Litigation & DR Archives - Society for Computers & Law
https://www.scl.org/category/litigation-dr/
Thu, 24 Apr 2025 12:21:16 +0000

Ofcom publishes final guidance on protecting children under Online Safety Act 2023
https://www.scl.org/ofcom-publishes-final-guidance-on-protecting-children-under-online-safety-act-2023/
Mon, 28 Apr 2025 09:20:00 +0000

Ofcom has published its final guidance on protecting children under the Online Safety Act 2023. This follows consultation, including with children.

The guidance includes more than 40 measures for tech firms to meet their duties under the Online Safety Act. These will apply to sites and apps used by UK children in areas such as social media, search and gaming. The steps include preventing minors from encountering the most harmful content relating to suicide, self-harm, eating disorders and pornography. Online services must also act to protect children from misogynistic, violent, hateful or abusive material, online bullying and dangerous challenges.

Ofcom’s Codes demand a ‘safety-first’ approach in how tech firms design and operate their services in the UK. The measures include:

  • Safer feeds. Personalised recommendations are children’s main pathway to encountering harmful content online. Any provider that operates a recommender system and poses a medium or high risk of harmful content must configure their algorithms to filter out harmful content from children’s feeds.
  • Effective age checks. The riskiest services must use highly effective age assurance to identify which users are children. This aims to ensure that they can protect them from harmful material, while preserving adults’ rights to access legal content. That may involve preventing children from accessing the entire site or app, or only some parts or kinds of content. If services have minimum age requirements but are not using strong age checks, they must assume younger children are on their service and ensure they have an age-appropriate experience.
  • Fast action. All sites and apps must have processes in place to review, assess and quickly tackle harmful content when they become aware of it.
  • More choice and support for children. Sites and apps are required to give children more control over their online experience. This includes allowing them to indicate what content they don’t like, to accept or decline group chat invitations, to block and mute accounts and to disable comments on their own posts. There must be supportive information for children who may have encountered, or have searched for, harmful content.
  • Easier reporting and complaints. Children must have straightforward ways to report content or complain, and providers should respond with appropriate action. Terms of service must be clear so children can understand them.
  • Strong governance. All services must have a named person accountable for children’s safety, and a senior body should annually review the management of risk to children.

Providers of services likely to be accessed by UK children now have until 24 July to finalise and record their assessment of the risk their service poses to children, which Ofcom may request. From 25 July 2025, they should apply the safety measures set out in Ofcom’s Codes to mitigate those risks.

If companies fail to comply with their new duties, Ofcom has the power to impose fines and – in very serious cases – apply for a court order to prevent the site or app from being available in the UK.

In recent weeks, it has been suggested that the UK government is coming under pressure from the US government to reduce the protections in the Online Safety Act as part of a UK-US trade deal. In addition, the government has been keen that regulators prioritise growth. However, the Times reported on 24 April that Peter Kyle, the technology secretary, said that he was not afraid to encourage Ofcom to use their powers to fine technology companies over breaches.

Ofcom has also announced that it is consulting on proposals to extend the measures in the Illegal Content Codes on blocking and muting user accounts and disabling comments to a wider range of services. This is because it now considers that it would be proportionate for these measures to apply to certain smaller services that are likely to be accessed by children. The consultation ends on 22 July.

European Commission issues Apple with fine under Digital Markets Act
https://www.scl.org/european-commission-issues-apple-with-fine-under-digital-markets-act/
Thu, 24 Apr 2025 12:18:05 +0000

The European Commission has announced that it has decided to close its investigation into Apple’s user choice obligations under the Digital Markets Act (DMA). In less good news for Apple, it has also decided that Apple’s steering rules breach the DMA and fined it 500 million euros. It has also made a preliminary ruling regarding Apple’s contract terms for alternative apps.

Closure of investigation into Apple’s user choice obligations

The Commission closed the investigation against Apple regarding the DMA obligation that gives users in the EU the opportunity to easily uninstall any software applications and change default settings on iOS, as well as choosing their default web browser from a choice screen. This follows what the European Commission describes as a constructive dialogue between the Commission and Apple. As a result, Apple changed its browser choice screen, streamlining the user experience of selecting and setting a new default browser on iPhone. Apple also made it easier for users to change default settings for calling, messaging, call filtering, keyboards, password managers, and translation services on iPhones. A new menu now allows users to adjust their default settings in one centralised location, streamlining the customisation process. In addition, users can now uninstall several Apple pre-installed apps, such as Safari, a functionality which was previously unavailable. The Commission will keep monitoring Apple’s measures and continue its regulatory dialogue to ensure full and effective user choice, as required by the DMA.

Commission’s fine regarding Apple’s steering rules

Under the DMA, app developers distributing their apps via Apple’s App Store should be able to inform customers, free of charge, of alternative offers outside the App Store, steer them to those offers and allow them to make purchases.

The Commission has found that Apple fails to comply with this obligation. Due to several restrictions imposed by Apple, app developers cannot fully benefit from the advantages of alternative distribution channels outside the App Store. Similarly, consumers cannot fully benefit from alternative and cheaper offers as Apple prevents app developers from directly informing consumers of such offers. Apple has failed to demonstrate that these restrictions are objectively necessary and proportionate. The Commission has ordered Apple to remove the technical and commercial restrictions on steering and to refrain from perpetuating the non-compliant conduct in the future, which includes adopting conduct with an equivalent object or effect.

