Following the UK government’s earlier proposals to reform the data protection regime, the Data Use and Access Act 2025 (DUAA) received Royal Assent on 19 June 2025. The DUAA amends the existing UK data protection framework—including the UK GDPR, the Data Protection Act 2018, and PECR—and forms part of the government’s wider strategy to create
European Data Protection Board guidance on safeguarding personal data in AI technologies
The European Data Protection Board (‘EDBP’) has published its 2024 annual report highlighting key milestones achieved throughout the year. Among these, the report includes reference to an opinion issued by the EDPB in December 2024 (the ‘Opinion’) which examines the use of personal data in AI models and the applicability of
The UK government’s AI growth agenda in 2025
In March 2025, the Information Commissioner’s Office (‘ICO’) announced a series of measures to support the UK government’s growth agenda while maintaining strong data protection standards. These measures include a commitment to introduce a statutory code of practice for businesses developing or deploying AI with a focus on data protection safeguards.
The above initiative
Direct marketing ad profiling: Recent fines
Data protection authorities across Europe have recently imposed significant fines on companies for violations of data protection laws. We bring to your attention decisions related to breaches of direct marketing and profiling below.
A telecommunications company fined €50 million by the French Supervisory Authority
On 23 January 2025, the French Supervisory Authority (CNIL) fined a
Cybersecurity law updates in the UK and the EU
UK NIS and critical national infrastructure updates
The UK government recently created a page on the new Cybersecurity and Resilience Bill updating the Network and Information Systems (NIS) Regulations 2018. There is no draft of the bill available yet, but it is confirmed the Bill will cover five sectors (transport, energy, drinking water, health, and
UK Government announces new Data Use and Access Bill
On 24 October 2024, the UK Department for Science Innovation and Technology announced new legislation to modernise the UK’s use of data and boost the UK economy.
The focus of the new Data Use and Access Bill (the “new Bill”) is not just on data protection – it covers wider topics, such as the rules
European Commission plans a public consultation for the new standard contractual clauses for international data transfers coming up in 2025
The European Commission (the “Commission”) announced its plans to open a public consultation on the new Standard Contractual Clauses (“SCCs”) in the fourth quarter of 2024. The new SCCs will address the scenario where the data importer (controller or processor) is based outside of the European Economic Area (“EEA”) but is directly subject to the
Online Safety Act – Keeping you updated
On 25 March 2024, Ofcom called for evidence for the third phase of its online safety regulations. This call for evidence will culminate in Ofcom’s third consultation paper, which will act as guidance for service providers to ensure compliance with the Online Safety Act (“OSA”).
The third phase of online regulations introduces further
Introduction of a UK BCR Addendum
On 19 December 2023, the Information Commissioner’s Office (ICO) published its updated guide on UK Binding Corporate Rules (BCRs), introducing the UK BCR Addendum for controllers and processors (the Addendum). It will enable organisations with existing EU BCRs to include data transfers from the UK.Continue Reading Introduction of a UK BCR Addendum
Cybersecurity preparedness: What guidance to follow?
With cybersecurity becoming a board-level issue, compliance officers, lawyers, board members, and business drivers are looking for official guidance or recommendations on cybersecurity measures to protect business, customers, and the wider economy.Continue Reading Cybersecurity preparedness: What guidance to follow?