Insights for In-house Counsel Spring 2026 - AI, tech and IP

Now Reading

The EU rethinks its digital rulebook: simplified, softened and delayed

What's happening?

The European Commission unveiled a digital simplification package in November 2025 proposing significant changes to the EU AI Act, the GDPR, e-privacy and cyber incident reporting rules. The aim is to simplify and soften rules that are perceived to hinder the EU's digital competitiveness and act as a brake on innovation. Proposals include postponing the compliance deadline for high-risk AI systems (currently set for August 2026), lifting AI literacy obligations for most businesses, streamlining cyber/data breach incident reporting, and a range of measures designed to make AI development and deployment easier. For more information about the proposals read our briefing on the EU's Digital Omnibus.

Our view:

These reforms appear to be a step in a more business-friendly direction, particularly for smaller businesses struggling with the tide of EU digital regulation over the last few years. However, the uncertainty, particularly in relation to AI deadlines, is not welcome. Moreover, reforms which touch on fundamental rights face significant opposition from the other European institutions and privacy lobbyists. For example, the Commission's clarification that pseudonymised data does not constitute personal data in the hands of a recipient who does not have the keys to identification, which would smooth the path for training AI and data sharing, looks unlikely to survive the legislative process.

No immediate action is required as these proposals are currently being negotiated between the European institutions, which is likely to result in a number of them being chipped away.
Businesses in scope for the EU's AI Act should monitor for changing deadlines – in most cases this will be a postponement, not a relaxation, of the new rules.

DON'T SHELVE YOUR AI TRAINING:

Businesses should think twice before planning to curtail (or scrap) their "AI literacy" training programmes. Even if AI literacy ceases to be a legal requirement under the EU's AI Act, equipping staff with training on AI usage and potential risks is essential to fully capitalise on the benefits - and avoid the pitfalls - of AI. Moreover, training will remain a requirement for staff who are responsible for high-risk AI systems under the AI Act. Our earlier briefing discussed the AI literacy requirement.

The UK's data protection reforms are largely now in force

Why it matters:

Most of the UK data protection and e-privacy reforms introduced in June 2025 by the Data (Use and Access) Act came into effect in February 2026. While the regulator has been busy issuing new guidance to reflect the new rules, it is still playing catch-up, and its guidance on some key areas of reform, such as automated decision making, is still to come. There is a little longer to prepare for the new rules on complaints (the right of individuals to complain directly to the data controller) as those provisions will only apply from 19 June 2026.

Our view:

Some changes to privacy policies, subject access request templates, internal process documents and training will be required, particularly in relation to the new complaints rules - which we explain in more detail here. Businesses are not required to significantly adapt their compliance approach to cater for the new rules. Those operating in the EU, looking to adopt a uniform approach to UK and EU compliance, are unlikely to benefit from the minor relaxations that are available.

Prepare for the new complaints rules by amending your policies, complaints handling processes and staff training. The good news is that there is significant flexibility around their implementation.
Consider whether there are opportunities to take advantage of the relaxation to automated decision-making and profiling rules – e.g. for HR use cases. However, bear in mind that keeping a "human in the loop" is still advisable in many circumstances e.g. to guard against discriminatory outcomes. Read our briefing on automated decision-making for more information.
The Information Commissioner's Office will soon change to the Information Commission - but hasn't yet. This change is due to happen in "Spring 2026".

UK Cyber Bill targets critical suppliers

Why it matters:

Against a backdrop of increasingly sophisticated cyber attacks - costing the UK economy nearly £15 billion a year - the UK Government has introduced the Cyber Security and Resilience (Network and Information Systems) Bill. Focused on protecting the systems behind essential services and the digital infrastructure that supports daily life, the Bill will expand cyber compliance obligations and regulators' enforcement powers - including for data centres, managed IT service providers, and designated “critical suppliers".

Our view:

The EU's NIS2 Directive covers a much broader range of sectors than the UK's Bill – for example the manufacturing and food sectors are within scope for NIS2 but outside the Bill's scope. This may be seen as a missed opportunity by the UK Government, particularly given the damage and disruption caused by the attacks last year on businesses such as Marks and Spencer and Jaguar Land Rover.

With stricter incident reporting duties and a new emphasis on supply chain resilience, now is the time for organisations to assess whether they are likely to be in scope for the Bill and begin to prepare. Read our briefing on the Cyber Security and Resilience Bill.

UK Government goes back to the drawing board on copyright and AI

What's happening?

The ongoing debate between the AI sector and the creative industries has been well documented. In short, the AI sector requires large volumes of data to train AI models, but many right holders within the creative industries do not want their work to be used for these purposes without their express permission. The UK Government has acknowledged that existing copyright laws lack clarity on this point, largely because they were drafted when AI was in its infancy. In December 2024, the UK Government opened its Copyright and AI consultation, asking for views on four possible routes towards a solution. At the time, the UK Government's preferred route was to permit AI developers to train on materials to which they have lawful access, but only to the extent that the right holders have not expressly reserved their rights. Just over 12 months on from this consultation, and in light of strong opposition from the creative industries, the UK Government has now reported that it no longer has a preferred route forward and has offered no fixed timeline for reaching its decision, stating that it must "take the time needed to get this right".

Our view:

It remains unclear exactly which route forward the UK Government is likely to take. The UK Government has stated that it will "continue to monitor developments in technology, litigation, international approaches, and the licensing market". Clearly then, what happens in the courts, the market and on the international stage will be key to shaping the future of this debate. This lack of clarity and continued delay remains frustrating for both the AI sector and the creative industries.

The outcome of this debate will inevitably have repercussions for businesses operating in a variety of different industries. It would therefore be sensible for lawyers to continue to monitor the latest developments in this area.

Dryrobe® v Caesr Group: the importance of pro-active brand strategies

Why it matters:

In the case of Dryrobe Limited v Caesr Group Limited (t/a D-Robe Outdoors), Dryrobe® successfully brought trade mark infringement and passing off claims against D-Robe, but in doing so, also successfully defended a counterclaim that the "DRYROBE" trade marks should be invalidated or revoked due to genericide (i.e. where a term becomes the generic, common name for a particular product – think "aspirin" and "escalator" for example). Key to Dryrobe®'s successes at trial was its pro-active brand protection strategy, which was frequently commented on in the judgment. For more information read our briefing on the Dryrobe® v Caesr Group case.

Our view:

The diligent brand protection strategy implemented by Dryrobe® was fundamental to its successes at trial and can serve as something of a blueprint for brand-conscious businesses.

Businesses should take steps to police and protect the use of their key consumer brands, particularly on social media, and diligently record all actions taken and any related communications with consumers. Collectively, this may serve as important evidence should a brand be challenged or infringed.

Read Louisa Chambers Profile