Home | Legal Tech | Projects | Writings

Outline of the Digital Economy Act 2017

or how I learned to stop worrying and love guidance

Notes

These are the notes for a presentation at an event for the Scottish Society of Computers and Law, at Brodies LLP, Edinburgh on 20.06.2019. I present them here in their raw form, so there may be typos, errors, and variations from what was actually presented at the event itself.

Intro

Good evening everyone, my name is Craig McIntyre, and I'm a legal counsel at Skyscanner. Thanks etc…

The content of my talk this evening doesn't terribly overlap with my day to day work - which might be comment enough itself given we very much consider ourselves to be a 'digital economy' company. Consequently, I must emphasise that the views expressed may be amateurish and are certainly not purported to be the views of my employer, at least to my knowledge.

So why give a presentation on this at all, then? Well, basically it sounded very relevant so I read it and found it to be weird, wonderful and enlightening on the legal, political and dare I say jurisprudential issues of today. That said, in our busy lives, I find it difficult to recommend that you take time to read this particular piece of law out of all the others that are undoubtedly competing for your attention. This presentation will be a whistle-stop tour of the Act to hopefully either save you the trouble (after all you can always dig deeper into any topics that interest you), but also because I think the overall aims and subject matter of the Act are of interest in themselves - I really think there's something for everyone here.

The Digital Economy Act, 2017, unsurprisingly follows a similar vein to its 2010 namesake. Some of the areas are the same, like we see new measures in combating online copyright infringement. However, the 2010 Act much more recognisably handled matters pertaining to the digital economy. In addition to revisiting some of the areas covered in the 2010 Act, one of the other clear aims is to sweep up some of the policies and amendments that needed to be picked up somewhere. Some in fewer words, and some in labyrinthine trails of amendments, but it seems like mainly by updating existing and mandating new codes and guidance for regulators in the digital space who are afforded much discretion under the Act. We have now reached a point where most of the act is in force or pending, which is why there's been a recent flurry in media coverage of the changes precipitated by the act such as BBC license fee changes and access to online pornography.

Disclaimer!

As you'll see, this is a long and varied piece of legislation. I am not an expert on any of these areas, but I hope you'll find this to be an interesting tour!

Aims of the Act

Here are the stated goals of the Act, from its own explanatory notes:

"The Act aims to enable access to fast digital communication services for citizens and businesses, to enable investment in digital communications infrastructure, to shape the emerging digital world for the benefit of children, consumers and businesses, and to support the digital transformation of government, enabling the delivery of better public services, world leading research and better statistics."

Lofty goals indeed. If anyone here isn't a child or a consumer, then this might not be the talk for you.

Well, the proof of the pudding is in the eating, so let's have a look at the menu.

Overview of the Act

Although I remain to be convinced about this 'shotgun' approach to legislation, overall the Act has a clear structure and today we will be paying a flying visit to each of the Parts presented.

Part 1 - Access to Digital Services

The first few sections of the act deal with broadband speeds, easy switching and auto compensation. Good, clean, consumer-minded.

Part 2 - Digital Infrastructure

The main accomplishment of part 2 is renewing the Electronic Communications Code, but it also tweaks timings around warrants and penalty notices under the Wireless Telegraphy Act.

Part 3 - Online Pornography

Sex sells, so if there's one part of this act which you've probably heard of it's the access restrictions and new definitions relating to online and extreme pornography.

These have been subject to some recent developments, so even if you did read the articles which came out there should be something new to titillate you.

Part 4 - Intellectual Property

Moving swiftly on to the topic of intellectual property, there's some nice changes on ebooks. Which really lulls you in to a false sense of security before hitting you with the updated criminal penalties relating to copyright infringement that we'll discuss later.

Part 5- Digital Government

Part 5 gives in my view fairly ambiguous bases for sharing data in the delivery of public services, especially utilities providers. Then again for fraud prevention, research, and Revenue Authorities.

Part 6 - Miscellaneous

This final part, part 6, is the real gem of the Act in my view, and gives an insight into the issues considered a priority by Government and lawmakers. It comes in the form of a number of mainly unrelated and free-standing items, which together make interesting bedfellows.

But all that is to be revealed, as we start at the beginning with Part 1, Access to Digital Services.

Access to Digital Services

Access to digital services was a key part of the Conservative's "digital manifesto", and these provisions give consumers basic rights in relation to online connectivity.

