NEW UK DATA PROTECTION COMPLAINTS PROCEDURE: WHAT YOU NEED TO KNOW BEFORE 19 JUNE

The UK’s new Data (Use and Access) Act 2025 changes UK data protection law to require all data controllers to implement a data protection complaints procedure by 19 June 2026.

What is the purpose of this new complaints procedure?

The new procedure allows individuals to raise data protection concerns directly with the organisation, prior to the individual complaining to the UK’s data protection regulator, the Information Commission. It is designed to ensure organisations handle complaints transparently, efficiently, and fairly while reducing the burden on the Information Commission.

What obligations do organisations have under this new procedure?

  • Provide assistance to individuals making complaints, such as offering an electronic complaints form or dedicated complaints email address.
  • Acknowledge complaints within 30 days.
  • Take appropriate interim steps, such as investigating the subject matter of the complaint and keeping the complainant updated on progress.
  • Inform the complainant of the outcome of their complaint without undue delay.
  • Issue a final response to the complaint.

The Information Commission has produced guidance and the new rules and details can be found here.

What can you do now to prepare?

  • Prepare and implement a complaints procedure for data protection concerns.
  • Update your privacy policy to inform people of the complaints procedure and how to raise complaints.
  • Train staff on how to respond to queries and complaints from people about data protection.


UK Government announces plans for a social media ban and additional measures to protect younger audiences

The UK Government today announced plans to introduce a social media ban for under-16s, alongside a range of additional measures intended to safeguard younger audiences. Key drivers of the ban are stated to be children’s mental health and wellbeing, in addition to concerns over exposure to harmful content online.   

The ban is expected to be brought in before the end of this year, and to take effect from Spring 2027. It follows largely the same model as the Australian social media ban, which was introduced earlier this year, but with some additional measures. The Government has been taking preparatory steps so that the ban can be implemented quickly – including through changes to the UK Online Safety Act via the Children’s Wellbeing and Schools Act 2026. These changes empower the Secretary of State to introduce rules to prevent children’s access to “specified internet services” or their functionalities.

In addition to banning social media, the plans also promise restrictions on “harmful functions” for under-16s, such as livestreaming and communication between strangers and children. The Government says that these restrictions will apply to a wide range of online services, including so-called “gaming sites” where adults can be paired with children (the exact meaning of which is not provided).

In parallel to this, the Government has said that it plans to introduce more Highly Effective Age Assurance (HEAA) to support compliance and make it harder for children to bypass restrictions – an issue which has plagued the equivalent restrictions in Australia.

The Secretary of State wrote to Ofcom to ask for an urgent review of Ofcom’s enforcement capabilities, and for Ofcom to publish an enforcement strategy. Ofcom has responded at lightning pace to confirm its commitment to working alongside Government to ensure the protections will be effective, robust and introduced quickly. Further, its updated enforcement strategy will be published in due course.

While details of the plans are still thin, a few immediate concerns arise. For example, it is unclear which platforms will be caught. The announcement openly says that Snapchat, TikTok, YouTube, Instagram, Facebook and X will be caught, and that messaging services like WhatsApp will not. However, the outer limits of the scope are not clear. This will cause concern for providers of mixed services, such as online multiplayer video games which contain a mixture of solo content, multiplayer content, chat/social functions and UGC.

At a time when studios and publishers have only just got to grips with their obligations under the UK Online Safety Act and the EU Digital Services Act, this is not what they will want to hear. The UK Online Safety Act is a comprehensive law, requiring many providers to implement safety measures which are designed specifically to protect children: for example, informational resources for children, child-friendly anonymous ways to report harmful content, internal policies for child protection, training, performance targets etc. A lot of these efforts could be in vain (or need significant updating) if under-16s are then simply blocked from the service (or the communications part of it).

Partner Kostyantyn Lobov said: “Like most of these laws, the games industry is not the primary target here but, once again it will be caught in the crossfire. If we continue to put games into the same bucket as social media then, sadly, developing and incorporating multiplayer interaction features may eventually not be worth it for smaller and medium-sized studios. The irony is that multiplayer games can foster social interaction and create meaningful friendships, in a way that doomscrolling your favourite social media app does not.”

We will be monitoring these plans in the coming months and will post further updates as needed, but the key takeaways are as follows:

  • Law expected in late 2026, coming into force in Spring 2027.
  • Social media platforms will be banned for under 16s.
  • “Harmful functions” like livestreaming and stranger comms will be restricted for under 16s.
  • Expanded roll out of Highly Effective Age Assurance (HEAA).
  • Ofcom to publish an enforcement strategy.
  • Mixed services, such as some online multiplayer games, likely to be at least partly within scope.

