COMPARATIVE GUIDE
19 February 2025

Digital Business Comparative Guide

SM
Slaughter & May

Contributor

Slaughter & May logo

Slaughter and May is regarded as one of the most prestigious law firms in the world. We advise on high profile and groundbreaking international transactions and have an excellent and varied international client list.

We have a diverse and extensive international practice providing a full range of legal services. Mergers and Acquisitions, Corporate and Commercial and Financing represent our core practice areas. We also have leading practitioners in more specialist areas including Tax, Competition, Dispute Resolution, Commercial Real Estate, Pensions and Employment, Financial Regulation, Information Technology and Intellectual Property.

Our expertise covers the full spectrum of industry sectors to service a diverse range of clients from leading private equity boutiques to investment banks; start-up businesses to governments; retailers to entertainment companies; and diversified industrial conglomerates to premier league football clubs.

Explore Firm Details
Digital Business Comparative Guide for the jurisdiction of United Kingdom, check out our comparative guides section to compare across multiple countries
United Kingdom Technology
Rebecca Cousin and Laura Houston

1 Legal framework

1.1 Which key legislative and regulatory provisions govern digital business in your jurisdiction?

A wide range of legislative and regulatory provisions govern digital business in England and Wales.

A number of cross-sectoral rules (e.g, around data privacy, intellectual property, consumer protection and competition law) are highly relevant to digital businesses. However, more recently, there has been a focus on introducing rules which are aimed at those in the tech sector. For example:

  • tech firms with strategic market status will be governed by the Digital Markets, Competition and Consumers Act 2024 (see question 12);
  • those undertaking a regulated activity or supplying certain critical services into the financial sector may face financial regulation (see questions 1.2 and 3.1); and
  • the United Kingdom has plans to expand the Network and Information Systems Regulations, which aim to increase the level of security of network and information systems for the provision of essential services and certain key digital services around cyber to cover a wider range of technology providers (see question 5).

For organisations using digital technologies, whether in the tech sector or not, there are also specific rules which may apply. For example:

  • the United Kingdom's artificial intelligence (AI) framework (which leverages existing sector regulation) may apply (see question 3.1(b));
  • there are new rules to increase the security of connected devices (see question 5); and
  • the Online Safety Act covers more than just the tech sector (although that is seen as its main aim).

There are also provisions in the UK consumer protection legislation that deal with digital content (see question 7) and rules which apply to e-commerce (see question 2.3(a)).

1.2 Do any special regimes apply (eg, in specific sectors or to certain types of products)?

Many sector regulators have taken a particular interest in digital technologies which impact on their sector. The financial, data and medical regulators, for example, all have specific rules and guidance which relate to particular types of technology or digital products or services.

By way of example, fintech players will need to comply with financial regulation where they offer traditional financial services such as banking, insurance and consumer credit. In addition, the regulatory perimeter has evolved to capture innovative fintech markets such as crowdfunding and (while the legislation/regulatory rules are still in development) 'buy now, pay later' products and most crypto-assets.

There are also some specific laws and regulations which relate to those operating in the technology sector, which are discussed in question 1.1.

Typically, United Kingdom legislation tends to be technology neutral, addressing the risk/harm instead. However, as mentioned in question 1.1, the UK does have a range of rules which apply to particular types of technology. For example, it has:

  • suggested that it may introduce new legislation regulating those developing the most powerful AI models (see question 3.1(b));
  • introduced rules which aim to increase security around connected devices (see question 5); and
  • drafted new legislation specifically designed to regulate automated vehicles.

1.3 Which bodies are responsible for implementing and enforcing the digital business regime in your jurisdiction? What is their general approach in doing so and what are their key areas of focus?

Within the United Kingdom government, the Department for Science, Innovation and Technology takes the lead on many digital initiatives.

In terms of regulators, there is no one 'digital' sector regulator, although the United Kingdom does have a Digital Regulation Cooperation Forum which was established to ensure greater cooperation on online regulatory matters. It is made up of four key regulators involved in managing the risks around digital business, as follows:

  • Data regulator: Data is a key asset for digital businesses and the Information Commissioner's Office is also very focused on emerging technologies such as AI.
  • Financial regulator: The Financial Conduct Authority, alongside other UK financial regulators, supports technological innovation in financial services while recognising the potential risks posed by certain digital technologies (eg, crypto-assets and large language models) to consumers and financial markets.
  • Competition regulator: The Competition and Markets Authority manages the new digital markets regime (through its Digital Markets Unit) and is interested in how digital sectors operate.
  • Communications regulator: The Office of Communications regulates (among other things) the new online harms regime.

A 'Regulatory Innovation Office' was introduced in 2024, bringing together existing functions across government to help reduce the burden for businesses hoping to bring new products and services to market in fast-growing sectors through innovations (like Artificial Intelligence). Its remit includes supporting regulators to update regulation and coordinate issues that cross boundaries.

2 Market snapshot

2.1 How embedded is digital business in your jurisdiction?

Digital business is an intrinsic part of United Kingdom society, interwoven into its economy, culture and politics.

On an economic level, digital business has been booming. The UK digital sector grew by 9% from 2019 to 2022, outpacing the wider economy, which grew at just under 2%. Seven of the top 10 fastest-growing companies in the United Kingdom in this period were in the digital sector, illustrating that digital businesses are playing a central role in the UK economy.

