Legal News

Section 6 of the Victims and Prisoners Act 2024 supersedes VPA 2024, s 17, scrapping the prior constraint that protected disclosures had to be made to particular recipients for specified purposes. Any term in any agreement, including commercial non-disclosure agreements ( NDAs), is void to the extent it seeks to stop a victim, or someone who reasonably believes they are a victim, from revealing relevant criminal conduct-or the counterparty’s reaction to it-to anyone, for any purpose. The new provision binds the Crown, subject only to a tightly drawn national security exception. This analysis examines how these reforms align with existing common law limits on confidentiality and their consequences for standard commercial NDA templates. It is written by Richard Hanstock, a barrister at Cornerstone Barristers and the founder of Deeptech Legal, an SRA-authorised firm specialising in cybersecurity, artificial...

In this issue: Cybersecurity Data protection Daily and weekly news alerts New and updated content Cybersecurity DSIT publishes speech by Digital Minister on rising cyber security threats The Department for Science, Innovation and Technology ( DSIT) has released a speech delivered by the Digital Minister, Liz Lloyd, at the New Statesman Security and Resilience Conference on 5 May 2026, in which she characterised cyber security as ‘foundational’ to national security, economic resilience and business growth in a world facing growing instability. The minister cautioned that cyber threats are increasing in frequency, disruption and cost: 43% of businesses reported a cyber breach or attack in the past 12 months, rising to 69% among large organisations, while 29% encountered assaults at least weekly......

The Department for Science, Innovation and Technology ( DSIT) stated that the UK AI Security Institute ( AISI), together with the Australian AISI, has agreed a memorandum of understanding aimed at bolstering co-operation regarding AI safety and security risks......

In this issue: Data protection Cybersecurity Daily and weekly news alerts New and updated content Data protection EDPB unveils DPIA template to bolster uniformity in GDPR compliance workflows The European Data Protection Board ( EDPB) has approved a template for Data Protection Impact Assessments ( DPIAs), seeking to simplify adherence to the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR), and to improve consistency and alignment across Europe. The template is designed to help organisations structure, harmonise, substantiate and evidence their DPIA reporting processes, and is accompanied by an explainer document intended to support its practical use. The template is open for public consultation until 9 June 2026. See: LNB News 15/04/2026 22. Commission to launch EU age-verification app The European Commission has announced and confirmed that its EU age verification app is technically ready and complete, and will soon be made available for citizens to use when...

In this issue: Data protection Cybersecurity Reputation management Daily and weekly news alerts New and updated content Data protection Abuse of the right of access and causality ( Brillen Rottler) The Court of Justice has issued a judgment in Brillen Rottler clarifying the limits of the right of access in Article 15 of the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679. It found that even an initial access request can be treated as “excessive” where the data subject acts with an abusive purpose, marking a move from a numerical to a qualitative appraisal of excessiveness. The Court also confirmed that Article 82(1) liability covers administrative breaches—for example, an unjustified refusal of an access request—even in the absence of a discrete processing operation. However, it applied a causation safeguard to prevent the EU GDPR being exploited for purely monetary...

In this issue: Data protection e Privacy Cybersecurity Daily and weekly news alerts New and updated content Data protection Data ( Use and Access) Act 2025 ( Consequential Amendments and Transitional Provision) Regulations 2026 SI 2026/386: These Regulations amend 39 pieces of UK primary legislation, 16 pieces of UK secondary legislation, and five pieces of assimilated direct legislation concerning data protection. They introduce a range of changes arising from sections 117, 118 and 119(1) of the Data ( Use and Access) Act 2025 ( DUAA 2025). Made under the DUAA 2025 in relation to assimilated law, they commence partly before DUAA 2025, s 119 is fully in force, and take full effect once DUAA 2025, s 119 (transfer of functions to the Information Commission) is wholly commenced. ( Updated from draft on 31 March 2026.) See: LNB News...

In this issue: Data protection Cybersecurity Reputation management Daily and weekly news alerts New and updated content Data protection ICO updates data protection guidances following DUAA 2025 and publishes guidance on recognised legitimate interest The Information Commissioner’s Office ( ICO) has refreshed three guidance documents. Updates include: its data protection principles guidance, incorporating changes from the Data ( Use and Access) Act 2025 ( DUAA 2025), such as rules on compatibility and reusing personal data its guidance on the legitimate interests lawful basis, revised to reflect DUAA 2025 amendments and to align with the ICO’s current style guide its purpose limitation guidance, updated for DUAA 2025 changes — including compatibility and the reuse of personal information — and aligned to the ICO’s latest style guide See: LNB News 24/03/2026 70. Ofcom publishes statement on age assurance and...