For further information please contact Kostyantyn Lobov or Sophie Lewis.

The Sporting Events Bill: a legislative framework for major sporting events

The Sporting Events Bill, which establishes a legislative framework for future major international sporting events hosted in the UK, is currently moving through Parliament. Its key provisions relate to ticket touting, advertising and trading in restricted areas, unauthorised association with an event, transport and funding.

What is the Sporting Events Bill?

The Sporting Events Bill (“the Bill”), introduced to the House of Lords on 14 May 2026, offers a common legislative framework for future major sporting events. While in the past, Parliament passed event-specific legislation such as the London Olympic Games and Paralympic Games Act 2006 and the Birmingham Commonwealth Games Act 2020 to plug any necessary legislative gaps, the Bill establishes an event-agnostic legislative framework that will govern major sporting events hosted by the UK going forward. This would likely include the upcoming men’s UEFA EURO 2028 football tournament, and, if the UK’s bid for it is successful, the FIFA Women’s World Cup in 2035.

This new framework aims to ensure that the UK remains competitive when entering bid processes for hosting rights for major international sporting events. The goal is to make it clear that the UK is able to fulfil any required commitments to sporting event owners during the bidding process (for example, regarding protections in place for the event), and to do so efficiently without the uncertain and cumbersome process associated with passing bespoke primary legislation.

Which sporting events will be covered?

The framework will apply to events held wholly or partly in the UK on an irregular basis which are of significant international interest, and would bring social or economic benefits to the whole or part of the UK, and to events likely to facilitate holding such events (clause 3 of the Bill). For example, while UEFA European Championships, FIFA Football World Cups and Rugby World Cups may be in scope, events that regularly take place in the UK such as the Wimbledon Championships or FA Cup Final are not in scope of the Bill.

Key Provisions

The Bill includes provisions in respect of the following issues:

  • Ticket touting (clauses 5-7 and Schedule 1): Under the Bill, it is a criminal offence to sell, offer to sell, expose for sale, or advertise an event ticket without authorisation in a public place, in the course of a business, or to make a profit.
  • Advertising in restricted areas (clauses 8-10 and Schedule 2): Under the Bill, it is a criminal offence to carry out an advertising activity in a restricted advertising zone during a specified period, or to arrange or permit for this to be done. An advertising activity is anything done to promote a product, service or business to members of the public who are in a restricted advertising zone or watching or listening to a broadcast of the event.
  • Trading in restricted areas (clauses 11-13 and Schedule 3): The Bill sets out a criminal offence which partially mirrors the ‘advertising in restricted areas’ offence in respect of trading. Trading activities include (i) selling or offering or exposing a product for sale, (ii) providing or offering to provide a service or providing entertainment for gain or reward, and (iii) appealing for money or other property (except begging).
  • Unauthorised association with the event (clauses 14-16 and Schedule 4): The Bill prohibits a person acting in the course of a business from engaging in the unauthorised use of a representation (of any kind) in a manner likely to suggest to the public an association between the sporting event and goods or services (or a person providing them) during the specified period.

Those guilty of an offence under the ticket touting, advertising in restricted areas or trading in restricted areas provisions can be fined. Breach of the unauthorised association with the event provision is treated as an infringement of a property right, with various court remedies available.

The Bill also includes provisions to facilitate transport arrangements for events (clause 17 and Schedule 5) and to enable national authorities to provide financial assistance to support sporting events (clause 25).

Event-specific regulations

The Bill has been drafted with built-in flexibility to accommodate the varied requirements of the different sporting events to which it will apply.

Although the Bill offers a framework for issues affecting a broad range of sports, there is an expectation that an appropriate national authority and/or the Secretary of State will introduce regulations applying one or more of the Bill’s provisions to specific sporting events within its scope. Many parts of the provisions are defined by reference to these event-specific regulations, such as the location of the restricted advertising and trading zones in the provisions governing advertising and trading in restricted areas.

There are also various carve-outs and exceptions, and the relevant authorities are empowered to specify further ones by regulation. Authorisations can be granted to ensure that, for example, event sponsors can carry out advertising or trading within a restricted zone.

What happens next?

The Bill was debated during its second reading in the House of Lords on 3 June 2026. We will continue to monitor its progress through Parliament and keep clients informed on key updates.

