This Week’s Techlaw round-up

September 12, 2025

UK law

Data (Use and Access) Act 2025 (Commencement No 3 and Transitional and Saving Provisions) Regulations 2025 made

The Data (Use and Access) Act 2025 (Commencement No 3 and Transitional and Saving Provisions) Regulations 2025 SI 2025/996 have been made. Regulation 2 brings into force sections 79, 88, 89 and 90 of the Data (Use and Access) Act 2025 (DUAA), which amend the Data Protection Act 2018. Sections 79 (legal professional privilege exemption) and 88 (national security exemption) come into force on the day after the day on which the Regulations are made. Sections 89 (joint processing by intelligence services and competent authorities) and 90 (joint processing: consequential amendments) come into force on 17th November 2025. Regulation 3 makes transitional and saving provision. The new legal professional privilege exemption does not apply where someone made a request to a data controller under the 2018 Act before section 79 of the DUAA came into force. Regulation 4 makes transitional and saving provision. The national security exemptions in Part 3 of the 2018 Act – before they were changed by the DUAA – still apply in certain cases. These include situations where a person made a request to a data controller before section 88 of the DUAA came into force. They also cover cases where the controller had a duty or obligation before section 88 came into force.

Data (Use and Access) Act 2025 (Commencement No 2) Regulations 2025 made

The Data (Use and Access) Act 2025 (Commencement No 2) Regulations 2025 SI 2025/982 have been made. They bring certain provisions of the Data (Use and Access) Act 2025 (DUAA) into force on 30 September 2025. Regulation 2 commences section 124 of the DUAA, which amends the Online Safety Act 2023 to include provision about the retention of information by providers of certain regulated services (for example, social media providers) or any other relevant person in connection with an investigation into the death of a child. ‘Regulated service’ is defined in section 4(4) of the Online Safety Act and these provisions apply only in relation to those regulated services that are within section 101(E1) of the Online Safety Act (as inserted by section 124 of the DUAA). ‘Relevant person’ is defined in section 101(7) of the Online Safety Act.

Ofcom consults on draft guidance for super-complaints under Online Safety Act 2023

Ofcom was appointed the online safety regulator under the Online Safety Act in October 2023. The Act allows expert organisations representing users or the public to raise a ‘super-complaint’ with Ofcom. Ofcom has a fixed period to consider each super-complaint and publish a response. Ofcom is required to publish guidance on super-complaints and is currently consulting on a draft version. It explains what super-complaints are; the role of super-complaints in Ofcom’s regulatory approach to online safety; which organisations are eligible to bring a super-complaint; how organisations can demonstrate their eligibility; the rules and procedures for making a super-complaint; and the steps Ofcom will typically take in relation to a super-complaint. The consultation ends on 3 November 2025.

Ofcom investigates 22 more porn sites under new age-check rules

Ofcom has opened formal investigations into whether the following providers have highly effective age checks in place to protect children from encountering pornography across 22 websites: Cyberitic, LLC, Web Prime Inc, Youngtek Solutions Ltd, ZD Media s.r.o and the provider of xgroovy. If it identifies any further sites run by these companies, it will add them to its investigations. Ofcom has prioritised these websites based on the risk of harm they pose and their user numbers, including where there have been significant increases in their user numbers since the 25 July deadline. Collectively, it says that these sites have over eight million unique monthly UK visitors. These new cases add to the 47 other sites and apps Ofcom is currently investigating. Ofcom is also expanding the scope of its existing investigations into 8579 LLC and Itai Tech. As well as investigating their compliance with the requirement to introduce age checks for pornographic content, it is now also investigating whether they have failed to respond adequately to statutory information requests from Ofcom. Where it identifies compliance failures, Ofcom can require platforms to take specific steps to come into compliance. It can also impose fines of up to £18m or 10% of qualifying worldwide revenue, whichever is greater. Where appropriate, in the most serious cases, it can seek a court order for ‘business disruption measures’, such as requiring payment providers or advertisers to withdraw their services from a platform or requiring ISPs to block access to a site in the UK.

UK government to issue regulations to strengthen online safety laws

The UK government has announced that it will be strengthening the Online Safety Act by imposing stricter legal requirements on tech companies to find and remove material that encourages or assists serious self-harm. While platforms are already required to take specific steps to protect children from harmful content, the government recognises that adults battling mental health challenges are equally at risk from exposure to material that could trigger a mental health crisis or worse. The new regulations mean that content encouraging or assisting serious self-harm will be treated as a priority offence for all users. The change will require platforms to use cutting-edge technology to actively seek out and eliminate this content before it can reach users and cause irreparable harm, rather than simply reacting after someone has already been exposed to it. The regulations will come into force 21 days after they are made, following approval by both Houses of Parliament. The government expects the relevant Statutory Instrument to be laid in the autumn.

UK government issues new regulations for cryptoasset firms

The UK government has announced draft regulations which will amend registration and change in control thresholds for cryptoasset firms to ensure alignment with thresholds in the Financial Services and Markets Act (FSMA) as part of the draft Money Laundering and Terrorist Financing (Amendment and Miscellaneous Provision) Regulations 2025. The policy aims to ensure consistency and more robust oversight, particularly in cases of complex ownership structures. Under the updated Money Laundering Regulations (MLRs), the Financial Conduct Authority (FCA) will assess whether a firm’s “controller”, as defined by the FSMA, is fit and proper, which replaces the previous focus on “beneficial owners”. The change will take effect once the FSMA cryptoasset authorisation regime is implemented, although beneficial owners will still be assessed for firms registered under the MLRs before the introduction of the new regime if cancellation is being considered. Firms authorised under the FSMA will no longer require separate MLR registration, reducing duplication. The change in control rules will expand the category of individuals required to notify the FCA: for pre-FSMA firms this includes beneficial owners and those with significant influence or shareholding, while post-FSMA firms follow the FSMA’s controller definition to ensure alignment with regulation.

