Recent developments and future prospects
Trends and developments
Have there been any notable recent trends or developments concerning the conduct of online and digital business (both business to business and business to consumer) in your jurisdiction, including any regulatory changes or case law?
The most recent trend in the digital economy has been the rise of cryptocurrency and initial coin offerings. The volatile – and for some, lucrative – fluctuations in the price of bitcoin have brought cryptocurrency onto centre stage in the United Kingdom. While digital currencies remain unregulated, there is currently a treasury committee and separate Financial Conduct Authority inquiry into distributed ledger technology that may result in significant regulatory changes.
What are the future prospects for digital business in your jurisdiction, including any proposed or potential regulatory reforms and future technological/market developments?
The future for digital business in the United Kingdom is bright. The UK government's positive attitude towards digital business is indicative of the importance the digital economy will have in the future UK economy.
While there are no major digital business-specific examples of UK legislation on the horizon, the imminent arrival of the EU General Data Protection Regulation (2016/679) will have significant implications for digital businesses in respect of how they handle personal data.
The spectre of Brexit continues to loom large over the UK economy. The terms of the deal reached between the United Kingdom and the European Union will have a substantial impact on all UK businesses, including digital ones.
What primary and secondary legislation governs the conduct of digital business in your jurisdiction?
There are multiple examples of primary and secondary legislation that specifically regulates digital businesses in the United Kingdom. There is also primary and secondary legislation that applies generally to all businesses, including digital businesses. Much of the digital business-centric legislation in effect in the United Kingdom emanates from the European Union. The continuing effect of these EU laws after Brexit remains undecided and the situation should be monitored by anyone seeking to conduct digital business in the United Kingdom.
The most significant primary legislation governing the conduct of digital business in the United Kingdom is:
- the Data Protection Act 1998, which sets out the data protection principles with which organisations, businesses or governments making use of personal information must comply; and
- the Consumer Rights Act 2015, which introduced new laws on the supply of digital content.
The following items of secondary legislation are more specific to digital business:
- The Electronic Commerce (EC Directive) Regulations 2002 were created to harmonise and clarify the rules relating to digital business throughout the European Union. They also impose a raft of new obligations on the maintainers of commercial websites;
- The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 introduced rules for commercial websites that relate to the cancellation of digital downloads and pre-ticked boxes, among other things;
- The Consumer Protection From Unfair Trading Regulations 2008 were introduced to prevent consumers from suffering unfair, misleading or aggressive selling practices;
- The Provision of Services Regulations 2009 set out the rules that prevent unjustifiable discrimination between EEA residents; and
- The Privacy and Electronic Communications (EC Directive) Regulations 2003 give individuals specific privacy rights regarding electronic communications and are also relevant to direct marketing and cookies.
The General Data Protection Regulation (2016/679) became effective in the United Kingdom on May 25 2018. This regulation:
- brings new rights to individuals;
- extends the scope of responsibilities for data controllers and processors; and
- enhances the regime for enforcement to include fines of up to 4% of an organisation's worldwide annual turnover.
Which authorities regulate the conduct of digital business and what is the extent of their powers?
There is no designated regulator specifically governing the conduct of digital business in the United Kingdom.
Parliament has the ultimate power to pass legislation. The Department for Business, Energy and Industrial Strategy is the government ministry with more specific oversight of the conduct of business. However, the secretary of state for digital, culture, media and sport has ministerial oversight of the UK technology sector.
The Advertising Standards Agency is the UK advertising regulator and certain aspects of digital business therefore fall within its remit.
Government policy and regulatory approach
How would you describe the government’s policy and regulatory approach to digital business?
The government's attitude towards digital business is positive. Digital took pride of place in the chancellor's last budget and the government has taken positive steps to establish a clear digital business-specific strategy.
The government's UK Digital Strategy, published on March 1 2017, sets out the government's aims in respect of making Britain into "a world-leading digital economy". The digital strategy is formed of the following seven strands:
- building world-class digital infrastructure for the United Kingdom;
- giving everyone access to the digital skills they need;
- making the United Kingdom the best place to start and grow a digital business;
- helping every UK business become a digital business;
- making the United Kingdom the safest place in the world to live and work online;
- maintaining the UK government as a world leader in serving its citizens online; and
- unlocking the power of data in the UK economy and improving public confidence in its use.