It is worth noting that there is a separate push to make it illegal for tickets to concerts, theatre, comedy, sport and other live events to be resold for more than their original cost. On 19 November 2025, the government published its response to its consultation on the resale of live events tickets, and proposed a draft Ticket Tout Ban Bill in the King’s Speech on 13 May 2026.

Those in any way involved with major sporting events, including organisers, sponsors and commercial partners, should consider how they will be affected and take proactive steps to ensure they are prepared once the Bill is ready to come into effect.

Please reach out to Ella Ditri or Mike Glover-Smith for support on this.

Can IP rights protect your image and persona?

We are seeing an increasing trend towards celebrities applying to register aspects of their image and persona as trade marks, including in the UK, EU and US. This is no doubt an attempt to bolster their toolkit to prevent deepfakes and generative AI models from outputting voices or likenesses, and to control how their personal brand is used.

Following on the heels of Matthew McConaughey, who registered his “Alright, alright, alright” catchphrase, Taylor Swift is reported to have filed trade mark applications in the US covering voice clips such as “Hey, it’s Taylor” and a promotional image from her Eras tour.

In the UK, Jeremy Clarkson has registered a series mark containing two specific images, Cole Palmer has registered one image, and an application by Luke Littler for one image is currently pending. There is no reason in principle why an individual cannot apply to register their image, or even a video or audio clip, as a trade mark in the UK. In the EU, Dutch model Maartje Verhoef has succeeded in registering an image of herself as a trade mark, whilst an application by Jan Smit is still pending.

There are some question marks over the extent to which these trade marks can protect against images or sounds that are not identical to the trade mark which has been registered, or which are not piggybacking on, or tarnishing, their reputation. However, they could be a useful tool against commercially driven clones, particularly where they cover recognisable and distinctive features such as a well-known soundbite or promotional image. They also potentially have deterrent value.

In the UK, trade marks can become vulnerable to challenge if they are not used for the goods and services for which they have been registered. They can also be challenged on bad faith grounds if they are registered without any genuine intention to use them. It is therefore important to consider the scope of protection sought very carefully, as well as how the trade marks will be used. The fact that individuals are considering registering elements of their persona as trade marks is perhaps also indicative of the fact that the UK does not have a standalone right of publicity or personality, unlike other jurisdictions. Existing protection for digital reproductions relies on a patchwork of rights such as passing off, misuse of private information, misuse of personal data and defamation. The recent government report on AI and copyright indicates that the government is considering introducing standalone personality rights protection.

In the meantime, however, we are advising a number of clients on generative AI and protection against digital replicas, and specifically on trade mark protection for names, images, likenesses and voices, and the use of them in AI training and outputs.

Do please reach out to our IP team if you would like to discuss this topic further.

Technology Briefing – May 2026

Welcome to the spring edition of our technology briefing, designed to keep you updated on the latest legal and regulatory developments in the technology sector.

In this edition, we unpack the EU AI Act’s transparency obligations, highlighting recent developments and timelines for compliance. Additionally, we explore how businesses can challenge procurement decisions in government IT contracts and review the CMA’s updated guidance on unfair contract terms marking 10 years since the Consumer Rights Act 2015 was introduced. We also address the latest updates in data protection law. Finally, we cover the UK Government’s recently published Report on Copyright and Artificial Intelligence, which follows its consultation.

Recent Harbottle highlights include advising on the sale of After Party Studios to SISTER Group and launching our Indie Games Collective to mentor early-stage games businesses. We also published a thought leadership piece on AI-enabled cyber threats and, at C5’s AI & crypto fraud conference, Lizzie Williams shared insights on resolving smart contract disputes.

IN THIS EDITION


EU AI Act transparency obligations: latest developments and key obligations

A core set of requirements imposed by the EU AI Act (the Act) concerns transparency obligations for AI systems. The majority of the Act is expected to come into force on 2 August 2026. The European Parliament, however, has agreed a proposal that would delay the obligations imposed in respect of high risk AI systems.



Government IT contracts: how to challenge the procurement process

If your business enters into contracts with public sector entities for the provision of IT or related services, you will be familiar with the public sector tender and procurement processes. But are you familiar with what can be done to challenge the outcome of those processes? 



Unfair contract terms in consumer contracts: new draft guidance from the CMA

If you deal with consumers, then you need to know how consumer law applies to your contract terms and notices. Ten years on from the introduction of the Consumer Rights Act 2015, the Competition and Markets Authority is revising its current guidance on unfair contract terms. 



