Data sharing and transactions

FORTHCOMING CHANGE: On 19 June 2025, the Data (Use and Access) Bill received Royal Assent, becoming the Data (Use and Access) Act 2025 (DUAA 2025) and coming partly into force on that date. Parts 5 and 6 serve to amend aspects of data protection and ePrivacy law in the UK, including the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426. Certain provisions of DUAA 2025, concerning matters such as responding to data subject access requests and the conferring of power to make further regulations, came into force immediately on 19 June 2025. Other provisions, concerning notices from the Information Commissioner and some aspects of law enforcement processing, come into effect on 19 August 2025 (being two months from the date of Royal Assent). The majority of DUAA 2025’s provisions require further regulations (in the form of statutory instruments) to be made to bring them into force. For further information on DUAA 2025 generally, see Practice Note: The Data (Use and Access)

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

Powered by Lexis+®
Latest Information Law News

No harm, no foul? Court of Appeal provides clarifications around controllers’ liability in the context of compensation claims under Article 82 of the UK GDPR (Farley and others v Paymaster (1836) Ltd (trading as Equiniti) (Information Commissioner intervening))

Information Law analysis: In a landmark ruling, the Court of Appeal overturned a High Court decision which denied compensation to individuals affected by a data breach. The judgment contains helpful clarifications regarding compensation claims made pursuant to Article 82 of the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (the UK GDPR), including the requirements for establishing UK GDPR infringement, the scope of non-material damage and, more broadly, the position of the UK courts in relation to EU Court of Justice case law and its application in the context of domestic data protection rules. The Court of Appeal held that bringing a UK GDPR infringement claim does not require proof that personal data was actually disclosed to third parties. Unlawful processing is a sufficient basis in principle for damage to be suffered. There is also no minimum threshold for non-material damage when it comes to a data subject’s entitlement to compensation under Article 82 of the UK GDPR. The scope of such damage can include an objective, well-founded fear or apprehension of misuse of personal data. This judgment is also a helpful reminder of the broad scope of activities that fall within the concept of processing and the importance of controllers’ compliance with Articles 24, 25 and 32 of the UK GDPR and the general principles in Article 5(1) of the UK GDPR. Written by Marija Nonkovic, associate at Kemp IT Law.

View Information Law by content type :

Popular documents