Essential update for Australian digital businesses trading in the UK and Europe

Posted By on 22/01/25 at 12:58 PM

Australian businesses providing B2C or B2B digital services in the United Kingdom (UK) or the European Union (EU) should consider their new as well as upcoming obligations and risk relating to data privacy, design of digital products, data access, online harms and cyber security.

Significant 2024/2025 legal developments include:

  • An obligation to train your staff under the EU’s Artificial Intelligence Act (AIA), effective in February 2025.
  • An obligation to appoint a representative and to impose and enforce content guidelines under the EU’s Digital Services Act (DSA). The UK’s Online Safety Act 2023 (OSA) goes one step further by imposing content moderation obligations.
  • An obligation of Australian B2B technology providers to directly comply with the UK General Data Protection Regulation (UK GDPR), following the UK’s Clearview decision[1] last year.
  • Increased regulatory risk for technology providers in the UK, following last year’s draft decision[2] by the Information Commissioner’s Office (ICO), holding the provider responsible where a customer failed to activate optional security features.
  • Increased risk of claims for compensation under the General Data Protection Regulation (GDPR) for non-compliant international data transfers, following the recent Bindl v European Commission decision by the Court of Justice of the European Union (CJEU).[3]
  • Data sharing obligations if you provide services to public sector bodies, which under the EU’s Data Governance Act (DGA) must share data with private sector requestors.
  • New product design and data access obligations, data use restrictions and implied contractual terms under the EU’s Data Act (DA) if you provide connected products or related services in the EU.
  • New cyber security obligations in the UK and EU aimed at connected devices and critical infrastructure providers and their supply chains.

AI Act

Australian businesses that develop, use, import or distribute an AI system in the EU will likely be caught by the AIA’s obligations effective on 2 February 2025.

These include:

  • a ban on AI systems which pose unacceptable risk, including manipulative, social scoring, biometric categorisation and other AI systems; and
  • an obligation to ensure “a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf”.

Australian organisations should assess their AI usage, existing skills and supply chain vulnerabilities, and implement a training and audit programme to equip their workforce with risk-evaluation and decision-making skills.

Digital Services Act

Services provided by Australian businesses to a client, customer or user in the EU may be caught by the EU’s Digital Services Act (DSA) if there is a substantial connection to the EU. Such a connection may exist if a significant number of EU customers are served or if EU member states are targeted.

Effective since 17 February 2024, the DSA applies to all “intermediary services”. Despite the deceptively narrow label, this definition is very broad and will include most B2C and B2B digital services, including ‘mere conduit’, ‘caching’ and ‘hosting’ services. The ‘hosting’ category captures any physical, network or application layer hosting service, including any cloud computing, web hosting or peer-to-peer service.

Australian providers which are in scope must:

  • Designate a single point of contact for users and authorities in the EU.
  • Appoint a legal representative and notify the Digital Services Coordinator authority.
  • Regulate content in the service through terms and conditions and a takedown procedure, and enforce the terms in a diligent, objective and proportionate manner.
  • Implement technical capability to block or remove content.
  • Publish an annual transparency report on content moderation and enforcement.

Further obligations apply to online ‘platforms’, ‘very large online platforms’ (VLOPs) and ‘very large online search engines’ (VLOSEs). The European Board for Digital Services is expected to release guidance and codes of conduct. Simultaneously, the Digital Markets Act (DMA) applies to very large platforms, so-called “gatekeepers”, and helps establish a level playing field in the digital space.

Online Safety Act 2023

Australian businesses that provide “user-to-user services” will be caught by the OSA if they have a significant number of UK users, target the UK market, or if the service’s availability poses a material risk of significant harm to users.

On 16 December 2024, the UK’s Office of Communications (Ofcom) published its Code of Practice for user-to-user services.[4] Australian businesses have duties in relation to illegal content, reporting and complaints. These include, among others:

  • Appointing an accountable individual.
  • Implementing a content moderation function, including the ability to review, assess and remove content.
  • Implementing systems and processes for the receipt and handling of user complaints.

UK GDPR could directly apply to Australian B2B technology providers

Even services that do not directly offer goods or services to UK consumers or monitor their behaviour, and therefore do not trigger the UK GDPR’s extraterritoriality provisions, could be subject to the UK GDPR if the B2B services provided by Australian data processors ‘relate to’ such activities.

In Clearview’s successful appeal against the ICO fine,[5] the tribunal emphasised that for the processor’s activities to ‘relate’ to the controller’s activities, there must be a “very close relationship” between the two parties’ activities.[6] With the increasing number of add-on services, AI-powered tools and API integrations with third party services such as payment facilities, it is more likely that such a ‘close connection’ could be established.

Australian organisations should assess the risk that they have statutory obligations under the UK GDPR and update their terms and conditions if necessary.

Increased regulatory risk for data processors

If there is a data breach, even one caused in the supply chain, the regulator typically pursues the data controller. However, the ICO’s provisional fine of £6M[7] last year represents a shift in this position: a data processor within the supply chain was held accountable.

