
DWF Data Protection Insights – September 2025

17 September 2025

Here is our round-up of the top data protection and cyber security stories looking back at August 2025, together with practical advice on what we are seeing in practice.  

This month in review:

In this issue we look back at August: Developments in data protection legislation, principles and guidance.

In the UK, the Government responded to the Data Intermediaries’ call for evidence, noting legal ambiguity, low awareness, and technical friction as key barriers. It plans to shape future policy to support trust and accountability. The Information Commissioner’s Office (“ICO”) launched consultations on Data Use and Access Act (“DUAA”) amendments, including a new lawful basis and mandatory complaints procedures.

We have also seen stage 1 of the DUAA come into force, introducing rules on data access, sensitive data, and the Commissioner’s role. The ICO clarified that facial recognition technology (“FRT”) must comply with data protection law and confirmed its role in audits and guidance. The Law Commission published a paper on AI and the law, raising concerns about liability gaps and suggesting AI could gain legal personality.

We have also seen several updates from the EU, where the European Commission (“EC”) published a study on AI in healthcare, identifying barriers and recommending standards, funding, and catalogues. It listed GPAI Code of Practice signatories, including major tech firms, noting reduced burdens and legal certainty. The EC also launched a consultation to assess the Whistleblower Protection Directive’s effectiveness. This month also saw the launch of the consultation on the Biotech Act, which aims to standardise regulation and integrate AI.

In the US, NIST published a concept paper on securing AI systems, proposing control overlays. The UK’s National Cyber Security Centre (“NCSC”) updated its Cyber Assessment Framework (“CAF”), adding guidance on attacker methods and AI risks. The European Banking Authority (“EBA”) opened a consultation on governance guidelines under Capital Requirements Directive (“CRD”) VI, aligned with Digital Operational Resilience Act (“DORA”). The Court of Justice of the European Union (“CJEU”) ruled that employee data laws must comply with GDPR.

Our contents this month:

Meet our Data Protection Extend & Accelerate (“DPEA”) team: Michael Flathers

DWF's DPEA service is an innovative solution that offers rapid, flexible access to high-quality resources to support our clients with their data protection needs – all at a low cost. If you're experiencing a 'crunch', needing to upscale your data protection resources or wanting to find out more about how your organisation could benefit from this service, you can read about the service here or contact your usual DWF data protection contact or one of the authors of this article.

Michael is a CIPP/E certified Paralegal who joined DWF after graduating with a Master's degree in Law and Legal Practice. Michael has experience in drafting enforcement notices, preparing trial bundles for court hearings and undertaking data subject access requests for multiple clients. He has also been a speaker on a number of data protection breakfast briefings. He is adept at learning new skills and undertakes multiple responsibilities within the firm.

Our events and articles

Data Protection and Cyber Security Breakfast Briefings

On 31 July 2025, we hosted our monthly Breakfast Briefing where we delved into some recent developments in data protection across Europe and the UK. Key updates covered the EC Generative AI outlook report, the implementation timeline for the DUAA and the status of the EC’s UK adequacy renewal process. In case you missed this webinar, you can watch the recording here.

Our next Breakfast Briefing will take place on Thursday 25 September from 9am to 10am, where we will be discussing some of the latest developments, including the ICO’s consultation on online advertising and the AI Office’s final version of the GPAI Code of Practice. If you would like to join this session live, please RSVP here, or contact your usual DWF contact or send an email to dpcs@dwf.law.

General updates

UK: Government publishes response to consultation on data intermediaries

On 1 August 2025, the UK Government responded to the Data Intermediaries’ call for evidence, highlighting the barriers organisations face in the uptake of data rights and in performing data intermediation services, the interaction of different laws, the taxonomy of data intermediaries, potential risks and best practice, and examples of success factors. While data intermediaries have potential to empower individuals and support innovation, barriers such as legal ambiguity, low public awareness and technical friction remain significant. Respondents called for clearer governance, standards, and safeguards to ensure trust and accountability. The Government is looking into how it can best support these priorities and will provide an update in due course. You can read the response here.

UK: ICO launches consultations for DUAA amendments

The ICO has launched consultations to help it finalise its guidance for organisations on two key amendments under the DUAA:

  1. The new lawful basis called “recognised legitimate interest”; and
  2. The requirement for organisations to have a data protection-related complaints procedure.

These changes aim to give businesses more confidence in using personal data for specific pre-approved public interest purposes and ensure individuals can raise concerns effectively. The consultations run until 30 and 19 October 2025 respectively.

You can read the press release here.

UK: The first provisions of the DUAA enter into force

On 20 August 2025, Stage 1 of the UK Government’s implementation of the DUAA commenced through the Commencement No.1 Regulations 2025. Following the Act receiving Royal Assent on 19 June 2025, several key provisions came into force on 20 August. These include measures to improve access to business and customer data, clarify rules around processing sensitive personal and law enforcement data, and enhance the Information Commissioner’s role through new statutory duties and codes of practice. The government is also now required to report on how AI systems use copyright-protected works, and new deadlines have been introduced for issuing emergency alerts and notifying data breaches. 

