22 April 2025

Data Diaries - April 2025

To The Point
(6-8 min read)

In the April 2025 issue of Data Diaries, guest editor Claire Edwards highlights the top stories in data protection, privacy and cyber security law. These include updates on the Data (Use and Access) Bill, the EU-US Data Privacy Framework, the forthcoming Cyber Security and Resilience Bill, the EU AI Act and the ICO approach to adtech regulation.

Guest editorial - Claire Edwards


We are now in Q2 of 2025 and continuing to see lots of rapid developments in the data, cyber and AI space. In the UK, we are closely monitoring the progress of the Data (Use and Access) Bill and announcements regarding the forthcoming Cyber Security and Resilience Bill, as well as news from the ICO about its approach to adtech regulation. Together with our colleagues in the EU, we are advising clients on the phased entry into application of the EU AI Act and international transfers in the light of developments casting doubt on the future of the EU-US Data Privacy Framework.

I hope that you enjoy our bulletin – please get in touch with me or another member of our data team if you would like more information about any of the topics covered.

Claire Edwards is a partner in Addleshaw Goddard's Commercial and Data team, based in our Manchester office.


Data (Use and Access) Bill - Update

In the UK, the Data (Use and Access) Bill has completed its passage through the House of Lords and is currently awaiting a date to start its Report stage in the House of Commons. It is expected to receive Royal Assent in spring 2025 and become law in summer 2025. However, it has been reported that disagreements between the government, MPs and members of the House of Lords over attempts to add provisions relating to the scraping of copyright materials are delaying progress.

Key changes

The Bill amends the UK GDPR, Data Protection Act 2018 and Privacy and Electronic Communications Regulations (PECR). Its text is not yet finalised, but the key changes to be aware of include:

  • Complaints – organisations must put in place a process to enable individuals to make complaints about breaches of data protection law.
  • Data subject access requests (DSARs) - the Bill confirms rules that were previously set out in ICO guidance, which make it slightly easier to comply with DSARs.
  • Cookies - the Bill relaxes the rules on cookies, so that consent is not required for certain low-risk cookies, provided that the controller gives the user clear information and the right to opt out.
  • PECR fines – the Bill brings the maximum fine for breaches of PECR's marketing rules into line with UK GDPR fines, by increasing it from £500,000 to £17,500,000 or 4% of the undertaking's total annual worldwide turnover in the preceding financial year, whichever is higher.
  • Automated decision-making - the Bill relaxes the rules on automated decision-making that does not involve the processing of special category data. Controllers must put in place safeguards for all significant decisions based solely on automated processing.
  • International transfers - the amendments relax the "data protection test" for international transfers. While the current rule is that the standard of protection for personal data processing in the destination country must be "essentially equivalent" to that under UK law, the new rule is that it is "not materially lower". When making a transfer, the controller or processor, acting reasonably and proportionately, must consider that the data protection test is met in relation to the transfer.
  • Smart Data and Digital Verification Services – the Bill gives the government powers to make regulations in connection with "smart data" and digital verification services. While the Bill's provisions are high-level, its explanatory notes, together with factsheets published by DSIT, provide more details about how the government intends to use these powers. In relation to smart data, DSIT says that it plans to support the future of open banking and the growth of new smart data schemes to allow consumers and businesses to share information safely with regulated and authorised third parties, for example to generate personalised market comparisons and financial advice to cut costs. Digital verification is intended to enable individuals to identify themselves without presenting physical documents. An Office for Digital Identities and Attributes will be set up to manage a new "trust mark" scheme for digital identity providers.

Link to the UK adequacy decision

There were concerns that the Bill would not be finalised in time to enable the European Commission to conduct its review of the revised UK legislation in order to renew the UK adequacy decision, which was due to expire on 27 June 2025. However, the Commission has recently proposed a six-month extension of the adequacy decision until 27 December 2025, allowing more time for finalisation of the Bill and the Commission's review.

