Data breaches, sanctions and enforcement

FORTHCOMING CHANGE: On 19 June 2025, the Data (Use and Access) Bill received Royal Assent, becoming the Data (Use and Access) Act 2025 (DUAA 2025) and coming partly into force on that date. Parts 5 and 6 serve to amend aspects of data protection and ePrivacy law in the UK, including the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426. Certain provisions of DUAA 2025, concerning matters such as responding to data subject access requests and the conferring of power to make further regulations, came into force immediately on 19 June 2025. Other provisions, concerning notices from the Information Commissioner and some aspects of law enforcement processing, come into effect on 19 August 2025 (being two months from the date of Royal Assent). The majority of DUAA 2025’s provisions require further regulations (in the form of statutory instruments) to be made to bring them into force. For further information on DUAA 2025 generally, see Practice Note: The Data (Use and Access)

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest Information Law News

Commission launches new UK data protection adequacy assessment process

The European Commission has initiated procedures to adopt new adequacy decisions for EU-UK personal data transfers, following its assessment of the UK Data Use and Access Act which received Royal Assent on 19 June 2025. The Commission's initial evaluation found the UK's legal framework continues to provide data protection safeguards 'essentially equivalent' to EU standards. The draft decisions will require European Data Protection Board opinion, EU Member States committee approval and European Parliament scrutiny before adoption. This follows the Commission's June 2025 six-month technical extension of existing 2021 adequacy decisions to allow assessment of the new UK legislation.

Home Office publishes response to ransomware consultation on new legislative proposals to tackle cybercrime

The Home Office has published its response to the public consultation on legislative proposals to address ransomware. The consultation ran from 14 January to 8 April 2025 and sought views on three measures: a targeted ban on ransomware payments for public sector and regulated critical national infrastructure (CNI); a ransomware payment prevention regime; and a mandatory incident reporting regime. A total of 273 responses were received and 36 engagement events were held. The response confirms ransomware is considered the most serious organised cybercrime threat to UK national security. Feedback was broadly supportive and highlighted several cross-cutting themes, including the need for clarity on scope and definitions, proportionate penalties that avoid revictimising victims, tailored guidance and support, and improved cyber resilience. The government intends to continue to develop the proposals in collaboration with stakeholders, explore appropriate enforcement mechanisms and publish guidance to support implementation.

Supreme Court confirms cumulative approach to public interest exemptions under FIA 2000

The UK Supreme Court has held that when information falls under multiple qualified exemptions (QEs) in the Freedom of Information Act 2000 (FIA 2000), public authorities may consider the combined public interest in maintaining all applicable exemptions. The Court rejected the ‘independent approach,’ which would have required each exemption to be assessed separately. Dr Lewis Graham of Christ's College Cambridge and the Public Law team at LexisNexis comment on the implications of the judgment.

Standards of candour in closed hearings, and corporate witness statements (Attorney General v BBC; R (‘Beth’) v IPT)

Public Law analysis: In reviewing the conduct of MI5 in two sets of High Court proceedings, the court considered the serious implications of the provision of false information in the context of closed proceedings. The court provided an overview of the limited circumstances which justify departure from the principle of open justice pursuant to section 6 of the Justice and Security Act 2013 (‘JSA 2013), acknowledging that the appointment of special advocates mitigates rather than extinguishing the inherent unfairness that arises. In this case, the special advocates, the High Court, and the Investigatory Powers Tribunal (‘IPT’) were all misled on a key issue and had made decisions relying upon this misinformation. The court recognised that the safeguards in closed material proceedings are reliant on the high standards of candour of MI5 and expressed the need for a prompt and effective investigation when there is evidence of a departure from this high standard. The importance of compliance with CPR 32 PD, para 18.2, which applies to government departments as well as corporate entities, was also considered (para [173]). Written by Alexandra Scott, barrister at Mountford Chambers.

View Information Law by content type :

News