Legal News

In this issue: Data protection Confidential information Lex Talk®Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Data protection ICO issues reprimand to Greater Manchester Police over lost CCTV footage The Information Commissioner’s Office ( ICO) has reprimanded Greater Manchester Police ( GMP) after two hours of custody suite CCTV from February 2021 went missing internally. The incident arose when footage, marked for retention beyond the routine 90-day window, was not kept appropriately. The ICO determined that GMP infringed the Data Protection Act 2018 by failing to adopt adequate technical safeguards to avoid data loss and by not providing the data subject with access within the statutory time limits. The inquiry concluded the loss stemmed from unclear internal ownership of quality checks and weak retention practices, rather than any external compromise or unauthorised disclosure. GMP has since enhanced its surveillance systems and introduced more robust...

The AI Act follows a staggered timeline for when its different chapters take legal effect, although the enforcement rules and sanction regime will only apply with the bulk of the provisions starting 2 August 2026 The AI Act is being phased in, with different chapters activating at separate times, while the enforcement mechanisms and penalties start alongside most provisions on 2 August 2026. The early roll-out has been demanding, with the Commission juggling the creation of a new AI Office, the publication of administrative guidance, and the orchestration of a code of practice for general-purpose AI models. That code has become especially divisive, touching on delicate matters such as copyright safeguards in developing generative AI and approaches to societal risks, which ultimately led to the legal deadline being missed. It has also turned into a source of friction with the US...

In this issue: Data protection Cybersecurity Lex Talk®Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Data protection DPC approves Meta's revised AI training plans following EU GDPR compliance improvements The Data Protection Commission ( DPC) has worked closely with technology companies on the handling of personal data for training large language models within the EU/ EEA, paying particular attention to Meta’s planned initiatives. The DPC initially flagged multiple concerns about Meta’s proposal to use publicly available material from Facebook and Instagram for artificial intelligence ( AI) training, and, after these issues were communicated, Meta temporarily halted the project. Seeking alignment of oversight across the EU, the DPC then engaged with its European Data Protection Board ( EDPB) counterparts to obtain a formal opinion under the EU General Data Protection Regulation ( EU) 2016/679 on central...

Home Office plans to prohibit public-sector organisations from paying ransoms, and to require other entities to consult with the authorities before contemplating any transfer to their attackers, are designed to undercut the prevailing ransomware business model by making the UK a far less lucrative destination. Yet lawyers also warn the measures, set out in a wide‑ranging government consultation, may underestimate their opponents. Julian Hayes, a partner at BCL Solicitors LLP, described the idea as “deceptively simple and unquestionably well‑intentioned”, but said it verges on the naive. He added that, even if it succeeded, it would simply divert ransomware operators towards softer targets. According to the Home Office, ransomware drew in more than £1bn from victims worldwide in 2023. It has become a profitable stream of cash for cybercriminals and state‑sponsored actors able to penetrate businesses and public agencies and seize control of their...

Facts The defendant in the proceedings, Ms Lawrence, entered into a loan agreement with a lender, for whom HNW, the claimant in the matter, acted as the security agent for the lender. The purpose of the loan agreement was to help finance Ms Lawrence’s development of a property. That property was also secured separately by a legal mortgage, operating as continuing security to the lender under the loan terms. Although HNW was not itself a party to the loan agreement, the loan agreement nonetheless contained an express provision said to grant HNW certain third party rights to enforce its terms; namely, that, even though HNW Lending Ltd was not a party to this Loan Agreement, HNW Lending Ltd could take the benefit of and specifically enforce each and every express term of the Loan Agreement, together with any term implied under it pursuant to the...

In this issue: Data protection Artificial intelligence Lex Talk® Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Data protection Gender identity and the right to rectification of personal data ( VP v Országos Idegenrendészeti Főigazgatóság) EU law analysis: In Case C‑247/23, VP v Országos Idegenrendészeti Főigazgatóság, the Court of Justice ruled that personal data relating to gender identity entered on a Member State’s public registers fall within the right to rectification under Article 16 of the General Data Protection Regulation, Regulation 2016/679 ( EU GDPR). Making a correction may require the submission of appropriate and adequate evidence reasonably needed to demonstrate inaccuracy, which can include medical certificates. That said, a Member State cannot make exercising this right dependent on proof of gender reassignment surgery......

In this issue: Data protection Confidential information Cybersecurity Lex Talk®Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Data protection Parliament considers Data Bill amendments in final legislative stages As of 8 May 2025, the Data ( Use and Access) Bill is in its final parliamentary stage. Backed by the Department for Science, Innovation and Technology ( DSIT), it brings wide reforms to data regulation, including new rules on customer data access, privacy standards, and establishing an Information Commission. The Bill also spans electronic trust services, biometric data retention, and information sharing for public services. Introduced in the House of Lords in the 2024–25 session, it has completed its first passage through both Houses. See: LNB News 08/05/2025 38. DSIT opens user engagement for 2026 UK Business Data Survey DSIT has launched a user...

