
Data, Privacy & Cyber in August 2025: In Case You Missed It


By Hans Allnutt, Jade Kowalski, Peter Given & Charlotte Halford


Published 10 September 2025

Overview

Our 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments from August 2025.

 

Contents

  1. Case Law Updates
  2. Regulatory Developments
  3. Data & Privacy Developments
  4. Cyber Developments

 

Case Law Updates

Michael Farley & Anor v Paymaster (1836) Limited (trading as Equiniti) [2025] EWCA Civ 1117

We commented on the High Court decision in this action in September 2024, where all but 14 claims from a collective action of nearly 450 claims were struck out. The Court of Appeal ruled on an appeal (and cross-appeal) by 432 appellants.

The appellants were pension scheme members whose annual benefit statements were accidentally sent to outdated addresses by the administrator of the scheme. The pension members were current and former police officers and the statements included their name, date of birth, National Insurance number, and salary and pension details.

The High Court chose to strike out those claims where the letters had been returned unopened or where there was no proof that the letters had been opened and read by someone other than the claimant. Nicklin J considered there could be no claim for damages for the apprehension that a wrong had occurred. The High Court also made note of the fact that each envelope was marked as private and confidential and a return address was included with the statement for any misdirected post.

Handing down the lead judgment in the Court of Appeal, Lord Justice Warby found that each of the appellants had pleaded a reasonable basis for alleging an infringement of the GDPR. Proof that the data was disclosed is not an essential ingredient of an allegation of processing or infringement.

The judgment also addressed whether the appellants had set out a reasonable basis for claiming compensation and had a realistic prospect of succeeding at trial.

Lord Justice Warby highlighted a number of European Court of Justice decisions including Austrian Post when considering (and rejecting) Equiniti’s submissions that the claims fell short of a threshold of seriousness. The court found that Equiniti was entitled to argue that the appellants’ fears of third-party misuse were not 'well-founded' and hence cannot qualify as 'non-material damage' (which is recoverable in compensation).

However, that question of whether a claim based on those fears could prevail is to be remitted to the High Court, which may conduct the review itself or give directions for it to be carried out in the County Court. The fate of the claims for consequent psychiatric injury will likely turn on the outcome of that issue.

A cross-appeal by the respondent alleging that the claims were an abuse of process of the Jameel variety was dismissed. The full judgment can be found here.

 

Regulatory Developments

Government publishes AI action plan for justice

The UK Government has published a policy paper, 'AI action plan for justice', highlighting strategic priorities to allow for the integration of AI into the justice system. Setting out a 3-year roadmap for delivery, proposals include:

  • The creation of a dedicated Justice AI Unit led by a chief AI officer to coordinate the delivery of the action plan
  • Embedding AI across the justice system, such as the use of AI productivity tools (including search, speech and document processing), creating reductions in administrative burdens
  • Investment in people through the strengthening of AI awareness and skills. In addition, the Ministry of Justice will work with regulators such as the Solicitors Regulation Authority to support responsible adoption of AI in the sector.

 

Law Commission publishes discussion paper on AI and the law

The Law Commission has published a discussion paper on Artificial Intelligence and the Law. Aiming to raise awareness of the legal issues relating to AI, the paper explains how the use of AI might raise legal issues in private, public and criminal law. However, the paper does not contain proposals for any legal reform.

The paper considers issues such as oversight and increasing reliance on AI, and the radical option of granting AI systems some form of legal personality in the future.

 

EU-US Framework Agreement on trade silent on DSA and DMA issues

The announcement of an agreement on a Framework on an Agreement on Reciprocal, Fair, and Balanced Trade between the European Union and United States commits the parties to "address unjustified digital trade barriers". Inevitably, the framework agreement has raised questions relating to the EU Digital Services Act and Digital Markets Act.

Following the publication of the agreement, President Trump issued a statement threatening to impose additional tariffs on countries with digital taxes, legislation and regulation affecting US technology. Further developments are awaited with interest.

 

EU Data Act to take effect in September

The EU Data Act will apply from 12 September 2025. It aims to harmonize rules on data access, sharing, and reuse across the EU, focusing on making more data available for use and setting rules on who can access and use it.

A suite of documentation made available by the European Commission when the Data Act entered into force in January 2024 can be found here.

