UK law
Business and Trade Committee holds inquiry on AI, business and the future of the workforce
The House of Commons Business and Trade Select Committee is holding an inquiry into AI to better understand the opportunities and costs for businesses and the workforce, and to make recommendations on government priorities. It says that AI has advanced rapidly in recent years, supported by major improvements in computing power, data availability and the emergence of large language models. This has enabled AI to perform an expanding range of tasks. AI adoption has increased, but uptake remains uneven. As adoption accelerates, AI is expected to have significant impacts on UK business and the UK workforce, reshaping work. It will prove a growth industry in itself, enhance productivity, disrupt existing industries and business models, cost jobs, and create jobs. The Government’s AI Opportunities Action Plan includes a twentyfold expansion of public AI hardware by 2030 and seeks to leverage private investment through initiatives such as the US–UK Tech Prosperity Deal (with £30 billion committed by major technology firms). Evidence is sought until 3 April 2026.
ICO fines Police Scotland £66k and issues reprimand following serious data mishandling
The ICO has issued a £66,000 fine and a reprimand to Police Scotland for serious failures in the handling of sensitive personal information. The ICO’s investigation found that Police Scotland extracted the entire contents of a person’s mobile phone after they reported an alleged crime, without making sure that there were sufficient safeguards to prevent access to irrelevant personal information. As a result, officers collected a substantial volume of highly sensitive information, much of which had no bearing on the investigation. Police Scotland subsequently included the full unredacted content in a misconduct disclosure bundle and shared it with a third party who should not have received it. The ICO determined that appropriate review, redaction and security procedures were not in place, and that staff were neither adequately guided nor supported by effective organisational controls. It concluded that Police Scotland failed to implement appropriate organisational and technical measures to ensure data security; limit personal information sharing to what was strictly necessary; ensure staff handling sensitive information were following clear guidance and procedures; and report the personal data breach to the ICO within the legally required 72-hour timeframe.
Online Advertising Taskforce issues progress report for 2025
The Online Advertising Taskforce has published its progress report for 2025. In November 2025, the Taskforce membership agreed that transparency should be a key focus of the Taskforce, recognising a need to focus on fraudulent advertising using the online advertising ecosystem. The Terms of Reference were refreshed accordingly, and a new working group is being established – the Ad Fraud and Standards working group. This will focus specifically on fraudulent advertising and standards, and will support the government’s wider Fraud Strategy.
Ofcom issues statement on designation of radio selection services
The Media Act 2024 introduced rules which aim to secure the availability of online streams of broadcast radio services via voice-activated devices. It defines these services as radio selection services (RSS) and requires designated RSS (DRSS) to reliably provide the online stream of a UK broadcast radio service in response to a user’s voice command, amongst other requirements. Before deciding which services to designate, the Secretary of State must first receive a report from Ofcom setting out its recommendations. Ofcom has issued its report which recommends the following three RSS should be designated by the Secretary of State: Amazon’s Alexa, Google Assistant, and Apple’s Siri. Following this report, Ofcom will consult on a Code of Practice setting out how DRSS can comply with their new duties under the Media Act. It will also provide information for internet radio services (IRS) about how they can notify Ofcom that they wish to benefit from the new regime.
EU law
EDPB and EDPS issue report on European Biotech Act
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a joint opinion on the European Commission’s proposal for a European Biotech Act. The proposal aims to strengthen Europe’s biotechnology and biomanufacturing sectors, particularly around health, by streamlining the regulatory framework and updating the rules for clinical trials. Among other things, the report says that while promoting the use of AI in biotechnology, the Biotech Act should ensure that obligations for sponsors complement the existing requirements under the AI Act to ensure a consistent regulatory environment.
EDPB launches coordinated enforcement action on transparency and information obligations under the GDPR
The EDPB has launched its Coordinated Enforcement Framework (CEF) action for 2026. Following a CEF on the right to erasure in 2025, the CEF’s focus this year will shift to compliance with the obligations of transparency and information under the GDPR. The GDPR requires individuals to be informed when their data is being processed (under Articles 12, 13 and 14). This right to be informed is a core element of transparency and ensures that individuals have more control over their data. During 2026, 25 data protection authorities across Europe will assess the compliance of controllers with their transparency obligations under the GDPR. Participating regulators will soon contact controllers from different sectors across Europe, either through enforcement actions or fact-finding exercises. They might also decide to undertake additional follow-up actions if needed. During the second half of the year, participating regulators will share and discuss their findings, with a view to aggregating the results of their national actions and generating deeper insight into the topic. A consolidated report will then be drafted and submitted for adoption by the EDPB, allowing for targeted follow-ups at both national and EU level.
EDPB and EDPS support strengthening EU’s cybersecurity and easing compliance while protecting individuals’ personal data
The EDPB and the EDPS have adopted a Joint Opinion on the European Commission’s proposal for a Cybersecurity Act 2 (CSA2) and the proposal on amendments to the Network and Information Security 2 (NIS2) Directive. On the CSA2, the EDPB and the EDPS say that if the Management Board of ENISA decides to adopt additional measures necessary to apply the EU Data Protection Regulation, such decisions should be limited to very technical (practical) details related to the processing of personal data. The Proposal should also provide for a prior consultation with the EDPS before adopting such rules. The joint opinion recommends adding an explicit reference to the EDPS as an EU body with which ENISA would cooperate. The EDPB and EDPS also say that the scope of the European Cybersecurity Certification Framework and its relationship with GDPR certification should be further clarified. To ensure consistency, ENISA should consult with the EDPB before adopting a certification scheme relating to the security of processing of personal data. Furthermore, certification schemes for products, services and processes that are likely to be used in data processing operations should take into account security controls that can help to demonstrate the fulfilment of GDPR requirements, to the extent possible. The EDPB and the EDPS recommend that the European Cybersecurity Skills Framework is not only limited to cybersecurity professionals, but also includes a general workforce profile. Following their recent opinion on the Digital Omnibus Regulation Proposal, the EDPB and EDPS express their support for the establishment of a single-entry point for notifying personal data breaches, as it would reduce the administrative burden for notifying organisations without affecting the level of protection for individuals.
When it comes to the amendments to the NIS2 Directive, the EDPB and the EDPS welcome the designation of European Digital Identity Wallets and European Business Wallets providers as ‘essential entities’.
PEGI expands age rating criteria with interactive risk categories
PEGI, the Pan-European system for the age classification of video games, is adding new categories to its classification criteria to address online interaction risks. From June 2026, newly submitted games will be classified with a broader set of criteria that will focus on content and functionality, such as purchases of in-game content, paid random items, communication features, and features that incentivise players to continue playing. The new criteria mean that PEGI can assess to what extent the presence of such elements in a game requires a higher PEGI age rating. This aims to improve online safety and meet the concerns and questions of today’s parents. Games with time-limited or quantity-limited offers will be classified with a PEGI 12, games with NFTs or blockchain-related mechanisms will be PEGI 18. The default rating will be PEGI 16 if the game contains paid random items (and in some cases they can be a PEGI 18). Mechanisms that reward returning to the game (e.g. daily quests) will get a PEGI 7. If these mechanisms punish players for not returning (e.g. by losing content or reducing progress) they will become PEGI 12. If games contain entirely unrestricted communication features (e.g. no blocking or reporting), they will be PEGI 18.