Data protection regime

STOP PRESS: On 19 June 2025, the Data (Use and Access) Bill received Royal Assent, becoming the Data (Use and Access) Act 2025 (DUAA 2025) and coming partly into force on that date. Certain provisions of DUAA 2025, concerning matters such as responding to data subject access requests and the conferring of power to make further regulations, came into force immediately on 19 June 2025. Other provisions, concerning notices from the Information Commissioner and some aspects of law enforcement processing, came into effect on 19 August 2025 (being two months from the date of Royal Assent). The majority of DUAA 2025’s provisions require further regulations (in the form of statutory instruments) to be made to bring them into force.

Parts 5 and 6 of DUAA 2025 serve to amend aspects of data protection and ePrivacy law in the UK, including the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426. The majority of the provisions in Part 5 come into effect on

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest Information Law News

Forum selection for data protection claims (Wysokinski v OCS Security Ltd)

Information Law analysis: The Court of Appeal held that a judge was entitled to transfer a data protection and human rights claim from the High Court to the County Court pursuant to CPR 53.4(2). The claim was neither complex nor high value and raised no issue warranting trial by a High Court judge. This decision provides critical guidance on forum selection for data protection claims. The Court of Appeal confirmed that data protection claims can and do proceed in the County Court, which is the correct forum for claims that are not high value, factually or legally complex, or of significant public importance. Written by Caitlin Moreland, associate at Mishcon de Reya LLP.

ENISA publishes cybersecurity exercise methodology for national and EU authorities

The European Union Agency for Cybersecurity (ENISA) has published the ENISA Cybersecurity Exercise Methodology. The methodology sets out an end-to-end framework for the planning, delivery and evaluation of cybersecurity exercises, intended to ensure that appropriate profiles and stakeholders are involved at the relevant stages. The publication incorporates theoretical material based on lessons learned, industry best practice and cybersecurity expertise. It is designed to be used alongside a support toolkit, which includes templates and guidance materials to assist planners in organising effective exercises.

Prime Minister sets out measures to reinforce platform obligations on child safety

The Prime Minister’s Office (PMO), led by The Rt Hon Sir Keir Starmer KCB KC MP, together with the Department for Science, Innovation and Technology (DSIT), has announced plans to strengthen online child safety protections. The government intends to close loopholes in the Online Safety Act 2023 (OSA 2023) to ensure that all artificial intelligence (AI) chatbot providers are subject to the illegal content duties under the OSA 2023. It will also introduce new powers enabling ministers to act more quickly as technology evolves.

Commission adopts EU ICT supply chain security toolbox

The European Commission has announced several measures on cybersecurity, competition, State aid and mergers. It introduced an information and communication technologies (ICT) Supply Chain Security Toolbox, developed with Member States and EU Agency for Cybersecurity (ENISA) through the NIS2 Cooperation Group, to create a common EU approach to identifying and mitigating cybersecurity risks in ICT supply chains. It also proposed a trusted ICT supply chain framework under the revised EU Cybersecurity Act and published two risk assessments on connected vehicles and border detection equipment. Under the EU Merger Regulation, the Commission approved Universal Music Group’s acquisition of Downtown Music Holdings, subject to the full divestment of Curve Royalty Systems to prevent access to commercially sensitive data. It cleared the acquisitions of Aditya Birla Renewables by Grasim and BlackRock, and of Leeds Bradford and Newcastle airports by Aena and its partners, finding no competition concerns. The Commission approved a €1.04bn Danish State aid scheme to support landowners who remove land from production to reduce emissions and improve environmental protection, concluding that it complied with EU rules. It also opened an in-depth investigation into a €15.4m capital injection into PostNord Logistics to determine whether it constitutes State aid.

View Information Law by content type :

News