UK digital regulation - what impact could trade negotiations with the US have?
As UK-US trade negotiations are likely to focus in on technology, how might regulation get thrown into the mix and what options could be on the table?
(Usual disclaimer: this blog represents my personal viewpoint and not any of the organisations I work with)
In this blog I set up some of the key questions and challenges for UK digital regulation if UK-US digital trade negotiations commence, particularly for online safety.
Following the meeting between Keir Starmer and Donald Trump on February 27, momentum is building towards a new UK-US trade deal. Interestingly, the language used by the two leaders at the press conference differed: Trump referred to a new trade deal, whereas Starmer referred to a “new economic deal with advanced technology at its core”.
Are there any examples of previous US agreements that may give an indication of what their approach may be?
Under the Trump Administration the US signed the U.S.-Japan Digital Trade Agreement (DTA), though it is difficult to know how much the new Administration will regard this as a useful precedent.
It is worth noting that trade agreements do not typically have direct binding effect, in the sense of automatically becoming law within a country’s domestic legal system. Their enforcement depends on how each country incorporates them into its national laws.
Governments will often seek to protect existing laws through exceptions or carve outs. It may be that the biggest risks for UK digital regulation are towards prospective policy changes rather than impacts on existing laws. But given the negotiating style and tactics of the Trump Administration we cannot rule out what demands could be made in negotiations.
Transparency from the UK Government, at relevant stages of the process, will be vital in allowing evidence from civil society, business and academics to inform the UK position and assessment of the impacts of any deal.
Free speech and digital trade deals with the US
Comments from Vice President JD Vance indicate that the US have free speech in their sights as a key issue in any trade/economic deal, citing their concern (with no objective evidence) that UK regulation could impact US technology companies, free speech, and in turn US citizens. Keir Starmer did push back against this and highlighted the importance of free speech to the UK.
On 21 February President Trump issued a Memorandum “Defending American Companies and Innovators From Overseas Extortion and Unfair Fines and Penalties” which contains the following statement: “the Secretary of the Treasury, the Secretary of Commerce, and the United States Trade Representative shall investigate whether any act, policy, or practice of any country in the European Union or the United Kingdom has the effect of requiring or incentivizing the use or development of United States companies’ products or services in ways that undermine freedom of speech and political engagement or otherwise moderate content, and recommend appropriate actions to counter such practices under applicable authorities.”
(The Memorandum also targets the use of Digital Services Taxes, a measure the UK introduced in 2020).
Turning to the example of the US-Japan DTA (and the US-Mexico-Canada Trade Agreement) we can see that the US has already made moves to place free speech provisions into these agreements. For example, the US-Japan DTA has a provision under Article 18 entitled “Interactive Computer Services” (ICS) which includes a provision focused on protecting online platforms from liability:
“neither Party shall adopt or maintain measures that treat a supplier or user of an interactive computer service as an information content provider in determining liability for harms related to information stored, processed, transmitted, distributed, or made available by the service, except to the extent the supplier or user has, in whole or in part, created or developed the information.” (taken from 18(2))
The provisions in Article 18 are drawn from Section 230 of the 1996 Communications Decency Act (CDA), which provides for intermediary liability. Although they predate social media, the companies in that sector see the s.230 provision as a key protection for their operating model, hence a desire to export the provision via trade agreements.
The A.18 provision does come with a footnoted exception for “measures necessary to protect public morals”. Such a provision could be important to the UK in positioning protection for our existing online safety legislation.
A blog by Han-Wei Liu (a Senior Lecturer at Monash University, Australia) highlights the difference in the additional exceptions that have been used. Japan has counteracted any potential effects of Article 18 using a side letter, while Mexico has conditioned its commitments with points such as the consistency with its constitutional law.
Use of ICS provisions has raised considerable debate about the potentially wide reaching impacts and Han-Wei Liu also reaches the following conclusions:
“…the ICS should not be globally normalized through its diffusion in trade deals. It is unclear to what extent the CDA 230 clause could emerge as a new global standard, nor is it desirable as a template for future trade agreements…”
Each country is entitled to achieve the fundamental right of free speech through its own economic, social, and political pathways towards an optimal balance—and rebalance—against other interests. The clause should be dropped from future trade negotiations while policymakers worldwide grapple with the challenges posed by online platforms and reconfigure their regulatory frameworks in the digital era. Ultimately, it is incompatible with many nations’ legal frameworks as it extends beyond trade into the balance between free speech and other competing social values.
