Data Protection & AI: Key Legal and Regulatory Updates – July 2025

As always, the world of data protection and AI continues to evolve rapidly, with numerous legal and regulatory developments happening around the globe. While there are too many changes to cover in detail, here’s a concise roundup of some of the most notable recent updates:

European Union

EU GDPR Simplification Proposal

On 28 May, the European Commission released a proposal aimed at simplifying certain GDPR obligations for small and mid-cap enterprises. The proposal applies to organizations with fewer than 750 employees, a balance sheet total not exceeding EUR 129 million, and an annual net turnover below EUR 150 million. While intended to ease compliance burdens, the proposed adjustments are relatively modest compared to what some had anticipated.

New EU Data Protection Guidelines and Reports

The European Data Protection Board (EDPB) adopted final guidelines on 5 June regarding the transfer of personal data to authorities in third countries. Additionally, two reports were published by the EDPB’s Support Pool of Experts, covering AI security and associated data protection risks – Fundamentals of Secure AI Systems with Personal Data, and Law & Compliance in AI Security & Data Protection. This reflects growing regulatory attention on AI governance, and the significant overlap between AI and privacy laws and obligations.

EU AI Act Timeline Remains Intact

On 4 July, the European Commission confirmed that there would be no delay in the implementation of the EU AI Act, despite significant lobbying efforts. It remains possible that the EU AI Act may be subject to targeted amendments as part of the EU’s current program of deregulation and simplification. However, the European Commission is focused on simplifying implementation rather than the legislation itself.

EU Guidance on General-Purpose AI

Ahead of the EU AI Act obligations on General-Purpose AI (GPAI) providers becoming applicable on 2 August 2025, the European Commission has published its General-Purpose AI Code of Practice, and Guidelines on the scope of obligations for providers of general-purpose AI models. Providers of GPAI models placed on the market before 2 August 2025 must comply with the obligations by 2 August 2027.

The two documents serve different purposes. The Guidelines are non-binding and clarify the scope of the EU AI Act obligations on GPAI providers, whereas the Code of Practice is a voluntary code that providers can choose to sign. Several GPAI providers (including OpenAI and Anthropic) have announced their intention to sign the Code; Meta has announced that it will not. Both documents aim to help organizations developing and deploying GPAI systems comply with the EU AI Act requirements, including ensuring transparency, accountability, and safety in high-impact systems.

Copyright and Generative AI: European Parliament Study Suggests New Approach

In another notable move, the European Parliament has released a study examining the intersection of Generative AI and Copyright Law. The study recommends a novel policy concept: introducing an EU-level statutory exception for the training of generative AI systems on copyrighted works.

Crucially, it suggests coupling this exception with an unwaivable right to equitable remuneration – ensuring that creators are paid fairly for the use of their work, even if consent wasn’t explicitly obtained. The proposal acknowledges the impracticality of seeking individual consent from thousands (or millions) of rightsholders during AI model training, while still respecting the rights of creators.

While this recommendation is not current EU policy, it offers a thought-provoking glimpse into possible future frameworks that balance innovation with creator rights.

United Kingdom

UK Data (Use and Access) Act Receives Royal Assent

On 19 June, the UK’s Data (Use and Access) Act 2025 (“DUAA”) was formally enacted. This legislation introduces a range of updates to the UK data protection framework, as well as provisions around digital verification services, smart data initiatives, and asset registers.

Amongst other things, the Act includes:

  • An increase of the maximum fines for direct marketing and cookies breaches to match the GDPR maximum,
  • Changes to the obligations regarding automated decision-making, so that the restrictions apply only to decisions based on sensitive (“special category”) data rather than all personal data,
  • The introduction of “recognized legitimate interests” as a new lawful basis for processing personal data,
  • A change to the basis on which UK adequacy decisions are made, and
  • An expansion of the technologies caught by the cookie rules (together with an expansion of the exceptions).

The UK’s data protection regulator, the Information Commissioner’s Office (ICO), is to be replaced by an Information Commission with a different structure. The ICO was a “corporation sole” vested in the individual Commissioner, whereas the new Commission will be a board-led body, the more typical structure for a UK regulator. This is not expected to make much practical difference, particularly as the board will be chaired by the existing Commissioner until the end of his agreed term.

EU-UK Adequacy Decision Extended; New Adequacy Decision In Progress

To allow time for review in light of the UK’s recent legal changes, the European Commission has extended the UK’s adequacy decision from 27 June to 27 December 2025. This extension allows the EU to assess whether the UK’s new legislative reforms maintain an adequate level of protection under EU standards.

On 22 July, the European Commission launched the process to adopt new adequacy decisions for the UK, having concluded that the UK’s legal framework after the DUAA continues to provide data protection safeguards essentially equivalent to those in the EU. Before the adequacy decisions are final, they will be sent to the EDPB for its opinion and must be approved by a committee of EU Member State representatives. The European Parliament also has a right of scrutiny.

United States

Major Changes to Connecticut’s Privacy Law

On 25 June, Connecticut enacted substantial amendments to its privacy law when SB 1295 was signed into law. The applicability threshold was significantly lowered, from processing the personal data of 100,000 Connecticut consumers to 35,000. Organizations “offering [Connecticut] consumers’ personal data for sale in trade or commerce”, and entities that control or process Connecticut consumers’ sensitive data, are subject to the law regardless of volume (unless the sensitive data is used solely for the purpose of completing a payment transaction). The definition of sensitive data has been expanded, as have individuals’ rights to object to automated decision-making.

Connecticut Announces First Settlement Under Privacy Law

The Connecticut Attorney General has announced the first settlement under the state’s Data Privacy Act (CTDPA). TicketNetwork, Inc. has agreed to a settlement with the Office of the Attorney General, including:

  • An $85,000 payment,
  • A requirement to comply with the CTDPA moving forward,
  • An obligation to maintain metrics related to consumer rights requests, and
  • Submission of reports of these metrics to the Attorney General.

TicketNetwork was first sent a “cure notice” by the Office of the Attorney General in November 2023, and under the CTDPA it had 60 days to resolve each deficiency they identified. The announcement states that almost all the other companies which were contacted under the Attorney General’s four “privacy notice sweeps” to date had taken prompt steps to become compliant, but that TicketNetwork was unique in having repeatedly claimed to have resolved deficiencies, yet failing to do so and not responding promptly to follow-ups.

This action echoes early enforcement trends under the California Consumer Privacy Act (CCPA), where initial cases have focused heavily on website privacy notice and cookie compliance. It underscores that regulators are placing a strong emphasis on transparency and user rights in digital environments. It is also a good example of why it is important to cooperate with regulators: they would often rather bring organizations into compliance than issue fines, so cooperation may avoid publicized enforcement action.

CCPA Enforcement Action Results in $1.55 Million Settlement

On 1 July, California’s Attorney General announced a settlement with Healthline Media LLC over alleged violations of the California Consumer Privacy Act (CCPA). This was the fourth enforcement action completed under the CCPA, all of which have focused on the sale of personal information (particularly in the context of targeted advertising) and on consent and opt-out requirements. Healthline’s alleged non-compliance included failure to offer consumers an opt-out for data sharing with third parties, non-compliant contracts, and a misleading cookie consent banner that did not function as claimed.

In particular, Healthline used cookies and pixels to send data about website users to advertisers and other third parties. That data uniquely identified users and included the title of the article they were reading. Some titles could indicate that a user had been diagnosed with a serious health condition, for example “You’ve Been Newly Diagnosed with MS. What’s Next?”

In the settlement, Healthline agreed to stop this practice and to maintain a CCPA compliance program that mandates contract audits for required privacy terms, keeps online disclosures and the privacy policy accurate, and ensures that opt-out mechanisms function correctly. The case shows the importance of understanding what information your website collects, which third parties receive it, and what those pieces of information reveal when combined.
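As an added illustration (not part of the original post, and not Healthline’s or the Attorney General’s material), the following Node.js script audits a constructed capture of a page’s outbound requests for exactly this kind of disclosure: any third-party host that receives the article title or the page path in a query parameter or a Referer header is flagged. The publisher host, the page, the tracking endpoints and the request list are all hypothetical; a real audit would read the requests from a HAR export or proxy log and use a public-suffix list rather than the two-label apex approximation used here.

```javascript
// Added example, not from the original post. Audits captured outbound requests
// from an article page for disclosure of the page title or URL path to
// third-party hosts. All hosts, parameters and requests below are constructed.

const FIRST_PARTY_HOST = 'www.example-health.test'; // hypothetical publisher host

// Constructed page context: a title that itself reveals a diagnosis.
const PAGE = {
  url: 'https://www.example-health.test/health/ms/newly-diagnosed-whats-next',
  title: "You've Been Newly Diagnosed with MS. What's Next?",
};

// Constructed capture, a subset of what a HAR file or proxy log would hold.
const SAMPLE_REQUESTS = [
  { url: 'https://www.example-health.test/static/app.js', headers: {} },
  { url: 'https://pixel.adtech.test/t?uid=ab12&title=' + encodeURIComponent(PAGE.title),
    headers: { referer: PAGE.url } },                      // full page URL as Referer
  { url: 'https://cdn.fonts.test/inter.woff2',
    headers: { referer: 'https://www.example-health.test/' } }, // origin-only Referer: fine
  { url: 'https://sync.dmp.test/cs?id=ab12&dl=' + encodeURIComponent(PAGE.url),
    headers: {} },                                          // cookie sync carrying the page URL
];

// Registrable-domain approximation: the last two labels. Adequate for the
// hypothetical .test hosts here; a real audit should use the public-suffix list.
function apex(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function isThirdParty(hostname, firstPartyHost) {
  return apex(hostname) !== apex(firstPartyHost);
}

// Decode percent-encoding if present; tolerate values that are not encoded.
function safeDecode(value) {
  try { return decodeURIComponent(value); } catch (e) { return value; }
}

// Which sensitive page attributes does a single header or parameter value reveal?
function disclosures(value, page) {
  const v = safeDecode(String(value)).toLowerCase();
  const found = [];
  if (v.includes(page.title.toLowerCase())) found.push('title');
  if (v.includes(new URL(page.url).pathname.toLowerCase())) found.push('path');
  return found;
}

// Returns one finding per third-party request that discloses the title or path,
// listing where the disclosure occurred: "query:<param>:<what>" or "header:<name>:<what>".
function auditLeakage(requests, page, firstPartyHost) {
  const findings = [];
  for (const req of requests) {
    const u = new URL(req.url);
    if (!isThirdParty(u.hostname, firstPartyHost)) continue;
    const leaks = [];
    for (const [name, value] of u.searchParams) {
      for (const what of disclosures(value, page)) leaks.push(`query:${name}:${what}`);
    }
    for (const [name, value] of Object.entries(req.headers || {})) {
      for (const what of disclosures(value, page)) leaks.push(`header:${name.toLowerCase()}:${what}`);
    }
    if (leaks.length > 0) findings.push({ host: u.hostname, leaks });
  }
  return findings;
}

const REPORT = auditLeakage(SAMPLE_REQUESTS, PAGE, FIRST_PARTY_HOST);
console.log(JSON.stringify(REPORT, null, 2));
```

On the constructed capture the script flags the pixel host twice (the title in the `title` parameter and the page path in the Referer) and the cookie-sync host once (the page URL in `dl`), while the font CDN, which only receives an origin-level Referer, is not flagged. A `Referrer-Policy: strict-origin-when-cross-origin` header is the usual way to close the Referer channel; the query-parameter channel has to be closed in the tag configuration itself.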

Proposed US AI Enforcement Pause Rejected

Also on 1 July, the US Senate removed a proposed enforcement moratorium on AI legislation from a budget reconciliation bill. Had it passed, the moratorium would have prevented state-level enforcement of AI regulations, highlighting the ongoing tension between federal and state approaches to AI governance. AI-related bills continue to proliferate at the state level, mostly focused on specific sectors and AI use cases.

This is by no means an exhaustive list – there are many more developments underway in both data protection and AI regulation, which we are keeping under review and are happy to discuss.

Need Guidance on Data Protection or AI Compliance?

If your organization is navigating evolving privacy laws or preparing for upcoming AI regulations, our experienced data protection and technology attorneys are here to help. We provide strategic, practical legal advice tailored to your business.

Contact us today to discuss how we can support your compliance efforts and help you stay ahead of regulatory change.

About Us
BLG Bortstein Legal Group
We are a noted leader in the areas of technology, market data, digital content, privacy, cyber-security, outsourcing, and vendor contracts.