The fine imposed on Apple takes into account the gravity and duration of the non-compliance. Apple has indicated that it will appeal the fine.

Preliminary findings on Apple’s contract terms

Under the DMA, Apple is required to allow for the distribution of apps on its iOS operating system by means other than through the Apple App Store. In practical terms, this means that Apple should allow third party app stores on iOS and apps to be downloaded to the iPhone directly from the web.

Following an investigation, the Commission takes the preliminary view that Apple failed to comply with this obligation in view of the conditions it imposes on app (and app store) developers. Developers wanting to use alternative app distribution channels on iOS are disincentivised from doing so as this requires them to opt for business terms which include a new fee (Apple’s Core Technology Fee). Apple also introduced overly strict eligibility requirements, hampering developers’ ability to distribute their apps through alternative channels. Finally, according to the Commission, Apple makes it overly burdensome and confusing for end users to install apps when using such alternative app distribution channels.

Therefore, the Commission has preliminarily found that Apple has failed to demonstrate that the measures put in place are strictly necessary and proportionate. Apple can now respond.

Consumer aspects of the Digital Markets, Competition and Consumers Act in force
https://www.scl.org/consumer-aspects-of-the-digital-markets-competition-and-consumers-act-in-force/
Mon, 07 Apr 2025 10:34:01 +0000

Most of the consumer aspects of the Digital Markets, Competition and Consumers Act 2024 came into force on 6 April 2025.

This includes the repealed and replaced Consumer Protection from Unfair Trading Regulations 2008, which update the provisions about unfair commercial practices, as well as new powers for the CMA, including GDPR-style fines, and new rules about fake reviews and drip pricing.

The CMA has published guidance as follows:

  • A short guide for businesses about how to treat consumers fairly.
  • Full updated guidance on unfair commercial practices.
  • How the CMA will use its direct consumer enforcement powers.
  • Guidance about consumer enforcement.
  • Guidance on fake reviews (with a short guide for businesses).

In March, Sarah Cardell of the CMA gave a speech in which she described how the CMA would approach enforcement during the first few months of the new consumer law regime. She also said that the CMA would be carrying out a further consultation about its guidance on drip pricing.

To start with, it plans to take a light touch to enforcement and focus on the most serious breaches. These might include aggressive sales practices that prey on vulnerability; providing information to consumers that is objectively false; or contract terms that are very obviously imbalanced and unfair. In addition, the Advertising Standards Authority (ASA) has also said that it will take into account the CMA’s guidance and approach.

The CMA has published an “Approach to Consumer Protection” which sets out:

  • likely priority areas of enforcement and compliance activity
  • how the CMA will reflect the government’s strategic steer and its own planned improvements to key aspects of the way it works (pace, predictability, proportionality and process – the ‘4Ps’ framework)
  • what stakeholders can expect from the CMA.

The CMA and the UK government have also published a joint statement, reinforcing the CMA’s intended approach and the role of robust consumer protection in helping to grow the economy by promoting trust and confidence, while deterring poor corporate practices.

The subscriptions rules are due to come into force in the spring of 2026, while the provisions about digital markets and competition came into force on 1 January 2025.

This Week’s Techlaw News Round-Up
https://www.scl.org/this-weeks-techlaw-news-round-up-48/
Fri, 04 Apr 2025 08:39:07 +0000

UK law
Secretaries of State reply to Select Committees’ joint response to copyright and AI consultation

The Secretaries of State for Science, Innovation and Technology and for Culture, Media and Sport have replied to the February 2025 CMS and SIT Committees’ joint response to the government’s consultation on AI and copyright. They have shared the Committees’ joint response with officials at the Intellectual Property Office to ask them to consider the Committees’ comments. They also said that there have been over 11,500 responses to the consultation. The government is carefully reviewing responses and has not made any decisions yet. The implementation of any text and data mining exception depends on having workable technical solutions in place for rights reservation. The government will not proceed with legislation unless and until these technical requirements are met.

Ofcom sets out 2025/26 Plan of Work and longer-term blueprint to support economic growth

Ofcom has issued its Plan of Work for 2025/26 which outlines its strategic priorities aimed at enhancing communication services, ensuring online safety, and promoting competition in the media and telecommunications sectors across the UK. The plan focuses on four main priorities: ‘Internet and post we can rely on’, ‘Media we trust and value’, ‘We live a safer life online’, and ‘Enabling wireless in the UK economy’. Key initiatives include supporting investment in gigabit-capable broadband, improving telecoms network security, reforming the universal postal service, implementing the Media Act, enforcing content standards, establishing the Online Safety regime, managing radio spectrum efficiently, and facilitating innovation in mobile and satellite services. Ofcom also says that it will address the unique needs of each home nation, ensuring tailored approaches and stakeholder engagement. The plan emphasizes collaboration with domestic and international partners, investing in data and technology capabilities, and using evidence-based regulation to inform policy decisions.

