UK law
Data Protection (Charges and Information) (Amendment) Regulations 2025 made
The Data Protection (Charges and Information) (Amendment) Regulations 2025, SI 2025/63, have been made. They amend the Data Protection (Charges and Information) Regulations 2018, SI 2018/480, to increase the annual data protection fees payable to the Information Commissioner across all tiers of the charge structure by 29.8%. These Regulations come into force on 17 February 2025.
ICO publishes updated response to Data Use and Access Bill
The Data (Use and Access) Bill was introduced to Parliament on 24 October 2024. The Bill has now completed its passage through the House of Lords, where it has been subject to several amendments and significant debate. The ICO has provided its comments on the amendments that have been made in the House of Lords and on some key areas of the debate.
GDS publishes comprehensive AI Playbook for UK Government use
The Government Digital Service has published an AI Playbook which offers guidance on using AI safely, effectively and securely for civil servants and people working in government organisations. The previous government’s white paper on a pro-innovation approach to AI regulation sets out five principles for regulators to inform AI development in all sectors. The playbook builds on those principles and defines ten core principles for AI use in government and public sector organisations.
UK government publishes guidelines about enforcing designated vendor directions under the Communications Act 2003
The Department for Science, Innovation and Technology has published guidelines on the government’s approach to the enforcement powers in the Communications Act 2003 to ensure the security of the public telecoms network.
HMRC and DBT consult on electronic invoicing across UK businesses and the public sector
E-invoicing is the digital exchange of invoice information directly between buyers’ and suppliers’ financial systems, even if these systems are different. The outcome is an invoice which is automatically written into the buyer’s financial system without manual processing. E-invoicing automates the exchange of invoices between buyers and suppliers. Increased e-invoicing uptake may support economic growth and business productivity, improve business cashflow and reduce errors in tax returns. It has the potential to support both businesses and tax administration. With this in mind, HMRC and the Department for Business and Trade (DBT) are publishing a joint consultation to understand how e-invoicing may align with businesses. The government is interested in exploring different models of e-invoicing; whether to take a mandated or voluntary approach to e-invoicing; what scope of mandate might be most appropriate in the UK and for businesses; and whether e-invoicing should be complemented by real-time digital reporting. The consultation ends on 7 May 2025.
EU law
Advocate General Szpunar clarifies the responsibilities of the operator of an online marketplace
The Advocate General has delivered an opinion in Case C-492/23 | Russmedia Digital and Inform Media Press. In 2018, an advertisement was published on Publi24.ro (a website of Russmedia), an online marketplace, stating that a person (X) was offering sexual services. The advertisement contained photos and a telephone number taken from the victim’s accounts on social networking sites, used without her consent. Russmedia quickly deleted the advertisement, but it was reproduced on other websites. X brought an action against Russmedia. The Romanian courts referred the matter to the CJEU, seeking clarification about the responsibilities of the operator of an online marketplace in this case. Advocate General Maciej Szpunar has analysed the link between the Directive on electronic commerce and the GDPR. Regarding the Directive on electronic commerce, he said that the operator of an online marketplace, such as Russmedia, may be exempt from liability regarding the content of advertisements published on its marketplace as long as its role remains neutral and purely technical. The exemption does not apply if that operator is actively involved in the management, modification or promotion of content. On the GDPR, he said that the operator of an online marketplace acts as a processor of the personal data contained in advertisements. As a result, it is not obliged to check the content of those advertisements systematically before publication. However, it must adopt organisational and technical measures to protect that personal information. Regarding the personal data of user advertisers registered on that online marketplace, the operator of that marketplace acts as a controller and, in that context, must verify the identity of the user advertisers.
European Commission welcomes new European Board for Media Services
The new European Board for Media Services (the Media Board) has held its constitutive meeting, marking a milestone in the implementation of the European Media Freedom Act. The Media Board replaces the European Regulators Group for Audiovisual Media Services. As such, the Board will promote the consistent implementation of the Audiovisual Media Services Directive while providing expertise and assistance on media regulation to the Commission. The Media Board will have new tasks under the Media Freedom Act. It will provide opinions on national measures that could significantly affect the operation of media providers, on media market concentrations, and on common measures to protect the internal market from non-EU media providers that pose threats to public security, for example, when it comes to foreign information manipulation and interference. This aims to reduce barriers to providing media services across the EU, and to safeguard media pluralism and independence in the internal market. In addition, a media service provider can request the Media Board’s opinion on the outcome of the dialogue concerning repeated unjustified restrictions or suspension of the media provider’s content based on terms of service with Very Large Online Platforms designated under the Digital Services Act.
European Commission and EBDS integrate Disinformation Code into EU DSA framework
The European Commission and the European Board for Digital Services (EBDS) have endorsed the integration of the voluntary Code of Practice on Disinformation into the framework of the Digital Services Act from 1 July 2025. This makes the Code a benchmark for determining platforms’ compliance with the DSA. The Commission says that with its integration, full adherence to the Code may be considered as an appropriate risk mitigation measure for signatories designated as VLOPs and VLOSEs under the DSA. As such, the Code will become a significant and meaningful benchmark for determining DSA compliance. Compliance with the commitments under the Code will also be part of the annual independent audit, which these platforms are subject to under the DSA. The Commission and the EBDS encourage the signatory platforms to follow several recommendations when implementing the Code of Conduct on Disinformation. These include promptly finalising the Rapid Response System to cover all national elections and crises and implementing it effectively; a swift Taskforce discussion and follow-up regarding their commitments; and providing all the necessary data to fill the gaps in their reporting and to allow the further development and efficient measurement of structural indicators, including new ones. The Commission and the EBDS will monitor and evaluate the achievement of the Code’s objectives under Article 45 of the DSA.
European Parliament approves update of VAT rules to make them fit for digital times
The updated rules will require that VAT be paid for services provided through online platforms. By 2030 online platforms must pay VAT for services provided through them in most cases where the individual service providers do not charge VAT. MEPs say that this will end the distortion of the market because similar services provided in the traditional economy are already subject to VAT. This distortion has been most significant in the short-term accommodation rental sector and the road passenger transport sector. Member states may exempt SMEs from this rule. The new rules will also fully digitalise VAT reporting obligations for cross-border transactions by 2030 with businesses issuing e-invoices for cross-border business-to-business transactions and automatically reporting the data to their tax administration. This aims to make it easier for the tax authorities to tackle VAT fraud. To simplify the administrative burden for businesses, the online VAT one-stop-shops will be improved.
Data protection authorities sign joint declaration on AI
Data protection authorities from Ireland, Australia, Korea, France and the United Kingdom have signed a joint declaration to reaffirm their commitment to implementing data governance that promotes innovative and privacy-protecting AI. The declaration was signed in Paris, at an OECD hosted event organised by the Commission nationale de l’informatique et des libertés (CNIL) and the Data Protection Authority of South Korea.