Tips from the Top: A conversation with the UK's tech regulators

The panel comprised Claudia Berg (GC at the ICO), Elizabeth Holloway (Legal Director at Ofcom), Dr Liza Lovdahl Gormsen (Senior Advisor at the FCA), and Shin-Shin Hua (Assistant Director at the CMA Digital Markets Unit) and was hosted by A&O Counsel Karishma Brahmbhatt. Throughout the session the speakers navigated a range of tech law-related issues ranging from challenges in the tech regulatory landscape to key insights on enforcement action.

What is the DRCF?

The DRCF was established in July 2020 with the aim of promoting collaboration across the four regulatory bodies and their sectors to deliver a coherent approach to digital regulation for businesses and individuals. Since its inception the DRCF has published a number of reports and joint statements, setting out the key synergies and tensions between the regulators' respective areas. The DRCF published its 2023/2024 Workplan on 3 May 2023, prioritising coherence across regulatory regimes, collaboration, in particular with the UK government on the delivery of an AI governance framework and building its capabilities knowledge and expertise via its networks.  

Key messages 

The session was held under Chatham House rules so, sadly, if you missed it, you missed out! All is not lost, though, as we have set out below a few of the key take-aways gleaned from our esteemed panel:

The evolving tech regulatory landscape poses challenges for regulators too

Against the backdrop of the complex tech landscape, each panellist cited the operationalisation of upcoming legislation as one of the key challenges faced by regulators and organisations alike, in particular:

• Online Safety Bill (OSB) for Ofcom: The panel discussed Ofcom’s preparations for its new role under the OSB. The OSB is designed to improve the online safety for users of search services and user-to-user services with links to the UK. See our blog and podcast on the OSB;
• Data Protection and Digital Information Bill (DPDI) for the ICO: The panel discussed the ICO’s careful monitoring of the progress of the DPDI. The DPDI aims to reform the UK’s data protection regime to create new efficiencies, reduce regulatory burden and encourage innovation. While the DPDI is not expected to be a radical departure from the UK GDPR, it will nonetheless impact the ICO’s relevant structure and powers and may affect the way that companies comply with UK data protection laws. See our blog on the DPDI here.
• Digital Markets, Competition and Consumers Bill (DMCC) for the CMA: The panel discussed the CMA’s engagement with the recently published draft of the DMCC, and its bid to help organisations to understand the DMCC’s requirements. Changes to the competition framework, including revised merger control thresholds, under the DMCC will impact digital and non-digital firms alike. The DMCC also gives the UK’s consumer regime more bite. See our blog on the DMCC here.

One of the aims of the DRCF regulators is to clarify these regimes in accessible ways and to be in a position to engage with stakeholders on approaches to those bills.

Yes, there can be both synergies and perceived tensions across the various regimes governing tech in the UK

The DRCF regulators are aware that there can be pinch points between the various data protection, competition, financial services and consumer protection laws. However, you only need to look at the various joint-statements issued by the DRCF – e.g. Online safety and data protection: A joint statement by Ofcom and the ICO, the Online safety and competition in digital markets: a joint statement between the CMA and Ofcom, and Competition and data protection in digital markets: a joint statement between the CMA and the ICO – to see that they are working to ease these tensions and align their respective approaches where practicable. 

Different scenarios call for different types of regulatory action

The panel agreed that regulatory measures sit on a spectrum, with a graduating response to non-compliance. For example, the ICO seeks to deter non-compliance through a range of tools, including audits and engagement to enable businesses to improve their internal compliance structures. Nevertheless, the ICO is willing to take strategic enforcement action where, for example, an organisation’s processing activities may pose a high risk to individuals, especially where personal data is processed on a large scale. The same is true for the other DRCF regulators who, while prepared to impose tough sanctions where required, are more concerned with promoting compliance and engaging with companies to help them implement best practice. A key priority for the DRCF regulators is to achieve better outcomes for individuals, and in any given scenario enforcement action may or may not be the most appropriate means to achieve that.

AI will disrupt the tech landscape

Organisations looking to exploit AI technologies should monitor the activities of the DRCF regulators in this space. All four DRCF regulators are closely following AI developments, and are playing an active role in the oversight of AI technologies; indeed, the DRCF was recently name-checked in the UK’s A pro-innovation approach to AI regulation. Each of these regulators has published guidance, papers and/or consultations on the use of AI systems, e.g. the ICO’s guidance on AI, the FCA’s discussion paper on Artificial Intelligence and Machine Learning with the Bank of England, and the CMA’s initial review of AI models.  Additionally, having published a report on the benefits and harms of algorithms, in response to the UK Government’s AI White Paper, the DRCF’s 2023/2024 workplan will see them continuing to support effective governance of algorithmic systems.

Three top tips to takeaway…

The panellists concluded the session with a few words of advice for in-house counsel: 

1. Engage with the DRCF regulators, and help them to help you: the DRCF regulators want to foster constructive and collaborative relationships with organisations, and are just as keen to understand new technologies and processes as you are. Help your regulator to understand your market, and provide them with access to technical engineers and experts where practicable. 
2. Be succinct in your submissions: when communicating or engaging with regulators, remember that short and well-considered submissions are the most effective; better to make a few good points rather than supplementing (and undermining) them with several mediocre ones. 
3. There’s only so much a DRCF regulator can do …: Regulators will give you the tools and guidance to enable you to design and enable your own compliance with laws; but only you are best placed to assess what the various laws and regulatory guidance mean for your organisation and commercial scenarios in practice!

Talking Tech Together is an A&O initiative, founded by A&O women across seven jurisdictions, to give senior women lawyers in tech a safe platform and trusted forum to share their knowledge, expertise, ideas and vision on the tech ambitions of their business. The group hosts a series of webinars and intimate roundtables throughout the year designed to enable members to broaden their network, get inspired by their peers and to use them as a sounding board.

If you wish to join our Talking Tech Together events, please contact talkingtechtogether@allenovery.com.