Adult sites start rolling out age assurance

Ofcom has indicated that providers of online pornography are implementing highly effective age assurance across thousands of sites, in response to Ofcom’s enforcement programme in this area. Earlier this year, Ofcom wrote to hundreds of providers, collectively covering thousands of sites that publish their own pornographic content, telling them about their new obligations under Part 5 of the Online Safety Act to implement highly effective age assurance to prevent children from accessing this material. So far, it says that it has had positive engagement from across the sector and several providers have implemented highly effective age assurance in response to its enforcement programme. It is currently reviewing compliance plans and implementation timescales for other services in scope of these duties. It is also assessing the age assurance measures of providers who have not responded, and several services have been referred to Ofcom’s enforcement team, who will consider in the coming weeks whether formal enforcement action is appropriate. Details of any new investigations will be published on the Ofcom website. By July 2025, all services that allow pornography, including sites that allow user-generated pornographic content, will need to have highly effective age-checks in place to protect children from accessing it.

Patents Court considers patent validity and infringement and FRAND terms claims validly served out of jurisdiction

In Mediatek Inc and others v Huawei Technologies Co Ltd and another [2025] EWHC 649 (Pat), the Patents Court decided that the court had validly permitted service on a defendant out of the jurisdiction regarding actions concerning validity and infringement of telecommunications patents, and the fair, reasonable and non-discriminatory (FRAND) terms for a global cross-licence. Huawei wanted to license its SEPs at the chipset rather than device level. MediaTek brought proceedings against Huawei in the Patents Court, and among other things wanted determination of a global FRAND licence. Huawei pointed to the fact that the relevant acts took place around China as well as the existence of parallel proceedings brought by Huawei and MediaTek in China.

Software Quality and Testing: A Primer
https://www.scl.org/software-quality-and-testing-a-primer/
Wed, 02 Apr 2025 13:36:33 +0000

William Hooper asks: What do lawyers need to know about the assurance of quality in software to contract for it effectively? How do litigators draw on this to prove or defend a claim? His view is that avoiding “system melt-down” seems wiser than dealing with it afterwards.

What is Software Testing?

Suppliers test systems to assess whether they do what they should do (functional testing) in a way that meets the customer’s need (non-functional testing). As such, it is the principal approach used to assure quality. Consideration of testing is useful both to transactional lawyers seeking to draft agreements that protect their clients’ interests and to contentious lawyers seeking to establish a claim.

If you have developed a spreadsheet and want to check whether it adds correctly, you may enter input data of 2 and 3, expecting to get the answer 5. If the actual result is what was expected, you call it a “pass.” If not, it is a “defect.” A useful “test report” contains details of the steps taken in testing by reference to the “test case,” of the input data, the result, and the deviation that leads you to believe it to be defective. In this way, when a developer is passed the defect for resolution, they may replicate the test as an early step in their triage, diagnosis, and fix.

Why Test?

The fundamental assumption is that if one looks for trouble before launching a product, one can address it before it harms anyone. Thus, the product is more likely to be satisfactory for users than if testing is inadequate.

Software engineers have long been aware that if they identify defects early in the process of development, they can fix them more cheaply than if the work has advanced. The reason is that the process of delivery involves bringing many components together. When a defect is discovered early on, just one component (that being developed) is affected. When found later, many others have been closely crafted to fit with the first, so each of these needs to be adapted and re-tested, first in isolation, then in combination. So, the impact is magnified. This is not a linear increase. If a fault is found only in live operation, the user population, support staff, documentation and data for processed transactions may all be affected. There can also be commercial fall-out in the form of compensation or reputational damage. In this way, good testing is related to commercial success and profitability for the developing organisation and customer.

Risk and Testing

The aim of testing is to give reasonable assurance to those charged with developing and launching the system that it is ready for use and is likely to deliver greater benefit than harm.

This does not assure that the system is free of defects. No such guarantee can be given. Because of this, there is a residual level of risk. Managers decide whether testing has been appropriately rigorous to reduce the risk of harm to an acceptable level. If they delay launch to conduct more testing, there can be competitive and commercial consequences from this. So there are trade-offs to be made.

The conscious assessment and containment of risk is at the heart of good test design. This is assisted by the test managers’ having a good understanding of the intended business context of use, so that they focus their efforts on what is most important. The place to look for this is an over-arching document describing the project’s approach to testing, often called the “test strategy.”

In the most egregious cases, a system may be launched with little or inadequate testing. The press, social media, customers, and regulators can be brutal in response.[1]

Some industries have developed sophisticated methods to address risks. Nuclear, aerospace and pharmaceuticals feature prominently. Such methods combine advanced management of the delivery process with considerations of risk and rigorous testing. West-Coast software developers have typically taken this on-board, moderated by methods such as progressive deployment and real-time monitoring of early responses to detect, react to and contain defects when they do occur.[2]

Types of Testing

There is a variety of types of testing with differing objectives. This results in each component being tested many times. When introducing a change, it is normal to repeat many of these. Types of testing that you may encounter include:

Functional

Unit – This is a set of tests normally performed by the person developing the component to validate that it performs the required function, such as the spreadsheet example above. One component may need to deliver several functions, each of which should have an associated test case. The unit is tested in isolation. Anything else the unit relies upon to function is simulated by programmes called “stubs” that deliver the result required from interfacing units and systems.