During a ransomware incident in August 2022, hackers accessed numerous health and care systems via a customer account that did not have multi-factor authentication (MFA). Although the processor offered MFA to customers as an optional feature, the ICO suggested that, because MFA was not enabled, the data processor had failed to comply with its data security obligations. Various regulators in the EU have previously fined data processors for information security failures.

This increases the risk for Australian providers, and it should be reflected in the liability caps in their terms and conditions.

Damages for data transfers

Most Australian businesses will host data of their UK/EU clients. If the servers are located outside the client’s country, the client and the service provider may be engaging in an international data transfer. If the GDPR rules on international data transfers are not followed, affected individuals could claim damages.

In Bindl v European Commission, the CJEU held that putting the user “in a position of some uncertainty” about whether their data may have been processed was actionable. The court awarded $400 in damages.[8]

Data Governance Act

Effective from 24 September 2023, the DGA establishes a harmonised framework for public authorities to share their personal and non-personal data (including confidential or otherwise protected data, which can be shared if anonymised or otherwise secured) for commercial or non-commercial purposes. A ‘single information point’ will help data users find relevant information which they might want to request. Data users can make a request for the re-use of data, which the authority must decide on within 2 months.

The DGA also establishes a framework for data intermediation services (e.g. data marketplaces, data pools and data cooperatives), which are commercial services for data sharing between individuals and data holders on the one hand and data users on the other. Data intermediation services providers must comply with Chapter III from 24 September 2025, including an obligation to appoint a legal representative if established abroad, to be neutral and transparent, and to notify the relevant authorities of the type of intermediation services provided. In addition, not-for-profit data altruism organisations can license data donated by individuals and organisations for general interest use.

Overseen by the European Data Innovation Board, the DGA is intended to offer an alternative to the dominance of US Big Tech in data ownership and unlock data value for innovation.

Data Act

Effective from 12 September 2025, the DA is intended to increase fairness in the allocation of data value. It imposes obligations on operators of connected products and related services, including Australian operators in this space.

Providers will have to make data available free of charge to their consumer or business users or a third party designated by the user. The DA expands the user’s right to portability to not only actively provided data but also passively observed data.

Services must be designed for easy access to data by the user. This will apply to all personal data, non-personal data and underlying raw data, for example: user commands, transactions, movement in an app, access logs, security scans, metadata, search queries, results returned, time stamps, login and password reset logs, SQL logs, time spent on a page, virtual assistant data collected when on, on standby and off, and diagnostic data. Derived data and analytics outputs are excluded.

The DA imposes significant restrictions on data holders, who must not use data to derive insights about the economic situation, assets and production methods of the user or to undermine the user’s commercial position on the markets.

Further, the DA regulates cloud, edge and other service providers by prohibiting lock-in contracts and unilateral degradation of service during the contract term, and by enabling the seamless porting of data to a new provider.

Cyber security obligations

Australian businesses manufacturing, importing or distributing connected devices in the UK must comply with the UK’s Product Security and Telecommunications Infrastructure Act 2022 (PSTIA).[9] The requirements in force since April 2024 include rules about passwords, channels for notifying the manufacturer of security issues, software update periods, statements of compliance, etc. The requirements do not apply to excluded products such as smart meters.

Further, the EU’s Cyber Resilience Act (CRA), passed in October 2024 and effective on 11 December 2027, prescribes certain cybersecurity obligations in relation to products with digital elements made available in the EU. These cover security measures, design, vulnerability handling and market surveillance. Manufacturers’ vulnerability reporting duties start from 11 September 2026, and the provisions about conformity assessment bodies apply from 11 June 2026.

The EU’s second Network and Information Security Directive (NIS 2)[10] became effective on 18 October 2024. Many member states missed its transposition deadline, but NIS 2 imposes significant new requirements on critical services and infrastructure providers. Australian businesses providing services to such providers may be subject to new requirements relating to supply chain (including third and fourth party) risk assessments.

KHQ is here to help!

KHQ can help you address these new requirements by advising on their applicability, helping to source a representative, providing compliance advice, advising on product features and risk mitigation, helping implement processes, preparing client-facing documentation, suggesting appropriate contractual changes, and providing presentations, workshops and training.

[1] Clearview AI Inc v ICO [2023] UKFTT 819 (GRC).

[2] ICO, Provisional decision to impose £6m fine on software provider following 2022 ransomware attack that disrupted NHS and social care services.

[3] Case T‑354/22, Bindl v European Commission.

[4] Ofcom, Draft Illegal Content Codes of Practice for user-to-user services, 16 December 2024.

[5] Clearview wins appeal against ICO fine in tribunal.

[6] In the Clearview case, the creation, maintenance and operation of Clearview’s database of faces was closely related to the monitoring of behaviour undertaken by Clearview’s law enforcement clients carrying on investigations.

[7] ICO’s proposed fine on Advanced Computer Software Group Ltd.

[8] Case T‑354/22, Bindl v European Commission.

[9] Product Security and Telecommunications Infrastructure Act 2022.

[10] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).

KHQ Lawyers - Alex Dittel

Alex Dittel, Principal Solicitor (practising English law)

Alex leads our Data Privacy, Cyber and Digital practice. He brings 15 years of experience in data protection, information security and technology commercial matters.