Establishing digital businesses
What regulatory and procedural requirements govern the establishment of digital businesses in your jurisdiction? To what extent do these requirements and procedures differ from those governing the establishment of brick-and-mortar businesses?
There are distinct commercial and practical factors to consider when establishing a digital business, but there are no regulatory or procedural requirements specific to the establishment of a digital business in the United Kingdom. Anyone who wishes to establish a digital business need only comply with the general requirements for establishing a business in the United Kingdom.
If the digital business wishes to deal in online and distance selling then it must comply with the primary and secondary legislation that governs this type of transaction.
Electronic contracts and signatures
Electronic contract availability
Are electronic contracts legally valid in your jurisdiction? If so, what rules and restrictions govern their formation (including any mandatory or prohibited provisions and contract formats)?
Electronic contracts are legally valid in the United Kingdom, provided that they comply with the usual rules as to the formation of contracts.
In order for a valid contract to exist under English and Welsh law, the essential elements of a contract must exist. These elements are:
- agreement (ie, offer and acceptance);
- intention to create legal relations;
- consideration; and
- certainty of terms.
When forming a contract electronically, special attention should be paid to the agreement and certainty of terms elements of the contract.
To avoid an electronic contract being unenforceable by virtue of a lack of a valid agreement, it is often stipulated within a digital business's terms and conditions that an offer is made by the customer to the trader upon the submission of an order. It is also frequently stipulated that the trader is deemed to have accepted that offer at a specific moment (eg, the delivery of a confirmation email).
In order to form a contract, the offer must be complete (ie, it must contain all of the information intended to form part of the contract). This requirement can present difficulties in relation to the incorporation of terms into an electronic contract. Digital businesses have developed various techniques to manage this risk, including:
- including an ‘I accept’ button close to a link to the terms and conditions;
- requiring the customer to scroll down the entire terms and conditions before being able to click the ‘I accept’ button. This is known as a ‘click-wrap’ contract;
- notifying users of software that they will be bound by certain terms and conditions without the requirement of a positive action to be taken by the customer. This is known as a ‘browse-wrap’ contract. However, there are doubts as to whether browse-wrap contracts are enforceable, due to lack of positive acceptance by the consumer; and
- packaging a physical item in such a manner that includes the terms and conditions and forces the customer to open such terms and conditions during the opening of the packaging. This is known as a ‘shrink-wrap’ contract.
The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 set out further requirements for traders:
- The trader must provide consumers with certain prescribed information listed in Schedule 2 of the regulations. This includes, among other things:
  - the main characteristics of the goods and services;
  - the identity of the trader; and
  - the total price of the goods or services, inclusive of taxes;
- If the consumer must press a button to make an order, the trader must ensure that the button is labelled in an easily legible manner with the words "order with obligation to pay" or a corresponding unambiguous formulation indicating that placing the order entails an obligation to pay the trader (Regulation 14); and
- The trader must give the consumer confirmation of the contract on a durable medium. This confirmation must be provided within a reasonable time after the conclusion of the contract – in any event, not later than the delivery of the goods or before the start of the services (Regulation 16).
Are there any limitations or restrictions on transactions that can be concluded through electronic contracts?
English law takes a relaxed approach to electronic contracts. There is no requirement as to form in respect of simple contracts and it is the Law Society's opinion that the statutory requirement for a contract to be ‘in writing’ is satisfied by an electronic contract, including deeds and guarantees.
However, there is still some uncertainty around documents that are under a statutory obligation to be created by deed. Her Majesty’s Land Registry issued guidance on February 8 2017 in which it said that it will not accept an e-document with an e-signature as a dispositionary deed for registration unless the document complies with the Land Registration Act 2002 and the Land Registration (Electronic Conveyancing) Rules 2008. It is therefore advisable to check that the statutory requirements in respect of any document are met before attempting to execute via an electronic contract.
Do any data retention requirements apply to electronic contracts?
Regulation 9(1) of the Electronic Commerce (EC Directive) Regulations 2002 provides that where a contract is to be concluded by electronic means, the trader must provide to the customer:
- the different technical steps to follow to conclude the contract;
- confirmation of whether the concluded contract will be filed by the service provider and whether it will be accessible;
- the technical means for identifying and correcting input errors prior to the placing of the order; and
- the languages offered for the conclusion of the contract.
Businesses should retain data only so long as is necessary.
Are any special remedies available for the breach of electronic contracts?