UK Online Safety
In a more detailed paper “Exporting the First Amendment through trade: The global 'constitutional moment' for online platform liability” Han-Wei Liu also highlights the previous attempts to lobby for an ICS provision in a UK-US trade deal. In 2021 the BSA (the Software Alliance) supported the addition of an ICS clause in ongoing U.K.-U.S. trade negotiations, urging policymakers to “ensure that internet intermediaries are protected against liability for unlawful content posted or shared by third parties.”
The discussion about a new UK-US deal will take place while the UK Online Safety Act (OSA) is at a crucial stage of implementation, with major requirements for illegal content and children’s safety taking effect this year and Ofcom, the UK regulator for the OSA, in the process of finalising key codes of practice and guidance. The OSA could clearly clash with an ICS clause in a trade deal.
Canada is also subject to an ICS clause in the US-Mexico-Canada Trade Agreement (USMCA) and currently has an Online Safety Bill before Parliament. It seems unclear how the Canadian Government have squared the Bill with the USMCA, though some commentators seemed to think Canada need not feel that constrained in regulating social media content, also noting the exceptions to the clause. This article quoted a government source indicating that their approach could be compatible: “… it can require platforms to remove content within a certain time frame and impose financial penalties if they don’t, rather than imposing fines for the mere fact that the content was posted in the first place.” The UK OSA also focuses on responsibilities to assess and mitigate risks related to content rather than removal of individual pieces of content.
This all suggests a nuanced discussion will be needed and we don’t know whether UK negotiators will be able to engage the US in a balanced approach between free speech and wider risks and harms.
(**update 18/3** - Graham Smith, longstanding legal expert on the OSA, corresponded to flag that it should be possible to argue that the OSA imposes regulatory responsibilities rather than intermediary liability. See more here. This article also highlights some of the relevant differences between the USMCA and s.230 CDA)1. He also flagged para 167 of a Canadian Court case which considered Google’s reliance on the USMCA.2
Instead, Article 19.17 precludes liability as an “information content provider,” defined as “a person or entity that creates or develops, in whole or in part, information provided through the Internet or another interactive computer service.” That aptly describes a primary publisher. But if that language does not cover secondary publishers, then if it were to appear in a UK-US trade agreement it would seem not to preclude a hosting liability regime akin to the existing ECD Article 14.
Free speech issues are not top of mind in the debate about online safety in the UK right now. Ofcom are already under significant pressure to act effectively in regulating the major social media platforms (including from the Government following the role of social media in last year’s riots and very high levels of public concern about risks to children online). Significant concerns have been raised about Ofcom’s draft Codes of Practice (for example see here from the Online Safety Network and this debate in the UK House of Commons in February) and whether they will deliver the effective protections that the legislation seeks to deliver.
The UK Government will want to stress that considerable changes were made to the OSA to address free speech concerns during its passage through the UK Parliament. When Rishi Sunak became Prime Minister in 2022 the Bill was paused and reviewed during its passage and requirements related to ‘illegal but harmful’ content for adults were removed (but were retained for children). The Act also contains duties to protect content of democratic importance, news publisher and journalistic content for the largest platforms and a cross cutting duty for freedom of expression.
An important component of the OSA is regulating how recommender systems address illegal content and content that may be harmful to children. The question of whether recommender systems themselves are protected by s.230 of the CDA is a live issue before the courts at present (see here for more).
What risks could a UK-US trade or economic deal pose for the OSA? Perhaps the most likely risk is more nuanced. A trade deal might have an exception that recognises the OSA’s validity, but such a deal could create concerning pressure on the policy approach that is developed to update or further develop the UK’s regime in response to new evidence or risks to the public.
We are likely to learn a lot about how the OSA operates in practice in the next few years and it is quite possible that the OSA or the statutory Codes will need to develop further as evidence emerges about how platform safety features have changed in practice and whether harms and risks are substantively addressed. A trade deal could have a significant policy impact, for example on the area of disinformation, where some believe the Act needs to be strengthened, or on risks to children from Generative AI.
Lastly, recent YouGov polling from the Molly Rose Foundation found that “by a 9 to 1 margin, the public supports policies that prioritise children’s safety, even if this means tech firms invest significantly less in the UK”.
