Data protection complaints – a missed opportunity Has the Information Commissioner’s Office ducked an opportunity to improve data subjects’ rights and provide regulatory clarity to data controllers? Section 103 of the Data (Use and Access) A…

The ICO has declined to suggest in its guidance how long controllers should normally take to respond to data subject complaints. I think this is a missed opportunity. On my personal blog:

informationrightsandwrongs.com/2026/02/13/d...

Unlawful cookies: a new avenue for the ICO to issue fines? The ICO can now fine for any unlawful cookie use under PECR. Discover how DUAA reforms and rising penalties could affect compliance strategies.

The ICO no longer has to establish that cookie contraventions are likely to cause significant damage or distress before issuing a fine. Will it lead to flurry of fines? (Hint: not under the current regime). Still a noteworthy change though @mishcondereya.bsky.social www.mishcon.com/news/unlawfu...

Data protection and electronic privacy reform: what’s hot and what’s not? Various aspects of data protection and eprivacy reforms take effect in the UK on 5 February 2026.

I've written for the @mishcondereya.bsky.social website on some of the more significant changes wrought by the Data (Use and Access) Act 2025 which commence today (5 February) www.mishcon.com/news/data-pr...

I’m happy to confess I assumed the absoluteness extended to NCND. I’d imagine the ICO’s position would be that s40(5) is a subordinate part of s40(2), and so NCND carries across, but the reference to Coppel in the judgment indicates that there’s been this contrary view for some time

NCND for personal data – a qualified exemption? [reposted from my LinkedIn Account] I’ve been known to criticise First-tier Tribunal (FTT) judgments in the freedom of information jurisdiction. By contrast, this one is superb. In it, the FTT dism…

On my personal blog: FTT rather dismantles @ICOnews on both the facts and the law in this remarkable FOI judgment. Will the ICO have to rewrite their section 40 NCND guidance? informationrightsandwrongs.com/2025/11/29/n...

It’s not my area at all, but see CPR 81, and 81.9 in particular - the court has the power to commit to prison or issue an (unlimited) fine www.justice.gov.uk/courts/proce...

One of those initialisms that is almost a standard word for those practising in data protection and privacy, so much so that it didn’t occur to me to spell it out (but will edit to do so now)

After all these years, I see that a social media post by @davidallengreen.bsky.social can have a remarkable booster effect on the visits to one’s blog

Incredible story. The ICO should absolutely now be paying the force some real attention given the potential wider implications for FOI requests and subject access requests.

Chief Constable in contempt over BWV footage disclosure failures The Court of Appeal has handed down an extraordinary judgment (Buzzard-Quashie v Chief Constable of Northamptonshire Police [2025] EWCA Civ 1397) in which the Chief Constable of Northamptonshire wa…

I’ve written on my personal blog about an extraordinary CoA judgment in which the Chief Constable of Northants Police has been found in contempt over egregious BWV disclosure failings informationrightsandwrongs.com/2025/11/13/c...

MoD: “too costly” to find out if there have been further spreadsheet data breaches Response to FOI request says it would take 237 hours to find out. How can ICO have confidence lessons have been learnt? Anyone who’s ever had been responsible for compiling or overseeing a data bre…

The MoD has said it cannot say whether it has had any spreadsheet-based data breaches following the catastrophic Afghan citizen one, because it would take >237 hours to find out. On my personal blog informationrightsandwrongs.com/2025/11/07/m...

And to this day no one knows where that guitar disappeared to at the end

I’m especially ticked off that he likes Au Hasard, Balthazar, as that’s been my go-to pseuds-cornerish answer to “what’s your favourite film?” for 35 years. Now I have to find another one

ICO fines: are you certain? In his inaugural speech as Information Commissioner, in 2022, John Edwards said my focus is on bringing certainty in what the law requires of you and your organisations, and in how the regulator ac…

I’ve written on my personal blog on the still-unclear question of why one very large charity received “public sector” lenience from the ICO - and a 97.5% reduction in proposed fine - while a few months later a tiny charity didn’t informationrightsandwrongs.com/2025/07/29/i...

Data Protection risks to life: Should more be done? The Secretary of State for Defence announced on 16 July, a significant data protection breach relating to the Afghan Relocations and Assistance Policy

I’ve written up my thoughts for the @mishcondereya.bsky.social website, on the baffling decision by the ICO to take no action in response to the most catastrophic data breach in UK history, which exposed many thousands of people to immediate risk to their lives.

www.mishcon.com/news/data-pr...

Kate, I don’t even mind (all that much) the lack of holding to account - it’s the failure to take the opportunity to educate the public about something that has happened much too often, and puts lives at risk

Today, after the High Court discharged a super-injunction preventing anyone from knowing about it, or even knowing about the existence of the injunction, we’ve learnt about possibly the most… | Jon Ba... Today, after the High Court discharged a super-injunction preventing anyone from knowing about it, or even knowing about the existence of the injunction, we’ve learnt about possibly the most catastrop...

Today we heard about the most catastrophic data breach in UK history. And the ICO’s response? No need for any action.

