Photo of Tomos Griffiths

Tomos Griffiths

Tomos Griffiths is an associate working across the technology regulatory and competition groups in London.

Tomos joined the firm as a trainee solicitor in 2021, qualifying in 2023. His practice covers technology regulation, competition law, and regulation that spans the two. His recent experience includes advising clients on data protection compliance, foreign direct investment screening, and competition law litigation.

As a trainee solicitor, Tomos also gained experience in capital markets and commercial litigation for clients in the technology and life sciences sectors.

In the past few weeks, there have been significant developments relating to the “legitimate interests” legal basis under Article 6(1)(f) of the GDPR:

  • On 4 October 2024, the Court of Justice of the EU (“CJEU”) handed down its judgment in a case relating to the Royal Dutch Lawn
Continue Reading Five key takeaways from recent EU developments on the GDPR’s “legitimate interests” legal basis

The UK Government has announced that it intends to introduce the Cyber Security and Resilience Bill (the “Bill”) to Parliament in 2025. Formally proposed as part of the King’s Speech in July, this Bill is intended to strengthen the UK’s cross-sectoral cyber security legislation to better protect the UK’s economy and infrastructure. This Bill will update the existing NIS Regulations, which derive from EU law. Part of the UK Government’s motivation seems to be to keep pace with updates to EU law in this area, specifically relating to the NIS2 Directive that starts to apply this month (see our blog post on this, here).Continue Reading What to expect from the UK’s Cyber Security and Resilience Bill (and when)

The UK Government recently published its AI Governance and Regulation: Policy Statement (the “AI Statement”) setting out its proposed approach to regulating Artificial Intelligence (“AI”) in the UK. The AI Statement was published alongside the draft Data Protection and Digital Information Bill (see our blog post here for further details

Continue Reading UK Government Sets Out Sector-Specific Vision for Regulating AI  

On 18 July 2022, following its recent response to the public consultation on the reform of UK data protection law (see our blog post on the response here), the UK Government introduced its draft Data Protection and Digital Information Bill (the “Bill”) to the House of Commons.

The Bill is 192 pages, and contains 113 sections and 13 Schedules, which amend and sit alongside existing law (the UK GDPR, Data Protection Act 2018 (“DPA”), Privacy and Electronic Communications Regulations 2003 (“PECR”), the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, etc.). Some readers’ immediate reaction might be to query whether the Bill will simplify the legislative framework for businesses operating in the UK and facilitate the goal of the Information Commissioner to provide “certainty” for businesses. Time will tell. The Government’s publication of a Keeling Schedule (essentially a redline of the UK GDPR and DPA 2018 showing the changes resulting from the Bill), expected in the Autumn, will be welcome.

Much of the content of the Bill was previewed in the Government’s consultation response and include proposed changes that are designed to try to reduce the administrative burden on business to some extent.  The Bill is by no means a radical departure from existing law, however, and in some key areas – such as data transfers – the law will essentially remain the same.  But we now have additional important details on proposed changes to UK data protection law, and we set out in this post our immediate thoughts on some details that are worth highlighting.Continue Reading A Cautious Approach: the UK Government’s Data Protection and Digital Information Bill

In the early hours of Friday, 13 May, the European Parliament and the Council of the EU reached provisional political agreement on a new framework EU cybersecurity law, known as “NIS2”. This new law, which will replace the existing NIS Directive (which was agreed around the same time as GDPR, see here) aims to strengthen EU-wide cybersecurity protection across a broader range of sectors, including the pharmaceutical sector, medical device manufacturing, and the food sector.Continue Reading Political Agreement Reached on New EU Horizontal Cybersecurity Directive

On May 10, 2022, Prince Charles announced in the Queen’s Speech that the UK Government’s proposed Online Safety Bill (the “OSB”) will proceed through Parliament. The OSB is currently at committee stage in the House of Commons. Since it was first announced in December 2020, the OSB has been the subject of intense debate and scrutiny on the balance it seeks to strike between online safety and protecting children on the one hand, and freedom of expression and privacy on the other.Continue Reading Online Safety Bill to Proceed Through Parliament

In the Queen’s Speech on 10 May 2022, the UK Government set out its legislative programme for the months ahead. This includes: reforms to UK data protection laws (no details yet); confirmation that the government will strengthen cybersecurity obligations for connected products and make it easier for telecoms providers to improve the UK’s digital infrastructure; and new rules to enable the use of self-driving cars on public roads. In addition, the government confirmed its plans to move forward with the Online Safety Bill. As part of the government’s broader agenda to “level up” the UK and provide a post-Brexit economic dividend, many of the legislative initiatives referenced in the Queen’s Speech are presented as seeking to encourage greater use of data and technology to support innovation and enable growth.

We summarize below the key digital policy announcements in the Queen’s Speech and how they fit into wider developments in the UK’s regulatory landscape.Continue Reading UK Privacy and Digital Policy & Legislative Roundup

As many readers will be aware, a key enforcement trend in the privacy sphere is the increasing scrutiny by regulators and activists of cookie banners and the use of cookies. This is a topic that we have been tracking on the Inside Privacy blog for some time. Italian and
Continue Reading Regulators and Activists Increase Scrutiny on Use of Cookies and Cookie Banner Design