
Data, Privacy and Cyber in April 2026: In Case You Missed It


By Hans Allnutt, Jade Kowalski, Justin Tivey & Peter Given


Published 11 May 2026

Overview

Our 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments from April 2026.

 

Contents

  1. Case law updates
  2. Regulatory developments
  3. Data & privacy developments
  4. Cyber developments

 

Case law updates

Logix Aero Ireland Ltd v Siam Aero Repair Company Ltd [2026] EWCA Civ 510

In September 2025, we commented on the High Court decision in Logix Aero. The Court of Appeal recently handed down its judgment following an appeal made by Logix Aero. The Court of Appeal upheld the finding in the High Court decision.

In summary, Logix Aero ("Logix"), a company based in Ireland, were negotiating the purchase of two aircraft engines from Siam Aero Repair Company ("Siam Aero") based in Thailand. The negotiations were conducted by email. A fraudulent third party inserted themselves into the email chain, resulting in payment by Logix to the fraudster, not Siam Aero. Logix filed a claim alleging that Siam Aero disclosed confidential information in breach of a confidentiality clause and provided authority to the agent to act on its behalf. The High Court struck out the claim.

The Court of Appeal agreed. The fraudulent third party, by inserting themselves into and manipulating the email correspondence, was considered to be the cause of the loss suffered by Logix. The loss was not caused by the alleged breach of the confidentiality clause by Siam Aero. If there had been a breach of the confidentiality clause, this was not causative of the loss of purchase monies. The loss was caused by the communications from both sides and, primarily, the actions of the fraudster.

The Court also held that had the claim proceeded to trial, it "would have faced significant obstacles." The Court of Appeal judgment can be accessed here.

 

RTM v (1) Bonne Terre Limited (2) Hestview Limited [2026] EWCA Civ 488

This appeal from a High Court decision considered what must be proved to establish that consent was given for the placement of cookies, processing of personal data, and the sending of unsolicited direct marketing communications; specifically, whether the concept of consent has a subjective element.

The High Court had held that the claimant’s gambling addiction meant his apparent consent was not freely given. The Court of Appeal allowed the appeal, holding that consent is assessed objectively by reference to the data subject’s outward actions and the quality of information and choice provided, not by enquiring into the individual’s state of mind or vulnerabilities.

The decision in the High Court was found to be in error. The Court of Appeal set aside the findings on consent, cookies and profiling. The scope of the remission back to the High Court will be subject to further submissions.

 

Secake & Ors v Shared Services Connected Ltd [2026] EWHC 1022 (KB)

The underlying data breach action involves a class of over 2,500 claimants. The claimants are current or former members of HM Armed Forces. The defendant is responsible for the provision of critical business support services for a number of Government departments, as well as payroll and pension responsibilities. It is alleged that between July 2023 and May 2024, third parties engaged in unauthorised access to the claimants' personal data held by the defendant.

The claimants sought a wide-ranging class-based anonymity order. The High Court dismissed the application. Mr Justice Sani noted the risks in wide-ranging anonymity applications that do not consider individual claimants. Four of the claimants had LinkedIn profiles asserting their service in HM Armed Forces. The claimants had not discharged their evidential burden of demonstrating that anonymity was necessary.

Mr Justice Sani also highlighted that prior notice of the application should have been provided to the media, and that those making any future applications should consider serving notice on a media organisation such as the Press Association. The judgment can be accessed here.

 

Abbott & Ors v Ministry of Defence [2026] EWHC 941 (KB)

This action, although relating to noise-induced hearing loss, is one of a number providing clarity on the operation of the 'omnibus' Claim Form. The process is relevant to data breach actions, as we discussed last year. The 'omnibus' Claim Form is shorthand for a type of Claim Form permitted by CPR 7.3. Under this provision, multiple claimants are permitted to "use a single Claim Form to start all claims which can be conveniently disposed of in the same proceedings."

The process is developing, and a judgment relating to two test cases in the Abbott action has recently been handed down, providing an insight into the use of the omnibus Claim Form and the selected test cases.