At a more granular level, statistics reveal that digital tools have become essential to society. Twenty per cent of UK businesses use cloud-based financing or accounting software, while 25% UK workers recently stated that the inability to use a search engine would either make their job impossible or significantly impact on their ability to do their job. Similarly, a recent survey found that UK consumers are more receptive to digitally enhanced shopping features than consumers in other nations, with 41% of UK shoppers classed as 'digital enthusiasts'.

The importance of digital business to the United Kingdom is reflected by the political focus on the sector. Both the current and previous governments have shown an eagerness to facilitate digital development: the former through its Digital Development Strategy 2024–2030 policy paper and the latter through a manifesto commitment to change the planning regime to make it easier to build digital infrastructure. The government has also expressed an ambition to make the United Kingdom a science and technology superpower by 2030.

2.2 Are the main players domestic, foreign and/or international?

The dominant players in the United Kingdom are large multinationals, which have developed the 10 most popular mobile applications. The mobile applications which consumers spend the most money on are also developed and owned by international companies. Global tech companies are also pre-eminent in e-commerce, with Amazon's online marketplace being the most popular in the UK.

Amid this foreign-dominated landscape, however, there are some notable sectors in which domestic players are more central. One such sector is fintech, which is often touted as a UK success story and which is discussed in further detail in question 2.3(b). In particular, digital banking – where consumers use online-only bank accounts managed via smartphone apps – is an area of strength. The largest digital bank in the UK is Revolut, a company founded in London in 2015, which boasted 45 million users globally as of November 2024, of which 10 million users are in the UK. Revolut's largest competitors are also domestic digital banks, with Monzo and Starling Bank used by millions of UK customers. The digital goods and services sector also has a more domestic flavour: in 2024, UK supermarket giant Tesco had the most downloaded app in the sector, with over 12 million downloads, with UK start-up Deliveroo not far behind with more than 2 million downloads.

The UK is also very strong in research and development and in certain digital areas, such as artificial intelligence (AI), thanks to thriving home-grown businesses such as DeepMind (which became Google DeepMind in 2023).

2.3 Describe the key features of the following digital business sectors in your jurisdiction: (a) E-commerce; (b) Fintech and (c) Digital health.

(a) E-commerce

The United Kingdom has the most lucrative e-commerce market in Europe, with United Kingdom consumers willing to embrace new technologies and engage in a market underpinned by:

  • reliable consumer protection laws/regulations;
  • safe payment options; and
  • established distribution networks.

Key features of e-commerce in the UK include major advances in technology, particularly in payment options, and increasing personalisation supported by a shift to omnichannel services and AI capability.

The online payment sector has expanded significantly, offering customers a wide variety of convenient and secure payment options, encompassing:

  • the most popular options of PayPal/Apple Pay:
  • digital wallets with multi-currency capabilities;
  • tailored solutions for small and medium-sized enterprises; and
  • cryptocurrency integration.

The shift from multichannel to omnichannel services, focused on providing customers with seamless integrated shopping experiences, has been embraced by key UK retailers such as Argos, Next, John Lewis and Tesco. These companies have adopted features such as:

  • click-and-collect integrated with physical stores;
  • improved user experience on websites; and
  • integrated digital sales and marketing efforts.

Finally, UK companies are increasingly adopting AI-forward approaches to personalise customer journeys by conducting sophisticated data analytics and machine learning to facilitate:

  • personalised product recommendations;
  • chatbot/virtual assistant support;
  • dynamic pricing optimisation;
  • automated marketing;
  • fraud detection; and
  • efficient inventory management and supply chain optimisation.

Together, these features are driving significant growth in the sector, with online retail sales forecast by some to accelerate by 4.5% in 2025 to £128.8bn, the strongest annual growth since 2021.

(b) Fintech

The United Kingdom has a mature and world-leading fintech sector with a high rate of consumer adoption. It consistently attracts more fintech investment than any country other than the United States. The sector has strong support across the political spectrum, with an ongoing focus on implementing the recommendations of the Kalifa Review of Fintech (an independent strategic review) which concluded in 2021. The current government has placed fintech at the heart of its vision for UK financial services.

Fintech players must comply with financial regulation where they offer traditional financial services such as banking, insurance and consumer credit; but the UK financial regulators are seen as pragmatic and open to innovation. Significant reforms to the UK listing rules and the establishment of the Fintech Growth Fund have cemented the United Kingdom's fintech-friendly status. Ongoing confidence in the UK fintech market was underscored by Monzo Bank's announcement in March 2024 that its latest funding round had increased its valuation from £3.5 billion in 2021 to £4 billion.

The Open Banking initiative facilitates data sharing between major players in the retail banking market and trusted third-party application and service providers. Its success is part of the UK's fintech success story and one in seven UK digital customers now has an active open banking connection or has made a payment using open banking. Equally (if not more) important is regulatory support for growing fintechs through initiatives such as:

  • the Financial Conduct Authority's Regulatory Sandbox;
  • tech sprints; and
  • the Bank of England's Fintech Hub.

(c) Digital health

The United Kingdom government has been supporting the digital transformation of the healthcare sector for many years.

The National Health Service (NHS), which provides publicly funded medical and social care services across the United Kingdom, has digitised a number of its services. For example, the NHS app has enabled a range of NHS services to be provided digitally, including:

  • managing appointments, hospital referrals and prescriptions; and
  • allowing patients to access their health records.

