Legal News

At a tech UK cyber security gathering, the Department for Science, Innovation and Technology ( DSIT), via Digital Economy Minister Liz Lloyd CBE, delivered remarks. In her address, Minister Lloyd underlined UK government dedication to the cyber security industry, emphasising its importance as a......

Alaska Airlines Inc v Virgin Aviation TM Ltd and another company [2025] EWHC 2505 ( Comm) What are the practical implications of this case? The principal outcomes of Mr Justice Foxton’s analysis can be stated as follows: Where an unjust enrichment claim founded on failure of basis is invoked to stop payment of a contractual amount, the correct characterisation is that this engages the defence of circuity of action (para [49]). In that scenario, circuity of action does not mean the debt is never due; rather, it supplies a defence to liability. A broadly drafted no set off clause captures such a defence, so summary judgment can be granted (para [52]). To reach those conclusions, Foxton J reviewed a range of authorities in which no set off provisions were relied upon (see especially para [47]), and he also considered and clarified other...

According to an official paper dated 8 October 2025, the European Commission intends to publish guidance on the EU AI Act’s relationship with other digital rules starting in Q3 2026, implying the documents could appear shortly before or after core provisions begin to apply. An annex to the Apply AI Strategy—an effort to accelerate AI uptake in priority industries—states the Commission will ‘develop guidelines on the EU AI Act’s interplay with other Union law from Q3 2026’. The annex outlines timelines for planned AI measure. Some projects are pinned to precise quarters, while others are slated to kick off from a broader window, implying activity may not commence until that point. Overall, the schedule signals a staggered roll-out across actions......

Cyber resilience needs to be built in from the very start, not bolted on after terms are settled. Bringing legal teams into procurement at an early stage allows organisations to set expectations before contracts are concluded, ensuring protections are workable, clear and aligned to supplier practice. This early involvement reduces the likelihood of retrofitting clauses and promotes more integrated risk management. Before the contract lay the groundwork early Effective resilience planning should start before the contract is signed. Legal teams should collaborate with stakeholders to evaluate: applicable laws and frameworks by sector and service where the solution sits within the wider business ecosystem how it connects to other systems—connectivity can pose greater risk than criticality the supplier’s visibility of its own supply chain, including indirect dependencies who holds responsibility for different layers of technology, particularly in cloud...

In this issue: Data protection e Privacy Cybersecurity Lex Talk® Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Data protection Government departments update ECCTA guidance on AML information sharing measures The Home Office, HM Treasury ( HMT), the Ministry of Justice, Companies House, the Serious Fraud Office and the Department for Business and Trade have revised guidance on information-sharing measures under the Economic Crime and Corporate Transparency Act 2023 ( ECCTA 2023). Released on 3 October 2025, the document explains how anti-money laundering ( AML) regulated firms may share customer data either directly or via third-party intermediaries to prevent, detect and investigate economic crime. It outlines the conditions for warnings and requests when sharing directly, offers practical points including cross-sector sharing mechanisms, and sets out obligations for reporting to law...

In this issue: Data protection Official secrets Lex Talk®Information Law: a Lexis®Nexis community Daily and weekly news alerts Data protection ICO issues enforcement notice to Bristol City Council over failures to respond to data requests The Information Commissioner’s Office ( ICO) has served an enforcement notice on Bristol City Council ( BCC) for failing to reply to subject access requests ( SARs)......

In this issue: Reputation management Cybersecurity Lex Talk®Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Reputation management Reputation management Libel, truth and public interest ( Clarke v Guardian) The court in Clarke v Guardian News and Media Ltd [2025] EWHC 2193 ( KB) threw out the libel claim brought by actor and director Noel Clarke against the publisher of the Guardian. The dispute centred on eight Guardian pieces. The first article, titled ‘“ Sexual predator”: actor Noel Clarke accused of groping, harassment and bullying by 20 women’, was accepted by the Guardian as having caused, or as being likely to cause, serious harm to Mr Clarke’s reputation for the purposes of section 1 of the Defamation Act 2013 ( DA 2013). The Guardian maintained that the remaining seven articles did not result in serious...