Generally, the remedies available for breach of an electronic contract are the same as those available for any other type of contract.
However, there may be specific consequences of breaching certain regulations – for example, under Regulation 15 of the Electronic Commerce (EC Directive) Regulations 2002, if the trader fails to give the consumer the means of allowing him or her to identify and correct errors then the consumer is entitled to rescind the contract.
Are electronic signatures legally valid in your jurisdiction? If so, what rules and restrictions govern their use?
Yes, electronic signatures are legally valid in the United Kingdom.
The eIDAS Regulation (910/2014) establishes an EU-wide legal framework for electronic signatures. The purpose of the eIDAS Regulation is to remove some of the variances between different member state laws regarding the effectiveness of electronic signatures across the European Union. It achieves this aim by setting a minimum standard for a ‘qualified electronic signature’ and then giving it equivalent effect to a handwritten signature. Nevertheless, Recital 49 of the eIDAS Regulation stipulates that, except for the qualified electronic signature, it is for national law to define the legal effects of electronic signatures.
The effect of Recital 49 of the eIDAS Regulation is that jurisdictions with a progressive approach to electronic signatures (eg, the United Kingdom) benefit less from the new rules, as it is within their gift to give types of electronic signatures with less stringent criteria than the qualified electronic signature the same legal effect as a handwritten signature. As such, the qualified electronic signature has not been widely used in the United Kingdom.
The Electronic Communications Act 2000 provides a legal framework for the admissibility of electronic signatures in the United Kingdom. Section 7(1) of the Electronic Communications Act provides that in any legal proceedings an electronic signature incorporated into or logically associated with a particular electronic communication or electronic data – and the certification by any person of such signature – is admissible as evidence in relation to any question as to the authenticity or integrity of the communication or data.
While the Electronic Communications Act addresses the admissibility of electronic signatures, it does not expressly deal with the validity of the same. In this regard, a Law Society note provides helpful guidance on the validity of electronic signatures in the United Kingdom. In the Law Society's opinion the following documents, among others, can be executed by electronic signature:
- simple contracts, by virtue of the absence of any statutory or common law requirement as to form;
- documents that are required by statute to be in writing, signed or under hand; and
- deeds, which can be validly signed and witnessed.
However, there remains some uncertainty around certain documents that are under a statutory obligation to be created by deed. For example, Her Majesty’s Land Registry issued guidance on February 8 2017 that responded to the Law Society's practice note on electronic signatures. In this guidance, Her Majesty’s Land Registry posits that it will not accept an e-document with an e-signature as a dispositionary deed for registration unless it complies with the Land Registration Act 2002 and the Land Registration (Electronic Conveyancing) Rules 2008. It is advisable to check the statutory requirements in respect of any document before attempting to execute via an electronic contract.
Electronic payment systems
Are there any rules, restrictions or other relevant considerations regarding the use of electronic payment systems in your jurisdiction?
The use of electronic payments in the United Kingdom is generally accepted. However, this area is heavily regulated and specific advice should be sought by any trader wishing to implement a system of electronic payments.
Are there any rules or restrictions on the use of virtual currencies (eg, Bitcoin)?
Virtual currencies are currently unregulated in the United Kingdom.
On September 12 2017 the Financial Conduct Authority (FCA) issued a consumer warning about the risks of Initial Coin Offerings (ICOs), describing them as "very high risk, speculative investments". In this consumer warning, the FCA explained that many ICOs will fall outside of "the regulated space" and that the FCA would consider ICOs on a case-by-case basis. The FCA warned that some ICOs may involve regulated investments and firms involved in an ICO may be conducting regulated activities.
On February 22 2018 the Treasury Committee launched an inquiry into digital currency and distributed ledger technology. This, coupled with wider concern about the potential for cryptocurrencies to contribute to increased market volatility and their potential for cybercrime and money-laundering, suggests that a regulatory regime may not be far away.
Data protection and cybersecurity
Collection, use and storage
What rules, restrictions and procedures govern the collection, use and storage of personal data in the course of digital business in your jurisdiction?
The Data Protection Act 1998 is the UK statute that implements the EU Data Protection Directive (95/46/EC). The Data Protection Act established a substantial data protection regime that imposed significant obligations on the collectors of personal data and conferred rights on the individuals about whom data is collected.
