15 October 2025

AI, Data And Cybersecurity: Insights For In-house Counsel - Autumn 2025

Travers Smith LLP


1 No solution to the AI and copyright conundrum yet

It has been a busy summer in the AI copyright debate but still no solution in sight: the respective positions of copyright owners (who want to protect their work from being scraped by AI) and AI providers (who need vast amounts of material to train their models) still appear to be polarised.

The many attempts to address the copyright issue in the Data (Use and Access) Act 2025 (DUAA) – with proposals "ping-ponging" between the House of Lords and the House of Commons – failed. Instead, the DUAA only promises a Government report on the issue by March 2026, with a progress report in January 2026. The Government has also delayed the unveiling of an 'AI Bill' until at least summer 2026.

Will the courts provide an answer to the copyright issue?

There is no sign that the courts will provide an answer in the short term either, which places even greater importance on a legislative solution.

In June 2025, Getty Images dropped its High Court claims of primary copyright infringement and database rights infringement against Stability AI, in a trial that could have provided some clarity for the UK AI sector and creative industries alike. The decision to drop these allegations is largely due to the difficulty in establishing that the infringing acts (in relation to Stable Diffusion's training data and outputs) took place in the UK. The claims of trade mark infringement, passing off and secondary copyright infringement (as regards importing an "article" into the UK) remain, but these do not go to the heart of the hotly contested issue of training data and AI outputs infringing copyrighted works.

2 EU AI Act – obligations on new General Purpose AI (GPAI) models now apply

The EU AI Act's obligations for GPAI model providers took effect from 2 August 2025, with the associated guidance published only shortly beforehand. The General-Purpose AI Code of Practice (10 July), guidelines on the scope of the GPAI obligations (18 July), and a template for training data summaries (24 July) arrived just weeks in advance. Nonetheless, the AI Office's promise of a "collaborative, staged, and proportionate" enforcement approach, and no fines before 2 August 2026, provides some reassurance to providers. Notably, models launched before 2 August 2025 – including those making headlines in recent years – benefit from a two-year grace period to comply and needn't be retrained if technically unfeasible or disproportionately burdensome, provided this is disclosed and justified.

Many businesses will be gearing up for the obligations on new high-risk systems which begin to apply next year, from 2 August 2026. Our briefing on the EU AI Act provides more details on what is happening under the EU AI Act and when.

What AI training have you rolled out?

The EU AI Act demands that providers and deployers of AI systems take measures to ensure a sufficient level of AI literacy of their EU staff and anyone else using AI systems in the EU on the organisation's behalf. This obligation began to apply on 2 February 2025. Our AI literacy briefing looks at the EU Commission's FAQs on AI literacy and the steps that organisations should be taking to meet this requirement.

3 The Data (Use and Access) Act (DUAA) is finally here!

The DUAA, with its package of data protection and e-privacy reforms, introducing frameworks for smart data and digital verification schemes and putting the National Underground Asset Register on a statutory footing, finally made it to the statute book in June 2025 after a stop-start legislative journey that lasted several years (including various incarnations proposed by the previous government).

The legislation has a staged application, with most of its provisions requiring secondary legislation to be brought into effect.

Limited data protection reforms

A wholesale reform of UK GDPR this is not, which is undoubtedly a relief to most businesses who have already invested heavily in GDPR compliance – changes to data subject rights, for example, largely codify existing regulatory guidance. There have, however, been some limited relaxations to the rules in relation to automated decision-making, data transfers and cookies. Our briefing on the data protection aspects of the DUAA provides some key takeaways for businesses.

The DUAA is unlikely to negatively impact the EU's adequacy decision in favour of the UK, the review deadline for which was postponed until 27 December 2025 to allow the DUAA first to pass.

4 The EU's Data Act begins to apply

Key data-sharing obligations in relation to connected products (IoT devices such as connected cars, smartphones, medical devices, connected TVs and health trackers) and cloud switching requirements began to apply from 12 September 2025 under the EU's Data Act.

Our briefing, EU Data Act: compliance countdown for connected products, as well as our earlier briefing, discuss the significant compliance burden imposed on connected product businesses. The Data Act requires manufacturers and other data holders to share data (both personal and non-personal data) generated by the use of connected products with product users and, at the user's request, with third parties (as well as with government bodies for emergencies). There are also substantial contractual and transparency requirements.

