ICO fines: are you certain? In his inaugural speech as Information Commissioner, in 2022, John Edwards said my focus is on bringing certainty in what the law requires of you and your organisations, and in how the regulator ac…

I’ve written on my personal blog on the still-unclear question of why one very large charity received “public sector” lenience from the ICO - and a 97.5% reduction in proposed fine - while a few months later a tiny charity didn’t informationrightsandwrongs.com/2025/07/29/i...

Data Protection risks to life: Should more be done? The Secretary of State for Defence announced on 16 July, a significant data protection breach relating to the Afghan Relocations and Assistance Policy

I’ve written up my thoughts for the @mishcondereya.bsky.social website, on the baffling decision by the ICO to take no action in response to the most catastrophic data breach in UK history, which exposed many thousands of people to immediate risk to their lives.

www.mishcon.com/news/data-pr...

Kate, I don’t even mind (all that much) the lack of holding to account - it’s the failure to take the opportunity to educate the public about something that has happened much too often, and puts lives at risk

Today, after the High Court discharged a super-injunction preventing anyone from knowing about it, or even knowing about the existence of the injunction, we’ve learnt about possibly the most… | Jon Ba... Today, after the High Court discharged a super-injunction preventing anyone from knowing about it, or even knowing about the existence of the injunction, we’ve learnt about possibly the most catastrop...

Today we heard about the most catastrophic data breach in UK history. And the ICO’s response? No need for any action.

Not. Good. Enough.

www.linkedin.com/posts/jon-ba...

Fines for cookie contraventions more likely as a result of law change The Data (Use and Access) Act 2025 (DUAA) will make some significant changes to the enforcement regime for cookies and direct electronic marketing.

A largely overlooked but significant change wrought by the Data (Use and Access) Act 2025 means that, in principle, it will be *much* easier for the ICO to issue fines for cookies contravention I've written about this for the @Mishcon_de_Reya website www.mishcon.com/news/fines-f...

How will the Data (Use and Access) Act reshape data protection? On 19 June, the Data (Use and Access) Act (DUAA) received Royal Assent. We consider what changes it will bring in terms of data protection law.

I’ve written for the Mishcon de Reya website on the Data (Use and Access) Act 2025 and the changes it will make to the UK’s data protection laws

www.mishcon.com/news/how-wil...

Oral disclosure of personal data: a new domestic case “Pretexting” and “blagging” are forms of social engineering whereby someone attempts to extract information from a source by deception. One (unethical) example is when a journalist purports to be s…

A man on remand for assaulting his ex-partner duped former employer, JD Wetherspoon, into orally disclosing her mother’s mobile phone number, which he then used to continue his abuse. I’ve written on my personal blog about the case which has resulted informationrightsandwrongs.com/2025/06/29/o...

From what I can see, the only major operative "data protection" provision that comes immediately into effect is the section 78 "reasonable and proportionate searches" one (and that... From what I can see, the only major operative "data protection" provision that comes immediately into effect is the section 78 "reasonable and proportionate searches" one (and that...

The Data (Use and Access) Act 2025 has now been published. NB that most of the operative data protection provisions still need secondary legislation to commence them www.linkedin.com/posts/jon-ba...

What the DUAA 2025 will do Section 1(2) of the Data Protection Act 2018 tells us that Most processing of personal data is subject to the UK GDPR Despite the attention given to the progress of the Data (Use and Access) Act 20…

A blogpost on what the Data (Use and Access) Act 2025 will do. It’s essentially an amending statute: practitioners should look mostly to how it changes UK GDPR, DPA 2018 and PECR informationrightsandwrongs.com/2025/06/20/w...

Data (Use and Access) Bill [HL] Royal Assent - Parliamentary Bills - UK Parliament Data (Use and Access) Bill [HL] Royal Assent sittings

The Data (Use and Access) Bill is due to receive Royal Assent on 19 June: bills.parliament.uk/bills/3825/s...

For the want of a nail the shoe was lost.

For the want of a signature the €4.3m GDPR fine against VW was lost.

themunicheye.com/volkswagen-e...

Next week the Court of Appeal will hear the claimants’ appeal in the case of Farley and Others v. | Jon Baines Next week the Court of Appeal will hear the claimants’ appeal in the case of Farley and Others v. Paymaster (1836) Limited (trading as Equiniti) [2024] EWHC 383 (KB). This is an important case when i...

Next week the Court of Appeal will hear the claimants’ appeal in the case of Farley and Others v. Paymaster (1836) Limited (trading as Equiniti) [2024] EWHC 383 (KB). See my short primer on the issues www.linkedin.com/posts/jon-ba...

Defamation rules are applied to UK GDPR claim An interesting recent judgment in the High Court considers the extent to which rules in defamation law might also apply to data protection claims. In July 2024 His Honour Judge Lewis struck out a c…

To what extent do rules in defamation carry over to data protection claims about publication of personal data? There’s some interesting analysis in a recent judgment, striking out a claim by Dale Vince against Associated Newspapers. On my personal blog:
informationrightsandwrongs.com/2025/06/09/d...

