Subscribe to regular updates:


DPA Digital Digest: United Kingdom

A close-up of the United Kingdom’s regulatory approach to data governance, content moderation, competition and more.

Report Image

This is the fourteenth issue of the “DPA Digital Digest” series based on the Digital Policy Alert database. This series provides concise summaries of each G20 nation’s recent policy changes in data governance, content moderation, competition and further domestic focal points.


Tommaso Giardini, Nils Deeg

Date Published

06 Jul 2023

The United Kingdom (UK) is attempting to leverage post-Brexit regulatory autonomy to boost its digital economy. According to the UK Digital Strategy, the digital sector contributed approx. GBP 151 billion (approx. USD 192 million) to the economy in 2019, growing almost three times faster than the total economy. In 2021, data-driven trade generated 85 per cent of the UK’s services exports, according to government estimates. The UK’s five-point plan for digital trade sets the focus on open digital markets, free data flows, enhanced consumer safeguards, improved digital trading systems, and increased international cooperation. 

But what do the UK’s domestic digital policies stand for? The fourteenth DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and UK-specific points of emphasis.

  • In data governance, the UK is revamping data protection rules, establishing cybersecurity regimes and attempting to harness global data flows, while maintaining EU adequacy. 

  • In content moderation, the UK is deliberating laws on online safety and media content.

  • In competition policy, the UK is deliberating specific rules for digital firms with strategic market status, while rigorously enforcing unilateral conduct and merger rules.

  • The UK’s points of emphasis include artificial intelligence, minor protection, public procurement blacklisting, and the taxation of the digital economy.

Jump directly to the section that interests you most:

Discover the details of the United Kingdom's regulatory approach on our dedicated country page.

Remain up-to-date on new and upcoming developments with our free notification service

Written by Tommaso Giardini and Nils Deeg. Edited by Johannes Fritz.

Data governance

Data protection policy developments

The UK is currently debating the second version of the Data Protection and Digital Information Bill, having rejected the first draft. The Bill amends the 2018 Data Protection Act and the UK General Data Protection Regulation, which transitionally implemented the EU GDPR. The Bill aims to reduce compliance burdens, rather than impose new obligations. It introduces cookie exemptions, reduces record-keeping obligations, allows longer response times and refusals for data access requests, expands the definition of “scientific research” to include commercial purposes and removes the local representative requirement for non-UK controllers. The Bill further replaces the Information Commissioner’s Office (ICO) with an Information Commission, to which the Secretary of State can appoint statutory board members.

Cybersecurity is a stated priority for the UK, enshrined in the 2022 National Cyber Strategy and the Government Cyber Security Strategy. The UK GDPR requires data processors and controllers to implement risk-appropriate cybersecurity measures and report data breaches to the ICO within 72 hours (as well as report high-risk breaches to data subjects). Regarding electronic communications, the Office of Communications (Ofcom) requires operators of essential services to report breaches that last over 15 minutes or cause network degradation of 25 per cent. Ofcom’s code of practice, implementing the Electronic Communications Regulations 2022, imposes risk minimisation measures on public electronic communications networks. From April 2024, manufacturers and distributors of connectable products must implement cybersecurity requirements. To facilitate cybersecurity compliance, the government developed a “check your cybersecurity” tool, outlined steps in responding to cyber threats and published a voluntary cybersecurity code of practice for app developers and app store operators. Currently, the government is deliberating regulations on software cybersecurity

Data transfer/localisation developments

Currently, the UK enables data transfers through 1) adequacy decisions, granted by the Secretary of State to “essentially equivalent” regimes, 2) appropriate safeguards, such as standard data protection clauses and binding corporate rules, subject to risk assessment, or 3) specific exceptions, such as consent and contractual necessity. The UK recently reached adequacy with South Korea and issued a shortlist of priority destinations. Regarding safeguards, the ICO issued guidance on the International Data Transfer Agreement (replacing EU Standard Contractual Clauses), binding corporate rules and risk assessments. The currently deliberated Data Protection and Digital Information Bill would allow the Secretary of State to approve transfers if foreign protection is not "materially lower" than in the UK.

At the international level, the UK aims to harness global data flows, while maintaining EU adequacy. In December 2022, the UK concluded negotiations to accede to the Comprehensive and Progressive Agreement for Trans-Pacific Partnership, which demands free data flows. In addition, data flows are subject of the recent UK-US Atlantic Declaration (establishing a “data bridge”), the UK-Singapore Digital Economy Agreement and the UK-Japan Digital Partnership, as well as negotiations to modernise free trade agrements with Canada and South Korea.

