In house legal teams are seeing a rapid evolution of the regulatory landscape in areas driven by technology, data and governance. Artificial Intelligence remains a central concern, with ongoing uncertainty around copyright and training data. In the UK, Getty has been granted permission to appeal the High Court’s ruling in its case against Stability Artificial Intelligence on the dismissal of its secondary infringement of copyright claim, and the Court of Appeal will now consider how the concept of an “infringing copy” in the CDPA should apply in the context of an Artificial Intelligence model. At the same time, the UK government has issued only a “statement of progress” on its consultation on the use of copyright material in developing Artificial Intelligence systems, with responses strongly favouring stronger copyright protection in tension with the ambition to put Artificial Intelligence at the heart of economic growth. Divergence with the EU is widening, highlighted by the Munich Regional Court’s more protectionist GEMA v OpenAI ruling and the extraterritorial reach of the EU Artificial Intelligence Act, which may capture UK businesses even where they do not sell Artificial Intelligence systems directly into the EU.
Data protection and privacy frameworks are also shifting. The UK adequacy decision has been renewed until 27 December 2031, and the European Commission has formally confirmed the UK adequacy decision for a further six years, preserving frictionless personal data flows between EU member states and the UK. Domestically, key provisions of the Data (Use and Access) Act 2025 came into force on 5 February 2026, signalling further UK divergence from the EU regime by combining greater flexibility with tougher enforcement. The Information Commissioner’s Office is now able to impose fines of up to £17.5 million, or up to four percent of global worldwide turnover for breaches of the PEC Regulations 2003, and the Act clarifies that controllers can “stop the clock” when seeking further information on complex or unclear DSARs. Restrictions on purely automated decision making by Artificial Intelligence systems are relaxed where appropriate safeguards exist, while organisations offering online services likely to be accessed by children must be able to evidence how their measures protect users across age groups, with further guidance from the regulator expected.
Alongside this, EU institutions are pursuing a Digital Omnibus Regulation package comprising two Omnibus proposals: one to amend the EU Artificial Intelligence Act and one to revise existing data, cyber and privacy laws including the GDPR and ePrivacy Directive. These proposals seek to streamline extensive digital legislation in response to competitiveness concerns flagged in the 2024 Draghi report, but have drawn criticism from privacy advocates worried about narrowing the definition of “personal data”, easing Artificial Intelligence developers’ use of personal data without consent and adding a new DSAR exemption. Changes to the Artificial Intelligence Act’s implementation timeline have also raised concerns about legal certainty. In the UK employment sphere, the Employment Rights Act 2025, which came into force at the end of last year, represents the most significant overhaul of employment law in over a generation. Corporate governance practice is evolving too, with GC100’s recent position supporting fully virtual AGMs in anticipation of government amendments to the Companies Act 2006 to confirm virtual meetings are permitted, while signalling that companies may still need to update their articles of association to gain flexibility to hold virtual only meetings.