Action points
  • Put in place and follow a procedure for data protection complaints that complies with the Act's requirements.
  • Review your DSAR procedure to consider whether you can update it to reflect the relaxed rules that were previously only set out in ICO guidance.
  • Review the relaxed rules on cookies and consider whether to update your cookie banner/notice to reflect these. The ICO has been focusing on enforcement of the existing rules on cookie notices, so compliance with the revised rules remains extremely important.
  • Note the increased fines for breach of PECR's marketing rules. This has been a key enforcement area for the ICO, so the increased risk makes compliance more important than ever.
  • If your organisation uses automated decision-making, consider whether you can benefit from the relaxed rules, ensuring that you put the required safeguards in place. Watch out for the publication of any regulations that supplement or clarify the requirements.
  • Review your procedures for international data transfers to ensure that they meet current requirements. While the Bill relaxes the test for the destination country's standard of protection for personal data processing and does not introduce new requirements, you should take this opportunity to check that you have implemented the changes required following the Schrems II decision and Brexit.
  • Keep abreast of developments in relation to Smart Data and Digital Verification and how these may impact your organisation.


EU-US Data Privacy Framework - update

While challenges to the DPF had already been brought (by Philippe Latombe) and threatened (by Max Schrems) before President Trump returned to office, subsequent developments have made the DPF's future more uncertain. Trump has removed Democratic members from the US Privacy and Civil Liberties Oversight Board (PCLOB) and the Federal Trade Commission, which both play important roles in the functioning of the DPF. This has left the PCLOB unable to start any new investigations of alleged breaches of the DPF principles. The European Commission's adequacy decision for the DPF emphasised the importance of the oversight provided by the PCLOB and the FTC, so the fact that these bodies are no longer independent or fully functioning has raised questions about the DPF's validity.

Philippe Latombe originally filed his challenge to the DPF in 2023, and his application for an interim injunction was dismissed. His claim for invalidation of the DPF was heard by the EU General Court on 1 April, but at the time of publication no further details are available. Latombe will need to overcome a number of procedural obstacles to succeed, and any decision will be subject to appeal. Max Schrems has stated that he does not at present intend to launch "Schrems III" proceedings to challenge the DPF, but he expects it to collapse at any time.

The agenda for the European Data Protection Board (EDPB) plenary on 8 April included "state of play of the EU-U.S. Data Privacy Framework (DPF) under the new U.S. administration". At the time of publication, the EDPB has not published any information about its discussion on the issue.

Action point

While the DPF remains a valid transfer mechanism as at the date of Data Diaries' publication, given the ongoing uncertainty about the DPF's validity, if you are transferring personal data from the EU to the USA, we recommend taking legal advice about the most appropriate safeguards for your transfers. The UK-US Data Bridge is an independent mechanism, so it will not automatically be invalidated if the DPF is; however, in those circumstances it would be difficult to argue that it should remain valid, and keeping it in place could affect the UK's own adequacy decision.


Cyber security update: the forthcoming Cyber Security and Resilience Bill, UK government ransomware consultation and Cyber Governance Code of Practice

Cyber Security and Resilience Bill

The UK government is due to introduce a Cyber Security and Resilience Bill later this year. On 1 April the UK government published a policy statement setting out more details about what the Bill will include. As predicted, it will align UK law more closely with the EU NIS2 Directive. The policy statement says that the Bill will:

  • Bring more entities into scope including managed service providers
  • Enable the government to set stronger supply chain duties
  • Establish the principles and objectives of the NCSC (National Cyber Security Centre) Cyber Assessment Framework (CAF) on a firmer footing, making it essential, but easier, for firms to follow best practice
  • Extend reporting requirements to a wider range of incidents
  • Introduce a two-stage reporting structure which will require regulated entities to notify their regulator and NCSC of a significant incident no later than 24 hours after becoming aware of that incident, followed by an incident report within 72 hours
  • Require firms that provide digital services and data centres that experience a significant incident to alert affected customers

It also says that other measures are under consideration, including bringing data centres into scope of the regulatory framework.

Ransomware consultation

In connection with the forthcoming Bill, on 14 January the government published a consultation on three proposals relating to ransomware:

1. a targeted ban on ransomware payments for all public sector bodies and critical national infrastructure

2. a ransomware payment prevention regime

3. a mandatory reporting regime for ransomware

The consultation closed on 8 April. The government has not yet published its response to the consultation, but we will monitor and report on developments.

Cyber Governance Code of Practice

On 8 April DSIT and NCSC published a finalised version of the Cyber Governance Code of Practice, plus a toolkit and training intended to support organisations to comply with the Code's principles.

