Dechert Cyber Bits

EU Regulators Issue Joint Opinion on EU Proposal for Simplification of AI Rules 

On January 21, 2026, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) published a joint opinion responding to the European Commission’s proposal to simplify and adjust parts of the AI Act, through the Digital Omnibus on AI. While the EDPB and EDPS support efforts to reduce administrative burdens and improve workability for businesses and authorities, they emphasize that simplification must not undermine fundamental rights, particularly data protection, privacy and non-discrimination. The opinion therefore examines how the proposed simplification measures can be implemented without creating risks of abuse or regulatory gaps.

A central focus addressed in the opinion is the proposed expansion of the legal basis for processing special categories of personal data for the purposes of bias detection and correction in AI systems. While the EDPB and EDPS acknowledge that such processing may be necessary in some cases, they highlight that it must be limited to cases where there is a sufficiently serious risk of adverse effects caused by such bias. Similarly, the opinion raises concerns that the proposed relaxation of registration and documentation obligations for AI systems in high-risk fields would undermine transparency, accountability, and effective supervision. 

The EDPB and EDPS also express concern about proposed delays to the application timeline of key AI obligations, warning that postponements may weaken protection in a rapidly evolving AI landscape. 

Takeaway: The EU has been making and continues to make efforts to ease the burden of compliance across digital regulation, but how to re-draw the balance is a contentious issue, particularly in the context of AI. Passing the EU AI Act initially involved extensive and complex negotiations between EU legislative bodies. The EDPB and EDPS opinion demonstrates some of the difficulties of re-opening the requirements of that legislation. Where legislation is designed to protect individuals’ fundamental rights, de-regulation is likely to involve a tradeoff. The opinion shows regulatory pushback against promoting AI innovation at the expense of safeguards for individuals’ rights. It remains to be seen whether the EU legislator will find the political will to push through more business-friendly regulation.

“To Be, or Not to Be” a “Consumer” Under the Video Privacy Protection Act

The U.S. Supreme Court has granted a petition for a writ of certiorari to resolve the question of who qualifies as a “consumer” under the federal Video Privacy Protection Act (“VPPA”). The Court accepted a challenge to a ruling that held a Paramount Global 24/7 Sports digital newsletter subscriber could not sue under the VPPA. Last month, the Court denied petitions seeking consideration of another case by the same petitioner, Michael Salazar, in the Second Circuit addressing the VPPA’s scope.

Salazar asked the Court to determine whether the VPPA applies to individuals who subscribe to non-audiovisual content, such as a digital newsletter from a company that also offers video, rather than only to those who subscribe directly to audiovisual materials. The VPPA defines a “consumer” as anyone who rents, purchases, or subscribes to “goods or services from a video tape service provider.” Salazar argued that subscribing to any of a provider’s offerings suffices, even if videos are accessed on a provider’s website rather than through the newsletter. Defendants countered that plaintiffs must subscribe specifically to video content, warning that a broader reading would “transmogrify [the statute] into a prohibition against targeted advertising on the internet,” apply “haphazard[ly],” be “unadministrable,” and produce windfalls.

U.S. Circuit Courts are currently split on this issue. The Second and Seventh Circuits read “consumer” to include anyone who rents, purchases, or subscribes to any of the provider’s goods or services, audiovisual or not. A divided Sixth Circuit (in Salazar’s dispute with Paramount), and the D.C. Circuit in Pileggi v. Washington Newspaper Publishing Co., have adopted a narrower view requiring a plaintiffs to subscribe to audiovisual materials.

Takeaway: The U.S. Supreme Court’s decision in this case will clarify who qualifies as a “consumer” under the VPPA, resolving whether non-video subscribers, such as newsletter subscribers, can bring claims under the statute. A broader interpretation would heighten litigation risk for companies offering video content alongside newsletters or other services, prompting changes to consent mechanisms and other data and advertising practices. Conversely, a narrower definition would limit VPPA claims to users who subscribe directly to video offerings, reducing companies’ exposure.

UK Data Regulator Updates Guidance on International Transfers Under the UK GDPR 

The UK Information Commissioner’s Office (“ICO”) has published updated guidance on international transfers of personal data, clarifying how businesses should comply with the transfer rules under the UK GDPR. The revised guidance outlines key requirements and aims to simplify compliance by setting out a ‘three step test’ to help organizations determine whether a data transfer is restricted by the UK GDPR. The three step test for identifying a restricted transfer involves considering:

1. whether the UK GDPR applies to the processing of the data to be transferred;
2. whether the transfer is to a recipient that is outside of the UK; and
3. whether the recipient is a separate legal entity (data controller or data processor) from the exporter.

If all three criteria are met, the transfer is considered a restricted transfer, and the UK GDPR transfer rules will apply. 

