Legal development

Data Bytes 63: Your UK and European Data Privacy update for November, December 2025 and January 2026

12 February 2026

Welcome back to the first Data Bytes of 2026. This edition we report on the not insubstantial degree of legislative change ahead of us in 2026 in the world of data and cyber: we finally have a confirmed timetable for the Data Use and Access Act implementation following commencement of various provisions on 5 February; the Cyber Security and Resilience Bill is shortly entering the committee stage of Parliament and is expected to become law sooner rather than later in 2026. Keep scrolling to our spotlight section to see the changes that this latest cyber security law will bring in. In both these pieces of legislation we are seeing the result of Brexit in black letter data protection law, but it remains to be seen whether those of you operating across the UK and Europe will adopt divergent compliance programmes in practice.

What else are we expecting to see in 2026? Those of you who attended our Data Bytes 2025 round up and look ahead to 2026 in our London office will have heard us predicting a further expanded role for the data practitioner as they need to get to grips with an ever growing number of digital regulation laws and continued uncertainty as new rules and regulators come into effect.

In the meantime, get your November, December and January Data Bytes here.

Spotlight on Data Protection and Privacy: Movement and publication of the working Cyber Security and Resilience Bill 2025

What is the Cyber Security and Resilience Bill?

On 12 November 2025, the Cyber Security and Resilience Bill (“CSRB”) was introduced to Parliament for its first reading in the House of Commons. It has since had its first and second readings and entered the committee stage this month. The CSRB seeks to amend Network and Information Systems Regulation 2018 (“NIS1”), the UK's only current cross sector cyber legislation which governs cyber security for national critical infrastructure. Following in the wake of the EU's NIS2 Directive (2022/255), the CSRB seeks to address gaps that have arisen amid a shifting cyber risk environment by broadening the scope of the existing regime's coverage to capture a broader range of organisations, tighten the obligations imposed and increase the power and resources of the regulators tasked with regulating this legislation.

It is expected that CSRB will come into force during 2026.

What are the expanded thresholds and who is captured?

Changed thresholds of captured organisations	Position under NIS1	New position under the CSRB
Data Centres	Only captured if they provided a covered digital service such as a cloud computing service (IaaS/PaaS/SaaS). Simple wholesale data centre services, without providing cloud computing, generally did not make the operator a Digital Service Provider (“DSP”) and thus were not covered under NIS1.	UK data centres will be deemed as essential services if they meet the set threshold of equal to or greater than: 1 Megawatt for non-enterprise data centres; or 10 Megawatts for enterprise data centres. A non‑enterprise data centre is a facility that provides data‑hosting or processing services to external customers. An enterprise data centre is a company’s own facility that it owns or manages solely to run its own IT systems and services.
Large Load Controllers	Only electrical entities with large generators operating at a grid-critical scale were formally designated as Operators of Essential Service (“OES”) and as such brought into scope under NIS1.	Entities will now be captured if they control an aggregate electrical flow with a potential of equal to or greater than 300 Megawatts in relation to electrical vehicles (“EVs”), EV charge points, electrical heating appliances, battery storage and virtual power plants.
Relevant Digital Service Providers (RDSPs)	The definition of a "cloud computing service" was limited to 'a digital service that enables access to a scalable and elastic pool of shareable computing resources'.	The CSRB updates the definition of cloud computing service. This is defined as a digital service which: enables access to a scalable and elastic pool of shareable computing resources (such as networks, servers, software, and storage) where: there is broad remote access to the service the service is capable of being provided on demand and on a self-serve basis the pool of computing resources may be distributed across two or more locations the service is not provided solely for use for the purpose of a business; and is not a managed service.
Relevant Managed Service Providers (RMSP)	IT outsourcing and managed security services were generally out of scope of NIS1, except where they were indirectly captured through the supply chain obligations of their regulated customers or where the provider itself qualified as an OES or an RDSP (as defined under NIS1).	Organisations that provide management of information technology systems and, in doing so, obtain access to networks and information systems relied upon by their customers are brought into scope. This includes IT outsourcing, e.g. IT remote support or helpdesks or IT infrastructure management, and managed security services.
Designation of Critical Suppliers	NIS1 did not empower authorities to bring suppliers into scope as regulated persons by designation.	A competent authority (for an OES) or the Information Commissioner (for RDSPs/RMSPs) may now designate an organisation as a “critical supplier" and bring them into scope of the CSRB, if that supplier supplies goods or services to a regulated body, which could cause a significant impact on the economy or the UK as a whole should an incident occur stemming from the critical supplier.

