Trowers Tech News - December 2025

Welcome to the latest edition of Trowers Tech News.

This month, we examine pivotal developments in data and AI regulation that will shape compliance strategies and innovation across the technology sector. From the UK’s landmark Data (Use and Access) Act to sweeping EU proposals under the Digital Omnibus, and a high-profile IP dispute in the generative AI space, the regulatory and legal landscape is evolving at pace.

We begin with the Data (Use and Access) Act 2025, which introduces targeted reforms to the UK’s data protection framework. For technology companies, the Act’s relaxation of restrictions on automated decision-making presents new opportunities for AI-driven solutions, alongside heightened obligations to ensure meaningful human oversight and transparency.

Next, we turn to the European Commission’s Digital Omnibus proposals, a far-reaching initiative aimed at simplifying data, cybersecurity, and AI rules across the EU. While designed to reduce compliance burdens and spur innovation, the proposals have sparked debate over their potential impact on digital rights and the ripple effects for UK businesses operating in a post-Brexit regulatory environment.

Finally, we analyse the High Court’s judgment in Getty Images v Stability AI, a case that underscores the growing tension between intellectual property law and generative AI technologies. The decision offers critical insights for developers and rights holders navigating the complex intersection of innovation and IP enforcement.

As always, we round up the latest legal tech developments, providing practical guidance for organisations seeking to stay ahead in a rapidly shifting regulatory landscape.

Top tech trends: Legal updates

Victoria Robertson, Partner

The Data (Use and Access) Act 2025: Key Implications for the Technology Sector

The Data (Use and Access) Act 2025 (DUAA) received royal assent on 18 June 2025, introducing targeted reforms to the UK's data protection framework. Some provisions came into force earlier this year, whilst most will be implemented throughout 2026. For technology companies - from AI developers to SaaS providers - DUAA presents both opportunities and compliance challenges that require attention. 

One of DUAA's most significant changes is the relaxation of restrictions on automated decision-making (ADM). Previously, solely automated decisions with legal or similarly significant effects were generally prohibited unless necessary for a contract, authorised by law, or based on explicit consent. DUAA introduces a more flexible framework, allowing organisations to use any lawful basis (including legitimate interests, but excluding the new recognised legitimate interests basis for ADM) provided appropriate safeguards are in place.

These safeguards include providing clear information about the logic involved in the decision-making; allowing individuals to make representations; ensuring meaningful human intervention in the decision-making process; and enabling individuals to contest decisions. Critically, DUAA clarifies that "meaningful human intervention" must be substantive and informed - the human reviewer must be able to challenge or override the AI system. This is particularly relevant for tech companies deploying AI-driven systems in recruitment, credit scoring, or customer service.

Read the full article here.

The Digital Omnibus: Reshaping Data Protection and AI Regulation Across Europe and Beyond-A "Simpler and Faster Europe"

The European Commission published a far-reaching set of proposed changes to existing data and AI legislation on 19 November 2025 as part of its Digital Omnibus, which seeks to simplify existing data privacy, cybersecurity, and AI rules, and boost innovation by requiring less time to be spent on compliance and administrative work.

The changes carry implications that will extend beyond EU borders, particularly for the United Kingdom, which has the UK GDPR (a retained and amended version of the EU GDPR) in force. The published proposals will need to be negotiated and agreed with the European Parliament and the Council of the EU. If the proposals are made law in the EU they will not take direct effect in the UK but the UK's data commissioner, the ICO, will doubtless consider changes made to the EU GDPR and whether similar changes will need to be made to the UK GDPR so that it does not end up being more prohibitive than the EU version.

The European Commission's staff working document notes that the Digital Omnibus could amount to EUR 5 billion in cost savings for businesses by 2029 and a further EUR 1 billion for public authorities. The Digital Omnibus has had a mixed reception – for example, the Lovelace Institute has commented, "If passed, the Omnibus will be the most significant and extraordinary reversal in digital rights in a generation, leaving the EU with worse personal data protection than, for instance, California in some respects."

Read the full article here.

Alice Stripe, Senior Associate and Alina Kazmi, Trainee Solicitor

Getty Images v Stability AI: Case Update

The High Court recently delivered its judgment in Getty Images v Stability AI. The decision marks a significant development in the use of generative AI and the enforcement of intellectual property.

Originally, Getty Images claimed that Stability AI's Stable Diffusion model, which creates images from text prompts, infringed copyright, trade marks and database rights. Before trial, Getty however abandoned some of its claims, so that the judgment ultimately focused on i) trade mark infringement; and ii) secondary copyright infringement issues.

The Stability AI model operates (much like other AI models) by scraping millions of images without permission in order to train its model. Released in 2022, Stable Diffusion generates synthetic images based on text prompts and has multiple versions (v1.x, v2.x, SD XL, v1.6). Getty alleged this training process infringed its intellectual property, with some AI-generated outputs containing Getty and iStock watermarks.

Read the full article here.