Our 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments from the first weeks of 2026.
Case Law Updates
WhatsApp Ireland v European Data Protection Board (C-97/23 P)
The Court of Justice of the European Union has held that a binding decision of the European Data Protection Board (EDPB) is open to challenge before the courts of the European Union. The EDPB is held to be an EU body, and to produce legal effects on third parties. Our team have commented in detail on this decision as part of this month's articles.
Our article on the decision can be found here.
Farley v Paymaster [2025] UKSC/2025/0185
This action was subject to a significant decision in the Court of Appeal in August 2025. In September 2024, the High Court had dismissed all but 14 claims alleging infringement of the GDPR from a collective action of nearly 450 claims. A number of annual benefit pension statements for current or former Sussex Police officers were mistakenly posted to incorrect addresses. The officers alleged a misuse of their personal information, infringing the GDPR. The 14 claims permitted by the High Court could show an arguable case that the misaddressed envelope had been opened and their statements read.
The Court of Appeal reinstated the struck-out claims, finding that the judge erred in law by striking out those actions, and holding that a reasonable basis for alleging an infringement of the GDPR had been pleaded. The Court also held that Equiniti was entitled to argue that the appellants’ fears of third-party misuse were not 'well-founded' and hence cannot qualify as 'non-material damage' (which is recoverable in compensation). However, the Court of Appeal remitted the decision of whether a claim based on those fears could prevail back to the High Court at that time.
Paymaster sought permission to appeal the Court of Appeal decision reinstating the claims. The Supreme Court granted that permission on 17 December 2025. We will provide updates on the progression of the Supreme Court appeal when available.
Spurgeon & Ors v Capita PLC [2026] EWHC 241 (KB)
The High Court has refused an application by Capita to strike out approximately 4,000 data breach claims as an abuse of process. The claims relate to a cyber attack on Capita's system in March 2023, affecting employee and pension-scheme data. The claimants are seeking compensation for damage and distress caused by the data breach under the GDPR and Data Protection Act 2018.
Capita alleged that the claimants' solicitors improperly advanced certain assertions within the Particulars of Claim regarding the mental consequences allegedly sustained by the claimants as a result of the data breach, tainting the claimants' beliefs and evidence. It was alleged that the entirety of the claims represented an abuse of process, being so serious as to require the court to strike out the entirety of all of the claims.
The Court rejected the application, finding that on the basis of the materials there was not an abuse of process. The full judgment can be found here.
Regulatory Developments
Next phase of Data (Use and Access) Act commencement
Stage 3 regulations implementing certain provisions of the Data (Use and Access) Act ("DUAA") have taken effect. In December, DUAA (Commencement No. 4) Regulations brought into effect the UK digital identity and attributes trust framework and statutory register. In early February, the following Stage 3 regulations took effect:
- DUAA (Commencement No. 5) Regulations 2026 brought Section 138 of the Data (Use and Access) Act 2025 into force on 6 February 2026, relating to new offences involving creating or requesting the creation of purported intimate images of an adult without consent or reasonable belief in consent. The Regulations can be found here.
- DUAA (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026 brought into force the majority of the data protection and privacy provisions in Part 5 of DUAA on 5 February 2026. They include changes which simplify aspects of the UK GDPR and modernise the Information Commissioner’s enforcement powers. The Regulations can be found here.
Per the ICO, these regulations now mean that most of the data protection provisions of DUAA have come into force, except for the requirement for organisations to have a complaints procedure (to commence on 19 June 2026) and some ICO governance provisions which will follow at a later date.
Cyber Security and Resilience Bill passes 2nd reading
In November 2025, the government introduced the Cyber Security and Resilience Bill, setting out a major overhaul of the UK regulatory framework underpinning the cyber defence of essential public services.
At the time of writing, the Bill has now passed 1st and 2nd reading. The Bill is currently at Committee stage, with hearings and debates taking place throughout February.
EDPB and EDPS issue opinions on Digital Omnibus Package proposals
In the final months of 2025, the European Commission published the Digital Omnibus Package, made up of two proposed regulations. The first provides for the simplification of the digital legislative framework, covering data, cybersecurity and privacy rules. The second proposes simplification of the implementation of harmonised rules on artificial intelligence. Our December article discussed the content of these proposals.
As part of the legislative journey for the proposals, the EDPB and European Data Protection Supervisor have issued Joint Opinions on the respective regulations. Joint Opinion 1/2026 considered the proposed simplification of AI rules. The Opinion is broadly supportive of the proposals provided that the protection of individual fundamental rights is not lowered, and greater legal certainty is provided.
The bodies issued a further Joint Opinion (2/2026) on the proposals to simplify the digital legislative framework. The Opinion can be accessed here; several changes are welcomed, including a definition of scientific research and a new exemption for processing of special category data for biometric. However, the Opinion expresses "significant concerns regarding certain proposed changes to the definition of personal data and the possible use of implementing acts to define the effects of pseudonymisation." Furthermore, improvements are suggested to a number of the proposals, such as the use of legitimate interest in the context of AI.
