UK law
Property (Digital Assets etc) Bill passes to House of Commons
The Property (Digital Assets etc) Bill has completed its passage through the House of Lords and had its first reading in the House of Commons on 12 May 2025. It was referred to a second reading committee, who will debate the Bill and report to the House. A date for the Bill’s second reading is yet to be announced. The Bill makes provision about the types of things that are not prevented from being objects of personal property rights.
ICO consults on updated encryption guidance
The ICO is consulting on its encryption guidance, covering encryption in the context of the UK GDPR and how you can use it in different contexts. It includes several scenarios where you can use encryption to protect personal information, as well as the residual risks of doing so. It does not cover things like end-to-end encryption (E2EE), privacy-enhancing technologies (PETs), encryption and ransomware, or the potential impact of quantum computing. The ICO has updated the guidance to follow its “must, should, could” framework to give greater clarity on which encryption measures it expects organisations to implement. This change aims to improve consistency across the ICO guidance notes. It has also updated the “encryption in practice” section of the guidance to reflect the current state of technology, especially Hypertext Transfer Protocol Secure (HTTPS) which the ICO expects all organisations to use. The consultation ends on 24 June 2025.
ICO fines sole trader £50,000 for making over 194,000 unlawful marketing calls
The ICO has fined a Newcastle based sole trader £50,000 for making over 194,000 unlawful marketing calls to people on the Telephone Preference Service. The calls related to grants for new boilers and solar panels, with the inference made during the calls that he was connected to a government scheme. The trader was previously investigated in 2015 for making persistent sales calls and misleading people into believing they would receive a free boiler under the “Green Deal” scheme. As well as the fine, the ICO has issued an enforcement notice.
Ofcom launches further investigations under Online Safety Act
Ofcom is investigating if Kick Online Entertainment has failed in its duties to complete, and keep a record of, a suitable and sufficient illegal content risk assessment and; respond to a statutory information request. In addition, it has received complaints about the potential for illegal content and activity on the site, including child sexual abuse material and extreme pornography. As a result, Ofcom will also be considering whether the provider has put appropriate safety measures in place to protect its UK users from illegal content and activity and may launch an additional investigation into its compliance with this duty if appropriate. It has also opened investigations into Itai Tech Ltd, which runs the nudification site Undress.cc, and Score Internet Group LLC, which runs the site Scoreland.com. Ofcom says that neither site appears to have highly effective age assurance in place and so they are potentially in breach of the Online Safety Act and their duties to protect children from pornography.
EU law
European Commission issues draft guidance under DSA
The European Commission is consulting on draft guidance under Article 28 of the Digital Services Act, setting out how online platforms can protect children. The guidance includes requirements such as age assurance controls, private-by-default settings for children’s accounts, and modified recommender systems. The measures apply to all platforms except micro and small enterprises. The Commission’s guidance sits alongside work on an EU age-verification application, which is scheduled for release in summer 2025, before the EU Digital Identity Wallet is implemented in 2026. The consultation ends on 10 June 2025, and the Commission expects to publish the final version of theguidance in summer 2025.
European Commission launches European Vulnerability Database to strengthen digital security
The European Commission has launched the European Vulnerability Database (EUVD), which is managed by the EU Agency for Cybersecurity. The EUVD aims to improve digital security across the EU by helping organisations comply with supply chain and vulnerability management requirements under Directive 2022/2555 (the NIS2 Directive). In addition, it supports the implementation of the Cyber Resilience Act to safeguard products with digital elements, such as software and smart devices, from cyber threats. It collects vulnerability information from trusted sources and provides tools to help identify and manage cybersecurity risks. It will give organisations the ability to disclose and register, on a voluntary basis, publicly known vulnerabilities in ICT products or services.
Council of EU sets out its priorities for EU audiovisual media sector in approved conclusions
The Council of the EU has set out its priorities for the audiovisual media sector. It said that EU-wide rules are needed to cater the rapid changes happening in the sector, which include influencers, disinformation; and AI. It has also emphasised the importance of a robust and adaptable legal framework to protect people from harmful content as well as promoting a diverse, fair, and competitive market. The priorities include broadening the EU Audiovisual Media Services Directive’s scope to cover all relevant media content. This would be designed to help to protect children, regulate video-sharing platforms, combat disinformation, and safeguard access to culturally important events. The document will feed into the Commission’s 2026 review of the Directive.
European Commission publishes FAQs on EU AI Act literacy requirements
The European Commission has published frequently asked questions about literacy requirements under Article 4 of the EU AI Act. Among other things, the FAQs cover the definitions in Article 4 and the EU AI Act, compliance with, and enforcement of Article 4, and the AI Office’s approach to AI literacy.
European Commission preliminarily finds TikTok’s ad repository in breach of the Digital Services Act
The Commission has informed TikTok that it believes that it does not fulfil the obligation in the Digital Services Act to publish an advertisement repository. It says that such an advertising repository is critical for researchers and civil society to detect scam advertisements, hybrid threat campaigns, as well as coordinated information operations and fake advertisements, including in the context of elections. The Commission has found that TikTok does not provide the necessary information about the content of the advertisements, the users targeted by the ads, and who paid for the advertisements. As well as this, TikTok’s advertisement repository does not allow the public to search comprehensively for advertisements, so limits its usefulness. TikTok can now respond. The Commission will also consult the European Board for Digital Services. If the Commission’s preliminary views were to be ultimately confirmed, the Commission may issue a non-compliance decision, which may trigger a fine of up to 6% of TikTok’s total worldwide annual turnover as well as an enhanced supervision period to ensure compliance with the measures TikTok intends to take to remedy the breach. The Commission can also impose periodic penalty payments.
