Legal News

In this issue: Data protection Cybersecurity Daily and weekly news alerts New and updated content Latest Q& A Data protection ICO extends public sector approach, launches consultation on fines The Information Commissioner’s Office ( ICO) will continue its public sector approach after a two-year pilot. This model, which emphasises early engagement and lower penalties for public authorities, has delivered positive results according to a review. The ICO is consulting on the reach of the approach and on when fines should be imposed on public bodies, with feedback invited until 31 January 2025. The Information Commissioner has also pledged to deepen engagement beyond central government and to ensure senior leaders are held to account for data protection compliance. See: LNB News 09/12/2024 53. A closer look at the Data ( Use and Access) Bill of 2024 Victoria Hordern, partner at Taylor Wessing LLP, examines the Data ( Use and Access) Bill, how it...

The main impact of DORA DORA DORA is reshaping the financial services landscape, altering how organisations manage operational risk and keep critical operations going during disruption. The regulatory focus has shifted from protection to resilience — a broader idea that spans preventing disruption, mitigating incidents, addressing consequences and recovering from disruptive events. For financial entities, DORA introduces a structured set of requirements that will compel organisations to re‑evaluate: data, cyber and contractual governance risk management policies and processes technology estates and testing methods incident management framework technology and data contracts These organisations already operate under extensive regulation, but DORA’s fresh requirements will bring further scrutiny and operational adjustment, adding another layer of rigour and cost. DORA also has wide reach, applying to both intra‑group and external information and communication technology ( ICT) service providers and creating a...

In the UK, AI-related data breaches raise liability questions: who bears responsibility when an AI-enabled tool triggers a breach? Is it the software creator, the deploying organisation, or a third-party data processor? As AI advances, grasping the legal and regulatory regimes governing AI-driven breaches is essential to meeting these issues and safeguarding individuals’ rights. This article considers these matters from the perspective of, assessing the current legal landscape, real-world examples of AI-associated breaches, and practical measures to reduce liability. Clarifying accountability in AI is therefore a pressing concern in real-world settings. What is AI and how is it defined under UK law? Artificial Intelligence ( AI) describes computer systems that emulate human cognition, learning from data and refining performance over time. It spans simple rule-based decision tools through to sophisticated systems capable of independently diagnosing medical conditions or operating vehicles. Because AI depends on data,...

According to records held by the courts, a judicial review seeking to contest the €91m penalty for breaching the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR), was lodged with the Irish High Court on 29 November 2024, via Meta’s legal representative in Ireland, the law firm A& L Goodbody. The claim is brought against the Irish DPC and also against Ireland’s Chief Legal Officer, the Attorney General. That positioning signals Meta may additionally point to shortcomings in Irish legislation, or argue that the state has failed to protect its rights within the proceedings. The court system does not specify the precise subject of the challenge, but MLex understands it relates to the fine and the reprimand issued in the......

In this issue: Data protection Cybersecurity Lex Talk® Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Data protection EDPB approves certification criteria for EU Data Protection Seal under EU GDPR The EDPB has endorsed the certification criteria for the EU Data Protection Seal, a scheme confirming adherence to the EU GDPR ( Regulation ( EU) 2016/679) within processing activities, including cross-border transfers to third countries. The seal underpins appropriate safeguards for such transfers, providing a harmonised assurance benchmark across the EU. It also sets out the functions of supervisory authorities, accreditation bodies and certification bodies to secure consistent application of GDPR rules. See: LNB News 03/12/2024 34. Guidance for consultation on data sharing with third-country authorities The EDPB has issued refreshed guidance clarifying the framework for transfers to authorities in third countries. It addresses cases where such...

In this issue: Cybersecurity Daily and weekly news alerts New and updated content Cybersecurity ENISA releases report on cybersecurity investments under NIS 2 Directive The European Union Agency for Cybersecurity ( ENISA) has issued a study assessing the effects of Directive ( EU) 2022/2555 ( NIS 2 Directive) on cybersecurity investment and organisational maturity. It notes a marked rise in information security expenditure, with 9% of EU IT investments now directed to this area......

What has happened? An automatically delivered update to Crowd Strike Falcon (cyber security software built to oversee and safeguard computers) is, in numerous instances, triggering crashes on Microsoft Windows machines, leading to the notorious ‘ Blue Screen of Death’. Critically, indeed, the issue is especially severe as systems that fail in this manner become totally unusable in practice. As a result, hands-on remediation—and at times on-site presence—is needed to repair every impacted device individually (be that staff laptops, servers, cash points, e POS (electronic point of sale) units, etc). This remains true even though Crowd Strike has rolled back the update in question......

