Data, Privacy & Cyber: 10 Top Trends for 2025 | Ius Laboris - JDSupra
AI continues to dominate headlines in 2025. Global regulation is advancing rapidly, with significant developments such as the UK’s AI Opportunities Action Plan, Australia’s National AI Capability Plan, and the first provisions of the EU AI Act coming into force. In the US, President Trump has rescinded existing Executive Orders and signed a new Executive Order to develop an AI action plan in 180 days. In Europe, on the other hand, regulatory scrutiny is increasing, with fines (e.g. for OpenAI) and investigations (e.g. Meta, Grok AI and, of course, DeepSeek). The UK Information Commissioner’s Office’s (‘ICO’s’) Gen AI outcomes report, the culmination of the series of consultations it conducted throughout the year, emphasises the need for transparency, urging companies to tell people how their information is used.
AI Governance and Compliance
Against this backdrop, ensuring your AI governance is fit for purpose is going to be key, whether by identifying your lawful basis to train or deploy a model, putting DPIAs in place, reviewing AI vendor terms, updating your procurement processes or setting boundaries with LLM/Gen AI policies. This is the year to get your house in order!
UK Data Reform and GDPR
Is it third time lucky for data reform in the UK? The Data (Use and Access) Bill is making significant progress through the UK Parliament. This Bill aims to simplify data protection requirements to encourage trade, while maintaining the UK’s adequacy status with the EU. So, what does this mean in practice? For now, it is a case of waiting to see what is finally enacted but it likely means the relaxing of some, for want of a better phrase, “red” tape. We should all keep a close eye on what is happening in the Privacy and Electronic Communications Regulations (‘PECR’) space – UK GDPR level fines are one thing, but cookie consent and proposed exemptions will need to be scrutinised to understand their impact.
EU-US Data Privacy Framework and International Data Transfers
The EU-US Data Privacy Framework (‘DPF’) and its UK Extension and Swiss framework meant we all hoped to see a more settled period for international data transfers. However, recent fines and court decisions, such as the Dutch DPA’s €290 million fine for Uber and the EU General Court’s decision in Bindl v. European Commission, highlight ongoing challenges. Max Schrems and NOYB also appear to have shifted their focus to data transfers to China, filing complaints against companies like TikTok, AliExpress, Temu and SHEIN. For global businesses with complex international data flows it will be imperative to keep track of developments in order to ensure compliance.
Online Tracking and Privacy Regulations
To answer our question from last year, 2024 was not the year when we saw the death of third-party cookies; instead, Google announced an updated approach. Google also announced it is adopting a new stance on device fingerprinting. The ICO has also been busy publishing various guidance related to online tracking. In December, it released a draft of its storage and access technologies (cookies) guidance, where it took a conservative view regarding the need to obtain cookie consent for non-essential cookies, although, interestingly, it seemed to take a more relaxed view on enforcement.
Online Tech Regulation and Child Data Protection
2025 is a pivotal year for online tech regulation in the UK, with many of the Online Safety Act (‘OSA’) provisions coming into force. Providers must assess the risk of illegal harms and implement safety measures set out in the codes of practice. Protecting children’s data remains a global priority. While there has been very little in the way of regulatory enforcement so far in the UK, the ICO and Ofcom are expected to begin actively enforcing the Children’s Code and the OSA, respectively.
Cyber Security and Ransomware
With 2024 reportedly being a record year for ransomware payments, cyber security remains a top concern – governments around the world are looking for a way to tackle its scourge and ever-increasing scale. For its part, the UK is currently consulting on introducing a ban on ransomware payments, as well as a mandatory ransomware incident reporting regime. Meanwhile, many UK organisations are affected – either directly or indirectly – by the progress of the EU’s cybersecurity strategy. Notably, the deadline for EU Member States to transpose the Network and Information Systems Directive (NIS 2) has now passed.