UK regulators outline roadmap for cooperation in the regulation of digital and online services in 2021/2022

United Kingdom

On 10 March 2021, the Digital Regulation Cooperation Forum (DRCF) published its first annual plan of work for 2021/2022 for cooperation, coordination and a coherent regulatory approach to digital and online services (available here). This policy paper is the first insight into the strategic work and priorities of the DRCF since its formation by the UK Information Commissioner’s Office (ICO), the Office of Communications (Ofcom) and the Competition and Markets Authority (CMA) on 1 July 2020 following the CMA’s recommendations in its Online Platforms and Digital Advertising Market Study (covered previously in our Law-Now here).

Along with publishing the workplan, the DRCF announced that the Financial Conduct Authority (FCA) will join the DRCF as a full member in April 2021 which will coincide with the operational go-live date of the Digital Markets Unit (DMU) under the CMA. Although the FCA participated as an observer member from launch, full membership to the DRCF will bring the regulation of financial services more clearly into the frame of the DRCF’s remit.  

The DRCF paper sets out three priority areas and a workplan for 2021/2022, which includes most notably the establishment of joint strategic projects. It also describes additional work to strengthen wider stakeholder engagement and transparency, and to develop the functioning of the DRCF and build operational capabilities. The DRCF invites comments and discussion on the workplan and priorities for 2021/2022 which can be submitted by emailing DRCF@ofcom.org.uk.

If you are interested in reading more about the latest developments in online platform regulation as further context to the DRCF’s workplan, see our Law-Now on this topic (available here).

2021/2022 DRCF Priorities 

The DRCF workplan outlines three priority areas for 2021 and 2022: (1) responding strategically to industry and technological developments; (2) developing joined-up regulatory approaches; and (3) building skills and capabilities. In addition to these priority areas, the workplan sets out the DRCF’s longer term plans to (4) strengthen wider stakeholder engagement and transparency through collective engagement and (5) develop the functioning and operational capabilities of the DRCF.

Priority areas 1 and 2 above are particularly noteworthy and we consider them in more detail below. For workstreams 4 and 5 above, we can expect to see a revised approach to information sharing among DRCF members and for the DRCF to seek to increase its presence in international forums in the coming months.

  1. Responding strategically to industry and technological developments

Key components of this priority area will be the establishment of joint strategic projects and horizon scanning for potential and future regulatory gaps. The DRCF identifies four emerging trends and technological developments in online services which it considers have implications for the regulatory objectives of its respective members and for which a coordinated approach to regulation is required. A coordinated approach means the DRCF regulatory authorities will as far as possible for each priority area work together to create single project teams, share resources and expertise, engage once with stakeholders not separately and publish findings jointly.

The identified emerging trends and technological developments in online services are: (a) design frameworks; (b) algorithmic processing; (c) digital advertising technologies; and (d) end-to-end encryption. We expand on what work the DRCF plans to do and the previous and ongoing regulatory work the DRCF will leverage below.

  1. Design frameworks

The DRCF aims to collaborate with government, stakeholders and other regulators (including by establishing working groups and a repository of existing research and best practices) to develop coherent design frameworks and approaches. Further, the DRCF plans to engage with technology and developer communities and industry to develop, pilot and assess practical methods and tools to achieve compliance with design framework requirements and promote transparency with users.

To illustrate progress in this area and the need to bring greater clarity for industry and thereby make compliance more efficient, the DRCF identifies numerous, varied and often overlapping design frameworks which already or are proposed to apply to the regulatory remit of the ICO, Ofcom and the CMA. These include ‘data protection by design and default’ under the UK General Data Protection Regulation, the Safety by Design framework in the UK Government’s response to the 2019 Online Harms White Paper and the CMA’s ‘fairness by design’ to encourage free and informed consumer choice on online platforms.

  1. Algorithmic processing

The DRCF identifies a real need to strengthen shared understanding of and expertise in algorithmic systems among regulators. It recognises the expertise and recent studies in algorithmic systems and artificial intelligence (AI) of its members. These include the CMA’s Analysing Algorithms Programme, Ofcom’s work on the use of AI in online content moderation, the FCA’s ongoing collaboration with the Alan Turing Institute on AI transparency in financial services and creation of the AI Public Private Forum with the Bank of England and the ICO’s guidance on data protection and AI and work on an AI auditing framework (as well as the Centre for Data Ethics and Innovation’s review of algorithmic bias).

To improve the regulatory approach, the DRCF will seek to identify areas where common practical approaches in different regulatory regimes can be streamlined and drive efficiencies for industry by developing solutions, such as in relation to regulatory requirements for impact assessments for algorithmic systems.

For this priority area, the DRCF intends to jointly host stakeholder events in Q3 2021. In Q4 2021, the DRCF intends to publish reports on the events and its shared vision on regulatory tools and approaches to assessing and auditing algorithms, including standards on auditing algorithms and use of personal data in choice architecture (for example consent and dark patterns).

