UK law
Property (Digital Assets etc) Act 2025 receives Royal Assent
The Property (Digital Assets etc) Act 2025 received Royal Assent on 2 December 2025. The Law Commission had carried out a study and concluded that certain digital assets, including crypto-tokens and non-fungible tokens (NFTs), can be regarded as “property” and should be recognised and protected as such. However, the Commission said that such digital assets are fundamentally different both from physical assets, and from rights-based assets like debts and financial securities. This means that they do not fit easily within the categories of personal property traditionally recognised by the law in this jurisdiction: things in possession and things in action. The Commission recommended that legislation should confirm the existence of a “third” category of personal property, into which crypto-tokens and potentially other assets could fall. The Commission published a draft bill to implement this recommendation in July 2024. The Property (Digital Assets etc) Act 2025, based closely on that draft bill, makes clear that a thing is not prevented from being the object of personal property rights merely because it does not fit into either of the existing categories. This reflects the trajectory of recent case law, but removes the lingering uncertainty that remains in the absence of a definitive statement from an upper court. The Act leaves it to the courts to develop this “third category” of personal property by delineating its boundaries and the rights that attach to “third category” things. The Commission’s recommendations on other matters including collateral arrangements for crypto-tokens are still under consideration.
UK government consults on legal framework for using facial recognition in law enforcement
The government has launched a consultation which aims to ensure that the law keeps pace with technological developments and provides clear, consistent rules that the public can understand more easily, and that law enforcement can rely on as they increasingly use facial recognition technologies. The consultation seeks views on a wide range of issues, including which technologies should be covered by the new framework – such as biometric, inferential, and object recognition tools – and which organisations it should apply to. It also explores when and how these technologies should be used, what safeguards are necessary to protect privacy and other rights, and how to ensure their use is demonstrably proportionate to the seriousness of the harm being addressed. The consultation ends on 12 February 2026.
UK government consults on Online Procedure (Core Rules and Pilot Schemes) Rules 2026
The UK government is consulting on the Online Procedure (Core Rules and Pilot Schemes) Rules 2026. The Online Procedure Rule Committee (OPRC) is responsible, under the provisions of the Judicial Review and Courts Act 2022, for making rules for online procedure in the civil, family and tribunals jurisdictions. These rules are to be for specific kinds of online proceedings, as agreed by Parliament. The consultation seeks views and comments on the first Online Procedure Rules to be made by the OPRC. These rules will, in the future, apply to all proceedings where there are Online Procedure Rules. To begin with, they will apply only to possession proceedings. The consultation ends on 15 January 2026.
UK government consults on automated vehicles regulatory framework
The UK government has launched a call for evidence on the regulatory framework for automated vehicles. It seeks views on several sections of the Automated Vehicles Act to support development of the regulatory framework. This framework will include rules, guidance and principles. It is also seeking to strengthen its understanding of accessibility, environmental and cost-benefit considerations.
Ofcom fines porn company £1 million for not having robust age checks
Ofcom has fined AVS Group Ltd, which runs 18 adult websites, £1 million for not having robust age checks in place, plus £50,000 for failing to respond to information requests. While AVS has implemented what it refers to as age verification, Ofcom does not consider it to be highly effective, and so has fined the company £1,000,000. AVS must now implement highly effective age assurance within 72 hours of the decision (published on 4 December), or face a daily penalty of £1,000 per day. Ofcom continues to investigate other services’ compliance with age check requirements and will take action where necessary. Ofcom also fined AVS £50,000 for failing to respond to its legally binding information request. It will impose a daily penalty on the company of £300 per day, starting from 5 December, until it responds or for 60 days, whichever is sooner. If a provider fails to pay a fine, Ofcom can seek recovery of those penalties. Where appropriate, it can also seek a court order for “business disruption measures”, such as requiring payment providers or advertisers to withdraw their services from a platform, or requiring Internet Service Providers to block a site in the UK. The BBC has reported that it contacted a company called TubeCorporate, the adult content publishing platform behind AVS Group Ltd sites, for a response. The address which the firm uses is in the Central American country of Belize, and appears to be the registered address of a large number of companies, although they do not have physical offices there.
Post Office reprimanded over Horizon IT scandal victims’ “entirely preventable” data breach
The ICO has issued a reprimand to Post Office Limited following a data breach that resulted in the unauthorised disclosure of personal information belonging to hundreds of postmasters involved in the Horizon IT scandal. The breach occurred when the Post Office’s communications team mistakenly published an unredacted version of a legal settlement deed on its corporate website. The document contained the names, home addresses and postmaster status of 502 people who were part of a group litigation against the organisation. It remained publicly accessible from 25 April to 19 June 2024, before being removed following notification from an external law firm. When investigating the circumstances of this data breach, the ICO found that the Post Office failed to implement appropriate technical and organisational measures to protect people’s information. It found there to be a lack of documented policies or quality assurance processes for publishing documents on the corporate website, as well as insufficient staff training, with no specific guidance on information sensitivity or publishing practices. The ICO had initially considered imposing a fine of up to £1.094 million. However, the ICO did not consider that the data protection infringements identified reached the threshold of “egregious” under its public sector approach, and a reprimand has been issued instead. Following the breach, the Post Office took a number of steps to mitigate the impact on affected people, including offering compensation to all people named on the deed and affected by the publication, with payments made to the majority; providing identity protection services, including 24 months of fraud monitoring and dark web surveillance; contacting search engines and archives to remove cached versions of the document; establishing an emergency working group to review the incident and improve internal controls; and creating a new documented policy for publishing information on its corporate website.
EU law
EUIPO publishes first EU study on influencers and intellectual property rights
The European Union Intellectual Property Office (EUIPO) has published a study about how social media influencers engage with intellectual property rights. Half of influencers are concerned that their content might be altered and repurposed by AI for others’ benefit, while two-thirds are aware of the possibility that AI-generated outputs may infringe existing IP rights.
Strengthening data protection worldwide: EDPB meets with the countries and organisation with an adequacy decision
As part of its December plenary meeting, the European Data Protection Board (EDPB) held a meeting with Commissioners and representatives of Data Protection Authorities (DPAs) from the countries and the organisation (the EPO) with an EU adequacy decision. This meeting marked the second of its kind, following the first gathering in October 2024. Following that meeting, the EDPB and the DPAs from the countries and the EPO strengthened their cooperation by sharing information on some advisory works and gathering experiences on international data protection enforcement cooperation.
EU seeks feedback on AI regulatory sandbox rules
The European Commission has requested feedback on a draft Implementing Regulation setting out rules for AI regulatory sandboxes required to be established under the EU AI Act. The feedback period ends on 30 December 2025.
European Commission adopts Implementing Regulation on technical description of categories of important and critical products under Cyber Resilience Act
The European Commission has adopted an implementing regulation which lays down the technical and the methodological requirements of the measures referred to in NIS2 with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers (the relevant entities). The NIS2 Directive entered into force in January 2023, and member states must implement it into national law by 17 October 2024. The NIS2 Directive lays down the technical and the methodological requirements of cybersecurity risk management measures for critical entities and networks.
European Commission launches major package to fully integrate EU financial markets
The European Commission has proposed legislation designed to remove barriers and unlock the full potential of the EU single market for financial services. Among other things, it focuses on removing regulatory barriers to innovation related to distributed ledger technology (DLT). It adapts the regulatory framework to support these technologies and amends the DLT Pilot Regulation (DLTPR) to relax limits, increase proportionality and flexibility, and provide legal certainty, thus encouraging the adoption of new technologies in the financial sector. The proposals must now be negotiated and approved by the European