On initial appeal, the First-tier Tribunal (FTT) agreed with the ICO that DSG Retail had contravened the data security principle requirement to take "appropriate technical and organisational measures...against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data". However, the FTT reduced the fine to £250,000, holding that the contravention was not as serious as the ICO had determined.

On next appeal to the Upper Tribunal, DSG Retail focused its case on an argument that, when assessing whether a controller has complied with the data security principle, the ICO - and the courts - must consider whether the information accessed by the attacker was personal data from the perspective of the attacker. As the very large majority of exfiltrated information in this case was incapable of being connected by the attacker to any identifiable individual, it was not personal data in the attacker's hands. In agreeing with this submission, and upholding DSG's appeal, the Upper Tribunal held that the ICO had fallen into error in finding that there had been a contravention of the data security principle without considering whether the data that was rendered vulnerable would be "personal data" in the hands of third parties who could access it.

The Court of Appeal has now overturned the Upper Tribunal's decision, with the court saying that the data security principle applies if the data is "personal" from the perspective of the data controller, and that it is unnecessary to consider whether it is the personal data "in the hands of" or "from the perspective" of any other person.

This is the latest in a long line of cases, including from the European courts, which deal with the questions of "identifiability" and "perspective", and the issues remain both complex and controversial. It is quite possible that there will be a further appeal to the Supreme Court, although DSG Retail is not believed to have made any announcement as yet.

With the commencement of section 115 and Schedule 1 of the Data (Use and Access) Act 2025, (DUAA) those "seriousness" and "substantial damage or substantial distress" requirements are removed, and, in principle, any contravention is punishable by a fine.

In reality, given that the ICO - in contrast to the field of unsolicited direct electronic marketing (where the similar "substantial damage or substantial distress" requirement had been repealed in 2015) - has not shown much appetite for enforcing the cookie provisions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), this may not present an immediate regulatory risk. However, those deploying cookies and similar technologies, and those advising them, would do well to bear the changes in mind. They would also do well to watch for any changes in messaging coming out of the ICO.

Regulation 6 of PECR, as amended, provides that, in general, a person "must not store information, or gain access to information stored, in the terminal equipment of a subscriber or user". As the ICO explains, "Cookies are used by many websites and can do a number of things, e.g. remembering your preferences, recording what you have put in your shopping basket, and counting the number of people looking at a website". They are also an essential feature of much online programmatic advertising targeted at individual users, through profiling.

Although cookies and similar tracking technology are ubiquitous online, they should not be deployed unless certain conditions, as laid out in new schedule A1 of PECR are met. These conditions include: where the user has consented to the cookies (provided they have been given clear and comprehensive information about them); where the cookies are required for transmitting a communication over a network; where the cookies are strictly necessary to provide an "information society service" (broadly, this means most online services, such as apps, search engines, social media platforms, online marketplaces, content streaming services, online games, news websites, and any websites offering other goods or services, but it will generally not include websites operated by public authorities); the collection - in some cases - of website/user analytics.

Understanding aspects of PECR requires knowledge of wider communications law and technological understanding of how communications are made across online networks. Some of the amendments recently made by the DUAA involve these complex aspects. Shortly after the DUAA was enacted, the ICO indicated that updated PECR guidance was due in "Winter 2025/2026", but it has not emerged yet. Practitioners and advisers would do well to look out for it though, as it may give an indication of the ICO’s possible areas of regulatory focus.

The DUAA also increased the maximum penalty for PECR contraventions from £500,000 to £17.5 million or 4% of global annual turnover (whichever is higher). Even under the current low-interventionist ICO regime, this increase, and the technical complexity of PECR represents a risk that should be understood all the way up to board level.

• Various aspects of data protection and eprivacy reforms take effect in the UK on 5 February 2026.
• Significant automated decision-making undergoes a major shift, from a “can’t, unless…” framework, to a “can, so long as…” one.
• Charities’ ability to send electronic marketing to their supporters becomes much wider.
• Potential maximum fines for eprivacy breaches rise from £500,000 to £17.5m or 4% of global annual turnover.
• A new concept of “recognised legitimate interests” is introduced which does not require the usual balancing tests for reliance on the existing legitimate interests lawful basis.
• With the making of The Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026, Parliament has now finally commenced the most significant data protection and eprivacy reform provisions since the UK left the EU.

Almost as soon as Brexit took effect, the-then government introduced a National Data Strategy and proposed a “bold new data regime outside the EU”. Two failed Parliamentary Bills followed (the Data Protection and Digital Information Bills 1 and 2) before Parliament finally passed the Data Use and Access Act 2025 (DUAA), in June last year. The final version of the reform package was notably less bold than what earlier governments had proposed, but practitioners and advisers have still been waiting, with some anticipation, for the commencement of part 5 of DUAA, which deals primarily with amendments to the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003. With the Commencement No. 6 Regulations now made, that wait is over.

What changes are made?

Automated decision-making

Possibly the most significant change, given both the current stage and likely future stages of technological advancement, is to Article 22 of the UK GDPR. Prior to amendment, Article 22 placed a general prohibition on automated processing, including profiling, which produced legal effects on a data subject or similarly significantly affected them. This prohibition (cast as a data subject right) was subject to exceptions where that automated processing was necessary for performance of a contract with the data subject, was required or authorised by law, or was based on the data subject’s consent. These exceptions were, obviously, limited in effect.

Article 22 is now replaced by Article 22A, the effect of which is that it is only when automated processing (producing legal effects on a data subject or similarly significantly affecting them) is done to special category data that the general prohibition, and exceptions, still apply. With “ordinary” personal data, meanwhile, automated decision-making can take place, provided specific safeguards are observed, such as: providing information about the decision-making; the ability for the data subject to make representations; the ability to obtain human intervention; and the ability to contest the decision made.

In many cases, provided they observe those safeguards, and provided that the rights, freedoms and interests of data subjects are not overriding, businesses will be able to rely on their (or others’) legitimate interests as a legal basis for automated decision-making. This change from a “can’t, unless…” to a “can, so long as…” scheme represents a potentially fundamental shift in how the law will treat such processing, including in the context of AI systems.

Charities and electronic direct marketing, and PECR fines

The law governing the sending of direct marketing to individuals by email and SMS was passed as far back as 2003 - the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). It only allows direct electronic marketing to be sent with the recipient’s consent, but with an important exception for organisations who have sold products or services (or entered into negotiations for the sale of such products or services) to the individuals to be marketed to - as long as those organisations provided information on opting-out, they can send such electronic marketing without consent.

This exception has come to be called the “soft opt-in”. Because of the requirement for there to be a “sale” of a product or service, charities have not generally been able to avail themselves of it, until now. Regulation 22 of PECR has been amended to allow charities to send direct marketing to individuals where: the sole purpose of the marketing is to further one or more of the charity’s charitable purposes; the individual provided their details when expressing an interest in one or more of those purposes, or when offering or providing support for one or more of those purposes; and the appropriate opt-out information is provided at all stages.

This amendment is potentially very significant for the charity sector and its fundraising capabilities. But charities would be wise to step cautiously and take appropriate advice. Unlawful direct electronic marketing has long been a target for enforcement action by the Information Commissioner (ICO) who is also receiving increased enforcement powers in relation to PECR, including, notably, an increase in the maximum fine for PECR infringement from £500,000 to £17.5m or 4% of global annual turnover (whichever is higher) - the equivalent of the maximum fines under the UK GDPR and Data Protection Act 2018.

“Recognised” legitimate interests

For processing of personal data to be lawful under the UK GDPR, it must, at least, have a lawful basis under Article 6(1). Perhaps the basis most commonly relied upon is that the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (Article 6(1)(f)), which applies unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject. As the case law has established, to determine properly whether this basis is available requires a careful set of at least three staged tests: i) are legitimate interests being pursued (and by whom)? ii) is the processing necessary for the purposes of those interests? iii) are those interests outweighed by the data subject’s interests, rights or freedoms?

With the amendments to Article 6, Parliament has now introduced the concept of a “recognised” legitimate interest. Where such an interest exists, the third test above is effectively knocked away: Parliament has determined that certain processing activities are for legitimate interests and those interests are never outweighed by the data subject’s rights. These include: processing for the purposes of safeguarding national security, of protecting public security, for defence purposes and for safeguarding a vulnerable individual.

It should be stressed however that the existence of a recognised legitimate interest does not imply an exemption from the obligation to comply with all other aspects of the data protection principles.

Regulation-making powers

A notable feature of the DUAA – and indeed of much modern legislation – is that it confers on the Secretary of State the power to make further regulations. There are multiple instances of this in the Act, but, as one example, further "recognised legitimate interests" can be created by this route.

Other amendments

We will be providing further commentary in the coming weeks on other significant changes to the UK's data protection and eprivacy regime. These include in the areas of scientific research, cookies, data subject complaints and rights, and reform of the Information Commissioner's Office.

• Synthetic identity fraud involves the creation of fictitious identities by combining real personal information (such as National Insurance numbers) with fabricated details (false names, addresses, dates of birth). Unlike traditional identity theft, no real person corresponds to the identity created. 
• The threat is growing rapidly: synthetic identity fraud is now one of the fastest-growing financial crimes in the UK and globally, with annual losses estimated in the billions. Financial services, credit providers, and e-commerce platforms are particularly vulnerable. 
• Victims include individuals whose genuine details are misused, lenders and businesses suffering direct financial losses, and the broader economy through facilitation of money laundering and other serious crimes. 
• Legal remedies are available: victims and affected businesses can pursue freezing orders, asset tracing, proprietary injunctions, and Norwich Pharmacal relief, whilst lawyers play a crucial role in coordinating enforcement action and advising on prevention frameworks. 

What is synthetic identity fraud? 

Synthetic identity fraud involves the construction of fictitious identities by blending genuine personal information - often a real National Insurance number or date of birth - with fabricated elements such as false names, addresses, or telephone numbers. The resulting "synthetic identity" does not correspond to any real person, which distinguishes it from traditional identity theft, where a fraudster assumes the complete identity of an existing individual. 

These synthetic identities are then cultivated over time. Fraudsters apply for credit, make small purchases, and build a credit history, establishing apparent legitimacy. After months or even years of "nurturing" the identity, the fraudster executes a "bust-out": resulting in the fraudster maximising credit lines before disappearing, leaving victims - primarily lenders - with substantial losses and no real person to pursue. 

Scale and prevalence 

Synthetic identity fraud has emerged as one of the most significant and fastest-growing threats in financial crime. In the United States, the Federal Reserve has identified it as the fastest-growing type of financial crime, accounting for an estimated 10–15% of credit losses and costing lenders approximately $6 billion annually. UK-specific data remains more limited. UK Finance and the Financial Conduct Authority have flagged synthetic identity fraud as an escalating concern, particularly as digital onboarding and remote account opening have accelerated post-pandemic. 

The financial services sector bears the brunt of losses, but e-commerce platforms, telecommunications providers, and any business extending credit or processing high-value transactions face exposure.  

Who is at risk and what are the harms? 

Synthetic identity fraud creates multiple categories of victim: 

Individuals: persons whose genuine personal details (often children, the elderly, or individuals with thin credit files) are harvested and incorporated into synthetic identities may suffer credit damage, difficulty accessing finance, and the burden of proving they are victims rather than perpetrators. Such personal data is frequently obtained through cyber-attacks on third parties. 

Lenders and businesses: these entities face direct financial losses from unpaid credit and chargebacks, and fraud-related write-offs can be substantial. Reputational damage and regulatory scrutiny may follow, particularly where inadequate controls are identified. 

Consumers and the economy: synthetic identities underpin wider criminal enterprises, from money laundering to fraud-as-a-service operations, eroding trust in digital commerce and increasing costs across the financial system. 

Prevention and protection 

Effective prevention requires a multi-layered approach: 

For individuals: regularly monitor credit reports for unfamiliar accounts or enquiries; consider credit freezes or fraud alerts; safeguard personal information, particularly National Insurance numbers and identity documents. 

For businesses: implement robust Know Your Customer (KYC), Anti-Money Laundering (AML) and cyber-security controls; deploy advanced identity verification technologies, including biometric authentication, document verification, and AI-driven anomaly detection; monitor account behaviour for patterns consistent with synthetic identity cultivation (e.g., rapid credit-building followed by sudden high-value applications); and share intelligence through industry fraud-prevention networks. 

Legal remedies and the role of legal practitioners 

When synthetic identity fraud is detected, swift legal action is essential to mitigate losses and hold perpetrators accountable. Mishcon de Reya's Fraud team advises clients on the full spectrum of remedies: 

Freezing orders and asset preservation: obtaining urgent injunctive relief to freeze assets and prevent dissipation, including worldwide freezing orders where fraud spans multiple jurisdictions. 

Norwich Pharmacal relief: compelling third parties (banks, telecommunications providers, online platforms) to disclose information identifying fraudsters and tracing the flow of funds. 

Proprietary claims and tracing: pursuing assets through complex transaction chains, asserting proprietary interests, and recovering misappropriated funds. 

Coordination with law enforcement: liaising with the National Crime Agency, Report Fraud, and international authorities to support criminal investigations and enhance prospects of recovery. 

Regulatory compliance and prevention: advising financial institutions and businesses on regulatory obligations, designing and stress-testing KYC/AML frameworks, and implementing technology-driven controls to detect and prevent synthetic identity fraud before losses occur. 

Synthetic identity fraud presents a sophisticated and evolving threat, but it is not insurmountable. With the right combination of vigilance, technology controls, and timely legal action, individuals and businesses can protect themselves and pursue effective remedies when fraud of this kind occurs. 

• Although the technological and societal threats to privacy are greater than ever, privacy is not dead and is worth fighting for.
• There is more private information in use, therefore more scope for misuse, and scrutiny has been turbocharged by technology, including AI.
• Even the most exposed and scrutinised families and public figures have the right to respect for their private and family lives, and to prevent unwarranted intrusion.
• The law recognises individual autonomy: a person's right to exercise close control over particular information about their private life.
• Being "for" privacy does not mean being against freedom of expression. They are two equal but competing rights, always in tension. The legal approach to privacy has built-in safeguards, including to prevent trivial claims, and it will not stop the publication of material that is genuinely in the public interest.

