
DWF Data Protection Insights – August 2025

22 August 2025

Here is our round-up of the top data protection and cyber security stories looking back at July 2025, together with practical advice on what we are seeing in practice.

This month in review:

July has seen multiple data protection and digital regulation-related developments across the EU and the UK. In the UK, the Information Commissioner’s Office (“ICO”) has launched two significant consultations. The first consultation is focused on updating its guidance for storage and access technologies introduced by the new Data (Use and Access) Act 2025 (“DUAA”), specifically highlighting user consent. The second consultation is focused on a risk-based approach to regulating online advertising under PECR.

In the EU, the European Data Protection Board (“EDPB”) and European Data Protection Supervisor (“EDPS”) welcomed the European Commission’s (“EC”) proposal to simplify GDPR obligations for small and medium enterprises (“SME”), particularly regarding record-keeping obligations.

In relation to AI, the EC has confirmed the requirement for prompt compliance with the obligations regarding the use of general-purpose AI (“GPAI”) models under the EU AI Act, taking effect from 2 August 2025. The EU AI Office also released the final version of the GPAI Code of Practice, providing structured guidance on transparency, safety, and copyright.

The European Union Agency for Cybersecurity’s (“ENISA”) annual cybersecurity development report highlighted a 20.5% increase in telecom security incidents in 2024 in comparison to 2023. Additionally, the European Central Bank (“ECB”) finalised its guidance on outsourcing cloud services under the Digital Operational Resilience Act (“DORA”), outlining effective practices to manage risks.


Meet our Data Protection Extend & Accelerate Team


DWF's DPEA service is an innovative solution that offers rapid, flexible access to high-quality resources to support our clients with their data protection needs – all at a low cost. If you're experiencing a 'crunch', needing to upscale your data protection resources or wanting to find out more about how your organisation could benefit from this service, you can read about the service here or contact your usual DWF data protection contact or one of the authors of this article.

We'd like to introduce you to one of our DPEA team members

Dipti is a CIPP/E-certified Assistant Manager in DWF’s Pune office, and a member of the DPEA programme. With over 10 years of experience in legal operations, she specialises in contract management, litigation support, and cyber incident response. Since joining the DPEA programme in February 2025, she has completed extensive GDPR training, including OneTrust’s course suite, and earned her certification in April 2025. As part of her development, she created and presented a session on Lawful Data Processing (Consent) to colleagues, which helped strengthen both team learning and her client presentation skills. She regularly attends partner-led clinics and our Breakfast Briefings to stay ahead on developments in data protection.

Additionally, she conducted due diligence on Data Privacy for a client and has drafted various insights related to current trends in Data Protection. She has also been involved with DSAR matters including response letter drafting and research on DSAR related laws. Dipti is known for her structured approach, communication skills, and ability to work in high-performing teams across complex legal delivery projects.

Our events and articles


Trojan enforce: How third parties can tap into your tech agreements

DWF has published an article which dissects the recent UK High Court decision which emphasises the importance of carefully considering the potential for third party rights to arise unexpectedly. This article discusses how suppliers should be aware that their liability may increase when entering into IT outsourcing agreements and how this liability risk may be mitigated.

Data Protection and Cyber Security Breakfast Briefing

On 2 July 2025, we hosted our Breakfast Briefing on key developments in May and June, which provided an in-depth overview of the DUAA. In case you missed this session, a link to the session can be found here.

Our most recent Breakfast Briefing took place on 31 July 2025 and explored a range of relevant matters. Topics included the launch of impact assessment for the Internet of Things (“IOT”) products and services and the newly published guidance on cyber security cultures. A link to the session can be found here.

If you are interested in attending our next Breakfast Briefing, please reach out to your DWF contact, or email us at DPCS@DWF.law.

General updates


UK: ICO launches consultation on Privacy and Electronic Communications Regulations (“PECR”) guidance for device data access exceptions

On 7 July 2025, the ICO launched a public consultation on a new chapter of its updated guidance for storage and access technologies, formerly known as the “detailed cookies guidance”, under PECR. This update reflects changes brought in by the DUAA. It outlines specific exceptions to the general rule that websites and apps must obtain user consent before storing or accessing information on their devices. The new chapter clarifies that the exceptions only apply when the use of storage and access technologies strictly matches their intended purposes; otherwise, user consent is required.

You can read the press release here.