Clarke v Guardian News and Media Ltd [2025] EWHC 2193 ( KB) What are the practical implications of this case? The matter was determined chiefly on its facts, with little real dispute about the relevant law on the principal issues. Mr Clarke’s serious harm claim across seven articles failed largely because of defective pleadings. It is well‑established that each impugned statement (here, each of the seven articles) must be specifically pleaded and shown, by inference or factual evidence, to have caused serious harm to the claimant’s reputation. Mr Clarke effectively tried to aggregate the alleged serious harm across the articles; that approach is not permitted and caused his failure on this point. The defence of truth was convincingly established. Mr Clarke was found not to be a reliable witness on numerous matters, and his allegation of a conspiracy among the Guardian’s many witnesses was firmly...

In this issue: Data protection e Privacy Cybersecurity Lex Talk®Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Data protection EDPB launches consultation on draft guidelines on interplay between EU DSA and GDPR The European Data Protection Board ( EDPB) is inviting feedback on draft Guidelines 3/2025, intended to ensure the EU Digital Services Act ( EU DSA) and the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR) are applied coherently where their scopes overlap. The draft sets out lawful grounds for handling personal data when identifying or taking down unlawful content, clarifies transparency obligations for recommender systems and advertising, and reaffirms the ban on targeted advertising based on special categories of data. It further emphasises cooperation between Digital Services Coordinators and data protection authorities to avoid...

UK companies face uncertainties in cybersecurity regulation UK businesses remain unsure about forthcoming cyber security rules as lawmakers step up pressure on the government to bring forward the Cyber Security and Resilience Bill as soon as possible, following attacks on high-profile British companies. A draft is anticipated in Parliament within the next few weeks, yet the schedule could shift due to the recent ministerial reshuffle. When challenged by opposition politicians on 9 September 2025 and 10 September 2025, Labour lawmakers speaking for the government declined to give a firm date, stating that new legislation would arrive “when parliamentary time allows”. The Bill is intended to refresh the UK’s cyber security framework to align with the NIS 2 Directive. A policy statement from April 2025 indicates it would bring further sectors and their suppliers into the scope of mandatory regulatory duties, tighten oversight, and raise...

In this issue: Data protection e Privacy Lex Talk®Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Data protection Data ( Use and Access) Act 2025 ( Commencement No 2) Regulations 2025 SI 2025/982: Selected provisions of the Data ( Use and Access) Act 2025 ( DUAA 2025) come into force on 30 September 2025. See: LNB News 05/09/2025 23. Data ( Use and Access) Act 2025 ( Commencement No 3 and Transitional and Saving Provisions) Regulations 2025 SI 2025/996: Additional elements of the DUAA 2025 commence on 5 September 2025 and 17 November 2025. These Regulations also include transitional and saving provisions. See: LNB News 05/09/2025 10. No harm, no foul? Court of Appeal provides clarifications on controllers’ liability for compensation under Article 82 of the UK GDPR ( Farley and others v Paymaster (1836) Ltd...

On 30 July 2025, the Information Commissioner’s Office ( ICO) released refreshed guidance on how ‘profiling tools’ are used within trust and safety workflows by relevant actors. The document clarifies key data protection and privacy issues for those undertaking profiling, to meet obligations under UK data protection legislation and the Online Safety Act 2023 ( OSA 2023). It is aimed at relevant parties engaged in trust and safety functions. Profiling Article 4(4) of the Assimilated Regulation ( EU) 2016/679 ( UK GDPR) describes profiling as any automated processing of personal data employed to assess certain personal facets of an individual, notably a person’s job performance, financial circumstances, health, and other traits or behaviours. Profiling tools are the mechanisms that ingest, analyse, and produce assessments or forecasts about personal characteristics inferred from someone’s data. Organisations deploy these tools chiefly to spot and curb harmful online conduct,...

Farley and others v Paymaster (1836) Ltd (trading as Equiniti) ( Information Commissioner intervening) [2025] EWCA Civ 1117 What are the practical implications of this case? The court’s confirmation that unlawful processing, by itself, can found a duty to compensate for ensuing damage emphasises the need for controllers to maintain rigorous UK data protection compliance that is well-documented and to record those measures, including clear documentation of steps taken and decisions taken. It also serves as a useful prompt that ‘processing’ spans collection, storage and organisation of personal data, and that even small departures from handling protocols may attract liability. Organisations should reassess incident response frameworks so that appropriate standards for logging, inquiry and remediation also apply to low-level events (for example, misdirected emails), and keep contemporaneous records of investigations and outcomes. Documenting investigation and remediation for seemingly minor mishaps can therefore be...