The Molly Rose Foundation also uses the UK Government’s own economic impact assessment on the OSA (from 2024) to highlight the evidence that “recent analysis from the Department for Science, Innovation and Technology showing that every time exposure to online harms is reduced by 1.3%, according to conservative estimates the UK stands to receive an annualised economic benefit of £345 million.”
Age Appropriate Design Code
We also have the Age Appropriate Design Code (AADC), a statutory data protection code developed by the Information Commissioner’s Office (ICO), that sets 15 standards focused on data protection by design and default settings for online platforms likely to be accessed by children. The AADC has been in effect since 2021 (disclosure - I led the work at the ICO to develop the Code between 2018 and 2020).
The UK AADC has inspired a number of US states (and Australia) to legislate for a similar approach. The California AADC Act has met with significant legal challenge from the technology industry and a current case involving a legal injunction against the CAADC is still ongoing (an appeal rejected the first instance court’s broad injunction, which means many aspects can come into force). There is a similar challenge to the Maryland Age Appropriate Design Code Act (filed in 2025). The appeal court judgment does illustrate that data protection codes on children’s privacy are not squarely against the First Amendment and it depends on how data provisions intersect with content and how companies’ digital services are constrained.
At the heart of the challenge against the CAADC are questions about compatibility with freedom of speech and the First Amendment. In light of the legal challenge, the former UK Information Commissioner Elizabeth Denham and I set out our approach as to how the AADC was compatible with freedom of speech in a UK context - see the article we published for IAPP in 2023. You can also read our amicus curiae brief to the California 9th Circuit Appeals Court.
Is the AADC itself at risk in these negotiations? I doubt its existence will come under direct challenge; it is too well established and it was laid before the UK Parliament by an independent regulator. The greater risk could lie with the impact of trade deal provisions on the process for updating the code. It seems quite likely that the AADC may need to be updated to cover Generative AI for example.
Research I conducted for the Centre of Digital Futures for Children at the London School of Economics last year set out the impact of the AADC (and also the early impact of the UK and EU Digital Services Act) in terms of changes to the design and practices of online platforms. For example, see the graph showing the peak of changes made in 2021 when the AADC took effect; these include changes such as social media accounts being private by default. Many of these changes have been implemented globally, design features that US children have also benefited from.
AI regulation
It appears that the UK government is already trying to create more headway for the trade talks - having a draft AI Bill published ahead of that process seems to be regarded as unhelpful. The Guardian reported this week that the Government is now seeking to delay their AI regulation plans, at least until after the summer. At the back end of 2024 there were many reports that an announcement was nearly ready.
The government’s plans on AI were already far more focused than the comprehensive EU AI Act, with the UK planning to create statutory requirements for safety testing of the most powerful AI models and putting the AI Safety Institute (AISI) on a statutory footing. At the moment the AISI is housed within the Department for Science, Innovation and Technology (DSIT) and has no operational independence.
It is already clear that the Trump administration is no fan of the AI Safety Institute model, and the US AISI, set up following President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence from 2023, is likely to be closed down.
In 2024 the Council of Europe adopted the first international treaty on artificial intelligence. As a member of the Council (an entirely separate international organisation from the EU) the UK decided to sign at its launch. The question is now whether the UK will ratify and trigger its commitment to implement, which would probably require legislation. The US also signed under the Biden administration given the strong intersection with Biden’s Executive Order on AI. Trump has now reversed the EO on AI and we can be certain they will not ratify.
The path towards any dedicated AI legislation in the UK therefore seems likely to be a very carefully picked route, with many stages of consultation with industry. The UK is already heavily invested in a world leading approach to AI safety testing and it seems difficult to imagine that a trade deal will prevent that ongoing investment, but we’ll need to see whether wording of a trade deal could constrain legislation.
Ultimately, the UK government needs to retain the ability to react to objective evidence about emerging AI risks, and whether existing regulation leaves a gap that needs to be addressed by dedicated AI legislation.
UK GDPR
The Vice President has already signalled his dislike of the EU GDPR in his Munich Speech back in February. What risks could a trade deal pose for the UK GDPR?
Although the UK has essentially the same law as the EU I think the position is more straightforward for the UK Government on this area - the Data Use and Access Bill (DUA) is currently progressing through Parliament and the UK can point to the ICO’s outcome based regulatory approach as distinct from the EU.