DSIT's press release refers (indirectly) to the forthcoming Cyber Security and Resilience Bill, which it says will be introduced "later this year". The Code's principles are high-level, but are apparently intended to help organisations make progress towards compliance with the forthcoming legislation, and are also relevant to NIS2 compliance.

The Cyber Governance Code of Practice is aimed at medium and large organisations and is intended to help boards improve their cyber governance. It lists 22 actions that boards should take, grouped under 5 principles:

A. Risk management
B. Strategy
C. People
D. Incident planning, response and recovery
E. Assurance and oversight

Action point
  • While the Cyber Security and Resilience Bill has not yet been published, the policy statement provides details about the changes to expect, which are similar to those introduced by NIS2. In the meantime, you should review your organisation's compliance with the Cyber Governance Code to help you to prepare for the forthcoming changes.


Adtech update - ICO online tracking strategy and pledges to support economic growth

Online tracking strategy

In January 2025 the ICO published its online tracking strategy, which will focus on online advertising. The four key areas and the steps you need to take are:

1. Deceptive or absent choice – present users with an option to opt out of non-essential data processing, and do not set cookies regardless of users' wishes.

2. Uninformed choice – provide users with clear information about the purposes for which they're agreeing to share their data.

3. Undermined choice – process information in line with your privacy notice.

4. Irrevocable choice – provide users with a meaningful way to change their mind about the purposes they've agreed to.

ICO pledges to support economic growth

On 17 March the UK government published a policy paper: A new approach to ensure regulators and regulation support growth, which states that the current regulatory landscape too often holds back growth. This sets out pledges from a number of regulators, including the ICO, whose pledges include "relaxing enforcement of consent rules for privacy-preserving online advertising, ahead of exemptions to these legal requirements being introduced by government. This is intended to support growth in the advertising sector whilst making privacy enhancing online advertising viable in the market."

On the same date the ICO published further details on its commitments. These include:

"Privacy-friendly advertising review - the ICO is reviewing the PECR consent requirements to enable a shift towards privacy-preserving online advertising models. In autumn 2025, the ICO will publish a statement identifying low-risk advertising activities which in its view are unlikely to cause harm or trigger enforcement action. It will consider safeguards it would expect to reduce risks to users and devices. The aim is to provide legal clarity for businesses while safeguarding user privacy."

Action points
  • Review your organisation's use of cookies and other tracking technologies to ensure compliance with the current law and guidance.
  • Consider whether you can update your cookie banner as a result of the changes being introduced in the Data (Use and Access) Bill (see above).
  • Watch out for further news from the ICO about its enforcement strategy and consider whether your organisation can benefit from any relaxations announced.
  • As part of the broader move away from third-party cookies, establish your current reliance on them and take advice from marketing agencies and legal specialists about potential alternatives.


AI updates: EU AI Act, EU AI Continent Action Plan and UK developments

While the EU AI Act entered into force on 1 August 2024, its requirements are becoming applicable in stages. The Act is EU law, but applies to non-EU providers, importers and distributors of AI systems that are placed on the EU market, put into service or used in the EU.

The first tranche of the EU AI Act's provisions - those prohibiting certain AI practices and introducing AI literacy requirements - became applicable on 2 February 2025.

Prohibited AI practices

The practices that are prohibited include:

  • AI systems that use subliminal, manipulative or deceptive techniques to distort behaviour
  • AI systems that exploit people's vulnerabilities, eg their age or disability
  • Social behavioural scoring systems
  • Emotion recognition systems in the workplace or educational institutions
  • Untargeted scraping of facial images to create or expand facial recognition databases
  • Biometric categorisation systems based on specified characteristics

AI literacy

The AI literacy provision requires providers and deployers of AI systems to take measures to ensure a sufficient level of AI literacy among their staff and other persons dealing with the operation and use of AI systems on their behalf. In doing so they must take into account those persons' technical knowledge, experience, education and training, the context in which the AI systems are to be used, and the persons or groups of persons on whom the AI systems are to be used.

In order to decide whether they are caught by the AI literacy obligations and identify what they need to do to comply, organisations should:

  • Identify whether they are a provider or deployer of AI systems (within the Act's definitions)
  • Identify their workers who are operating or using AI systems
  • Identify the training needed by each group of workers
  • Ensure each group completes suitable training
  • Measure the training’s effectiveness and provide updates and refreshers when necessary

General-purpose AI

The next provisions to become applicable are the obligations for providers of general-purpose AI (GPAI) models, which will apply from 2 August 2025.