However, on May 25 2018 the EU General Data Protection Regulation (2016/679) replaced the EU Data Protection Directive (95/46/EC). The General Data Protection Regulation brings new legal rights for individuals, extends the scope of responsibilities for data controllers and processors and enhances the regime for enforcement to include the risk of fines of up to 4% of an organisation's worldwide annual turnover.
The United Kingdom is scheduled to leave the European Union on March 29 2019. This gave rise to uncertainty regarding the United Kingdom's data protection regime post-Brexit, but the UK government has endeavoured to clarify the position. In her speech on June 21 2017, the queen confirmed the UK government's intention to introduce a new data protection bill in order to "ensure that the United Kingdom retains its world-class regime protecting personal data". It is important that the United Kingdom's post-Brexit data protection regime harmonises with that of the European Union so that personal data may continue to be freely transferred between the United Kingdom and European Union post-Brexit. This is by virtue of the broad territorial application of the General Data Protection Regulation.
The new Data Protection Bill was published on September 14 2017 and is currently working its way through Parliament. The key features of the bill include:
- the widening of the definition of ‘personal data’ in comparison to the definition in the Data Protection Act 1998;
- easier methodology for individuals to access their personal data held by organisations and for these individuals to withdraw their consent to the use of their personal data; and
- heightened pecuniary penalties for those in breach of its provisions. The maximum fine shall be the greater of £17 million or 4% of global turnover.
International data transfers
What rules and restrictions apply to the cross-border transfer of personal data collected in the course of digital business?
Under the current regime (ie, the regime governed by the Data Protection Act), transfers of data to other jurisdictions within the European Economic Area can be made without any extra restrictions. However, the position is different when the data transfer is to a country outside of the European Economic Area.
The eighth principle of the Data Protection Act provides that personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
However, on May 25 2018 the EU General Data Protection Regulation came into force in the United Kingdom and the Data Protection Act will be replaced by the new Data Protection Bill that is making its way through the legislature.
Under the General Data Protection Regulation, personal data may only be transferred outside of the European Union in compliance with the conditions for transfer set out in Chapter V of the regulation. The two main situations in which it is permissible for personal data to be transferred outside of the European Union are:
- transfers on the basis of an adequacy decision (ie, where the European Commission has decided that a third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection). Such a transfer shall not require any specific authorisation; and
- transfers subject to appropriate safeguards. That is, if the European Commission has not made a relevant adequacy decision, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
The appropriate safeguards are set out in Article 46(2) of the General Data Protection Regulation.
What rights are afforded to consumers in relation to their personal data?
There are no special data protection rights afforded to consumers in the United Kingdom. The main rights afforded to individuals generally under the General Data Protection Regulation are:
- the right to be informed – individuals have the right to be informed about the collection and use of their personal data;
- the right of access – individuals have the right to access their personal data and supplementary information. This right allows individuals to be aware of and verify the lawfulness of the processing;
- the right to rectification – individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete;
- the right to erasure – individuals have the right to have personal data erased;
- the right to restrict processing – individuals have the right to request the restriction or suppression of their personal data;
- the right to data portability – individuals have the right to obtain and reuse their personal data for their own purposes across different services; and
- the right to object – individuals have the right to object to:
  - processing based on legitimate interests or the performance of a task in the public interest/exercise of an official authority;
  - direct marketing; and
  - processing for the purposes of scientific or historical research and statistics.
Regulation 6 of the Privacy and Electronic Communications Regulations sets out the basic rules in relation to cookies. These are that the user of the terminal equipment onto which the cookie is intended to be placed:
- must be provided with clear and comprehensive information about the purposes of the storage of or access to that information; and
- is given the opportunity to refuse the storage of or access to that information.
What rules and standards govern digital operators’ response to data breaches? Are they subject to any notification requirements in the event of a data breach? What precautionary measures should be taken to avoid data breaches?
The General Data Protection Regulation came into force in the United Kingdom on May 25 2018. The regulation obliges all organisations to report certain types of personal data breach to the relevant supervisory authority. Organisations must do this within 72 hours of becoming aware of the breach, where feasible. If the breach has a high risk of adversely affecting individuals’ rights and freedoms, the organisation must also inform those individuals without undue delay. A record of any personal data breaches must be kept, regardless of whether there is a corresponding requirement to notify.
Effective data protection policies and practices should be developed with the advice of qualified professional advisers in order to avoid data breaches.