Illiquidx Ltd v Altana Wealth Ltd and others [2025] EWHC 299 ( Ch) What are the practical implications of this case? This decision highlights the need for precise, clear definitions and clauses in NDAs, especially concerning the boundaries of confidential information and what falls within the public domain. Equally, spelling out permitted disclosures reduces uncertainty; providing information to third parties does not, on its own, render it public or remove its confidentiality. The court will evaluate disclosures on their individual facts, with the key consideration being how far the veil of secrecy still remains. It is also prudent to set out contractually how confidential information will be handled if a commercial relationship ends or breaks down unexpectedly. Measures might include requiring confidential information (and any materials that contain it) to be returned, deleted, or destroyed. For trade secret protection, the absence of an NDA does not...

A substantial penalty, imposed on Tik Tok on 2 May 2025 by Ireland’s privacy regulator, has sparked serious and widespread doubts over whether any firm exporting personal data to China can do so lawfully under EU data‑protection rules. Byte Dance, Tik Tok’s parent, was hit with a €530m (around $600m) fine after the Irish Data Protection Commission ( DPC) found it had failed to ‘verify, guarantee and demonstrate’ that EU users’ data—remotely accessed by staff in China—enjoyed safeguards ‘essentially equivalent to that guaranteed within the EU’. Concern over data flows to China has further intensified. The US government has now explicitly barred the movement of bulk sensitive personal data or government-related information between US persons and ‘countries of concern’—notably China. ‘ The screw is turning on restricting the flow of data to China, under the banner of privacy, national security and...

In this issue: Data protection Public sector information Databases Lex Talk®Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Data protection Ireland- DPC fines Tik Tok €530m for GDPR breaches in China data transfers Tik Tok Technology Limited ( Tik Tok) has been hit with a €530m penalty by the Irish Data Protection Commission ( DPC) for General Data Protection Board ( GDPR) infringements linked to transferring EEA users’ data to China. The regulator concluded that Tik Tok violated Article 46(1) and Article 13(1)(f) of the GDPR by failing to ensure sufficient levels of protection and by not meeting transparency obligations. The DPC has directed Tik Tok to bring its operations into line within six months or risk a suspension of data flows to China. The ruling follows Tik Tok’s admission, during the inquiry, that it had...

Barclays Bank plc v VEB. RF [2024] EWHC 3088 ( Comm) Contrary to this, the Russian bank commenced proceedings in the Russian courts. The English bank applied to the English courts for anti‑suit and anti‑enforcement injunctions, which were granted. The Russian bank then initiated arbitration proceedings, as it was originally required to do. During the contractual notice period, however, the English bank notified the Russian bank that the dispute should be transferred to the English courts. The Russian bank maintained that the English bank had waived that right......

On 14 March 2025, delegates from EU Member States examined the interaction between the two regimes, aiming to pinpoint compliance hurdles for both supervised organisations and supervisory authorities. Following this exchange of views, Poland, the current chair of the EU diplomatic discussions, collated the contributions and prepared a synopsis — obtained by MLex — setting out principal takeaways on the core issues identified. The resulting summary will be tabled for debate at a meeting of national representatives. Differing regulatory approaches Most European governments underlined how the two laws diverge in regulatory design. The EU GDPR safeguards personal data through a fundamental‑rights lens, while the AI Act functions as product‑safety legislation, imposing targeted obligations calibrated to the level of risk. For a number of Member States, this divergence in underlying logic could produce contradictory regulatory outcomes, whereby an AI system is judged compliant with the AI Act but not...

The ICO penalised DPP Law Solicitors LLP for inadequate protection of personal data after identifying, confidential and legally privileged material on its network was stolen in a cyber attack and subsequently posted on the dark web. Intruders also obtained entry via a seldom-used admin account linked to a legacy case management platform during a June 2022 “brute force” assault—where credentials are guessed through repeated trial and error, over and over again. Using this account, they exfiltrated 32 gigabytes of data from the firm’s network, and, according to the ICO, the administrator account lacked multi-factor authentication at the time. The haul comprised court bundles, documents, photographs and video relating to the firm’s clients and experts instructed to give evidence in......

In this issue Data protection Cybersecurity Lex Talk® Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Data protection Key takeaways from the ICO’s final anonymisation guidance On 28 March 2025, the UK Information Commissioner’s Office released guidance on anonymisation and pseudonymisation under the UK GDPR. Long awaited—with drafts and sector-specific materials appearing periodically since 2021—the Guidance provides practical direction on resolving key questions around lawful use of pseudonymised and anonymised information, particularly for data sharing, advanced analytics and in light of tools available to the ‘motivated intruder’. By Alex Jameson and Steph Ong of Bird & Bird. See News Analysis: Key takeaways from the ICO’s final anonymisation guidance. EDPB issues new blockchain data protection guidelines and signals AI cooperation The European Data Protection Board has adopted guidelines on blockchain data protection and has signalled cooperation on AI......