The number of claims in the Abbott action has now reached in excess of 10,000. The chronology of the action provided by the High Court highlighted that a selection of the chosen test cases and their reserve cases had settled or been withdrawn prior to the trial. For future reference, the judgment makes clear that CPR 38.2(2)(c) provides that, where there is more than one claimant, an individual claimant may not discontinue without the agreement of the other claimants or, in the alternative, the permission of the court, and in this action (given the number of claimants) it was appropriate that the court do that.

 

Regulatory developments

Data Protection Act Regulations laid covering AI and automated decision-making

The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026 have been laid in Parliament, coming into force on 12 May 2026. The Regulations require the ICO to prepare a code of practice giving guidance on good practice regarding the processing of personal data in relation to developing and using AI, and automated decision-making. The code of practice must also include guidance on good practice regarding the processing of children's data.

 

ICO updates guidance for lawful basis

The Information Commissioner’s Office (ICO) has updated the guidance for lawful basis for data processing to reflect amendments introduced by the Data (Use and Access) Act 2025. An additional lawful basis termed ‘recognised legitimate interest' has been included. This new basis covers pre-approved purposes, including safeguarding vulnerable people, responding to emergencies, preventing or investigating crime, addressing national security matters and sharing personal information for public tasks.

Public authorities cannot rely on recognised legitimate interest to process personal information for their official tasks.

 

ICO publishes final storage and access technologies guidance

The ICO has published its finalised guidance on Storage and Access Technologies. The guidance covers the application of the Privacy and Electronic Communications Regulations (PECR), and where relevant GDPR, to cookies, tracking pixels and similar technologies such as device fingerprinting.

The guidance reflects updates following changes introduced by the Data (Use and Access) Act and the output from two consultations. The ICO emphasises that the guidance sits separately from ongoing work reviewing regulation 6 of PECR, dealing with online advertising purposes. Further updates on that work will be forthcoming.

 

ICO publishes online tracking strategy update

The ICO has published an update on its online tracking strategy, highlighting developments such as the publication of guidance on storage and access technologies (SATs) referred to above. The update also reflects on other developments and key achievements.

The ICO confirms that it will be publishing its advice to government on where PECR requirements to obtain consent for SATs for online advertising purposes could be removed. Action on cookie banners has also brought positive results, as 99% of the top 1000 websites met compliance checks at the time of the most recent test.

The regulator is continuing to monitor the adoption of consent or pay models and approaches to compliance, following the publication of guidance in 2025. The ICO is also working with smart product manufacturers and developers on tracking issues and will soon publish finalised guidance and impact assessment on the use of 'Internet of Things' products and services.

 

ICO publishes guidance on 'charitable purposes soft opt-in'

The ICO has published updated and final guidance for the charitable purposes soft opt-in provision introduced by the DUAA. The charitable purposes soft opt-in commenced on 5 February 2026 and must only be used if the recipient’s contact details were obtained on or after this date.

The opt-in means that charities can send direct marketing by electronic mail, including emails, text and direct messages on social media, without needing to obtain consent first, providing that strict requirements have been met.

 

EDPB publishes Annual Report 2026

The European Data Protection Board (EDPB) has published its Annual Report covering developments in 2025. The report discusses a wide range of issues related to the EDPB, including its role in litigation before the CJEU, with the Board's involvement in fifteen actions in 2025 reflecting the steady increase in proceedings since 2022. The majority of the actions, some of which are ongoing, concerned applications for annulment against binding decisions.

The report also set out the number and value of fines issued in 2025 across all EU Member States. Approximately 90% of the total value was concentrated in Ireland and France, largely due to individual fines issued against large social media and search platforms totalling hundreds of millions of Euros. The most active data protection authorities were Slovakia and Germany (across the range of federal authorities), each issuing around 500 fines in total.

 

European Commission finds Instagram and Facebook in breach of the DSA

The European Commission has preliminarily found Instagram and Facebook in breach of the Digital Services Act, as a result of failures to diligently identify, assess and mitigate the risk of minors under 13 years old accessing the services.

The Commission proposes that the platforms must strengthen their measures to prevent, detect and remove minors under the age of 13 from the services. Both Instagram and Facebook are now permitted to reply to the Commission's findings. If the Commission's findings are confirmed, then a non-compliance decision can be issued, potentially resulting in a fine of up to 6% of worldwide annual turnover.

