UK law
Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026 made
The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026 SI 2016/425 have been made. They require the Information Commissioner to prepare a code of practice on the processing of personal data under relevant data protection legislation in relation to developing and using artificial intelligence and automated decision-making. Relevant data protection legislation is defined in regulation 2 as the UK GDPR and the Data Protection Act 2018 (the 2018 Act), except Part 4 (intelligence services processing). Regulation 3 modifies the requirements under section 124B of the 2018 Act for the Commissioner to establish a panel of individuals to consider the code of practice by providing that the panel must not consider or report on any aspect of the code of practice relating to national security.
Electronic Commerce (Amendment and Consequential Provision) Regulations 2026 made
The Electronic Commerce (Amendment and Consequential Provision) Regulations 2026 SI 2026/407 have been made. They amend five pieces of UK secondary legislation and two pieces of Scottish secondary legislation in relation to electronic commerce. They have been made under the Retained EU Law (Revocation and Reform) Act 2023 (REUL(RR)A 2023) in connection to assimilated law and come into force on 7 May 2026. The Regulations repeal the Country-of-Origin Principle from the various regulations. The removal of this principle, which currently gives EU businesses limited preferential market access to the UK, but which is not reciprocated for UK businesses in the EEA aims to make sure that the statute book is unambiguous and does not include exemptions for EEA businesses which have no substantial effect. It also removes the statutory post-implementation review requirement in the Electronic Commerce (Miscellaneous Provisions) Regulations 2018/477.
Investigatory Powers (Communications Data) (Relevant Public Authorities) Regulations 2026 made
The Investigatory Powers (Communications Data) (Relevant Public Authorities) Regulations 2026 SI 2016/246 have been made. The Regulations amend Schedule 4 to the Investigatory Powers Act 2016. Schedule 4 sets out the public authorities, other than local authorities, who may exercise powers under Part 3 of the Act to obtain communications data as defined in section 261(5). It sets out the requirements for authorisations for obtaining communications data, including: the relevant statutory purposes, the types of communications data, the kinds of senior officer capable of providing an authorisation and the circumstances in which they can provide an authorisation. Regulation 2(2) removes the relevant ambulance services in England and Northern Ireland from Schedule 4 so that they no longer have powers to obtain communications data.
Ofcom seeks views on transparency reporting information under Online Safety Act 2023
Ofcom is inviting input on what information it should require certain tech firms to publish about their sites and apps. Under the OSA, “categorised services”, which Ofcom expects to include some of the most widely used social media and search platforms, will be required to publish annual transparency reports. Ofcom’s overall approach to transparency reporting was set out in its final guidance in 2025, and the nature of the information it can require is set out in the OSA. The information it will oblige companies to publish may vary from platform to platform, depending on the type of service it is, its number of users and how many are children, as well as other factors. Ofcom could, for example, ask a company to publish data about how prevalent illegal content is on a site or app, how many people have seen such content, or what its child safety features are. This aims to help people make informed decisions about what platforms they are comfortable for themselves and their children to use, and drive safety improvements on services. After Ofcom publishes the register of categorised services in summer, it will issue “transparency notices” to those platforms, which will set out the information they must publish in their transparency reports. It is currently developing these transparency notices and is seeking views on the type of information it should require services to publish until 30 April 2026.
Ofcom investigates Telegram and teen chat sites
Ofcom has launched an investigation into Telegram under the Online Safety Act, to examine whether it is complying with its duties to prevent child sexual abuse material being shared. In addition, Ofcom is investigating Teen Chat and Chat Avenue to examine whether they are meeting their duties to prevent children from the risk of being groomed by predators. As well as that, Ofcom has updated on file-sharing services that are now either using hash-matching technology to detect and swiftly remove child sexual abuse material (CSAM) or have taken steps to prevent people in the UK from accessing their sites.
