almost mirrored manner with one potentially noteworthy difference in the language. While the EU Directive uses the expression “should not be liable” (in relation to intermediaries), the Regulations expand this phrase into protection from liability “for damages or for any other pecuniary remedy or for any criminal sanction”. As a result, various forms of injunctive relief are excluded from the implemented provision.While the EU e-Commerce Directive is no longer applied to the UK, the latest government guidance states that "the government is committed to upholding the liability protections now that the transition period has ended. For companies that host user-generated content on their online services, there will continue to be a ‘notice and takedown’ regime where the platform must remove illegal content that they become aware of or risk incurring liability."
Coverage Internet intermediaries

UNITED KINGDOM

Since August 2002

Pillar Intermediary liability  |  Sub-pillar Safe harbour for intermediaries for any activity other than copyright infringement
Electronic Commerce Regulations 2002
The Electronic Commerce Regulations 2002, which transposed the EU's e-Commerce Directive into UK Law, provides the legal basis governing internet service provider (ISP) liability, including a conditional safe harbour. The Directive covers any type of infringement of third-party rights, including intellectual and industrial property rights and personality rights.
The limitations on liability in the Regulations apply to clearly delimited activities (mere conduit, caching and hosting) carried out by internet intermediaries rather than to categories of service providers or types of information. The eCommerce Regulations implement the eCommerce Directive into the UK law in an almost mirrored manner with one potentially noteworthy difference in the language. While the EU Directive uses the expression “should not be liable” (in relation to intermediaries), the Regulations expand this phrase into protection from liability “for damages or for any other pecuniary remedy or for any criminal sanction”. As a result, various forms of injunctive relief are excluded from the implemented provision.While the EU e-Commerce Directive is no longer applied to the UK, the latest government guidance states that "the government is committed to upholding the liability protections now that the transition period has ended. For companies that host user-generated content on their online services, there will continue to be a ‘notice and takedown’ regime where the platform must remove illegal content that they become aware of or risk incurring liability."
Coverage Internet intermediaries

UNITED KINGDOM

Reported in 2022, last reported in 2024

Pillar Content access  |  Sub-pillar Blocking or filtering of commercial web content
Blocking of Sputnik and RT
Reports indicate that the Russian state media outlets Sputnik and RT began to exhibit signs of being blocked in the United Kingdom around March 2022, shortly after Russia launched its full-scale invasion of Ukraine. By the end of 2023, these sites continued to display indications of being blocked within the UK. Furthermore, in March 2022, the government formally requested that social media platforms, including Facebook, X, and TikTok, restrict access to content from these outlets in the UK. Later that same month, the Office of Communications (Ofcom) revoked RT's broadcasting licence.
Coverage Sputnik and RT

UNITED KINGDOM

Since November 2021

Pillar Quantitative trade restrictions for ICT goods and online services  |  Sub-pillar Import ban applied on ICT goods or online services
Telecommunications Security Act 2021
In July 2020, the UK announced a ban on new purchases of equipment from Chinese telecommunications company Huawei as well as a requirement for operators to remove any Huawei components from their 5G networks by 2027. The ban was subsequently added to the Telecommunications Security Act 2021, giving it legal enforceability from November 2021.
Coverage Huawei

UNITED KINGDOM

Since April 1997

Pillar Telecom infrastructure & competition  |  Sub-pillar Signature of the World Trade Organization (WTO) Telecom Reference Paper
WTO Telecom Reference Paper
The United Kingdom has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.
Coverage Telecommunications sector

UNITED KINGDOM

N/A

Pillar Telecom infrastructure & competition  |  Sub-pillar Presence of an independent telecom authority
Lack of an independent telecom authority
The United Kingdom has a telecommunications authority: The Office of Communications (Ofcom). However, it is reported that the decision making process of this entity is not fully independent from the government.
Coverage Telecommunications sector

UNITED KINGDOM

Since November 2006

Pillar Cross-border data policies  |  Sub-pillar Local storage requirement
Companies Act 2006
According to Section 388 of the Companies Act 2006, if accounting records are kept at a place outside the United Kingdom, accounts and returns must be sent to and kept at a place in the United Kingdom and must at all times be open to such inspection. In addition, records must be sent back to the UK at intervals of not more than six months.
Coverage Horizontal