What does the Guidance cover? The Guidance covers the following topic: Core principles of anonymisation and pseudonymisation The Guidance opens by affirming the core legal position: anonymised information lies beyond the reach of the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR), whereas pseudonymised information does not. The ICO then explains how this plays out in practice and the advantages linked to each category of data. It frames anonymisation as a personal data minimisation exercise, and pseudonymisation as a means of mitigating risk. Anonymisation involves transforming data so that the individuals to whom it pertains are not, or are no longer, identifiable. Under the UK GDPR, the standard is ‘effective’ anonymisation—reducing the chance of a person being identified to a sufficiently remote level, thereby severing any link between the information and the individual. Merely removing direct...

Rukhadze and others v Recovery Partners GP Ltd and another [2025] UKSC 10 Background This appeal concerns the fiduciary ‘profit rule’. Fiduciaries, including trustees and company directors, owe a duty of loyalty to their beneficiary or principal (the person for whom they hold or administer property, eg the company in the case of a director). That duty includes a requirement that, where a fiduciary derives a profit by virtue of their position, they must account for that gain to the principal, unless the principal has given fully informed consent. The respondents to this appeal are a company incorporated in the British Virgin Islands (to which the claims of another such company have been assigned) together with an English LLP. The individual appellants were engaged by the respondents and occupied roles of trust and responsibility (for example serving as directors), thereby owing fiduciary duties to them. In...

In this issue: Cybersecurity Data protection Lex Talk®Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Cybersecurity DSIT and NCSC launch new Cyber Governance Code of Practice On 8 April 2025, the Department for Science, Innovation and Technology ( DSIT) and the National Cyber Security Centre ( NCSC) released a new Cyber Governance Code of Practice, shaped by industry consultation in 2024. The code sets out actions for boards and directors to tackle cyber security risks across five areas: risk management, strategy, people, incident planning, and assurance. It sits within a broader governance package featuring training and an implementation toolkit, aimed chiefly at medium and large organisations. The initiative was created in light of data showing that 74% of large businesses faced cyber attacks in the past year. See: LNB News 08/04/2025 8. Data...

Background The initial iteration of the MCC‑ AI appeared in September 2023 ahead of the EU AI Act, setting out a systematic route for sourcing AI. Following the EU AI Act’s formal entry into force on 13 June 2024, the Commission has updated the model clauses to better match regulatory expectations. The latest release comprises: a comprehensive edition for high‑risk AI systems a streamlined variant for non‑high‑risk AI systems a commentary detailing how to tailor and apply the clauses Why should companies get acquainted with the MCC- AI? The MCC‑ AI offers a practical framework for businesses buying or supplying AI services, by setting a shared baseline of obligations. The clauses foster alignment between parties on core compliance areas — transparency, risk management and accountability — consistent with the EU AI Act. By tailoring MCC‑ AI clauses to their...

In this issue: Cybersecurity Data protection Lex Talk®Information Law: a Lexis®Nexis community Daily and weekly news alerts Cybersecurity DSIT unveils Cyber Security and Resilience Bill policy statement and scope The Department for Science, Innovation and Technology ( DSIT) has outlined plans for the forthcoming Cyber Security and Resilience Bill, due to reach Parliament in 2025. The proposals will oblige around 1,000 providers—spanning data centres, managed service operators and critical suppliers—to adhere to tougher cyber security obligations. The Bill also provides regulators with enhanced oversight powers and permits the Technology Secretary to adjust regulatory frameworks in line with emerging risks. The National Cyber Security Centre ( NCSC) managed 430 cyber incidents in the year to September 2024, 89 labelled nationally significant. The legislation seeks to counter threats that cost the UK economy an estimated £22bn each year between 2015 and 2019. See: LNB News...

The provisions include The measures impose tougher supply chain responsibilities on operators of essential services and relevant digital service providers. By widening obligations beyond the existing Network and Information Systems Regulations 2018, SI 2018/506 ( NIS), the new Bill would draw more businesses into the UK’s cybersecurity oversight and scrutiny, covering further sectors and their supply chains. The reforms would enable regulators to name designated critical suppliers, placing them under requirements akin to those for essential services, and would place comparable duties on certain small digital services that underpin the delivery of essential services. On 1 April 2025, Kyle said the Bill will require regulated organisations to strengthen their cyber defences, adding that ‘ensuring the security of the vital services which will deliver growth is non-negotiable’. Framing growth as central to the cybersecurity overhaul aligns with the government’s present focus on positive economic...