Lexology PRO data rounds up the most significant stories of 2025, which range from a controversial EU digital omnibus package to the outcome of the UK’s first AI copyright court case.

This year saw many tensions come to the fore as old laws were adapted and new ones forged in the face of shifting technologies and evolving priorities. The standoff between innovation and regulation was front of mind for lawmakers in Brussels, who spent a good part of this year rushing to keep up with emerging tech and simultaneously deliberating on how to best simplify the already-crowded policy space.
And of course data protection interpretation and enforcement continue to drive the bulk of the work for EU courts and practitioners, as reflected in Lexology’s top-read news stories of 2025.
Unsurprisingly, another big theme in 2025 was AI regulation and how it held up in the face of mounting challenges, especially with regard to copyright. Online safety and content moderation have also moved up the priority list for global lawmakers and tech players alike – partially driven by landmark laws in the UK and Australia – and with it fresh questions on the age-old tension with freedom of expression.
All this can be seen in Lexology PRO data’s coverage. Below are some of the biggest stories the specialist data team covered over the last twelve months, setting the tone for an undoubtedly busy 2026.
Commission shows its hand on GDPR and AI Act reform
19 November 2025
Lexology readers have been keenly following the European Commission’s digital omnibus package as it makes its way through the legislative process. The draft proposals, which were officially revealed last month, amend key elements of the EU digital rulebook – including the GDPR and the AI Act – with the aim of streamlining compliance and boosting competitiveness in the bloc. Regulators and privacy groups have largely greeted the package with apprehension, warning that its impact on individuals’ rights must be properly assessed before the rules are finalised.
Getty loses UK Stability secondary copyright claims – but uncertainty persists
4 November 2025
The outcome of the first UK court challenge to deal with the complex interplay between copyright law and AI model development was also one of our most-read stories this year. High Court judge Mrs Justice Joanna Smith had found that Stability AI did not commit secondary copyright infringement by making its image-generation model available in the UK, but ruled in favour of Getty Images on limited trademark infringement claims. Although the case was expected to be pivotal in shaping how the UK legal regime deals with copyright challenges against AI training and output, the judgment ended up only dealing with narrow and fact-specific issues after Getty had abandoned key claims mid-trial.
GDPR/AI Act overlap poses compliance challenges for businesses
24 July 2025
With AI Act compliance deadlines looming, Lexology took a deep dive into how the new rules interact with now well-known GDPR provisions. Businesses that find themselves caught under both regimes – for example if they are deploying AI systems involving personal data processing – must navigate the overlap between requirements to avoid duplicating efforts or misapplying obligations. This new complexity will become especially evident when they are dealing with automated decision-making systems, completing risk assessments, assigning internal roles, and notably when dealing with different regulators on the same issues.
Schrems: EU-US Data Privacy Framework at risk
26 March 2025
Changes to the US administration following the inauguration of president Trump shifted the spotlight back onto the EU-US data transfer framework. Max Schrems, who had brought down the first transatlantic framework and hinted at challenging its successor, weighed in on fresh independence concerns triggered by the firings of US Privacy and Civil Liberties Oversight Board and Federal Trade Commission members. While the framework is still standing today, after having survived a General Court challenge, it is not out of the woods just yet.
UK data bill passes Commons with new AI commitments
8 May 2025
While the EU was looking for ways to refine its six-year-old data law, UK lawmakers continued on their own long-winded journey to enact a post-Brexit data protection law. The third version of the data bill went through what felt like endless stages of debates – 44 hours across nearly eight months – before it was ultimately passed in July.
ECJ clarifies line between pseudonymised and personal data
4 September 2025
The very definition of personal data was questioned in Europe’s highest court this year. A dispute about the data privacy obligations of controllers handling pseudonymised data triggered a long-running case that ultimately saw the ECJ ruling that “pseudonymised data must not be regarded as constituting, in all cases and for every person, personal data”. It controversially clarified that the key question lies in whether third parties have reasonable means allowing them to identify data subjects. The decision’s significance can be seen in the fact that its findings may be codified into the GDPR itself.
California enacts AI transparency law with million-dollar penalties
30 September 2025
California is set to ring in the new year with a landmark AI law, which will take effect on 1 January. The Transparency in Frontier Artificial Intelligence Act sets out new requirements for large, high-risk developers and proposes steep non-compliance penalties which could reach up to US$1 million per violation. But its ultimate application will depend on the success of federal government attempts to clamp down on growing state AI regulation efforts in order to avoid disincentivising innovation in the US.
Commission ordered to pay US data transfer damages
8 January 2025
January saw the European Commission ordered to pay non-material damages over its transfer of data to the US in a case that has now made its way up to the ECJ. The long-anticipated General Court judgment said the commission committed a “sufficiently serious” breach of law by creating conditions for the unlawful transfer of plaintiff Thomas Bindl’s IP address to US-based Meta. It ordered the EU body to pay €400 in damages; while a mere drop in the ocean compared to million-dollar big tech fines, the result – if upheld on appeal – could catalyse mass claims across the EU.
ICO hands Capita £14 million data breach fine
15 October 2025
In the midst of heavy criticism over its suspected lack of enforcement – especially against breaches by public sector bodies – the ICO issued one of its highest GDPR fines to date. The regulator’s £14 million fine against Capita, which followed a data breach exposing the information of 6.6 million individuals, was initially set at £45 million but later cut by almost 68% based on mitigating factors presented by the company as well as its admission of liability.
EDPB Meta decisions upheld following DPC appeal
29 January 2025
A General Court ruling on the European Data Protection Board’s role under the GDPR one-stop-shop mechanism was another one of Lexology PRO’s top-read stories this year. The ruling, which said the EDPB was entitled to order Ireland’s Data Protection Commission to conduct new Meta investigations, notably left the door open to future challenges to the board’s decisions. The landmark judgment backs the ability of EU regulators and the EDPB to force lead regulators to take more action than they had initially planned – a finding which could alter the balance of power in cross-border enforcement.