What cybersecurity regulations and/or standards apply to the conduct of digital business?
There are cybersecurity laws at both national and EU level that apply in the United Kingdom.
The relevant statutes relating to cybersecurity are:
- the Communications Act 2003, which implemented Article 13 of the EU Framework Directive (2002/21/EC) into UK law. It states, among other things, that public electronic communications network providers and public electronic communications service providers must take technical and organisational measures appropriately to manage risks to the security of both, including to prevent or minimise the impact of security incidents on end users and on the interconnection of public electronic communications networks;
- the Privacy and Electronic Communications (EC Directive) Regulations 2003, which implement the EU e-Privacy Directive (2002/58/EC) into UK law. The regulations oblige traders to take appropriate technical and organisational measures to safeguard the security of their services;
- the Data Protection Act 1998, which indirectly imposes cybersecurity obligations on businesses that collect or process personal data. The seventh principle of the Data Protection Act requires data controllers to take "appropriate technical and organisational measures… against unauthorised or unlawful processing and against accidental loss or destruction of or damage to personal data"; and
- the Computer Misuse Act 1990, which establishes various cybercrime offences, including:
  - unauthorised access to computer material; and
  - unauthorised access to computer material with intent to commit or facilitate commission of further offences.
Ofcom and the Information Commissioner’s Office are responsible for the enforcement of cybersecurity obligations in the United Kingdom.
Is cybersecurity insurance available and commonly purchased?
Cybersecurity insurance is available in the United Kingdom.
The policy paper “2010 to 2015 government policy: cyber security” states:
Cyber insurance is an increasingly widely available product that can provide cover for a variety of themes. However, not all risks can be insured against, and businesses must take steps to prevent cyber breaches. Insurers can help guide and incentivise improvements in cyber security practice, including asking whether a Cyber Essentials badge is held during the cyber insurance application process.
Are there regulations or restrictions on the use of encryption?
English law does not prohibit the use of encryption.
Principle 7 in Part 1 of the Data Protection Act 1998 states: "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." While the Data Protection Act does not expressly refer to the use of encryption, it is a common "technical or organisational measure" deployed by those processing personal data to protect that data.
Going forward, the EU General Data Protection Regulation (2016/679) expressly references the use of encryption:
In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.
Under the Regulation of Investigatory Powers Act 2000, the authorities are empowered to force the disclosure of encryption keys.
What rules and procedures govern the authorities’ interception of communications and access to consumer data?
Interceptions of communications may be authorised by the secretary of state under Section 5(1) of the Regulation of Investigatory Powers Act 2000.
The secretary of state may issue such a warrant only when he or she believes that, among other things, it is in the interests of national security or for the purposes of preventing or detecting serious crime.
The Investigatory Powers Act 2006, which is not yet in force, reforms the way in which intelligence agencies and law enforcement bodies conduct interception of communications.
The Investigatory Powers Act's main changes include:
- introducing a requirement for judicial commissioners to approve warrants and notices issued by the secretary of state;
- expanding the secretary of state's powers to compel telecoms operators to install permanent interception capabilities; and
- widening the remit of the regime to include private as well as public telecoms operators.
The act, known as the ‘snoopers' charter’, has been the subject of much controversy due to the significant expansion of the government's power to collect communications data in bulk.
Advertising and marketing
What rules govern digital advertising and marketing in your jurisdiction?
The specific regulations governing online marketing are:
- the UK Code of Non-Broadcast Advertising, Sales Promotion and Direct Marketing, which governs advertising and marketing contained in all non-broadcast media; and
- the Electronic Commerce (EC Directive) Regulations 2002 (SI 2002/2013) – in particular, the information requirements.
Are there any specific regulations governing the use of targeted advertising?
Appendix 3 to the UK Code of Non-Broadcast Advertising, Sales Promotion and Direct Marketing sets out the rules relating to the collection and use of web-viewing behaviour in relation to online behavioural advertising.
Principally, advertisers must be transparent in the ads they serve, as well as on their own websites, and consumers must be given an opt-out mechanism.
Are there any restrictions or limitations on goods and services that can be advertised, marketed and sold online?
Industry-specific regulation exists in certain key areas (eg, alcohol, tobacco and pharmaceuticals), which may restrict the content of an ad.
This area is heavily dependent on the type of goods or services that is proposed to be advertised, marketed or sold online; as such, specific legal advice should be sought.
