Our 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments from February 2026.
Thought leadership: Perspectives on the data, privacy and cyber landscape 2026
We are pleased to direct readers to our recently-published and comprehensive collection of thought leadership pieces, bringing together insightful articles, expert analysis and forward-thinking perspectives on the evolving world of data protection, privacy, and cybersecurity.
We invite you to explore these articles and help shape the conversation on data, privacy, and cybersecurity in the year ahead. The full document or each individual article can be accessed here.
Case law updates
DSG Retail Limited v The Information Commissioner [2026] EWCA Civ 140
The Court of Appeal has handed down a long-awaited judgment addressing the scope of the security duty on data controllers to protect personal data. In many respects, the judgment does nothing other than confirm the status quo: if a controller can identify data as personal data based on other information it holds, then it must treat and protect that data as personal data.
Our team have commented on this decision in detail here.
Spurgeon & Ors v Capita PLC [2026] EWHC 241 (KB)
The High Court refused an application by Capita to strike out approximately 4,000 data breach claims as an abuse of process. The claims relate to a cyber attack on Capita's system in March 2023, affecting employee and pension-scheme data. The claimants are seeking compensation for damage and distress caused by the data breach under the GDPR and Data Protection Act 2018.
Capita alleged that the claimants' solicitors improperly advanced certain assertions within the Particulars of Claim regarding the mental consequences allegedly sustained by the claimants as a result of the data breach, tainting the claimants' beliefs and evidence. It was alleged that the entirety of the claims represented an abuse of process, being so serious as to require the court to strike out all of the claims in their entirety.
The Court rejected the application, finding that on the basis of the materials there was not an abuse of process. The full judgment can be found here.
Regulatory developments
Cyber Security and Resilience Bill passes committee stage
The Cyber Security and Resilience Bill, setting out a major overhaul of the UK regulatory framework underpinning the cyber defence of essential public services, has now passed committee stage.
Amendments to the Bill were few and far between during committee stage in the House of Commons. One significant amendment altered the proposed dual regulator model for the data infrastructure sector. The initial draft of the Bill provided for Ofcom and the Secretary of State for Science, Innovation and Technology acting as a dual regulator. In response to concerns that this would create unnecessary complexity and limit accountability, Ofcom will now act as a sole regulator for this sector.
The Bill has now proceeded to the report stage.
ICO fines Reddit £14.47m for failures related to children's privacy
The ICO fined Reddit £14.47 million for using children's personal information unlawfully, reflecting the ICO's wider intervention into the protection of children's personal information online.
The ICO's investigation found that Reddit had failed to apply a robust age assurance mechanism, meaning the company did not have a lawful basis for processing personal information of children under 13. The company had also failed to carry out a data protection impact assessment to help mitigate the risks to children before January 2025.
In setting the penalty amount, the ICO accounted for the number of children affected, the duration of the failures, the degree of potential harm caused and Reddit's global turnover. The ICO press release confirming the fine can be found here.
Next phase of Data (Use and Access) Act commencement
Reiterating the update from our previous In Case You Missed It article, Stage 3 regulations implementing certain provisions of the Data (Use and Access) Act ("DUAA") took effect as follows in February:
- DUAA (Commencement No. 5) Regulations 2026 brought Section 138 of the Data (Use and Access) Act 2025 into force on 6 February 2026, relating to new offences involving creating or requesting the creation of purported intimate images of an adult without consent or reasonable belief in consent. The Regulations can be found here.
- DUAA (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026 brought into force the majority of the data protection and privacy provisions in Part 5 of DUAA on 5 February 2026. They include changes which simplify aspects of the UK GDPR and modernise the Information Commissioner’s enforcement powers. The Regulations can be found here.
Per the ICO, these regulations now mean that most of the data protection provisions of DUAA have come into force, except for the requirement for organisations to have a complaints procedure (to commence on 19 June 2026) and some ICO governance provisions which will follow at a later date. Please refer to our detailed piece on the complaints procedure this month linked here.
Bank of England provides updates on AI roundtables
The Bank of England has held roundtable meetings with representatives from regulated firms on the responsible adoption of AI and machine learning. Summarising the roundtables, the Bank highlighted the key points that emerged:
- Participants expressed support for the PRA's principles-based, outcomes-based policy, as it allowed firms sufficient space to innovate but within clear regulatory guardrails.