  1. Digital advertising technologies

In relation to adtech, the DRCF acknowledges ongoing regulatory activity including the ICO’s investigation into real time bidding and the adtech industry which resumed on 22 January 2021, the CMA’s investigation into Google’s Privacy Sandbox proposals to remove third-party cookies from Chrome and Chromium and the CMA’s Online Platforms and Digital Advertising Market Study. The DRCF also notes that a deeper understanding of the adtech industry, in particular advertising-funded business models and the supply of online content, will be imperative to Ofcom’s regulation of online safety in future.

To this end, the DRCF plans to develop a more holistic view of how the digital advertising sector interacts with users’ rights and may create potential competition, consumer and privacy harms, which will include working with the Advertising Standards Authority (ASA). Further, the DRCF will host cross-regulator workshops to develop a framework to support this holistic approach to better inform its evaluation of future developments in the adtech industry.

  1. End-to-end encryption

The DRCF highlights that although encryption technologies are increasingly present in online services and provide enhanced security and privacy protection for users, regulators are concerned with the impact of end-to-end encryption on transparency, supervision and monitoring of how services are used and the interoperability of technologies to the possible detriment of users’ choice and incentives for service providers to innovate.

For this priority area, the DRCF will build on previous regulatory work in this area, including Ofcom’s findings on the use of online messaging and calling in its Online Nation 2020 Report, by holding a joint workshop to define future joint work and then publish its findings. The limited detail around the plan for work on end-to-end encryption technologies suggests that this priority area is relatively underdeveloped and we can expect to see more concrete thinking from the DRCF on this topic in the coming year.

  1. Joined-up regulatory approaches

The DRCF highlights that identifying and assessing areas of regulatory intersection and considering these from a range of perspective across different regulatory regimes is key to developing coherent regulatory outcomes. In 2021/2022, the DRCF’S main areas for joint work will be as follows:

  1. data protection and competition regulation (led by the CMA and the ICO)

At the intersection of data protection and pro-competition measures, the CMA’s investigation into Google’s Privacy Sandbox proposals to remove third-party cookies from Chrome and Chromium will take centre stage. The DRCF plans to complement this investigation and explore how to balance competition and consumer privacy issues in future. Of particular note, the DRCF will publish a statement on the shared views of the relationship between competition and data protection in digital markets and how the DRCF will reconcile tensions between the two areas in H1 2021. This statement will underpin the DRCF’s future work on the interface between competition and data protection in digital markets so it will provide important clarity to the industry on the future direction of policy.

  1. the Age Appropriate Design Code and the regulation of video-sharing platforms and online safety (led by Ofcom and the ICO)

At the intersection of data protection and online safety, the DRCF’s focus will be on the ICO’s Age Appropriate Design Code and the video-sharing platform regulation overseen by Ofcom which requires providers to take appropriate measures to protect under-18s from content which might impair their physical, mental or moral development. Building on the ICO’s and Ofcom’s previous work to make the internet a safe place for children, the DRCF plans to complete joint public engagement to educate the public and stakeholders on the differences and overlaps between the two regimes, which might include joint guidance on online safety for children, and support cooperation between regulators as nascent elements of the data protection and online safety regulatory regimes become operational. 

  1. Interactions in the wider digital regulation landscape

The DRCF acknowledges that there are a wider range of regulators with responsibilities covering digital and online services and hints that DRCF membership might expand further. The DRCF plans to establish a mechanism to cooperate with other authorities on areas of mutual interest and indicates that it will continue to engage with regulators to identify joint work (including the ASA, the Prudential Regulation Authority, the Payment Systems Regulator, the Intellectual Property Office and the Gambling Commission). Although there are no mentions of specific joint work despite references to ‘existing discussion with regulators with a mutual interest in the regulation of digital services’, we can expect to see greater regulatory collaboration in more online sectors from now.

Comment

As the first update from the DRCF since it announced its creation and six high-level objectives on 1 July 2020, the 2021/2022 workplan provides long-awaited clarity on how the DRCF intends to foster and facilitate greater collaboration and alignment in the regulation of digital and online services and specifically what regulatory activity stakeholders in the UK digital economy can expect to see in the coming year. The DRCF’s workplan is ambitious in scope and represents a step change in how UK regulators will seek to develop expertise, design policy and shape the online environment.

The DRCF intends to provide various opportunities for stakeholders to participate in dialogue with regulators and other industry stakeholders through events, workshops and roundtables which will present a new opportunity for online players to engage with multiple regulators in the same forum on industry-wide topics. Those interested in AI, adtech, online safety for children, encryption technologies and nascent design frameworks should pay particular attention to upcoming publications on these issues following stakeholder engagement to gain insight on the future direction of UK digital policy. 

With the FCA joining the DRCF next month (fintechs take note that financial services regulation is in scope on a more solid basis!) and the workplan stating that additional regulatory authorities may join the forum, the DRCF will likely grow in members and importance in the coordination of online regulation across an increasing range of sectors in future.