Data sharing and transactions

FORTHCOMING CHANGE: On 19 June 2025, the Data (Use and Access) Bill received Royal Assent, becoming the Data (Use and Access) Act 2025 (DUAA 2025) and coming partly into force on that date. Parts 5 and 6 serve to amend aspects of data protection and ePrivacy law in the UK, including the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426. Certain provisions of DUAA 2025, concerning matters such as responding to data subject access requests and the conferring of power to make further regulations, came into force immediately on 19 June 2025. Other provisions, concerning notices from the Information Commissioner and some aspects of law enforcement processing, come into effect on 19 August 2025 (being two months from the date of Royal Assent). The majority of DUAA 2025’s provisions require further regulations (in the form of statutory instruments) to be made to bring them into force. For further information on DUAA 2025 generally, see Practice Note: The Data (Use and Access)

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest Information Law News

ICO issues enforcement notice to Bristol City Council over failures to respond to data requests

The Information Commissioner's Office (ICO) has issued an enforcement notice to Bristol City Council (BCC) for failing to respond to subject access requests (SARs). The notice requires BCC to: (1) notify individuals with overdue SARs about the delays; (2) provide outstanding SAR responses by specified deadlines, prioritising the oldest cases from 2022 to be resolved within 30 days; (3) submit weekly progress updates to the ICO until all overdue SARs are resolved; (4) develop an action plan within 90 days to address the SAR backlog, including defined responsibilities, prioritisation and timelines; and (5) implement system and process improvements within 12 months, including adequate staffing, resources and staff training to ensure compliance with the UK General Data Protection Regulation requirements.

Information Law weekly highlights—25 September 2025

Welcome to this week’s edition of the Information Law weekly highlights: a hand-picked summary of news analysis, updates and new content related to laws governing the use and dissemination of information and personal data. Each week these highlights focus on developments in key topics such as data protection, ePrivacy, cybersecurity, breach of confidence, misuse of private information, and defamation.

The construction of jurisdiction clauses in the context of the Contracts (Rights of Third Parties) Act 1999 and the mechanisms of service(Campeau v Gottex Real Asset Fund 1 (OE) Waste S.À.R.L)

Dispute Resolution analysis: This case considers a jurisdictional clause in the context of service under CPR 6.33(2B)(b), which allows service out of the jurisdiction where the defendant is party to a jurisdiction clause. There is no corresponding requirement for the claimant to be a party to that jurisdiction clause. The starting point is that jurisdiction clauses are not generally intended to concern disputes with third parties. However, that is no more than a starting point and one which can be departed from in appropriate cases. This was one such appropriate case whereby the circumstances and construction of the clause led to the finding that it did include the third party claimant’s (Mr Campeau) claim. While not strictly necessary given the judge’s findings in relation to the construction of the clause, Mr Justice Butcher considered that, where a jurisdictional clause was wide enough to encompass disputes from third parties, then it will likely also amount to a ‘relevant term’ for the purposes of section 1(4) of the Contracts (Rights of Third Parties) Act 1999 (C(RTP)A 1999). That meant that the third party, in seeking to enforce their rights under the SPA, was statutorily obliged to do so in England and so could rely upon CPR 6.33 (2B) (b) in that respect also. Written by Georgia Whiting, legal counsel (contentious construction) at Capita.

Libel, truth and public interest (Clarke v Guardian)

TMT analysis: The court dismissed the actor and director Noel Clarke’s claim in libel against the publisher of the Guardian newspaper. The case concerned eight articles published by the Guardian. The first article was titled ‘“Sexual predator”: actor Noel Clarke accused of groping, harassment and bullying by 20 women’, which the Guardian admitted had caused or was likely to cause serious harm to Mr Clarke’s reputation under section 1 of the Defamation Act 2013 (DA 2013). The Guardian denied that serious harm was caused by the remaining seven articles. The court determined the issue of serious harm in respect of the other seven articles, and the Guardian’s defences of i) truth under DA 2013, s 2, and ii) publication on matter of public interest under DA 2013, s 4. The Guardian succeeded on all the disputed issues: the remaining articles did not cause Mr Clarke serious reputational harm, and the articles were substantially true and published on a matter of public interest. Written by Hector Penny, barrister at 5RB.

View Information Law by content type :

News