What are the implications for in scope-organisations?

The CSRB does not in itself substantially change the core obligations under NIS1 to implement appropriate technical and organisational security measures. This is in contrast to Article 21 of EU NIS2 which sets out a minimum set of security requirements. Whether additional obligations are introduced by statutory codes of practice remains to be determined.

What are the new notification obligations?

The CSRB amends the notification requirements on all in-scope organisations. Organisations will be obligated to notify their relevant regulator of any incidents affecting, or likely to affect, the operation or security of an essential service. Crucially, the notification obligations are triggered for incidents which are capable of being significant rather than triggering incidents that have had a significant impact.

Significance is now measured according to the impact on the following factors (with factors in bold indicating the additional considerations introduced by the CSRB):

Extent of the disruption to the service;
Number of users affected and duration of the incident;
Geographical area affected; and
Whether the confidentiality, authenticity, integrity or availability of data has been compromised.

The CSRB will require:

an initial notification of a qualifying incident within 24 hours; and
a full notification within 72 hours.

It also requires copies of the notification to be sent to the National Cyber Security Centre. Importantly, all OESs (including data centres), RDSPs, and RMSPs will have to take reasonable steps to identify UK customers likely to be adversely affected and notify them as soon as reasonably practicable.

How have penalties increased for non-compliance?

The CSRB increases the penalties for non-compliance to a:

Standard maximum: The greater of £10 million and 2% of global turnover (principally for failures to provide required information); or
Higher maximum: The greater of £17 million and 4% of global turnover (principally for failures to implement appropriate and proportionate technical/organisational measures, and failures to notify incidents or potential incidents).

What greater powers have been bestowed to the Secretary of State and regulators?

The CSRB empowers regulators and the Secretary of State to issue formal information notices, conduct onsite inspections and implement a new full cost recovery regime (as opposed to the previous 'reasonable' cost recovery) which allows regulators to impose periodic fees for oversight and enforcement costs.

What is the ICO’s response?

On 23 December 2025, the ICO published its response to the CSRB: Information Commissioner’s Response to the Cyber Security and Resilience Bill | ICO. It is supportive of the legislation, in particular the expanded costs recovery power which should ensure the resources of the competent authorities. However, acknowledging the complexity of the determination of what entities are in scope and what triggers a notifiable incident, it calls on the government to create practical primary legislation, secondary legislation and guidance.

UK Updates

Key provisions in Data Use and Access Act 2025 enter into force

On 5 February 2026, the next phase of the Data (Use and Access) Act 2025 (“DUAA”) officially came into force through the publication of commencement regulations which bring most of the key provisions from the law into effect. These changes cover topics such as “recognised” legitimate interests, cookie consent exemptions and automated decision making.

Organisations should note that section 103 of DUAA, which requires organisations to implement a formal complaints procedure, is scheduled to take effect on 19 June 2026. We recommend organisations start looking now out the draft ICO guidance on complaints and start to plan what (if any) updates are required to their internal processes and privacy notices.

ICO announces formal investigation into Grok

On 3 February 2026, the ICO announced it has opened a formal investigation to X Internet Unlimited and X.AI LLC in relation to the Grok AI system and its potential to produce harmful sexualised images and content.

The ICO opened its investigation following reports that Grok had been used for generating non-consensual sexual images of individuals including children which raised concerns about whether personal data was being processed lawfully, fairly and transparently. The investigation raises questions about what types of appropriate safeguards must be designed and deployed to prevent the generation of these harmful images which has a clear overlap with the UK online safety regime as set out in the Online Safety Act 2023.

Organisations should note that the ICO mentioned it is in close contact with Ofcom, the regulator of the Online Safety Act, in relation to Grok, to ensure that the UK’s data protection and online safety laws work in tandem to protect people and mitigate harms.

