Our 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments from June 2026.
Contents
By Hans Allnutt, Jade Kowalski, Justin Tivey and Peter Given
|Published 09 July 2026
Our 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments from June 2026.
Contents
Black Horse Limited v Stuart Angel & Ors [2026] EWCA Civ 831
This appeal related to the use of multi-claimant claim forms for more than 5,000 consumer claims relating to motor finance, brought under CPR 7.3. Although this action did not relate to data breach or privacy actions, judicial comments on CPR 7.3 are of note. Our team has previously examined the connection between motor finance actions and potential mass data breach claims using the 'omnibus' claim form method permitted by CPR 7.3.
Lord Justice Coulson noted that the motor finance actions in question provided examples of the risks and issues associated with multi-claimant claim forms. He proposed that HMCTS should compile data on the effect of such claims, including the effect on court resources and fee revenue. Although the Civil Procedure Rule Committee has previously decided not to review CPR 7.3, Coulson LJ stated that reconsideration of these issues may be possible. Data breach practitioners should continue to monitor any developments in this area.
As our team have previously noted, there are still material uncertainties in relation to the use of omnibus claim forms in data breach claims, particularly where the impacted data and effect on individuals is not uniform or easily measured. Existing data breach compensation judgments typically focus on the individual circumstances of the claimant which may create a hurdle when it comes to meeting the "same or similar" threshold for omnibus claim forms.
The Black Horse judgment can be accessed here.
Good Law Project Ltd v Reform UK Party Ltd [2026] EWHC 1458 (KB)
The defendant made an application to strike out, or for summary judgment in its favour, a claim brought by the claimant on behalf of a group of data subjects. The claim relates to an alleged failure to comply with obligations under GDPR, specifically the failure of the defendant to respond to data subject access requests sent by the data subjects (DSARs) within the statutory time limit. It is also pleaded that the late responses were deficient and thus caused non-material damage to the data subjects.
The data subjects mandated the claimant organisation, the Good Law Project, to act as their representative. The defendant argued that the Good Law Project did not meet the conditions set out within section 187(3)-(4) of the Data Protection Act 2018, allowing it to act as a representative body for the data subjects under Article 80(1) of the UK GDPR.
The court dismissed the application, stating that the claim should proceed to trial. Mr Justice Murray held that the Good Law Project has a reasonable basis to argue that it qualifies as a representative body and has standing to bring the claim. The court also found that the data subjects' mandates to the Good Law Project were sufficient, that the claim disclosed a recognisable cause of action, and that the litigation was neither abusive nor vexatious.
The issue of compliance with the DSARs was one for disclosure and any subsequent trial.
For data protection practitioners, the judgment clearly emphasises the possibility of non-profit and public interest organisations bringing GDPR-related claims, subject to qualification in line with the Data Protection Act and UK GDPR.
The full judgment can be accessed here.
NTH Haustechnik GmbH v EM (Case C‑484/24)
The Court of Justice of the European Union has provided a preliminary ruling following a referral where data which was collected in breach of the GDPR and then relied on as evidence in court proceedings.
An employer had brought a claim for damages against a former employee who had sold company property on eBay without the employer's consent. The parties disagreed over how the employer obtained the employee's user ID and password and discovered the sale of company property.
The employer submitted they had reviewed the browsing history and obtained the password by consulting a ‘family file’ created on the server. The employee submitted this password was not stored. It was alleged that the employer's managing director reported the mobile telephone the employee was using (registered in the employer's name) as having been lost. This allowed the managing director to request a new SIM card from the relevant network. This enabled use of the telephone number to change, on the eBay platform, the password of the private account and gain access.
The CJEU concluded that any alleged GDPR infringement resulting from how evidence was obtained, does not automatically render that evidence unusable in subsequent litigation. The courts have an obligation to balance privacy rights with the right to a fair trial, subject to the application of GDPR principles, in particular necessity and data minimisation.
The judgment can be accessed here.
Cyber Security and Resilience Bill passes House of Commons
The Cyber Security and Resilience (Network and Information Systems) Bill successfully completed Report Stage and Third Reading in the House of Commons on 16 June 2026.
The Bill has now been introduced to the House of Lords and is scheduled for its Second Reading on 14 July 2026.
European Parliament and European Council approve AI Omnibus
The European Parliament and the European Council have approved the draft regulation regarding the simplification of the implementation of harmonised rules on artificial intelligence ("the AI Omnibus"). The AI Omnibus makes a number of amendments and additions to the AI Act.
At the time of writing, the AI Omnibus had not been published in the Official Journal of the European Union. When this occurs, the amendments enter into force three days later.
