Legal News

In this issue: Data protection Financial sanctions AML, CTF & counter-proliferation financing Cybersecurity Other Risk & Compliance updates this week Daily and weekly news alerts Trackers New and updated content Data protection ICO consults on draft updated guidance on encryption The Information Commissioner’s Office ( ICO) has now opened a consultation on its refreshed draft guidance for encryption. Participants are invited to outline who they are and the nature of their organisations, set out their thoughts on encryption within data protection law, comment on the encryption scenarios presented in the guidance, and add any further observations. Submissions are requested by 24 June 2025. See: LNB News 14/05/2025 40. House of Lords pushes for AI and copyright transparency measures in Data ( Use and Access) Bill On 12 May 2025, the House of Lords reviewed amendments sent by the House of...

The solicitors’ watchdog confirmed that, at its 29 April 2025 board meeting, it resolved to use UK rather than global turnover when calculating financial penalties for all kinds of breaches in future. The board also determined, in line with consultation feedback, that solicitors should no longer be fined for drink-driving convictions, with warnings or a rebuke to be issued instead. However, individuals will be referred to the Solicitors Disciplinary Tribunal where offences are serious or repeated. The SRA noted respondents’ views that the criminal courts are already addressing the matter. ‘ If you continue to break the law in a serious way, then we think you need to consider whether or not you should still be allowed to practise’, said Paul Philip, the watchdog’s chief executive......

Aged 52, Oghenochuko Ojiri admitted offences of terrorist financing, which prosecutors said were connected to eight sales, in all, of artistic works, together worth a total sum of £140,000, made to an alleged Hezbollah financier, Nazem Ahmad. Prosecution counsel Lyndon Harris of 6KBW College Hill told Westminster Magistrates' Court in London that Ojiri was aware at the time of the sales that Ahmad had been sanctioned by the US government......

Dyson’s bid to contest a Court of Appeal ruling “does not raise a point of law of general public importance”, states an order dated 1 May 2025 and approved by the UK Supreme Court on 6 May 2025. On 13 December 2024, the Court of Appeal determined that England was plainly the proper forum to hear the claim brought by 24 migrant labourers. That decision reversed the High Court’s view, where a judge had found the dispute bore strong connections to Malaysia and ought to proceed there. The workers, originating from Nepal and Bangladesh, allege they were trafficked from their homelands. They report having endured exploitative and abusive working and living conditions while engaged by a third‑party supplier providing products and components to the Dyson Group, most widely recognised for its vacuum cleaners. The succinct Supreme Court order records that...

Why is defining performance metrics and customer requirements more challenging for AI systems? AI’s intricacy and dependence on extensive datasets make it tougher to pin down clear success measures than in traditional IT projects. Key reasons include: non-deterministic behaviour. Numerous AI models, especially those built on machine learning or deep learning, may return different answers to the same inputs at different times. Whereas conventional software tends to be consistent, shifting model parameters blur simple pass/fail judgements. One test run can vary in outcome, so it’s wiser to define performance thresholds than fixed, single-shot checks. dynamic training data. Many AI solutions continue learning after deployment, risking ‘model drift’. As data or the surrounding context changes, accuracy and reliability can move unexpectedly. Contracts should recognise this and call for periodic evaluations or ‘recalibration’ to remedy any slide in...

A substantial penalty, imposed on Tik Tok on 2 May 2025 by Ireland’s privacy regulator, has sparked serious and widespread doubts over whether any firm exporting personal data to China can do so lawfully under EU data‑protection rules. Byte Dance, Tik Tok’s parent, was hit with a €530m (around $600m) fine after the Irish Data Protection Commission ( DPC) found it had failed to ‘verify, guarantee and demonstrate’ that EU users’ data—remotely accessed by staff in China—enjoyed safeguards ‘essentially equivalent to that guaranteed within the EU’. Concern over data flows to China has further intensified. The US government has now explicitly barred the movement of bulk sensitive personal data or government-related information between US persons and ‘countries of concern’—notably China. ‘ The screw is turning on restricting the flow of data to China, under the banner of privacy, national security and...

Fraud Track 2025 BDO Global’s Fraud Track 2025 reports that £337m is recorded as having been laundered between December 2023 and November 2024, though the real total is probably higher. Money laundering from criminal proceeds made up 61% of the overall reported value of fraud and economic crime. Non-corporate fraud, covering phishing scams and identity theft, followed next, contributing around 20%. The study also notes that the value of reported fraud and economic crime in the UK remains on a long-term downward trajectory, dropping 76% to £550m over the previous twelve months, down from £2.3bn in 2023. BDO attributed this reduction to a decrease in instances of high-value fraud. Stephen Peters, a partner at BDO and its head of investigations, said in a statement that the data indicates fraud continues to evolve......