 

Data & privacy developments

European Data Protection Board adopts DPIA template

The EDPB has adopted a template for Data Protection Impact Assessments. The template is intended to help organisations structure, harmonise and evidence their DPIA reporting processes.

The template will be subject to public consultation until 9 June 2026. Following the conclusion of the public consultation, all EU Data Protection Authorities are expected to use the template as their sole standard or as a 'meta-template' with which all national-specific templates will align.

 

EDPB adopts Guidelines on processing of personal data for scientific research purposes

The EDPB has adopted Guidelines on processing of personal data for scientific research purposes. The guidelines are intended to provide more clarity for researchers, making compliance with GDPR easier. The EDPB has provided clarifications on the concept of 'scientific research', including six key indicative factors that should be considered in addition to the nature, scope, context and purposes of processing.

The guidelines will be subject to public consultation until 25 June 2026.

 

EDPB adopts Opinions on European Data Protection Seal

The European Data Protection Board adopted two landmark opinions for the Europrivacy certification scheme.

  • Opinion 14/2026 updates the Europrivacy certificate criteria, expanding the scope to include controllers and processors established outside Europe who are subject to Article 3(2) GDPR because they provide goods or services to individuals in Europe or monitor their behaviour.
  • Opinion 15/2026 recognises the Europrivacy certification criteria as a European Data Protection Seal to be used as a tool for transfers in accordance with Arts. 42 and 46 GDPR. Data importers outside Europe that are not subject to the GDPR can now apply to the Europrivacy certificate scheme in respect of the data transfers they receive, so that they can demonstrate adequate safeguards for their international data transfers.

 

Cyber developments

Government warns of AI cyber threats and launches Cyber Resilience Pledge

Following developments in respect of the offensive cyber capabilities of AI models, the Ministers for Security and Science, Innovation and Technology issued an open letter to business leaders. The letter encourages organisations to take a number of cyber hygiene measures, specifically:

  • Make cyber security a boardroom priority, using the Cyber Governance Code of Practice as part of this.
  • Use the Cyber Essentials government-backed certification scheme to protect against common attacks and embed the same requirements across supply chains.
  • Follow the National Cyber Security Centre and sign up for the free Early Warning Service.

The open letter was also followed by the announcement of the voluntary Cyber Resilience Pledge, encouraging organisations to sign and commit to the actions set out above. The Cyber Security Minister confirmed she had written to around 180 of the UK's leading businesses to encourage involvement ahead of a formal launch later this year.

 

NCSC warns of 'perfect storm' for cyber security

Speaking at the CYBERUK conference, the head of the NCSC, Dr Richard Horne, warned that the UK is facing a "perfect storm" for cyber security. Rapid technological change is coinciding with rising geopolitical tensions and advances in areas such as artificial intelligence. The areas that cyber security must cover are moving well beyond traditional IT systems, meaning that cyber security must be treated as a core business responsibility.

The speech also highlights that most nationally significant incidents are originating directly or indirectly from hostile nation states, emphasising the importance of cyber operations to modern conflict. The NCSC report can be found here.

 

FCA publishes summary of 2025 Cyber Coordination Group insights

The FCA has published a summary of insights generated by quarterly cyber co-ordination group (CCG) meetings held in 2025. The insights will assist firms in understanding existing FCA expectations, learning from the experiences of others and also strengthening cyber resilience capabilities.

CCG members found that robust testing can identify operational issues that tabletop exercises may miss. A range of severe but plausible scenarios is also critical to thoroughly testing important business services. The CCG members also considered how firms are adopting emerging technologies, including AI and preparation for the transition to post-quantum computing cryptography. Management of insider risks (the risk of harm from those with legitimate access to systems or data) was also highlighted as a cyber resilience issue.

 

Government publishes response on enterprise connected device security

The Government has published a response to a call for views on a voluntary code of practice for the security of enterprise connected devices. The Government response sets out that it will refine the code of practice and also proposes a series of next steps that will be taken to improve the cyber security of enterprise connected devices including:

  • Manufacturers will be asked to use device security principles available from the NCSC.
  • Security principles will be finalised, including making them modular within broader secure design codes of practice, and consideration will be given to a certificate scheme for manufacturers.
  • Potential regulatory measures, going further than voluntary adoption, possibly including some form of assurance or enforcement mechanism.