It is often said that privacy is dead. Over a decade ago, Facebook's founder Mark Zuckerberg claimed that privacy was no longer a "social norm"; that people had become so comfortable sharing more information, more openly and with more people, that the notion of holding back and protecting personal information was antiquated, even obsolete.

Technological and societal threats to privacy have only increased since then. Sceptics and certain sections of the media would have you believe that those who seek to assert their right to privacy must have something to hide - they are branded as "furtive", "evasive" or "secretive". Yet the human right to respect for private and family life is intrinsically connected to our respect for human dignity and autonomy, and legal protections for private information and – crucially – against unwarranted intrusion into private life, remain alive and well, and are consistently being applied in novel contemporary situations.

It is, without doubt, harder now to protect private information. For one thing, our private data and information is more in use, so the scope for misuse is higher. We are just at the start of an AI revolution, fuelled by data gathering on a massive scale, as well as increasingly sophisticated surveillance. Some technology, such as smart fridges and tracking apps, we can opt out of, but much of it, like biometric data collection, is built into everyday transactions, especially for security. It is almost impossible to live 'off grid'. Technology has also turbocharged scrutiny, not just by the press but by citizen journalists, activists and hackers. Private moments are more likely to be captured – from video doorbells to drones – and have never been easier to spread. The Coldplay concert embrace this summer, and the viral storm which followed, is just one example of the internet turned sleuth, judge and jury.

Even the most exposed and scrutinised families and public figures have privacy rights, which can – indeed must - be enforced confidently and consistently if we are not to concede the fight entirely. The best way to guard against loss of privacy is by being mindful about what we share, with whom, and how it is received by the recipient. It is prudent to set clear expectations before sharing – so that if information is not for onward dissemination, that is understood and agreed in advance. Equally, if privacy boundaries are set, they must be actively policed in order to be effective – and unlawful interference addressed.

It is often forgotten that privacy law does not just protect the keeping of secrets, but also against intrusion into the private spheres of our lives. The Supreme Court has upheld privacy injunctions, even in the face of considerable online speculation about the parties' identities, appreciating the significance of the additional scrutiny and media intrusion that would result in the injunction being lifted.

The law also recognises individual autonomy. At one time it was thought that disclosures in a given "zone" of a person's private life could defeat, or at least greatly reduce, the weight of any claim for privacy in respect of other information in the same "zone". That theory has been discredited. The starting point now is that a person has the right to exercise close control over particular information about their private life: to decide whether to disclose anything about a given aspect of that life and, if so, what to disclose, when and to whom. For public figures in particular, this fits with the established principle that they are not "fair game" simply because they seek favourable publicity in other aspects of their lives.

Being "for" privacy should not be equated with being "against" freedom of expression. These are equal but often competing rights, always in tension, and any interference with each must be necessary and proportionate. In other words, the legal approach to privacy has built-in safeguards, including to prevent trivial claims, and it will not stop the publication of material that is genuinely in the public interest. Privacy is worth fighting for. It is a human right, and should not be a dirty word.

• The UK lacks overarching deepfake legislation, leaving victims facing a complex patchwork of existing laws including intellectual property (IP), data protection, defamation and malicious falsehood.  
• While the Government recently introduced criminal sanctions for sharing non-consensual intimate deepfakes (via the Online Safety Act 2023), and provisions criminalising their creation (in the Data (Use and Access) Act 2025, significant gaps remain. 
• Detection and enforcement present substantial challenges for individuals, with perpetrators often difficult to identify and frequently based overseas, beyond UK regulatory reach, whilst platforms are often slow to remove deepfake content. 
• The Government's current consultation on AI and copyright may include consideration of whether more controls should be given to performers over the use of their likenesses and performances.  
• The EU AI Act meanwhile includes transparency requirements for deepfakes including machine-readable marking and disclosure obligations, though practical implementation challenges remain. 

The use of AI tools is proliferating and becoming mainstream. Allied to fast-moving developments in the technology, it is becoming increasingly difficult to distinguish AI-generated content – including deepfakes (i.e. images, video or audio intended to impersonate an individual's likeness or voice) - from human-generated and authentic content. Deepfake technology isn't, in itself, particularly new, but the ease and scale with which deepfakes can now be produced and disseminated, without easy detection or challenge, has led to urgent calls for a review of regulation in this area. 

'Digital replicas' (a more benign expression for 'deepfakes') can, of course, be created for positive uses. The technology has been used to de-age the actor Harrison Ford in the movie Indiana Jones and the Dial of Destiny and to reanimate deceased actors (such as Carrie Fisher) on screen. But, when digital replicas are made without consent, they can be put to more nefarious uses. Ofcom summarised these risks well in a recent study when it noted that deepfakes can be used to "demean, defraud and disinform". Many famous people have been the subject of deepfakes, from Taylor Swift through to Stephen Fry and the financial journalist Martin Lewis, but the problem also impacts non-celebrities, and sometimes in devastating ways.   

No overarching regulatory framework 

The problem for those impacted is that there is no overarching law regulating deepfakes in the UK. Instead, there is a patchwork of existing laws (for example, IP, data protection, defamation, malicious falsehood) alongside existing laws that meet particular harms (such as the use of deepfakes in fraudulent activity). Importantly, current regulatory focus is on the creation and dissemination of non-consensual intimate images in the form of deepfakes, where the Government has taken a number of steps to introduce criminal sanctions, with more developments to come shortly. These developments have been hard fought for, and greatly welcomed by campaigners, but there are still gaps in the legislation, for example, there is nothing yet to address "nudifying" or "undressing" apps, which remove clothing from images.  

Difficulties in detection and enforcement 

In addition to the overly complex nature of the current regulatory framework, those impacted by deepfakes face the additional difficulty of tracking down those who create or disseminate such images. Even if they can be identified, the perpetrators are often based overseas and out of reach of the UK regulatory authorities. While contractual protections may assist for some individuals (for example, performers, who may wish to contract against having their performance used to train an AI model), there is no one size fits all approach to this enforcement question. Accordingly, in addition to enhanced regulation, many are looking to the role of the AI model developers and the large tech platforms (including social media) in detecting and expeditiously removing such content, enforcing their terms of use, and, where possible, preventing such content being generated in the first place. But our experience has been that the platforms are often slow to react, which can be detrimental where content can go viral rapidly online. 

Potential claims against deepfakes 

There are some potential claims that an individual might make in relation to the use of their likeness (image or voice) in a deepfake, some of which are currently less relevant to non-celebrities, but where we may see calls to broaden out the protection available. 

Intellectual property rights  

In the UK, there are certain forms of IP rights that might be available to provide protection for an individual's likeness. However, there is no form of personality right or image right in the UK (unlike in some other countries).  Potential IP rights that might arise include: 

• Copyright: while there is no copyright in an individual's voice or image, there is likely to be copyright in a photograph or video of an individual, or in a sound recording of their voice. If those copyright works are reproduced without the copyright owner's consent (e.g. during the training of an AI model), arguments of copyright infringement may arise. However, the difficulty here is that often the individual who is the subject of e.g. the photograph is not the copyright owner of that photograph. Individuals may also find that any relevant copyright works have been licensed to AI model developers to train their models. 
  
  Separately, performers have certain rights in their performances (there is no requirement to be a celebrity to rely upon these rights), as well as certain moral rights (though in practice moral rights are often waived by performers). While these rights may be relied upon to tackle unauthorised uses of a performance, the performers' union, Equity, has called on the government to strengthen performers' rights to encourage licensing and prevent unauthorised AI-related uses. In particular, Equity is lobbying for increased transparency measures and additional rights, including in relation to performance synthesisation, image rights and unwaivable moral rights. It is also concerned about the terms of contracts used by production companies for training AI models/generating digital replicas, citing the example of a performer whose likeness was used as a 'performance avatar' and who later discovered it being used to promote the Venezuelan government. 
  
  Copyright may, however, have a greater role to play in relation to deepfakes going forward. The Danish government is considering using copyright law to regulate deepfakes by making unauthorised sharing of AI-generated deepfakes illegal, including in relation to deepfakes of non-celebrities. Individuals would be able to demand removal of the images, as well as compensation, and the right would last for up to 50 years after their death. Meanwhile, the central proposal of the US Copyright Office's report on Digital Replicas is a new federal law to deal with unauthorised digital replicas (again, which would be available for all individuals, not just celebrities), on the grounds that existing laws in the US do not provide sufficient legal redress. A number of US sates have also proposed such laws. 
  
  In the UK, the Government is currently conducting a consultation process in relation to AI and copyright. While the consultation does not formally consult on specific proposals on digital replicas and personality rights, the Government has said that it is keen to hear views on the topic. This could include whether the current legal framework provides sufficient control to performers over the use of their likenesses/performances (perhaps involving consideration of whether performers should be able to opt their performances out of being used to train AI models). 
   
• Trade marks and passing off: Celebrities, such as Rihanna and former motor racing driver Eddie Irvine, have had some success in bringing passing off proceedings for the use of their image to advertise a product, on the grounds that this amounts to a false endorsement. While such claims may assist in similar situations involving deepfakes of celebrities, it will be much more difficult for a non-celebrity to get such a claim off the ground. 

Data protection  

Information which "relates to" an identified or identifiable individual is their "personal data", and will, as a general principle, mean that the data subject has rights arising, and those who process the personal data have obligations imposed on them. "Inaccurate" data is still personal data, and, by extension, there is certainly a strong argument that a deepfake of an identifiable individual will also be their personal data. This means that affected individuals potentially have the right to request erasure, or to bring complaints or claims, under the UK GDPR. 

Defamation 

A deepfake could give rise to a claim in defamation if it contains false and defamatory information and causes the subject serious reputational harm. Consider a politician who becomes the subject of a fake video where they admit to wrongdoing. The merits will depend on multiple factors including the meaning, nature and extent of publication of the deepfake, and the evidence of reputational harm. There may also be problems locating and identifying the source of the deepfake/its author, problems establishing the liability of any platform hosting the deepfake, and jurisdictional hurdles if they/the platform are based outside of the UK.  

Breach of privacy and/or confidence  

Where a deepfake contains true but private and/or confidential information, the subject may be able to bring a claim for misuse of private information and/or breach of confidence if they did not consent to the information being used and shared in this way. What constitutes "private information" is not defined in law, but it is established that it includes information such as: medical information, details of a person's sexuality and sex life, and details of their home or family life. 

Non-consensual intimate image deepfakes 

The UK Government recently introduced various pieces of legislation aimed at criminalising conduct around non-consensual intimate deepfakes. As of 31 January 2024, legislation brought in by the Online Safety Act 2023 and inserted into the Sexual Offences Act 2003 criminalises the sharing, or threatening to share, of intimate deepfakes without consent. In addition, the Data (Use and Access) Act 2025 contains provisions criminalising the creation, and requesting of the creation, of intimate deepfakes without consent.  

Wider regulatory responses 

The EU's AI Act is a wide-ranging piece of legislation regulating the development and deployment of AI, including generative AI. One of the bedrocks of ensuring trustworthiness and integrity of AI systems is a robust framework of transparency requirements which enables people to know when they are interacting with or are exposed to AI systems and their outputs (including deepfakes or other manipulated content). In that context, the EU AI Act contains a number of transparency requirements, including in relation to deepfakes, which will start to apply from 2 August 2026. 

The European Commission is considering how best to implement the AI Act's transparency requirements and has recently published a draft Code of Practice on the detection and labelling of artificially generated or manipulated content.  

Specifically, in relation to deepfakes and other generated content, Article 50 of the EU AI Act requires: 

• Providers of AI systems that directly interact with individuals to ensure they are informed they are interacting with an AI system and not a human (unless this is obvious to a reasonably well-informed, observant and circumspect individual in the circumstances and context of use). For example, the Archival Producers Alliance has published guidance on best practices for the use of Generative AI in Documentaries which include providing visual vocabulary that alerts the audience to GenAI use, such as a unique frame around the material, change of aspect ratio etc. 
• Providers of AI systems to facilitate detection and identification of AI-generated or manipulated content by marking such content in a machine-readable manner and enabling related detection mechanisms (e.g. metadata identification, cryptographic techniques and watermarking). 
• Deployers of AI systems generating or manipulating deepfake content to provide information about the origin of the content. However, where the content forms part of an evidently artistic, creative, satirical, fictional or analogous work or programme, these obligations are limited to disclosing the existence of the generated or manipulated content in an appropriate manner that does not hamper the display or enjoyment of the work.  

Of course, the position in relation to transparency and labelling of AI content is not straightforward, both legally and practically. Many organisations, for example, have partnered with the Coalition for Content Provenance and Authenticity (C2PA) to add labels to AI-generated content (e.g. LinkedIn). These tags are automatically added based on embedded code data in the images, as identified by the C2PA process. However, this may easily be circumvented by stripping the metadata from digital files. It must therefore be anticipated that the discussions around the proposed Code of Practice will lead to a range of (potentially conflicting) viewpoints that may require compromises to be reached in certain areas.  

Practical steps 

While a number of legal measures are available for individuals who find that their likeness or voice has been used in a deepfake (as well as preventative measures to protect against creation in the first place), the framework for taking action remains a complex one, and so we would recommend anyone impacted to seek specialist legal advice. Those needing support with non-consensual intimate image deepfakes can contact services such as the Revenge Porn Helpline, who provide free assistance with the removal of intimate imagine including deepfakes shared without consent from the internet. The Police also have published guidance on reporting potential criminal offences involving deepfakes.   

If you would like to discuss issues relating to deepfakes, including how to take action to protect against digital replicas being created and shared, please get in touch with a member of the team.  

• A care home director has been prosecuted and fined by the Information Commissioner in relation to a Data Subject Access Request (DSAR). This is believed to be the first such prosecution of its type. 
• While failure to comply with a DSAR is usually treated as a civil matter, section 173 of the Data Protection Act 2018 makes it a criminal offence – once a DSAR is received - to alter, erase, or conceal information to prevent disclosure. 
• Criminal liability under section 173 can lie with the data controller itself, or with individual directors and staff, and all organisations should be alive to the possibility of prosecutions being brought. 