Imgur owner fined over children's privacy failures
The owner of Imgur, MediaLab, has been fined £247,950 by the ICO for failing to use children's personal information lawfully. The ICO found that MediaLab allowed children to use Imgur without putting in place basic safeguards required under UK data protection law, such as age verification, and failed to carry out a data protection impact assessment.
The ICO statement can be found here.
ICO announces investigation into Grok AI system
The ICO has announced it is opening formal investigations into X Internet Unlimited Company and X.AI covering the processing of personal data in relation to the Grok AI system. The investigation has been announced following reports that Grok is being used to generate non-consensual imagery of individuals including children.
The ICO will consider whether personal data has been processed lawfully, fairly and transparently, and whether appropriate safeguards have been deployed to prevent the generation of harmful manipulated images using personal data. The ICO announcement can be found here.
Ofcom provides update on investigation into X
Noting the above update, Ofcom has provided its own update on its investigation into X, specifically whether the company had done enough to assess and mitigate the risk of non-consensual imagery spreading on its social media platform, and to take it down quickly when identified. For the avoidance of doubt, Ofcom is not investigating xAI at this time. Due to the operation of the Online Safety Act in relation to chatbots, Ofcom is currently unable to investigate the creation of illegal images by the standalone Grok service. Ofcom's update can be found here.
Data & Privacy Developments
ICO publishes updated guidance on international transfers
The ICO has published updated guidance for the international transfers of personal information, setting out key requirements, reducing complexity and supporting the responsible transfer of personal information. The guidance sets out a clear ‘three step test’ for use in identifying if restricted transfers are being made, and new content provides clarity on areas known to generate questions from organisations.
The guidance can be found here.
ICO and UK government sign Memorandum of Understanding
The ICO has announced it has signed a Memorandum of Understanding (MoU) with the Government to raise data protection standards, following high-profile data breaches such as the Ministry of Defence Afghan breach which 'undermined public trust in government'. The MoU is intended to be a consistent framework, setting out an approach to co-operation and collaboration between the two.
The full text of the MoU can be accessed here, along with the ICO statement on the MoU.
Treasury Committee publishes report on AI approach risks
The Treasury Committee has published a report on the risks associated with the current approach to AI adopted by the Bank of England, the FCA and the Treasury itself. The report, which can be accessed here, submits that by adopting a wait-and-see approach, the institutions, which are responsible for protecting consumers and maintaining stability in the UK economy, are not doing enough to manage the risks presented by the increased use of AI in the financial services sector.
FCA launches Mills Review into long-term impact of AI on retail financial services
The Financial Conduct Authority has launched a review into how advances in artificial intelligence will impact retail financial services, led by Sheldon Mills, the Executive Director of the FCA. The review will cover 4 interrelated themes, namely the future evolution of AI technology, impact of AI on markets and firms, consumer trends and regulatory approach.
The initial stages of the review include a call for evidence from interested parties, with responses requested by 24 February 2026. The Executive Director is expected to report to the FCA Board in the summer, providing recommendations to the FCA. The FCA's page on the review can be accessed here.
European Commission and Brazil adopt mutual adequacy decisions
The European Commission confirmed that it has adopted mutual adequacy decisions with Brazil, confirming that their levels of data protection are comparable. The outcome follows an opinion by the European Data Protection Board and approval by Member States. The Commission will review the adequacy decision after a period of four years. The European Commission statement is here.
Cyber Developments
DSIT publishes Cyber Action Plan
The Department for Science, Innovation and Technology has published the Cyber Action Plan ("CAP"), setting out how government will respond to the growing range of online threats. The CAP sets out the practical, measurable steps that can be taken to improve the cyber security and resilience of government and the public sector. The four strategic objectives of the CAP are:
- Better visibility of cyber security and resilience risk
- Addressing severe and complex risks
- Improving responsiveness to fast moving threats
- Rapidly increasing government-wide published
As part of Phase 1, a number of steps will be taken by April 2027, including building critical functions for the establishment of a Government Cyber Unit, and setting clear standards and targets for government organisations. The Cyber Action Plan can be found here.
NCSC issues warning over state-aligned hacktivists
The National Cyber Security Centre has issued a warning that UK-based organisations are being persistently targeted by Russian state-aligned hacktivist groups aiming to disrupt networks. The full text of the alert can be accessed here.
The alert encourages organisations, such as local government authorities and operators of critical national infrastructure, to review their defences and improve their cyber resilience.
Minister comments on cyber security and insurance at BIBA event
The Digital Minister, Liz Lloyd, spoke on cyber security issues and cyber insurance at the recent launch of the British Insurance Brokers Association manifesto. The speech emphasised the measures being taken by government to raise the resilience of organisations including the Cyber Security and Resilience Bill noted above, and the Cyber Action Plan.
The Minister noted the importance of explaining cyber security and insurance to potential customers; she referred to evidence that a large number of SMEs did not fully understand cyber insurance, with brokers playing a crucial role in advising on this issue. The full text of the speech can be accessed here.
