UK law
Courts and Tribunals Judiciary publishes updated AI guidance and introduces Copilot Chat for judges
The Courts and Tribunals Judiciary has published updated guidance to help judicial office holders to use AI. It updates and replaces the guidance document issued in December 2023. It sets out key risks and issues associated with using AI and some suggestions for minimising them. Examples of potential uses are also included. Any use of AI by or on behalf of the judiciary must be consistent with the judiciary’s overarching obligation to protect the integrity of the administration of justice. The guidance also introduces a private AI tool, Microsoft’s “Copilot Chat”, which is now available on judicial office holders’ devices through eJudiciary. This guidance applies to all judicial office holders under the Lady Chief Justice and Senior President of Tribunal’s responsibility, their clerks, judicial assistants, legal advisers/officers and other support staff.
Ofcom investigates misuse of telephone numbers
Ofcom is investigating if communications provider Primo Dialler has misused numbers sub-allocated to it, including to perpetrate scams. Ofcom allocates telephone numbers, usually in large blocks, to telecoms firms. They can then transfer the numbers to individual customers or other businesses. In line with Ofcom’s consumer protection rules and industry guidance, phone companies must not misuse numbers which have been sub-allocated to them. Services must also ensure numbers are being used correctly in accordance with the National Telephone Numbering Plan. Ofcom believes that the numbers sub-allocated to Primo Dialler are potentially being misused, including to facilitate scams. Its investigation will seek to establish whether Primo Dialler is complying with its obligations, specifically neral Conditions B1.8, B1.9(b), B1.9(c), and the Communications Act S128(5). The investigation falls under Ofcom’s enforcement programme, launched last year, looking specifically at phone and text scams. The aim of the programme is to protect customers by supporting best practice in the use of phone numbers and to ensure providers are following Ofcom’s rules. If Ofcom has reasonable grounds to suspect that rules have been broken, it may launch further investigations.
Ofcom takes action regarding “Global Titles” in mobile sector
Mobile operators use Global Titles as routing addresses for the exchange of signalling messages between 2G and 3G mobile networks and to support their provision of mobile services. Ofcom has now announced new rules to ban their leasing. This is because criminals can use Global Titles to intercept and divert calls and messages, and obtain information held by mobile networks. This could, for example, enable them to intercept security codes sent by banks to a customer via SMS message. In extreme cases they can be exploited to track the physical location of individuals anywhere in the world. The ban on entering new leasing arrangements is effective immediately. For leasing that is already in place, the ban will come into force on 22 April 2026. This will give legitimate businesses who currently lease Global Titles from mobile networks time to make alternative arrangements. Alongside this, Ofcom has published new guidance for mobile operators on their responsibilities to prevent the misuse of their Global Titles.
ICO fines law firm £60,000 following cyber attack
The ICO has fined Merseyside-based DPP Law Ltd (DPP) £60,000, following a cyber attack that led to highly sensitive and confidential personal information being published on the dark web. It found that DPP failed to put appropriate measures in place to ensure the security of personal information held electronically. This failure enabled cyber hackers to gain access to DPP’s network, via an infrequently used administrator account which lacked multi-factor authentication and steal large volumes of data. DPP specialises in law relating to crime, military, family fraud, sexual offences, and actions against the police. The very nature of this work means it is responsible for both highly sensitive and special category data, including legally privileged information. As the information stolen by the attackers revealed private details about identifiable individuals, the ICO highlights that DPP has a responsibility under the law to ensure it is properly protected. In June 2022, DPP suffered a cyber-attack which affected access to the firm’s IT systems for over a week. A third-party consulting firm established that a brute force attempt gained access to an administrator account that was used to access a legacy case management system. This enabled cyber attackers to move laterally across DPP’s network and take over 32GB of data, a fact DPP only became aware of when the National Crime Agency contacted the firm to advise information relating to their clients had been posted on the dark web. DPP did not consider that the loss of access to personal information constituted a personal data breach, so did not report the incident to the ICO until 43 days after they became aware of it.
ICO fines compensation company £90,000 for unlawful marketing calls
The ICO has also fined AFK Letters Co Ltd (AFK) £90,000 for making more than 95,000 unsolicited marketing calls to people registered with the Telephone Preference Service, in a clear breach of electronic marketing laws. AFK writes letters seeking compensation and refunds for its customers. Between January and September 2023, AFK used data collected through its own website and a third-party telephone survey company to make 95,277 marketing calls without being able to demonstrate valid and specific consent from the people contacted. Despite AFK claiming it could not provide evidence of consent because it deleted all customer data after three months, when challenged by the ICO, it was also unable to provide consent records for several calls made within a three-month timeframe. AFK’s third-party data supplier was using consent statements which did not specifically name AFK when asking the public for consent to be called. Additionally, AFK’s own privacy policy only mentioned contact by email, and did not state that people would also receive phone calls. The ICO’s investigation found that AFK failed to comply with Regulation 21 of the Privacy and Electronic Communications Regulations.
EU law
European Commission consults on revision of EU Cybersecurity Act
The European Commission is consulting about revising the 2019 EU Cybersecurity Act. The consultation focuses on the European Union Agency for Cybersecurity mandate, the European Cybersecurity Certification Framework, and ICT supply chain security. It aims to simplify cybersecurity rules and streamline reporting obligations. The consultation ends on 20 June 2025.
Irish Data Protection Commission announces inquiry into X
The DPC has announced an inquiry into the processing of personal data comprised in publicly-accessible posts posted on the ‘X’ social media platform by EU/EEA users, for the purposes of training generative AI models, in particular the Grok Large Language Models (LLMs). The inquiry will examine compliance with the GDPR, including the lawfulness and transparency of the processing. Grok is the name of a group of AI models developed by xAI. They are used, among other things, to power a generative AI querying tool/chatbot, which is available on the X platform. Like other modern LLMs, the Grok LLMs have been developed and trained on a wide variety of data. The DPC’s inquiry considers a range of issues concerning the use of a subset of this data which was controlled by X, that is, personal data in publicly accessible posts posted on the X social media platform by EU/EEA users. The purpose of the inquiry is to determine if the personal data was lawfully processed to train the Grok LLMs. The DPC has notified X of its decision to conduct the inquiry under Section 110 of the Irish Data Protection Act 2018.
Coimisiún na Meán publishes Strategy Statement and Work Programme
Coimisiún na Meán has published its first three-year strategy, which sets out its vision for the media landscape in Ireland. The Strategy Statement 2025-2027 is accompanied by a 2025 Work Programme, which lists priority projects across Coimisiún na Meán’s remit of online safety, media sector development and regulation. The Strategy Statement 2025-2027 is built on six key outcomes: children, democracy, trust, diversity and inclusion and public safety. Among the priority projects outlined in Coimisiún na Meán’s 2025 Work Programme are the development of a pilot programme for children at imminent risk of harm from online content, the development of an Election Integrity Strategy across all media sources, the creation of educational materials relating to online hate, the preparation of a new Broadcasting Services Strategy and a revised Media Plurality Policy, and the continuation of the Sound & Vision and Journalism funding Schemes.