UK Government holds off on immediate AI Copyright reform

The Government has published its much-anticipated Report on Copyright and Artificial Intelligence, which follows a consultation that ran from 17 December 2024 to 25 February 2025. 



Data protection update

This update includes key developments such as the ICO-HMG memorandum on data protection, new provisions under the Data (Use and Access) Act, guidance on international data transfers and age assurance, and significant enforcement actions like fines for unsolicited marketing, misuse of biometric data, and breaches involving children’s data, alongside global concerns over AI and high-profile investigations. 



HARBOTTLE HIGHLIGHTS

Deal announcement: sale of After Party Studios

We have recently advised the shareholders of After Party Studios, a digital-first creative production company, on the sale of a majority stake to SISTER Group. 



Harbottle & Lewis Indie Games Collective (IGC)

We recently launched our IGC, a mentorship programme which offers legal guidance to early-stage games businesses, to help them navigate their next steps in the industry.



AI-enabled cybercrime

Our new thought leadership piece, developed with Sodali & Co and LevelBlue, builds on insights from our recent event. It highlights key AI-enabled cyber threats, offers practical talking points, and provides actionable recommendations to support informed discussions with risk, legal, and cyber security teams. 



AI & crypto fraud and asset recovery conference

Lizzie Williams recently spoke at this annual conference hosted by C5 Communications. She joined a panel to discuss smart contract disputes: what they are, how to avoid them and how to resolve them. The session proved valuable for those interested in coded contracts.


Please contact our technology experts if you would like to discuss anything in this briefing.

Data protection update

General updates

  • On 8 January, the Information Commissioner’s Office and His Majesty’s UK Government (HMG) signed a Memorandum of Understanding (MOU) to formalise their shared commitment to improving data protection standards. This includes appointing a Government Chief Data Officer to oversee data protection risks and compliance across HMG departments. Key governance boards, such as the Transformation Board and Government Security Board, will monitor data protection risks and progress.
  • On 3 February, the ICO opened formal investigations into X Internet Unlimited Company (XIUC) and X.AI LLC (X.AI) covering their processing of personal data in relation to the Grok artificial intelligence system and its potential to produce harmful sexualised image and video content.
  • On 5 February, most of the remaining data protection provisions of the Data (Use and Access) Act came into force, except for the requirement for organisations to have a complaints procedure, which is due to commence on 19 June 2026, and some ICO governance provisions, which will follow at a later date. The provisions now in force include only having to carry out a “reasonable and proportionate” search in response to data subject access requests. In addition, the maximum fine issued under the Privacy and Electronic Communications Regulations is no longer £500,000 but now matches the GDPR maximum of up to £17.5 million or 4% of global turnover (whichever is the greater).
  • On 23 February, privacy regulators from around the world issued a joint statement addressing mounting concerns over artificial intelligence (AI) systems that create realistic images and videos of identifiable individuals without their consent.
  • On 11 February 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion on the European Commission’s Digital Omnibus Regulation proposal, which seeks to streamline digital regulations, reduce administrative burdens, and enhance competitiveness across the EU. The EDPB and EDPS strongly oppose proposed changes to the definition of personal data, warning that they could narrow its scope, weaken privacy protections, and create legal uncertainty.
  • On 25 April, John Edwards, the UK’s Information Commissioner, announced that he has temporarily stepped back from his role as the ICO conducts an independent investigation into unspecified “HR matters.” Edwards, who has held the position since January 2022, announced his cooperation with the inquiry in a LinkedIn post.