More broadly, m-health (or the use of mobile technology to support healthcare delivery) plays a key role in enabling the delivery of care to patients in their homes, through services such as remote monitoring, diagnostics and rehabilitation.

The provision of telemedicine services has increased meaningfully since the beginning of the COVID-19 pandemic. Since October 2021, general practitioners' practices have been required to offer:

  • online and video consultation tools;
  • a secure electronic communication method; and
  • online personal information management functionality.

The UK also has a thriving community of medtech startups and university spinouts (particularly in Cambridge, Oxford and London) working on digital health innovation.

The UK medical regulator, the Medicines and Healthcare Products Regulatory Agency (MHRA), is actively monitoring and regulating digital health developments. The MHRA's remit covers any software (including AI) which is used for a medical purpose under the UK's medical devices regulations. Specifically on the regulation of 'AI as a medical device' offerings, the MHRA is expected to take a proportionate approach which seeks to balance the risks involved with the offerings' transformative potential. The MHRA announced, at the beginning of December 2024, the selection of five AI technologies for its regulatory sandbox, or pilot scheme, the AI Airlock.

3 Technologies

3.1 How are the following digital business technologies regulated in your jurisdiction and what key issues should be borne in mind in relation to each? (a) Online payments (including cryptocurrencies and digital wallets); (b) Artificial intelligence; (c) Connected devices/Internet of Things and (d) Other (eg, cloud services, quantum technology, chip technology).

(a) Online payments (including cryptocurrencies and digital wallets)

The Payment Services Regulations 2017 (PSRs) are the regulatory bedrock for payment service providers (PSPs), both bank and non-bank, that facilitate online payments. The PSRs:

  • impose authorisation and registration requirements on most non-bank PSPs;
  • support the emergence of new market entrants; and
  • establish how payment services are to be provided.

Competition in payment services is further supported through the Open Banking initiative, which facilitates data sharing between major players in the retail banking market and trusted third-party application and service providers.

The type of payment will also determine the regulatory nexus. Where e-money is involved, the Electronic Money Regulations 2011 are engaged. The regulatory perimeter is in the process of expanding to capture most crypto-asset activities within the Financial Services and Markets Act 2000, and secondary legislation detailing how this will be achieved is forthcoming. This new regime heralds the phaseout of an interim crypto-asset registration regime under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.

Payments is a rapidly evolving landscape. Derived from the Second EU Payments Services Directive 2015/2366, the PSRs have been subject to review and will be replaced where necessary with United Kingdom-tailored regulation in the wake of Brexit. These will be informed by a recent review of the 'Future of Payments' in the United Kingdom, which called for reduced regulatory complexity. Meanwhile, digital wallets are a developing area of regulatory focus, as their rapid adoption raises questions as to whether technology firms will 'bypass' banks.

(b) Artificial intelligence

Artificial intelligence (AI) is regulated in the United Kingdom through existing legal and regulatory regimes, such as those governing:

  • intellectual property;
  • consumer protection;
  • data protection;
  • employment;
  • financial services; and
  • medical devices.

There is also already related case law and regulatory guidance in these areas which specifically cover AI.

In addition, the previous UK government published a 'Pro-Innovation Approach to AI Regulation' white paper in March 2023, which set out a context and sector-specific approach to AI regulation. This utilises the existing regulatory regimes but is underpinned by:

  • a set of five overriding principles that all regulators should have regard to (covering topics such as fairness and accountability); and
  • a suite of centralised functions (eg, a central risk register and the Regulatory Sandbox).

Both the previous and current UK governments have also discussed introducing legislation regulating those developing the most powerful AI models and so this is expected in the future.

In terms of key issues, AI raises a wide range of legal considerations, including issues pertaining to:

  • the potential infringement of IP and data privacy laws;
  • security risks;
  • the use of AI in cyber-attacks;
  • bias;
  • a lack of transparency;
  • inaccurate outputs (hallucinations); and
  • where liability sits within the AI supply chain.

(c) Connected devices/Internet of Things

In the United Kingdom, the cybersecurity of consumer connectable products is regulated by Part 1 of the Product Security and Telecommunications Infrastructure Act 2022 (PSTIA).

Most of the obligations specified in Part 1 of the PSTIA apply to consumer connectable products such as smartphones, smart TVs, connected baby monitors and connected alarm systems (i.e, internet or network-connectable products which have not been excepted) which:

  • are or have been made available to consumers in the United Kingdom; or
  • are identical to products made available to consumers in the United Kingdom.

The PSTIA imposes obligations on manufacturers, importers and distributors of consumer connectable products. Broadly speaking, they must:

  • comply with certain fundamental cybersecurity requirements;
  • make products available in the UK only if accompanied by a statement of compliance; and
  • investigate potential compliance failures (manufacturers and importers only).

The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (SI 2023/1007), adopted by the secretary of state under the PSTIA, came into force on 29 April 2024. These regulations set out the security requirements that manufacturers of relevant connectable products must comply with – namely:

  • meeting minimum password requirements – for example, ensuring that any passwords are unique per product;
  • implementing a means to manage reports of vulnerabilities, including:
    • providing at least one point of contact to report security issues to; and
    • providing regular status updates regarding security issues; and
  • providing transparency on the minimum length of time for which the product will receive security updates.

