The regulation of data and digital services in the TMT space is a rapidly evolving area with a host of moving parts. Key pieces of regulation include the Digital Services Act (DSA) and Digital Markets Act (DMA) in the EU, while the UK is finalising a Data Protection and Digital Information Bill (a post-Brexit overhaul of data protection rules) as well as an Online Safety Bill. With so much happening simultaneously, it is challenging for businesses to ensure they’re positioning themselves to comply and thrive.
It was very timely therefore to discuss the latest developments and what they mean for the sector in our latest TMT webinar. I was delighted to be joined by Alastair Masson, Head of Telco at Quantexa (a decision intelligence software company), Isabel Simpson from KPMG Law, and Henry Smith from KPMG’s economics consulting practice.
What’s happening, when?
Where should TMT businesses start when assessing all this change? Perhaps the first thing is timings – most of the EU’s DSA and DMA obligations are due to come into effect next year, so the clock is ticking. Some rules will come into effect even earlier, from this summer for Big Tech players. Online platforms with customers in the EU have already had to declare how many active monthly users they have, with the most stringent requirements due to apply to the biggest players.
The UK’s DPDI Bill, meanwhile, is in the closing stages of finalisation (although there is still time to comment on the proposals) – and we may see it published in the summer. The Online Safety Bill is also far advanced as it works its way through the legislative process.
So what implications do all these unfolding requirements have? And should UK-based TMT businesses be focusing on the EU or UK legislation?
EU and UK – similarities and differences
The answer to that question is, inevitably… both. The EU legislation is extra-territorial and will apply to all businesses that have customers or sell digital services and products into the region – meaning that most UK TMT businesses of any size or reach will be affected.
As far as the scope of the pieces of regulation goes, the DMA is mainly focused on competition issues (thereby being of significant relevance to the Big Tech firms), while the DSA is more orientated around consumer protection. This makes it perhaps more relevant to a wider number of businesses.
As Isabel Simpson summarised it: “The DSA governs how online platforms advertise, moderate content and use algorithms. As well as consumer protection and online content regulation, it is also focused on the prevention of illegal content and the illegal trade of goods.”
The UK’s pending legislation is broadly aligned with the EU’s regulations – but there are some differences. The Online Safety Bill, for example, focuses not only on illegal content but also on content that is harmful, especially for children. It will therefore introduce stricter requirements around age verification. This can be a challenging area, of course, as it can be difficult to truly verify who is on the end of someone’s digital ID – we could see a greater onus falling on Big Tech here. There is still an open question on whether directors will be criminally liable for any aspects of non-compliance.
Business model impacts
Clearly, these regulations are going to have a significant impact. We’re already seeing some changes to business models as a result. For example, in relation to the DSA, Henry Smith observed that: “It calls advertising-funded models into question. We’ve seen some major players like Meta and Twitter introducing subscription-based services as a result (outside the UK for now).”
More operationally, gearing up for compliance involves workstreams on many levels – around data collection processes, controls, governance, documentation, and even target operating models.
Knowing your customer and the key importance of data
A crucial aspect running through this is also the necessity of KYBC (know your business customer). The regulations make it essential to know the real-world entities, whether businesses or individuals, that you are dealing with or who are doing business via your networks. This means compiling an accurate registry, and also taking account of international embargoes and sanctions.
As Alastair Masson described it: “There is an emphasis not just on banned services but also banned places. This means that companies will need to ensure they are safeguarding the source of services or products that come into the EU or UK’s digital infrastructure. Businesses therefore need to see beyond their immediate supplier, all the way through to the ultimate beneficial owner.”
Really knowing your supplier base is a complex task that relies on having effective analytical models and tools. Leading players are making use of AI-based algorithms that can automate the process. These can also bring down the number of false positives, reducing the amount of time spent on follow-up investigation.
Another key point here is that so much of compliance with the new regulations will depend on having data. But the fact is that many businesses struggle to obtain the data quality they need. This means two things. Firstly, as Alastair Masson put it, companies have to “accept the inevitability of poor data”. Don’t let this stop you in your tracks. You simply have to learn how to create workarounds and do as much as you can with what you’ve got. But secondly, it’s this issue that makes it really important to bring in (buy) third-party data where needed to supplement and fill in the gaps.