Broadband speeds and easy switching

The first of these is the right to demand baseline broadband speeds. The previous scheme, a non-statutory 2mbps download speed, is now ditched in favour of a statutory 10mbps minimum through an amendment to the Communications Act 2003. What this essentially means is you have a right to demand a connection of at least 10mbps, though if the installation cost is over a few thousand pounds you may have to assist with the payment). The House of Lords did cause a bit of fuss at one point, favouring 30mbps, but compromise was reached. At the moment, the average broadband speed in the UK is about 40mbps, but in rural areas alone this is obviously much lower at under 20mbps. At home in the 'burbs, I'm advertised at 300. You can see then why there was a political debate between 10 and 30, with 10 representing guaranteed base levels, while 30 represented a significant push for rural areas, and as a result significant potential costs to providers.

Auto-compensation

Auto-compensation in the energy sector is implemented via a set of SLAs which apply to energy distribution companies, namely OFGEM's Quality of Service Guaranteed Standards. This section empowers OFCOM to operate an similar system for communications equipment, with the intention of bringing it on to par with other essential utilities.

The new scheme was rolled out in April, and will result in an automatic credit on your bill within 30 days where the SLAs on the slide here are missed. A provider can put a cap on the compensation, and after 30 days of an automatic payment occuring they can serve a cease notice for a further 30 day period. Then they have a go of taking reasonable steps to provide a suitable alternative service, failing which you are entitled to compensation again.

Initial complaints for non-payment are through the provider, but can ultimately be escalated to the OFCOM approved ADR service more fully described in the OFCOM guidance.

Digital Infrastructure

Updating the rules around digital infrastructure is a key element of the Act's stated aims. Again, the purpose as legislators saw it was to bring the communications infrastructure rules into line with those for other essential utilities such as water and electric.

Electronic Communications Code

The Electronic Communications Code is concerned with regulating the relationships between landowners (they don't make it any more) and network operators. It grants network operators rights to install and maintain physical equipment like antennae and cables. As you can imagine, this can be a fraught relationship at times.

Updates to the code were considered long overdue, with the previous code dating from the 80s. The new code can be found in the schedules and puts requirements on arrangements between landowners/occupiers and operators, meaning they must be in writing and state the duration and any notice period. This prevents operators latching on to long term rights to access without full disclosure of the term and implications for the landowner. OFCOM have published standard terms for this relationship but these are not mandatory.

The general consensus is that operators get most of the goodies - such as an automatic unconditional right to assign the agreement (but which can be subject to undertakings to require the first new operator to respect the terms). They also get certain rights to share access to apparatus and carry out works to facilitate that. Perhaps most significantly, the method of land valuation is to be changed to 'no scheme' - rights valued on the benefit to the landowner rather than the ongoing value to the operator.

Again, without going in to too much detail it also formalises the termination and dispute resolution process.

Dynamic Spectrum Access

An interesting piece here, which paves the way for proper OFCOM registration of (and registration fees for) Dynamic Spectrum Access technology providers. DSA is a set of advanced networking techniques combined with newer approaches to machine learning and pure processing power, used to manage radio networks in real time to allow simultaneous shared use. The hope is this can be continually better applied to automatically filter noises, detect or accurately guess the optimum channels, and generally optimise networking primarily by using gaps in the spectrum that are currently reserved for licensed or specific uses. This could promote new forms of commercial agreements between networks, prompt opening up of bands to secondary users, and support the 5g network by allowing lots of small nodes to communicate across a wide potential UHF spectrum. With the radio spectrum under huge demand, any ability to make more efficient, coordinated use is progress.

Online pornography

Online pornography, and I am assured it does exist, is to be restricted from access by under 18s. The act prohibits making pornographic material available on the internet on a commercial basis unless, at any given time, the material is not normally accessible by persons under the age of 18. And new powers have been issued to a new regulator, who turned out to be the extremely hesitant BBFC, who must have thought that Lars von Trier was about as bad as things could possibly get.

Let's dive in, definition first.

Definition of Pornography

As elucidated in the full description in the explanatory notes:

Section 15: Meaning of “pornographic material” This section defines ‘pornographic material’.

It's a fairly lengthy definition in the Act itself, but I think it can be summed up best by reference to perhaps the most widely drafted criteria:

Essentially the definitions rely on the 18, R18 (sex shop only) and uncertifiable classifications from the BBFC, which give some insight in to why they are considered the regulator of choice.

In addition, a definition is provided for "extreme pornographic material". This has an interesting definition, being material produced principally for arousal "which is extreme". So make sure you do your flies up next time you go ski-jumping. In addition, existing obscenity definitions are imported and applied.

