Legal News

Abraaj Investment Management Ltd (in liquidation) and other companies v Kes Power Ltd and others [2026] EWHC 65 ( Comm) What are the practical implications of this case? The recent High Court judgment in Abraaj Investment Management v Kes Power closely analyses assignment principles within secured lending. In particular, the court considers when estoppel can aid a lender confronted with defective or uncertain security. The ruling also explores several adjacent issues: the potential for assignments to be implied, whether ‘no assignment’ clauses are tempered by a reasonableness qualification, and matters of consideration in acknowledgements of notice. While estoppel provided the lender with a solution on the facts, the decision emphatically reinforces a fundamental point: only the entity to which the debt is actually owed should be the assignor. The realities of group operations can obscure the true creditor, meaning it is not always obvious which...

In this issue: Data protection e Privacy Cybersecurity Daily and weekly news alerts New and updated content Data protection ICO publishes updated guidance on international transfers of personal data The Information Commissioner’s Office ( ICO) has refreshed its guidance on sending personal data overseas. The revisions are designed to streamline how organisations interpret and meet UK GDPR transfer obligations. The new materials set out a ‘three step test’ to determine when a transfer is restricted, expand FAQs to tackle queries commonly raised by organisations, and add detail on roles and responsibilities to reflect complex, multi-layered arrangements. There is also a concise guide, FAQs and a glossary to assist teams without specialist knowledge. The ICO also plans a webinar to support those carrying out or advising on restricted transfers. See: LNB News 16/01/2026 10. ICO updates guidance on transfer risk...

In this issue: Data protection Daily and weekly news alerts New and updated content Data protection EU GDPR obligations and platform liability ( X v Russmedia) The host of an online marketplace that carried an advert was held to have breached its duties under the EU General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR), although it took down listing within an hour of a removal request. The court determined it acted as a joint controller for the sensitive personal data in the advert and ought to have had pre-publication safeguards in place to (i) detect advertisements before any listing went live online......

In this edition: Data protection Cybersecurity Daily and weekly news alerts New and updated content Data protection Commission renews UK adequacy decisions for EEA– UK personal data transfers The European Commission has renewed its pair of 2021 adequacy decisions, enabling the free and secure movement of personal data between the European Economic Area ( EEA) and the UK under the General Data Protection Regulation ( GDPR) and the Law Enforcement Directive. This renewal follows a six-month technical extension adopted in June 2025, which allowed the Commission to evaluate amendments to the UK’s data protection framework introduced by the Data ( Use and Access) Act 2025 ( DUAA 2025). The decisions were finalised after a favourable opinion from the European Data Protection Board and approval by Member States through the comitology procedure......

In this issue: Data protection Cybersecurity Confidential information Daily and weekly news alerts New and updated content Information Law Highlights 2025/2026 Data protection ICO fines Last Pass £1.2m for data breach affecting 1.6 million UK users The Information Commissioner’s Office has imposed a £1.2m penalty on Last Pass UK Ltd after a 2022 incident exposed personal data for as many as 1.6 million UK customers. The ICO concluded Last Pass lacked adequate technical and organisational security, following two linked intrusions in August 2022 that let attackers obtain names, email addresses, telephone numbers and saved website URLs. The compromise began with a breached corporate laptop, before a senior staff member’s personal device was targeted to extract decryption keys for a backup database. See: LNB News 12/12/2025 16. ICO updates SAR guidance and publishes template following Data ( Use and Access) Act...

Earlier this year, the decision in Macdonald Hotels v Bank of Scotland unsettled lenders and their advisers, with obiter observations intimating that, for the ‘face value’ test to be satisfied for a deed, the document, on its face, must make plain that all parties expressly intended it to operate as a deed, rather than only those executing it as a deed. That stance differs from common practice in certain finance instruments, notably intercreditor agreements, which frequently state that only specified parties execute and deliver them as deeds and, unlike security documents, are ordinarily styled as ‘agreements’ in many instances. The City of London Law Society ( CLLS) subsequently released a note expressing its view on the comments and on how to comply with the face value test, confirming that, in its opinion, there is a measure of flexibility in the ways the face value...

In this issue: Data protection e Privacy Cybersecurity Reputation management Daily and weekly news alerts New and updated content Data protection EDPB adopts recommendations on mandatory user account creation for e-commerce sites The European Data Protection Board ( EDPB) has set out recommendations clarifying the lawful basis for obliging customers to create accounts on e‑commerce services. As a rule, users should be able to interact with sites, including completing purchases, without registering, via a guest checkout or by choosing to open an account. Compulsory registration is justified only in narrow circumstances, such as delivering subscription products or granting access to exclusive deals. The recommendations will undergo public consultation to invite stakeholder views. The EDPB also held initial exchanges on the Digital Omnibus proposal and will issue a joint opinion with the European Data Protection Supervisor. At its 4 December 2025...