System – A system normally consists of more than one unit. In system testing, all the units are gathered and tested together, rather than relying on stubs. So, this encompasses looking at the interaction between component units.

Integration – A major system may have multiple elements, some from other suppliers or already in place within the customer’s environment. So, a finance system may interact with payroll and HR systems. Integration testing is a technical validation of the interactions and data flows.

Regression – Sometimes, when changing an element to fix one defect, it has unintended consequences, breaking another part of the system. Regression testing looks for such defects.

UAT – User Acceptance Testing is usually a late phase and is designed to address the question “is the system ready for business use?” It is not an exhaustive set of functional tests but is normally based on a few end-to-end scenarios.

It is normally required that functional testing should assure that the system does do what it should, or “positive testing.” It is wise also to check that it does not do what it should not, or “negative testing.” So, if you expect an input to the earlier spreadsheet example to be a positive integer, and the entry is either “-3” or “Friday” what does the system do? A helpful error message suggesting what is required is a good reaction; crashing is less good; producing an irrational answer is worse.

A complex system is likely to support many processes. Each may have an expected path and various exceptional cases. Each should be tested to assure it works as expected. It is likely to be infeasible to test all combinations, hence the use of risk to prioritise what is selected.

Non-Functional

Security – The project’s security lead should have conducted a security risk assessment. This will assess the value of the system’s function and data, consider vulnerability, the risks of attack and the means by which these may occur. From that, counter-measures may be constructed and their efficacy tested. One commonly adopted type of security test is “penetration” or “pen” testing. In this, a trusted person is hired to attempt to penetrate the system’s defences and review its construction.

Performance – Express non-functional requirements as testable performance parameters. These can include elements such as response time; languages supported; support to disabled users; availability; capacity. Each parameter will have its own test.

User

Useability – Many systems need to operate effectively on a range of platforms such as mobile, PC, tablet. It is wise to validate that the system works effectively for the intended users, that they find the flow of interaction to be understandable and that it is effective in supporting them in their “jobs to be done.” [3] Useability testing explores aspects of the user experience.

Operational

Data Migration – If the new system is to take over from an existing one, there is likely to be data on historic transactions and assets that the new will need access to. Assume that existing data has faults such as missing or corrupt fields. Permitted values may also differ between the old and the new. Data migration testing runs along-side iterative cleansing of the data and its treatment to prepare it for the new and validates that transactions that are in-flight can be handled.

Deployment – Users of the new system may need material such as documentation and training to prepare them for the new system. Assess the efficacy of such preparation before rolling it out.

Support – Conduct “Operational Acceptance Test” or “OAT” through the repeated review of checklists. Questions may include “do we have a set of knowledge articles prepared to support the service desk with known issues?” It validates that the support organisation is ready for the system’s launch.

Code Inspection

It used to be widespread practice to require developers to submit code for human review. Whilst this is still used, it is normally now by exception and based on small sample sizes once a developer has established competence. Automated tools have taken over the bulk of the work.

Static Test – Automated tools are used to test the code for its ability to compile and for conformance to coding standards. The best organisations take this a long way into promoting the use of good practices in areas such as making code readable and declaring classes. Some tools automatically correct non-conformances.

The Limitations of Testing

Testing should be risk-based. It can assure within the scope of considered risks. It can say nothing of un-imagined “black swan” combinations of behaviour and data modes.

The aim of testing is to establish “does the system behave as intended?” A frequent source of contention is that what applies to the design of test is the designer’s wish. This may differ from that of the user and of the commissioning customer, especially where the expression is inarticulate. Most software testing is silent on the quality of the specification and of associated design until user testing.[4] The modern use of iterative design brings this process forward to avoid unwelcome surprises later.

Managers may consciously or ignorantly limit the scope of test. Often, they do this to accelerate launch. Sometimes the bet pays off. Sometimes not.[5]

Test Systems, Data, Environments

Setting up systems that replicate the production environment, or a part of it, can be expensive in labour, hosting, and maintenance charges. This is less of an issue in these days of virtualised and containerised systems than it was when everything was physical. But it still has costs.

For a test to operate, it must have access to:

The system – at the appropriate release level for every component required (or stubs).

An environment – loaded with the system to be evaluated, all pre-requisites and data.

Test data – Getting hold of enough of the right data can be a real problem. The contract often defines this as a customer obligation, one that can be difficult, causing delay. Then the customer’s security staff object to putting sensitive live customer data into an unsecured environment.

Modern software engineering promotes “test driven development” (TDD). Under this approach a developer first writes the test cases, then develops the code to satisfy them. This puts testing at the heart of the development process. Automated testing assists greatly.

So What? For Transactional Lawyers

Transactional lawyers are rightly reluctant to impose schedules defining detailed operational methods on the supplier. The tendering and selection process should have asked the customer to describe what they will do and the ways in which they will assure quality. An informed advisor with operational experience of testing should review the submission and raise the right awkward clarification questions during negotiations. Then upload the combined method statement, questions, and responses to become a schedule of the agreement. I hope to assist the drafting lawyer by providing introductory context and understanding to detect distracting waffle and to focus on what matters to the client.

The diligence of risk assessment heavily influences the level of assurance provided by test, making risk an area to prioritise. It is also worth considering how to report the progress and outcome of test. A key measure is test coverage, being the proportion of planned cases that are assessed.

