The evolution of digital regulation

Management

Laura Houston at Slaughter and May describes what to expect from digital regulation in 2025

Across the globe, we’ve witnessed a wave of new and sometimes overlapping digital regulation in recent years. Numerous pieces of legislation have resulted from the EU’s ambitious digital programme, while the UK navigates a careful balancing act between exploring post-Brexit divergence and maintaining certainty and consistency for global business.

Many of those new laws will start to bed down in 2025, prompting organisations to establish processes to ensure compliance. So, with the new year underway, what should businesses know about the latest developments in key areas like AI, data, competition, and digital regulation?

The evolving landscape of AI governance

In Europe and beyond, discussions around AI Regulation have been dominated by the EU AI Act for some time. Although the regulation is now in force, further developments are anticipated this year, suggesting this focus will persist. For instance, on 2nd February the first wave of the EU AI Act’s requirements took effect (banning certain AI uses), while those rules concerning general purpose AI will apply from August.

When EU regulators and legislators discuss the implementation of the Act, it’s evident that they understand the challenge of ensuring regulation does not stifle innovation in the highly competitive global AI market. This issue has received heightened attention following the publication of the Draghi report on EU competitiveness. By recognising the need to balance regulation with fostering innovation, this tension is becoming increasingly apparent in global discussions around digital regulation.

While the UK is also planning to introduce an AI Bill, this is only expected to regulate those developing the most powerful AI models.

However, new AI-specific safety laws are not the only area demanding attention. AI technology raises unique challenges for intellectual property law, where we await either case law or government intervention to clarify whether AI training methods comply with IP law and whether generative AI outputs can be protected. Ultimately, this will require balancing the interests of AI developers and content providers.

Privacy is another area of regulatory focus in relation to AI. Businesses are still digesting new guidance from both the UK and the EU. For instance, the European Data Protection Board (EDPB) published its foundation models paper on 18th December 2024, while the UK’s data regulator, the Information Commissioner’s Office (ICO), published its response to its consultation on Generative AI in late December, with more developments anticipated later this year. This includes a proposed single set of guidance from the ICO covering all those developing or using AI products.

Transforming data privacy and regulation

For data privacy, 2025 is shaping up to be a year of significant change. In the first half of the year, the UK’s Data (Use and Access) Bill is expected to become law, bringing amendments to existing data privacy legislation.

For businesses, a notable change will be the introduction of higher penalties for marketing and cookie infringements, aligning them with those already enforced under the General Data Protection Regulation (GDPR). The Bill will also support ‘Smart Data’ data sharing schemes in industries including energy and finance, aiming to build on the success of the UK’s Open Banking scheme.

In late December and early January, the ICO published updated cookie guidance and guidance on ‘consent or pay’ models respectively, with new ICO guidance anticipated this year on important topics such as data anonymisation, internet of things, cloud computing and international data transfers.

Businesses in the EU are also set to receive (and likely welcome) guidance promised by the EDPB on how the GDPR and other data-relevant legislation, including the AI Act and Digital Markets Act, will interact, with the EDPB recently having published guidance on the interplay between data privacy and competition laws. Additional guidance from the EDPB is also expected on anonymisation and ‘consent or pay’ models, beyond those being operated by major online platforms.

During 2025, EU GDPR procedural reforms are also expected to progress – potentially to completion. These reforms promise to facilitate the resolution of complex cross-border cases more efficiently. Meanwhile, the incoming EU Commissioner for Justice, Michael McGrath, has promised to address unfair personalisation practices.

A new era for digital competition

The new digital markets regime established under the Digital Markets, Competition and Consumers (DMCC) Act 2024, has now commenced, with the CMA expected to designate three or four firms as having “strategic market status” within the first year of its implementation.

Following their designation, these firms will be required to meet merger reporting obligations and adhere to targeted conduct requirements. They may also face ’pro-competitive interventions’ from the CMA. Additionally, a new merger control threshold designed to capture ’killer acquisitions’ will come into effect.

We can also expect the current momentum of enforcement under the Digital Markets Act (DMA) in Europe to continue this year. Teresa Ribera, the new Competition Commissioner, has promised “vigorous enforcement” of the DMA, which was reiterated by Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy.

The two Vice-Presidents aim to collaborate closely on the DMA, focusing on shared goals such as opening up closed ecosystems, enhancing consumer choice, and ensuring data ownership remains with its creators. Ribera has emphasised the need for greater resources to effectively enforce the DMA, highlighting that this is a challenge extending “beyond our borders” and requiring coordinated efforts with national competition authorities

Preparing for regulatory change

With 2025 set to be a pivotal year for digital regulation, businesses must stay vigilant and proactive in understanding and adapting to these developments. From AI governance to data privacy and competition rules, the evolving regulatory landscape demands careful attention and preparation combined with a healthy dose of pragmatism.

By staying ahead of compliance requirements and engaging with new frameworks, organisations can navigate these changes effectively while seizing opportunities in a more regulated digital market.

Laura Houston is a partner at Slaughter and May

Main image courtesy of iStockPhoto.com and putilich