Blog
When can organisations rely on “consent” under data protection laws? The Court of Appeal clarifies in RTM v Sky Betting and Gaming
Caroline Sheldon
The UK Government has now published its March 2026 Report on Copyright and Artificial Intelligence, following its 2024–25 consultation on the use of copyright‑protected works in AI training. The outcome is significant - not for what it introduces but for what it postpones.
For now, copyright reform has been paused. The question is whether this pause meaningfully improves certainty for creators and AI developers or simply prolongs an already difficult status quo.
Why this consultation mattered
The consultation addressed a genuine and growing problem. Rights holders remain concerned that their works are being used to train AI systems without consent or remuneration. AI developers, meanwhile, stress that access to large volumes of data is essential for innovation and competitiveness.
The Government accepted that UK copyright law, drafted long before generative AI, does not provide clear answers. In practice, businesses have been left to navigate this through litigation, licensing workarounds and varying risk appetites.
That uncertainty carries real economic and operational consequences.
The Government’s original objectives
Launched in December 2024, the consultation set out three aims:
- To support rights holders’ ability to control and monetise their works.
- To enable world‑leading AI development in the UK through lawful access to data.
- To improve transparency and trust between the creative and AI sectors.
A wide range of options were considered, from licensing‑only approaches to broad text and data mining exceptions. Initially, the Government indicated a preference for an opt‑out model, subject to new transparency obligations.
What the consultation showed
Stakeholder engagement was high. More than 11,500 responses were submitted, with a clear message emerging from creative industries in particular: strong resistance to opt‑out exceptions and broad support for licensing‑based models requiring consent.
The consultation succeeded in surfacing evidence and views. What it did not produce was a consensus on a solution that met all policy objectives simultaneously.
Where things now stand
In its March 2026 Report and Written Ministerial Statement, the Government confirmed it will not proceed with legislative reform at this stage.
The previously favoured opt‑out exception has been set aside. No alternative model has been chosen. Instead, the Government has emphasised the need for further analysis before making changes to copyright law.
That caution is understandable to a certain degree. Copyright reform in the AI context carries real trade‑offs, but the result is that existing law, and its uncertainties, remain firmly in place.
What is still moving forward
The pause on reform does not mean inactivity. The Report highlights continued work on:
- Transparency around AI training data and web‑scraping practices
- Labelling of AI‑generated content
- Technical tools such as metadata and watermarking
- Exploration of scalable licensing mechanisms
These strands are useful and necessary. However, they sit alongside (rather than resolve) the underlying legal uncertainty around AI training.
Why the current approach remains challenging
The Government’s emphasis on “getting this right” is sensible in principle. But prolonged deferral has consequences. In the absence of clearer rules, risk continues to be allocated unevenly, often to individual creators, SMEs and early‑stage businesses with limited leverage.
Transparency initiatives and market solutions cannot fully substitute for legal clarity.
What clients should take away
- Rights holders should continue to assume their rights are enforceable and invest in monitoring and licensing strategies.
- AI developers should plan on the basis that no copyright exception is imminent; data provenance, consent, and transparency remain essential.
- Boards and investors should continue to treat copyright exposure as both a legal and reputational issue.
The consultation has clarified the difficulty of the problem. It has not yet resolved it.
While further work may be justified, the risk is that delay becomes a policy outcome in itself, leaving uncertainty to harden rather than diminish.
Further information
If you have any questions regarding this blog, please contact Christopher Perrin in our Corporate, Commercial & Finance team.
about the author
Christopher Perrin is a highly experienced solicitor who leads the Corporate, Commercial and Finance team’s general Commercial & Technology Contracts, Outsourcing & Data legal advisory services.
Latest blogs & news
When can organisations rely on “consent” under data protection laws? The Court of Appeal clarifies in RTM v Sky Betting and Gaming
The Court of Appeal's recent decision in RTM v Bonne Terre Limited & Hestview Limited [2026] EWCA Civ 488 is an important one for any business/controller that relies on consent as a lawful basis for processing personal data or sending direct marketing communications. In short, the legal test for consent under data protection legislation is an objective one, not a subjective inquiry into the data subject’s internal state of mind.
“Recruitment Rewired”: what employers need to know about automated recruitment
On 31 March 2026, the Information Commissioner’s Office (ICO) published its Report, “Recruitment Rewired: an update on the ICO’s work on the fair and responsible use of automation in recruitment”, setting out its findings and regulatory expectations for employers using AI‑enabled or automated tools in recruitment.