UK government announces modernisation of payment services
The UK government has published information about how it plans to modernise payment services regulation and update it to support new innovations in money and payments. It aims to improve the regulation of payment services and electronic money by integrating it with the UK’s core regulatory approach for financial services. This will mean establishing a single, coherent framework for both traditional and tokenised payments, including both stablecoins and tokenised deposits. It also plans to regulate stablecoins for their use in payments, where these stablecoins have been issued under the forthcoming new regulated activity for stablecoin issuance in the UK. It will explore how the regulation of payments services should adapt to payments conducted by AI agents. It will also provide the Financial Conduct Authority (FCA) with new powers to regulate the future of Open Banking that will include underpinning the development of new Open Banking payments within commercial schemes. It also plans to introduce legislation to cut administrative burdens for companies wanting to provide stablecoin payments. It will also issue its response to its consultation to bring the Payments Systems Regulator (PSR) into the FCA. The government will soon consult on how to reform the regulation of payment services and electronic money, with the aims of ensuring the framework is ready to support tokenised payments such as stablecoins, unlock the full potential of Open Banking, and explore how to enable the safe adoption of AI agents to conduct payments on behalf of consumers and businesses.
IPO publishes revised guidance on graphic symbols and GUI design registration
The Intellectual Property Office (IPO) has published Designs Practice Note (DPN) 01/26 which revises and clarifies IPO practice around graphic symbols/icons and graphical user interfaces (GUIs), including where these types of designs incorporate animation or movement. The IPO considers that graphical user interfaces fall within the definition of a design. The overall impression must be ascertained clearly, easily and unambiguously and that the overall impression must be for a single, unitary design.
EU law
Temu faces EU scrutiny for systemic sale of unsafe and illegal goods
The European Parliament’s Internal Market and Consumer Protection (IMCO) Committee is increasing scrutiny of major online marketplaces over the sale of unsafe or illegal products in the EU. As part of this work, it questioned representatives from Temu on 16 April 2026. The meeting followed earlier exchanges with other platforms and reflects growing concern about product safety, consumer protection, and the enforcement of EU rules online. Both SHEIN and AliExpress appeared separately before IMCO over the past months.
CJEU considers private copying exception in Directive 2001/29/EC
The CJEU has ruled inStichting Onderhandelingen Thuiskopie vergoeding and Stichting de Thuiskopie v HP Nederland BV and Others that offline streaming copies of protected works do not fall within the private copying exception in Article 5(2)(b) of the Copyright Directive 2001/29/EC. In a dispute over a private copying levy claimed from HP and Dell in relation to offline copies provided as part of an on‑demand streaming service, the Court held that such copies, created by the service provider on the user’s device at the user’s request, but remaining under the copyright holder’s control and inaccessible outside the service, constitute an act of communication to the public under Article 3(1), rather than reproduction under Article 2. The Court further found that, even if characterised as reproductions, the private copying exception would not apply because the copy is not made by the user, the user lacks control due to technological restrictions, and the copyright holder retains control and grants authorisation, such that no harm arises requiring fair compensation.
EDPB publishes opinions on Europrivacy certification criteria under the GDPR
The European Data Protection Board (EDPB) has published opinions 14/2026 and 15/2026 approving Europrivacy certification criteria under the GDPR. Opinion 14/2026 approves version 82 of the Europrivacy certification criteria as a European Data Protection Seal under Article 42(5) GDPR, enabling controllers and processors to demonstrate compliance with GDPR requirements. Opinion 15/2026 approves an additional set of certification criteria intended to be used as a tool for transfers under Articles 42 and 46 GDPR. This aims to help data importers to demonstrate the existence of appropriate safeguards for transfers of personal data to third countries or international organisations, subject to binding and enforceable commitments.
EDPB consults on Guidelines 1/2026 on processing of personal data for scientific research
The EDPB is also consulting on guidance about processing personal data for scientific research purposes, covering health, controller and processor roles, legal basis, consent and data subject rights. The guidance aims to clarify how the GDPR applies to scientific research, including the concept of scientific research, presumption of compatibility, storage limitation, applicable legal bases, processing of special categories of personal data, transparency obligations, data subject rights, attribution of responsibility and appropriate safeguards. The consultation ends on 25 June 2026.
ENISA publishes updated version of its national capabilities assessment framework
The EU Agency for Cybersecurity (ENISA) has published a report with an updated version of ENISA’s national capabilities assessment framework (NCAF). The NCAF aims to help Member States undertake a self-assessment of their level of maturity by assessing their National Cybersecurity Strategies objectives. This aims to help them enhance and build cybersecurity capabilities at both the strategic and the operational levels, thereby strengthening collective cybersecurity in the EU.