Siniakovich v Hassan- Soudey and others [2026] EWCA Civ 215 What are the practical implications of this case? Disputes about limitation and the point at which proceedings are ‘brought’ despite payment of an incorrect court fee can now be conclusively resolved by adhering to the Court of Appeal’s guidance: The issue of when an action is ‘brought’ under the Limitation Act 1980 is one of substance rather than form; it does not depend on interpreting the civil procedure rules or practice directions. For limitation, proceedings are brought when a claim form, stated with sufficient clarity, is first delivered to the court office and a fee is tendered or paid, or a help with fees form is filed. That is sufficient. Proceedings are still treated as brought (for limitation) even if the court issue fee paid is the wrong amount......

In this issue: Data protection Cybersecurity Daily and weekly news alerts New and updated content Data protection Commission and EDPB publish responses to consultation on draft EU DMA- GDPR joint guidelines The European Commission and the European Data Protection Board ( EDPB) have released the submissions received to their October 2025 consultation on draft joint guidelines examining the relationship between the EU Digital Markets Act ( DMA) and Regulation ( EU) 2016/679 ( General Data Protection Regulation ( GDPR)). More than 100 responses were lodged, indicating broad endorsement of the initiative and a desire for stronger cross-regulatory cooperation. The Commission and the EDPB are now assessing the feedback to decide whether, and in what manner, to refine the draft guidelines, with final adoption anticipated in Q4 2026. The aim is to deliver greater legal clarity and certainty for businesses and citizens across the EU,...

Statement follows. EDPB and EDPS support harmonisation of clinical trials under European Biotech Act, but call for specific safeguards for sensitive health data Brussels, 12 March 2026— The European Data Protection Board ( EDPB) and the European Data Protection Supervisor ( EDPS) have issued a Joint Opinion on the European Commission’s Proposal for a European Biotech Act. The Proposal aims to reinforce Europe’s biotechnology and biomanufacturing sectors, particularly in health, by simplifying the regulatory landscape and updating the framework for clinical trials. The EDPB and the EDPS back the Proposal’s objective of strengthening the EU’s competitiveness and tackling existing fragmentation in the implementation of the Clinical Trials Regulation ( CTR). Notably, they welcome the intention to create a single legal basis for sponsors and investigators to process personal data, which would greatly improve legal certainty across Europe......

In this issue: Data protection e Privacy Daily and weekly news alerts New and updated content Data protection Government launches consultation on introduction of voluntary digital ID for public services The Cabinet Office, working alongside the Department for Science, Innovation and Technology, has opened a consultation on proposals to create a voluntary national digital identity document ( ID) for use when accessing public services. The exercise invites opinions on the planned system’s design, scope and governance. The government’s aim is for the digital ID to build upon existing identity verification frameworks. Participation would be optional, with no legal duty to acquire or present it, and established non-digital routes to public services would continue to be available. The consultation also requests views on topics such as the minimum qualifying age, the data elements to appear on the digital ID (for example, proof of...

In this issue: Data protection Cybersecurity Lex Talk® Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Data protection Data by any other name— Court of Appeal reverses Upper Tribunal’s ruling on the protection of ‘personal data’ ( DSG v ICO) The Court of Appeal unanimously allowed the Information Commissioner’s Office ( ICO) appeal, deciding that data subjected to unauthorised or unlawful handling by a third party still counts as personal data from the controller’s standpoint, even where it is pseudonymised for the controller and rendered anonymised for the attacker. As a result, the court confirmed that a data controller must implement appropriate technical and organisational measures to safeguard that personal data against hackers, notwithstanding that those third parties cannot themselves identify the individuals to whom the data pertains......

In this issue: Data protection Daily and weekly news alerts New and updated content Data protection ICO fines Reddit £14.47m for unlawful use of children’s personal data The Information Commissioner’s Office ( ICO) has imposed a £14.47m penalty on Reddit after determining it unlawfully processed children’s personal data because of age‑assurance shortcomings under UK data protection law. The ICO concluded that, before January 2025, Reddit had neither implemented any robust age‑assurance solution nor undertaken a data protection impact assessment, leading to the unlawful handling of data relating to children under 13 and exposing them to unsuitable and harmful material. While Reddit brought in both age verification and age declaration measures in July 2025, the ICO flagged that self‑declaration carries inherent risks and confirmed it is keeping the platform’s processing of children’s personal information under close ongoing review as part of its broader intervention to enhance the...

In this issue: Data protection Cybersecurity Daily and weekly news alerts New and updated content Data protection ICO publishes guidance on data protection complaints processes The Information Commissioner’s Office ( ICO) has issued guidance setting out fresh duties for organisations to put in place data protection complaints procedures under the Data ( Use and Access) Act 2025. From 19 June 2026, all organisations must offer a route to complain, acknowledge receipt within 30 days, provide a timely response, and clearly inform complainants of the outcome of their complaint. Importantly, these rules carry no exemptions. See: LNB News 13/02/2026 16. Forum selection for data protection claims ( Wysokinski v OCS Security Ltd) The Court of Appeal ruled that a judge was right to move a data protection and human rights action from the High Court to the County Court under CPR 53.4(2). The claim lacked...