GPAI models are AI models that are trained with a large amount of data using self-supervision at scale, display significant generality, are capable of competently performing a wide range of distinct tasks, and can be integrated into a variety of downstream systems or applications.

The EU AI Act requires providers of general-purpose AI models to:

  • Prepare and maintain technical documentation, including its training and testing process
  • Make technical documentation available to AI system providers
  • Put in place a policy to comply with EU copyright law
  • Publish information about the content used to train the model using a template provided by the EU AI Office
  • (Providers based outside the EU) appoint an authorised representative in the EU

Providers of GPAI models with systemic risk (meaning those with high impact capabilities and significant impact on the EU market due to their reach or actual or reasonably foreseeable negative effects on public health, safety, public security, fundamental rights, or society as a whole) are required to:

  • Perform model evaluation in accordance with standardised protocols and tools, including conducting and documenting testing to identify and mitigate systemic risks
  • Assess and mitigate possible systemic risks at EU level
  • Track, document and report to the AI Office and national competent authorities information about serious incidents and possible corrective measures
  • Ensure an adequate level of cybersecurity protection for the GPAI model and its physical infrastructure

On 11 March 2025 the European Commission published the third draft of the GPAI Code of Practice under the EU AI Act. The Code is due to be finalised by 2 May to give providers sufficient time before the AI Act's GPAI rules become applicable on 2 August. The draft is based on a list of high-level commitments and provides more detailed measures to implement each commitment.

AI Continent Action Plan

On 9 April the European Commission published the AI Continent Action Plan, which is intended to boost the EU's AI innovation capabilities through actions and policies around five key principles:

1. Building a large-scale AI data and computing infrastructure

  • The EU will create a network of AI Factories and help set up AI Gigafactories (large-scale, high-power factories).
  • The Commission will propose a Cloud and AI Development Act, with the goal of at least tripling the EU's data centre capacity.

2. Increasing access to large and high-quality data

  • The EU will create Data Labs, bringing together large volumes of high-quality data in AI Factories.
  • It will launch a comprehensive Data Union Strategy this year to create an internal market for data that can scale up AI solutions.

3. Developing algorithms and fostering AI adoption in strategic EU sectors

  • The Commission will launch an Apply AI Strategy to boost adoption of AI.

4. Strengthening AI skills and talents

  • The Commission will facilitate international recruitment of highly skilled AI experts and researchers and develop educational and training programmes on AI and Generative AI in key sectors.

5. Regulatory simplification

  • The Commission will launch an AI Act Service Desk to help businesses comply with the AI Act.
  • It has launched two public consultations: one on its proposed Cloud and AI Development Act, and the other to identify stakeholder priorities and challenges to the uptake of AI.
  • It will launch a third consultation in May on the Data Union Strategy.

UK developments

Speaking at the IAPP Data Protection Intensive: UK 2025 in March, DSIT minister Chris Bryant suggested that the government could introduce draft AI legislation in the next 18 months. In the meantime, Lord Holmes has reintroduced his AI Regulation private member's bill into the House of Lords. As a private member's bill, this is unlikely to become law, but when he introduced the bill for the first time in 2023 it received plenty of support in the Lords, who have more recently attempted to introduce provisions regulating AI into the Data (Use and Access) Bill.

Action points
  • Identify whether any of your organisation's activities fall within the scope of the EU AI Act.
  • If so, identify whether any of these activities are now prohibited practices.
  • Put in place appropriate AI literacy training.
  • Prepare for the obligations which will apply from 2 August 2025 by identifying whether you are a provider of a GPAI model and, if so, whether it has systemic risk. Identify the required obligations and create a compliance plan.
  • Monitor developments in this space, including any further announcements from the EU about its AI Continent Action Plan or from the UK government about a possible AI Bill.

Next steps

Addleshaw Goddard's data specialists have extensive experience of advising our clients on all aspects of data compliance, so please contact one of us if you would like our assistance in relation to any of the issues covered in this newsletter, including international transfers, adtech rules, compliance with EU legislation such as the EU AI Act, or preparing to comply with the UK Data (Use and Access) Bill or the forthcoming Cyber Security and Resilience Bill.

Claire Edwards
Elisabeth Marrache
Helena Brown
Manuela Finger
Ross McKenzie
Samuel Martínez
David Hackett