So What? For Contentious Lawyers

Should the quality of testing or the treatment of defects become the subject of dispute, the contentious lawyer will be working alongside an expert whom they need to instruct. There may be issues of breach and of tortious negligence, alongside consideration of associated loss. I hope that this article provides a guide to areas of test and their relation to the case that supports the lawyer in their management of the matter.

Once test detects a defect, those investigating the case will be interested in whether the rate of fix is consistent with the planned schedule. They also look at whether defects accumulated in an uncontrolled manner or were simply and effectively despatched. Your expert should roll up their sleeves and mine the defect data for patterns that indicate systematic trends, so bringing clarity on the issues to the court.

If experts differ, it is likely that the supplier’s expert will seek to give the impression that, overall, quality was good despite obstacles erected by the customer. The supplier was heroic. The customer’s expert may bemoan the manifold and serious failings encountered across delivery and the accumulated defects that took months to resolve.

Conclusions

A good and diligent programme of testing gives useful assurance that software is likely to be dependable. It complements good design, resourcing, and delivery methods. Where testing is appropriate in coverage and diligence, strong assurance follows and decisions are sound. Where testing is unreliable, so are its results.

Good delivery organisations embrace thorough testing and weave it into their development plans. The poor postpone the day of reckoning. Is your head high, scanning for threats, or buried in the sand?

William Hooper acts as an expert witness in IT and Outsourcing disputes and a consultant in service delivery. He is a member of the Society of Computers and Law and a director of Oareborough Consulting. He may be reached on +44 7909 958274 or William@Oareborough.com


[1] https://www.bbc.co.uk/news/business-50471919

[2] Software Engineering at Google, Titus Winters, Tom Manshreck, Hyrum Wright, 2020, O’Reilly Pages 301-303

[3] Know your customers’ “Jobs to be done”, Clayton M. Christensen, Taddy Hall, Karen Dillon, David S. Duncan, Harvard Business Review, September 2016 https://hbr.org/2016/09/know-your-customers-jobs-to-be-done

[4] https://oareborough.com/Insights/assessing-design-quality/

[5] https://www.fca.org.uk/news/press-releases/tsb-fined-48m-operational-resilience-failings and https://www.forbes.com/sites/kateoflahertyuk/2024/08/07/crowdstrike-reveals-what-happened-why-and-whats-changed

Ofcom fines provider of OnlyFans £1.05 million
https://www.scl.org/ofcom-fines-provider-of-onlyfans-1-05-million/
Mon, 31 Mar 2025 08:46:39 +0000

Ofcom has fined the provider of OnlyFans, Fenix International Limited, £1.05 million for failing to accurately respond to formal requests for information about its age assurance measures on the platform.

In June 2022 and June 2023, Ofcom sought information from Fenix on the age assurance measures it had in place on OnlyFans. This included asking how the platform was implementing age checks and, specifically, about the effectiveness of OnlyFans’ third-party facial estimation technology. This was part of an information gathering exercise by Ofcom, using its powers under the video sharing platform regulations that pre-date the Online Safety Act, to monitor how video-sharing platforms were keeping children safe online. The information was published in a report on Ofcom’s first year of regulating VSPs in October 2022.

As part of its submission, Fenix stated that it had directed its third-party provider to set a “challenge age” for its facial age estimation technology at 23 years old. The technology works by requiring a prospective user to upload a live selfie, which it then uses to estimate their age. If the tool estimates the prospective user’s age as being above the challenge age, they can continue to create an account on the OnlyFans platform. Any user not estimated to be above the challenge age is required to verify that they are over 18 via a secondary method.

On 4 January 2024, Fenix learned from its technology provider that the challenge age for OnlyFans was in fact set at 20 years old, not 23 years old. Fenix later confirmed it had been set to 20 since 1 November 2021. After discovering this, Fenix raised the challenge age to 23 on 16 January 2025, but changed it back to 21 years old on 19 January 2025. Fenix did not inform Ofcom about the error until 22 January 2024.

Given this disclosure and following engagement with the company to clarify the impact of the potential breach, Ofcom launched an investigation on 1 May 2024 to review whether Fenix had failed to comply with its duties to provide complete and accurate information to it.  It concluded that Fenix contravened its duties to provide accurate and complete information to Ofcom in response to two statutory information requests.

Ofcom expects that robust checks are in place to ensure information is properly interrogated, crosschecked, and reviewed through appropriate channels, before it is submitted in response to a formal information request.

Its investigation raised several concerns, including that it took the company over 16 months to discover that it had provided Ofcom with inaccurate information. Ofcom said that robust fact checking processes would have meant that the incorrect submission would have come to light sooner.

Due to these failings, Ofcom has imposed a financial penalty on Fenix of £1.05 million, which will be passed on to HM Treasury. This includes a 30% reduction from the penalty it would otherwise have imposed, due to resource savings achieved through Fenix accepting Ofcom’s findings and settling the case.