Where a data controller fails to comply lawfully with a data subject access request (DSAR) under the UK GDPR, that failure will constitute a breach of statutory duty, potentially attracting civil enforcement action by the Information Commissioner’s Office (ICO). However, a recent prosecution illustrates that a failure can, in some circumstances, also be a criminal offence. 

The right to know how one’s personal data is being processed is recognised in law as especially important - it has been described as a "lynchpin" of data protection law.  

When a DSAR is made to a data controller, the controller must supply, normally within one month - and subject to the application of exemptions - an explanation of the processing, and copies of the personal data undergoing processing.  

Ordinarily, a failure to comply will be treated as a civil wrong, potentially resulting in civil enforcement action by the Information Commissioner (ICO) or civil proceedings by the requester to secure compliance. However, section 173 of the Data Protection Act 2018 (DPA) also provides that a controller (or an employee or officer of the controller) will commit an offence if - after receiving a DSAR - it alters, defaces, blocks, erases, destroys or conceals information with the intention of preventing disclosure of all or part of the information that the requester would have been entitled to receive. 

The recent prosecution by the ICO - believed to be the first such section 173 DPA case - was of a director of Bridlington Lodge, a care home in Yorkshire, who was found to have blocked, erased, or concealed records held by the care home, to prevent this information being disclosed. The request had been made by a woman who had lasting power of attorney over her father’s affairs (and so was authorised to make the request on his behalf).  

At Beverley Magistrates Court on Wednesday 3 September 2025, the director was convicted and ordered to pay a fine of £1,100 and additional costs of £5,440. 

The ICO has informed Mishcon de Reya that the director offered an unsuccessful defence that, variously, claimed that: the information requested had in fact been provided by a member of staff; the care home manager was responsible for responding to the DSAR, not him; the company had been deregistered from the ICO in 2016 (not that this could conceivably have been relevant); Bridlington Lodge was a building, not a data controller. 

The ICO also explained to this firm that the requester now has the requested personal data. 

The ICO has attracted some criticism in recent times for the relatively low volume of civil enforcement actions it brings. In particular, it has rarely shown a willingness to intervene in DSARs where the requester has been faced with a recalcitrant data controller. Whether this criminal enforcement case indicates a shift in approach is not yet clear - it may be that the behaviour of the director in this particular case was simply so egregious that it warranted exceptional action. However, all data controllers - and indeed, their employees and directors, who might be directly criminally liable - should be aware that prosecutions under section 173 of the DPA can be brought, and, in appropriate cases, might well be pursued by the ICO. 

• The Protection of Children Codes (Codes) set out safety measures recommended for providers of Part 3 Services (user-to-user or search engine services) to comply with their duties under the Online Safety Act 2024 (OSA) and come into effect from 25 July 2025. 
• Services that implement the recommended measures within the Codes will be treated as complying with their relevant duties under the OSA. 
• However, service providers are not required to comply with the Codes to meet their OSA duties. They can implement alternative measures, provided they maintain a record of the measures and explain how these meet the duty. 
• These Codes come into force ahead of the deadline of 7 August 2025 for certain services to disclose their children's risk assessments (CRAs) to Ofcom. 

The Codes 

There are two Codes issued by Ofcom (the regulator for the OSA) that set out the safety measures recommended for Part 3 Services, one for user-to-user services and one for search engine services. Where services comply with and implement the recommended measures, the Codes will act as a "safe harbour" and will mean that the services will be treated as having complied with their duties under the OSA in relation to the protection of children from the risk of harm. The Codes do not remove the requirement to complete any of the risk assessments required by the OSA, and services will still be required to complete these and evidence the mitigations that they put in place to reduce risk. 

Measures 

The Codes set out measures by thematic area, and not all services will need to comply with all measures to benefit from the Codes' safe harbour effect. The Codes are not prescriptive, and services can choose to implement other measures provided they maintain a record of the measures implemented and how they consider these to meet the relevant duty. 

Where services do not meet the standard outlined in the Codes and fail to evidence and explain their alternative approaches, it is likely that any Ofcom enforcement will require the implementation of the measures specified in the Codes. As Ofcom continues its enforcement efforts under its powers granted by the OSA, we will gain greater insight into how Ofcom will assess alternative measures to those in the Codes. 

CRA disclosure to Ofcom and the public 

To comply with their duty in relation to the completion of CRAs, some of the Categorised Services (Category 1 and Category 2A Services) are expected to submit their completed CRA(s) to Ofcom by 7 August 2025.  

Categorised Services are considered to be "higher risk" services by Ofcom. Category 1 Services are user-to-user services that have a content recommender system and either (i) more than 34 million UK users, or (ii) have more than seven million UK users and allow those users to forward or share user-generated content. Category 2A Services are search engine services that are not vertical search services and have more than seven million UK users. Category 1 and 2A Services must also publish notices of the findings and conclusions from their completed CRA(s) in a publicly available statement. 

ARAP is the scheme for the resettlement of certain Afghan citizens who worked for, or with, UK Armed Forces over the combat years of Afghanistan. It is evident that information about those who might apply or qualify is of the utmost sensitivity, and that if it fell into the wrong hands it could result in a risk to life. This is why, at enormous cost, as the Secretary of State explained, the UK has had to commit to a specific settlement scheme designed for people not eligible for ARAP, but judged to be at the highest risk of reprisals by the Taliban, as a result of the data breach.  

The Secretary of State also told Parliament that the incident occurred when a defence official emailed an ARAP case working file outside of authorised government systems, believing it to contain the details of only 150 applicants. Instead, it contained all 18,714. 

The risks of disclosure of “hidden” data in spreadsheets are something that have been known about for many years. As far back as 2013 the author wrote about it for the Guardian. However, the fact that it continues to happen suggests that it is not sufficiently widely known, and that many who use spreadsheets and share data do not have the appropriate policies and controls in place to prevent such incidents. In 2024 the Information Commissioner fined the Police Service of Northern Ireland for a worryingly similar infringement. 

The Commissioner is tasked with regulating and enforcing data protection law and has powers to serve fines (to a maximum of £17.5 million, or 4% of global annual turnover, whichever is higher). In a parallel statement on 15 July, a Deputy Commissioner explained that the incident involved “hidden data in a spreadsheet”, and that it was “unacceptable”. However, the Commissioner was “satisfied that no further regulatory action is required at this time in this case”. 

The Commissioner operates what it calls a “public sector approach” under which he will generally only fine a public authority if an infringement is “egregious”. In documents published earlier this year, on proposals to extend the public sector approach, the Commissioner's office explained that the non-exhaustive list of what might qualify as “egregious” included: 

• Actual or potential harm to people: this could be physical or bodily harm. For example, evidence of:  
  • a high risk of actual or potential harm to affected people or their family members, including a threat to life following a data breach; 
  • where there is evidence of a high degree of negligence; and 
  • relevant previous infringements, or recent infringements, by the controller. 

Given that this recent incident put tens of thousands of lives at risk, was (as the Secretary of State told Parliament) a “serious departmental error” and a “clear breach of strict data protection protocols”, and happened around the same time that the Commissioner was fining the Ministry of Defence for another very serious data breach involving high risk to Afghani citizens it is very difficult to understand how it did not meet the threshold for regulatory action. 

But if, for whatever reason, a fine was not felt appropriate, it is worth also noting the Commissioner has various other powers available, and these include the power, under section 139(3) of the Data Protection Act 2018, to lay a report before Parliament on any matter relating to the carrying out of his functions. 

This data protection issue of hidden data in spreadsheets, which has twice in recent years exposed many thousands of people to the risk of loss of life, is surely something that the ICO should consider worthy of drawing to Parliament’s attention by way of a statutory report. 

Related coverage

Independent

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) is the primary law when it comes to cookies and direct electronic marketing. When the GDPR (now the UK GDPR) came into effect in 2018 the Data Protection Act 1998 (DPA98) was repealed, except that its enforcement sections remained in place for PECR infringements. 

Under section 55A of DPA98, as modified by PECR, the Information Commissioner's Office (ICO) may fine a person if they are satisfied that there has been a serious contravention of the cookie provisions, in regulation 6 of PECR, by that person, and the contravention was of a kind "likely to cause substantial damage or substantial distress" (and also that the contravention was either deliberate or the person acted negligently in allowing it to happen). The requirement for a contravention to be likely to have caused "substantial damage or distress" also originally applied to direct electronic marketing contraventions, but the requirement was removed by secondary legislation in 2015. 

The upshot is that, as the law currently stands, a cookie contravention would have to be both serious and likely to cause substantial damage or substantial distress before the ICO could even consider issuing a fine. It is difficult to imagine that many, if any, contraventions would meet that threshold. 

All that is set to change under the DUAA: once its section 115 and schedule 13 are commenced (at a date yet to be announced), both PECR and the Data Protection Act 2018 will be amended so that any contravention of regulation 6 of PECR is potentially subject to a fine. The ICO will still have to have regard to factors such as the nature, gravity and duration, and the intentional or negligent character of the contravention, but there will be no seriousness threshold and no "harm" threshold. 

So, does this mean that, when the amended powers come into effect, the ICO will be issuing a swathe of cookie fines? That seems unlikely: although the ICO has adopted an "online tracking strategy", which involves assessing some large websites' compliance, there has been no indication that this strategy will lead to multiple fines being deployed.  

However, the possibility cannot be ruled out, especially if the ICO were to encounter cookie contraventions which are serious and egregious. 

Thanks are due to Tim Turner of 2040 Training, who first drew the author's attention to this topic. 

The first thing to note is that this is an amending Act: the core pieces of data protection legislation in the UK will remain the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003. The significance of DUAA lies in the changes it will make to those existing laws. 

 Although the Act will not introduce wholesale changes to data protection law, companies should certainly take note of certain aspects. The large majority of the data protection provisions are not yet in effect, and will require secondary legislation to bring them into effect. This secondary legislation (and associated guidance) may not emerge for some months yet. 

However, we draw attention to the following key points: 

• Changes to cookies rules – once the relevant provisions are commenced, those who operate websites and apps may be able to deploy some "analytics" cookies, without seeking visitors' consent. However, it is important to note that, although the UK law will change in this respect, the EU law will not (at least for the time being). This means that any organisation which is operating in the EU, or even simply making its website or app available in the EU, will have to consider whether there is any benefit to be gained from having different approaches according to the jurisdiction (or even whether it is technically practical to do so); 
• Clarification that, when responding to a subject access request, data controllers only need to undertake a "reasonable and proportionate search" (the reference to "proportionality" may well mean that a small organisation, faced with a request of no obvious value for the requester, may need to do a less comprehensive search than a large company dealing with an obviously serious request). This change simply introduces onto the statute book something that the courts stated as long as 20 years ago, but, nonetheless, it may well be helpful to be able to point to the provision, in cases where requesters dispute how a controller has responded to a request. This is a provision which has commenced immediately upon enactment of DUAA. 
• A requirement to have a "complaints procedure" for data protection matters. Data controllers will, once the provisions have commenced, have to acknowledge complaints within 30 days and respond to them "without undue delay". Those organisations who already have complaints procedures in place should be able to incorporate data protection matters into existing procedures (although they will need to be aware that, unlike with most consumer complaints, there are statutory deadlines when it comes to data protection matters). 
• Charities will, once the provisions have commenced, now be able to avail themselves of existing provisions available to commercial organisations, and send "unsolicited" marketing emails and text messages to supporters (and those who have expressed an interest in the charity), as long as they offer an "opt-out". This has the potential to transform the fundraising market. However, charities should note that unlawful direct electronic marketing continues to be one of the areas that the Information Commissioner targets for enforcement: getting it wrong can be risky. 
• Relatedly to the charities and marketing point, the Information Commissioner will (again, subject to commencement of the provisions) have increased enforcement powers: the maximum fine currently for direct marketing (and, indeed, cookies infringements) is £500,000 – this will increase to match the UK GDPR maximum fines of £17.5 million or (in the case of an undertaking) 4% of global annual turnover (whichever is higher). 

These are by no means the only significant changes, and we will provide further information and updates as the changes take effect. However, organisations should certainly be reviewing their data protection compliance programmes and policies, both to ensure they will be (or remain) compliant, but also to consider whether there are any opportunities to use the data they have to deliver benefits to data subjects and to the organisations themselves. 

What services are in scope?  

The OSA creates a legal obligation on all Part 3 Services to complete an ICRA and outlines certain requirements for the assessment.    

Part 3 Services are those which are either:  

• User-to-user services: where content is generated, uploaded to, or shared on the service by a user, and may be encountered by another user or users of the service; or  
• Search services: services that are or include a search engine, or have the ability to search websites, databases or other aspects of a service. 

What needs to be assessed? 

The requirement to complete an ICRA is set out in the OSA, which outlines the elements needed to complete the assessment. However, the process, form and considerations to be taken into account during the assessment are dictated by guidance issued by Ofcom, the online safety regulator, published on 16 December 2024. Ofcom's guidance follows the same four-stage method that it advises is followed when completing a CRA: 

• Assess the content on the service which may be priority illegal content, other illegal content or used to commit a Priority Offence (see further below as to Priority Offences); 
• Assess the risk of harm to users that encounter the content identified and the risk of harm should the content be used to commit a Priority Offence; 
• Identify and implement measures to address the risks identified; and   
• Ensure that appropriate reports and monitoring are completed.  

When must ICRAs be completed or updated? 

For services that are already in operation and in scope of the obligation to complete an ICRA, the assessment should have been completed by 16 March 2025. 

For services that come into scope of the obligation to complete an ICRA (whether due to a change in the service or due to the launch of a new service), an ICRA must be completed within the first three months of operation. 

What is the penalty for non-compliance? 

If an appropriate ICRA has not been carried out, Ofcom may use its powers to investigate and could impose a penalty of up to 10% of qualifying worldwide revenue or £18 million, whichever is greater. Ofcom may also require remedial action to be taken.  

