This Week’s Techlaw Round-up

December 19, 2025
UK law

UK government publishes progress report on copyright and AI

The government has published a progress statement about its work to date on copyright and AI. The statement also explains the steps it is taking to prepare a report on the use of copyright works in the development of AI systems and an economic impact assessment. These two documents are required by sections 135 and 136 of the Data (Use and Access) Act. The government intends to lay the documents before Parliament before 18 March 2026. The government consulted on potential changes to UK copyright law between 17 December 2024 and 25 February 2025. It says it is continuing to consider all options and will provide a detailed summary of consultation responses on each of the options and the specific technical areas as part of its report. In addition, the Department for Science, Innovation & Technology (DSIT) has published terms of reference for a Copyright and AI Technical Working Group. The working group aims to inform copyright and AI policy development.

Password manager provider fined £1.2m by ICO for data breach affecting up to 1.6 million people in the UK

The ICO has fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users. It found that LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database. There is no evidence that hackers were able to decrypt customer passwords as these are stored locally on customer devices and not by LastPass. The incidents occurred in August 2022, when a hacker gained access first to a corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop, on which the hacker implanted malware and was then able to capture the employee’s master password. The combined detail from both incidents enabled the hacker to access LastPass’ backup database and take personal information which included customer names, emails, phone numbers, and stored website URLs. The ICO’s investigation found no evidence that the hacker was able to decrypt encrypted passwords and other credentials. This is due to LastPass’ use of a ‘zero knowledge’ encryption system, whereby the master password required to access a password vault is stored locally on a customer’s own device and never shared with LastPass.

Ofcom updates on designation of television selection services under Media Act 2024

Following consultation, Ofcom is recommending that 15 connected TV platforms, known as television selection services, should be designated by the Secretary of State. Ofcom says that it is critical that viewers can easily find and discover the content that public service broadcasters (PSBs) offer for UK audiences, including trusted and accurate news. As part of this, the Media Act 2024 introduced a new online availability and prominence regime for how PSB TV players are distributed on connected TV platforms. Under Part 2 of the Media Act, the designated television selection services must ensure that BBC iPlayer and other PSB TV players designated by Ofcom are available, prominent, and easily accessible.  Next year, Ofcom will continue its work to implement the Media Act. In January, it will be consulting on the new rules that will apply to these services. 

Ofcom fines file-sharing service £20,000

Ofcom has fined a file-sharing service £20,000 under the UK’s Online Safety Act for not responding to legally binding requests for information. It also confirmed that AVS Group Ltd, which was recently fined £1 million by Ofcom for not having robust age checks in place on 18 adult websites, has now introduced a new age assurance process on all sites that were the subject of its investigation. Ofcom is also seeking views on proposed industry Guidance relating to how tech firms respond to requests from bereaved parents about their child’s use of a service in the event of their death. It has also updated its guidance on Coroner Information Notices based on its early experience of processing requests from coroners.

Regulatory regime for cryptoassets incoming

In October 2023, HM Treasury published detailed proposals for creating a UK financial services regulatory regime for cryptoassets, including stablecoin. On 21 November 2024, the government confirmed that it will proceed with introducing this regime, broadly in line with the previously published proposals. On 29 April 2025 the government published draft statutory provisions associated with the new regime, accompanied by an explanatory policy note. On 15 December 2025, the government laid final legislation in Parliament. This will see the creation of new regulated activities for cryptoassets, such as operating a cryptoasset trading platform, and issuing stablecoin, as well as admissions and disclosures, and market abuse regimes. In addition, the FCA has launched a consultation on its regulatory regime for cryptoassets which ends on 12 February 2026. It aims for clear information for consumers, proportionate requirements for firms, and flexibility to support innovation.

EU law

European Commission renews UK data adequacy decision

The European Commission has renewed the two 2021 adequacy decisions for the free flow of personal data with the UK. The decisions aim to make sure that personal data can continue flowing freely and safely between the EEA and the UK, as the UK legal framework contains data protection safeguards that are essentially equivalent to those provided by the EU. In June 2025, the Commission adopted a technical extension of the 2021 adequacy decisions with the UK (one under the GDPR and the other concerning the Law Enforcement Directive) for a limited period of six months, as they were set to expire on 27 December this year. This extension allowed the Commission to conduct a thorough assessment of the legal framework in the UK as amended by the Data (Use and Access) Act 2025. The adoption of the renewal decisions follows the European Data Protection Board’s opinion and the Member States’ green light in the so-called comitology procedure. The new decisions are subject to a sunset clause of six years, running until 27 December 2031, when they can be renewed. The Commission and the EDPB will review the adequacy decisions in four years’ time.