What is the background to this Bill? The existing NIS Regulations extend across five sectors: transport, energy, drinking water, health and digital infrastructure, and certain digital services, including online marketplaces, online search engines and cloud computing. Oversight sits with twelve regulators (competent authorities) tasked with putting the rules into practice and issuing guidance. The CSRB builds on a series of reviews into how well the NIS framework works, the latest of which took place in 2022. Those consultations found the regime had delivered benefit, but that legislation must evolve quickly to keep pace with a shifting cyber security environment and be widened to bring further categories of providers within scope. At the same time, a string of incidents has hit the NHS, high street names, local authorities and government suppliers, vehicle manufacturers and others, underlining the need to lift cyber security across the UK. Such...

In this issue: Data protection Cybersecurity Confidential information Key developments Daily and weekly news alerts New and updated content Data protection Digital Omnibus proposal—re-writing the EU's digital rulebook Over recent years, the EU has rolled out fresh digital laws almost as swiftly as the technologies they aim to oversee have evolved. Worries about excessive regulation, duplication and even inconsistency have pushed the European Commission to revisit its strategy and try to lighten the load of digital compliance obligations. On 19 November 2025, the Commission unveiled its Digital Omnibus proposal. It contains two core strands: one delivering “quick fixes” to address several pressure points in the EU AI Act, and a second, more intricate package revising the data acquis, in particular the EU General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR), Directive 2002/58/ EC (the e Privacy...

Igors Veliks, formerly at Playtech, and his current employer, Realtime Latvia, persuaded the appeal court that the betting company lacks any entitlement to sue them in England. The judges held that any harm arising from the supposed commercial deception occurred beyond the UK, and they set aside a High Court ruling that had favoured Playtech. The court concluded that most of the loss said to stem from Veliks’ alleged misuse of trade secrets took place in Latvia, where Playtech is headquartered. As a result, assessment of damage falls to the Latvian courts, not to the English courts. Playtech maintained it had suffered a downturn in UK licensing income because of the alleged misappropriation of trade secrets, but the appeal court rejected that contention. The court noted: “ This pleading is concerned only with the indirect consequences for Playtech of the...

On 19 November 2025, the Commission unveiled its Digital Omnibus proposal. It comprises two principal strands: one delivering ‘quick fixes’ to pain points in Regulation ( EU) 2024/1689, the EU AI Act, and another, more intricate, amending the data acquis, most notably Regulation ( EU) 2016/679, the EU General Data Protection Regulation ( EU GDPR), Directive 2022/58/ EC, the e Privacy Directive, and Regulation ( EU) 2023/2854, the EU Data Act. The headline items are delays to the high-risk AI rules under the EU AI Act, and a fresh EU GDPR lawful basis of legitimate interest for processing personal data when developing or operating AI systems (with safeguards). There is much to absorb—just as we get to grips with the new regime, changes are proposed, some bound to be disputed while others will be seen as eminently sensible. Here we outline the key...

Inteligo Media SA v Autoritatea Naţională De Supraveghere A Prelucrării Datelor Cu Caracter Personal, Case C-654/23, ECLI: EU: C:2025:871 What are the practical implications of this case? The ruling recalibrates direct marketing for digital platforms, notably those operating freemium offerings and similar user models. By construing ‘sale’ broadly in the e Privacy Directive, the Court of Justice permits reliance on the soft opt-in to send direct promotional messages to holders of seemingly free accounts, provided every condition is met. Practitioners should observe that, where Article 13(2) e Privacy governs, no additional legal basis under the EU GDPR is required, which on paper simplifies compliance workloads and removes a tier of regulatory complication. Yet this point is more doctrinal than operational, as it has long been commonly assumed that, when Article 13(2) applies, consent is typically unnecessary and processing is routinely grounded in Article 6(1)(f) EU GDPR...

In this issue: Data protection Confidential information e Privacy Daily and weekly news alerts New and updated content Data protection Council adopts new EU regulation to speed-up cross-border EU GDPR complaints The Council of the EU has formally approved legislation intended to improve and accelerate the handling of cross-border data protection complaints under the EU’s General Data Protection Regulation ( EU) 2016/679 ( EU GDPR). The regulation harmonises criteria for complaint admissibility, reinforces the procedural rights of complainants and organisations under scrutiny, and introduces a simplified co-operation route for straightforward cases to lessen administrative burden. It also imposes binding deadlines, with most investigations to conclude within 15 months, extendable by a further 12 months for complex matters, and within 12 months for simplified procedures. With the Council’s adoption, the file completes the legislative process, entering into force 20 days after publication in the Official Journal of the EU and applying 15 months...

In this issue: Cybersecurity Confidential information Data protection Daily and weekly news alerts New and updated content Cybersecurity DSIT introduces Cyber Security and Resilience Bill to protect essential UK services The Department for Science, Innovation and Technology ( DSIT) has tabled the Cyber Security and Resilience Bill in Parliament, designed to reinforce the UK’s cyber defences against cybercriminals and state-backed threats. The legislation concentrates on shielding vital public services, including the NHS, transport, energy and drinking water suppliers. It also intends to bring medium and large managed service providers—those delivering IT management, help desk support and cyber security services to organisations in both the public and private sectors, such as the NHS—within a regulatory framework. See: LNB News 12/11/2025 32. Confidential information Company Director held personally liable for misuse of confidential information ( Kieran Corrigan v One E Group &...