UNITED KINGDOM

Since April 2016, entry into force in May 2018
Since May 2018, entry into force in January 2021

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation)

Data Protection Act 2018
Under Art. 44 of the United Kingdom General Data Protection Regulation (UK GDPR), it is required that any international data transfer of personal data to a third country or international organisation should only take place under certain conditions and/or with certain safeguards in place. These are further set out in Arts. 45 to 49 of the UK GDPR.
The 2018 Data Protection Act allows personal data to flow from the UK to third countries on the basis of an adequacy decision, appropriate safeguards (such as standard data protection clauses and binding corporate rules), or other conditions specified under the Data Protection Act. The UK has granted adequacy to countries within the European Economic Area, countries covered by European Commission adequacy decisions (as of 31 December 2020), and South Korea.
Coverage Horizontal

UNITED KINGDOM

Since December 2020, entry into force in April 2021
Since February 2019, entry into force in January 2021
Since December 2021, entry into force in May 2023
Since February 2022, entry into force in May 2023
Since February 2022 , entry into force in June 2022

Pillar Cross-border data policies  |  Sub-pillar Participation in trade agreements committing to open cross-border data flows
Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the One Part, and the United Kingdom of Great Britain and Northern Ireland, of the Other Part

Agreement between the United Kingdom of Great Britain and Northern Ireland and Japan for a Comprehensive Economic Partnership

Australia-United Kingdom Free Trade Agreement

Free Trade Agreement between the United Kingdom of Great Britain and Northern Ireland and New Zealand

Digital Economy Agreement between the United Kingdom of Great Britain and Northern Ireland and the Republic of Singapore

Free Trade Agreement between Iceland, the Principality of Liechtenstein and the Kingdom of Norway and the United Kingdom of Great Britain and Northern Ireland
The United Kingdom has joined several agreements with binding commitments to open transfers of data across borders, including the Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the One Part, and the United Kingdom of Great Britain and Northern Ireland, of the Other Part (Art. 201), the Agreement between the United Kingdom of Great Britain and Northern Ireland and Japan for a Comprehensive Economic Partnership (Art. 8.84), the Australia-United Kingdom Free Trade Agreement (Art. 14.10), the Free Trade Agreement between the United Kingdom of Great Britain and Northern Ireland and New Zealand (Art. 15.14), the Digital Economy Agreement between the United Kingdom of Great Britain and Northern Ireland and the Republic of Singapore (Art. 8.61-F), and the Free Trade Agreement between Iceland, the Principality of Liechtenstein and the Kingdom of Norway and the United Kingdom of Great Britain and Northern Ireland (Art. 4.11).
Coverage Horizontal
Sources

UNITED KINGDOM

Since May 2018, entry into force in January 2021

Pillar Domestic data policies  |  Sub-pillar Framework for data protection
Data Protection Act 2018
The Data Protection Act 2018 (DPA 2018), which replaced the Data Protection Act 1998, incorporates the UK General Data Protection Regulation (GDPR), which strictly governs the processing and sharing of personal data. The UK GDPR came into force on January 1, 2021, following the UK's official departure from the EU. In the UK, a child can consent to the transfer of data at the age of 13, whereas this age of consent is 16 in the EU. There are further differences regarding how personal data is defined (the UK has a more limited definition), how criminal data is processed, how data subject rights are handled, and how administrative fines are handled.
Coverage Horizontal

UNITED KINGDOM

Since November 2006

Pillar Foreign Direct Investment (FDI) in sectors relevant to digital trade  |  Sub-pillar Maximum foreign equity share
Companies Act 2006
There are no restrictions on maximum foreign equity share for investors in digital trade sectors in the UK. While in practice, it may be difficult for foreign investors to buy large equity shares in state-controlled companies in the UK, there are no formal rules on maximum foreign equity shares.
Coverage Horizontal

Report issue     Report new measure