In this issue: Financial sanctions Other financial crime Daily and weekly news alerts Trackers New and updated content Financial sanctions Navigating the complexities of sanctions compliance in law firms— OFSI’s Legal Services Threat Assessment April 2025 saw the Office of Financial Sanctions Implementation ( OFSI) issue its inaugural Legal Services Threat Assessment, one instalment in a suite of sector‑specific studies on sanctions threats. The publication sets out OFSI’s perspective on compliance risks facing legal services, illuminating the nuanced hurdles the UK profession encounters in upholding financial sanctions. It also highlights sector vulnerabilities and the persistent compliance challenges UK law firms confront under financial sanctions. Adopting OFSI’s recommendations enables firms to strengthen controls and reduce exposure to potential sanctions breaches within the UK legal services sector at large. Against a backdrop of geopolitical volatility and ever more complex regimes, firms should stay alert and take a...

Enhance When unveiling the Review, OFSI led with the headline, ‘ UK sanctions freeze £25bn of Russian assets’, adding that ‘over £25 billion of Russian assets [has been] reported frozen since Russia’s illegal invasion of Ukraine’. That total derives from OFSI’s Russian Frozen Assets In‑ Year Reporting, which records the most recent known value of frozen assets said to be held at the moment of designation, as reported to the authority by those required to make such notifications. By December 2024, £25bn in assets linked to the Russia regime had been notified to OFSI as frozen since February 2022. In 2023, frozen funds reported to OFSI across every sanctions regime came to £24.5bn, with £10bn attributable to the Russia regime. The updated number appears in OFSI’s latest Annual Frozen Asset Review, which obliges anyone holding or controlling assets frozen under UK financial...

EU AI Act timeline for GPAI Code of Practice Under the EU AI Act, the Code of Practice must be finalised by 2 May 2025 at the latest, and the European Commission’s AI Office is obliged to take the ‘necessary steps’ so the Code is recognised as an official compliance instrument. Yet, earlier this week the EU AI Office informed participants in the drafting work that ‘the final GPAI Code of Practice and the Commission guidelines on GPAI [are] expected to be published ahead of August 2025’. Its communication further notes: ‘ This extension of the deadline comes as a result of prioritising extended feedback cycles (as requested by all stakeholders), and to give stakeholders four weeks to respond to the consultation on guidelines’. According to the Commission’s updated website, the definitive Code will be presented at the closing plenary session and issued by August 2025,...

On 14 March 2025, delegates from EU Member States examined the interaction between the two regimes, aiming to pinpoint compliance hurdles for both supervised organisations and supervisory authorities. Following this exchange of views, Poland, the current chair of the EU diplomatic discussions, collated the contributions and prepared a synopsis — obtained by MLex — setting out principal takeaways on the core issues identified. The resulting summary will be tabled for debate at a meeting of national representatives. Differing regulatory approaches Most European governments underlined how the two laws diverge in regulatory design. The EU GDPR safeguards personal data through a fundamental‑rights lens, while the AI Act functions as product‑safety legislation, imposing targeted obligations calibrated to the level of risk. For a number of Member States, this divergence in underlying logic could produce contradictory regulatory outcomes, whereby an AI system is judged compliant with the AI Act but not...

The white-collar watchdog’s revised stance, allowing firms to sidestep charges save in ‘exceptional’ cases when they flag suspected economic wrongdoing, could nudge boardrooms towards deferred prosecution agreements ( DPAs) rather than gambling at trial. ‘ This guidance could usher in a fresh phase of corporate self-reporting and DPAs,’ said Louise Hodges, head of criminal litigation at Kingsley Napley LLP. Previously, the SFO’s approach offered no assurance that businesses would escape prosecution if they owned up. But SFO director Nick Ephgrave told white-collar defence practitioners in a 24 April 2025 speech that, for the first time, companies would know exactly what they are entering into: no ifs, no buts, no maybes; as close to a cast-iron promise as possible—work with us and we will work with you. Eye-catching as the pledge is, the real shift is the office’s vow to reply to...

The SFO has charged United Insurance Brokers with failing to prevent its associates from paying bribes in Ecuador—the first time the agency is preparing to go to trial over the adequacy of a company's compliance programmes. Experts say the case also signals—amid debate over the SFO’s priorities and doubts about the near‑term trajectory of international corruption inquiries—that the agency remains firmly engaged in tackling bribery at home and abroad today. Jonah Anderson, a partner at White & Case LLP, noted that although there now appear to be fewer bribery prosecutions than five or ten years ago and the global environment is shifting, the SFO continues to act as a vigorous corporate bribery enforcer. The UK’s anti‑bribery regime renders companies criminally responsible if they fail to stop employees or associated persons from making illicit payments to secure business in the UK or anywhere in the world. Since its...

