Information Law

Section 6 of the Victims and Prisoners Act 2024 supersedes VPA 2024, s 17, scrapping the prior constraint that protected disclosures had to be made to particular recipients for specified purposes. Any term in any agreement, including commercial non-disclosure agreements (NDAs), is void to the extent it seeks to stop a victim, or someone who reasonably believes they are a victim, from revealing relevant criminal conduct-or the counterparty’s reaction to it-to anyone, for any purpose. The new provision binds the Crown, subject only to a tightly drawn national security exception. This analysis examines how these reforms align with existing common law limits on confidentiality and their consequences for standard commercial NDA templates. It is written by Richard Hanstock, a barrister at Cornerstone Barristers and the founder of Deeptech Legal, an SRA-authorised firm specialising in cybersecurity, artificial intelligence, defence technology and national security...

In this issue: Cybersecurity Data protection Daily and weekly news alerts New and updated content Cybersecurity DSIT publishes speech by Digital Minister on rising cyber security threats The Department for Science, Innovation and Technology (DSIT) has released a speech delivered by the Digital Minister, Liz Lloyd, at the New Statesman Security and Resilience Conference on 5 May 2026, in which she characterised cyber security as ‘foundational’ to national security, economic resilience and business growth in a world facing growing instability. The minister cautioned that cyber threats are increasing in frequency, disruption and cost: 43% of businesses reported a cyber breach or attack in the past 12 months, rising to 69% among large organisations, while 29% encountered assaults at least weekly......

The Department for Science, Innovation and Technology (DSIT) stated that the UK AI Security Institute (AISI), together with the Australian AISI, has agreed a memorandum of understanding aimed at bolstering co-operation regarding AI safety and security risks......

Practice Note This Practice Note offers practical guidance on the current border controls between the United Kingdom and the European Union, along with the changes scheduled to commence on 1 January 2022. It covers customs declarations, the payment of customs duty and VAT, and sanitary and phytosanitary checks. Introduction In November 2021, the UK released its updated border operating model, explaining how the UK border functions in relation to the EU. The model was originally brought in on 1 January 2021 following the UK’s departure from the EU customs union. From that date, certain border controls were introduced. These were phased in to allow time to build and prepare the necessary infrastructure to support those controls. In December 2021, the UK further updated the border operating model to temporarily prolong staged customs controls for goods moving from the island of Ireland into Great Britain. This interim step was taken...

Environmental law comprises the body of rules intended to protect the environment. It affects a local authority (LA) through the LA’s own compliance responsibilities and because LAs hold statutory roles for consenting, enforcement and remediation across diverse environmental law regimes. This Practice Note assists practitioners working in or with LAs by describing scenarios in which environmental law issues might arise, and by offering guidance and links to the relevant environmental law content. Waste What is the LA’s duty in relation to the collection of waste? Subject to certain limited exceptions, waste collection authorities (WCAs) in England and Wales have a statutory legal obligation to arrange for the collection of household waste and, where requested, commercial waste and industrial waste. Local authorities in England and Wales must also collect specified categories of waste, ensuring those types are collected separately as distinct streams. The...

Database right Database right is a proprietary entitlement in the UK, arising from the transposition of Directive 96/9/EC (the EU Database Directive), and applies to a database where there has been substantial investment in acquiring, checking, or presenting its contents. Illustrations of what may amount to a database include: a hard copy or electronic encyclopaedia; collections of data hosted on websites; the intranet; a spreadsheet recording a database and a PDF version of that spreadsheet (see the Forensic Telecommunications Services Limited case); and a document management system. The EU Database Directive was put into effect in the UK by the Copyright and Rights in Databases Regulations 1997 (CRD 1997, also called the Database Regulations 1997), SI 1997/3032. Database right is infringed by the extraction or re-utilisation of the whole or a substantial part of the database’s contents without the permission of the rights holder. Not every database benefits from database right....

Defined terms : In addition to the definitions set out below, this Precedent also uses the defined terms ‘Agreement’, ‘Business Day’, ‘Customer’, ‘party’ / ‘parties’, ‘Services’ and ‘Supplier’, which are general rather than specific to data processing and are assumed to be defined separately in the relevant agreement. Refer to the drafting notes for further guidance. The Schedule 1 Definitions and interpretation 1.1 In this Schedule: Adequacy Regulation means any valid adequacy regulation referenced in Article 45A of the GDPR; Attached Standard Contractual Clauses means the provisions set out in [ Annex [ insert ] to ] Appendix 7; Binding Corporate Rules means the binding corporate rules referred to in Appendix 6; Controller has the meaning given in Data Protection Laws; Data Protection Impact Assessment shall be interpreted in line with Data Protection Laws; Data Protection Laws means all applicable laws relating to the processing, privacy and/or use of Personal Data, as...

STOP PRESS: On 19 June 2025, the Data (Use and Access) Bill obtained Royal Assent, becoming the Data (Use and Access) Act 2025 (DUAA 2025), with provisions also coming into force in part on that day. Certain DUAA 2025 provisions, addressing matters such as handling data subject access requests and the conferral of powers to make further regulations, commenced straightaway on 19 June 2025. Other provisions, relating to notices issued by the Information Commissioner and specific aspects of law enforcement processing, took effect on 19 August 2025 (being two months from the date of Royal Assent). The majority of DUAA 2025’s provisions will only commence once additional regulations are made, in the form of statutory instruments, to bring them into effect. Parts 5 and 6 of DUAA 2025 serve to amend aspects of data protection and ePrivacy law in the UK, including the United...

Confidentiality letter—private M&A—asset purchase—corporate seller Strictly private and confidential To: [ insert buyer name ] [ insert buyer address ] Date: [ insert date ] Dear [ insert buyer contact name ], Proposed acquisition of the business of [ insert name of business being acquired ] 1 Introduction 1.1 Further to our recent conversations, this letter concerns the intended disposal detailed herein by [ insert seller name ] (the Seller) of [ insert description of the business being sold ] (the Business), which trades under the name [ insert name of business being sold ] (the Business Name), on a going concern basis, together with [ insert description of the assets being sold ] (the Assets), to [ insert buyer name ] (or any member of its group of companies) (the Buyer) (the Proposed Acquisition). Each of the Seller and the Buyer constitutes a party and,...

This Q&A proceeds on the basis that: the question relates to a business-to-business transaction the question relates to a contract drafted and negotiated in the conventional manner and is not an e-commerce transaction entered into between the parties via website terms and conditions the question relates to the execution of a simple contract the question relates to the law of England and Wales Contract formation General contract law principles apply to agreements formed virtually......

Brexit—Commercial For help with your query, please refer to the following: Brexit—contract clauses and resources—checklist [Archived] Clause: Brexit—warranty for commercial contracts clause [Archived] Clause: Territory definition For additional guidance, see: Brexit collection......

Q&A For this Q&A, we take 'email journaling' to mean a method whereby messages entering or leaving a server are duplicated and sent to a single designated mailbox, creating a record of every message in and out, arranged in a user-selected order (typically by date/time). We have limited this response to circumstances that fit those assumptions, and to cases where the journal mailbox cannot be changed or interfered with by any server user holding normal privileges......