Secondary legislation and enforcement developments

The ICO regularly issues privacy guidelines concerning specific technologies, such as generative AI and privacy-enhancing technologies, and specific topics, such as data access requests and data protection by default. Currently, the ICO is deliberating guidance on employee health data and monitoring, and journalism, where it is also considering a code of practice. Regarding enforcement, the ICO issued one data protection fine in 2023: TikTok was fined GBP 12.7 million (approx. USD 16.2 million) for processing the data of children under 13 years without parental consent and not adequately informing users on data collection and sharing practices. 

Content moderation

Content moderation developments

The UK is deliberating the Online Safety Bill, a comprehensive regulatory framework against harmful online content under the purview of the Office of Communications (Ofcom). The Act differentiates between user-to-user services and search services and requires providers of both to conduct content risk assessments, reduce harm from illegal content and implement complaint mechanisms. If services are “likely to be accessed by children”, additional duties regarding children’s risks assessments and online safety apply. Finally, if services exceed certain user thresholds, to be determined by the Secretary of State, additional duties apply. 

The original version required the largest platforms to remove, restrict, and limit the recommendation of “legal but harmful” content, to be specified in secondary legislation. Amendments proposed in December 2022 introduce a “triple shield”, which requires providers to 1) remove content that is illegal, 2) remove content that violates platforms’ own terms of service, and 3) provide adult users with content control functions, e.g. regarding content on self-harm and abuse. In June 2023, the Ministry of Justice announced new amendments to criminalise the sharing of intimate images without consent, including “deep fakes”. Recently, messaging providers and security researchers raised privacy and security concerns regarding requirements to technologically prevent the dissemination of child sexual abuse material.  

Audiovisual and media content is a policy priority since 2020, when the UK withdrew from the EU’s Audiovisual and Media Services Directive and video-sharing platform framework. The draft Media Bill would require “on-demand programme service providers”, such as streaming platforms, to install measures to protect their audience from harmful content through content warnings, parental controls and age verification. The Bill applies to foreign providers that target UK audiences. Ofcom, the statutory regulator of video-sharing platforms since October 2021, has published guidance on protective measures and notification requirements.

Enforcement developments

There are no public, official sources on the UK government’s online content enforcement.


Competition policy developments

Since April 2023, Parliament is deliberating the Digital Markets, Competition and Consumers Bill. The Bill introduces an ex-ante regulatory regime for companies with strategic market status in digital markets. The Competition and Markets Authority (CMA) can designate companies with substantial market power and a position of strategic significance regarding a digital activity, if their annual turnover exceeds GBP 25 billion (global) or GBP 1 billion (local) (approx. USD 31.8 / 1.3 billion). Designated firms are subjected to conduct requirements and structural remedies. 

In addition, the Bill imposes new merger rules. Designated firms must notify the intention of UK acquisitions if the transaction value exceeds GBP 25 million (approx. USD 31.8 million) and the acquired equity stake exceeds specified thresholds, e.g. 15 per cent. For all acquiring firms, mandatory merger notification is triggered by a UK share of supply exceeding 33 per cent and UK turnover exceeding GBP 350 million (approx. USD 445.2 million). In addition, the Bill grants the Competition and Markets Authority (CMA) sanctioning powers, prohibits certain unfair commercial practices, such as fake reviews, and regulates anti-competitive agreements

Enforcement developments

The CMA is equipped with a Digital Markets Unit and rigorously investigates digital markets. Regarding unilateral conduct, the CMA is investigating both Apple and Google regarding abuse of market power in their app stores. In parallel, Google is currently under investigation regarding abuse of market power in advertising technology and header bidding services. The case previously also scrutinised the Jedi Blue agreement with Meta to exclude Google’s competitors from the advertising market. In addition, Google and Amazon are under investigation for fake and misleading reviews. Amazon is also under investigation for disadvantaging third-party sellers in its marketplace. In March 2022, Amazon was designated to the Groceries Supply Code of Practice, requiring the fair treatment of suppliers. 

The CMA has recently focused on online gaming and the intersection between competition and data protection. The CMA’s investigation into Apple and Google’s “effective duopoly” over mobile browser and cloud gaming is currently under appeal, because it was initiated after the 12-month time limit since the CMA published its market report. In April 2022, the CMA concluded its investigation into console video gaming online services following amendments to the subscription auto-renewal practices of Nintendo Switch, Playstation and Xbox. In February 2022, the CMA similarly concluded an investigation into Google’s Privacy Sandbox, aiming to remove third-party cookies from the Chrome browser, following (amended) commitments. Google must include the CMA and the Information Commissioner’s Office in the development and testing of the Sandbox and can-not self-preference its advertising services, including through data sharing with its subsidiaries. In September 2023, the CMA decides on Meta’s commitments regarding the use of data obtained through digital display advertising in its Facebook Marketplace