(d) Other (eg, cloud services, quantum technology and chip technology)

As for other technologies, each comes with its own set of issues to be considered:

  • Cloud: Cloud services are widely used in the United Kingdom and the UK government has a 'cloud first' policy for the public sector. The security around cloud services is primarily regulated by the Network and Information System Regulations (2018), which impose security and incident notification obligations on them. The previous government also consulted on whether to introduce tougher security and resilience measures for data centres operating in the United Kingdom to protect against potential disruption; and the Cyber Security and Resilience Bill proposed by the current government (see question 5) will also be relevant to providers. Additionally, the Competition Markets Authority is investigating the supply of public cloud infrastructure services following concerns about the difficulty of switching suppliers.
  • Quantum: The National Quantum Strategy (published in 2023) outlines guiding principles for the regulation of quantum technologies, currently subject to:
    • the Academic Technology Approval Scheme;
    • the National Security and Investment Act 2021; and
    • the UK export control regime.
  • The Regulatory Horizons Council – an independent expert committee which identifies the implications of technological innovation and advises the government on potential related regulatory reform – published a report in February 2024 that advocated a pro-innovation regulatory approach to quantum technologies. It recommended that regulation be led by standards and guidance rather than premature laws, until there is greater clarity on quantum technologies' benefits and risks. The government published a response in October 2024 that was supportive of the RHC's recommendations but emphasised the need for sustained action to facilitate a sector- and application-specific regulatory model in future. Recognising the need for a cohesive regulatory approach, the Office for Quantum in the Department for Science, Innovation and Technology will convene a cross-sector regulatory Forum for Quantum Technologies, and the UK will continue to participate in international standards through the Quantum Standards Network.
  • Chips: The UK's National Semiconductor Strategy (published in 2024) introduced regulatory changes – for example, by including chips under the current export control regime. The government is concerned that the United Kingdom has a minor share in global chip manufacturing capacity and the concentration of chip manufacturing in East Asia (particularly Taiwan) could render the global supply chain vulnerable in the event of disruption.

4 Data

4.1 What is the regime in your jurisdiction for regulating the processing of personal data and what specific implications does this have for digital business?

The processing of personal data is governed by:

  • the United Kingdom General Data Protection Regulation (UK GDPR); and
  • the Data Protection Act 2018 (DPA 2018).

Additionally, in future the provisions of the Data (Use and Access) Bill (Data Bill) will also be relevant as these, once passed and in force, will amend the provisions of the UK GDPR and the DPA 2018.

The UK GDPR is closely aligned with the EU GDPR, but the DPA 2018 includes certain provisions tailoring the regime for the United Kingdom. Of particular relevance to digital businesses is that these laws apply to UK as well as non-UK businesses if they:

  • offer their goods/services to individuals in the United Kingdom; or
  • monitor the behaviour of individuals in the United Kingdom.

The UK GDPR sets out principles, rights and obligations in relation to personal data – for instance, requiring:

  • a legal processing basis for data processing;
  • the implementation of appropriate technical and organisational measures to safeguard personal data; and
  • the provision of privacy notices to individuals including mandated information in a clear and comprehensible manner.

Digital businesses operating in the United Kingdom must appoint a data protection officer if they:

  • process large volumes of special category data (eg, health data); or
  • undertake high-risk data processing activities.

They must also conduct data protection impact assessments – a form of risk assessment specified by the UK GDPR – for processing activities that could pose a high risk to individuals' privacy.

Non-compliance with the UK GDPR can result in regulatory action, including fines of up to 4% annual worldwide turnover. The Information Commissioner's Office enforcement action (including fines) currently focuses on processing which poses the highest risk to data subjects.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 operate alongside the UK GDPR to determine when consent is required for direct marketing and the use of cookies. The Data Bill will bring the maximum fines for breach of these provisions in line with those for the UK GDPR.

4.2 What is the regime in your jurisdiction for regulating the processing and sharing of non-personal data and what specific implications does this have for digital business?

There is currently no specific framework for regulating the processing and sharing of non-personal data in the United Kingdom. However, building on the success of the Open Banking initiative, the UK government has proposed introducing "smart" data-sharing schemes for open banking and finance under the Data (Use and Access) Bill (Data Bill).. Once the Data Bill is passed and the relevant provisions in force, these schemes will help with the secure sharing of customers' data, upon their request, with third-party providers, beyond the portability right under the UK General Data Protection Regulation.

Digital businesses must also ensure compliance with sector-specific regulations – such as those in finance, healthcare and telecommunications – which may impose specific requirements for data handling and sharing.

Finally, organisations must also ensure that restrictions or requirements imposed in data-sharing agreements do not lead to anti-competitive practices.

5 Cybersecurity

5.1 Does your jurisdiction have specific cybersecurity legislation and what implications does this have for digital business?

There are a number of laws which manage cyber risk, including the following:

  • The United Kingdom General Data Protection Regulation (see question 4) contains security and breach notification obligations where personal data is involved.
  • The Network and Information Systems (NIS) Regulations contain measures (including security and incident notification obligations) to increase the level of security of NIS for the provision of essential services and certain key digital services:
    • Essential services include operators in sectors such as energy, transport and health; and
    • Digital services cover cloud computing services, online search engines and online marketplaces (subject to exemptions for small and micro enterprises).
  • The UK government plans to introduce the Cyber Security and Resilience Bill which, among other things, will expand the NIS Regulations to protect more digital services and supply chains.
  • The Computer Misuse Act 1990 creates a number of offences where there has been unauthorised access or interference with a computer or a distributed denial of service attack.
  • The Product Security and Telecommunications Infrastructure Act 2022 and related regulations have established a new regulatory regime to increase the security of consumer connectable devices and products (see question 3).