My Contracts Ltd v 74 Hamilton Terrace Freehold Ltd [2024] EWHC 2896 ( TCC) What are the practical implications of this case? This decision offers a timely reminder of the way time periods are to be construed within construction contracts, and acts as a useful sequel to the judgment in Elements ( Europe) Ltd v FK Building Ltd, which likewise involved a JCT form of contract. At bottom, though, it principally reiterates that the courts will give effect to the contractual text as agreed, and will decline to interpolate wording into a clause that the parties neither drafted nor intended. What was the background? My Contracts Ltd ( MCL) and 74 Hamilton Terrace Freehold Ltd (74HTF) entered into a contract based on the JCT Design and Build Contract 2016 edition, incorporating extensive bespoke amendments and dated 2 March 2023 (the Contract), for the execution of works...

In this issue: Data protection Cyber security e Privacy Daily and weekly news alerts New and updated content Data protection ICO and DSIT launch tool to assess Privacy Enhancing Technologies The Information Commissioner’s Office ( ICO) and the Department for Science, Innovation and Technology ( DSIT) have jointly unveiled a Privacy Enhancing Technologies ( PETs) Cost– Benefit Awareness Tool. Created to assist organisations in carefully weighing the costs and advantages of deploying emerging PETs, including homomorphic encryption and secure multi‑party computation, it comes with a checklist intended to encourage responsible data use and innovation while better protecting privacy. The programme tackles the limited adoption of PETs, which often stems from difficulties in judging their value, and offers direction on compliance-related costs and benefits. A repository of real‑world PETs use cases has also......

Background to the appeal The question on this appeal concerns when a trade union may litigate, as a third party, for breach of an employment contract between employer and worker. Sections 1(1)(b) and 1(3) of the Contracts ( Rights of Third Parties) Act 1999 ( C( RTP) A 1999) create a default rule: where a contractual term grants a benefit to a third party who is expressly identified in the instrument, that third party can enforce the term in its own name. It applies only where the beneficiary is expressly identified within the contract and thereby conferred a benefit. The appeal turns on the proper reading of section 1(2) C( RTP) A 1999, which states that the default position is displaced if, construing the contract correctly, it appears the parties did not intend the term to be actionable by the third party. The...

China’s mobile smart terminals, applications, and application-distribution platforms are now covered by a set of guidelines for building a ‘minor mode’, intended to improve online content and curtail Internet addiction among minors. The CAC-drafted guidelines set out a framework for configuring this mode and allocate responsibilities across the three terminals. It also provides a structured basis for the necessary settings, defining duties for each participating party. As a key compliance reference, they support the rollout of the Regulations on the Protection of Minors on the Internet, which specify the need to establish a minor mode while leaving space to refine particulars such as permitted hours, session length, features, and material. Mobile smart terminals, applications, and application-distribution platforms will collaborate in building the mode, seeking to enhance time-management controls, alongside content curation and safeguards for functionality, with the goal of promoting stronger time...

Monetise Media Ltd v Information Commissioner [2024] UKFTT 959 ( GRC) What are the practical implications of this case? This ruling offers clear guidance for advisers on PECR risk management and the Commissioner’s likely stance when a breach is alleged. Although the DPA 1998 applied at the material time, the insights below remain a helpful reference for penalty decisions under the Data Protection Act 2018: The FTT confirms that a company can commit a serious PECR infringement through third parties and affiliate marketing, even without direct control over customer databases or the marketing content. Familiarity with the relevant, in-force guidance at the point of any alleged PECR breach is crucial, as both the Commissioner and the FTT will afford it considerable weight during enforcement or on appeal. The decision highlights that the Commissioner will evaluate a business’s conduct during the...

In this issue: Data protection e Privacy Reputation management Cybersecurity Daily and weekly news alerts New and updated content Data protection ICO approves first UK GDPR code of conduct for private investigators The Information Commissioner’s Office has signed off and published the first sector‑led code of conduct under the United Kingdom General Data Protection Regulation ( Assimilated Regulation ( EU) 2016/679), created by the Association of British Investigators Limited for the private investigations field. Titled the UK GDPR Code of Conduct for Investigative and Litigation Support Services, it tackles core data protection issues for investigators, offering direction on responsibilities when operating as controllers, joint controllers or processors, the lawful grounds for invisible processing including covert surveillance, and illustrative lawful tracing techniques. Its purpose is to secure UK GDPR compliance while weighing investigative objectives against privacy rights. Subject to ICO approval, the Security Systems and Alarms Inspection Board has been...

TR v Land Hessen ECLI- EU- C-2024-785 What are the practical implications of this case? This judgment spotlights that enforcement by data protection regulators under the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 (the EU GDPR), is inherently discretionary, stressing that remedial measures, including administrative fines, do not follow a breach as a matter of course. Rather, regulators must determine if steps are suitable, necessary and proportionate in light of the particular context. For practitioners, it offers vital steer when counselling clients who may face EU GDPR probes or enforcement by supervisory bodies. It also illustrates why organisations should mount strong breach responses, with prompt remediation and open engagement with regulators. Evidencing accountability and taking initiative can materially shape a regulator’s choice not to levy sanctions. The ruling likewise highlights the importance of internal processes and training to reduce the risk of...

