I’ve written up my thoughts for the @Mishcon_de_Reya website, on the baffling decision by @ICOnews to take no action in response to the most catastrophic data breach in UK history, which exposed many thousands of people to immediate risk to their lives.

Today we heard about the most catastrophic data breach in UK history. And the ICO’s response? No need for any action. Not. Good. Enough.

A largely overlooked but significant change wrought by the Data (Use and Access) Act 2025 means that, in principle, it will be *much* easier for the ICO to issue fines for cookies contravention I've written about this for the @Mishcon_de_Reya website

I’ve written for the Mishcon de Reya website on the Data (Use and Access) Act 2025 and the changes it will make to the UK’s data protection laws.

A man on remand for assaulting his ex-partner duped former employer, JD Wetherspoon, into orally disclosing her mother’s mobile phone number, which he then used to continue his abuse. I’ve written on my personal blog about the case which has resulted

The Data (Use and Access) Act 2025 has now been published. NB that most of the operative data protection provisions still need secondary legislation to commence them

A blogpost on what the Data (Use and Access) Act 2025 will do. It’s essentially an amending statute: practitioners should look mostly to how it changes UK GDPR, DPA 2018 and PECR

The Data (Use and Access) Bill is due to receive Royal Assent on 19 June:.

For the want of a nail the shoe was lost. For the want of a signature the €4.3m GDPR fine against VW was lost.

Next week the Court of Appeal will hear the claimants’ appeal in the case of Farley and Others v. Paymaster (1836) Limited (trading as Equiniti) [2024] EWHC 383 (KB). See my short primer on the issues

To what extent do rules in defamation carry over to data protection claims about publication of personal data? There’s some interesting analysis in a recent judgment, striking out a claim by Dale Vince against Associated Newspapers. On my personal blog:.

The @GoodLawProject is suing @reformparty_uk as a representative body (the first such case brought under Article 80(1) of the UK GDPR. GLP have published both its particulars of claim and Reform’s defence. I’ve written about it on my personal blog

The Information Tribunal has ruled that the Hinkley Point C construction company is a public authority for the purposes of the Environmental Information Regulations (a parallel access regime to the FOI Act). On my personal blog:

The Family Justice Council has produced guidance on covert recordings in family law proceedings - some of its references to data protection law are misguided. On my personal blog:

When Liz Truss was elected leader of the Tory Party (and thus recommended to and appointed by the Queen as her PM) was it an exercise of a public function amenable to JR? Unsurprisingly, the Court of Appeal says “no”. On my personal blog

This looks very nasty - a cyber attack has apparently compromised the Legal Aid Agency’s online digital services, involving a "significant" amount of personal data from those who applied online for legal aid since 2010.

For data subjects considering complaints to the ICO, or for controllers faced with such complaints, you might want to know there is a current 16-week wait just to get allocated to a caseworker. A tub-thumping post by me on LinkedIn

The Data (Use and Access) Bill was returned to the Lords yesterday, and once again, on three key votes - on sex data and DVS, the definition of “scientific research”, and AI & copyright, the Government lost. My LinkedIn post:

The First-tier Tribunal has certified to the Upper Tribunal an offence of contempt by the University of Exeter, in respect of “wilful” and “flagrant” failure to comply with an order by the FTT under FOIA to disclose information. On my personal blog

The @ICOnews has ruled, in two important recent decisions, that BT and Openreach are public authorities for the purposes of the Environmental Information Regulations 2004