April 3, 2026 · 7:25 am

Extension to right to erasure

The Victims and Prisoners Act 2024 (Commencement No. 10) and Data (Use and Access) Act 2025 (Commencement No. 8) Regulations 2026 were made on 31 March 2026, bringing into effect an important amendment to the UK GDPR right to erasure.

In May 2024 Parliament enacted section 31 of the Victims and Prisoners Act 2024. Section 31 inserts a new Article 17(1)(g) into the UK GDPR, which invokes the right to erasure in the case of certain unfounded malicious allegations, where:

the personal data have been processed as a result of an allegation about the data subject—
(i) which was made by a person who is a malicious person in relation to the data subject (whether they became such a person before or after the allegation was made),
(ii) which has been investigated by the controller, and
(iii) in relation to which the controller has decided that no further action is to be taken

New Article 17(4) defines a “malicious person” as one who has been convicted of a specified offence or who is subject to a stalking protection order.

At the same time para 32 of Schedule 11 of the Data (Use and Access) Act, which extends the same provisions to Scotland and Northern Ireland, is also commenced.

The provisions were introduced to the 2024 Act by way of an amendment by Stella Creasy MP, informed in part by her own experiences of an entirely false and malicious allegation, and difficulties with expunging records of it (see here).

Leave a comment

Filed under accuracy, Data (Use and Access) Act, Data Protection, erasure, Legislation, UK GDPR

Tagged as

March 28, 2026 · 8:29 am

Erasure request in Children Act proceedings

[reposted from my LinkedIn account]

This is a rather extraordinary judgment in Children Act proceedings in the Family Court, in which a person who is an unregistered barrister and holds herself out as a lawyer, started out as a lay advocate to mother, then put herself forward to care for all of the children, seeking three times to be joined as a party.

In her skeleton argument in support of her final application to be joined, the court established – in a now wearily familiar way – that there were a number of cases of citations and propositions that were included as a result of using a “widely known publicly available AI tool to assist her in preparing [the argument]”.

She then informed the court that she was unable to continue to offer a home for the children or be part of the proceedings, that she no longer wished to proceed with the assessment to be either a special guardian or foster carer for the children, and sought for her assessment to be “formally withdrawn”. At the same time she asked for her data and that of her family members in the court bundle to be destroyed.

Unsurprisingly, the judge declined to do so (X v The Transcription Agency LLP and another [2024] 1 WLR 33 applied).

But more than that, in a judgment in which all of the parties’ identities (including the applicant public authority) are anonymised, she has been named, with the judge saying that she is “…a person who holds herself out as a lawyer. She offers, or has offered, paid legal work to members of the public. This is an important consideration. I am satisfied having read her written submissions lodged since the hearing that [she] still does not really acknowledge or accept that her actions in not checking the citations and propositions she included in her skeleton argument were serious”.

I think it’s important to note that the judge expresses some (although by no means complete) sympathy for aspects of the person’s position and personal circumstances, and the judgment states that she has self-referred to the Bar Standards Board. For that reason, I’m not naming in her in this post itself.

A, B, C, D, Re (Extension of assessment; Use of AI: hallucinations) [2026] EWFC 71 (B)

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, erasure, judgments

Tagged as

March 7, 2026 · 7:39 am

Ofwat and Open Justice

On 5 March Ofwat announced its intention to fine South East Water £22m for repeated supply failures.

It transpires that South East Water has applied for permission for judicial review of the proposal, and also that it sought an injunction to restrain Ofwat from publishing its announcement, pending the outcome of the JR application.

Mr Justice Chamberlain’s dismissal of the application for the interim injunction strikes me as an important one in relation to the principle of open justice. The judgment notes that, although Ofwat, as a public authority, would not generally enjoy the benefit of Convention rights, Article 10 confers on members of the public not just the right to freedom of expression (ie to impart information) but also to receive information which a public authority wishes to publish. An order which prevented Ofwat from doing so would interfere with those Article 10 rights. By s12(3) of the Human Rights Act 1998, the court cannot make such an order on an interim basis unless it is “satisfied that the applicant is likely to establish that publication should not be allowed”.

On the facts, the judge was very far from satisfied. The allegations of public law unfairness and predetermination on the part of Ofwat appeared to have strong potential defences. And the argument that publication would have negative effects on South East Water’s credit rating, although it had some merit, had to be balanced against three other types of harm which would be caused in the scenario where interim relief was granted but the claim later failed: one harm would be to potential investors; one harm would be to South East Water’s customers, many of whom had already suffered from repeated supply issues, and who would be delayed in hearing about the proposed enforcement action by at least four months; and the final harm would be that the substantive JR proceedings would have to proceed in private, thus denying any other party (e.g. a group representing customers or consumers) to apply to file evidence or make submissions as an intervenor – that would be a “very substantial derogation from the principle of open justice, which itself would give rise to significant damage to the public interest”.