Regulation (EU) 2025/2518 introducing additional GDPR enforcement procedures published in Official Journal

Regulation (EU) 2025/2518 of 26 November 2025 laying down additional procedural rules on the enforcement of Regulation (EU) 2016/679 has been published in the Official Journal. It introduces additional procedural rules to speed up the cross-border enforcement of the GDPR and clarify the relevant procedures and rights. Regulation (EU) 2025/2518 enters into force on 1 January 2026 and will apply from 2 April 2027.

Commission launches consultation on repeal of cybersecurity Delegated Regulation

The European Commission is consulting on its proposal to repeal Delegated Regulation (EU) 2022/30 (RED Delegated Regulation on cybersecurity). It aims to repeal Delegated Regulation 2022/30 on cybersecurity once the Cyber Resilience Act becomes fully applicable on 11 December 2027. This aims to avoid any overlaps between the essential requirements of the Radio Equipment Directive that relate to cybersecurity and those of the Cyber Resilience Act. It also aims to ensure legal certainty. The consultation ends on 7 January 2026.

European Commission proposes new measures to improve health and the healthcare sector

The Commission has proposed a Biotech Act to support innovation and increase Europe’s biotechnology potential. Measures include a new EU investment facility to make it easier for biotech companies to access funding and targeted support for high-impact projects to boost bio-manufacturing. The new rules are also aimed at speeding up clinical trials approvals across countries, fast-tracking development of cutting-edge new therapies, and simplifying EU rules to reduce costs for companies. It also aims to harness the use of artificial intelligence, data and digital solutions in the biotech sector, by implementing the European Health Data Space, creating trusted AI testing environments, facilitating data-sharing, and supporting small and medium enterprises, start-ups and scale-ups in using high performance technologies. Finally, it aims to simplify and accelerate regulatory procedures to reduce time-to-market for biotech products; for example, with harmonised requirements and the use of regulatory sandboxes, as controlled environments for companies to experiment and trial innovative solutions, regulatory procedures and technologies.

MEPs demand new measures to protect against algorithmic management at work

MEPs have presented recommendations to ensure the transparent, fair, and safe use of automated monitoring and decision-making systems (AM) in the workplace. They say that there must be human oversight of all decisions taken or supported by AM systems. Workers should have the right to request explanations on decisions taken or supported by algorithmic management. If a worker perceives their rights to have been infringed by the AM decision, they should have the right to ask for a review and the AM system in question could be modified or discontinued. MEPs want decisions on the initiation or termination of employment, the renewal or non-renewal of a contract, changes in remuneration, or disciplinary action to always be taken by a human and to be subject to human review. MEPs also recommend that workers are informed about how these systems affect working conditions, when they are used to take automated decisions, what type of data they collect or process, and how human oversight is ensured. Workers should be consulted when AM systems are used to take decisions affecting remuneration, evaluation, task allocation or working time. AM must respect workers’ wellbeing and not put their safety or physical or mental health at risk. To protect workers’ privacy and data, the rules proposed by MEPs would prohibit the processing of data relating to the emotional, psychological or neurological states of employees, their private communications, geolocation outside working hours, the use of their data while off-duty, and the use of data relating to freedom of association and collective bargaining. Following the adoption of the legislative initiative report, the European Commission now has three months to reply to Parliament’s request for a proposal, by either informing Parliament on the steps it plans to take or by giving reasons for refusal to propose an initiative along the lines of Parliament’s request.

Commission launches Data Act legal helpdesk

The Commission has launched a Data Act Legal Helpdesk to assist stakeholders, in particular small and medium-sized enterprises (SMEs), which are not usually staffed with large departments, in getting answers to concrete questions about the new rules. The helpdesk, announced in the Data Union Strategy, will help to make sure that queries are answered swiftly and with dedicated attention. It is designed for anyone looking for clear and practical guidance on requirements, rights and obligations on the Data Act.

Regulators call for stronger measures against illegal online gambling

Last month, regulators of Austria, France, Germany, Great Britain, Italy, Portugal and Spain issued a joint statement. It said that the fight against illegal online gambling is one of the paramount tasks facing regulated jurisdictions. Its borderless nature and the speed of technological innovation make it easier for illegal operators to evade regulatory oversight. This creates significant risks for consumer and public health protection, endangers public order and harms the activity of legitimate operators. In short, illegal online gambling undermines the entire regulatory framework designed to protect the public interest. The regulators expressed their common concern regarding the increasing proliferation of advertising targeting the jurisdictions by unauthorised operators, particularly through digital channels such as social media, video platforms, and affiliate networks. These activities not only violate national laws but also expose citizens, including minors and vulnerable individuals, to significant risks associated with illegal gambling. The regulators will share information on illegal operators. They also call on digital platforms and social media networks to strengthen their control mechanisms to prevent the dissemination of advertising content from unauthorised operators, and reaffirm their commitment to share knowledge and better practices in identifying, investigating, and sanctioning operators acting outside the law.