Data protection update
Mini-summary
This article provides an outline of the key copyright implications of the first English judgment on generative AI. The judgment has been eagerly awaited by the creative and technology industries, as well as the government which, so far, has been unsuccessful in resolving the tension between them arising from the use of copyright works by AI developers. While the decision did not deliver a decisive victory to either party, it has revived the discussion around secondary copyright infringement in the digital age.
The judgment ends (as an appeal seems unlikely) a three-year legal battle between Getty Images (Getty) and Stability AI (Stability) in the UK. Getty’s US case against Stability continues, alongside other high profile cases against generative AI, and will be looked at to offer judicial thinking on primary infringement albeit in a different legislative setting.
The Data (Use and Access) Act 2025 (the “Act”) represents the most significant reform to UK data protection since Brexit. Most provisions are being phased in between August 2025 and June 2026 through secondary legislation. This article offers a brief overview of the key changes affecting UK businesses. With our firm’s focus on advising creators on the use and impact of artificial intelligence, we end by discussing the provisions of the Act which become the vehicle for acknowledging broader concerns of the creative industries.
Background
The government began consulting on reform of data law in September 2021 via a public consultation. The data protection regime, derived from the retained EU law, was perceived as overly complex and onerous on UK businesses. However, these considerations had to be balanced with the need that the European Commission renews the UK adequacy decision for EEA-UK personal data transfers. A reform which was to stray too far from the EU template would risk the renewal, and disrupt the free and secure transfer of personal data between the EEA and the UK under the EU GDPR.
The European Commission renewed the UK adequacy decision on 19 December 2025 thus acknowledging that the Act strikes the right balance between the UK and the EU positions.
Complaints – New Process Requirements
Under the Act, organizations must establish formal data protection complaints procedures by June 2026, requiring them to receive, acknowledge within 30 days, and respond to complaints directly from individuals before matters escalate to the Information Commissioner’s Office (“ICO”). ICO figures show complaints rising from 39,721 in 2023/24 to 42,881 in 2024/25, with forecasts suggesting further increase of individual complaints ahead.
International Data Transfers
The Act introduces a new test requiring third countries maintain protections that are not materially lower than the UK's, rather than “adequate protection” tracking the wording of the EU GDPR. This may potentially making transfers easier especially between the US and the UK which both allow a degree of interference with the data protection regime in the interest of national security.
AI and Automated Decision-Making
The government has raised concerns that the laws around the use of personal data for research purposes are too complex (including that they are spread across different pieces of legislation). DUAA 2025 aims to bring about greater legal certainty and reduce barriers to the use of personal data for research.
The government’s focus on research was considered to be an indirectly linked to the government’s consultation on AI and copyright (“Consultation”). There, the government argued that the limited exception under s. 29 of the Copyright, Designs and Patents Act 1988, dealing with use of copyright works for non-commercial research and private study, was stifling innovation and research by AI developers. The government’s preferred option to broaden the exception was successfully opposed by the creative industries.
However, in the data protection context, the Act has introduced a new definition of what constitutes processing for scientific research under the UK GDPR into new paragraphs 2 and 3 of Article 4 of the UK GDPR. Section 67 of the Act provides that scientific research includes any research that can reasonably be described as scientific whether publicly or privately funded and whether carried out as a commercial or non-commercial activity.
Copyright was further included in the Act by means of sections 135 - 137 (the, so called, “Kidron amendment” introduced through the perseverance of Baroness Kidon, OBE, herself a filmmaker and advocate for online safety). The amendment requires that the government provide an economic impact assessment of options presented in the Consultation, setting out the impact on copyright owners and AI developers, as well as proposals in relation to technical standards, transparency and enforcement allowing effective control by copyright owners.
AI – unresolved questions
The Act leaves many AI-related questions unresolved, including whether training models on internet-scraped data is lawful, how to comply with erasure requests from AI models, and whether AI outputs meet accuracy principles. The ICO launched a new AI and biometrics strategy in June 2025, focusing on transparency, bias and discrimination, and rights and redress, with plans to publish a statutory code of practice on AI and automated decision-making in 2026.
The overall picture shows the UK attempting to balance innovation with maintaining EU adequacy status, while grappling with emerging AI challenges and enforcement effectiveness questions.
%201.jpg)