The CMA strictly enforces merger rules in the digital economy. In April 2023, the CMA blocked the Microsoft/Activision Blizzard merger due to the substantial lessening of competition in the cloud gaming market (under appeal). Currently, the CMA is investigating the Adobe/Figma and the Broadcom/VMware mergers. Previously, the CMA blocked and ordered divestment in the Dye & Durham/TM Group merger and the Facebook/Giphy merger. The latter blocking gained prominence because Giphy had no sales in the UK and the investigation was conducted ex-post, including a record fine of GBP 50 million (approx. USD 63.6 million) for non-compliance with the initial enforcement order. In June 2023, the CMA approved Meta’s sale of Giphy to Shutterstock. Previously, the CMA raised concerns regarding the NVIDIA/Arm merger but terminated the investigation when the transaction was annulled. The CMA has also approved mergers, including Amazon/iRobot, Facebook/KustomerMicrosoft/Nuance, NortonLifeLock/Avast and Viasat/Inmarsat

Further points of emphasis

Artificial Intelligence

The UK is striving for a pro-innovation approach in regulating artificial intelligence (AI). Ensuring the right national and international governance of AI is one of three pillars of the UK AI strategy and its subsequent action plan, along with investments and support for the AI transition. In June 2023, the government announced investments of GBP 54 million (approx USD 68.7 million) into trustworthy AI research.

The government is developing guardrails for AI across policy areas. Currently, the House of Commons is deliberating a Bill on the use of AI in the workplace and the Competition and Markets Authority is reviewing competition concerns in artificial intelligence models. Previously, the Information Commissioner’s Office published several guidelines on AI data protection, including on generative AI, and analysed AI bias in recruitment. Finally, the Bank of England consulted on the regulation of AI in financial services, while the Intellectual Property Office consulted on AI’s impact on copyright and patents

Minor protection

Minor protection is central to the UK’s digital policy and spans across several policy areas. Since September 2021, the Age Appropriate Design Code (Children’s Code) applies to providers of online services that are likely to be accessed by children under 18. The Code contains 15 standards that require reduced minor data collection, privacy by default and age-verification, among others. The ICO published guidelines, including on the definition of "likely to be accessed" and compliance measures for game designers

In the context of the Online Safety Bill, the Office of Communications and the ICO have consulted on how to address children’s online risks and how to balance children’s online safety and privacy. Regarding gaming, the Department for Digital, Culture, Media & Sport concluded from a consultation that children should not have access to loot boxes in video games without parental supervision. Finally, in April 2023, the government published a White Paper on gambling law reforms to protect users from online casino games, requiring operators to ensure that minors cannot gamble online. Previously, the UK Gambling Commission fined online betting provider Betway for marketing on the children’s pages of a football club’s website.

Public procurement blacklisting

In March 2023, the government banned TikTok on government devices as a precautionary measure, citing concerns over access to sensitive information. Previously, the government banned Huawei technology from 5G networks. The ban proceeds in several phases until the end of 2027, beginning with the removal of equipment from sites significant to national security.

Legislative developments underline national (cyber-)security concerns. Amendments to the Procurement Bill, introduced in June 2023, aim to establish a National Security Unit for Procurement with powers to ban certain suppliers in sectors relevant to national security. Since January 2022, the National Security and Investment Act requires mandatory notification for foreign investments in 17 sectors, including data infrastructure and AI. Transactions without clearance are deemed void.


The UK has advanced rules on both direct and indirect taxation of the digital economy. In October 2021, the UK announced that it would repeal its Digital Service Tax (DST) in view of international negotiations on the OECD/G20 Inclusive Framework. Adopted in 2020, the DST of 2 per cent applied to revenues derived from specific "digital services activities", e.g. social media, online marketplace platforms and search engines, that were attributable to UK users. The DST targeted companies that generated revenues of GBP 500 million (global) and GPB 25 million (local) (approx. USD 636 / 31.8 million) through such services. The DST prompted an investigation by the United States (US) Trade Representative, which announced punitive tariffs. In 2021, the US reached a political agreement under which the UK withdraws the DST upon entry into force of Pillar 1 of the Inclusive Framework, while the US defers its tariffs. 

In November 2022, the government decided not to introduce an Online Sales Tax due to its elevated complexity and risks of evasion and market distortion. The government previously consulted on a tax of 1-2 per cent on online sales to decrease disparities with in-store retailers. Since January 2021, online marketplaces facilitating sales of overseas goods to UK customers are responsible for collecting value-added-tax.