Latest guidance

  • On 15 January 2026, the Information Commissioner’s Office released updated guidance on international transfers of personal data under the UK GDPR. Key updates include: a three-step test for restricted transfers and explanations on roles and responsibilities, particularly for complex, multi-layered transfer scenarios. The regulators back several provisions aimed at reducing administrative burdens, including raising thresholds for mandatory data breach notifications and extending deadlines for reporting.
  • On 12 March 2026, the UK’s data protection regulator, the Information Commissioner’s Office, published an open letter to social media and video-sharing platforms operating in the UK calling on them to urgently strengthen their age assurance measures.
  • On 25 March 2026, Ofcom and the Information Commissioner’s Office released a joint statement outlining regulatory expectations for age assurance measures under the Online Safety Act and UK data protection laws. The statement aims to help online services protect children from harmful content and data risks while ensuring compliance with both legal frameworks.
  • On 31 March, the ICO called on businesses to review their use of automated decision-making in recruitment to ensure compliance with data protection laws and to protect jobseekers from unfair or biased outcomes.
  • On 29 April 2026, the Information Commissioner’s Office (ICO) released its finalised guidance on Storage and Access Technologies alongside an update on its online tracking strategy. This guidance addresses the application of the Privacy and Electronic Communications Regulations and, where relevant, the UK GDPR to technologies such as cookies, tracking pixels, device fingerprinting, and similar tools. It incorporates updates following two consultations and amendments introduced by the Data (Use and Access) Act 2025.
  • On 14 April 2026, the European Data Protection Board announced a new Data Protection Impact Assessment template to simplify compliance with the General Data Protection Regulation and promote consistency across Europe.

Latest enforcement action

  • On 15 January, the Information Commissioner’s Office fined Allay Claims Ltd £120,000 for sending over 4 million unsolicited marketing SMS messages between February 2023 and February 2024. These messages promoted PPI tax refund services and were sent without valid consent or compliance with the ‘soft opt-in’ exemption. Allay argued that recipients were existing customers who had engaged with the company in 2019 and signed terms of engagement, which it believed satisfied the ‘soft opt-in’ exemption. However, aggravating circumstances included that Allay was previously investigated by the ICO in 2020 for PECR breaches and that, despite the investigation and complaints, Allay failed to suspend its marketing activities, resulting in further complaints. Aggravating circumstances also included the distress caused to recipients, as unsolicited marketing is intrusive and can lead to financial harm, particularly in the context of PPI tax refund services, which often involve high fees and hidden charges.
  • On 2 January, the President of the Personal Data Protection Office (Poland’s data protection authority) imposed a fine of PLN 978,128 (approximately €232,379) on T. S.A. for failing to ensure the independence of the Data Protection Officer (DPO) and for the absence of measures to prevent conflicts of interest in the DPO’s role. The DPO of T. S.A. simultaneously held a managerial role (Director V.) and other positions within the company. The company’s history of GDPR violations was considered an aggravating factor, as it demonstrated ongoing compliance challenges. The company resolved the identified issues by restructuring the DPO’s role before the administrative proceedings concluded. This led to a 40% reduction in the fine.
  • On 29 January, the Italian Data Protection Authority (GPDP) fined e-Campus Online University €50,000 for unlawfully using facial recognition technology to verify student attendance during a teacher qualification course. The university processed biometric data without a valid legal basis, relying on invalid consent while failing to conduct a proper Data Protection Impact Assessment (DPIA) before implementation. The GPDP highlighted several violations of GDPR, including unnecessary data retention, lack of alternatives for students, and the power imbalance inherent in requiring biometric data for course participation. While the university cooperated with the investigation and ceased using the system, the fine reflected the serious nature of processing sensitive biometric data and the large number of students affected.
  • On 13 February, the ICO and Ofcom responded to an open letter from approximately 20 MPs urging the ICO to investigate Tattle Life for potential breaches of data protection laws after the death of a social media influencer’s 16-year-old daughter. The ICO confirmed it has an ongoing investigation into Tattle Life, examining its compliance with data protection laws. These include obligations to process personal data lawfully, transparently, and fairly, and to address user requests for data rectification or erasure. While the ICO does not have the authority to shut down websites, it can issue enforcement notices to ensure compliance if data protection violations are identified.
  • On 19 February, the ICO won its appeal in a landmark case against DSG Retail Limited. The dispute originated from a 2020 ICO fine of £500,000 imposed on DSG after a cyber-attack compromised the personal data of at least 14 million individuals. Despite appeals by DSG to the First-tier Tribunal and Upper Tribunal, the ICO sought further clarification on a critical point of data protection law by appealing to the Court of Appeal in 2024. The court clarified that this duty applies even if the stolen data cannot directly identify individuals, recognising the broader harm caused by cyber-attacks.
  • On 3 February, the ICO reprimanded Staines Health Group for sending excessive medical details about a terminally ill patient to their insurance company, Vitality. A patient at the NHS GP surgery was diagnosed with a terminal illness and made a claim to their insurer. The insurer, on behalf of the patient, subsequently requested that five years of medical history be sent to the patient to review, before being sent to the insurer in order to progress the claim. But, instead of five years of medical history being sent to the patient, Staines Health Group sent 23 years of medical records direct to the insurer. The patient believed the excessive disclosure of unnecessary medical records led to a reduction in the payout of their claim.
  • On 3 February, the ICO issued a monetary penalty of £100,000 to TMAC Ltd for making calls promoting alarm systems and monitoring services to individuals registered with the Telephone Preference Service.
  • On 4 February, the ICO issued a Penalty Notice to MediaLab.AI, Inc. fining it £247,590 for UK GDPR breaches relating to children’s data and the absence of a DPIA. The ICO found unlawful processing of under-13s’ data without valid parental consent and a failure to complete a DPIA for high-risk processing affecting under-18s between 27 September 2021 and 30 September 2025.
  • On 23 February 2026, the ICO issued a Penalty Notice to Reddit, Inc of £14,472,500 for UK GDPR breaches involving children’s personal data and failure to complete a DPIA.