For all these reasons, interim relief was refused. As South East Water confirmed it did not intend to appeal, the notice of intent was published, as was the judgment.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Open Justice, human rights, access to information, Article 10, judgments, judicial review

Tagged as

February 18, 2026 · 8:50 am

Freemasonry, JR and data protection

The High Court has refused to give permission to apply for judicial review upon an application by representative bodies of Freemasons, and by two Freemasons who are serving officers in the Met Police. The respondent was the Commissioner of the same force, and the impugned decisions relate to a new policy under which police officers and staff of the Met who are or have been members of “an organisation that has confidential membership, hierarchical structures and requires members to support and protect each other” to declare that fact, confidentially, to their local professional standards unit.

Among the proposed challenges were claims that the policy was an unlawful interference with officers’ and staffs’ qualified Convention rights under Articles 8 (right to respect for private and family life), 10 (freedom of expression) and 11 (freedom of assembly). On an assumption that the policy involved an interference with these rights, at this permission stage, said the judge, the question was whether there was a real prospect that the Court would find any interference with ECHR rights not to be justified, and the “key question” was whether any interference with the rights was proportionate. He could answer that question “confidently…even at this early stage”: the interference was modest, and the factors on the other side of the scales were compelling.

There was also a challenge on data protection grounds, to the effect, in part, that there was no lawful basis identified for the processing, and nor were purposes or limitations identified. Furthermore, special category data was involved. In answer to this, the judge pointed to the Met’s “appropriate policy document” (see paras 5 and 39 of Sch 1 Data Protection Act 2018) which provided “sufficient clarity”.

The judge also – and here I think he fell into minor error – said that any individual claimants had an alternative remedy, by way of complaint to the Information Commissioner’s Office and “if still dissatisfied, an appeal to the First-tier Tribunal”: but as the authorities make clear, there is no right of appeal to the Tribunal under such circumstances (section 166 Data Protection Act 2018 only allows a data subject to apply for a steps Order, where the ICO has failed to take appropriate steps to investigate a complaint – it does not provide a right of appeal). I doubt very much, though, that this apparent slight error has any real substance in the round.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, judgments, judicial review

Tagged as ,

February 13, 2026 · 7:47 am

Data protection complaints – a missed opportunity

Has the Information Commissioner’s Office ducked an opportunity to improve data subjects’ rights and provide regulatory clarity to data controllers?

Section 103 of the Data (Use and Access) Act 2025, which will come into effect on 19 June this year, inserts a new section 164A into the Data Protection Act 2018. It confers a right on data subjects to make a complaint to a data controller, and imposes a duty on controllers to facilitate this, and take appropriate steps to respond to any such complaint.

Perhaps surprisingly, Parliament chose to say that controllers must acknowledge receipt of complaints within 30 days (!), but chose not to specify a time frame for actually responding to them. Instead, controllers must simply “inform the complainant of the outcome…without undue delay”.

Last year the ICO ran a consultation on draft guidance for handling data subject complaints. In their now-published summary of responses to the consultation, the ICO explained that some people who responded questioned whether the ICO should lay down some guidance for how long a controller should take to respond to a complaint. In declining to do so, the ICO says

We recognise that organisations would like us to set out a specific time period within which we expect they should investigate the complaint. The legislation says “without undue delay”, which is context dependent. We’ve therefore provided advice around how to complete the investigation “without undue delay”./This will vary from one complaint to another, and from one organisation to another. A timeframe that is justifiable for one complaint may be unjustifiable for another.

All this is true, but I don’t really buy it. Legislation will quite often provide a broad framework for a procedure, with regulators or other overseers then producing good practice guidance.

It strikes me that it would have been straightforward for the ICO to say “Complaints must be responded to without undue delay. In most cases we would expect controllers to do so within [say] 40 days. Where this timeframe is exceeded we will expect controllers to explain why this did not constitute an undue delay”.

As it is, I can readily foresee some controllers taking many months to respond. As the ICO generally won’t accept complaints themselves until the data subject has received a response from the controller, this has the potential to build in even greater delay for data subjects.

(And all that is before we get to the issue of delays at the ICO’s end, and their new approach to complaints where, in effect, they will peremptorily dismiss some.)

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data (Use and Access) Act, Data Protection, Data Protection Act 2018, Information Commissioner

Tagged as ,

February 12, 2026 · 11:56 am

Have cookies fines just became a lot more likely?