- Second-line risk functions continue to approach the use of AI with caution, which may delay AI deployment pipelines.
- As expected, firms operating in different jurisdictions were facing a variety of regulatory approaches to AI. Participants highlighted the approaches of the UK and US, with particular comparison to the EU AI Act.
- Existing data protection laws and emerging data sovereignty schemes in some countries were challenging the deployment of AI use cases.
The full summaries of the roundtables can be accessed here.
Data & privacy developments
Global data protection authorities issue joint statement on AI-generated imagery
A number of international data protection authorities, including the ICO, have issued a 'Joint Statement on AI-Generated Imagery and the Protection of Privacy'. The statement is a response to concerns around the use of generative AI models to create images and videos of identifiable individuals without their knowledge or consent.
The co-signatories to the statement confirm they intend to share information on their approaches to addressing these concerns including enforcement, policy and education as may be appropriate. The full statement can be found here, as well as comments from the ICO Executive Director Regulatory Risk and Innovation, and the European Data Protection Board.
ICO to consult on updated guidance for research, archiving and statistical provisions
The ICO is consulting on updated guidance on the Research, Archiving and Statistics Provisions as part of the steps relating to the introduction of the DUAA. The guidance is aimed at data protection officers and those with specific data protection responsibilities in organisations undertaking research, archiving or processing for statistical purposes.
The consultation is open until 27 April 2026 and can be accessed via this link.
Information Commissioner gives keynote speech at IAPP UK Intensive 2026
The Information Commissioner, John Edwards, provided the keynote speech at this year's IAPP UK Intensive. Noting it would be his last appearance at the event as Commissioner, Edwards reflected on the development of the ICO in recent years, and upcoming challenges.
The Commissioner reflected on the fine issued to Reddit, and the ongoing litigation involving Clearview AI, which is now proceeding to the Court of Appeal. He noted the importance of pursuing this particular action due to the sensitivity of biometric data and the wider implications of jurisdiction over foreign companies processing the data of UK citizens.
The full speech can be found here.
Second International AI Safety Report published
The second International AI Safety Report, authored by over 100 AI experts, has been published. The report discusses developments in AI since the first report was published in January 2025, including the development of general-purpose AI capabilities, uneven AI adoption across regions and evidence of AI systems being used in real-world cyberattacks.
On this issue, the report notes that AI systems are automating more parts of cyberattacks, but cannot yet execute them autonomously. One example highlighted involved the use of semi-autonomous cyber capabilities, with humans intervening only at critical decision points. However, the report does note that there is particularly strong evidence of AI systems providing meaningful assistance in discovering software vulnerabilities.
The report can be accessed here.
Cyber developments
UK government rolls out vulnerability monitoring services for public services
The UK government has successfully rolled out vulnerability monitoring services for critical cyber weaknesses across the public sector. Vulnerabilities in the Domain Name System for these websites are now being fixed 6 times faster than before. The vulnerability monitoring service has cut the window in which weaknesses go unnoticed from 2 months down to 8 days.
In support of the government's plan to protect the UK's public services from cyber threats, a government Cyber Profession has also been launched in collaboration with the National Cyber Security Centre (NCSC). This will create a structured career framework aligned with UK Cyber Security Council professional standards, and include a Cyber Academy for training and development. The Department for Science, Technology and Innovation press release can be found here.
NCSC issues warning in response to Middle East conflict
The NCSC has issued an advisory to UK organisations in response to the ongoing conflict in the Middle East. The NCSC has indicated that the level of cyber threat from Iran to the UK has not changed, but there is a heightened risk of indirect cyber threat for those organisations and entities with a presence, or supply chains, in the area.
The NCSC directs organisations to previously issued advisories on DDoS attacks, phishing activity and ICS targeting, all of which may be collateral impacts from Iran-linked hacktivists. The NCSC advisory can be found here.
European Commission commences stakeholder consultation on Cyber Resilience Act guidance
The European Commission has launched a consultation relating to draft guidance on how the Cyber Resilience Act will apply in practice. The guidance is intended to help manufacturers, developers and other relevant stakeholders understand their obligations, and to clarify how key provisions of the CRA will apply in practice. The CRA will introduce cybersecurity requirements for the design, development, and production of these products applying to manufacturers, distributors and importers.
The draft guidance can be accessed via this link.