ICO Publishes Update to International Transfers Guidance

On 15 January 2026, the ICO published an update to its international transfers guidance. The guidance has undergone a restructure and reword to make it clearer and address changes required by the Data (Use and Access) Act 2025 . Specific changes in the guidance which we consider helpful for organisations include:

recognition that the International Data Transfer Agreement and Addendum to the EU model clauses can be incorporated into wider contracts by reference and includes wording that should be used to do this;
further clarification of the concept of an “initiator” of the transfer, moving away from the position under the previous guidance that you consider who is ‘initiating and agreeing’ the transfer;
an explanation that you should “follow the contract” rather than actual data flows. The guidance explains that where a UK company contracts with a non-UK company but the non-UK company has a UK subsidiary which in reality receives the data flows, the transfer should be dealt with as if the data was flowing to the non-UK party that contracted for it; and
streamlining of requirements for US transfers: the guidance clarifies content required in a transfer risk assessment for transfers to the US.

Organisations should review their data transfer agreements, assessments and processes in light of this updated guidance. There are likely to be a few areas which can be streamlined in light of these updates.

ICO Releases Tech Futures Report on Agentic AI

On 8 January 2026, the ICO released its Tech Futures report on agentic AI which sets out its understanding of the technology and its early thoughts on the data protection implication organisations will have to consider during development and deployment.

The data protection risks identified by the ICO were a mixture of amplified risks already present in other forms of AI such as transparency and explainability risks, as well as risks which are novel to agentic AI such controllership for autonomous actions.

The report considers potential agentic AI use cases such as agentic commerce, workplace application, and integrated personal assistants and includes extensive references which in-house legal teams may find useful when looking to develop their knowledge of this area.

ICO fines LastPass £1.2 million following 2022 data breach

On 11 December 2025, the ICO announced that it had fined LastPass UK Limited (“LastPass”), a password manager provider, £1.2 million in connection with a data breach in 2022 comprising of personal data of 1.6 million UK users. The full penalty notice is available here: LastPass UK

The data breach, which occurred in 2022, consisted of a threat actor gaining access to employee laptops in Europe and the US, following which the threat actor accessed LastPass’s backup database and exfiltrated personal data including names, emails, phone numbers and stored URLs. The ICO found that LastPass failed to implement suitably robust technical and security measures to protect against this type of incident.

This is a sizeable fine considering the lack of sensitive nature of the data accessed and the fact there was no evidence that hackers were able to unencrypt customer passwords as these were stored locally on customer devices and not by LastPass. The full penalty notice states that “due to the nature of its business, the confidentiality of the personal data it processes and the reasonable expectations of its customers, LastPass was subject to a high level of responsibility for compliance with its security obligations” under the UK GDPR.

The ICO consistently points organisations to the National Cyber Security Centre and its own guidance which provide sources of information detailing ways to improve practices including Working from home – security checklist for employers, Data security guidance and Device security guidance. Organisations should consult this guidance regularly to ensure their own policies and procedures meet these requirements.

FCA and ICO issue clarification on Targeted Support and Direct Marketing

On 11 December 2025, the ICO and FCA published a joint statement to provide regulatory clarity on the interplay between the new FCA targeted support framework (as now set out in the FCA's policy statement (PS25/22) on the rules for targeted support), and existing direct marketing rules (the Statement). The ICO and FCA acknowledge in the Statement that firms can indeed engage with their customers about targeted support, while ensuring compliance with UK data protection rules (including PECR), this broadly aligns with our analysis on this topic which was published before the Statement was released.

The Statement outlines that firms can do so by, for example:

continuing to engage with customers to provide important messages about their finances, whether or not they have given permission for direct marketing or targeted support (e.g. warning a customer they are under-saving for retirement or telling customers about the performance of their investments or savings and the choices they have available);
considering promoting a targeted support offering in ways which are not covered by the direct marketing rules (e.g., displaying a message on the firm website or mobile application showing the same message to everyone that visits the site or logs into their online account); and
considering how to engage customers depending on their direct marketing preferences and providing clear choices (e.g., sending a message (such as an email) to customers who have not provided permission to receive direct marketing in a way which does not constitute direct marketing but ensures customers are aware of the firm's targeted support authorisation from the FCA so that the customer can choose, if they wish, to be part of it).

The FCA notes it expects the targeted support rules to take effect from 6 April 2026.