Not. Good. Enough.

www.linkedin.com/posts/jon-ba...

Fines for cookie contraventions more likely as a result of law change The Data (Use and Access) Act 2025 (DUAA) will make some significant changes to the enforcement regime for cookies and direct electronic marketing.

A largely overlooked but significant change wrought by the Data (Use and Access) Act 2025 means that, in principle, it will be *much* easier for the ICO to issue fines for cookies contravention I've written about this for the @Mishcon_de_Reya website www.mishcon.com/news/fines-f...

How will the Data (Use and Access) Act reshape data protection? On 19 June, the Data (Use and Access) Act (DUAA) received Royal Assent. We consider what changes it will bring in terms of data protection law.

I’ve written for the Mishcon de Reya website on the Data (Use and Access) Act 2025 and the changes it will make to the UK’s data protection laws

www.mishcon.com/news/how-wil...

Oral disclosure of personal data: a new domestic case “Pretexting” and “blagging” are forms of social engineering whereby someone attempts to extract information from a source by deception. One (unethical) example is when a journalist purports to be s…

A man on remand for assaulting his ex-partner duped former employer, JD Wetherspoon, into orally disclosing her mother’s mobile phone number, which he then used to continue his abuse. I’ve written on my personal blog about the case which has resulted informationrightsandwrongs.com/2025/06/29/o...

From what I can see, the only major operative "data protection" provision that comes immediately into effect is the section 78 "reasonable and proportionate searches" one (and that... From what I can see, the only major operative "data protection" provision that comes immediately into effect is the section 78 "reasonable and proportionate searches" one (and that...

The Data (Use and Access) Act 2025 has now been published. NB that most of the operative data protection provisions still need secondary legislation to commence them www.linkedin.com/posts/jon-ba...

What the DUAA 2025 will do Section 1(2) of the Data Protection Act 2018 tells us that Most processing of personal data is subject to the UK GDPR Despite the attention given to the progress of the Data (Use and Access) Act 20…

A blogpost on what the Data (Use and Access) Act 2025 will do. It’s essentially an amending statute: practitioners should look mostly to how it changes UK GDPR, DPA 2018 and PECR informationrightsandwrongs.com/2025/06/20/w...

Data (Use and Access) Bill [HL] Royal Assent - Parliamentary Bills - UK Parliament Data (Use and Access) Bill [HL] Royal Assent sittings

The Data (Use and Access) Bill is due to receive Royal Assent on 19 June: bills.parliament.uk/bills/3825/s...

For the want of a nail the shoe was lost.

For the want of a signature the €4.3m GDPR fine against VW was lost.

themunicheye.com/volkswagen-e...

Next week the Court of Appeal will hear the claimants’ appeal in the case of Farley and Others v. | Jon Baines Next week the Court of Appeal will hear the claimants’ appeal in the case of Farley and Others v. Paymaster (1836) Limited (trading as Equiniti) [2024] EWHC 383 (KB). This is an important case when i...

Next week the Court of Appeal will hear the claimants’ appeal in the case of Farley and Others v. Paymaster (1836) Limited (trading as Equiniti) [2024] EWHC 383 (KB). See my short primer on the issues www.linkedin.com/posts/jon-ba...

Defamation rules are applied to UK GDPR claim An interesting recent judgment in the High Court considers the extent to which rules in defamation law might also apply to data protection claims. In July 2024 His Honour Judge Lewis struck out a c…

To what extent do rules in defamation carry over to data protection claims about publication of personal data? There’s some interesting analysis in a recent judgment, striking out a claim by Dale Vince against Associated Newspapers. On my personal blog:
informationrightsandwrongs.com/2025/06/09/d...

Good Law Project v Reform In the run-up to last year’s General Election, the campaigning group The Good Law Project (GLP) actively encouraged people to make subject access requests (under Article 15 of the UK GDPR) to polit…

The @goodlawproject.bsky.social is suing Reform, as a representative body (the first such case brought under Article 80(1) of the UK GDPR. GLP have published both its particulars of claim and Reform’s defence. I’ve written about it on my personal blog informationrightsandwrongs.com/2025/06/06/g...

Hinkley Point C construction company is a public authority under the EIR The Information Tribunal has ruled that the Nuclear New Build Generation Company, a subsidiary of EDF Energy, created to construct s new nuclear power plant at Hinkley Point C (HPC), is a public au…

The Information Tribunal has ruled that the Hinkley Point C construction company is a public authority for the purposes of the Environmental Information Regulations (a parallel access regime to the FOI Act). On my personal blog: informationrightsandwrongs.com/2025/06/06/h...

For some reason @familoo.pinktape.co.uk @juliedoughty.bsky.social I can’t reply to this post, so having to repost it: these are my initial thoughts on the data protection aspects of the guidance informationrightsandwrongs.com/2025/06/04/c...

The Family Justice Council has produced guidance on covert recordings in family law proceedings - some of its references to data protection law are misguided. On my personal blog: informationrightsandwrongs.com/2025/06/04/c...