The task force brings together: The UK Serious Fraud Office ( SFO) France's National Financial Prosecutor's Office, Parquet National Financier ( PNF) The Swiss Office of the Attorney General of Switzerland ( OAG) Its founding declaration unequivocally affirmed the trio's unwavering resolve to combat bribery and corruption under domestic and international legal regimes. Businesses within the reach of these authorities' jurisdictions—including US companies operating in Europe—should continue to uphold rigorous, well-embedded anti-corruption programmes. Purpose of the task force Its creation crowns more than ten years of close operational partnership among the three nations, spanning tightly coordinated cross-border enquiries, systematic intelligence collection, and law-enforcement information sharing and co-operation. Among other outcomes, the task force will deliver: a leaders' group dedicated to the regular and routine exchange of insight and strategy a working group tasked with developing proposals for case...

The ICO penalised DPP Law Solicitors LLP for inadequate protection of personal data after identifying, confidential and legally privileged material on its network was stolen in a cyber attack and subsequently posted on the dark web. Intruders also obtained entry via a seldom-used admin account linked to a legacy case management platform during a June 2022 “brute force” assault—where credentials are guessed through repeated trial and error, over and over again. Using this account, they exfiltrated 32 gigabytes of data from the firm’s network, and, according to the ICO, the administrator account lacked multi-factor authentication at the time. The haul comprised court bundles, documents, photographs and video relating to the firm’s clients and experts instructed to give evidence in......

In this issue: Risk & Compliance forecast Data protection Financial sanctions Other financial crime Other Risk & Compliance updates this week Daily and weekly news alerts New and updated content No Weekly Highlights on 24 April 2025 Risk & Compliance forecast New Risk & Compliance forecast as at 15 April 2025 Our updated Risk & Compliance forecast (as at 15 April 2025) is available now. This edition highlights, among other matters, the Serious Fraud Office’s new business plan, developments on the Cyber Security and Resilience Bill trailed in the King’s Speech, the Employment Rights Bill, and draft ICO guidance on deploying storage and access technologies. See News Analysis: New Risk & Compliance forecast as at 15 April 2025. Data protection Key takeaways from the ICO’s final anonymisation guidance On 28 March 2025, the UK Information...

The successful prosecution of Dmitrii Ovsiannikov The successful prosecution of Dmitrii Ovsiannikov, the first person convicted of breaching the UK’s sanctions regime against Russia, has triggered debate among lawyers, who argue that pursuing spending on basic living costs sits uneasily with Britain’s foreign policy objectives. While police, prosecutors and ministers trumpeted the Southwark Crown Court verdict as a warning shot to oligarchs, some practitioners caution it may send the wrong signal. Carter- Ruck associate Tasha Benkhadra suggested the National Crime Agency’s efforts would be better directed at suspected circumvention tied to arms transactions and the funding of sectors essential to the Russian war effort. A Southwark jury found Ovsiannikov guilty of circumventing the UK sanctions regime on 9 April 2025, and he received a 40-month prison term on 11 April 2025. The case alleged he and his family intentionally sidestepped financial...

Background This appeal concerns the Appellant’s challenge to the legality of statutory guidance from the Respondent, which treats a GRC confirming a person’s gender as female as bringing them within the Eq A 2010 definition of ‘woman’. The Gender Representation on Public Boards ( Scotland) Act 2018, an Act of the Scottish Parliament ( ASP 2018), sets targets to boost the share of women on public boards. Originally, ASP 2018 defined ‘woman’ to include those with the protected characteristic of gender reassignment: individuals living as women and proposing to undergo, undergoing, or having undergone a process of gender reassignment. In 2022, following a challenge by the Appellant ( FWS1), the Inner House held that this statutory definition was unlawful, as it addressed matters beyond the Scottish Parliament’s legislative competence. After FWS1, the Respondent published revised statutory guidance, which is now under...

New Risk & Compliance forecast as at 15 April 2025 Our Risk and Compliance forecast, dated 15 April 2025, charts proposed regulatory changes linked to risk & compliance, helping you prepare for any adjustments that may affect your organisation, and to support planning efforts. Please read it closely; nevertheless, a number of points that ought to be on your radar are summarised below......

What does the Guidance cover? The Guidance covers the following topic: Core principles of anonymisation and pseudonymisation The Guidance opens by affirming the core legal position: anonymised information lies beyond the reach of the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR), whereas pseudonymised information does not. The ICO then explains how this plays out in practice and the advantages linked to each category of data. It frames anonymisation as a personal data minimisation exercise, and pseudonymisation as a means of mitigating risk. Anonymisation involves transforming data so that the individuals to whom it pertains are not, or are no longer, identifiable. Under the UK GDPR, the standard is ‘effective’ anonymisation—reducing the chance of a person being identified to a sufficiently remote level, thereby severing any link between the information and the individual. Merely removing direct...