Recent years have seen a wave of new and sometimes overlapping digital regulations across the world. The EU’s ambitious digital program enacts a raft of legislation, while the UK walks a fine line between testing post-Brexit divergence while recognizing the need for certainty and consistency for global businesses. . 2025 is the year that many of these new laws will begin to take effect, and organizations will need to have processes in place to comply. Here we look at developments in four key areas: AI, data, competition, and digital regulation of financial services.
A.I.
EU AI law has dominated the debate on AI regulation within and outside Europe for some time. Although currently in effect, this focus is likely to continue as further developments are expected this year. For example, rules banning the use of specific AI will come into effect from February this year, and rules regarding general AI will come into effect from August this year. Listening to EU legislators and regulators discuss implementation of the law, they believe (particularly in the wake of the Draghi report on EU competitiveness) that innovation in the competitive global AI market will appears to be well aware of the challenges it faces in order to avoid being hampered by regulation, and this subject. (or tension) is something we’re seeing playing out more generally in relation to digital regulation around the world. That said, the UK is also expected to enact an AI bill, which is expected to only regulate companies that are developing the most powerful AI models.
However, new AI-specific legislation is not the only development to watch. AI poses special challenges with respect to intellectual property law, and to determine whether current approaches to training AI are compatible with intellectual property law and whether the output from generative AI is protectable. Case law and government intervention are awaited. Ultimately, this comes down to balancing the interests of content providers and AI developers.
On the privacy front, regulators continue to focus on AI. Organizations are still processing new guidance from both the EU and the UK. At the time of writing, the European Data Protection Board (EDPB) is expected to publish its underlying model document on 23 December 2024, and the UK data regulator, the Information Commissioner’s Office (ICO), Generative AI is expected to see further development in 2025.
Elsewhere, developments in the UK’s new online safety rules and sectoral regulators (including financial regulators – see below) are also expected to impact on AI.
data
2025 looks set to be a transformative year for data privacy. The UK Data (Use and Access) Bill will amend existing data privacy laws and is expected to become law in the first half of 2025. Most importantly for businesses, the bill introduces tougher penalties for cookie breaches and marketing breaches under the GDPR, and builds on the success of the UK’s existing open services in sectors such as finance and energy. “Smart Data” is to promote data sharing schemes. banking system. New guidance is also expected from the ICO on important topics such as data anonymization and cookies. In the EU, businesses will welcome promised guidance from the EDPB on the interaction of GDPR with other data-related legislation such as the AI Act and the Digital Markets Act. A key part of the EDPB guidance is anonymization and “consent or payment” models (beyond those operating on large online platforms). Additionally, the EU’s GDPR procedural reforms are expected to progress and potentially be finalized during 2025, and are expected to facilitate more efficient resolution of complex cross-border cases. , a practice that incoming EU justice commissioner Michael McGrath says will tackle unfair personalization.
competition
In the UK, at the time of writing, the new digital markets regime established by the Digital Markets, Competition and Consumers Act 2024 (DMCC) is due to start soon, and the Competition and Markets Authority (CMA) In the first year since its launch, four companies have achieved “strategic market positions.” Once designated, these companies will have to comply with merger reporting obligations and targeted conduct requirements and may be subject to “pro-competitive intervention” by the CMA. New merger control standards aimed at catching “killer acquisitions” will also be implemented.
In Europe, the existing momentum for enforcement under the Digital Markets Act (DMA) is expected to continue in 2025. New Competition Commissioner Teresa Rivera said she planned “robust enforcement” of the DMA, a sentiment echoed by Hena Virkunen. , Executive Vice President for Technology Sovereignty, Security and Democracy. Both vice presidents will work closely on the DMA, with shared priorities of opening up closed ecosystems, giving consumers choice, and ensuring that data belongs to the creators. Rivera made it clear that more resources are needed to enforce the DMA, noting that this is a “cross-border” issue and requires coordination with national competition authorities.
Digital regulation of financial services
Companies operating in the financial services sector are subject to special digital regulations, which will continue to evolve into 2025. Regulatory rules on operational resilience aimed at managing the risk of disruptions such as cyber-attacks and IT system outages will continue to apply. It applies from 17 January 2025 in the EU and until 31 March 2025 for certain businesses in the UK. Both jurisdictions will also begin designating a small number of businesses as part of this operational resilience framework. Position third-party providers (which may include AI and cloud services) as “critical” to the financial sector and directly impose requirements on them.
The regulatory capture of this important third party speaks to the increasing intertwining of technology and financial services. In response, we expect financial regulators in the EU and UK to continue to examine the impact of Big Tech’s entry into financial services, advance the development of open finance, and modernize the payment services landscape.
As AI use cases in finance proliferate, we may see clarification from EU authorities on the relationship between financial regulation and EU AI law, with the UK regulator’s current technology-agnostic approach to AI ultimately There are also indications that this may change. Finally, the EU regulatory framework for cryptoassets will be fully applicable from 30 December 2024 and will begin to be implemented in 2025 (subject to derogations). The UK has confirmed that it will proceed with the development of a more comprehensive regulatory framework for crypto-asset activities in 2025, with final rules expected to be completed in 2026.