The updated guidance also aims to clarify the respective roles and responsibilities for controllers and processors when engaging in restricted transfers, including some helpful scenarios for understanding which party is considered to be ‘initiating’ a transfer (and is therefore responsible for complying with the transfer rules):

• Controller transferring personal data to non-UK processor: Controller initiating
• Processor transferring personal data to non-UK sub-processor: Processor initiating (with Controller authorization)
• Controller instructing processor A to transfer personal data to non-UK processor B: Controller initiating
• Processor transferring personal data to multiple parties as part of its processor-designed service: Processor initiating

While the guidance indicates that the party initiating the transfer is responsible for complying with the transfer rules, there is a later reminder of a controller’s general responsibilities when allowing a processor to initiate transfers (including ensuring there is a lawful basis and informing data subjects of such transfers). Further, although it is the processor’s responsibility to put in place a transfer mechanism and conduct a transfer risk assessment (where required), the controller must still carry out reasonable and proportionate checks on whether those restricted transfers comply with the UK GDPR. 

Helpfully, the guidance also clarifies that organizations do not need to carry out transfer risk assessments for onwards transfers by the initial recipient, although an understanding and mapping of those transfers is recommended. The ICO has confirmed that its work in this area is ongoing and that it will be updating its template transfer documents later this year. 

Takeaway: The updated guidance is intended to provide simple and accessible guidance and tools for compliance with rules on international data transfers, containing many useful example scenarios. For those concerned that the new “not materially lower” test for adequacy under the UK’s Data (Use and Access) Act (see further here) might represent a divergence from EU standards, the ICO confirms that it considers the underlying principle to remain the same. This also means that transfer risk assessments carried out previously remain valid under the new language.  The reminders in the guidance of broader UK GDPR obligations (including checks on processor transfers) mean that those organizations leaving transfers entirely to their processors may find that they are not satisfying the ICO’s expectations. As such, while the fundamental requirements for data transfers have not changed, organizations will want to conduct a review of their transfer landscapes and the checks and balances they have in place. 

House of Commons Releases Research Briefing on AI Content Labelling

On January 20, 2026, the House of Commons (“HOC”) published a research briefing on AI content labelling, which alerts people when they are engaging with content that has not been created by humans. In sum, it involves marking content that has been generated or altered by AI to help people understand its origins and assess its reliability. The briefing discusses types of labels, including impact-based labels, which highlight the potential for harm, and process-based labels, which aim to communicate to users how content was created, including whether AI was involved. Also discussed in the briefing is a study of the influence of labels on users.

The HOC’s briefing provided an encompassing overview of the current labelling policies of social media companies, news organizations, search engines, and video game services. For example, some social media companies, such as Meta and TikTok, have different labelling policies for content edited or modified using generative AI tools on the one hand, and content that has been wholly generated using AI tools, on the other. Companies such as LinkedIn label AI-generated content using technologies such as the “content credentials” developed by the Coalition for Content Provenance and Authenticity. The briefing identified X as the only social media company that has not published any policies on the use and labelling of AI-generated content on its platform. In its issued strategic approach to AI for 2025/26, Ofcom, the UK’s media regulator, said that industries it regulates are free to use AI as they see fit, though it will monitor and mitigate any associated risks.

The briefing includes an examination of regulations and company policies that could affect AI content labelling in the UK. In the UK, there is no legislation that requires AI-generated content to be labelled as such; however, the government’s consultation on Copyright and Artificial Intelligence which closed December 2024, said that the government was in favor of clear AI content labelling. The EU, in contrast, has transparency rules for content produced by generative AI under article 50 of the EU AI Act (due to become effective from August 2026, but proposed to be delayed until 2027), discussed in Issue 88 of Cyber Bits, which includes among those requirements, for providers of AI systems that generate or manipulate content to mark those outputs in ways that are machine-readable and detectable.

Takeaway: The HOC’s briefing highlights clearly that AI content labelling is on the UK government’s radar, even absent a UK legal mandate. The briefing identifies the need for organizations that create, host, or distribute AI‑generated or altered content to adopt consistent process‑ and/or impact‑based labelling frameworks. It would also be prudent for companies that employ AI tools in content creation to build machine‑readable, detectable disclosures to future‑proof against the EU AI Act’s transparency requirements where operations or audiences touch the EU. Early, voluntary labelling, backed by governance for accuracy, detection, and audit trails, will mitigate regulatory and reputational risk and position businesses to comply quickly if UK rules follow.

Dechert Tidbits

Proposed New Cybersecurity Package for the EU

On January 20, 2026, the European Commission proposed a cybersecurity package that would revise the Cybersecurity Act and amend the NIS 2 Directive. The proposals follow a November 2025 announcement of the Digital Omnibus simplification package, aiming to simplify rules and reduce administrative compliance burdens. Notably, the proposal aims to facilitate a single reporting mechanism for cyber incidents proposed to be introduced under the Omnibus.