UK law
Online Safety Act 2023 (Category 1, Category 2A and Category 2B Threshold Conditions) Regulations 2025 made
The Online Safety Act 2023 (Category 1, Category 2A and Category 2B Threshold Conditions) Regulations 2025 SI 2025/226 have been made. The Regulations stipulate threshold conditions which the Secretary of State must set under paragraph 1 of Schedule 11 to the Online Safety Act 2023. These are threshold conditions which a regulated user-to-user service, search service or combined service under Part 3 of the OSA must meet to be designated by Ofcom as a Category 1, Category 2A, or Category 2B service in a published register and thereby be subject to additional duties under the OSA.
Artificial Intelligence (Regulation) Bill re-introduced to House of Lords
Lord Holmes of Richmond has re-introduced his Artificial Intelligence (Regulation) Bill to the House of Lords. The Bill aims to make provision for the regulation of artificial intelligence and for connected purposes. The Public Authority Algorithmic and Automated Decision-Making System Bill already continues to pass through the parliamentary process. Both Bills are private members bills but could gain traction.
CAP issues guidance on dark patterns
Sometimes referred to as Online Choice Architecture or Deceptive Design Patterns, Dark Patterns are a range of design decisions implemented to manipulate consumer behaviour in online spaces. There is concern that these practices cross the line beyond persuasion by exploiting human cognitive biases, confusing and coercing consumers into making decisions they may not have intended to make. Many of the practices considered ‘Dark Patterns’ have long been regulated under the CAP Code. Their use in advertising is not inherently problematic. However, there are some considerations advertisers should bear in mind to ensure they do not mislead. CAP has issued guidance with a few examples which have come up in ASA rulings over the years.
Two cross-party select committees respond to UK government consultation on AI and copyright
The Culture, Media and Sport Committee and the Science, Innovation and Technology Committee have said that the principle that everyone should receive fair remuneration for their creative work should underpin the relationship between the AI sector and rights holders. The Committees made a joint response to the government’s consultation on AI and copyright. The submission follows a joint evidence session held this month with representatives from AI start-ups and the creative industries. The Committees call on the government to introduce practical measures to improve transparency around the data used to train AI models and not to press ahead with its preferred option, centred around increased transparency requirements for AI developers and the introduction of an exception to copyright law for “text and data mining”, without a technical solution that works and is accessible to all. The Committees also say that the UK government should also publish a full impact assessment for each option proposed in the consultation, with robust mechanisms to ensure compliance, enforcement and redress when it comes to copyright.
EU law
EDPS issues supervisory opinion about using data subjects’ consent for processing health data
The EDPS has published a Supervisory Opinion on the European Economic and Social Committee and the European Committee of the Regions use of data subjects’ consent for processing health data by using a software connected with a national healthcare system.
EDPB launches coordinated enforcement on the right to erasure
The European Data Protection Board (EDPB) has launched its Coordinated Enforcement Framework (CEF) action for 2025. Following a year-long coordinated action on the right of access in 2024, the CEF’s focus this year will shift to the right to erasure or the “right to be forgotten” (Article 17 GDPR). The Board selected this topic as it is one of the most frequently exercised GDPR rights and one about which regulators frequently receive complaints from individuals. During 2025, 32 data protection authorities across Europe will take part in this initiative. Participating regulators will soon contact data controllers from different sectors across Europe, either by opening new formal investigations or doing fact-finding exercises. In the latter case, they might also decide to undertake additional follow-up actions if needed. Regulators will check how controllers handle and respond to the requests for erasure that they receive and, in particular, how they apply the conditions and exceptions for the exercise of this right. DPAs will also stay in close contact to share and discuss their findings throughout this year. The results of these national actions will be aggregated and analysed together to generate deeper insight into the topic, allowing for targeted follow-ups on both national and EU levels.
European Commission proposes adequacy decision for data flows with EPO
The European Commission has started the process to allow data to flow freely and safely between the EU and European Patent Organisation. This is the first-ever EU adequacy decision for an international organisation. Under the GDPR, the Commission may decide if a country or an international organisation outside the EU ensures an adequate level of data protection. The draft adequacy decision reflects the Commission’s assessment of the EPO’s legal framework and data protection rules: the Commission finds that the EPO provides comparable data safeguards to those of the EU. The draft adequacy decision will be transmitted to the European Data Protection Board as part of the adoption procedure. The Commission will seek approval from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions. When this procedure is completed, the Commission can proceed to adopting the final adequacy decision. The functioning of the adequacy decision will be subject to periodic reviews once it is in place. These checks will be carried out by the Commission together with European data protection authorities and, in this case, the EPO.
Irish government designates competent authorities under EU AI Act
The Irish government has designated eight organisations as competent authorities responsible for implementing and enforcing the AI Act within their respective sectors. The eight authorities are the Central Bank of Ireland, the Commission for Communications Regulation, the Commission for Railway Regulation, the Competition and Consumer Protection Commission, the Data Protection Commission, the Health and Safety Authority, the Health Products Regulatory Authority, and the Marine Survey Office of the Department of Transport. Additional authorities, and a lead regulator who will coordinate enforcement of the Act and provide several centralised functions, will be designated by a future Government decision to ensure comprehensive implementation of the Act. This follows October’s list of nine public authorities responsible for protecting fundamental rights under the Act. For example, the authorities will have the power to access documentation that developers and deployers of AI systems are required to hold under the AI Act.