What are the practical implications of this case? Inter Digital Inc and other companies v Optis Cellular Technology LLC and others [2025] EWCA Civ 1263 delivers clear direction for those engaged in patent litigation, extending to third parties with a stake in confidential material at issue. Notably, it was the non-parties—rather than Apple and Optis—who sought permission to appeal the High Court decision. The court’s acknowledgement of third-party rights may prompt greater participation by non-party stakeholders where disputes turn on third party licences. By backing a single approach to redactions and outlining how factual mistakes can be corrected, the court has sharpened understanding of the treatment of confidential information in UK proceedings. Even so, the judgment stresses that any departure from open justice must be exceptional and justified by compelling reasons, so applicants must articulate and justify their proposals. Citing his reasoning in Unwired Planet v...

In this issue: e Privacy Data protection Lex Talk® Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content e Privacy The Information Commissioner’s Office ( ICO) has levied a £200,000 penalty against sole trader Bharat Singh Chand after 966,449 marketing texts were sent without permission between 3 December 2023 and 3 July 2024. Promoting debt solutions and energy-saving grants, the messages prompted 19,138 complaints via the 7726 spam reporting service and breached the Privacy and Electronic Communications Regulations 2003 ( SI 2003/2426) due to the absence of valid consent. The ICO has also served an enforcement notice requiring Chand to stop dispatching marketing communications without appropriate consent. Investigators reported evasive tactics, including the use of false company names during follow-up calls. Chand has appealed the ICO’s decision. See: LNB News 30/10/2025 21. Data...

IDDQD Ltd v Codeberry & Smith, Royal Mail Group Ltd v Codeberry & Smith [2025] EWHC 2561 ( Ch) What are the practical implications of this case? Rulings on database right infringement are infrequent, so this judgment offers valuable direction for practitioners in this field. It matters especially to digital enterprises working with extensive datasets sourced from third parties. The court confirmed that the sui generis database right in the Copyright and Rights in Databases Regulations 1997 ( CRD 1997) safeguards significant investment in collecting, checking and arranging information. Early-stage companies cannot depend on indirect or ‘open data’ sources where those datasets embed protected content. The judgment also clarifies that employing licensed material to ‘cleanse’, ‘validate’ or ‘update’ one’s own dataset still amounts to extraction or re-utilisation when substantial elements of another database are carried across. The court further touched on...

Attorney General, Lord Hermer KC, gave evidence to the National Security Strategy Joint Committee Parliament’s slow move to scrap and replace the Official Secrets Act 1911 was a factor in a prominent espionage prosecution collapsing, the Attorney General told the National Security Strategy Joint Committee. Lord Hermer KC noted that, in 2017, the Law Commission warned MPs that the term 'enemy' in the statute was highly problematic and would cause difficulties for future cases. He said the Crown Prosecution Service would have had no difficulty bringing the matter to trial had Parliament acted on that advice earlier and passed the National Security Act before its 2023 enactment. He added that he struggled to see why the measure took so long, and that, had the new law applied during 2021–2023, he was certain the prosecution would have proceeded to trial. In April 2024, the CPS...

In this issue: Data protection Cybersecurity Lex Talk®Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Data protection ICO issues enforcement notice to South Wales Police over SAR delays The Information Commissioner’s Office ( ICO) has served an enforcement notice on South Wales Police ( SWP) for delays in handling subject access requests ( SARs) within the legal time limits. The ICO found infringements of Articles 12(3), 15(1) and 15(3) of the UK General Data Protection Regulation, together with section 45 of the Data Protection Act 2018. As a consequence, the notice requires SWP to: issue overdue SAR responses to 352 individuals by 1 June 2026; implement the recommendations in its Action Plan submitted to the ICO on 5 March 2025 by 1 June 2026; and amend internal systems, policies and...

In this issue: Data protection Cybersecurity e Privacy State security and intelligence Lex Talk®Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Data protection ICO launches consultation on charitable purpose soft opt-in rules for fundraising The Information Commissioner’s Office ( ICO) has opened a consultation on guidance for forthcoming ‘charitable purpose soft opt-in’ provisions, which the ICO says should come into force in January 2026 under the Data ( Use and Access) Act 2025 ( DUAA 2025). These provisions would permit charities to send electronic marketing to individuals who have shown interest in supporting them without prior consent, but exclude contacts already held in existing databases. The consultation is open until 27 November 2025. See LNB News 16/10/2025 27. EDPB adopts opinions on UK data adequacy extensions The European Data Protection Board ( EDPB) has issued Opinions 26/2025 and 27/2025 on the European Commission’s draft decisions to prolong the...