UK law
CMA publishes final guidance on new direct consumer enforcement powers
The CMA has published its final Direct Consumer Enforcement Guidance which sets out how it plans to use its direct consumer enforcement powers under the Digital Markets, Competition and Consumers Act 2024, which come into force on 6 April 2025. The CMA has drafted the guidance having regard to the need to balance pace of the CMA’s investigations with proportionality for businesses, ensuring a clear and robust process and predictability for parties in terms of what they can expect from the CMA. This guidance may be revised from time to time, including to reflect changes in best practice, the law or the CMA’s approach to investigations.
CMA consults about replacing technology transfer block exemption
The Competition and Markets Authority is consulting about its proposed recommendation to replace the Assimilated Technology Transfer Block Exemption Regulation (TTBER) with a new UK block exemption order. The current regulation, which automatically exempts certain technology transfer agreements from competition law restrictions, expires on 30 April 2026. The CMA proposes to recommend that the Secretary of State make a block exemption order of 12 years duration that exempts the categories of technology transfer agreements currently exempted by the TTBER, and which includes the same definitions, conditions and obligations as the TTBER (adapted as necessary for UK purposes), but with the following variations: removing “utility models” from the definition of “technology rights”, adding “copyright in a database” and “database rights” to the definitions of “technology rights” and “intellectual property rights”, adding definitions of “active sales” and “passive sales”; and replacing the market share thresholds in respect of technology markets with a condition that there be at least three independently controlled substitutable technologies in addition to the technologies held by the parties to the agreement. The consultation ends on 11 April.
ICO unveils measures to drive economic growth
The ICO has set out new measures aimed at supporting the UK government’s growth agenda. It will publishing a free data essentials training programme for small businesses. It will also pilot an experimentation regime to enable businesses to trial innovative new data-driven solutions under rigorous oversight. It will also introduce a statutory code of practice for private and public sector businesses developing or deploying AI, allowing them to unleash the possibilities of the technology while safeguarding the public’s privacy – and strengthening the UK’s position as a global AI leader. It will also carry out a regulatory review of online advertising by reviewing the Privacy and Electronic Communications Regulations consent requirements to enable a shift towards privacy-preserving online advertising models. Finally, it will publish new guidance on international transfers of data, which underpin around 40 per cent of UK exports and 20 per cent of imports – and making it easier for UK businesses to access new markets and partners.
CMA clears software company merger
The CMA has been investigating the completed acquisition by MRI Software LLC of Capita One Limited. It has now cleared the acquisition.
DSIT launches call for evidence on data brokers
DSIT is calling for evidence on data brokers. It concerns the activities involved in facilitating access to UK data (including data on UK persons, businesses, infrastructure etc.) This is via data brokerage, where pre-packaged or bespoke datasets can be obtained at speed and scale. Organisations undertaking such activities are referred to as data brokers (also known as information brokers or data providers). Whilst these organisations can support the benefits of data sharing, the government recognises the potential for hostile actors, such as cyber criminals, to acquire UK data on the open market. Hostile actors could exploit this opportunity and data brokers themselves, tainting an otherwise important market, to access large amounts of UK data. This data could include potentially sensitive information a hostile actor may use for malign purposes, resulting in potential national security harms, as set out in part 2 of this call for views. Other countries have also identified data related national security risks and are taking steps to mitigate this. The UK government is seeking views to understand more about organisations that take part in data broking and the wider industry. In particular, the government would like to understand the operations, security practices and customers of data brokers, to support policy development. The call for evidence ends on 12 May 2025.
DSIT launches call for evidence on data intermediaries
DSIT has also launched a call for evidence on data intermediaries. It is seeking information to inform policy design, promote trusted data access and sharing, and help manage potential harms from third-party data control. It concerns the exercise of data subject rights, the delegation of those rights to third parties, and the activity of data intermediaries, as well as the wider regulatory framework for these activities. The call for evidence also ends on 12 May 2025.
EU law
European Commission proposes to extend adequacy decisions for the UK by six months for free and safe data flows
The Commission has proposed adopting an extension of the two 2021 adequacy decisions with the UK for a period of six months. This means that the free flow of personal data with the UK would be maintained until 27 December 2025. Once concluded, the Commission will assess the new legal framework and decide on its adequacy. In the meantime, the UK data protection rules that were found adequate in 2021 remain in place and continue to apply to data transferred from the EU. The draft extension decisions will now be transmitted to the European Data Protection Board for its opinion, as part of the adoption procedure. Once approved, the extension will be valid until 27 December 2025. Once the UK’s legislative process on the Data (Use and Access) Bill concludes, the Commission will assess whether the UK continues to provide an adequate level of protection for personal data. If that assessment is positive, the Commission will propose to renew the UK adequacy decisions. The Minister of State for Data Protection and Telecoms recently indicated that the Bill was in its final stages and anticipated its completion around Easter and said that he believes that the new Bill will meet the EU’s adequacy requirements.