Good Law Project v Reform In the run-up to last year’s General Election, the campaigning group The Good Law Project (GLP) actively encouraged people to make subject access requests (under Article 15 of the UK GDPR) to polit…

The @goodlawproject.bsky.social is suing Reform, as a representative body (the first such case brought under Article 80(1) of the UK GDPR. GLP have published both its particulars of claim and Reform’s defence. I’ve written about it on my personal blog informationrightsandwrongs.com/2025/06/06/g...

Hinkley Point C construction company is a public authority under the EIR The Information Tribunal has ruled that the Nuclear New Build Generation Company, a subsidiary of EDF Energy, created to construct s new nuclear power plant at Hinkley Point C (HPC), is a public au…

The Information Tribunal has ruled that the Hinkley Point C construction company is a public authority for the purposes of the Environmental Information Regulations (a parallel access regime to the FOI Act). On my personal blog: informationrightsandwrongs.com/2025/06/06/h...

For some reason @familoo.pinktape.co.uk @juliedoughty.bsky.social I can’t reply to this post, so having to repost it: these are my initial thoughts on the data protection aspects of the guidance informationrightsandwrongs.com/2025/06/04/c...

The Family Justice Council has produced guidance on covert recordings in family law proceedings - some of its references to data protection law are misguided. On my personal blog: informationrightsandwrongs.com/2025/06/04/c...

Liz Truss leadership election not amenable to JR Was the leadership election in which Liz Truss was elected as leader of the Conservative Party (and as a result of which she was recommended to the Queen by the outgoing Boris Johnson, and appointe…

When Liz Truss was elected leader of the Tory Party (and thus recommended to and appointed by the Queen as her PM) was it an exercise of a public function amenable to JR? Unsurprisingly, the Court of Appeal says “no”. On my personal blog informationrightsandwrongs.com/2025/05/27/l...

Yes, the LAA (or, strictly, the MoJ, given that the former is an executive agency of the latter) will be a controller

Certainly in the event of a regulatory investigation, or a legal claim by an affected individual, they would need to justify the retention, and if they couldn’t do so, they would be in breach of UK GDPR storage limitation principle

As to why they were still holding the old data, that’s less a data protection question (there, the law just says “don’t hold for longer than you need to”) and one around any specific legal aid laws/guidance or LAA’s own policies

As a matter of law, if the LAA assesses that this presents a likely high risk to data subjects it must inform them itself, “in clear and plain language”, giving them a contact point, describing likely consequences and the measures being taken to address and mitigate the breach’s adverse effects

Legal Aid Agency data breach An update following a cyber-attack on the Legal Aid Agency’s online digital services.

This looks very nasty - a cyber attack has apparently compromised the Legal Aid Agency’s online digital services, involving a "significant" amount of personal data from those who applied online for legal aid since 2010

www.gov.uk/government/n...

The Information Commissioner's Office’s backlog in handling data… | Jon Baines The Information Commissioner's Office’s backlog in handling data protection complaints means that in effectively every case it is exceeding the time envisaged by Parliament for doing so. Section ...

For data subjects considering complaints to the ICO, or for controllers faced with such complaints, you might want to know there is a current 16-week wait just to get allocated to a caseworker. A tub-thumping post by me on LinkedIn www.linkedin.com/posts/jon-ba...

Data (Use and Access) Bill [HL] - Hansard - UK Parliament | Jon Baines For a bill in Parliament to proceed to royal assent, it must be agreed by both the House of Commons and the House of Lords. When the Houses cannot agree the bill, it enters a stage referred to as “pin...

The Data (Use and Access) Bill was returned to the Lords yesterday, and once again, on three key votes - on sex data and DVS, the definition of “scientific research”, and AI & copyright, the Government lost. My LinkedIn post: www.linkedin.com/posts/jon-ba...

Yesterday evening I read the judgment in the recent shocker of a case… | Jon Baines Yesterday evening I read the judgment in the recent shocker of a case involving fake citations of non-existent case law (read it and weep https://lnkd.in/egUycSWi). Although the judge said it would ha...

As I said in a LinkedIn post this morning, are cases slipping through the net where this is happening? I fear it’s highly unlikely that all are being picked up www.linkedin.com/posts/jon-ba...

FOIA contempt proceedings against University of Exeter Non-compliance by a public authority with the provisions of the Freedom of Information Act 2000 is rarely a particularly serious matter for the public authority: a delay in responding, or a failure…

The First-tier Tribunal has certified to the Upper Tribunal an offence of contempt by the University of Exeter, in respect of “wilful” and “flagrant” failure to comply with an order by the FTT under FOIA to disclose information. On my personal blog informationrightsandwrongs.com/2025/05/07/f...

BT is subject to Environmental Information law, says Information Commissioner The Information Commissioner (ICO) has issued decision notices ruling that British Telecommunications plc and Openreach Limited are public authorities for the purposes of the Environmental Information...

The Information Commissioner has ruled, in two important recent decisions, that BT and Openreach are public authorities for the purposes of the Environmental Information Regulations 2004 www.mishcon.com/news/bt-is-s...

As @paulclarke.com indicates, it’s a convoluted topic which the law can’t really circumscribe (although there are occasionally times when it gets litigated - usually in the context of paparazzi and celebrities, but occasionally neighbour disputes over CCTV)

And I misspelt judgment in that thread and must forever hang my head in shame