Ofcom recently set out its plans for enforcement under the OSA, and has begun to announce investigations that it is undertaking. It is expected that Ofcom will continue to actively enforce compliance. Mishcon de Reya has advised several clients on compliance with the OSA, as well as the commercial and practical implications that it poses and is available to assist. Please contact a member of our Online Safety Team if you wish to discuss this further.   

Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR") creates a rule that means that in most circumstances a person cannot send unsolicited direct electronic marketing (which these days mostly means email and text messages) to an "individual subscriber" unless the recipient has specifically consented to receive it. An "individual subscriber" is a person who has a contract with the service provider (e.g. the email provider or phone provider), and in most cases it equates to one's personal email account or phone number. 

But there is an exception to the rule: regulation 22(3) says that where the sender obtained the contact details of the recipient in the course of the sale, or negotiations for the sale, of a product or service, then unsolicited marketing can be sent without consent, provided that the recipient was offered an opt-out at the time their details were obtained, and is offered one each time marketing is sent. This exception is commonly referred to as the "soft opt-in". 

Charities, though, do not, in the main, sell products or services, and so have not been able to avail themselves of the soft-opt in. The Data (Use and Access) Bill would change that. Clause 114 says that a charity would be able to send or instigate the sending of direct electronic marketing where it obtained the recipient's details when they expressed an interest in, or offered support for, its charitable purposes, and where "the sole purpose of the direct marketing is to further one or more of the charity's charitable purposes". 

So, would an email which solicited funds (and perhaps did nothing else) be permissible? Everything a charity does should further its charitable purpose(s), though sometimes it also has the power to do things that are 'incidental' or 'ancillary' to this. Fundraising is an activity that charities carry out to raise money to spend on their charitable purposes, not a charitable purpose in itself. It is a way of indirectly furthering a charity's purpose or purposes indirectly, but can indirect furthering of purposes be allowed under clause 114?  

Ultimately, it will be for a court to decide (no doubt assisted by guidance from the Information Commissioner which one imagines will be produced once the Bill is passed). But clause 114 was introduced by the government, by an amendment at report stage, and received cross-party support. When proposing the amendment, the minister, Lord Vallance, said. 

"This amendment will permit charities to send marketing material—for example, promoting campaigns or fundraising activities—to people who have previously expressed an interest in their charitable purposes, without seeking express consent." (emphasis added). 

This is surely a clear steer as to how the clause should be interpreted, and it would be very surprising if the ICO or a court subsequently saw it differently. 

None of this is to say that charities should see this as free rein to send masses of spam emails, however important the cause or urgent the fundraising need. In particular, they should be aware that the opt-out provisions have to be abided by, and that the ICO is particularly active in its enforcement of PECR, and quite rigid in its approach. Add to this the fact that the Data (Use and Access) Bill will increase the maximum fine for a PECR infringement from the current £500,000 to £17.5 million or 4% of global annual turnover (whichever is higher), and there will be significant regulatory and legal risk for getting it wrong. But at a time of financial constraint for charities, the loosening of restrictions on fundraising emails should be welcomed by the charity sector. 

What services are in scope? 

All Part 3 Services that have identified in their CAA a likelihood that their service will be accessed by children are in scope of the requirement to complete a CRA under the OSA.  

Part 3 Services are those which are either: 

• User-to-user services: where content is generated, uploaded to, or shared on the service by a user, and may be encountered by another user or users of the service; or 
• Search services: services that are or include a search engine, or have the ability to search websites, databases or other aspects of a service. 

What needs to be assessed? 

The requirement for a CRA is set out in the OSA. However, the process and form of the assessment are dictated by guidance issued by Ofcom on 7 May 2025. Ofcom's guidance follows the same four -stage method, that it advises is followed, when completing an ICRA: 

• assess the content on the service which may be harmful to children  
• assess the level of risk of harm that the content is likely to have on children  
• identify and implement measures to address the risks identified  
• ensure that appropriate reports and monitoring are completed 

Stage 1: Assessment of harmful content 

In the first stage, consideration must be given to the type of content on the service. Ofcom's guidance identifies three categories of content that may be harmful: 

• Primary Priority Content, which includes content that relates to 
  • pornography; 
  • suicide;  
  • self-harm; or 
  • eating disorders. 
• Priority Content, which includes a range of content including that which: 
  • is abusive; 
  • incites hate; 
  • encourages violence; 
  • depicts violence; or 
  • encourages substance abuse. 
• Non-designated Content, which includes all other content which presents a material risk of significant harm to children, such as: 
  • content which creates body stigmas; and 
  • content that promotes depression. 

The CRA must assess each category of content separately and consider how the assessed service may be used harmfully and the level of risk posed. The CRA should consider Ofcom's Children’s Register of Risks and Guidance on Content Harmful to Children, which will assist in identifying risk factors. 

Stage 2: Assessment of the risk of harm to children 

This stage involves using evidence to assess and assign a level of risk to each category of content based on the likelihood and impact of children encountering the content.  

This stage should consider the different ages of children that may access the service and the differing levels of harm they may face. Ofcom has created a series of Children's Risk Profiles as part of their guidance on CRAs. These Children's Risk Profiles should be used to assess harm when completing a CRA and contain a series of risk factors and content that Ofcom considers to be indicative of harm to children. This stage of the CRA may involve considering additional factors and characteristics not contained in the Children's Risk Profiles that may increase the risk of harm. Services should also consider the existing measures in place which may mitigate harm. 

Stage 3: Identification and implementation of measures 

In stage three, services should consider how they may mitigate the risk to children and identify measures that can be taken to comply with the children's safety duties in the OSA. The Protection of Children Codes (Codes) offer some measures recommended by Ofcom based on a Service's size, functionality and risk level. Where a service complies with all the applicable measures in the Codes, it will be considered to have complied with its OSA duties.  

Services should also consider if there are additional measures that can be taken to reduce risk and implement them as needed. 

Stage 4: Reporting and monitoring 

Once a CRA is completed, services must report on the outcome to senior risk management to ensure appropriate internal governance. 

Where services are a Category 1 or 2A service, they must also share a copy of their CRA with Ofcom, as soon as is practicable after completion or revision. Category 1 and 2A services are typically large providers, with more than seven million UK users and either user to user content, a content recommender system, or are a search service. 

Services are also required to report non-designated content identified on the service to Ofcom and provide details and examples of the content.  

The effectiveness of measures implemented will also need to be monitored and adjusted where necessary. The outcome of monitoring should assist with keeping the CRA up to date, as it will need to be reassessed on an annual basis, or where there is a significant change to the service, which could impact the CRA that has already been carried out. Significant changes include adjustments to the service's design or operation, new evidence regarding the risk of harm to children or new evidence of an increase in the number of children using the service. 

When must CRAs be completed? 

For services that are already in operation and in scope of the obligation to complete a CRA, the assessment must be completed by 24 July 2025. Providers have been encouraged to begin the assessment process well in advance of the deadline to allow sufficient time for any required changes to be made. 

For services that come into scope of the obligation to complete a CRA (whether due to a change in the service or due to the launch of a new service), a CRA must be completed within the first three months of operation. 

What is the penalty for non-compliance? 

If an appropriate CRA has not been carried out, Ofcom may use its powers to investigate and could impose a penalty of up to 10% of qualifying worldwide revenue or £18 million, whichever is greater. Ofcom may also require remedial action to be taken. 

Ofcom recently set out its plans for enforcement under the OSA, and has begun to announce investigations that it is undertaking as a result of these plans. It is expected that Ofcom will continue to actively enforce compliance. Mishcon de Reya has advised several clients on compliance with the OSA, as well as the commercial and practical implications that it poses and is available to assist. Please contact a member of our Online Safety Team if you wish to discuss this further.  

The EIR are a piece of legislation that runs in parallel to the Freedom of Information Act 2000 (FOIA). They implemented an EU Directive, which in turn gave effect to an international treaty (the "Aarhus Convention") on access to environmental justice. The EIR require public authorities to disclose environmental information (so long as it is held) to any person who requests it, subject to the application of exemptions. 

However, deciding which bodies qualify as public authorities under the EIR is sometimes complicated. Any body which is a public authority under FOIA counts, but the EIR also say that bodies which carry out "functions of public administration" will also do so. The test for determining this derives from a case involving water companies which went, pre-Brexit, to the Court of Justice of the European Union, but which was then clarified further by the Upper Tribunal. The test boils down to the following criteria, which are laid out in the ICO decisions: 

• The body must be doing a task that the state normally does, or would otherwise do.  
• The state must have required it to do this task and there must be a statutory basis.   
• The task must have an environmental impact.  
• The body must have "special powers", beyond those available in private law, for the purpose of carrying out the task. 

In deciding that BT and Openreach are public authorities, the ICO noted that the state, acting via Ofcom, issues directions to telecoms providers which then entitles the providers to exercise powers under the Communications Code, and has thereby entrusted BT and Openreach with administrative functions, with a clear basis in statute.  

Furthermore, operation of a mobile network involves emission of radio waves, and a cabled network requires laying of cables – usually underground – which requires disturbance and movement of earth. All of these affect the elements of the environment. 

Finally, the powers exercisable under the Communications Code include the right to install equipment on, over or under land, the right to maintain equipment and the right to enter onto private land if necessary for such purposes. These are not powers available to persons under private law, and so constitute "special powers". 

Accordingly, BT and Openreach are public authorities for the purposes of the EIR, and must comply with requests for environmental information. Although the ICO does not specifically say so, one assumes that this would extend to other telecoms providers. 

It is worth mentioning one other point though – in recent years the ICO has made decisions that a housing association and Heathrow Airport were EIR public authorities. In both cases this was overturned on appeal. It is possible, therefore, that these latest decisions may get challenged. 

The judgment follows a small number of claims throughout Europe, including Jenny's case before the High Court in London.  

Read our summary of the decision. 

Filippo Noseda, the Mishcon de Reya Partner who has been leading the firm's work on the data protection implications of the US Foreign Accounts Tax Compliance Act (FATCA), as well as the OECD's Common Reporting Standard (CRS) and beneficial ownership registers commented: “The Belgian decision represents a victory for data protection and the Rule of Law in an extremely politicised context.”  

 “Our research shows that the European Commission believed as early as 2012 that processing sensitive personal and financial information under FATCA (the US Foreign Accounts Tax Compliance Act) was disproportionate and that the US offered lower levels of data protection than Europe.  However, following the UK's signing of the first bilateral Agreement against the negative advice of EU data protection experts, the Commission went along with the idea of "temporary" agreements to be signed by EU Member States.  Once that happened, our research shows that new Commissioners started resisting calls from campaigners and data protection authorities to review the position. We published a timeline and chronology of events based on internal EU documents and have been pressing the EU for the disclosure of additional documents that show the true extent of the problem. 

 “Nobody should engage in tax evasion. However, the fight against tax evasion must be conducted respecting the fundamental rights of compliant citizens. FATCA entails the automatic processing and transfer of sensitive personal data without any indicia of tax evasion, which exposes compliant citizens to serious risks for their data and the Belgian data protection authority confirmed its previous finding that a generalised processing of personal data violates the principle of proportionality enshrined in the EU Charter of fundamental rights and the GDPR.  The Belgian data protection authority also found that the relevant FATCA Agreement violates basic data protection principles, including the principle of purpose limitation and the prohibition against excessive data retention.  What's more, the decision confirms a previous finding from the UK's Information Commissioner's Office that affected citizens are not provided with sufficient information over the existence and extent of data processing, which violates the principle of transparency of data processing." 

Filippo added: "This is the second time that the Belgian data protection authority found that FATCA is illegal.  However, a previous decision handed down in May 2023 was appealed by the Belgian State on procedural grounds.  This is reminiscent of the approach taken by HMRC in Jenny's case.  Instead of engaging with the substance of Jenny's claim, HMRC mounted a procedural battle aimed at blocking any criticism of HMRC's handling of FATCA against the better judgment of the European Commission and the EU's data protection working party that had already reached the conclusions contained in the Belgian decision before HMRC jumped the gun and signed up to FATCA, thus opening the floodgates. Jenny's case remains pending before the UK's Information Commissioner's Office. 

Today’s judgment is likely to have practical implications beyond the EU, including the UK. The UK was the first country to sign a FATCA agreement with the US.  While the UK is no longer a member of the EU, the GDPR continues to survive in the UK, albeit with a new name (UK GDPR). Also, the EU Charter of fundamental right (which no longer applies to the UK) is based on the European Convention on Human Rights, which continues to apply to the UK. 

[The European Convention on Human Rights was the brainchild of Winston Churchill and remains relevant for the UK.  Art. 8 of that Convention introduced a right to privacy aimed at giving citizens back control over their lives after the horrors perpetrated by fascist States during World War II.  While the right to privacy is not absolute, any restriction is subject to the principle of proportionality and the Belgian decision confirms that the indiscriminate and generalised processing and transfer of data is disproportionate, and thus illegal.  At a time where populism is on the rise and the Rule of Law is under attack in liberal countries, the right to privacy and data protection is a principle worth fighting for.] 

Mishcon de Reya has been at the forefront of addressing the data protection implications of systems of automatic exchange of information under FATCA and the CRS, as well as public registers of beneficial ownership.  In 2018, Mishcon Academy, the firm’s think-tank, published a report entitled ‘The Great Debate: Privacy vs Transparency’. The firm has also published its research into internal EU documents and its correspondence with the EU, the OECD, as well as the UK Information Commissioner’s Office to ensure accountability of the work carried out by public authorities and raise awareness over the underlying data protection issues.   

The firm's work in this area has been widely reported in the media (including The Financial Times, The Economist, TIME Magazine, Forbes and Bloomberg) and specialised press (including Tax Analyst  in the US and Trusts & Trustees in Europe).  

What services are in scope? 

All Part 3 services are in scope of the requirement to complete a CAA under the OSA. Part 3 services are services which are either: 

• User-to-user services: services where content is generated, uploaded to, or shared on the service by a user, and may be encountered by another user or users of the service; or 
• Search services: services that are or include a search engine, or have the ability to search websites, databases or other aspects of a service. 

If more than one Part 3 service is provided by a platform, site, or app, separate CAAs must be carried out for each service. If only part of a service is within scope, a CAA must still be carried out. 