After a series of high-profile probes, several US technology firms have halted the training of generative AI systems across the 27 EU Member States in 2024 throughout the bloc. Supervisory authorities fear such training may breach the EU GDPR, as generative AI can ingest immense volumes of personal data without users’ consent or an appropriate legal basis. Building these models depends on sweeping up data from the public internet, spanning personal, non-personal and mixed datasets, much of it scraped from publicly accessible sources, including social media platforms, often at scale. This approach has triggered knotty debates about how data protection rules should be interpreted and enforced. How can AI providers develop generative models while fully honouring GDPR principles such as lawfulness, transparency and fairness, purpose limitation, data minimisation, storage limitation, accuracy, security and accountability? Authors and creators also face the pressing concern of whether these...

In this issue: Data Protection Lex Talk®Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Data Protection ICO releases audit report on using AI tools in recruitment The Information Commissioner’s Office ( ICO) has published an outcomes audit examining how artificial intelligence ( AI) tools are deployed in hiring. It sets out close to 300 recommendations for AI builders and vendors, aimed at safeguarding jobseekers’ information rights and promoting fair processing of personal data. The document also distils key findings from the ICO’s consensual audits of multiple suppliers and creators of AI recruitment tools. It further includes case studies, examples of good practice, and lessons learnt for both developers and hiring teams. This work forms part of the ICO’s upstream scrutiny of the broader AI landscape, to gauge how the design and delivery of AI...

In this issue: Autumn Budget 2024 Data Protection e Privacy Daily and weekly news alerts New and updated content Autumn Budget 2024—key Information Law announcements In the Autumn Budget 2024, the Chancellor of the Exchequer, the Rt Hon Rachel Reeves MP, set out a number of measures for the information law landscape. Highlights include the establishment of a National Data Library and a Regulatory Innovation Office, enhanced NHS digitisation, the modernisation of HMRC’s access to third party data, a new Fraud, Error and Debt Bill, and boosted funding for the Single Intelligence Account. Commentary from Shoosmiths LLP is provided by Hamish Corner, partner, and William Moore, associate, on the Autumn Budget 2024. See: LNB News 30/10/2024 42......

The watchdog’s decision According to the regulator, the major social network’s handling of information breached multiple provisions and infringed several articles of the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR). The ruling stems from a 2018 complaint lodged by the French non-profit organisation La Quadrature Du Net, and was initially submitted to the French Data Protection Authority ( CNIL). At that time, the group brought several complaints concerning Big Tech companies during the first week of the EU GDPR’s operation. Lawfulness of processing is central to data protection law, and processing personal data without an appropriate legal basis is a clear and serious breach of data subjects’ fundamental right to data protection, said the DPC’s deputy commissioner, Graham Doyle......

In this issue Data Protection Cybersecurity Daily and weekly news alerts New and updated content Data Protection Expansive Data ( Use and Access) Bill introduced to Parliament The Data ( Use and Access) Bill was formally introduced in Parliament, in the House of Lords, on 23 October 2024. Sponsored by the Department for Science, Innovation & Technology, it seeks to stimulate economic growth and to enhance the delivery of public services, with the expectation of delivering an estimated £10bn boost to the UK economy over ten years. Victoria Hordern, a partner at Taylor Wessing LLP, comments that the Government has emphasised its ambition that the new law will improve public services and bolster the UK economy, including an intention to improve the sharing of patients’ data within the NHS. However, as the Bill amends the existing UK data protection legal...

In this issue: Data Protection e Privacy Cybersecurity Reputation management Confidential information Daily and weekly news alerts New and updated content Data Protection ICO reprimand Levales Solicitors LLP under Articles 32(1)(b) and (d) of UK GDPR The Information Commissioner’s Office ( ICO) has censured Levales Solicitors LLP for breaches of Article 32(1)(b) and (d) of the United Kingdom General Data Protection Regulation, Retained Regulation ( EU) 2016/679 ( UK GDPR), after a security incident. A threat actor entered the firm’s cloud-hosted server using valid credentials and released sensitive data on the dark web, affecting 8,234 individuals in the UK; 863 were assessed as high risk given the sensitivity of the information. The ICO’s inquiry concluded the firm failed to ensure the ongoing confidentiality of its processing systems and had not deployed sufficient organisational measures to safeguard personal data. See: LNB News 14/10/2024 31. ICO reports on criminal record and suspended sentence handed to former RAC...