Ofcom considers that the penalty is appropriate and proportionate to the contravention because Fenix is a large, well-resourced company, which is aware of its regulatory obligations. Ofcom says that with this in mind, Fenix should have taken steps to ensure the data supplied was properly reviewed and verified through appropriate governance channels before being submitted to Ofcom. The data inaccuracy undermined Ofcom’s ability to carry out its regulatory function, as it led to Ofcom publishing inaccurate data. It also caused Ofcom additional work to issue a note of correction for the error. After Fenix identified the error, it took more than two weeks to report the issue to Ofcom. While Ofcom acknowledges that Fenix ultimately self-reported the issue to it, it expects companies to inform it about any possible contraventions as soon as possible.  This did not happen in this case.

The case offers a glimpse of how Ofcom might treat similar cases under the Online Safety Act 2023.

CMA issues final Annual Plan
https://www.scl.org/cma-issues-final-annual-plan/
Fri, 28 Mar 2025 13:30:00 +0000

The Competition and Markets Authority has published its Annual Plan 2025 to 2026. It sets out the CMA’s commitment to use its competition and consumer protection powers to drive positive outcomes for UK consumers and businesses across the economy. It also describes how the CMA will reflect the new draft strategic steer from the UK government in its activities over the coming year. The draft steer reinforces the importance of a strong, independent competition and consumer protection regime, in the context of the government’s growth mission.

Focus areas

The CMA plans to target its markets work toward unlocking investment in critical infrastructure and identifying opportunities for key horizontal enablers (like access to data or technology adoption) which could have a multiplier effect on growth. It will also give particular focus to priority sectors in the Industrial Strategy including advanced manufacturing, clean energy, creative industries, defence, digital and technologies, financial services, life sciences, and professional and business services.

The CMA plans to use its anti-bid rigging expertise and AI capabilities to help the government identify and tackle bid rigging in public procurement.

The plan also describes the CMA’s approach to its new powers under the Digital Markets, Competition and Consumers Act. This includes the CMA’s planned early activity in both the new digital markets and new consumer protection regimes. The CMA particularly emphasises the value of effective consumer protection to both business and consumer confidence, signalling that it will use its enforcement powers proportionately to put money back into people’s pockets and protect the level-playing field for fair-dealing businesses.

Improving how the CMA works

The plan restates the CMA’s commitment to its ongoing programme of rapid, meaningful changes based around four key principles: pace, predictability, proportionality and process (business engagement). Following feedback, the CMA committed to implementing the ‘4Ps’ last year, starting with merger control.

The CMA also emphasises the importance of continued, constructive engagement with a diverse range of stakeholders, particularly through the CMA Growth and Investment Council and through deeper relationships with startups and investors.

This Week’s Techlaw News Round-Up
https://www.scl.org/this-weeks-techlaw-news-round-up-47/
Fri, 28 Mar 2025 09:44:49 +0000

UK law
Digital Markets, Competition and Consumers Act 2024 (Consequential Amendments) Regulations 2025 made

The Digital Markets, Competition and Consumers Act 2024 (Consequential Amendments) Regulations 2025 SI 2025/381 have been made. They amend primary and secondary legislation following the implementation of Parts 3, 4, and Chapter 2 of Part 5 of the Digital Markets, Competition and Consumers Act 2024. They come into force on 6 April 2025. They replace references to the enforcement regime under Part 8 of the Enterprise Act 2002, which Part 3 of the Act supersedes, and replace references to the Consumer Protection from Unfair Trading Regulations 2008 (CPUTRs) and EU Directive 2005/29/EC concerning unfair business-to-consumer commercial practices (which the CPUTRs implemented), which Chapter 1 of Part 4 supersedes. They also update various pieces of legislation which restrict the disclosure of information. Under section 252(3)(a) of the Act, Part 4A of the CPUTRs continues to govern consumers’ rights of redress for unfair trading until regulations under section 233 (“section 233 regulations”) come into force. As it is not proposed to make section 233 regulations before Chapter 1 of Part 4 of the Act commences for other purposes, paragraph 32 of the Schedule amends Part 4A of the CPUTRs to allow it to function after that commencement. When the section 233 regulations come into force, paragraphs 2, 5 and 22 of the Schedule will replace references to Part 4A of the CPUTRs in other legislation.

Online Safety Act 2023 (Commencement No 5) Regulations 2025 made

The Online Safety Act 2023 (Commencement No 5) Regulations SI 2025/371 have been made.  They bring certain provisions of the Online Safety Act 2023 into force on 3 November 2025. They bring into force duties on providers of regulated user-to-user services to report Child Sexual Exploitation and Abuse (CSEA) content to the National Crime Agency (NCA) and other provisions, such as the offence relating to CSEA reporting and provisions relating to Ofcom’s enforcement powers and the information offences, as they relate to the CSEA reporting requirement.

Online Safety (CSEA Content Reporting by Regulated User-to-User Service Providers) Regulations 2025 made

The Online Safety (CSEA Content Reporting by Regulated User-to-User Service Providers) Regulations 2025 SI 2025/368 have been made.  They require providers who are obliged to report child sexual abuse and exploitation (CSEA) content to the National Crime Agency (NCA) to register with the NCA. If providers have entered into arrangements with another person to moderate the content on the provider’s services, that person is also required to register with the NCA. They come into force on 3 November 2025.

CMA responds to the UK government’s consultation on the resale of live events tickets

The CMA has responded to the UK government’s consultation about the resale of live events tickets. It sets out considerations to help government take forward its proposal for a resale price cap for live events tickets, and outlines a model for efficient, targeted enforcement that would help to ensure that any cap met the government’s objectives.