What needs to be assessed? 

The requirement for a CAA is set out in the OSA. However, the process and form of the assessment are dictated by guidance issued by Ofcom on 16 January 2025. Ofcom's guidance defines two stages of assessment in a CAA, though both stages may not always need to be carried out. The first stage is to consider whether it is possible for children to normally access the service. The second stage is to assess whether the "child user condition" is met. 

Stage 1: Possible for children to access the service? 

Ofcom says that, where no highly effective age assurance (HEAA) is in place, it must be concluded that it is possible for children normally to access the service. HEAA is a form of age assurance where robust checks are completed to ensure users are over 18 years of age (or another appropriate age). Ofcom has also issued guidance about HEAA for Part 3 Services, including how to identify whether age assurance methods meet the criteria to be classified as HEAA and other considerations such as data protection compliance.  

If no HEAA is identified as being in place, services must conclude that children can normally access the service and go on to complete stage 2 of the CAA. 

Stage 2: The child user condition 

This stage contains two parts. If the first part concludes positively that there is a significant number of children who access the service, the second part, which asks whether the service is likely to attract children, does not need to be completed. 

Part 1: Significant number of children 

In this part of the CAA, platforms must determine if a significant number of children are accessing their service. This involves analysing user data to identify the proportion of users who are under 18 and assess whether this is a significant number. The number of children who access the service will be significant if either: 

• The number of children reflects a significant number in proportion to the total userbase of the service; or 
• The number of children is inherently significant. 

If the data indicates that a significant number of users are children, the service must proceed to complete a CRA and consider whether protection measures need to be implemented. Factors such as user demographics, content type, and marketing strategies should be considered to make an informed determination. 

Part 2: Likely to attract children 

If the first part of stage 2 concludes that a significant number of children do not access the service, the second part must be completed. This involves assessing whether the service is likely to attract children. Considerations that should be made include the nature of the content, the design and functionality of the service, and any marketing or promotional activities that may appeal to children. Services that are designed in a way that is appealing to children, or that feature content popular with younger audiences, are more likely to meet this condition. 

When must CAAs be completed? 

For services that are already in operation and in scope of the obligation to complete a CAA, the assessment must be completed by 16 April 2025. Providers have been encouraged to begin the assessment process well in advance of the deadline to allow sufficient time for any required changes to be made. 

For services that, in the future, come into scope of the obligation to complete a CAA (whether due to a change in the service or due to the launch of a new service), a CAA must be completed within the first three months of operation. 

Once a CAA is completed, it will need to be re-assessed on an annual basis, or where there is a significant change to the service which could impact the CAA that has already been carried out. Significant changes include adjustments to the service's design or operation, new evidence regarding the efficacy of age assurance or new evidence of an increase in the number of children using the service. 

When must CRAs be completed? 

If a CRA is needed, it must be completed within three months of the release of Ofcom's final guidance about completing CRAs. This guidance is expected to be released in April 2025. Ofcom's draft guidance provides insight into the expected requirements and should be used by services to prepare for when the final guidance is released. 

What is the penalty for non-compliance? 

If an appropriate CAA has not been carried out, Ofcom may use its powers to investigate and could impose a penalty of up to 10% of qualifying worldwide revenue or £18 million, whichever is greater. Ofcom may also require remedial action to be taken. 

Ofcom recently set out its plans for enforcement under the OSA, and it is expected that it will continue to actively enforce compliance. Mishcon continues to advise multiple clients on compliance with the OSA, as well as the commercial and practical implications that it poses.  

Ongoing enforcement 

Alongside enforcement action following illegal harm risk assessments, Ofcom has launched two further enforcement programmes, tackling those areas it considers to be key priorities. These programmes signal its intention, as the online safety regulator, to ensure compliance with the OSA, as well as its illegal content Codes of Practice. The areas subject to ongoing enforcement activity are: 

• Age assurance measures in the adult sector: From 17 January 2025, Ofcom has been writing to all service providers that display or publish pornographic content to inform them of their obligations under the OSA and to request confirmation of the age assurance provisions they are implementing to achieve compliance. Ofcom has also perhaps signalled its intentions in this area, announcing on 27 March 2025 that it had fined OnlyFans £1 million for failure to accurately respond to requests for information about its age assurance practices. Whilst the enforcement action against OnlyFans was commenced under the previously in place video-sharing platform (VSP) regime, it provides an indication of the approach that Ofcom is likely to take under the OSA.  
• Dissemination of child sexual abuse material (CSAM) by offenders: The level of harm from CSAM and the risk it poses is acute. On 17 March 2025, given the high-risk nature and susceptibility of file-sharing and file-storage platforms for the sharing and distribution of CSAM, Ofcom also announced the launch of an enforcement programme that will require providers to demonstrate how they are tackling this issue. 

These enforcement programmes are aimed at assessing the safety measures being taken, or that will soon be taken, in relation to these identified risks for adult and CSAM content. It is likely that Ofcom will announce further enforcement programmes in the coming months, and in-scope platforms should be prepared to evidence their compliance to Ofcom for all the risks and duties placed on them by the OSA. 

If in-scope platforms fail to engage with its enforcement programmes, Ofcom has confirmed that it will not hesitate to open investigations into individual services and, if required, use its enforcement powers. As its Enforcement Director commented: "Any provider who fails to include the necessary protections can expect to face the full force of our enforcement action". Ofcom's enforcement powers under the OSA are significant and include the ability to issue fines of up to 10% of worldwide turnover or £18 million, whichever is greater, as well as significant information gathering powers.  Certain infringements of the OSA may lead to criminal liability (including for senior managers), and business disruption measures.  

The new Data (Use and Access) Bill could have provided an opportunity for the Government to show its commitment to a planned new "covenant" with the charity sector, by reviving a proposal to change the law and allow charities and other nonprofits to promote their services by email and text message, in the same way that profit-making companies can. The previous Data Protection and Digital Information Bill, which was dropped just before the general election, proposed to extend what is known as the electronic direct marketing “soft opt-in” to non-profits. However,  a similar clause does not appear in the new Bill.

Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR") deals with circumstances under which a person can send an unsolicited direct marketing communication by email, or text message.

In simple terms, a person cannot send an unsolicited direct marketing email or text message to an individual’s private email account, unless the individual has consented to receive it. “Consent”, here, takes its definition from the UK GDPR.

(The actual law is more complex – it talks of an “individual subscriber”. This is the person who is a party to a contract with a provider of public electronic communications (for which, read “email” and “text message”) services for the supply of such services. So, if you have signed up for, say, a Gmail account, you have a contract with Google, and you are – if you are an individual – an individual subscriber.)

The exception to the consent requirement is at regulation 22(3) of PECR, which says that the sender does not need the prior consent of the recipient where the sender: obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; the direct marketing is in respect of the sender’s similar products and services only; and the recipient has been given a simple means of refusing the use of their contact details for the purposes of such direct marketing, at the time that the details were initially collected, and at the time of each subsequent communication.

This exception has long (and perhaps unhelpfully) been known as the “soft opt in”.

Note though, that the recipient’s contact details must have been collected “in the course of the sale or negotiations for the sale of a product or service”.

There are various types of non-profit who might wish to send promotional emails and text messages to individuals, but which don’t as a rule sell products or services. Perhaps the most obvious of these are charities, but political parties also fall into the type.

The Information Commissioner has long held that promotional communications sent by such non-profits do constitute “marketing” (and the Information Tribunal has upheld this).

But the combined effect of regulation 22(3) and the interpretation of “marketing” as covering promotional emails and text messages by charities, means that those charities (and political parties etc.) can’t send soft opt in communications.

PECR are an old (in terms of technology) piece of law. They gave effect to an EU Directive which was drafted at a time when e-commerce was in its infancy. There is a good argument that the drafters did not envisage a time when non-profits would habitually use, or wish to use, electronic communications to promote their services and ideals. But in current times, there appears to be no rationale for the UK to favour the commercial sector over the non-profit one.

It is noteworthy that the Government did not reintroduce the clause from the previous Bill.  Particularly in light of concerns from the sector about increased employer National Insurance Contributions, and about funding in general, many charities and non-profits may wish to avail themselves of lobbying opportunities as the Data (Use and Access) Bill proceeds in Parliament.

The UK GDPR 

PECR 

There are some interesting proposed amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003) (PECR).

The Information Commissioner 

The proposal to recast the Commissioner (a "corporation sole") as a Commission, with a chief executive, is also revived. However, also revived is the intention that the Secretary of State would have considerable ability to affect the operation of the Commission - for instance, they would be able to determine the number of members, would be able to appoint non-executive members and would have to be consulted on the matter of the appointment of a chief executive.

What does it all mean? 

"Never let a good bill go to waste" may well have been the thought of ministers in the new Labour administration, when they took power in July. Certainly, by breathing life back into the expired DPDI Bill, they have declined the opportunity a) to decide to prepare a wholly new bill, or b) to decide there was no need for change at all. And many of the returning provisions are sensible (and some of those which have been dispensed with are not going to be mourned).

What needs, now, to be observed closely, is how any final enactment lands with business, and how it lands with the European Commission. The UK-EU "adequacy agreement", which enables effective free movement of personal data between the two jurisdictions, is due to expire (and be renegotiated) in 2025. If the EU member states, and the European Commission, decide that the UK has diverged too far from the EU model, they may want to take the opportunity to give the UK a bloody nose. And that, in itself, would inevitably have an economic impact.

There is a long road ahead.

The UK has an estimated 500 data centres. This puts it ahead of many countries, including China and most of Europe, although it is dwarfed by America (which has circa 5,000). Moreover, it is highly likely that demand for data centre capacity will grow significantly, as business seek to meet the computing needs of Artificial Intelligence alongside more routine services.  

The recognition of data centres as a vital part of the country's infrastructure is therefore not before time. Undoubtedly it will bring some benefits to the sector, in particular in justifying greater focus and support at a governmental level. However, it is no panacea, and much will still fall to the providers and consumers of these services. 

Strong and stable? 

Security is often the headline issue when it comes to digital services. As a data centre client, ensuring that the data centre can securely house sensitive data is crucial. As a result, many view the sector as being a leader in physical security already, and there are well-trodden practices to manage physical risks. 

However, from the customer's viewpoint, resilience often takes precedence. Recent outages in data centres, such as the Oct 2021 Meta misconfiguration, show that availability issues that cause service disruption create headlines. Whilst in this case, although the fault only led to 6 hours of service outage, it was a highly public event and was linked to a drop in the share price of Meta. 

Clouds on the horizon? 

Perhaps the most interesting part of the announcement is contained in a footnote that "CNI will include both the physical data centres and the cloud operators that use them to supply ordinary services".  

The extent of support for major cloud providers is yet to be disclosed. However, it is a positive sign to see government support for these service providers being potentially formalised.  

Benefits of designation 

Risk management in data centres is a collaborative effort, with strategies between operators and clients being mutually dependent. 

The UK Government National Protection Security Authority already publishes guidance for the data centre sector and its customers. The advice is well developed, focusing on specific risks driven by considerations ranging from geography and asset ownership to the management of data halls and 'meet-me rooms' where network interconnectivity occurs.  

The Government's designation of data centres as CNI will likely lead to greater support in the sharing of intelligence related to issues, and support in the recovery from crisis events. The changes are not just focused on cyber security issues, but also will improve overall resilience – such as from extreme weather events or other disruptions.  

This designation may also offer further, more subtle, benefits to Data Centre operators, who (like other sectors) have likely recognised their susceptibility to disruptions from physical protests; their status as CNI may now mean that data centre operators will have an easier argument when seeking injunctive relief to safeguard their services. Additionally, it could influence planning and construction practices to improve access to essential utilities like electricity and water making construction more viable.  

However, a belief that this status alone will deter cybercriminals may be somewhat optimistic. It will need to be backed by clear measures that target those who attack critical infrastructure, to send a message that it is off-limits.  

Further, the change will potentially bring more scrutiny with it for data centre operators. In the context of the broader economic environment, it appears that businesses will bear the brunt of any implementation costs, barring extraordinary events or civil contingencies. 

Data scraping

Data scraping is where a "bot" or automated computer program captures information that is stored online on a mass scale. One of the uses of data scraping in recent years has been to collect data to train AI (Artificial Intelligence) and LLMs (Large Language Models) such as that used in ChatGPT.

The Dutch DPA's guidance

For processing of personal data to be lawful under the EU GDPR one of the bases listed in Article 6(1) must apply. Article 6(1)(f) provides such a basis where processing is necessary for the legitimate interests of the data controller, or any other person, as long as those interests are not overridden by the interests, rights or freedoms of data subjects.

In the Dutch DPA's view, commercial entities cannot rely on legitimate interests to collect and process data that has been scraped; rather, explicit consent is always required from the data subjects.

The Dutch DPA recognises that the collection of consent on this scale from data subjects who may not be contactable would be impractical. Given the impracticalities, the Dutch DPA says that there is, therefore, no legal basis under EU GDPR for the practice of data scraping by commercial entities.

The Dutch DPA does accept that scraping of personal data for personal, non-commercial, purposes may be compliant without consent. However, if that data was then shared on a public repository (such as GitHub) then it is unlikely that further processing would be lawful.

The guidance requires certain risk assessments and safeguards to be put in place to protect data subjects in the instances where data scraping is compliant. The Dutch DPA also suggests that if a high risk to privacy is identified when completing a DPIA (Data Protection Impact Assessment) then a controller would have an obligation under Article 36 of the GDPR to consult with the Dutch DPA directly, so that it can assess intended processing and what measures may be needed before any processing starts.

The guidance is particularly critical of data scraping that is used to train AI. This is because it identifies that information stored on the internet may contain incorrect, biased, and discriminatory information which may pose a risk to fundamental rights when the AI is later deployed.

The guidance does not address enforcement, which may raise questions, at least for the time being, about what realistic deterrent there is to poor compliance.

Is this indicative of other Regulators' direction of travel?

The approach taken by the Dutch DPA to whether commercial entities can rely on the "legitimate interests" basis is one which has been the subject of some criticism and which has been referred to the Court of Justice of the European Union (CJEU) by the Duch court in another case. It is certainly not shared by all (if any) other European data protection authorities.