Switching between cloud providers should get easier

As well as opening up access to data for connected products, the Data Act imposes new obligations on cloud services providers operating within the EU to make it easier for customers to switch and transfer their data between competing providers. Providers may now only charge for costs directly incurred as a result of switching and must phase out all switching charges by January 2027.

Cloud service providers should also have updated their terms and conditions and existing customer contracts to reflect the Data Act's mandatory content requirements – see our briefing on the Data Act's changes to cloud services contracts.

From a UK perspective, the new Data (Use and Access) Act contains a framework for the UK Government to legislate for smart data schemes, but secondary legislation will be needed to flesh out the details. The Government has not made any specific proposals in relation to cloud switching.

5 A new EU milestone for accessibility

Businesses across a broad range of sectors will be affected by the accessibility requirements of the European Accessibility Act (EAA), which came into effect in June 2025. The EAA applies to many categories of consumer products and services, particularly digital technologies, ranging from payment terminals and smartphones to consumer banking services and online shops. The aim is to make all these products and services accessible to everyone, including people with disabilities. See our briefing for an overview of the European Accessibility Act's impact.

What's the UK position on accessibility?

The EAA applies to products and services provided in the EU (including by UK-based businesses). There has been no suggestion from the UK Government that EAA-equivalent legislation will be introduced in the UK. However, businesses operating exclusively in the UK market also cannot afford to be complacent about accessibility.

UK businesses are still required to comply with the Equality Act 2010, which aims to protect people with certain protected characteristics from direct and indirect discrimination, victimisation and harassment. Under the Equality Act, businesses are required to: (i) make reasonable adjustments to ensure disabled individuals have equal access to their services, including websites and mobile apps; and (ii) address any substantial disadvantage faced by disabled users.

It is also possible that an EAA-compliant standard may become the market norm, even in the UK, once the EAA takes effect. Businesses operating in the UK should therefore be on the front foot in ensuring that the products and services they provide are accessible.

6 Data breach? There is no threshold for seriousness for data protection claims

A recent Court of Appeal decision may make it more difficult for defendants to dispose of low-value claims at an early stage. In the Farley case, the Court confirmed that there is no seriousness threshold for data protection claims (choosing to follow the approach of the European Court of Justice).

The Court also found that actual disclosure to a third party was not an "essential ingredient" of an allegation of processing or infringement. Businesses can therefore be liable under data protection law for administrative errors that they may categorise as "near-misses", such as sending data to the wrong address, where no third party accesses the data.

Does this decision open the floodgates to low-value claims for data breaches?

No, we do not expect this to be the case.

It is clear from the decision that the courts will give short shrift to hypothetical or speculative claims of harm that are not "well-founded". The test is whether a reasonable person in the claimant's position, knowing what they knew at the time, would have had a genuine reason to fear that their data might be misused.

The decision also provides further support for low-value claims to be pushed down the County Court's Small Claims Track.

Moreover, nothing in the Farley case reverses the position in respect of collective claims following Lloyd v Google (see our briefing here). Lloyd v Google burst the bubble of opt-out representative actions, making mass data protection claims less attractive and more difficult to pursue in the UK. The CoA in Farley simply made the point in relation to collective claims that the mere fact that a large number of low-value claims are brought together does not make them automatically abusive or justify striking them out in bulk.

See our briefing on Farley v Paymaster for 3 key takeaways for businesses.

7 Spate of high-profile cyber-attacks underscores the need for vigilance

In the wake of the recent high-profile cyber-attacks, from those on Marks & Spencer, Harrods and the Co-op in the spring through to those on Jaguar Land Rover and Heathrow in September, incident response and supply chain attack preparedness should be treated as board-level priorities to limit the significant business disruption, cost and impact on customer confidence which these incidents can entail.

A number of these attacks were targeted at supply chains. Our briefing on cyber risks in the supply chain focuses on these supply chain risks and how to mitigate them.

UK's Cyber Security and Resilience Bill is yet to emerge

Recent cyber legislation has generally targeted financial services, critical national infrastructure or essential services. However, new obligations in respect of cyber resilience already apply in the EU to IT managed service providers (under NIS2) or will apply to them in the UK (pursuant to the UK's forthcoming Cyber Security and Resilience Bill, due to appear later this year).

It is currently unclear whether the Bill will reflect the Government's proposals aimed at curbing ransomware attacks by banning some ransomware payments and increasing reporting around ransomware attacks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