Various sector-specific rules are also relevant. For example:

  • telecoms operators or internet service providers must follow security and breach notification obligations under the Privacy and Electronic Communications Regulations 2003; and
  • cyber continues to be a regulatory priority for the financial regulators.

In addition, standards may be relevant (eg, the Payment Card Industry Data Security Standard or Cyber Essentials).

6 Financial crime prevention

6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for digital businesses?

The Proceeds of Crime Act 2002 (POCA) sets out the principal money-laundering offences that apply to all businesses, which include concealing, transferring and handling criminal property. POCA sets out further offences which apply only if the business operates in the 'regulated sector' (which will include many fintech businesses), such as tipping off and failure to disclose.

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) impose additional requirements – such as risk assessments and customer due diligence – on financial institutions and professional industries that are at higher risk of enabling illicit finance. Authorised firms in the financial services sector will also need to pay attention to Prudential Regulation Authority and Financial Conduct Authority (FCA) rules which mandate robust governance arrangements and systems and controls to counter money laundering and terrorist financing.

Amendments to POCA broaden the circumstances in which seizure powers can be used for crypto-assets. In addition, the MLRs contain a bespoke FCA registration regime for crypto-asset exchange providers and custodian wallet providers – although this is in the process of being phased out, as discussed in question 3.1(a) – and impose information requirements on crypto-asset transfers.

Finally, all digital businesses must comply with the Bribery Act 2010, which creates the offences of:

  • offering or receiving bribes;
  • bribing foreign public officials; and
  • failing to prevent a bribe being paid on an organisation's behalf.

They must also comply with financial sanctions regimes stemming from the Sanctions and Anti-Money Laundering Act 2018, which do not differentiate between crypto-assets and other forms of assets.

7 Consumer protection

7.1 Do the consumer protection measures in your jurisdiction have specific implications for digital business?

A range of consumer protection laws apply to digital businesses. For example, those supplying digital content must specifically refer to the Consumer Rights Act, which gives enhanced rights to consumers buying digital content.

The Digital Markets, Competition and Consumer Act 2024 (DMCC) has introduced major reforms to United Kingdom consumer protection law, including areas of specific relevance to digital businesses. In particular, it:

  • replaces the UK Consumer Protection from Unfair Trading Regulations 2008, including:
    • extending practices considered automatically unfair (and therefore prohibited) to include publishing or hosting fake reviews online; and
    • widening restrictions on countdown timers and false urgency claims;
  • prohibits drip pricing (online and offline), mandating that headline prices incorporate fixed mandatory fees that must be paid by all consumers, with clear disclosure of variable mandatory fees and their calculation;
  • reforms the subscription contracts rules, requiring businesses to (among other things):
    • provide key pre-contract information and reminder notices;
    • offer a 14-day cooling-off period for cancelling the subscription; and
    • provide simple and clear methods for terminating the subscription; and
  • empowers the UK Competition and Markets Authority (alongside its continuing powers to enforce UK consumer law via the courts) to directly impose turnover-based fines on companies of up to 10% of global annual turnover for UK consumer law breaches.

The government has said that the provisions on subscription contracts will not come into force until April 2026 at the earliest, but those on the consumer aspects and the related new enforcement regime will apply from April 2025.

Where digital businesses are operating in the financial services sector, the Financial Conduct Authority's Consumer Duty:

  • sets higher and clearer standards of consumer protection and
  • requires firms to put their customers' needs first.

8 Taxation

8.1 Does your jurisdiction impose a digital services or similar tax; and/or in light of digital business structures, has it introduced rules to modify the level of presence or connection required to fall under the tax regime? If so, to what extent has your jurisdiction committed to removing these taxes or measures should the Organisation for Economic Co-operation and Development-negotiated Multilateral Convention on a new taxing right (Amount A of Pillar 1) come into effect?

Since 1 April 2020, the United Kingdom has imposed a digital services tax (DST) of 2% on digital services revenues (ie, revenues arising from social media services, internet search engines or online marketplaces) to the extent that such revenues derive from UK users (or UK accommodation or land).

To be within scope, a group's worldwide and UK-derived digital services revenues must exceed £500 million and £25 million respectively. The first £25 million of a group's UK-derived digital services revenues is DST free.

The DST was introduced as a temporary measure (as underscored by the requirement for it to be reviewed before the end of 2025) "to be replaced by a global solution".

Under a 2021 joint statement:

  • Austria, France, Italy, Spain and the United Kingdom agreed to continue applying their DSTs pending agreement of a global solution but to credit excess DST (over a notional amount that could have been collected under the global solution) against future tax under that global solution; and
  • the United States agreed to remove DST-related trade sanctions.

This statement originally expired on 31 December 2023, but was extended until 30 June 2024, by which date the Organisation for Economic Co-operation and Development had planned to reach agreement on the global solution. At the time of writing, agreement is still outstanding and the statement has not been further extended.

8.2 What are the main tax measures, trends and developments in your jurisdiction with implications for digital businesses?

Diverted profits tax (DPT) is charged at 31% (six percentage points above the main corporation tax rate) in certain circumstances where there are:

  • transactions shifting profits to a related party in a low-tax jurisdiction; or
  • arrangements to avoid a United Kingdom permanent establishment.