Nonetheless, data scraping is an area of increasing scrutiny for some regulators, and we are aware that the Polish Data Protection Authority fined a Swedish scraper €220,000 in 2019. However, this was in response to a failure to notify individuals that their data had been scraped, as opposed to the scraping itself. Similarly, the Spanish regulator fined Equifax Inc. €1 million in 2021 for failing to inform data subjects, limit their collection to what was necessary, ensure the data's accuracy, and satisfy the balancing test required to rely on the legitimate interest basis for collection and processing.

It is difficult to say whether other data protection authorities and regulators will take similar positions to this guidance from the Dutch DPA (whilst probably not adopting the full "legitimate interests" analysis). It may be that other authorities wait to see what happens following this guidance, and how the CJEU rules on the "legitimate interests" point, before implementing their own.

There are some key takeaways from the ICO's action, some of which extend beyond schools and into a wider business and retail context.

FRT systems uniquely identify individuals by capturing an image of their face in real time and matching it with a pre-existing database of images. This constitutes “processing” of the individual’s personal data, but, because of how the FRT works, it also qualifies as “biometric processing”, and it therefore requires extra measures under data protection law to be taken to ensure it is done fairly and lawfully.

Prior to doing such biometric processing - and therefore prior to implementing FRT - a data controller must undertake a Data Protection Impact Assessment (DPIA) - a type of risk assessment which needs to take into account the necessity and proportionality of the processing, and the risks to the rights and freedoms of the data subjects. In the case of the Essex school, a DPIA had only been undertaken after the FRT system had been introduced.

If FRT systems are used in schools, and in the workplace (for instance for access control to certain spaces, service or items) the data controller has to have a lawful justification for doing so. And it may be unlikely that there are sufficiently compelling reasons to impose the system, without asking the students, or the workers, for their explicit consent. In the Essex school example, the ICO found that, instead, it had merely been inferred that students consented, in the absence of a parental opt-out. The ICO pointed out that this was insufficient: "the law does not deem ‘opt out’ a valid form of consent and requires explicit permission". And, furthermore, the ICO noted that most of the students were of an age and competence that meant they were able to take their own decision on whether to partake in the scheme, regardless of their parents' wishes. In fact, the ICO did not refer, as it could have done to the fact that under the Protection of Freedoms Act 2012, students in schools have their own express rights, and even if a parent has said that it is ok, or not ok, for the school to use biometric processing, the student still has the right to override that parental decision. 

When employers look to introduce FRT in the workplace for access control reasons, they should also bear in mind that data protection law considers that where there is an “imbalance of power” - for instance between a worker and an employer - it can be difficult to rely on the worker’s consent to the processing. At the very least, the employer will need to offer the option not to be exposed to the FRT, which may well mean providing an alternative means of access - for instance through the use of codes or PIN numbers.

It is also important that those purchasing and deploying FRT systems and software exercise due diligence. Suppliers might seek to provide advice and reassurance, but they are not the ones who will be liable for any data protection infringements, and investigation by the ICO.

Although the ICO chose not to impose a fine on the school, perhaps because it has a policy of rarely, if ever, fining public bodies, it is not impossible that a more punitive sanction could be imposed on a private sector organisation that failed to undertake a DPIA before introducing FRT, or failed properly to take into account the legal issues around consent. Anyone proposing to use of FRT should consider the legal issues carefully, and take advice where appropriate.

But what do the main political parties propose, in the area of data protection itself, in their pre-election manifestos? The main answer is not a great deal: it does not look like a return to data protection reform is high on any of the parties' agendas. This may come as some relief, especially for those who have concerns that too great a divergence between the UK and the EU data protection frameworks could threaten the European Commission's position that the UK has an "adequate" regime, for the purposes of transfers of data from the EU to the UK. Despite this, it is likely that the next Government, whatever party or parties form it, will still need to give attention to aspects of the current regime which warrant amendment.

The Conservative Party – the party which sponsored the Data Protection and Digital Information Bill – also says nothing specific in its manifesto on the topic of data protection. It does say that the Conservatives would "invest £3.4 billion in new technology to transform the NHS for staff and for patients", and that this would result in the digitisation of NHS processes through the proposed Federated Data Platform. And there is a proposal to legislate for comparable data across the UK, in order that performance of public services can be accurately compared. There is also reference to accelerating AI development, and investment into the sector, although nothing on whether or how it might be subject to future regulation.

Similarly, the Labour Party makes no express reference to data protection, although it does propose a number of points on digital policy, especially in the area of AI. For instance, it will establish a 'Regulatory Innovation Office' to "co-ordinate issues that span existing boundaries". And it says Labour will introduce "binding regulation on the handful of companies developing the most powerful AI models and by banning the creation of sexually explicit deepfakes". There is also a suggestion of an expansion of the Online Safety Act, but no specific details.

The Liberal Democrat manifesto does refer to data protection, in the context of a wider proposal for a Digital Bill of Rights "to protect everyone’s rights online, including the rights to privacy, free expression, and participation without being subjected to harassment and abuse". It also proposes repeal of the "immigration exemption" in the Data Protection Act 2018, and that "all products" will be required to provide a "short, clear version of their terms and conditions, setting out the key facts as they relate to individuals’ data and privacy". There would also be a 'Patients' Charter' who would seek, among other things, to protect patient data and "patients’ rights to opt out of data sharing".

The Green Party also proposes a Digital Bill of Rights in its manifesto, to establish the UK as "a leading voice on standards for the rule of law and democracy in digital spaces", and to ensure that "UK data protection is as strong as any other regulatory regime". Meanwhile, the Green Party would adopt a "precautionary regulatory approach to the harms and risk of AI" and would seek to "align the UK approach with our neighbours in Europe, UNESCO and global efforts to support a coordinated response to future risks of AI".

None of the party manifestos covered above make reference to Freedom of Information, although it is perhaps notable that the Liberal Democrat manifesto does propose that "all Ministers’ instant-messaging conversations involving government business must be placed on the departmental record" and that "all lobbying of Ministers via instant messages, emails, letters and phone calls is published as part of quarterly transparency releases".

None of this is to suggest that data protection, and wider digital rights issues, might not become subject to policy focus, once the next administration is in power, but as things stand none of the parties appears to see information rights as a topic to boost their campaigns.

It clarifies, or confirms, some key points for all those who make, respond to or advise on such requests, whether they are made under the UK GDPR or - in the case of subject access requests to law enforcement authorities – under part 3 of the Data Protection Act 2018.

Key rulings were made in particular to the effect that;

1. requesters are entitled, in principle, to be informed of the identities of the recipients of their personal data (not just the categories of recipient)
2. the subject access regime has a “specific and limited purpose, which is to enable a person to check whether a data controller’s processing of his or her personal data unlawfully infringes privacy rights and, if so, to take such steps as the data protection law provides”
3. a director of a company, when acting as such, will not be a “controller”.

The underlying details of the case are striking. A director of a gardening company (Mr C) had covertly recorded threatening calls made by a wealthy homeowner working in the property investment industry (Mr H) with whom the company was coming into dispute, and subsequently circulated the recordings to a limited number of unnamed family members and others.

The recordings found their way to a wider circle of people, including some of Mr H’s peers and competitors in the property investment sector. Mr H contended that the circulation of the recordings had caused his own company to lose out on a significant property acquisition. Accordingly, he made subject access requests, under Article 15 of the UK GDPR both to Mr C and to Mr C’s company (“ACL”). Those requests were rejected on the grounds that i) Mr C, when circulating the recordings, was processing Mr H’s personal data in a “purely personal and household” context, and so the processing was out of scope of the UK GDPR, ii) Mr C was not personally a controller under the UK GDPR, and iii) ACL could rely on the exemption to disclosure where it would involve disclosing information relating to another individual who did not consent to disclosure, and where – in the absence of such consent – it was not reasonable in the circumstances to disclose, when having regard to the backing test required under Article 15(4) of the  UK GDPR and paragraph 16 of Schedule 2 to the Data Protection Act 2018 (DPA 2018).

In a lengthy judgment (dealing mostly with the facts and evidence) Mrs Justice Steyn held that Mr C’s processing was not for purely personal and household reasons: he was clearly acting as a director of ACL in making the recordings and circulating them. However, she agreed that he was not a controller – he was acting in his capacity as a director, and – following the case law in Ittihadieh and In re Southern Pacific Loans – a director processing data in the course of their duties for their company is not a controller; the company is.

A crucial part of the judgment, in terms of wider relevance, is on the interpretation of Article 15(1)(c) of the UK GDPR. This provides that a data subject should be given information on “the recipients or categories of recipient” to whom personal data have been or will be disclosed. Many practitioners, and lawyers, have taken this to be an option available to the controller (i.e. the controller can decide whether to provide information on the specific recipient or just on categories thereof). Not so, said Steyn J, agreeing with the CJEU in the Austrian Post case (which, as a post-Brexit case, wasn’t binding on her, but to which she could have regard, so far as it was relevant to the issues (see section 6(2) of the EU (Withdrawal) Act 2018)): the choice lies with the data subject, and, if the data subject chooses to receive information on individual recipients, he or she is entitled, in principle, to that information, unless it would be impossible or manifestly excessive to do so.

Notwithstanding this, Mr H was not entitled in this case to have the identities. Mr H had previously sent subject access requests individually to at least 23 employees of ACL, and he had an intention to pursue further legal options other than under the UK GDPR, if he was able to identify potential claimants. ACL believed that disclosing identities of recipients of the recordings would put them at “significant risk of being the object of intimidating, harassing and hostile legal correspondence and litigation”. The judge agreed that it was “not unreasonable for the Defendants to give significant weight to [Mr H’s] sustained and menacing behaviour in considering whether to protect or disclose the identities of friends, colleagues and family members”. The fact that “hostile litigation”, against the third parties to whom the recordings were disclosed, was being contemplated was a relevant factor to take into account when balancing their interests with Mr H’s access rights, under paragraph 16 of Schedule 2. The judge agreed with the court in the case of X v The Transcription Agency that the subject access regime, “has a specific and limited purpose, which is to enable a person to check whether a data controller’s processing of his or her ‘personal data’ unlawfully infringes privacy rights and, if so, to take such steps as the DPA 2018 provides…[and so] it was reasonable for the Defendants to give weight to their desire to protect family, friends and colleagues from hostile litigation going beyond the exercise of rights under the UK GDPR and the DPA 2018.”

It has long been a subject of debate, under the UK GDPR and the prior law, whether a requester’s motive is relevant when responding to a subject access request rears its head again. The judge’s analysis in Harrison v Cameron is compelling, and so it certainly appears that – at the very least when it comes to the balancing test implied by paragraph 16 of Schedule 2 of the DPA 2018 – the motive is capable of being taken into account.

The Bill, which was approaching report stage in the House of Lords, had, prior to 22 May, seemed destined to pass, provided there was enough parliamentary time: it was largely unopposed by the main opposition, and was well advanced in its passage through Parliament.

However, it now appears that, with Parliament due to be dissolved no later than the 31 May, and no indication that there is any likelihood of the Bill being included in the "wash up" process, whereby some priority legislation is fast-tracked before dissolution, it has lapsed. Indeed – there has been strong indication from opposition peers that the Bill has now "failed".

It will now have to be seen whether the next administration – whatever its political colour – has any appetite to revive the Bill in something like its current form. Should Rishi Sunak be Prime Minister of the next government, with something like his current cabinet in place, it would seem quite likely the Bill would be relatively swiftly resurrected. Should, instead, a Labour government assume power, it is probably unlikely that an identical data protection bill would be high on its agenda, but legal news outlet Lexology has reported rumours that Labour might look to introduce a “digital bill in the autumn on entirely different lines” which would include legislation on Artificial Intelligence.

The subject access right ("SAR") under the UK GDPR and the Data Protection Act 2018, is one that has existed in the UK since 1984, and the report, Getting Personal: Accountability and Personal Data in the UK, notes that it is 

"…an extremely powerful right, covering public authorities as well as private companies, charities, political parties and other organisations. Over the years, SARs have been responsible for exposing injustices, supporting legal claims and revealing the extent of surveillance." 

However, data from freedom of information requests, and interviews with a number of people who have tried to exercise their rights, reveals what the report describes as  

"…long and unjustified delays – sometimes lasting several months [which] are depriving citizens of their personal information and undermining their legal and human rights." 

The Information Commissioner's Office (ICO) has an enforcement role, but the report notes that "formal action is vanishingly rare" and that citizens are often left only with the possibility of bringing legal claims – something that is beyond the means of most. 

The report includes an interview with Mishcon de Reya client John Pring (for whom we acted on a pro bono basis), who had to wait an astonishing two and half years to get access to his personal data from the Department of Work and Pensions, and who feels that a “policy of delaying the release of potentially embarrassing information, often for years, has gradually become ingrained within DWP". 

There are a number of recommendations in the report. These include that the ICO should take more enforcement action and, in particular, that this should include intervention on individual SAR cases where there has been a clear breach of data protection laws, instead of only taking action about an organisation’s overall compliance levels.   

Although there are some changes to the SAR process proposed in the Data Protection and Digital Information Bill currently before Parliament, none of these looks set to address the systematic, and structural, problems with compliance and enforcement. One hopes, though, that OpenDemocracy's report will at least generate a debate on the issue and how things might be improved. 

The Office for Product Safety and Standards (OPSS) has now issued guidance setting out how it intends to approach enforcement of the requirements of the PSTIA.  