The amendments and changes include:
EDPB adopts common data breach notification template
The European Data Protection Board ("EDPB") has adopted a common data breach notification template. The template aims to help organisations and data protection authorities to structure their data breach notification processes.
It provides predefined options for selection, and additional guidance on other fields, in order to assist small organisations. The template can be accessed via this page, and is subject to consultation until 5 August 2026.
UK Government announces social media ban for under-16s
The UK Government has announced that social media platforms will be blocked from offering services to under-16s. The announcement stated that is expected that legislation will be placed before Parliament before Christmas 2026, with protections expected to be place by Spring 2027. The ban will capture user-to-user platforms that enable social interactions and allow users to post material. Messaging services will not be included.
The announcement also indicated that AI chatbots, designed to simulate romantic relationships, will be subject to a minimum age of 18. The press release can be found here.
ICO publishes guidance on consumer IoT products and services
The Information Commissioner's Office ("ICO") has published finalised guidance on consumer Internet of Things ("IoT") products and services. The guidance sets out expectations on manufacturers and developers on how to use personal information responsibly.
The guidance has been updated to reflect feedback to a consultation last year, providing certainty on areas such as informed consent, transparency privacy information, and tools for people to exercise their rights over their data.
The press release also confirmed that the ICO will now be engaging with connected TV manufacturers to assess how they are using people's personal information and complying with the law.
The full finalised guidance can be accessed here.
Statutory right to complain takes effect
A new statutory right for individuals to complain to an organisation or business acting as a data controller took effect from 19 June 2026, following its introduction in the Data (Use and Access) Act 2025 ("DUAA").
Our team provided an overview of the changes and advice in anticipation of the introduction of this change, which can be accessed here.
ICO marks one year of Data (Use and Access) Act
The Deputy Commissioner for Regulatory Policy at the ICO, Emily Keaney, has marked one year since the commencement of the DUAA and reflected on the ICO's response. This review can be found here.
The ICO has delivered eleven consultations on high-impact topics; covering direct marketing, recognised legitimate interest, complaints, research, and automated decision-making, among others. The review confirms that the ICO is working on a new statutory code of practice on artificial intelligence and automated decision making.
European Data Protection Board case digest on right to object and right to erasure
The EDPB has published an update to the One-Stop-Shop case digest on the right to object and right to erasure. The updated digest can be accessed here.
It offers insights into how data protection authorities analyse the internal processes implemented within organisations to comply with these rights. It also lists the most frequent infringements and gives an overview of which corrective measures have been issued.
European Data Protection Board launches consistency form
The EDPB has launched a dedicated form for stakeholders to report inconsistencies in the interpretation of the GDPR across Member States. Although individual submissions will not be responded to, information receive will be used for Board-level discussions on steps to improve consistency.
The dedicated contact form can be accessed here.
NOYB challenges European Commission to commence 'orderly exit' from EU-US Data Privacy Framework
The privacy activist group, NOYB, has published a letter to the European Commission proposing, in light of developments in the United States, that steps be taken to allow European businesses and citizens and 'orderly exit' from the EU-US Data Protection Framework.
Our team have reflected on this development and the possible implications here.
Five Eyes cyber security agencies warn organisations on cyber risk
The leaders of the Five Eyes cyber security agencies (US, UK, Canada, Australia, New Zealand) have issued a call to action for business leaders as frontier AI models are anticipated to fundamentally transform offensive and defensive cyber capabilities in months, not years.
The warning provides a number of practical actions that should be taken to reduce technical risk, and operational, financial, and reputational exposure. The statement also recommends that defenders should look to integrate AI tools into their own security operations.
The Five Eyes statement can be accessed here.
NCSC issues advice following targeting of Fortinet services
Following the targeting of Fortinet firewalls and VPN gateways as part of a global campaign, possibly affecting the UK, the NCSC has issued advice for those affected.
The NCSC states that organisations using the products in questions should investigate whether they have been affected, and follow the mitigation advice provided, including priority actions. The blog post can be accessed here.
NCSC CEO speaks at RUSI Annual Security Lecture
Speaking at the Royal United Services Institute, NCSC CEO Richard Horne argued that cyber security should be viewed not as a compliance or risk-management issue, but as an ongoing strategic contest between defenders and adversaries.
He argued that there should be a framework for cyber defence across three 'spaces', reflecting broader national security infrastructure, shared technology infrastructure and the 'near space' covering the security and resilience of individual organisations. The full text of the speech can be accessed here.
National framework for quantum standards announced
The UK Department for Science, Innovation and Technology has announced a national framework, led by the National Physical Laboratory, to develop common standards for emerging quantum technologies. The press release can be accessed here.
The initiative aims to accelerate commercialisation, and coordinate standards to accelerate breakthroughs in healthcare, transport, and finance.
Authors