Businesses investing in, financing or operating data centres face a complex matrix of laws and regulatory requirements. Ensuring compliance is important for lender and investor due diligence and is crucial to avoiding fines, penalties and contractual or regulatory breaches that

Marcus Evans (UK)
Marcus is a communications, media and technology lawyer based in London. He focuses on data privacy and IT services.
What do organisations need to disclose to individuals about AI and automated decisions?
Individuals have the right to receive meaningful information about solely automated decisions with significant effects under the General Data Protection Regulation (GDPR). This includes decisions that will impact an individual’s finances or employment. But how much information are…
Prohibited practices under the AI Act: Answered and unanswered questions in the Commission’s guidelines
The EU AI Act’s prohibitions came into effect on 2 February 2025 and carry fines of 7% of worldwide annual turnover for non-compliance. The prohibitions at Article 5 and accompanying recitals (particularly recitals 28-44) set out a complex set of provisions.

The Commission’s guidelines on AI systems – what can we infer?
The EU’s AI Act imposes extensive obligations on the development and use of AI. Most of the obligations in the AI Act look to regulate the impact of the specific use cases on health, safety, or fundamental rights. These sets…
CJEU Advocate General clarifies when pseudonymised data falls outside the definition of personal data
On 5 February 2025, the Advocate General of the Court of Justice of the European Union (CJEU) issued its opinion in the case of C-413/23 P European Data Protection Supervisor (EDPS) v Single Resolution Board…
Online Safety Act: Protecting Children from Harmful Content Online – Ofcom’s Guidance on Age Assurance for Part 3 Services
Ofcom has published its guidance for implementing age assurance measures for regulated service providers. User-to-user (U2U) services and search services take note: a decision not to implement highly effective age assurance measures means that your service may be deemed by…
The EDPB Opinion on training AI models using personal data and recent Garante fine – lawful deployment of LLMs
The final days of 2024 were very eventful in the world of AI and data protection: the European Data Protection Board (EDPB) published its Article 64 General Data Protection Regulation (GDPR) opinion on training AI models using…
China’s proposed AI Labelling Regulations: Key points
In response to the rapid development of artificial intelligence (AI) technologies, the Cyberspace Administration of China (the CAC) recently issued two draft regulations for public consultation: Measures for Labelling Artificial Intelligence-Generated or Synthetic Content (the Draft AI…
The UK’s Public Authority Algorithmic and Automated Decision-Making Systems Bill: key takeaways
Lord Clement-Jones has introduced a Public Authority Algorithmic and Automated Decision-Making Systems Private Members’ Bill (Bill) into the House of Lords. Currently at the second reading stage, the Bill addresses increasing reliance on AI and algorithmic systems by…

Lessons on international transfers to the US to organisations caught by the GDPR
The Dutch data protection authority, the Autoriteit Persoonsgegevens (AP), announced a fine of €290 million on Uber Technologies Inc. (UTI) and Uber B.V. (UBV) (together Uber) with press releases in Dutch and English. The fine relates to the transfer of…