Enforcement actions by the OPSS 

The OPSS announced in January 2024 that it will take a risk-based approach to non-compliance with the PSTIA in line with its existing Enforcement Policy. The new guidance, specific to the PSTIA, outlines how the OPSS intends to implement the five actions available for enforcement under the PSTIA where there has been a breach of a duty under Chapter 2 of Part 1 of the PSTIA. The five actions are: 

1. Compliance Notices 
   These set out the steps the OPSS requires a business to take to comply with their statutory duties and bring themselves into compliance. 
2. Stop Notices 
   These prohibit non-compliant activities and restrict non-compliant product availability on the market until compliance is achieved via the steps set out in the notice by the OPSS. 
3. Recall Notice 
   These are issued where the OPSS believes that there has been a compliance failure in relation to any consumer facing product and/or the action taken by the business to mitigate the failure is inadequate. The guidance explains that the OPSS considers a recall to be an appropriate compliance action given the risk that non-compliance may pose. However, the PSTIA does not create a duty on businesses to recall products. 
4. Monetary Penalty Notices 
   These may be issued where the OPSS is satisfied that there has been a failure to comply with a duty. These penalties can be fixed, consisting of a one-off penalty, or incurred daily, where a further penalty is due in respect of each day that non-compliance continues. The OPSS will issue Monetary Penalties in line with its Enforcement Policy and the circumstances of the case. However, it should be noted that penalties can be severe and amount to the greater of £10m or 4% of the business's qualifying worldwide revenue during its most recent complete accounting period. 
5. Forfeiture Order 
   The OPSS may issue a Forfeiture Order where they require that non-compliant products defined by section 42(1) of the PSTIA are delivered up, destroyed or disposed of. The OPSS must apply to the court to obtain the order. 

The OPSS may choose to issue a combination of the above actions, or issue one in isolation. Before taking any of these actions the OPSS will notify the affected businesses via a Notice of Intent and provide an opportunity to respond. The guidance encourages businesses to engage with the OPSS and states that any response will be considered, and a decision will be made as to whether to continue proceeding with the enforcement action. 

Compensation may be available where a Stop Notice or Recall Notice is made, and loss has been suffered. Businesses must apply for compensation within 45 days of the Notice and then the OPSS will assess whether compensation is due (such decisions will be appealable).  

Details of any Notice given, varied, or revoked by the OPSS may be publicly published, and businesses need to be aware that this may have reputational implications.  

If a business ignores or fails to comply with a Notice, the OPSS may choose to prosecute or pursue a civil claim where a Monetary Penalty has not been paid.  

Right to appeal 

Businesses have a statutory right to appeal the Notices and compensation decisions by the OPSS to the First Tier Tribunal within 28 days of the Notice or decision being served or varied. Appeals against Forfeiture Orders must be made to the relevant court within the same timeframe. 

What does the guidance mean for businesses? 

The guidance suggests that the OPSS is looking to take a risk-based approach, having consulted with businesses about how to comply with the PSTIA. We have seen similar approaches taken by the Information Commissioner's Office and other government regulators such as Ofcom, which suggests that the risk-based approach is a trend we will continue to see in enforcement. 

Time will tell how actively the OPSS pursues compliance with the PSTIA. However, there are severe penalties available, which it may choose to use as a deterrent in the early days of enforcement. Businesses should actively work with the OPSS where possible, particularly given both the monetary and reputational risks associated with enforcement action. 

The judgment in Wessex Fertility Ltd & Ors v Donor Conception Network [2024] EWHC 587 (Fam) deals with whether it was lawful to request that an egg donor ("Donor A") provide a DNA sample for the purposes of genetic analysis, in circumstances a) where Donor A's eggs had been used in fertility treatment for a couple ("Mr and Mrs H") b) where the resultant child was born with a number of health problems, and c) where Donor A had, at the time of donation, indicated on a "consent form" that she did not want subsequently to be notified that she had a previously unsuspected genetic disease, or that she was a carrier of a harmful inherited condition.

The court considered the position under both Article 8 of the European Convention on Human Rights, which provides a right to respect for a private and family life, and under data protection law - specifically, whether the processing of Donor A's own personal data could be held to be necessary for the purpose of medical diagnosis and/or in the provision of health treatment and proportionate to any interference with her rights (including her prior objections).

Ultimately, the court appears to have found it relatively straightforward to decide that the compelling circumstances warranted the interference under Article 8 and the data protection provisions fell accordingly into place. Perhaps key though was the court's findings to the effect that Donor A would retain the right to her own decision as to whether she provides a sample upon request or not, and that she could also decide that she would not wish to know the results of any DNA testing (and that request would be respected).

Nonetheless, the Court also found that the "consent form" had been ambiguous in the first place as to whether it actually covered the situation in question. There was at least an argument that all the form had done was convey Donor A's wish not to be informed if she had "a previously unsuspected genetic disease, or that (she was) a carrier of a harmful inherited condition, rather than any child subsequently born as a result of her donation. 

Probably the key lesson for clinics, clinicians and donors, therefore, is to ensure that terms of any agreements or expression of wishes, made at the time of donation, are as carefully drafted, and carefully read, as possible. 

There are estimated to be around 67.5 million people in the United Kingdom. Each of those is a data subject under our data protection laws. Yet in 2023 - alone – according to the Information Commissioner's Office's statistics, there were approximately 195 million data subjects whose rights and freedoms were put at a likely risk by breaches of data security in central government, in relation to “economic or financial data”. This means that, in a single calendar year, every single person in the country's rights and freedoms were put at likely risk almost three times, on average, by a Government breach of data security.

It is possible that some of the 195 million were outside the UK, or that some people were less affected (or not affected at all), and some were more affected. It's also important to note this finding only relates to "economic and financial data", so full figures for all personal data will be much higher.

A crisis in data security in central government?

The figures derive from reports of 'personal data breaches'(PDBs) made under Article 33 of the UK GDPR to the Information Commissioner’s Office (ICO). A PDB is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

There was for a while a problem with 'over-reporting' of PDBs, but the ICO has been very vocal in discouraging such over-reporting in recent years, so - all things being equal - one might actually have expected a drop in figures. It should also be noted that when a data controller makes a report under Article 33, estimates of people affected are rarely going to be 100% accurate. 

Not every PDB indicates a serious failure warranting enforcement action, and some will end up being 'near misses'. However, what the figures do unequivocally show is a massive increase in the numbers potentially affected between 2019 and 2023 (from 2.4 million in 2019) with a notable upswing between 2022 and 2023 (from 70 million to 195 million).

There have certainly been several damaging data security breaches in recent months. Examples such as the compromise of the England and Wales electoral register as well as ransomware incidents involving the British Library and a number of other UK public authorities may have upped the figures, but not all of those will have involved economic and financial data, and it is not immediately obvious how they could be categorised as 'central government'.

The ICO's response

The Information Commissioner John Edwards was only recently reported as saying that his policy of not fining the public sector but instead issuing non-binding reprimands was “very effective, especially in the public sector where reputation is worth more than the purse”. The evidence in fact points rather starkly the opposite way. Since his softer-touch approach for public authorities was adopted, it appears that data security failings at least in central government have skyrocketed.

It is important to note that the softer-touch was introduced as a “trial”, and Mr Edwards did say “if I do not see the improvements that I hope to see, I will look again”. However, the trial is soon to end (assuming it is still a two year trial, as announced in June 2022) and data security failings in central government appear to be on the rise. It is true that the numbers of PDBs and people affected does not necessarily indicate a failure of the trial, but - as yet - there appears to be very little indication of what evidence or metrics will be used to gauge success or failure.

The ICO was asked to comment but did not state whether the increase in central government data breaches required action. It responded: "We are continuously engaging and working with government departments to remind them of their legal obligations, and offer guidance and advice with the aim of improving practices. Over the past two years, we’ve also taken formal action against a number of central government departments, using the full range of our regulatory powers to uphold people’s information rights…We can confirm there will be a review [of the revised approach to public sector enforcement, after the two year trial]".

The issue of transparency

These figures are buried away in a freedom of information disclosure by the ICO: they were not proactively published, and there appears to be no explanation for the enormity of the issue, and nor does there seem to be any transparency within central government about how such security issues are happening and what is being done about them.

Regardless, the evidence points to a pressing need for government to get its house in order, and for the ICO to take a fresh look at whether there is a need for more robust enforcement in the public sector.

In 1938, Sir Edward Herbert Keeling complained in Parliament about the difficulties of understanding the impact of draft laws which would have the effect of amending existing laws. In response, the Prime Minister, Neville Chamberlain, announced that, in appropriate cases,

“a Bill amending or applying an existing enactment by reference should contain a Schedule setting out the enactment as it will read when amended by the Bill and showing by typographical devices the Amendments proposed”.

These are what came to be known as “Keeling Schedules”, and when they are made publicly available, they can an invaluable reference tool to understand potential legislative changes.

The Government published Keeling Schedules in May 2023 on an earlier iteration of the DPDI Bill, but has since published updated versions.

They illustrate how, respectively, the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) 2003 would be affected by the DPDI Bill.

It’s important to note, of course, that until the DPDI Bill gets enacted, none of these changes will happen, and also that the Bill will almost inevitably emerge from the current committee stage in the House of Lords with further adjustments . It is an ever-changing situation, but at Mishcon de Reya we will aim to continue to provide updates.

This article delves into the concept of "anonymised" data within the data protection framework, addresses the complexities of the topic, and offers recommendations for organisations in the life sciences field.

The challenge for the life sciences sector

Life sciences organisations may collect personal data from many sources. They might collect human samples from sponsored studies, receive datasets that have already been processed outside of the organisation, or work with public data.

In many cases it may be possible to combine data held within the organisation, or that is easily accessible from collaborators, to identify an individual from the data. To avoid some of the obligations that come from processing personal data, many organisations would like to be able to treat data that they work with, and disclose to third parties, as anonymised data.

The legal background

Anonymous data falls outside the scope of EU and UK data protection laws, namely the GDPR and UK GDPR, which govern the processing of "personal data." Personal data is defined as information relating to an identifiable person.

Pseudonymous data, by contrast, is still personal data, and subject to data protection laws. The GDPR defines "pseudonymisation" as processing data such that it cannot be attributed to a specific individual without additional information, which must be kept separate and protected.

The crux of determining whether information is anonymous involves assessing if a living individual can be identified using "all the means reasonably likely to be used." This includes considering the costs, time, and available technology for identification. The law requires a binary test, to ascertain whether an individual can be identified using reasonably likely means, rather than the likelihood of identification.

One interesting issue that can arise is that the same dataset can be considered personal data or anonymised data depending on who holds it. For instance, if Person A has a pseudonymised dataset and a key to identify individuals, it constitutes personal data for them. However, if Person B holds the same dataset without the key, it constitutes anonymised data for them.

Issues arising

In most circumstances, the complexities are unlikely to present an issue, but it is necessary to draw attention to them, if only to be aware that this is not always a straightforward area of law.

For example, anomalies within a dataset such as a patient in an age demographic of 30 - 40 with dementia are valuable data points and cannot easily be excluded from the dataset without impacting the effectiveness of the research. However, it is much easier to re-identify outliers from limited data compared to routine cases.

Regulatory guidance in the UK

The UK's Information Commissioner's Office (ICO) produced its Anonymisation Code of Practice in 2014, which remains relevant despite being based on the pre-GDPR regime. In May 2021, however, the ICO began drafting new guidance on anonymisation, pseudonymisation and privacy enhancing technologies (PETs), and held a consultation that closed in December 2022. However, development of the aspects of the guidance relating to anonymisation and pseudonymisation is on hold pending the passage of the Data Protection and Digital Information Bill.

Risk-based steps, measures, and mitigations

Organisations can take several steps to mitigate the risks of identification and to comply with regulatory requirements:

1. Reduce identifiability: Aim to make identification as remote as possible, using the ICO's "motivated intruder" test as a benchmark. Such an intruder is described as "a person who starts without any prior knowledge but who wishes to identify the individual from whose personal data the anonymised data has been derived".
2. Technical and organisational measures: Implement measures such as access controls, secure data transfer methods, and encryption to reduce the risk of identification.
3. Privacy-enhancing technologies (PETs): The ICO's June 2023 guidance on PETs includes measures such as differential privacy, synthetic data, encryption, and trusted execution environments.
4. Risk assessments: Even when the processing involved might not strictly mandate Data Protection Impact Assessments (DPIAs), it would be sensible to undertake them. A DPIA brings potentially at least three benefits: it informs decision-making; it helps mitigate risk; and it serves as documentation to rely on in the event of any subsequent complaints or challenges. Again, the ICO has guidance on undertaking DPIAs.
5. Person A/Person B Approach: This approach means that only one party, such as the collaborator, holds the key and the other party, such as the sponsor, does not. In these circumstances the collaborator would hold pseudonymised data, but it would be anonymised in the sponsor's hands.

Mishcon de Reya, with its deep-rooted expertise in working with life sciences organisations, can assist in reviewing and negotiating agreements to ensure responsibilities for data protection are appropriately allocated.

"Any investigation by the ICO is likely to consider whether a criminal offence might have been committed by an individual or individuals. Section 170 of the Data Protection Act 2018 says that a person commits an offence if they obtain or disclose personal data "without the consent of the controller". Here, the "controller" will be the clinic itself. The ICO themselves have the power to bring prosecutions.

"Although there are defences available to someone charged with the offence - such as that they reasonably believed they had the right to "obtain" the personal data, or on grounds of public interest - such defences are unlikely to apply where someone knowingly accesses patient notes for no valid or justifiable reason.

"The section 170 offence is (in England and Wales) a "recordable offence" (one where the police may keep a record of a conviction on the police national computer), in contrast to the equivalent offence under the prior Data Protection Act. However, it remains an offence only punishable by a fine. In England and Wales, although the maximum fine is unlimited, there is no possibility of any custodial sentence. Recent prosecutions by the ICO under section 170 have seen a council officer fined for unlawfully accessing social services records, and a tracing agent fined for illegally obtaining personal information to check if customers of a high street bank could repay their debts.

"A further area of potential investigation for the ICO will be whether the clinic itself complied with its obligations under the UK GDPR to have "appropriate technical or organisational measures" in place to keep personal data secure. Serious failures to comply with that obligation could lead to civil monetary penalties from the ICO, to a maximum of £17.5m although, in reality, given that such civil "fines" must be proportionate, it is rare that such large sums are even considered by the ICO.

"Individuals, such as - in this case - The Princess of Wales, can also bring claims for compensation under the UK GDPR, and for "misuse of private information", where their data protection and privacy rights have been infringed.