The AI-enabled threat landscape: real world lessons from lawyers, PR and cybersecurity experts

In collaboration with Sodali & Co and LevelBlue, we have produced a new report offering vital insights into AI-driven cybercrime. Designed for non-technical executives and board members, it highlights key threats, practical talking points, and actionable steps to support discussions with risk, legal, and cyber security teams.

AI is transforming the cyber threat landscape, enabling faster, cheaper and more personalised attacks while lowering the entry barrier for malicious actors. These risks pose significant financial, operational and reputational challenges for businesses.

EU AI Act Transparency Obligations: latest developments and key obligations

A core set of requirements imposed by the EU AI Act (the Act) concerns transparency obligations for AI systems.

The majority of the Act is expected to come into force on 2 August 2026. The European Parliament, however, has agreed a proposal that would delay the obligations imposed in respect of high risk AI systems. The remaining provisions of the Act remain largely unaffected, and businesses should operate on that basis, noting that breaching these obligations can result in a fine of up to EUR 15 million or 3% of their total worldwide annual turnover for the preceding financial year (whichever is higher).

The Act raised a number of questions around how companies would comply with their transparency obligations. This led to the creation of a draft code of practice (the “Code of Practice on Marking and Labelling of AI-generated content” (the Code)), integrating feedback from hundreds of participants and observers including industry, academia and other stakeholders.

The Code of Practice on marking and labelling of AI-generated content

The second draft of the Code was published on 3 March 2026 and a final version is expected by June 2026. The Code is subject to further amendments, but sets out four key requirements to demonstrate compliance:

  1. multi-layered marking through metadata embedding, imperceptible watermarking, or fingerprinting/logging;
  2. providers having to offer a free interface or publicly available tool enabling users and third parties to verify whether content is AI-generated;
  3. technical solutions for marking and detection must be effective and reliable; and
  4. continuous testing and improvement to keep pace with real-world developments.

The transparency obligations

The Code is underpinned by the transparency obligations in the Act.

The extent of these obligations is influenced by different factors such as whether the AI system is classified as limited or high risk; and whether you are a deployer or provider.

For limited risk AI systems:

If you are a provider

A ‘provider’ is a company, individual, public authority, agency or body that: (a) develops, or procures the development of an AI system or general-purpose AI model; and (b) places it on the market or puts it into service under its own name or trademark. In other words, this applies to those who set out to create, or procure the creation of an AI system.

Providers of limited risk AI systems must comply with three core transparency requirements.

  1. AI systems must be designed to inform individuals that they are engaging with an AI system;
  2. Providers must ensure that outputs are marked in a machine-readable format and are detectable as artificially generated or manipulated; and
  3. Technical solutions employed must be effective, interoperable, robust and reliable.

The question of how providers can satisfy these requirements has been a recurring area of discussion, such that the European Commission has stepped in to provide guidance via the voluntary code of practice on the transparency of AI-generated content. We discuss this in further detail below.

If you are a deployer

In contrast, a ‘deployer’ is a company, individual, public authority, agency or body using an AI system under its authority, except where the AI system is used in a personal non-professional activity.

Given that deployers are effectively users with little to no control over the AI system, they are subject to far fewer disclosure requirements. The Act only imposes obligations on deployers of three specific types of AI systems:

  1. emotion recognition or biometric categorisation systems;
  2. deepfakes, where the system generates or manipulates image, audio or video content; or
  3. systems generating or manipulating text published to inform the public on matters of public interest.