CMA seeks changes to the way Ticketmaster labels tickets and provides pricing information to fans

The CMA has issued a progress update on its investigation into Ticketmaster following widespread complaints about the sale of Oasis concert tickets last year. The CMA is concerned that Ticketmaster, which sold more than 900,000 tickets during the Oasis ticket sale, may have breached consumer protection law by labelling certain seated tickets as “platinum” and selling them for near 2.5 times the price of equivalent standard tickets, without sufficiently explaining that they did not offer additional benefits and were often located in the same area of the stadium. This risked giving consumers the misleading impression that platinum tickets were better. The CMA is also concerned that Ticketmaster did not inform consumers that there were two categories of standing tickets at different prices, with all of the cheaper standing tickets sold first before the more expensive standing tickets were released, resulting in many fans waiting in a lengthy queue without understanding what they would be paying and then having to decide whether to pay a higher price than they expected. Many fans thought that Ticketmaster used an algorithmic pricing model during the Oasis sale, with ticket prices adjusted in real time according to changing conditions like high demand. The CMA has not found evidence that this was the case. Instead, Ticketmaster released a number of standing tickets at a lower price and, once they had sold out, then released the remaining standing tickets at a much higher price. Although prices were not adjusted in real time using an algorithm, the CMA is concerned that consumers were not given clear and timely information about how the pricing of standing tickets would work, particularly where many customers had to wait in lengthy online queues to see what tickets were available. Ticketmaster has since made changes to some aspects of its ticket sales process, but the CMA does not currently consider these changes are sufficient to address its concerns.  
The CMA has provided Ticketmaster with details of the further steps required to address its concerns and is seeking changes to Ticketmaster’s processes – including to the information it provides to customers, when it provides that information, and how it labels some of its tickets. The CMA is now consulting on these changes with Ticketmaster.

Ofcom launches consultation on satellite-to-phone spectrum licensing framework

Ofcom is consulting on new spectrum licensing arrangements to enable direct satellite-to-phone services in the UK. The consultation sets out three potential authorisation approaches, with Ofcom’s preferred option being amendments to existing mobile operator licences. The proposals would make the UK the first European jurisdiction to establish a regulatory framework for commercial satellite-to-phone services. The consultation ends on 20 May 2025.  Subject to feedback, implementation is possible later in 2025.

CLA expands licences to support generative AI use in the workplace

The Copyright Licensing Agency (CLA) has announced the addition of new permissions to its commercial and public sector licences, enabling UK professionals to use copyright protected content to prompt generative AI (GAI) tools. These new permissions take effect from 1 May 2025.  They will allow the lawful copying of published content to prompt relevant GAI tools to generate outputs. As professionals increasingly use copyright-protected content in GAI tools at work, the new permissions from CLA will allow lawful use and peace of mind, while fairly remunerating rightsholders and creators for the reuse of their work.

CCAV issues guidance on Automated Vehicles Act implementation programme

The Centre for Connected and Autonomous Vehicles has published guidance about the implementation programme for the Automated Vehicles Act 2024. It covers the deployment of automated vehicles and the steps towards implementing the Automated Vehicles Act 2024.

ICO and CMA issue joint statement on AI foundation models

The ICO and CMA have issued a joint document which discusses the transformative potential of AI foundation models in driving innovation and growth across various sectors. It highlights the significant advancements in AI technology, particularly in the development of large-scale models that can perform a wide range of tasks with high accuracy and efficiency. The statement emphasises the importance of using these AI models to unlock new opportunities and improve productivity. It also addresses the need for regulatory frameworks to ensure the ethical and responsible use of AI technology. By adopting AI foundation models, organisations can stay competitive and drive economic growth while adhering to ethical standards and practices. The ICO and CMA welcome further engagement with stakeholders on their experiences of AI in general, and on the issues raised in the article in particular. They will continue to collaborate on a broad range of projects to identify the interactions between their regulatory remits and aim to ensure clarity for stakeholders. This includes working together on online advertising issues, as well as collaboration on Strategic Market Status investigations under the CMA’s new digital markets competition regime.

Software provider fined £3 million by ICO following 2022 ransomware attack

The ICO has fined Advanced Computer Software Group Ltd £3.07m for security failings that put the personal information of 79,404 people at risk.  Advanced provides IT and software services to organisations, including the NHS and other healthcare providers, and processes people’s personal information on their behalf. The fine relates to a ransomware incident in August 2022. Hackers accessed certain systems of Advanced’s health and care subsidiary via a customer account that did not have multi-factor authentication (MFA). The cyber-attack was widely reported at the time, with reports of disruption to critical services such as NHS 111, and other healthcare staff unable to access patient records. The investigation found that personal information belonging to 79,404 people was taken, including details of how to enter the homes of 890 people who were receiving care at home. The ICO’s investigation concluded that Advanced’s health and care subsidiary did not have the appropriate technical and organisational measures in place to keep its health and care systems fully secure before the 2022 incident, including gaps in the deployment of MFA, a lack of comprehensive vulnerability scanning and inadequate patch management.  Several factors led to a reduction in the fine, including Advanced’s proactive engagement with the National Cyber Security Centre, the National Crime Agency and the NHS in the wake of the attack and other steps taken to mitigate the risk to those affected.  The ICO and Advanced have now agreed a voluntary settlement. Advanced has acknowledged the ICO’s decision to impose a reduced fine and agreed to pay a final penalty of £3,076,320 without appealing. 

