UK law
Changes to be made to Online Safety Act to include cyberflashing as priority offence
The UK government has set out plans to place stricter legal requirements on tech companies to actively prevent unsolicited nude images from being shared on their platforms (and not to just react to it after the fact). This means that “cyberflashing” will become classified as one of the most serious types of online offences under the Online Safety Act 2023. Companies could tackle these images for example by using automated systems that pre-emptively detect and hide the image, implementing moderation tools or stricter content policies. Under the laws, failing to proactively implement measures to protect users could lead to fines of up to 10% of the companies’ qualifying worldwide revenue and potentially blocking their services in the UK. Cyberflashing became a criminal offence in England and Wales in January 2024, under the Online Safety Act 2023. It is illegal to send unsolicited sexual images with intent to cause alarm, distress, or for sexual gratification. Sentences can include up to two years in prison. The regulations will come into force 21 days after they are made, following approval by both Houses of Parliament. The regulations will be laid this autumn.
CMA publishes responses to consultation on recommendation on the Assimilated TTBER
The CMA has published the responses to its consultation about its recommendation on the Assimilated Technology Transfer Block Exemption (Assimilated TTBER). Having considered the various issues, the CMA has recommended that the Secretary of State for Business and Trade replace the Assimilated TTBER with a UK block exemption order. The Assimilated TTBER automatically exempts certain types of technology transfer agreements from the Chapter I prohibition of the Competition Act 1998. The Assimilated TTBER is aimed at facilitating the licensing of technology rights. This recognises that such agreements can often be procompetitive and can significantly benefit innovation, investment and growth.
ICO makes statement on changes to Meta advertising model
The ICO has issued a statement about the changes Meta has made to its advertising model. It says that it welcomes Meta’s decision to ask users for consent to use their personal information to target them with ads. This moves Meta away from targeting users with ads as part of the standard terms and conditions for using its Facebook and Instagram services, which does not comply with UK law. The ICO recognises that online platforms, like every business, need to operate commercially. There are several ways in which online platforms can do this in compliance with UK law and the ICO’s guidance. Meta is using a consent or pay model. During the ICO’s engagement with Meta, it significantly lowered the starting price point at which users would be offered a subscription. As a result, users in the UK will be able to subscribe at a price point close to half that of EU users. In updating its services in this way, Meta has taken steps to address its non-compliance. Meta has also responded to the ICO’s request that the price set provides UK consumers with a fair choice between consenting to targeted ads using their data or paying to subscribe to no ads. The ICO now expects Meta to assess the impact of implementing this new model, specifically understanding the choices made by its users in response to the changes, to ensure Meta continues to comply with UK law. The ICO will also continue to monitor the roll-out of Meta’s service changes, as well as the broader impacts of consent or pay models in online markets.
ICO fines energy firms fined £550,000 for unlawful marketing calls using avatars
The ICO has fined two energy companies a total of £550,000 for making automated marketing calls. Both firms used an avatar software, which gave the call recipients the impression they were talking to “Jo, Helen or Ian” from the UK – but were in fact scripted lines recorded by voice actors and played by call agents abroad. It has fined Home Improvement Marketing Ltd £300,000 and issued it with an enforcement notice ordering it to stop its unlawful practices. The ICO has also fined Green Spark Energy Ltd £250,000 for making 9.5 million automated marketing calls. It has also been issued with an enforcement notice.
EU law
European Commission issues AI systems guidance issued for serious incident reporting
Following consultation, the European Commission has published draft guidance alongside a template for reporting serious incidents involving high-risk AI systems under the EU AI Act. In addition, it has published a targeted stakeholder consultation. From 2 August 2026, providers of high-risk AI systems must report serious incidents to their national market surveillance authority in accordance with Article 73. The Commission says the guidance will help providers decide if an incident is serious. The template contains a standard reporting format. The consultation seeks practical examples of the type of incidents that must be reported and feedback about the guidelines. The guidelines for reporting serious incidents do not apply to general-purpose AI models, which have their own rules. The consultation ends on 7 November 2025.