 

Data & Privacy Developments

ICO launches consultations on DUA Act guidance

In response to the Data (Use and Access) Act 2025 entering into force, the ICO has launched public consultations to help shape final guidance. 

The ICO has produced and is consulting on draft guidance to support organisations in understanding and applying upcoming amendments.

  • The ICO is consulting on draft guidance covering 'recognised legitimate interest'. This is a new lawful basis added to the UK GDPR by the DUA Act. This is separate from the legitimate interests lawful basis. The consultation closes on 30 October 2025, and the draft guidance can be accessed here.
  • The DUA Act inserts s164A into the Data Protection Act 2018, imposing additional requirements for organisations handling complaints. The ICO is consulting on draft guidance to assist organisations. The consultation closes on 19 October 2025, and the draft guidance can be accessed here.

 

ICO consultation commenced on Distributed Ledger Technologies

The ICO has released and is consulting on draft guidance for distributed ledger technologies, such as blockchains. The guidance details the effect of these technologies on data protection compliance, automated decision making and data controllers' responsibilities.

The draft guidance is open for public consultation until 7 November, and can be found here.

 

ICO clarifies how data protection law applies to facial recognition technology

The ICO issued a statement with a reminder that facial recognition technology (FRT) is covered by data protection law and must be deployed with appropriate safeguards in place. The ICO directed readers to the necessary data protection reminders when using live FRT.

 

Online Safety Act: Internet forums file action in US against Ofcom

It has been reported that US internet forums, 4chan and Kiwi Farms, have filed an action in the United States against Ofcom, alleging breaches of Americans' right to free speech.

Ofcom is responsible for the enforcement of the Online Safety Act, and had previously stated that it was opening an investigation into 4chan for failing to comply with its duties under the Online Safety Act, including:

  • Adequately responding to a statutory information request
  • Completing and keeping a record of a suitable and sufficient illegal content risk assessment, and
  • Complying with the safety duties about illegal content

Colleagues from our technology team have discussed this action in further detail as part of their wider piece discussing The Online Safety Act: Moving from policy to practice (key developments and potential implications).

 

Austrian court finds that newspaper's 'consent or pay' model is unlawful

The Austrian Federal Administrative Court has confirmed an earlier decision by the Austrian Data Protection Authority that a 'consent or pay' model introduced by a newspaper is in violation of the GDPR. However, the court found that 'consent or pay' models may be viable if users are provided with the option to consent to specific types of processing.

Commentary by the privacy group, noyb, on the decision can be found here. It is expected that the case will be referred to the Supreme Administrative Court in Austria, and a subsequent referral to the Court of Justice of the European Union is likely.

 

Cyber Developments

DSIT publishes study on SME adoption of cyber insurance

The Department for Science, Innovation and Technology (DSIT) has published a study on small and medium enterprises' (SMEs) perceptions of cyber insurance. The study can be accessed here, with key findings stating that cyber insurance adoption among UK SMEs remains limited due to a number of challenges including tight budgets and basic cyber security measures. This has meant self-insuring is often commonplace.

The study emphasises the need for cyber insurance as a key element of SME risk management, recommending the simplification of policy terms and the development of specialist cyber underwriting and broker knowledge.

 

DSIT updates mapping of Cyber Governance Code of Practice

DSIT has updated details mapping the Cyber Governance Code of Practice to ISACA CMMI, WEF Principles for Board Governance of Cyber Risk, and ISO 27001.

The mapping documents (found here) were a response to industry feedback, which sought greater clarification on how the Code fits into the current cyber standards landscape. The mapping documents address this by illustrating similarities and differences between the Code and other domestic and international frameworks.

 

Report published on converged technologies and impact on cyber security

DSIT has published a research paper, 'Securing converged technologies: insights from subject matter experts'. The convergence of existing and emerging technologies is creating significant risks and opportunities for cyber security. Using research from 20 experts primarily within the cyber security sector, the report examines the role of technology convergence, its impact upon cyber security, and potential policy responses.

The report notes that the impact of technology convergence for cyber security is often difficult to assess in advance, and is only likely to be appropriately identified when technologies are closer to deployment. In order to respond at the necessary, a long-term task force dedicated to technology convergence may be necessary.