The current government's "Corporate Tax Roadmap" envisages a consultation in spring 2025 on reforms of DPT and related areas which will likely include rolling DPT into corporation tax while maintaining the rate differential (as had been proposed by the previous government).

The Offshore Receipts in Respect of Intangible Property (ORIP) Rules may impose tax on non-UK resident IP holders' gross receipts from use of the intellectual property in providing goods or services in the United Kingdom. The government has confirmed that it will implement its predecessor's proposal to repeal the ORIP Rules on the enactment of the Undertaxed Profits Rule under Pillar 2 from 31 December 2024.

UK royalty withholding tax can also apply to payments between non-UK residents where the relevant intellectual property is used by the payer's UK permanent establishment.

The UK has a patent box regime which lowers the corporation tax rate on eligible profits to 10%. From April 2023, data licence and cloud computing services costs may qualify for research and development tax relief. Businesses in the videogames or animation sphere may benefit from creative industry relief.

9 Cross-border trade

9.1 Have any legal measures been implemented to facilitate digital cross-border trade in your jurisdiction?

In July 2024, the United Kingdom joined the E-Commerce Joint Initiative at the World Trade Organization (WTO) along with 90 other countries. This is the first global digital trade agreement negotiated under the WTO.

The UK government has also entered into a number of trade agreements with other countries which cover digital trade. For example, the UK-EU Trade and Cooperation Agreement:

  • aims to facilitate cross-border data flows by preventing either party from imposing certain restrictions, such as:
    • requiring the use of computing facilities in a party's territory for processing; or
    • requiring the localisation of data in a party's territory; and
  • requires the parties to exchange information on regulatory matters relating to digital trade.

The Centre for Digital Trade and Innovation was launched in 2022 to accelerate the digitalisation of UK trade through initiatives such as campaigns, education and research. Although this is not solely focused on cross-border trade, its aims include ensuring that "borders are frictionless ... and information flows in common, standardised formats across jurisdictions".

In addition, some legislation specifically addresses cross-border issues. For example, the UK General Data Protection Regulation contains provisions on cross-border data transfers where personal data is involved (see questions 4 and 9.2).

The Electronic Trade Documents Act 2023 was also enacted to boost the use of electronic trade documents in global trade. The act gives electronic trade documents the same legal effect as equivalent paper documents so that they are capable of 'possession' if they satisfy the relevant criteria.

9.2 What specific challenges or concerns does digital cross-border trade present in your jurisdiction that digital businesses should bear in mind?

Cross-border trade raises a number of challenges, such as the following:

  • Digital businesses undertaking international transfers of personal data must comply with the United Kingdom General Data Protection Regulation, which sets out certain requirements. Digital businesses may make an international transfer of personal data only if the receiver is located in a country covered by UK adequacy regulations (ie, a country which has been assessed as providing adequate protections for personal data). Failing this, businesses must make the transfer:
    • subject to appropriate safeguards (eg, incorporating standard data protection clauses into the contract governing the transfer or using binding corporate rules); or
    • in reliance on an exception.
  • Post-Brexit, the UK is no longer part of the European Union's Digital Single Market. The European Union's four freedoms (which state that goods, services, capital and persons can move without restriction within the bloc) are the cornerstone of the single market. The European Union also had specific legislation which aimed to remove barriers to cross-border online activity (eg, around geo-blocking and cross-border portability of online content). The UK no longer benefits from these freedoms and rules. However, the wide territorial reach of many EU laws means that UK businesses operating in the European Union could still be bound by them.
  • Cross-border trade can also raise issues around:
    • intellectual property (given its territorial nature – see question 10);
    • tax (see question 8); and
    • in certain circumstances, export control concerns.

10 Brand protection

10.1 How are brands protected in your jurisdiction? Are there any specific challenges or considerations for digital businesses to bear in mind?

Brands for digital businesses, as well as individual products and services, are protected in the United Kingdom primarily through registered and unregistered trademarks.

Registered trademarks are most commonly used to protect things such as words and logos, but – theoretically at least – they can also be used to protect other aspects of brands, such as shapes, colours and sounds. A UK registered trademark gives a statutory monopoly and can provide protection indefinitely, provided that the rules are followed – for example:

  • the renewal fees are paid; and
  • the mark is used and enforced against third parties.

Protection is not, however, available for everything. Trademarks are granted only in respect of specific classes of goods and/or services.

UK registered trademarks can be applied for:

  • at the UK Intellectual Property Office; or
  • through the World Intellectual Property Organization using the international Madrid System (designating the United Kingdom).

Unregistered trademark rights may be enforceable through the English courts under the law of passing off.

It is particularly important for digital businesses to bear in mind the jurisdiction and enforcement challenges presented by the use of brands online, which are complicated by the territorial nature of trademark rights. This can have an impact from both:

  • a rights holder perspective (eg, affecting trademark filing strategy); and
  • a user perspective (eg, when considering cross-border infringement risk).

11 Innovation

11.1 How is innovation in the digital business space protected in your jurisdiction? What key issues should digital businesses bear in mind in this regard?

