UK law
UK government issues call for views on enterprise connected device security
The government is asking for views on the security of enterprise connected devices. It is a priority for the government to ensure all new and existing technologies are safely developed and deployed across the UK. Enterprise connected devices (or IoT devices) are devices used by businesses and organisations, such as office printers, internet-connected telephones, building entry systems and room booking systems. The government is concerned about the security of these products as vulnerable devices can provide a route for hostile parties to attack the IT systems used by businesses. As part of its work to address this issue and improve cyber resilience across the UK economy, the government is seeking views on what interventions would be appropriate. The call for views ends on 7 July 2025. The government will review the feedback provided and then publish a response with a summary of key themes.
Ofgem launches new guidance on AI in the energy sector
Ofgem has published its first guidance on using AI in the energy sector for licensees, other industry stakeholders and consumer groups. It is encouraging all energy companies to use the good practice guidance as they roll out AI-enabled systems. Ofgem says that AI technology is innovative and rapidly evolving. It is already in use in many parts of the energy sector. Its guidance aims to help to make sure that use of the technology is safe, secure, sustainable and fair. AI will support transformation and modernisation of the energy sector. For example, AI can enhance customers’ experience, in billing and customer service. When it comes to AI use, customers will remain protected under their existing consumer rights. The new guidance sets out good practice for companies to adopt, making sure customers are protected and not disadvantaged. Ofgem will keep reviewing the guidance and updating it as necessary as AI develops. It also plans to publish separate guidance for consumers later this year.
London council reprimanded by ICO for exposing personal details of 6,528 people for almost two years
The ICO has reprimanded the London Borough of Hammersmith and Fulham (the council) after it left the personal information of 6,528 people exposed for almost two years. The personal data breach occurred when the council responded to a freedom of information (FOI) request made via the WhatDoTheyKnow.com (WDTK) website in October 2021. The response, published on the council’s website and WDTK, contained ten workbooks which included personal information. The council’s response included an Excel spreadsheet which contained 35 hidden workbooks. Almost two years later, in November 2023, following a review of information on its site, WDTK informed the council that the response included personal information. The information was immediately removed from both sites. In total 6,528 people were affected, with 2,342 being children. The personal information relating to the children was classed as sensitive as it included details of looked after children, 96 of whom were unaccompanied asylum-seeking children. In reaching its final decision, the ICO took into account a number of mitigating factors, including that the published personal information was almost three years old and that there was no evidence that it had been inappropriately accessed or used. It also considered the remedial action the council took to contain the impact of the breach, notably updating guidance and procedures and ensuring staff undertook training.
EU law
European Commission proposes simplification measures under GDPR
The European Commission has made proposals to simplify the record-keeping obligation in the GDPR, taking into account the specific needs and challenges of small and medium-sized companies and organisations, while ensuring that the rights of individuals are protected. The proposal exempts small mid-cap enterprises (SMC) and organisations with fewer than 750 employees, in addition to SMEs. SMEs, SMCs and organisations with fewer than 750 employees will only be required to maintain records when the processing of personal data is “high risk” under the GDPR. By focusing record-keeping requirements on high-risk activities, the Commission says that organisations can devote their resources to areas where data protection is most critical, while maintaining high standards of data protection. In addition, the proposal aims to accelerate the digital transition, eliminating cumbersome paper-based requirements in product legislation. Current EU rules still require companies to provide paper-based declarations of conformity, instructions for use, and others. By digitising these requirements, companies can submit and distribute information more easily and national authorities can verify compliance more efficiently.
European Commission calls for evidence on digital business wallet
The EU has called for evidence about a digital business wallet. Building on the European digital identity framework, the EU Business Wallet aims to enable secure digital identification, data sharing and legally valid notifications across the EU. It will help economic operators manage regulatory requirements, cutting administrative burdens and compliance costs. By ensuring interoperability with national systems, it aims to support cross-border business, boost SME competitiveness, foster trust in digital interactions and advance the EU’s digital single market. The call for evidence ends on 12 June 2025.
European Commission seeks feedback on commitments offered by Microsoft
The European Commission invites comments on commitments offered by Microsoft to address competition concerns over tying its communication and collaboration product Teams to its popular productivity applications, such as Microsoft Word and Microsoft Outlook, included in its suites for businesses, Office 365 and Microsoft 365. Under the proposed commitments, Microsoft would (i) make available versions of these suites without Teams and at a reduced price; (ii) allow customers to switch to suites without Teams, including in the framework of existing contracts; (iii) offer Teams’ competitors increased interoperability with other Microsoft products; and (iv) allow customers to move their data out of Teams to facilitate the use of competing solutions. Interested parties are invited to submit their views on Microsoft’s proposed commitments. If feedback (known as a market test) indicates that the commitments are a satisfactory way of addressing the Commission’s competition concerns, the Commission may adopt a decision making them legally binding on Microsoft. Such a decision would not conclude that there is an infringement of EU antitrust rules but would legally bind Microsoft to respect the commitments it has offered. If Microsoft does not honour such commitments, the Commission could impose a fine of up to 10% of the company’s worldwide turnover, without having to prove an infringement of EU antitrust rules.
EUIPO issues study on generative AI and copyright
The EU Intellectual Property Office has issued a study on generative AI and copyright. It centres on three interconnected areas: the use of copyright-protected works as training data for GenAI models; the generation of new content by these systems and the legal questions this raises; and the wider implications for creators, AI developers, and the copyright ecosystem. Access to high-quality content is central to the development of GenAI services. The AI training process is complex and uses content as input at different stages. However, as GenAI models are “specialised” for certain functionalities they need access to high-quality and up-to-date content, which is reflected in the emergence of a direct licensing market, with some GenAI developers licensing access and use of high-quality content from copyright holders. The capacity for copyright holders to effectively reserve their rights is a pre-requisite for the licensing market to develop. No ‘one-size-fits-all’ solution for copyright holders to protect their rights has emerged yet. Instead, different approaches and solutions are developing for copyright holders to protect their rights, and for AI developers to respect their regulatory obligations. On the one side, there are rights reservation mechanisms for the input phase (related to training AI models), whereby rightsholders can express their opt-out from the ‘text and data mining’ (TDM) exception. On the other side, transparency measures exist for the output phase that allow the indication and recognition of AI-generated content. Public authorities, such as national IP authorities and the EUIPO, may play a role by providing technical support (for copyright holders to reserve their rights, and for AI developers to effectively respect such reservations) as well as non-technical support (eg public awareness, forums for technical information sharing, providing information to the public on available solutions, trends and developments).