Access restrictions and Guidance

Now that we know what under 18s should not be allowed to normally access, let's take a look at how those restrictions are to operate in practice. Implementation has already been delayed, bear in mind this is the first such measure introduced anywhere in the world, but are now slated for release on 15th July note - further delays announced today, ~6months?. Thereafter there will be a grace period prior to enforcement. The maximum penalties are quite severe, at 250k or 5% turnover , but are not intended to be introduced for a time. These are enforceable against pornographic services providers and 'ancillary service providers' such as ISPs.

Guidance has been submitted by the BBFC to the Secretary of State, along with draft regulations, but these are fairly unsatisfactory as they are lacking in detail on the practical/technical implementation.

The BBFC guidance does deal with its approach to enforcement, essentially it will seek a amicable resolution of non-compliance before penal action which is the general approach of UK regulators. Notably though, the Regulations exclude sites where less than 30% of the content is pornographic, which excludes action by sites like Twitter, Facebook and Reddit.

Sadly, as I say technical details are a bit lacking, though methods relating to submitting credit card, passports, and driving licenses are proposed, as well as mobile phone verification (anyone remember the TalkTalk breach?). There is a clear acceptance on as yet undefined solutions provided by third parties. They seem to be open to a range of measures as yet undetermined, but we are assured that no more data will be collected than necessary.

New Powers

There are new powers granted to the regulator, such as financial penalties. Two of these are worth digging in to a little more.

The section 18 power to to request information necessary to enforce the provisions of the Digital Economy Act against pornography services, and also ISPs. This caused some concerns around the requirements that the regulator might have for maintaining an audit trail. This would be a very attractive data pool for bad actors, like we saw in the Ashley Madison breach. In the guidance however, the BBFC state that in the interests of data minimisation the age-verification arrangements themselves will not require publishers to maintain data for these purposes by default. Regardless, the UN has expressed concerns about the lack of safeguards, particularly when we are mindful of the data sharing powers we will cover later in the talk.

The ultimate power though is the ability to power to require ISPs to block access to materials. To hand this power of to the BBFC is a huge step in the regulation of the internet and the jurisdictional questions that raises, but for better or worse, but the BBFC does seem to consider it a remedy of last resort, and takes pains to assure that compliance is "case-by-case" and that all enforcement action will cease upon their becoming compliant. Beyond that, it makes provisions in the guidance that they will inform any ISP when a pornographic service becomes compliant.

Intellectual Property

The provisions relating to intellectual property make interesting neighbours. There are four provisions, 3 for copyright and one for registered designs.

eBooks and Libraries

This is a straightforward and pleasant change which reads e-books and e-audio-books in to the Public Lending Right Act 1979 and lending infringement exception under CDPA 88. I expect a bump in the readership for 50 Shades of Gray, but this is a nice step forward for accessibility.

Designs

The Registered Designs Act 1949 was updated to allow rights holders to protect their work from the innocent infringement defence by adding a link to a web-page as an alternative to the number of the design. In fairness to the robustness of the original Act, that was a tough development to predict back then.

Retransmission by Cable

The exception to copyright infringement for broadcasts retransmitted by cable was explicitly repealed, after being considered contrary to EU law by the CJEU in ITV v TVCatchup. This means that streaming public service broadcasting channels without a license is officially maybe copyright infringement. This complicates matters for cable providers like Virgin who prior to this could retransmit qualifying channels like ITV for free, and the explanatory notes to the Act suggest that was the intention of the repeal, though I believe a decision is yet to be made on that as the latest I'm aware of is OFCOM stating that it was open to fees but might rather shift things about in the back-room so that the net 0 fee position is retained.

In a further complication, a later decision in AKM v Zurs.net, seemed to soften the blow of ITV v TVCatchup or at least distinguished it, based on a sort of implied license / consent since the broadcaster retransmitted by the same technical means (cable) to a subset of the audience that the rightsholder had permitted to broadcast to in the first place, so there was no 'new audience' to retransmit to.

New penalties

For me, this provision makes quite a profound legal statement.

The penalty for online copyright infringement, communicating a work to the public, and infringement of the making available right are increased from two years, which already feels significant, to ten years.

Mens rea is that the offender must intend to make a financial gain for himself or others, or know or have reason to believe that his actions will cause loss to the owner of the right or expose the owner to a risk of loss. This also redefines the actus reus of the offence around 'gain' and 'loss' in monetary terms rather than having a 'prejudicial effect' which is a change from the 2010 version. Of course, what will be considered a financial gain or loss is yet to be seen.