ICO announces scrutiny on children online privacy in mobile games

On 1 December 2025, the ICO announced it will be assessing how mobile game developers and platforms are applying its statutory Children’s Code in practice, with a particular focus on default privacy settings, geolocation controls and targeted advertising practices.

The ICO expects privacy-by-design to be the norm, not an aspiration. In respect of the three key areas of the review’s focus, the ICO’s Children's Code sets out:

Default privacy settings: It should be assumed that children will accept default settings and not change them, meaning that default settings should be appropriate and provide adequate protection. The ICO’s stance is that these should be high by default (unless there is a compelling reason to do otherwise).
Geolocation data: Children should be offered control over whether and how their geolocation data is used unless the use of geolocation data is intrinsic to the core service (which the ICO interprets narrowly). Optional geolocation data should be off by default.
Profiling and advertising: Much like geolocation, if profiling is intrinsic to the core service, then a privacy setting is not appropriate. Otherwise, profiling and targeted advertising which is used to fund a service should be off by default.

The ICO has continued with its priority focus on children’s personal data (see our previous Data Bytes on the ICO's review on the financial sector’s use of children’s data and the ICO's Children's Code Strategy) by targeting for review ten popular mobile games which are aimed at, or likely to be accessed by, children.

FCA prosecutes individual for data protection breach linked to fraud

On 29 October 2025, the FCA reported its first prosecution under the Data Protection Act after a former employee of Virgin Media O2 pleaded guilty to unlawfully obtaining and disclosing customers' personal data to a friend in connection with boiler room fraud which saw investors lose over £1.5 million. The former employee was fined £384 and ordered to pay a £38 surcharge and £500 towards prosecution costs.

The FCA emphasised that it intends to continue deploying all enforcement powers against those who enable crime. This signals that there is heighted regulatory scrutiny against misuse of personal data associated with financial crimes.

The ICO clarifies approach to public sector enforcement

On 11 November 2025, the ICO issued a statement clarifying how it intends to regulate UK public authorities: guidance-first, engagement-led, and with monetary penalties reserved for only the most egregious breaches.

The ICO’s bar for determining what is “egregious” appears to be practical and people-centred focusing on evidence of harm, deliberate or reckless failings, and repeated errors or infringements. Once the ICO has determined that the infringement is sufficiently egregious, it will apply the five-step approach set out in its fining guidance to calculate the fine amount.

UK Government tables new legislative amendments to prevent AI models from creating CSAM at source

On 12 November 2025, the UK Government Department for Science, Innovation and Technology announced the tabling of amendments to the Crime and Policing Bill, intended to tackle the misuse of AI models in the creation of child sexual abuse material (“CSAM”).

The press release notes that:

while possessing and generating CSAM is already illegal under UK law, the new law can tackle the growing challenges presented by AI model capabilities; and
currently the criminal liability to create and possess CSAM can mean that AI developers cannot carry out early safety testing on AI models and that CSAM can only be removed after that have been created and shared online.

The new law therefore seeks to:

empower designated bodies, such as AI developers and child protection organisations, to scrutinise AI models and ensure safeguards are in place to prevent the generation or proliferation of CSAM i.e., to prevent CSAM production "at source"; and
enable organisations to check that AI models have protections against extreme pornography and non-consensual intimate images.

EU Updates

EU: Commission consults on guideline for reasonable compensation under the Data Act

On 30 January 2026, the EU Commission released guidelines for public consultation concerning the calculation of reasonable compensation for data holders in connection with their obligations under Chapter III of the EU Data Act to make data available to data recipients. The guidelines are intended to provide clarity for IoT businesses who are data holders and have a right under Article 9 of the EU Data Act to request reasonable compensation from data recipients.

The consultation ends on 20 February 2026.

EU: Commission and Brazil adopt mutual adequacy decisions

On 27 January 2026, the EU Commission and Brazil adopted mutual adequacy decisions which allow for the free flow of information between the EU and Brazil without the need to implement appropriate safeguards such as standard contractual clauses or completed data transfer impact assessments.

According to a press release from the EU Commission, the decisions create the largest area of free and safe data flows in the world, benefitting a combined 670 million consumers across the EU and Brazil. The EU Commission will conduct a review of the adequacy decision in four years’ time.