What rules and restrictions govern the sending of spam messages?
The sending of marketing emails is within the remit of the Privacy and Electronic Communications Regulations 2003. The Privacy and Electronic Communications Regulations provide that organisations may send marketing emails only to individuals who have agreed to receive them, except where there is a clearly defined customer relationship.
The Information Commissioner's Office (ICO) is responsible for enforcing the rules on spam messages. The most common way in which businesses fall foul of these rules is to send spam messages to someone without their consent. The ICO can impose hefty fines on businesses that fail to comply with the rules in relation to spam messages.
The ICO has issued helpful guidance for firms engaged in direct marketing.
Digital content and IP issues
Are websites and any other digital content required to display certain legal notices or other information in your jurisdiction?
There is no general requirement for UK websites to have any legal notices. However, there are certain topics in respect of which it is advisable that a website include legal statements, including:
- privacy policies;
- IP protection;
- terms and conditions of use;
- disclaimers; and
- complaints procedures.
Liability for content
What rules govern liability for online or other digital content that is defamatory or infringes another party’s IP rights?
A digital business trader should:
- comply with all relevant consumer protection rules to prevent intervention by a government body; and
- avoid infringing a third party's IP rights so as to avoid any liability. There is no special liability regime in respect of IP rights breached by digital businesses.
A victim of defamation may be able to rely on the rights contained within the Defamation Acts of 1952 and 1996 to defend themselves.
There are also certain categories of content that carry with them serious criminal law liability, such as certain types of obscene material and racially inflammatory material.
How can liability be excluded or limited?
Liability for online content is assessed in the normal way. There are no special legal tools available to limit liability for online content for digital businesses. In practical terms, there are various means by which a digital business can exclude liability, including disclaimers and contractual provisions within terms of business.
Which parties can be held liable for defamatory or infringing content? Can contingent liability be extended to internet service providers (ISPs)?
Section 10 of the Defamation Act 2003 provides that the English and Welsh courts do not have jurisdiction to hear and determine an action for defamation brought against a person who was not the author, editor or publisher of the statement, except where the court is satisfied that it is not reasonably practicable for an action to be brought against the author, editor or publisher.
However, Section 5 of the Defamation Act provides a defence for website operators against whom a claim for defamation is brought in respect of a statement posted on their website. Section 5(2) stipulates that "it is a defence for the operator to show that it was not the operator who posted the statement on the website". However, this defence can be defeated if the claimant can show that:
- it was not possible for the claimant to identify the person that posted the statement;
- the claimant gave the operator a notice of complaint in relation to the statement; and
- the operator failed to respond to the notice of complaint in accordance with any provision contained in regulations.
This defence will be defeated if the claimant demonstrates that the operator of the website has acted with malice in respect of the statement’s posting.
This defence will not be defeated merely because the operator of the website moderates the statements posted on it by others.
Regulation 19 of the Electronic Commerce (EC Directive) Regulations 2002 stipulates that an information society service provider (eg, a website operator) will not be liable for any content provided by a third party if:
- the website operator:
  - does not have actual knowledge of the unlawful activity or information; or
  - on obtaining knowledge of unlawful information, acts expeditiously to remove or disable access to it; and
- the third party that provided the content was not acting under the authority or control of the website operator.
What rules and procedures govern content takedowns? Can ISPs remove defamatory or infringing content without permission?
The ability of an ISP to initiate a takedown of infringing materials from websites that utilise its service will be governed by the relevant contractual agreements. The vast majority of ISPs will reserve the right to remove infringing content without the consent of the content owner (eg, the website operator).
This contractual right is also intended to enable the ISP to rely on the hosting defence contained in Regulation 19 of the Electronic Commerce (EC Directive) Regulations 2002.
The High Court is empowered by Section 97A of the Copyright, Designs and Patents Act 1988 to grant an injunction against a service provider where that service provider has actual knowledge of another person using its service to infringe copyright.
What rules, restrictions and procedures govern the licensing of domain names?
The general principles of contract law apply to the licensing of domain names in the United Kingdom. No domain name-specific regulations are currently in force in the United Kingdom.
If the domain name is a registered trademark, the Trademarks Act 1994 provides that a licence is not effective unless it is in writing and signed by or on behalf of the grantor.
How are domain name disputes resolved in your jurisdiction?