EU: EC publishes guidelines on GPAI models

The EC has published non-binding guidelines to help providers of general-purpose AI models comply with the EU Artificial Intelligence Act (“EU AI Act”) and the enforcement of its provisions that take effect on 2 August 2025. These guidelines define GPAI models based on computational power and capabilities like language or image generation, and outline their lifecycle, compliance expectations, and exemptions for open-source models. The European AI Office will support providers in achieving full compliance by 2 August 2027. Providers facing challenges, especially those with systemic risk, are encouraged to proactively engage with the European AI Office.

You can read the press release here and the guidelines here.

EU: ENISA releases annual report on telecom security incidents 2024

On 15 July 2025, ENISA released its annual report concerning telecom security incidents for 2024. The report revealed a 20.5% increase in reported cases compared to 2023, with 188 incidents submitted by 26 EU Member States and two European Free Trade Association countries. The most common causes for incidents were: i) service outages; ii) system failures; iii) human error (which had a significantly greater impact than the previous year); and iv) natural phenomena. However, there was also a decline from 2023 with only 15 incidents resulting from malicious actions. You can read the press release here and the annual report here.

EU: Easing Compliance for SMEs While Safeguarding Data Rights

The EC has proposed amendments to the GDPR to ease regulatory burdens on SMEs, raising the exemption threshold for maintaining processing registers from 250 to 750 employees. The European Data Protection Board (“EDPB”) and European Data Protection Supervisor support simplification, but stress that it must not compromise fundamental rights. They have called for clarity that government bodies are excluded and that only high-risk processing must be registered by SMEs. The European Parliament and the EC will now consider the proposal, with further GDPR amendments expected.

You can read the press release here.

EU: Action plan for lawful access to digital evidence

Law enforcement across the EU faces growing challenges in accessing digital evidence due to fragmented laws, widespread encryption, and outdated forensic tools. The lack of harmonised rules and cooperation mechanisms often leaves critical data out of reach, hindering investigations into serious and organised crime. The EC established the High-Level Group (“HLG”) to address challenges faced by law enforcement in accessing digital evidence. The HLG recommends an EU framework focused on building forensic capacity, improving industry cooperation, and introducing harmonised laws for data retention and lawful interception.

You can read the EC briefing here, the HLG’s report here and the HLG’s recommendations here.

Adtech and direct marketing


UK: ICO launches consultation on regulatory approach to online advertising

On 7 July 2025, the ICO launched a public consultation on its proposal to review its enforcement of Regulation 6 of PECR, which governs consent for technologies accessing user devices in online advertising. The ICO is exploring whether certain low-risk ad practices such as ad billing, fraud detection, and frequency capping could be exempt from consent requirements. The ICO has reaffirmed that targeted advertising involving profiling will always require consent. This public consultation covers six key advertising capabilities and the responses to the consultation will help inform the ICO’s updated enforcement approach. The public consultation closes on 29 August 2025.

You can read the press release here and the consultation here.

EU: ECB publishes Guide on outsourcing cloud services under DORA

On 16 July 2025, following its 2024 public consultation, the ECB published a guide on outsourcing cloud services under DORA to clarify its supervisory expectations. While this guide does not impose new legal obligations or requirements, it does outline good practices for managing IT third-party risks. The ECB has advised banks to adopt strong IT risk frameworks and clear exit strategies to align with their DORA requirements.

You can read the press release here.

AI and innovation


EU: Commission confirms absence of grace period for EU AI Act implementation

On 4 July 2025, the EC spokesperson confirmed that the EU AI Act obligations will be enforced according to the legally established timelines without delay or transitional relief. This marks a pivotal moment for all organisations deploying or developing AI within the EU or regulated by the EU AI Act. As a result, organisations will need to assess their AI systems, classify risks, and implement governance measures to ensure compliance. To support implementation, the EC is developing several non-legislative initiatives, which include a Code of Practice, a dedicated Service Desk, and a simplification package. These tools are still in development and are expected to be available later this year.

You can watch the recording of the press briefing here.

EU: AI Office publishes final version of GPAI code of practice

On 10 July 2025, the EC announced that it had received the final version of the general purpose Artificial Intelligence Code of Practice. This voluntary code, consisting of three chapters—Transparency, Copyright, and Safety and Security—is designed to assist providers of GPAI models in complying with the EU AI Act.

You can read the press release here.