EU: EDPB updates guidance materials on the EU-US Data Privacy Framework

On 23 January 2026, the European Data Protection Board (“EDPB”) published updated guidance on the EU–US Data Privacy Framework, including revised frequently asked questions for individuals and businesses, an updated template complaint form for submitting complaints to EU data protection authorities (“DPAs”), and updated rules of procedure governing the informal panel of EU DPAs, replacing the versions adopted in 2024. Organisations seeking to rely on the EU-US Data Privacy Framework will find the updated FAQ particularly helpful which covers topics such as vendor due diligence, onwards transfers and interplay with other transfer tools such as standard contractual clauses.

EU: Commission publishes new cyber security package

On 20 January 2026, the European Commission published a new ‘Cybersecurity Package’ consisting of a proposed Regulation referred to as ‘Cybersecurity Act 2’ of the ‘Revised EU Cybersecurity Act’ that would replace Regulation (EU) 2019/881, the current EU Cybersecurity Act ("CSA”) and a proposal for a Directive amending Directive (EU) 2022/2555, the EU NIS 2 Directive (”NIS2”). The proposals are intended to address supply-chain risks, reform the EU Cybersecurity Certification Framework, and make targeted changes to NIS 2 such as bringing providers of the EU Digital Identity Wallets into scope and introducing a new definition of “small mid-cap enterprise” which are classified as “important entities” and therefore subject to a simpler compliance obligations and oversight.

EU: Latombe files appeal with ECJ on the validity of the EU-US Data Privacy Framework

On 22 December 2025, appeal pleading documents to the Court of Justice of the European Union (“CJEU”) prepared by French MEP Philippe Latombe were published in the Official Journal of European Union concerning the politician’s attempts to overturn the EU US Data privacy Framework (“DPF”). The appeal relates to a decision by General Court’s September judgment which upheld the European Commission’s adequacy decision. Latombe disputes the EU Commission’s finding that privacy protection in the US is “substantially equivalent” to that in the EU and asks the CJEU to reassess whether the current framework meets the requirements of EU fundamental rights law.

The DPF continues to operate as a valid transfer mechanism under the EU GDPR, but doubts will remain over reliance on the DPF until the CJEU issues its binding judgement on the appeal.

EU: Commission renews adequacy decisions for UK

On 19 December 2025, the EU Commission announced it will renew the 2021 UK adequacy decisions which enable the free flow of personal data between EEA member states and the UK. The previous adequacy decisions had been extended while the Commission assessed the UK’s data protection framework and in particular the Data Use and Access Act 2025 which received royal assent in June 2025.

For organisations operating in the EEA and UK the adequacy renewal provides certainty until the next review on the ability to transfer personal data between the two jurisdictions without the need for additional safeguards such as standard contractual clauses.

EU: CJEU issues decision on information to be provided when using body cameras

On 18 December 2025, the Court of Justice of European Union (“CJEU”) issued a ruling regarding the use of body cameras by a public transport company in Stockholm, Sweden. The company was fined by the Swedish Authority data protection authority for failing to provide adequate information to passengers being recorded through body worn cameras during ticket inspections.

The CJEU clarified that data collected through the cameras was considered "direct" data collection. As a result, the relevant individuals should have been informed about the recording, regardless of whether they actively provided information or not. Organisations deploying body worn cameras should note the CJEU emphasised that individuals must receive immediate notification when they are being recorded by body cameras and may also find previously released guidance from the UK ICO a helpful resource to review.

EU: EDPB consults on recommendations on legal basis creation of user accounts on websites

On 5 December 2025, the European Data Protection Board ("EDPB") released for public consultation recommendations for data controllers on the legal basis under Article 6 of the GDPR for requiring users of e-commerce websites to create online accounts.

The EDPB notes as a general rule, users should have the option to engage with e-commerce websites, including the ability to make purchases, without creating an account to comply with the principles of data minimisation and privacy by default. Mandatory account creation can be justified according to the EDPB in a limited number of cases e.g when offering a subscription service or providing access to exclusive offers.

The recommendations serve as a reminder to organisations to carefully assess their account creation processes and ensure any mandatory account creation is genuinely necessary.