While the DUA Bill is making relatively nuanced changes to the UK GDPR the UK Government can point to AI focused reforms clarifying the concept of research and changes to the provisions on automated decision making.
International personal data transfers
There is real concern that the validity of the EU GDPR adequacy decision covering the EU-US Data Privacy Framework (DPF) could be placed under serious pressure. This is due to recent decisions made by the Trump Administration, such as removing Democrat members from the Privacy and Civil Liberties Oversight Board (PCLOB), leaving it inquorate. (The Board is a key oversight body in the DPF package.)
Although not official Trump Administration policy, the “Project 2025” report that has influenced many early actions makes clear the need for US pushback on the EU approach to international data flows:
“The United States has never seriously pushed back against the EU; now is the time. An incoming President should ask for an immediate study of the implementation of Executive Order 14086 and suspend any provisions that unduly burden intelligence collection. At the same time, in negotiations with the Europeans, the United States should make clear that the continued sharing of intelligence with EU member states depends on successful resolution of this issue within the first two years of a President’s term.” (Project 2025 report page 225)
Most importantly, Trump could revoke Biden’s Executive Order that underpins the oversight mechanisms and other safeguards related to the uses of personal data for national security and law enforcement purposes. A 45 day deadline was set for the review of the Biden era national security EOs, which runs out on 6 March.
This Euractiv article explains the issues in more detail and the European Commission’s reaction so far (the PCLOB issue is not seen as fatal to the decision so far).
In January 2025 Cameron Kerry (Distinguished Visiting Fellow in Governance Studies at the Brookings Institution) made the case as to why the Trump Administration should not mess with the EU-U.S. Data Privacy Framework. Kerry notes that the Administration agreed the EU-US Privacy Shield in 2017 as “The economic calculus was simple: The cost of the Privacy Shield was low for the U.S., and undoing it would have handed the EU a trade barrier against U.S. businesses seeking to compete in European markets and reduced U.S. exports.”
This could turn into a tricky issue for the UK Government as they have mirrored the EU approach and have also recognised the DPF under a UK GDPR adequacy decision.
Would the UK follow suit if the EU annuls the US adequacy decision?
The DUA Bill will change the UK GDPR test for assessing the adequacy of third countries and whether they can receive transfers of personal data with no additional safeguards. Under the current UK and EU GDPR the test is one of “essential equivalence”; the Bill will change this to “not materially lower”.
If the DUA Bill passes the UK can therefore apply this test. I’m not sure whether this would really make a difference if the main planks for the DPF have fallen away, but it may give the UK some space to take a more measured approach in terms of negotiating replacement safeguards (if this is even possible). There could also be the risk of a civil society challenge in the UK Courts if the UK takes an approach of accepting safeguards that the EU has not recognised or does not annul the decision. There could also be knock-on effects for the UK’s own EU adequacy decision if it decides not to annul to appease the US. The EU could then regard the UK regime as not essentially equivalent.
All this could play out in the context of trade negotiations where the US may propose a clause on the free flow of personal data.
The above scenario is based on a chain of events so it shouldn’t be regarded as the most likely scenario but I would hope UK Government contingency and planning is considering it.
To finish
There is some (hopefully measured) speculation in this blog but it will be important that the wider digital policy community starts to think through the possible scenarios and prepares evidence and argument for the UK Government, to inform the debate as to how to chart a path through the negotiations that leaves the UK the ability to set the levels of regulation needed to protect the UK public from digital risks, while enabling innovation.
(**The blog was updated on 12/3 to add further references to the Trump Memorandum, the Project 2025 report and the Molly Rose Foundation YouGov survey, and on 18/3 to reference some additional materials provided by Graham Smith**)
Graham Smith (2020). Intermediary Liability And Responsibilities Post-Brexit. Tech Policy Greenhouse. “Although the USMCA agreement uses language that tracks S.230, it does not fully replicate it. Notably, it does not use the magic word ‘publisher’ that appears in S.230 and which Zeran v America Online interpreted in 1997 as embracing both strict primary publisher liability and knowledge-based secondary publisher (a.k.a. distributor) liability”.
A.B. c. Google, 2023 QCCS 1167 (CanLII), <https://canlii.ca/t/jwp64>, retrieved on 2025-03-18: Paragraph 182: “Article 19.17.2 CUSMA does not require Canada to have an immunity provision that is identical to the expansiveness of the American provision, section 230(c)(1) CDA.”