EU: EC calls for applications to join EU AI Act Advisory Forum

On 17 July 2025, the EC launched its call for applications to join the EU AI Act Advisory Forum, seeking expertise on the implementation of AI regulation. The key aims of the Advisory Forum are to act as a general advisory body to the Commission and to advise the European AI Office, and when required the national market surveillance authorities, on GPAI. The key responsibilities of the Advisory Forum include providing technical advice to the EC and European AI Board regarding the EU AI Act, further investigating specific issues at the request of the EC or European AI Board, as well as assisting the EC on implementation.

You can read the press release here.

USA: USA Unveils America’s AI Action Plan

The USA’s AI Action Plan outlines a bold strategy to secure U.S. leadership in artificial intelligence through three key pillars: accelerating innovation, building robust AI infrastructure, and leading in global diplomacy and security. The plan includes over 90 federal actions, such as streamlining regulations, promoting open-source AI, and expanding data centre capacity. It also emphasises protecting free speech in frontier models and exporting secure AI technologies to allies. This initiative reflects a strong national commitment to harness AI for economic growth, scientific advancement, and geopolitical influence.

You can read the press release from the White House here.

EU: European Parliament publishes study on AI and civil liability

On 24 July 2025, the European Parliament published its study “Artificial Intelligence and Civil Liability: A European Perspective”, calling for a revision of the EU’s approach to AI-related civil liability. The study critiqued the current legal frameworks governing AI, finding the AI Liability Directive (“AILD”) particularly inadequate. The study recommended revising the AILD to implement a strict liability regime. The study concluded that this approach would ensure fair compensation, lower legal costs, encourage insurers to manage AI risks and align AI-related laws across the EU.

You can read the study here.

France: CNIL publishes GDPR compliance recommendations for AI system development

On 22 July 2025, the French data protection authority CNIL released a set of recommendations to guide the development of AI systems in line with the GDPR. The guidance applies to machine learning and general-purpose AI systems that process personal data during the development phase, including design, database creation, and training. The CNIL outlined 11 steps to ensure compliance, such as defining purpose, securing data, and enabling data subject rights, as well as recommending the preparation of a data protection impact assessment when appropriate to do so. The CNIL’s recommendations highlight risks such as bias, misinformation, and ethical concerns in AI use and development.

You can access the publication here.

EU: Strengthening Global Collaboration on AI Safety Through Agentic System Evaluation

On 17 July 2025, the European Commission announced that the EU AI Office is contributing to the third joint testing exercise of the International Network of AI Safety Institutes, focusing on the evaluation of agentic AI systems (advanced models capable of autonomous reasoning and task execution). This round concentrated on two high-risk areas: cybersecurity and the leakage of sensitive information. Traditional testing methods proved inadequate, prompting members to work together to improve methodologies.

You can read the full statement here.

Cyber, breach and ransomware


EU: Regulatory Technical Standard (“RTS”) on Subcontracting Under DORA published in Official Journal of EU

On 2 July 2025, the EC published the RTS on Subcontracting, specifying the elements a financial entity must assess when subcontracting IT services supporting critical functions under DORA. The RTS established several rules on topics such as proportionality, application for groups of undertakings, due diligence and risk assessment, material changes to subcontracting arrangements, and which IT supporting a critical function may be subcontracted. This RTS entered into force on 22 July 2025.

You can access the RTS here.

EU: EC seeks feedback on Digital Fairness Act

On 17 July 2025, the EC launched a consultation for the upcoming Digital Fairness Act (“DFA”), aiming to strengthen online consumer protection. The initiative invites feedback from consumers, businesses, influencers, NGOs, and other stakeholders to address legal gaps and build trust in digital markets. The EC published the call for evidence, highlighting that the DFA’s focal points are to address identified gaps and any areas of uncertainty. The DFA will explore targeted measures to tackle issues such as dark patterns, unfair pricing, problematic digital product features, influencer misconduct, and digital contract concerns, while enhancing consumer control over their online experiences.

You can read both the press release and the call for evidence here.

Data transfers


International: EU expresses concern regarding China data transfers and security

The EU and China held their 25th summit in Beijing on 24 July 2025. The EC discussed the need to foster reciprocity in the digital sphere and underlined the issue of European companies facing limited access to China. The EC also expressed ongoing concerns about the ambiguity surrounding Chinese data security regulations, cross-border data transfers from China, and the detection of malicious cyber activities originating from the country.

You can read the EC’s press release here.

If you have any questions relating to this article, please reach out to our authors below.