"Whatever the outcome from the ICO, anyone working in an environment where they might have access to personal data, particularly of a sensitive nature, should be aware that there are potential criminal law implications arising from unauthorised access, and any organisation holding such information should ensure it has appropriate measures in place to prevent, or at least reduce the risk, of such access."

Related coverage

Daily Star
Daily Mail
Forbes
Daily Telegraph
ITV News
The Mirror
Newsweek
stylecaster

According to the reports at least one member of staff at the clinic, where The Princess of Wales recently underwent abdominal surgery, "was said to have been caught trying to access" the notes.

Any investigation by the ICO is likely to consider whether a criminal offence might have been committed by an individual or individuals. Section 170 of the Data Protection Act 2018 says that a person commits an offence if they obtain or disclose personal data "without the consent of the controller". Here, the "controller" will be the clinic itself. The ICO themselves have the power to bring prosecutions.

Although there are defences available to someone charged with the offence - such as that they reasonably believed they had the right to "obtain" the personal data, or on grounds of public interest - such defences are unlikely to apply where someone knowingly accesses patient notes for no valid or justifiable reason.

The section 170 offence is (in England and Wales) a "recordable offence" (one where the police may keep a record of a conviction on the police national computer), in contrast to the equivalent offence under the prior Data Protection Act. However, it remains an offence only punishable by a fine. In England and Wales, although the maximum fine is unlimited, there is no possibility of any custodial sentence. Recent prosecutions by the ICO under section 170 have seen a council officer fined for unlawfully accessing social services records, and a tracing agent fined for illegally obtaining personal information to check if customers of a high street bank could repay their debts.

A further area of potential investigation for the ICO will be whether the clinic itself complied with its obligations under the UK GDPR to have "appropriate technical or organisational measures" in place to keep personal data secure (Article 5(1)(f)). Serious failures to comply with that obligation could lead to civil monetary penalties from the ICO, to a maximum of £17.5m (although, in reality, given that such civil "fines" must be proportionate, it is rare that such large sums are even considered by the ICO).

Individuals, such as - in this case - the princess, can also bring claims for compensation under the UK GDPR, and for "misuse of private information", where their data protection and privacy rights have been infringed.

Whatever the outcome from the ICO, anyone working in an environment where they might have access to personal data, particularly of a sensitive nature, should be aware that there are potential criminal law implications arising from unauthorised access, and any organisation holding such information should ensure it has appropriate measures in place to prevent, or at least reduce the risk, of such access.

1. Investigate: Investigations should be started early as they can be complex and time intensive because of the large amounts of data involved or due to difficulties with getting access to relevant devices. Choose a team of trusted people to carry out the investigation to avoid tipping off potential co-conspirators. When reviewing large amounts of data, carry out a data protection impact assessment.  
2. Consider other potential wrongdoing: Theft of confidential information may be part of a bigger problem, so don't make the focus of the investigation too narrow. Other unlawful conduct often also happens, and the employee may not be acting alone. For example, the employee may have been soliciting clients and/or staff, or evidence of a team move may come to light.
3. Stabilise the business: To prevent any further damage to the business, inform relevant senior leaders of the confidential information that has been taken and what the consequences could be for the business and the relevant stakeholders. Business leaders should have early conversations with senior people who are in a position of trust. Consider what action are needed need to take to stabilise the business, such as suspending or limiting staff access to systems and placing employees on garden leave if they have not already left employment.
4. Secure the confidential information: Problem employees still owe continuing obligations to their employers. These obligations include a mix of express and implied duties and in some cases include restrictive covenants and fiduciary duties. If the employee has already left the business, to secure the confidential information and flush out instances of wrongdoing, remind the employee of their continuing obligations and demand the return all confidential information. It may also be appropriate to request certain undertakings from them at this stage too. Carefully consider, however, whether putting the employee on notice of the findings will cause further harm to the business: will the employee destroy or tamper with the evidence? If so, consider other options instead such as applying to the court for relief and protection without giving the employee notice of the application.
5. Put the new employer on notice: If the employee has resigned to go to a competitor, it is important to ensure that they are made aware of the employee's obligations to their current employee and their wrongdoing. Businesses may also want to require a set of undertakings from the competitor, putting them under pressure to confirm that they will not act unlawfully or induce breaches of contract.
6. Engage external counsel and other advisers: Consider what outside support may be needed, such as forensic services providers, external lawyers and PR advisers. Engaging advisers at an early stage will help ensure the business has the best possible protection.

The remedies in this context include:

1. Court injunctions: In certain circumstances the court may grant an injunction, either on an interim or final basis. Appropriate injunctions include: immediate delivery up of the confidential information, an imaging order to copy the information held on electronic devices (which could include personal phones and laptops and personal email accounts) search orders (allowing entry and search of premises to seize evidence), freezing orders (to freeze assets) or springboard relief (used to tackle any head start gained) .
2. Financial remedies: Another option is a claim for damages to put the business in the position it would have been in had it not been for the breach. In certain less common situations, the company may have a claim for an account of profits.
3. Criminal liability: The employee's actions may also amount to a criminal offence, for example under data protection law or the Computer Misuse Act 1990. While financial remedies and securing stolen data is not the focus of criminal actions in the same way as civil actions, the threat of criminal liability may persuade the employee to take matters seriously.

Mishcon's High Court team has extensive and market leading experience advising on some of the most prominent, high value and complex commercial employment disputes. We help employers recover stolen confidential information and trade secrets, prevent the publication, dissemination or use of such information by competitors and former employees, and obtain other appropriate remedies. If you have any questions, contact our experts at mdremploymenthighcourt@mishcon.com.

This article introduces the data protection framework that surrounds the use of AI platforms. We summarise the key legal considerations that employers should be aware of when using AI technologies in recruitment and employment.

Controller vs Processor?

When an organisation decides to process personal data for any activity, the first thing it should consider is whether it is a controller or processor of that data. If the organisation decides the purpose and means of processing data (i.e. what personal data is processed, and why – for example an employer obtaining employee or candidate data), then it is likely to be a controller.

If the organisation provides a service to a third party and the third party decides what data is to be processed and why, or the organisation is processing the personal data on the third party's instructions – for example a company that handles payroll administration for another employer - the organisation is likely to be a processor.

This role-based classification is important as the obligations on an employer depend on whether it is a controller or a processor.

As a controller, the employer is required under the UK GDPR to provide specific information (usually in the form of what is termed a "privacy notice") to employees and job candidates etc. This privacy notice should set out key information about the processing activity, such as how the personal data is going to be used, the lawful basis relied on by the employer, and the rights of employees in this regard. For example, if an employer uses an AI system to select candidates in a recruitment process, the employer should set this out in its privacy notice together with the associated lawful basis.    

Another key requirement for controllers considering the use of AI systems is to assess the risks associated with the use of an AI system before engaging in the activity - this is likely to constitute a DPIA as outlined below.  

Data Protection Impact Assessment (DPIA)

When an organisation decides to carry out a "high-risk" processing activity using personal data, it is required to assess the risks associated with the activity by carrying out a DPIA. In an employment context potential "high-risk" activities using personal data include using AI platforms in recruitment, making employment decisions on task allocation, promotion and termination, and monitoring or evaluating employees.

Using of AI platforms for activities such as candidate selection or to review employee performance are likely to be  "high-risk" activities because they involve what the Information Commissioner has classed as "innovative technology" and, furthermore, these processes can have significant impact on candidates and employees.

Some common risks associated with the use of AI based technologies include:

• inherent inbuilt bias in the AI platform;
• lack of transparency;
• unfair decision making; and
• accessing personal data without the knowledge or consent of individuals (also known as data scraping).

Consequently, when using AI-based technologies, employers should be aware of their data protection obligations. For instance, in addition to providing the usual information necessary to comply with the UK GDPR, transparency requires employers to inform employees when they are using AI systems to handle their personal data.  

Where use of AI involves automated decision-making about individuals, they also have the right under the UK GDPR to receive meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing. As a responsible operator of an AI system, an employer must be able to explain to its staff how its system works and how it reaches the decisions it does, in a way that a typical member of the public can understand.

To the extent that employers may be operating in the EU, or otherwise affected by extra-territorial provisions, these overarching principles are also echoed in the EU's incoming AI Act.

Data Subject Access Requests (DSARs)

Explainablity requirements are particularly important because employees, candidates and other individuals have the right under the UK GDPR to make a DSAR. This is a formal request made by an individual to an organisation, seeking information about and access to the personal data that the organisation holds about them. This helps individuals be aware of and verify the lawfulness of the processing of their personal data.

It is therefore important for creators of AI systems to consider how to develop the AI system to comply with the DSAR right, and for employers as users of an AI system to consider how well the system can respond to these requests.

Practical Measures

More broadly, creators and employers using AI systems should ensure the following practical measures are implemented where appropriate. This will help ensure compliance with the data protection framework applicable to the use of AI platforms, and also help manage potential risks.

• Be clear and up front with employees about how and why you are using data (in your privacy notices and relevant policies).
• If the employer is scraping data to train its AI model (such as extracting information from a website), it will need to complete a DPIA (and there may be legal implications beyond just data protection law).
• Be prepared to explain how your AI model works. You should consider this a mandatory requirement if you use an AI system in a recruitment or employment context.
• Build the AI model so that a human is involved in the decision-making process.  
• If relevant, expect questions from investors, and others, around where you acquired your data, and be able to confirm that data was collected lawfully.

You can achieve this by using factsheets (a collection of information about how an AI model was developed and deployed), DPIAs (describing the capabilities and limitations of the system) and conformity assessments i.e. a demonstration that the AI system meets legal and regulatory requirements (insert link).

AI v Data Protection Compliance

The use of AI is increasingly coming under the regulatory spotlight, and in the UK the Information Commissioner's Office has launched the first of a series of consultations on generative AI, "examining how aspects of data protection law should apply to the development and use of the technology". It will be essential for employers to keep up to date not just with technological and legal developments in this area, but also with developments in regulatory approach and risk.

The effective use of AI in the employment context requires a comprehensive understanding of data protection laws. As AI continues to evolve, staying on top of employers' legal obligations in relation to AI is crucial for both creators and for employers using AI systems. This helps not only with regulatory compliance but also fosters trust and transparency in AI technologies.

IAB Europe is a European advertising group, which developed, implemented, and promoted a framework and platform which allowed for the collection of consent, to enable the RTB system. The framework involves the large-scale processing of data and the application of a string of character-based code with advertisers and data brokers to track the individual's consent and interests for targeting advertising. This code, referred to as the “TC String", facilitated the RTB process by interacting with a cookie placed on the individual's browser, to identify whether they had consented to the processing of their information for the purpose of the targeted advertising. The cookie is also connected to the IP address of the individual.

The data used for the targeted advertising included various data shared and collected by advertisers who rely on the “legitimate interests” lawful basis for processing contained within Article 6(1)(f) of the EU GDPR. The personal data ranged from gender, age, information on the individual's location and recent search and purchase history.

IAB Europe argued that it was not a controller as it did not process data itself, but only established the system and rules for processing.

The two questions referred to the CJEU can be distilled into the following: (i) was the TC String personal data, and (ii) was IAB Europe, as the implementer of the framework for the TC String, a "controller" for the purpose of the EU GDPR?

TC String as Personal Data

The DPA argued that the TC String is personal data according to the definition at Article 4(1) of the EU GDPR, on the basis that when linked with other data, the individual user to whom it relates becomes identifiable. The CJEU found that the scope of Article 4(1) was intentionally wide, and in line with existing case law on the matter, where it was possible that the individual could be identified, then the data was personal. The court agreed with the view of the DPA and found that IAB Europe and its members had sufficient access to information to combine with the TC String to make it identifiable, meaning that it was personal data within the scope of Article 4(1).

IAB Europe as a Controller

Under Article 4(7) a controller is an entity which jointly or with others determines the purposes and means of processing the personal data. The CJEU recalled that an entity that exerts influence over the processing of personal data is also a controller, referencing by analogy Jehovan todistajat C-25/17 10 July 2018. The CJEU said also that IAB Europe set out rules within the framework as to how the TC String containing the details of an individual's consent may be used, stored and shared, and would revoke access to the Strings should members fail to abide by the rules. Accordingly, it is exerting influence over the processing of personal data. Therefore, the court considered the IAB Europe was a joint controller, despite the fact that the organisation of the framework was such that IAB would never have direct access to personal data beyond the TC Strings. However, the joint controllership does not extend to the subsequent processing of data that occurs by third parties for the targeting of adverts based on their preferences.

This decision will have an impact on all digital processing in the EU as it highlights just how broad the protections under GDPR should be applied. It continues a trend in the CJEU of being willing to find joint controllership. It may also mean that, in time, we see significant changes in how consent to data processing is obtained and shared within the digital advertising industry which, for consumers, may mean changes to cookie banners.

It’s important to note that, post-Brexit, judgments of the CJEU in relation to the EU GDPR do not apply in the UK, let alone bind the domestic courts or the Information Commissioner’s Office (though the UK courts may 'have regard' to those decisions). So, although the CJEU’s findings should be noted, especially by anyone who makes use of the TCF framework, it remains uncertain what the effect of the judgment will be in the UK.

Senior Data Protection Specialist Jon Baines provided comment on the decision, commending the ICO for their action, and has been quoted across various media publications.

Jon commented: “It is interesting - and encouraging in many ways - to see the ICO taking formal enforcement action in this area. Although data protection law gives rights to all individuals, there’s a strong argument for saying that regulatory action should be focused in particular on respecting and enforcing the rights of the most vulnerable in society.

“The ICO is making clear with this action that monitoring someone’s movements 24/7 is incredibly intrusive, and in the context of affected asylum claimants, disproportionate and unlawful.

“Recently, the ICO has been in the habit of issuing ‘reprimands’ for serious infringements, but the problem with reprimands is that they do not compel recipients to do - or refrain from doing - anything. By contrast, an enforcement notice, like this one - can require a recipient to stop activities, and failure to comply can be treated as a contempt of court. It will be interesting, therefore, to see if the Home Office decides to appeal this notice.”

Related coverage

National Technology News
Infosecurity Magazine