For high risk AI systems:

If you are a provider

Unsurprisingly, the Act imposes the most obligations for this category. In general, it will include requirements for providers to supply instructions for safe use and information about accuracy, robustness, and cybersecurity. Individuals overseeing such systems must be suitably qualified to understand the system’s capacities and limitations, with various recordkeeping and risk management protocols.

If you are a deployer

Similar to above, deployers face fewer obligations, but a broader set reflective of the higher risk AI system. These include the implementation of specific governance, monitoring, transparency and impact assessment requirements. The key obligations can be grouped under two headings:

Operational obligations

The deployer must implement appropriate measures to ensure the high-risk AI system is used in accordance with the relevant instructions for use, that input data is relevant and sufficiently representative for the intended purpose of the system, and monitor its operation in order to be able to inform the provider in the event it identifies any risks or serious incidents.

Control and risk management obligations

A deployer must conduct a fundamental rights impact assessment (FRIA) before deploying the system, assign human oversight to individuals with the necessary competence, train and regularly monitor the AI system for risks, and keep the logs of the AI system in an automatic and documented manner for at least six months.

Future outlook

The trajectory is unmistakable: the Act positions transparency as a core principle, which is going to impact design choices, user interfaces and governance processes. Organisations will be expected to comply with the Code and the transparency obligations that underpin it.

Companies leveraging AI along their supply chain should therefore prioritise embedding and documenting transparency measures that can withstand both regulatory and legal scrutiny, while ensuring alignment with wider IP governance and strategic commercial decisions.

For more information on the EU AI Act and the Code and how they might impact your business, contact Sacha Wilson and Jacky Lai.

Unfair contract terms in consumer contracts: new draft guidance from the CMA

If you deal with consumers, then you need to know how consumer law applies to your contract terms and notices.

Ten years on from the introduction of the Consumer Rights Act 2015 (the CRA), the Competition and Markets Authority (the CMA) is revising its current guidance on unfair contract terms.

The draft guidance is aimed at making the guidance more accessible, helping businesses better understand and comply with the CRA. The consultation closed on 19 March 2026. Once finalised, it will replace the existing guidance on unfair contract terms.

Which terms are unfair?

Contract terms are unfair if they tilt the rights and responsibilities excessively in favour of the supplier. The law currently uses a ‘fairness test’ by looking at the words in the contract, taking into consideration what is being sold, how a term relates to other terms in the contract, and all the circumstances at the time the term was agreed.

Certain terms and notices giving rise to particular concerns are ‘blacklisted’ and deemed as unsuitable for use with consumers. These include terms that exclude or restrict liability for death or personal injury resulting from negligence, a consumer’s statutory rights and any associated remedies. Blacklisted terms are never enforceable against a consumer.

What are the key changes in the draft guidance?

Enhanced CMA enforcement powers under the DMCC:

The updated guidance integrates the Digital Markets, Competition and Consumer Act 2024 (the DMCC), enabling the CMA to impose penalties without going to court for businesses that use prohibited, non-transparent or unfair terms or notices. Fines may be up to 10% of a company’s global turnover or £300,000 (whichever is higher).

Transparency – more than words:

Transparency now covers not just the content itself, but also its presentation by requiring clear fonts and headings that follow a logical structure, supported by explanation of terms which may be complex or challenging to understand.

Fairness and consumer behaviour:

The requirement of ‘good faith’ should include a behavioural dimension. Suppliers must consider consumer psychology and avoid exploiting consumer biases, for instance consumers’ tendency not to read standard terms thoroughly, or to underestimate future costs such as renewal or termination fees. Campaigns emphasising quick benefits, such as a free trial, while using tactics to minimise attention as to future costs will face greater scrutiny. Automatic renewals of subscriptions are also specifically noted as an area of concern, with the DMCC’s new subscription provisions (to enter into force no later than August 2026) adding further obligations.

The role of advertising:

Advertising is explicitly incorporated into the fairness assessment, requiring consistency between terms and marketing claims. Small print which removes or curtails more prominent claims, failing to highlight key terms during the marketing process, or inconsistency between marketing claims and the contract terms could give rise to an unfair commercial practice. Statements made by a supplier that a consumer is likely to see may also be treated as terms of the contract.

Exclusions and variations to the contract:

Vague language such as “liability is excluded so far as the law permits” will not remedy an unfair clause; and terms allowing a supplier to vary terms such as changing the description or price of the services or goods may now be deemed unfair should they be overly wide in scope or result in changes that may be unexpected to the customer.

What are the key takeaways for consumer businesses?