Employment law changes tech businesses need to know about
A significant number of employment law reforms are coming into effect in 2026 and 2027 following the introduction of the Employment Rights Act 2025 at the end of last year.
Court of Appeal confirms scope of data controllers’ security obligations
In a recent decision, the Court of Appeal allowed the UK Information Commissioner's appeal against the decision of the Upper Tribunal in proceedings involving DSG Retail Limited ("DSG"). The case arose from a nine-month cyber-attack in 2017-2018 on DSG’s systems, during which the attackers scraped transaction data from point-of-sale terminals from over 5.6 million payment cards. The compromised data included card numbers and expiry dates but not cardholders' names, meaning the attackers could not directly identify individuals from the data alone.
Copyright & artificial intelligence: Progress, pause and persistent uncertainty
The UK Government has now published its March 2026 Report on Copyright and Artificial Intelligence, following its 2024–25 consultation on the use of copyright protected works in AI training. The outcome is significant - not for what it introduces but for what it postpones.
Government announces tough new late payment laws – what happens next?
The UK Government has confirmed a major package of reforms to tackle late payments, a persistent pressure point for small businesses, costing the economy £11 billion a year and contributing to 38 business closures every day.
Business Development: Playing The Right CARD
The professional services industry faces rapid change
Companies House security issue: What your business should do now
A serious security vulnerability affecting the five million registered companies on Companies House was recently discovered. More on this below, but we would urge all companies to check their records carefully and ensure there is nothing unexpected in their Companies House filings and dashboard.
What tech businesses need to know in 2026
At our recent Tech Briefing, 'What tech businesses need to know in 2026', we explored how the EU’s Digital Omnibus package and the UK’s Employment Rights Act will reshape compliance for UK tech SMEs.
Five common contract weaknesses – and how to fix them
Most commercial disputes don’t come from exotic legal issues - they come from everyday contract weaknesses that could have been avoided with a few smart tweaks
2026 marks a turning point for data governance in the UK
2026 is shaping up to be the most consequential year for UK data protection enforcement since the introduction of the EU/UK GDPR regime. With record fines issued in late 2025, a new enforcement playbook on the horizon, and shifting legislative and regulatory expectations, the Information Commissioner’s Office (“ICO”) is signalling a marked transformation in how it supervises, and sanctions, organisations.
Why limitation of liability clauses deserve more attention than they get
Too often, limitation of liability clauses are treated as standard boilerplate - something to tidy up at the end of a negotiation once the “real” commercial points are agreed.
2026 brand threats that could be opportunities: Polarisation, AI, NextGen, and Saturation
What are these megatrends that could pose a threat to brands in 2026?
From Seed to Series A and Beyond: 7 Key Insights for Tech Founders
In this article, we share 7 key considerations to help tech founders navigate the journey from seed funding to Series A and beyond.
Biggest EU Digital Shake-Up Since GDPR? What Businesses Need To Know
In November 2025, the European Commission unveiled its Digital Omnibus package – a set of proposals aimed at simplifying (not deregulating) EU rules on data protection, cybersecurity and AI.
Clearview AI ruling confirms UK GDPR applies beyond borders
In a recent decision on the UK GDPR’s global scope, the Upper Tribunal in The Information Commissioner v Clearview AI Incorporated and Privacy International [2025] UKUT 319 (AAC) confirmed that the UK’s data protection regime can extend well beyond its borders.
UK Tech SMEs & the November Budget
Founders and teams across the country are looking for signals that the UK still backs its innovators. Here’s what’s top of the wish-list:
Why does software ownership matter? Six key legal takeaways for tech businesses
For founders, investors and anyone involved in the tech sector, understanding who owns your software and how to prove it is critical. Whether you’re seeking investment, planning an exit or simply aiming to protect your IP, clarity on ownership can make or break a deal
Court of Appeal clarifies data protection claims for non-material damage: A win for claimants - But what are the implications for controllers and processors?
The Court of Appeal has recently handed down an important decision in respect of data protection law considerations in Farley & Others v Paymaster (trading as Equiniti) [2025] EWCA Civ 1117, providing clarity on the scope of infringement and compensation data protection claims under the UK GDPR and Data Protection Act 2018 (“DPA”). The judgment will be of particular interest to any service provider dealing with and processing large volumes of customer personal data.
5 Reasons Why Fundraising can Go Wrong
At some point in their history, businesses commonly have need for external funding to help their growth trajectory.
Share insightLinkedIn X Facebook Email to a friend Print