Peter Dunn v Kostas Kazolides [2025] EWHC 2212 ( Ch) Mr Dunn, a former chartered accountant and insolvency practitioner, brought a claim for almost £9m against Mr Kazolides. The High Court held that Mr Kazolides (represented at trial by Dov Ohrenstein of Radcliffe Chambers and Canfields Law Solicitors) had given a guarantee in relation to a Cypriot company that owed substantial sums to Mr Dunn, yet the claim was dismissed. How could Mr Kazolides nevertheless prevail in his defence and avoid any liability to pay under the guarantee? By way of background, under a joint venture agreement, Mr Dunn advanced funds to the company to finance the development and sale of seven villas in Cyprus. The agreement stipulated that the loan became repayable upon ‘the insolvency of the company’ and, as the judge found, it also contained a guarantee from Mr...

In this issue: Data protection Cybersecurity Lex Talk®Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Data protection ICO launches consultation on Distributed Ledger Technologies guidance The Information Commissioner’s Office ( ICO) has opened a consultation to collect input on its draft guidance for Distributed Ledger Technologies. Framed as a survey, it examines organisational impact, opinions on the guidance, and broader remarks. The consultation remains open until 7 November 2025. See: LNB News 28/08/2025 29......

In this issue: Data protection Lex Talk®Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Data protection Police officers win application to revive GDPR breach claims ( Farley v Paymaster) Law360 reports that a cohort of police officers may reinstate their collective proceedings after their yearly pension statements were posted to the wrong addresses, with an appeal court in Farley v Paymaster (1836) Ltd (t/a Equiniti) [2025] EWCA Civ 1117 concluding on 22 August 2025 that the mistake infringed their privacy rights. See News Analysis: Police officers win application to revive GDPR breach claims ( Farley v Paymaster). ICO launches consultation on recognised legitimate interest guidance The Information Commissioner’s Office ( ICO) has opened a consultation to obtain comments on its draft guidance concerning the recognised legitimate interest basis for data processing. The guidance considers provisions introduced by the Data ( Use and...

The Court of Appeal held that the judge at the lower court was wrong to hold that the data breach did not violate the General Data Protection Regulation ( GDPR) because third parties did not gain access to the police officers' information. Leading the appellate panel, Justice Mark Warby concluded that ' Each of the appellants has pleaded a reasonable basis for alleging that the respondent's mistake involved infringement of the GDPR', adding that ' Proof that the data were disclosed is not an essential ingredient of an allegation of processing or infringement.' The appellants comprise 432 serving and retired Sussex Police officers enrolled in a pension scheme run by financial services firm Equinti; in 2019, Equinti mistakenly sent their annual pension statements to out-of-date addresses. They issued claims for misuse of data and GDPR breaches, seeking compensation for injury to feelings and—in some...

In this issue: Data protection Lex Talk®Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Data protection From stalemate to statute—the Data ( Use and Access) Act’s journey and the key data protection and e Privacy changes This News Analysis explores the principal changes to data protection and e Privacy law that will arise from the Data ( Use and Access) Act 2025, which received royal assent in June 2025, and outlines how organisations can fully ready themselves for these developments. Authored by Bryony Long, partner and co-head, and Zahra Laher, knowledge lawyer, at Lewis Silkin. See the News Analysis: From stalemate to statute—the Data ( Use and Access) Act’s journey and the key data protection and e Privacy changes......

How have plans for UK data protection reform evolved since Brexit? Since Brexit, the UK’s approach to data protection reform has ebbed and flowed markedly, with successive governments seeking to carefully balance innovation, economic growth and individuals’ rights. The Conservative government aimed to pivot to a GDPR ( General Data Protection Regulation) lite regime by introducing the Data Protection and Digital Information Bill. That bill outlined a series of business‑friendly amendments to existing data protection rules and progressed reasonably well through parliament, only to be ultimately shelved following a change of government in 2024. Once in office, the Labour‑led administration reignited the agenda, bringing forward the Data ( Use and Access) Bill ( DUAB). While retaining the core UK GDPR framework, DUAB set out targeted reforms that indicate a shift towards a more UK‑specific regime centred on data‑driven innovation, enhanced public services and strong data...

In this issue: Daily and weekly news alerts New and updated content Lex Talk® Information Law: a Lexis®Nexis community There is no Information Law news this week. Please see below for details of how to subscribe to our news alerts and for this week’s list of new and updated content. Daily and weekly news alerts Did you know you can create your own personal alerts to receive all of our news stories on either a daily or a weekly basis......