ICO issues new encryption guidance

The ICO has issued new encryption guidance. It says that it has seen numerous incidents where personal information has been lost, stolen, or subject to unauthorised access. Many of these cases involved data being inadequately protected or the devices the data was stored on being left in inappropriate places, or both. It says that organisations may face regulatory action in line with its regulatory action policy, if they do not implement appropriate technical and organisational measures, such as encryption. The guidance deals with encryption in the context of the UK GDPR and how organisations can use it in different contexts. It includes several scenarios where organisations can use encryption to protect personal information, as well as the residual risks of doing so. It does not cover things like end-to-end encryption (E2EE), privacy-enhancing technologies (PETs), encryption and ransomware, or the potential impact of quantum computing.

EU law

European Commission launches consultation to develop guidelines and Code of Practice on transparent AI systems

The European Commission says that it wants to help deployers and providers of generative AI systems to detect and label AI-generated or manipulated content. This aims to make sure users are informed when they are interacting with an AI system. Consequently, the Commission has launched a consultation to develop guidelines and a code of practice on AI transparency obligations, based on the provisions of the EU’s AI Act. The AI Act obliges deployers and providers of generative AI to inform people when they are interacting with an AI system, as well as when they are exposed to emotion recognition or biometric categorisation systems, and to content generated or manipulated by an AI system. The consultation is accompanied by a call for expression of interest, open until 2 October, for stakeholders to participate in the creation of the Code of Practice. The transparency obligations in the AI Act will be applicable from 2 August 2026. The consultation on the guidelines also ends on 2 October 2025.

European Commission proposes to create area of free and safe data flows between the EU and Brazil

The European Commission has begun the process towards the adoption of a data protection adequacy decision with Brazil. The Commission has determined that Brazil ensures an adequate level of data protection – comparable to that of the EU. Once adopted, the decision would allow for free data flows for businesses, public authorities, and research projects between the EU and Brazil. The Brazilian authorities have also initiated a process to adopt an equivalent decision to allow for Brazilian data to flow freely to the EU. The draft decision will now be transmitted to the European Data Protection Board for its opinion. As part of the adoption procedure, the Commission will also seek approval from a committee composed of representatives of EU member states. In addition, the European Parliament has a right of scrutiny over adequacy decisions. When this procedure is complete, the Commission can proceed to adopting the final adequacy decision. Once in place, the functioning of the adequacy decision will be subject to periodic reviews carried out by the Commission, together with European data protection authorities.

European Commission consults on and calls for evidence on the evaluation and review of the Chips Act

The European Commission seeks feedback on the current functioning of the Chips Act and on possible future adaptations to ensure the Act is fit for purpose in light of changing market, technological and geopolitical realities. It aims to ensure that the legislation is effective, efficient, relevant, coherent, and brings clear EU added value. At the same time, the public consultation and call for evidence look forward: they ask stakeholders to share views on how the Chips Act could be adapted to support Europe’s semiconductor ecosystem in the years ahead, including through simplification where appropriate. In line with its Better Regulation approach, the Commission particularly welcomes scientific evidence and research contributions (including quantitative analysis and data if available) that can strengthen the evidence base for the evaluation and review. The consultation ends on 28 November 2025. The feedback received will support the Commission in preparing the evaluation report of the Chips Act and in identifying potential adjustments.

Advocate General says retirement home operator retransmitting TV and radio programmes to residents’ rooms did not make communication to public

It is now settled EU case-law that a communication to the public, under EU copyright law, is made by a user who intentionally gives access to protected works – which have been broadcast by radio or by television – to members of the public who, without that user’s intervention, would not have been able to access those broadcasts. The Court was called upon to answer the question as to whether the same logic can be applied to an establishment in which the recipients concerned are permanently resident. In Gesellschaft für musikalische Aufführungs- und mechanische Vervielfältigungsrechte (GEMA) v VHC 2 Seniorenresidenz und Pflegeheim GmbH (Case C-127/24), Advocate General Szpunar gave the opinion that the operator of a retirement home did not make a communication to the public under Article 3(1) of the Copyright Directive (2001/29/EC) when it simultaneously retransmitted via its cable network, unaltered and unabridged, to television and radio connections installed in the residents’ rooms, broadcast programmes received by a satellite reception system.

General Court upholds Zalando’s VLOP designation under Digital Services Act and clarifies user calculation

In Zalando v Commission (Case T-348/23), the EU’s General Court confirmed the European Commission’s designation of Zalando as a very large online platform (VLOP) under the Digital Services Act. In the ruling, it provided guidance about how to count users when a platform sells its own products as well as third party products. The Court also said that the DSA expressly confirms that a platform can adapt information that its sellers provide. It also said that a platform could come within the scope of the DSA if it just lists a third-party product. The definition of active recipients in the DSA includes users exposed to third party information. Zalando argued that the definition of average monthly active recipients in the DSA is not clear and so breaches the principle of legal certainty. Zalando also referred to the different approaches taken by intermediaries in practice. The Court accepted that there was some inherent uncertainty in the definition due to the variety of in-scope intermediary services but stated that certain practices are clearly not allowed and it was possible to carry out an assessment. Zalando has reportedly confirmed that it intends to appeal to the Court of Justice.