Innovations can be protected in the United Kingdom by IP rights. Copyright and patents are of particular relevance to the digital sector, but database rights and confidentiality can also play a part:

  • Patents: Patents are the most common way to protect inventions in the UK and provide the owner with a 20-year monopoly right. To be patentable, an invention must:
    • be new;
    • involve an inventive step;
    • be capable of industrial application; and
    • not be excluded from protection under the Patents Act 1977.
  • Computer programs are not patentable in the UK, unless they possess a technical character. While technical character can be difficult to determine, the English courts have provided guidance to assist with the analysis.
  • Copyright: Copyright is an unregistered right which protects various different categories of 'works' in the UK. These include literary, dramatic, musical and artistic works – with computer programs being protected as literary works. Other elements that are produced when a computer program is running – such as screen displays, graphics and sound effects – are also protectable by copyright. However, software function alone is not.
  • Database right: Databases can be protected in the UK through copyright or the 'sui generis' database right.
  • Confidentiality: Almost any type of information can be protected by the law of confidentiality, provided that it remains confidential. This includes details of inventions that may not be patentable (eg, computer programs), as well as things such as software source code.

12 Competition

12.1 Does the applicable competition regime in your jurisdiction have specific implications for digital business?

Digital markets are an area of focus for the Competition and Markets Authority (CMA), which continues to probe the conduct and transactions of companies in these markets under the general United Kingdom competition rules and merger control rules. It is closely monitoring the development of artificial intelligence, including recent partnerships in this sector.

In addition, the Digital Markets, Competition and Consumers Act 2024 introduces a new digital markets regime from 1 January 2025.

The regime will empower the CMA to designate tech firms as having strategic market status (SMS) in respect of a digital activity where it establishes through an investigation that the following criteria are met:

  • The digital activity carried out by the undertaking is linked to the UK;
  • The undertaking has, in respect of that digital activity, both:
    • substantial and entrenched market power; and
    • a position of strategic influence; and
  • The undertaking's global turnover in the relevant period exceeds £25 billion or its UK turnover exceeds £1 billion.

Following designation, the CMA will be able to:

  • impose tailored conduct requirements on an SMS undertaking; and
  • make 'pro-competitive interventions' where this would help to remedy an adverse effect on competition.

SMS firms will also be required to report certain possible mergers to the CMA ahead of completion.

13 Employment

13.1 Does the applicable employment regime in your jurisdiction have specific implications for digital business?

There are no specific implications of the United Kingdom employment regime for digital business. Although there are some specific rules which apply to certain sectors – such as healthcare and financial services – no such specific rules apply for digital businesses.

Those working in digital businesses will generally be classed as:

  • employees;
  • self-employed; or
  • 'workers'.

The UK currently affords the full suite of employment rights (including unfair dismissal protection and redundancy rights) to those categorised as employees. Self-employed individuals generally enjoy very few statutory employment protections; their rights are essentially determined by their contractual arrangements with the business that they are working for. There is also an intermediate category of 'workers', who benefit from some but not all of the rights available to employees – including:

  • protection from discrimination and for whistleblowing;
  • the right to working time limits; and
  • the right to the national minimum/living wage.

The current government has proposed a significant reform of the UK employment regime, although so far none of its proposals would have implications solely for digital businesses.

13.2 What rules and restrictions apply to remote working in your jurisdiction?

Generally, where an employee works is a matter for agreement between the employer and employee (and is usually governed by the contract of employment). Employees benefit from the same rights and protections when they are working remotely as they would at the employer's workplace.

All United Kingdom employees have the legal right to request flexible working. Employees can request a change to:

  • the number of hours that they work;
  • when they start or finish work;
  • the days that they work; and
  • where they work (including remote working).

Employers must deal with such requests in a reasonable manner, which will typically involve considering and discussing with the employee:

  • the feasibility of the application for the business; and
  • the implications for the employee.

An employer can refuse an application if it has a good business reason for doing so (which is relatively easy to establish in practice).

The Employment Rights Bill will also require that the employer acts reasonably in determining the reason for refusal of the request. The employer must then communicate to the employee both the reason for the refusal and why it has determined that it is reasonable to refuse on that basis The government has also pledged to introduce a 'right to disconnect', whereby employers would be unable to contact employees outside of their normal working hours. What form this will take is currently unclear, although the government appears to favour a code of practice over a legislative approach.

13.3 How can digital business attract specialist talent from overseas where necessary?

Following Brexit, the free movement rights of European Economic Area (EEA) and Swiss nationals ended on 1 January 2021. EEA and Swiss nationals (as well as qualifying family members) residing in the United Kingdom before 1 January 2021 may remain and work in the UK if they have secured their immigration status under the EU Settlement Scheme. A new points-based immigration scheme was introduced in the United Kingdom on 1 December 2020 and has applied to EEA and Swiss nationals since 1 January 2021. The most popular immigration route used by digital businesses to acquire talent from overseas is likely to be the 'global talent' route. This route is for exceptionally talented or promising individuals in certain fields (including digital technology) who wish to come to the United Kingdom to work. This route does not require the employer to hold a sponsor licence. In addition, the 'scale-up' route, which opened in August 2022, allows a broader range of workers to come to the United Kingdom to work for fast-growing digital businesses.

14 Environmental, social and governance (ESG)

14.1 What specific challenges or concerns does digital business present from an environmental perspective? What key considerations should be borne in mind in this regard?

Digital businesses have environmental impacts in the same way as other businesses, but resource use and e-waste (electronic waste) are two specific areas of concern.

Digital businesses are often heavily dependent on data centres. Their significant environmental impacts arise from their vast electricity consumption – about 1% of global electricity demand according to the International Energy Agency – and the heat they expel, as their cooling systems use large quantities of water. These create significant carbon emissions and can impact on biodiversity. Since February 2024, environmental impacts must be considered in data centre development, including biodiversity net gain requirements. Artificial intelligence (AI) and crypto-assets have also received negative publicity for their high energy use.

