UK Law and Practice Contributed by: Amélie Chollet, Hannah Curtis and David Dennis, CMS
are derived from EU law, specifically Directive 2002/58/EC, also known as the “e-privacy Directive”. It is important to note that the e-privacy Directive is currently under review in the EU and will be replaced by a Regulation. This new Regulation will not form part of UK law; however, it will be applicable in NI due to the unique legal framework that applies there, as previously mentioned.

Cybersecurity Requirements and Data Protection Compliance

Digital health products must comply with applicable cybersecurity and data protection requirements, including the Product Security and Telecommunications Infrastructure Act 2022 (GB), the Network and Information Systems (NIS) Regulations 2018 (UK-wide), and security obligations under the UK GDPR and the Data Protection Act 2018. In NI, businesses should also consider the potential application of EU legislation, such as the Network and Information Systems Directive 2, due to the Protocol, and should ensure compliance with any local or EU-derived requirements.

Consumer Protection Laws

Most UK consumer protection and product safety laws apply across both GB and NI. However, where these laws derive from EU legislation, NI may continue to follow EU amendments, while GB may diverge over time.

The Consumer Protection Act 1987 (CPA) (England/Wales/Scotland)/Consumer Protection Order (CPO) (NI)

Digital health software will generally constitute a “product” under the CPA/CPO 1987 where it is supplied as a distinct commercial offering. Courts have established that software can be subject to product liability principles, though the specific application depends on the nature of the software and how defects arise. It should be noted that the new EU Product Liability Directive 2024/2853 will not be implemented in GB but will be relevant for NI.

The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 and the Consumer Rights Directive (2011/83/EC)

The 2013 Regulations implement most of the Consumer Rights Directive, which applies when a person purchases an app relating to lifestyle or well-being.

The General Product Safety Regulations 2005/General Product Safety Regulation (EU)

Digital health products that are not medical devices are still subject to general product safety obligations requiring producers to place only safe products on the market. The applicable framework in GB is the General Product Safety Regulations 2005 (SI 2005/1803) and, in NI, the EU General Product Safety Regulation 2023/988.

The E-Commerce Regulations, Amended by the Electronic Commerce (Amendment etc.) (EU Exit) Regulations 2019

This is retained EU law for all four nations of the UK (England, Wales, Scotland and NI), which imposes the “country of origin” rule. This rule means that a UK-established e-commerce operator will no longer be able to benefit from the previous principle allowing an information society service provider to comply with the laws of the country in which it is based. Instead, it will have to comply with the specific requirements of each jurisdiction in which it is active. A UK-based provider will therefore need to:

• account for different contracting arrangements/requirements/information provision