You can access the regulations here.

AI and innovation

UK: ICO clarifies how data protection law applies to FRT

On 13 August 2025, the ICO clarified that FRT “does not operate in a legal vacuum” and is subject to data protection law – this means that its use must be lawful, fair, proportionate and respectful of individuals’ rights and freedoms, with appropriate safeguards in place. Additionally, the ICO stated that FRT is a priority area for it and highlighted the importance of providing clear guidance and undertaking regular audits of its use by law enforcement agencies.

The statement can be found here.

UK: Law Commission publishes a discussion paper on AI and the law

On 31 July 2025, the Law Commission released a discussion paper on how AI challenges existing legal frameworks. Key concerns raised include increased autonomy leading to “liability gaps” for harms caused by an AI system, the inability of AI systems to understand “mental states” (for example, where criminal liability requires proving intent or knowledge), and over-reliance on AI that puts accuracy at risk.

The press release can be found here and the paper here.

EU: Commission publishes study on the deployment of AI in healthcare

European healthcare systems are increasingly challenged by sustainability concerns, driven by a rapidly aging population (the proportion of population aged 65 and above is projected to reach nearly 30% by 2050), staff shortages and testing and treatment inefficiencies. Whilst AI technology has the potential to transform the provision of healthcare, its deployment in clinical practice remains limited due to technological issues (such as interoperability across different platforms and systems and available infrastructure), legal and regulatory frameworks, organisational hurdles (such as difficulties securing investment) and social and cultural challenges (such as the fear of overreliance on technology).

You can read more about it here.

EU: Commission publishes list of signatories to GPAI Code of Practice

On 2 August 2025, the EC released a list of companies that signed the GPAI Code of Practice, including Google and OpenAI. The Code is a voluntary framework supporting alignment with the EU AI Act, which consists of three chapters: Transparency, Copyright, and Safety & Security. According to the EC, the signatories benefit from reduced administrative burdens and greater legal certainty.

The full list is available here.

EU: Commission opens consultation on Biotech Act

The EC launched a public consultation on the Biotech Act on 4 August 2025, following an earlier call for feedback in May. The Act seeks to improve regulatory clarity in the biotech sector by standardising regulations, promoting balanced data sharing aligned with the Data Act, and integrating artificial intelligence. It aims to enhance access to high-quality anonymised datasets and AI tools, supporting drug discovery and responsible biotechnology use. The EC is particularly interested in feedback on AI Factories, access to real-world health data, and computing resources. The Biotech Act will build on existing legal frameworks such as the European Health Data Space. Stakeholders are encouraged to submit comments via the EU Survey portal by 10 November 2025.

You can access the Biotech Act page here and the public consultation here.

USA: National Institute of Standards and Technology ("NIST") publishes Concept Paper for Control Overlays for Securing AI Systems

On 14 August 2025, NIST released a concept paper and proposed action plan for developing a series of control overlays for securing AI systems. The concept paper proposes a cybersecurity framework profile for AI together with overlays of the NIST SP 800-53 controls, which would enable organisations already familiar with NIST SP 800-53 to tailor those controls to a specific technology and environment.

You can read the press release here and the concept paper here.

Cyber, breach and ransomware

UK: NCSC publishes updated CAF

On 6 August 2025, the NCSC published v4.0 of its CAF, enhancing guidance for essential service providers. Key changes include a new section on building a deeper understanding of attacker methods and motivations and improved coverage of AI-related cyber risks.

The press release can be found here and the CAF here.

EU: EBA requests comments on revised guidelines on internal governance

On 7 August 2025, the EBA opened a consultation on updated Guidelines on internal governance under the CRD. Reflecting changes introduced by CRD VI and aligning with DORA, the Guidelines include requirements for third-country branches such as ICT risk management, documentation and a register of third-party arrangements, as well as sound business continuity planning.

The consultation is open for comments until 7 November 2025.

You can access the press release and the draft Guidelines here.

Employment and data subject rights

EU: CJEU publishes judgment on processing of employee personal data

On 2 July 2025, the CJEU published a significant judgment in Case C-65/23 MK v K GmbH regarding the processing of employee personal data. The case involved a company which processed personal data of its employees using SAP software and then transferred the data to a server of its parent company in the United States. The CJEU held that Articles 88(1) and 88(2) of the GDPR require national law concerning the processing of personal data in the employment context to comply with Articles 5, 6(1), 9(1) and 9(2) of the GDPR.

You can read the CJEU’s full judgment here.

EU: Commission announces call for evidence on the Whistleblower Protection Directive

On 21 August 2025, the EC announced that it had opened a consultation process on Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (the Whistleblower Protection Directive). The EC is looking for feedback from a range of stakeholders, including the general public, to evaluate the Directive’s relevance, its effectiveness in achieving its objectives and whether its benefits have been proportionate to its costs.

You can read the call for evidence here.

If you have any questions relating to this article, please reach out to our authors below.