Digital Government

Whether you like it or not, digital government requires data sharing. This is a large part of the Act, and permit the disclosure of information within and connected to the public sector, for specified purposes.

Data sharing

The most general powers and the only ones I think are now fully in force are sections 35-39 and are for sharing information, read personal data, by and between public authorities and public service providers. These were brought in to law by statutory instrument in 2018 with Digital Government (Disclosure of Information) Regulations. They operate by specifying persons, people like the Secretary of State for Justice, the Home Department, HMRC, councils, the proprietors of schools, and the chief of police for areas in England and Wales, to share information for specified objectives. Specified objectives are defined any objective specified by the appropriate authority. These are not specified in the Act, but by secondary legislation. Sadly, the provisions do not address any definitions of data sharing, or establish any platform, processes or guidance to regulate it, which some critics feel entrenches rather than relieves transparency issues which are arguably of higher public concern. OFCOM have stepped up and updated their data sharing guidance for ad-hoc and systematic sharing, but by their own admission it is 'inevitably written in general terms'.

One key point that I missed out is the final catch-all category for 'specified persons' - any person providing services to a public authority in connection with a specified objective. So, in a sense, the security of from meshing the two specified lists together is eroded somewhat. Taken at the widest, the data sharing can be boiled down to:

'A person providing services to a public authority may share information for objectives specified by a national authority.'

However, that is a little unfair since those objectives must meet one of the following criteria:

The second of those criteria, 'well being' is further defined:

Looking at the Regulations, we see the examples of these objectives:

Of these, multiple disadvantage is the least obvious in intent, and allows data sharing to and for the purposes of identifying households suffering two or more social disadvantages, including, non-exhaustively, anti-social behaviour, domestic violence and criminal offending, having a disability, ill-health, and unemployment. There is also an exception to those specified persons that allows personal information received for a different specified purpose to be shared for the purposes of detection of crime, anti-social behaviour, criminal investigations, avoiding serious harm and for the purposes of criminal and civil legal proceedings. Thinking back to those specified persons I think it can certainly be said that even if these powers are necessary, they are well open to abuse and must be minded carefully.

Just to touch on a couple of remaining powers which are more 'specific' in a sort of way - these include powers to share personal data to tackle debt to the public sector, prohibiting onward data sharing from information shared by HMRC under one of the general provisions, to tackle fraud against the public sector, and for research and statistical purposes.

Misc provisions

Finally, we are on to the last part of the Act. This section is the real hallmark of the act, and covers a wide range of areas and powers that just needed to be picked up somewhere.

Accessibility on Demand

This amends the 2003 Communications Act, to allow the Secretary of State to create regulations, to impose requirements on providers of on-demand programme services for the purpose of ensuring that their services are accessible to people with disabilities affecting their sight or hearing or both. Things like mandatory closed captions, audio description and sign-language.

It looks like OFCOM have chipped in, and we are now just awaiting the regulations, and in turn OFCOM will update their code. Here's what they had to say:

'We’ve recommended that the new rules for providers of video-on-demand services should be similar to those already in place for traditional broadcasters. This means providers would need to offer subtitling on at least 80% of their programmes, audio description on 10% and signing on 5% within four years of the rules coming into force. There will be some exemptions based on affordability, audience benefit, and technical difficulty.'

TV License Fee

Section 89 of the Act covers Concessions to the TV License fee based on Age.

It simply amends the Communications Act 2003, giving the power to the BBC to specify the terms of any age-based concessions. This is handy, because the Government announced that by 2020 the BBC is to cover the cost of the License Fee concessions.

Ultimately, the rules were changed after consulting with the public (of whom 52% were "in favour of reforming or abolishing free licenses"). You might say 'reforming or abolishing' is quite a wide group to claim a particular mandate, but I think we can agree that 52% is an overwhelming majority that demands swift action. As you may have seen in the news, they abolished the blanket concession for over 75s, but maintain eligibility where a member of the household receives pension credit.

As I understand these rules can be changed without new legislation, expect further changes in the coming years.

Phone Billing Limits

Any new or renewing mobile phone customer as of October last year should have been offered a billing cap.

I've not renewed myself.

That's all there is to this really. The law is enforced by OFCOM who, naturally, have produced guidance for the phone companies.

Drug dealing restrictions

More changes in the criminal law now, with updates to the Serious Crime Act 2015 to allow courts to order restriction of use of communication devices used for drug dealing. A change which I now expect has Michael Gove in cold sweats. I'm not familiar with the criminal practice behind this, but at least one of the criteria feels quite broad given the essential nature of communications devices like mobile phones today.