Since January 1 2000, the Uniform Domain Name Dispute Resolution Policy has been the mandatory domain name-related dispute resolution system to be followed by all Internet Corporation for Assigned Names and Numbers-accredited registrars and the main generic top-level domains.
What special measures and safeguards should rights holders consider in protecting their online/digital content?
A broad range of measures are available to digital business owners that wish to protect their online or digital content. These include:
- the use of copyright to protect any original work (eg, blog posts or articles). UK copyright law is set out in the Copyright, Designs and Patents Act 1988;
- the use of registered trademarks to protect the brand (eg, name, straplines and logos); and
- the use of watermarks to help distinguish any unique pictorial content produced.
The measures that a digital business should take largely depend on the nature of the business.
How are online sales taxed?
Online sales fall within the scope of value added tax (VAT). In the United Kingdom, VAT is generally charged on supplies of goods and services in the United Kingdom at a rate of 20% of the consideration for the supply, although supplies of certain goods and services may be:
- charged at a reduced rate of 5%;
- charged at a rate of 0% (ie, exempt but with a right to recover VAT on costs); or
- exempt (ie, with no right to VAT recovery).
The applicability of UK VAT largely depends on where the supply is deemed to take place:
- The place of supply for goods depends on the physical location of the goods. For example, if goods are located in – and dispatched to a customer in – the United Kingdom, the place of supply will be the United Kingdom;
- In relation to cross-border supplies of business-to-business services, the place of supply of the services is generally the place where the customer belongs, and VAT is accounted for by the customer. Where the services are "used and enjoyed" by a business customer in a third jurisdiction, the place of supply may be treated as being in that jurisdiction; and
- In relation to business-to-consumer services, the place of supply of the services is generally the place where the supplier belongs. However, since January 1 2015 the place of supply of ‘electronically supplied services’ is the place where the consumer belongs. The supplier must register for VAT in each EU member state where it has customers or register in one member state for the VAT Mini One Stop Shop, which is a simplified way of accounting for VAT across the European Union.
Electronically supplied services are services which are electronically provided over the Internet or a similar network and involve minimal or no human intervention. They include:
- website supply, web hosting and distance maintenance of programmes and equipment;
- the supply and updating of software;
- the supply of images, text and information and the making available of databases;
- the supply of music, films and games (including games of chance and gambling games);
- the supply of political, cultural, artistic, sporting, scientific and entertainment broadcasts (including broadcasts of events); and
- the supply of distance teaching.
Specific rules applying to online marketplaces and auction websites can make the providers of these sites liable for unpaid VAT and non-compliance with other VAT obligations of online sellers who use them.
What other tax liabilities arise in respect of the conduct of digital business in your jurisdiction?
The UK corporation tax system generally applies to the conduct of digital business in the same way as to other businesses.
However, taxation of the digital economy is a topic which is very much at the forefront of the tax policy agenda, including in the United Kingdom, the European Union and the Organisation for Economic Cooperation and Development. Proposals include:
- introducing a definition of a ‘digital permanent establishment’, allowing businesses to be taxed in jurisdictions where user participation creates value for the business in question; and
- introducing an interim tax on the revenue of a digital business deriving significant value from UK user participation.
The UK tax authority has proposed an extension of withholding tax on royalty payments (including by non-UK companies) to connected parties in low-tax jurisdictions, where the relevant intellectual property is exploited to make UK sales. Under the proposal, UK withholding tax would apply even where the payer is not resident in the United Kingdom and does not have a UK taxable presence. This measure is targeted primarily at digital businesses making sales into the United Kingdom. The UK tax authority is also currently consulting on the role of online platforms to ensure tax compliance by their users.
Jurisdiction, governing law and dispute resolution
Jurisdiction and governing law
How do the courts determine jurisdiction and governing law in relation to online/digital transactions and disputes?
There is no substantive difference in this regard between online or digital contracts and other contracts. In the absence of a binding jurisdiction clause, the courts will seek to determine the jurisdiction.
Are there any specialist courts in your jurisdiction which deal with online/digital issues and disputes?
Alternative dispute resolution
What alternative dispute resolution (ADR) methods are available for online/digital disputes? How common is ADR for online/digital disputes in your jurisdiction?
Any form of ADR is potentially available for online disputes, and ADR as a whole is widely used in the United Kingdom. Mediation in particular is being pushed by the court system, since it must be actively considered.