In this issue: Data protection Cybersecurity Daily and weekly news alerts New and updated content Data protection ICO publishes framework for handling data protection complaints The Information Commissioner’s Office ( ICO) has released guidance explaining its method for dealing with data protection complaints, including the factors it will use to decide the scope of any inquiry. The framework brings in a triage approach that gives priority to complaints showing significant harm, involving vulnerable people, or linked to strategic aims. In addition, the ICO is developing a threshold mechanism that could prompt intervention where organisations receive several complaints within a defined period, although the precise thresholds have not yet been set out. See: LNB News 06/02/2026 54. ICO updates data protection by design guidance following DUAA commencement The ICO has issued updated guidance on data protection by design and by default to coincide with the...

Meta Platforms’ Whats App can challenge a decision by a group of EU data protection authorities before the EU courts EU judges confirmed on 10 February 2026 that Whats App may directly contest a binding decision of the EDPB before the EU courts, in a landmark move that could clear the way for similar appeals currently stuck before EU judges. The EU Court of Justice said the EDPB’s measure creates binding legal consequences that can immediately impact the company, so a direct action is available indeed. As the court put it, the EDPB’s decision clearly qualifies as an act that can be challenged before the Courts of the EU, according to its statement. Observers have tracked the dispute closely because this is the first ruling to address whether an EDPB decision can be brought straight to the General Court, rather than forcing a company to route its...

In this issue: Data protection Cybersecurity Lex Talk®Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Data protection Key provisions of Data ( Use and Access) Act 2025 to come into force on 5 February 2026 The Secretary of State has made the Data ( Use and Access) Act 2025 ( DUAA 2025) ( Commencement No 6 and Transitional and Saving Provisions) Regulations 2026, SI 2026/82, bringing the bulk of the DUAA 2025’s data protection reforms into effect from 5 February 2026. These regulations initiate provisions on research and statistical purposes, consent to processing for scientific research, the lawfulness of processing, purpose limitation, data subject requests, automated decision-making, data protection by design for children, and transfers of personal data to third countries, among other matters. Further provisions dealing with complaints by data subjects will commence on 19 June 2026. See: LNB News 04/02/2026 26 and also LNB News...

RMK Maritime ( Europe) Ltd and another company v CMB. Tech NV (formerly known as Euronav NV) [2025] EWHC 2739 ( Comm) What are the practical implications of this case? The judgment has notable consequences for commercial lawyers advising on professional services contracts, M& A advisory mandates, and restitutionary claims. Prevalence of contract over restitution The court confirmed that unjust enrichment is a fallback doctrine, ordinarily inapplicable where a binding contract regulates the parties’ dealings. Even where certain services might be said to sit beyond the precise contractual remit, a restitutionary claim will fail if it would cut across the contractually agreed allocation of risk and remuneration. Legal force of NOM clauses and variation provisions The advisory agreement required any change to scope to be recorded in writing and signed by authorised representatives. The court regarded this as compelling evidence that informal...

Background and purpose of the proposal The existing CSA reinforced the EU Agency for Cybersecurity (‘ ENISA’) and established the European Cybersecurity Certification Framework (‘ ECCF’) to enable voluntary, EU-wide cybersecurity certification. After NIS2 was adopted in 2022, the EU legislator introduced compulsory cyber risk management and incident reporting duties for critical sectors. In light of escalating cyber threats and geopolitical shifts, the new Cybersecurity Package proposes updates to the CSA and NIS2 to: strengthen the protection of critical Information and Communication Technologies (‘ ICT’) supply chains within NIS2 sectors streamline use of EU cybersecurity certifications under the ECCF make NIS2 compliance easier while bolstering ENISA’s cross-border supervision support What are key changes in the EU Cybersecurity Act 2? The proposed Revised EU Cybersecurity Act, or EU Cybersecurity Act 2 (‘ CSA2’), would fully replace the CSA and introduces the following new...

For more on significant movements in Information Law, consult Trackers—overview and, in particular, these key Practice Notes: Data ( Use and Access) Act—tracker UK e Privacy law reform—tracker The UK NIS Regulations—timeline ICO consultations tracker 2025 Additional trackers can be found within our EU Law practice area, including the following Practice Notes: EU GDPR—cross-border enforcement reforms—tracker EU e Privacy Directive—tracker EU Cybersecurity initiatives tracker The EU NIS 2 Directive—timeline EU GDPR— EDPB supranational level guidance tracker Further commentary and updates are delivered via our current awareness alerts and highlights. Select ‘ Create Alert’ on your ‘ Alerts’ tab and adjust your personal settings to subscribe. Confidential information What were the key developments in 2025? In the UK, section 17 of the Victims and Prisoners Act 2024 ( VPA 2024) commenced on 1 October 2025. This provision places on a...