EU: Commission publishes Digital Omnibus Proposals

On 19 November 2025, the European Commission unveiled a comprehensive proposed overhaul of Europe's digital legislation in the form of the Digital Omnibus Regulation Proposal and Digital Omnibus on AI Regulation Proposal. An overview of our initial views on the proposals and what you need to know can be found here. The Omnibus proposals must pass through the EU legislative process and substantive changes to the proposals are likely.

On 21 January 2026, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) published a joint opinion on the proposal to amend the EU AI Act warning against any simplification to the legislation which would undermine the protection of fundamental rights including data protection rights.

EU: CJEU clarifies a number of points on direct marketing and soft opt-in

On 13 November 2025, in the case of Inteligo, (CJEU, C‑654/23) the CJEU clarified that an offer to access services for “free” meets the ”in the context of the sale of a product or service” requirement to benefit from the soft opt-in exception for consent to marketing under the ePrivacy Directive ("ePD"). The case concerned Inteligo Media which is the publisher of a Romanian online legal news publication avocatnet.ro. Users could read up to six articles per month, free of charge. To read more, users had to create a free account on the online platform, which meant that the user accepted the contractual terms and conditions for the provision of the Premium Service (i.e., the paid subscription service) and then obtained the right to access, free of charge, two additional articles per month, and to receive, free of charge, via email, a daily newsletter.

There has been some ambiguity to date as to whether an offer to access services for “free” meets the "in the context of the sale of a product or service” requirement and benefits from this exception. The CJEU’s decision confirms that the term “sale” does not necessarily require direct remuneration for a good or a service, and that indirect remuneration may suffice.

It also clarified that although the newsletter was informative in nature, its underlying purpose was commercial (i.e., to encourage users to reach their monthly quota for free articles, and to subscribe to the paid service) and therefore qualifies as “direct marketing”.

EU: Commission publishes report on application of Article 33 of DSA and interplay between DSA and other legal acts

On 17 November 2025, the European Commission published a report on the application of Article 33 of the Digital Services Act (“DSA”), examining how the DSA’s designation process for very large online platforms (VLOPs) and very large online search engines (VLOSEs) operates in practice and how it interacts with other EU legislation (“Report”). The Report confirms that the designation criteria, including the threshold of 45 million average monthly active recipients in the EU, remain appropriate and well-suited to a fast-evolving digital environment.

Covering 54 legal acts across areas such as data protection and privacy, audiovisual and media law, intellectual property, consumer protection, product safety, and democracy, security and justice, the Report shows how the DSA complements sector-specific rules and serves as a horizontal, fully harmonised baseline for digital platforms.

EU: Council adopts rules on handling of cross-border data protection complaints

On 17 November 2025, the Council adopted a new EU regulation (the "Regulation") to streamline how national data protection authorities handle cross-border GDPR complaints, with the aim of speeding up investigations and making enforcement more efficient. The rules harmonise the admissibility criteria for cross-border complaints across the EU and introduce common procedural guarantees, including the complainant’s involvement in the procedure, the right of companies under investigation to be heard and to receive the preliminary findings so they can comment.

The Regulation also creates a “simple cooperation” procedure for straightforward cases, allowing authorities to settle them without triggering the full cooperation mechanism. It sets clear deadlines: as a rule, investigations should be completed within 15 months, extendable by 12 months for the most complex cases, while simple cooperation procedures should be concluded within 12 months. After its publication in the Official Journal, the Regulation will enter into force 20 days later and will start applying 15 months after that date.

France: CNIL fines Ad Tech Firm EUR 1 million

On 11 December 2025, the CNIL issued a EUR 1 million penalty to an Israeli based ad tech company, Mobius Solution Ltd, for non-compliance with GDPR obligations after providing personalised advertising services to Deezer, an EU music-streaming platform. The CNIL determined that GDPR applied to the non-EU based processor under Article 3(2) GDPR, on the basis that it had monitored the behaviour of EU users by creating audience segments based on demographics and listening habits, on behalf of the controller.

Germany: NIS 2 transposed into German law

On 5 December 2025, the Act Transposing the NIS 2 Directive and Regulating Key Aspects of Information Security Management in the Federal Administration (Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Regelung wesentlicher Grundzüge des Informationssicherheitsmanagements in der Bundesverwaltung (“NIS2UmsG”) (see here, in German only) became binding in Germany.