European Commission provides guidance under Digital Markets Act to facilitate development of innovative products on Apple’s platforms
https://www.scl.org/european-commission-provides-guidance-under-digital-markets-act-to-facilitate-development-of-innovative-products-on-apples-platforms/
Mon, 24 Mar 2025 09:19:50 +0000

The European Commission has adopted two decisions under the Digital Markets Act (DMA) specifying the measures that Apple has to take to comply with certain aspects of its interoperability obligation.

Interoperability enables a deeper and more seamless integration of third-party products with Apple’s ecosystem. It is therefore key to opening up new opportunities for third parties to develop innovative products and services on Apple’s gatekeeper platforms. The aim is that as a result, a wider choice of products will be available to consumers in Europe which are compatible with their Apple devices.

The Commission has set out the measures it says are needed for enabling interoperability with iOS for third-party connected devices and to streamline the process put in place by Apple to handle future requests for interoperability with iPhone and iPad devices.

Connected devices

The first set of measures concerns nine iOS connectivity features, predominantly used for connected devices such as smartwatches, headphones or TVs. The measures will grant device manufacturers and app developers improved access to iPhone features that interact with such devices (e.g. displaying notifications on smartwatches), faster data transfers (e.g. peer-to-peer Wi-Fi connections, and near-field communication) and easier device set-up (for example, pairing).

As a result, connected devices of all brands should work better on iPhones. Device manufacturers will have new opportunities to bring innovative products to the market, improving the user experience for consumers based in Europe. The Commission says this will respect users’ privacy and security as well as the integrity of Apple’s operating systems.

Effective process for interoperability requests

The second set of measures aims to improve the transparency and effectiveness of the process that Apple devised for developers interested in obtaining interoperability with iPhone and iPad features. It includes improved access to technical documentation on features not yet available to third parties, timely communication and updates, and a more predictable timeline for the review of interoperability requests.

Developers will benefit from a fast and fair handling of their interoperability requests. The measures will accelerate their ability to offer a wider choice to European consumers of innovative services and hardware that interoperate with iPhones and iPads.

Next steps

The specification decisions are legally binding. Apple is required to implement the specified measures in accordance with the conditions of the decisions. The specification decisions set out the timing for the implementation of the specified measures and the steps that Apple must take.

European Commission sends preliminary findings to Alphabet under the Digital Markets Act
https://www.scl.org/european-commission-sends-preliminary-findings-to-alphabet-under-the-digital-markets-act/
Fri, 21 Mar 2025 13:18:00 +0000

The European Commission has sent two sets of preliminary findings to Alphabet for failing to comply with the Digital Markets Act (DMA), regarding two services for which it has been designated as a gatekeeper.

Firstly, the Commission has informed Alphabet of its preliminary view that certain features and functionalities of Google Search treat Alphabet’s own services more favourably compared to rival ones, and therefore do not ensure the transparent, fair and non-discriminatory treatment of third-party services as required by the DMA.

In addition, the Commission is of the view that the app marketplace Google Play does not comply with the DMA, as app developers are prevented from freely steering consumers to other channels for better offers.

Preliminary findings regarding self-preferencing in Google search

Under the DMA, gatekeepers must not treat their own services more favourably in ranking than similar services of third parties. Such ranking must be done in a transparent, fair and non-discriminatory way. Alphabet has implemented a series of changes to Google Search.

However, following the Commission’s investigation and feedback from interested third parties during several workshops, the Commission takes the preliminary view that Alphabet self-preferences its own services over those of third parties, thereby failing to comply with the DMA. In particular, Alphabet treats its own services, such as shopping, hotel booking, transport, or financial and sports results, more favourably in Google Search results than similar services offered by third parties. More specifically, Alphabet gives its own services more prominent treatment compared to others by displaying them at the top of Google Search results or on dedicated spaces, with enhanced visual formats and filtering mechanisms.

Preliminary findings on Alphabet’s steering rules for Google Play

Under the DMA, app developers that distribute their apps via Google Play should be able, free of charge, to inform customers of alternative cheaper options, to steer them to those offers and to allow them to make purchases.

The Commission preliminarily finds that Alphabet fails to comply with that obligation. It is concerned that Alphabet technically prevents certain aspects of steering, for instance, by preventing app developers from steering customers to the offers and distribution channels of their choice. Whilst Alphabet can receive a fee for facilitating the initial acquisition of a new customer by an app developer via Google Play, the Commission says that the fees charged by Alphabet go beyond what is justified. For example, Alphabet charges developers a high fee over an unduly long period of time for every purchase of digital goods and services. 

Next steps

These preliminary findings do not prejudge the outcome of the investigation. Alphabet can now reply to the findings, but if the Commission’s preliminary views are ultimately confirmed, the Commission would adopt a non-compliance decision. The Commission continues its engagement with Alphabet to identify effective solutions that comply with Articles 6(5) or 5(4) of the DMA.