Conversely, the use of energy-inefficient technology can have negative environmental impacts. Businesses using computers, computer servers, data storage, smartphones, transformers and so on must use products that comply with:

  • legislation such as the Eco-design for Energy-Related Products Regulations 2010 and the 2021 eco-design amendment regulations; and
  • the relevant requirements in the Circular Economy Package.

Other concerns for digital businesses relate to hazardous substances in electronics. E-waste legislation such as the Waste Electrical and Electronic Equipment Regulations 2013 and the Restriction of the Use of Certain Hazardous Substances in Electrical and Electronic Equipment Regulations 2012 were introduced to ensure responsible production and disposal of technology. Currently, however, the United Kingdom is the second-largest producer of e-waste per person globally and the UK's e-waste recycling is low at around 30%.

14.2 What specific challenges or concerns does digital business present from a social perspective? What key considerations should be borne in mind in this regard?

Digital business technology can benefit society, but it also creates concerns ranging from the manufacture of technology products to their use.

Technology products are essential for infrastructure but their components require rare earth minerals and metals, which are often sourced and manufactured outside the United Kingdom using forced or child labour. Under the Modern Slavery Act 2015, all businesses operating in the UK with a turnover greater than £36m must publish a statement setting out the steps it takes to ensure that slavery and human trafficking is not taking place in its own organisation and supply chains.

Social impacts can also arise from their use. There are increasing concerns about impacts on:

  • privacy and freedom of expression; and
  • the dissemination of harmful content.

The Online Safety Act 2023 requires certain technology service providers to take steps to reduce the risk of illegal activity propagated through their services. Specific safeguards must:

  • prevent children from accessing harmful, age-inappropriate content; and
  • ensure transparency about potentially harmful content.

More broadly, digital businesses may have vast repositories of personal data and any misuse, unlawful surveillance or cyberattack could lead to social harms.

Meanwhile, AI:

  • may also amplify social risks if it is trained on biased or inaccurate data; and
  • could lead to discrimination and other social impacts where it is deployed, such as in recruitment, healthcare and policing.

Live facial recognition technology has raised particular concerns, as there have been instances of false positive results, leading to the arrest of individuals. The velocity of AI-driven decisions within a 'black box' can also result in sudden, significant impacts that might not be expected or clearly explainable or allow for accountability. There are also concerns about the potential impact of AI on jobs (and in particular, AI replacing certain jobs).

14.3 What specific challenges or concerns does digital business prevent from a governance perspective? What key considerations should be borne in mind in this regard?

Digital businesses that are new and rapidly developing may not have established governance mechanisms which address the many and often complex environmental and social considerations that such businesses present. Some of these challenges may not have been addressed by legislation, which often struggles to keep up with the pace of technological change. This can mean that digital businesses may have to make decisions with limited regulatory guidance.

Board competence will be essential to ensure effective oversight and address environmental and social impacts. Section 172 of the Companies Act 2006 requires directors to have regard to a broad set of stakeholders (including the community and environment) when acting to promote the success of the company; and changes to the Corporate Governance Code guidance and certain voting guidance reflect an increased corporate governance focus on specific digital issues such as AI and cyber risk.

Equally, existing sub-committees – such as those addressing compliance, audit and risk – may need upskilling to understand their responsibilities. Some digital businesses have put in place new bodies, such as ethics committees, to address risks, policies and processes which have the potential to create greater social impact.

Increased reporting requirements of environmental, social and governance impacts, such as the proposed United Kingdom Sustainability Disclosure Standards, will spotlight any governance inadequacies. As for any other business, those operating with a reliance on digital technology should take care to ensure that the verification and assurance procedures which underpin disclosures are robust, to avert the risk of greenwashing or ethics washing.

15 Trends and predictions

15.1 How would you describe the current landscape for digital business and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The digital regulatory landscape in the United Kingdom is changing. A combination of factors – including a new government in 2024, heightened regulator engagement in digital issues and fast-paced, high-profile technological developments in areas such as artificial intelligence (AI) – means that businesses will need to keep abreast of changing laws and guidance, as well as technology, in the coming year.

We expect to see new laws in areas such as AI, data and cyber and new regimes such as the Digital Markets, Competition and Consumers Act 2024 will start to apply. Many UK businesses are also caught by EU legislation and there is a raft of new EU legislation in the digital area.

Despite the UK government and many key digital regulators having a pro-innovation approach, the regulatory landscape is still becoming more complex. While there are efforts both nationally and internationally to cooperate and coordinate regulatory developments, digital businesses will still have a web of new laws and regulation to navigate.

16 Tips and traps

16.1 What are your top tips for digital businesses in your jurisdiction and what potential sticking points would you highlight?

Digital business should ensure that they:

  • keep abreast of the changing digital regulatory landscape and the overlap of sector and general legislation;
  • understand where and how digital technologies are used in their business, as well as their risk appetite in relation to such use;
  • consider whether they may be operating across borders, even where this is not intended. If so, this may bring the digital business in scope of other laws; and
  • have good strong governance processes in place to ensure that:
    • the opportunities digital developments create are embraced; and
    • the associated risks are identified and mitigated where possible.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Rebecca Cousin
Rebecca Cousin
Photo of Laura Houston
Laura Houston
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More