It allows orders to restrict use of communication devices used in connection with a drug dealing offence if used in the course of:

'Drug offence' encapsulates Misuse of Drugs and Psychoactive Substances Acts.

Social Media

This section obligates the Secretary of State to issue a "code of practice" for social media platforms, setting out amongst other things guidance for handling online behaviour which involves bullying or insulting an individual, or other behaviour likely to intimidate or humiliate the individual. Explicitly, the guide should not deal with how unlawful conduct is handled.

The code was published and updated in April, and the summary pretty much covers exactly what the legislation mandates. It provides guidance for social media platforms, in advance of the new regulatory framework envisaged in the Online Harms White Paper. It sets out actions that the Government believes social media platforms should take to prevent bullying, insulting, intimidating and humiliating behaviours on their sites.

While the Code is directed at social media platforms, it is also relevant to any sites hosting user-generated content and comments, including review websites, gaming platforms, online marketplaces and the like. It is extremely short, at about a page and a half with pictures, which in the main are examples of complying with the new 'Key Principles for Online Safety for All'. These are:

Problem solved?

Well, be careful what you wish for. As I mentioned, the code itself is just a precursor to a new 'regulatory framework' envisaged in the Online Harms White Paper. The white paper reads like the person who wrote it was genuinely fearful for their life every time they opened internet explorer. Rival gangs, terrorists, disinformation, people getting addicted to digital services, live-streaming pedophiles, undermining civil discourse - the white paper pulls no punches and barely makes a distinction between the approaches for addressing these various harms. The words "horrific" and "horrifying" appear 4 or 5 times in the code, and one specific (albeit surely worthy) case they single out is online abuse of public figures. They make extremely confident assertions that online harms are a major contributor to rising knife crime and homicide rates. The concern is here that, online harms do surely exist and as asserted in the white paper there is evidence these disproportionately affect minorities and women, but presenting the approach to tackling these behaviours in such combative terms might not be the best way to build consensus around the way forward on this vital issue given the questions of free speech that are involved. This is not the topic of my presentation tonight, but unlike the digital economy act, if you haven't already I would seriously encourage you to make the time to read this white paper.

Direct Marketing Code

Now on to something that did pique my professional interest - section 96 introduces the direct marketing code, which amended the DPA 1998 but appears to have been carried over in to the 2018 Act.

Again, the Act is facilitating rather than directing rhe regulator. In essence it instructs the Information Commissioner to prepare guidance for direct marketing considering the Privacy and Electronic Communications Regulations and the Data Protection Act. This is subject to consultation, which was performed in Dec 2018 in the form of a relatively short questionnaire and now we wait to see what they come up with.

Note new PECD a way off.

This code will be of real interest to businesses, including my own. We are keen to see how firm or clear an approach the ICO take given the present hope for an adequacy decision post-Brexit, and in particular their views on direct marketing as it applies to cookies, tracking technologies and personalised ads. We're also always wishing for more examples of what constitutes negotiations for sale, particularly in the online marketplace context, for the purposes of the soft-opt in.

Ticket Touting

The original proposal for this was rejected at the Committee stage, but an amendnment was slipped in as section 106 which empowers the Secretary of State to make regulations concerning the new offence of ticket touting via the use "bots". Draft regulations were published in 2018, and passed as an SI shortly thereafter, which make it a criminal offence to overpurchase, for financial gain, where software is used to enable that. In Scotland the penalty is up to a £50,000 fine.

What is of note here is not only the quiet transfer of this kind of business practice from a civil to a criminal matter, (I'm not sure why it doesn't qualify as fraud anyway - maybe you can't deceive a machine) but the fact that it's such a limited offence - addressing only tickets for 'recreational, sporting or cultural events' and not to purchases of other goods 'where purchased with a view to obtaining financial gain'.

I finish on this provision to leave you with what I think is an interesting question - this section is making a criminal offence of efficient, albeit unfair and immoral, purely digital online practices, in order to protect an offline industry which presents itself by commercial necessity on the online marketplace. It pays no mind to the wider question of utilising bots or scrapers in violation of terms, for good or ill purposes. Like many of the provisions in the Act it is a sniper rifle aimed at a specific contemporary issue. My concern is that I'm not sure the approach makes for a satisfying body of law based on principles, in an area which is sure to develop as other unsavoury behaviours come into the public eye.

I leave you with this question - does this approach reflect our crisis of confidence in our ability to find new solutions for new digital problems, or is it proof of the assertion that the distinction between the digital and offline economy is increasingly irrelevant?

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.