The draft guidance makes clear that unfair, onerous or significantly unbalanced terms will be closely scrutinised. Suppliers should ensure that lines of communication with customers are clear, transparent and easy to understand.

Contract terms should similarly be reviewed to make sure that they strike a reasonable balance without prejudicing consumers by including reasonable protections around cancellation or refund rights.

For more information on how the new guidance will impact your consumer contracts, contact Sacha Wilson and Jacky Lai.

Government IT contracts: how to challenge the procurement process

If your business enters into contracts with public sector entities for the provision of IT or related services, you will be familiar with the public sector tender and procurement processes. But are you familiar with what can be done to challenge the outcome of those processes?

Whether it is an issue with the application of the scoring criteria, or how the process has been conducted, your business may have the ability to challenge contract awards.

However, in order to do so effectively, your business will need to move quickly and ensure that it deploys the various legal tools available to it strategically.

What is the relevant legislation?

In 2025, the Procurement Act 2023 (the Act) came into force. This represented the most significant development to UK public procurement laws for over 30 years, replacing the well-established EU-founded regime under the Public Contracts Regulations 2015 (the PCR).

How long do you have to bring a claim?

The period during which a legal claim can be brought under the Act is very short and remains largely unchanged from the PCR. In summary:

  • If you are a supplier seeking to challenge an award, the period to bring a claim is just 30 days from when you knew, or ought reasonably to have known, of the circumstances giving rise to the claim. However, this may be extended for up to three months where the court considers there is a good reason to do so.
  • If you are a supplier seeking to set aside a contract that has been entered into, the period to bring a claim is 30 days from the date you knew or ought to have known of the circumstances giving rise to a claim, with a long stop date of 6 months from the date the contract was entered into.

However, the parties can enter into a standstill agreement which, in effect, extends the limitation period, allowing the parties an opportunity to resolve the dispute.

Can you prevent the authority from entering into a contract with another supplier whilst you challenge the decision?

Under the previous regime, contracting authorities were required to observe a 10-day waiting period following the issue of a ‘standstill letter’ to all tendering suppliers before entering into a contract with the preferred supplier. Claims issued prior to contract execution would trigger an automatic suspension of the procurement process.

The Act reduces the standstill period from 10 to eight working days, with the period now triggered by the contract award notice instead of the issue of a standstill letter. Claimants are no longer entitled to the benefit of automatic suspension up until the date of contract execution. This is a significant shift from the previous position and impacts upon strategic considerations.

What information do you have about the decision-making process?

There are various ways you can find out more about the decision-making process. One of them is that contracting authorities must publish a Contract Award Notice on a central digital platform, and provide an assessment summary to each supplier that submitted an assessed tender.

The assessment summary must include: (a) the scores awarded for each criterion; (b) an explanation of those scores; and (c) in respect of unsuccessful suppliers, the reasons why the contract was not awarded to them, together with the corresponding information at (a) and (b) for the successful tender.

The enhanced disclosure requirements are a positive development for suppliers looking for substantive grounds on which to base a potential challenge.

What remedies can you obtain when challenging an award?

In many cases, compromise solutions are reached with the relevant authority without a claim needing to be issued. However, if you do pursue a claim, the remedies available remain mostly unchanged from the previous regime. There are two main categories:

Pre-contractual remedies:

Where a contract has been awarded but not yet executed, a successful challenge may result in the court granting one of the following orders:

  • an order setting aside the relevant decision or action (including the decision to award the contract);
  • an order requiring the contracting authority to take specified action (such as reconsidering a decision previously made);
  • an order for damages (which may be granted in addition to any other order, and has historically encompassed lost profits arising from the breach and/or wasted bid costs); or
  • such other order as the court considers appropriate.

Post-contractual remedies:

Where the awarded contract has been executed, the available remedies are limited to damages and/or an order setting aside the contract (subject to certain conditions in the Act).

What does this mean for suppliers?

If you are concerned about a procurement decision, then given the short timeframes for challenge, it is critical to seek legal advice at the earliest possible opportunity to allow your advisors time to evaluate the claim and devise and deploy the optimum strategy.

The Act’s emphasis on transparency, creating a level playing field and the introduction of new obligations on contracting authorities, expands the scope for potential challenges.

You will however need to navigate the reduced standstill period, which now runs for 8 working days from the contract award notice, and the fact that automatic suspension is no longer available until the date of contract execution.

If you would like to find out more about how to make procurement challenges, contact Lizzie Williams and Jacky Lai.