Short answer: probably not, under the current ICO regime. But the fact that PECR are now enforced under the Data Protection Act 2018, rather than the 1998 Act, makes it in principle much easier for fines for cookie contraventions to happen.

By me, on the Mishcon de Reya website:

https://www.mishcon.com/news/unlawful-cookies-a-new-avenue-for-the-ico-to-issue-fines

Leave a comment

Filed under adtech, cookies, Data Protection, Data Protection Act 2018, fines, Information Commissioner, monetary penalty notice, Personal

February 11, 2026 · 5:47 am

ICO: Chiltern Railways is an EIR public authority

Given that Chiltern Railways’ passenger franchise contract with the Department for Transport terminates next year, with plans for public ownership to take place this summer, one doubts that a recent decision by the Information Commissioner’s Office, to the effect that CR is a public authority for the purposes of the Environmental Information Regulations 2004 (EIR), will be subject to an appeal.

It’s an interesting decision in any event. CR has been operating under a franchise since 1996 – by far the longest standing such agreement involving an operator still in private hands. Nonetheless, the ICO, drawing heavily on a previous decision by the Scottish Information Commissioner in respect of Abellio Scotrail (the ICO refers to “Abelli” – just one of multiple typos and infelicities in the decision notice) has determined that the specific nature of the franchise agreement vests the government with sufficient control such as to make CR “under the control” of a government department, for the purposes of regulation 2(2)(d) of the EIR, and, as CR conceded, it is “providing a public service relating to the environment based on the nature of rail travel in England and Wales and also the environmental obligations set out in the [franchise agreement]”.

This was despite the fact that the agreement itself forbids CR from responding to any request for information under the EIR (or the Freedom of Information Act) and requires it to pass any such request to the DfT. However, as the ICO correctly points out, whether a person is an EIR public authority must be determined on the law, as applied to the facts, and the person cannot contract themselves out of a statutory obligation.

In a few years’ time the era of national rail privatisation will largely have passed, at least in terms of passenger services. My instinct is that the ICO is correct, but, unfortunately, it is not a particularly detailed and well argued decision. As I mention above, I suspect the chances of an appeal are low, which is perhaps a shame, as we might have had the chance to see the points argued out more fully.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner

Tagged as

February 7, 2026 · 9:48 am

Beware invisible law

An interesting aspect of domestic law-making is what I think of as the “invisible provisions”. Here is an example which finally made it off the statute books recently.

If, prior to the last week, you went to the Data Protection Act 1998 page on legislation dot gov dot uk, and opened the “latest version”, you would get the words:

Act repealed (except s. 62, Sch. 15 paras. 13, 15, 16, 18, 19) (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 44 (with ss. 117, 209, 210, Sch. 20 paras. 2-9, 17-25, 27-46, 53, 54, 58); S.I. 2018/625, reg. 2(1)(g)

Straightforward, then? It’s all been repealed (except for some minor provisions dealing with consumer credit and interpretation of Northern Ireland access to medical records law). And “repealed” means, “no longer in force”, yes? Well, not necessarily.

Because, what you wouldn’t see anywhere on the legislation pages for the 1998 Act, is paragraph 58 of Schedule 20 to the Data Protection Act 2018 (the Act that repealed the 1998 Act), where you will see “The repeal of a provision of the 1998 Act does not affect its operation for the purposes of the Privacy and Electronic Communications (EC Directive) Regulations 2003”.

So, even though the enforcement provisions of the 1998 Act were repealed, that repeal did not affect their operation for the purposes of enforcing PECR. They remained in effect even though they were repealed.

The commencement of section 115 of the Data (Use and Access) Act 2025 finally takes PECR enforcement away from the 1998 Act.

There are myriad examples of this. Take the Freedom of Information Act 2000. Nothing in its own provisions would suggest that its enforcement provisions also apply to the Environmental Information Regulations 2004. To understand that point, you have to refer to the Regulations themselves, which say “The enforcement and appeals provisions of the Act shall apply for the purposes of these Regulations as they apply for the purposes of the Act”.

How is one meant to know if an invisible provision is affecting a statute or other instrument? The simple answer is, you will only know if you know, or if you undertake sufficiently diligent research. Some have access to expensive legal research tools, but that’s not a luxury open to all.

All I can say is that it is a potential pitfall to be aware of, for anyone advising on the law.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data (Use and Access) Act, Data Protection Act 2018, Environmental Information Regulations, FOIA, Legislation

Tagged as ,

February 5, 2026 · 4:39 pm

DUAA commencement – what’s hot and what’s not

I’ve written for the Mishcon de Reya website on the commencement on 5 February of the majority of the data protection and eprivacy provisions of the Data (Use and Access) Act 2025: 

https://www.mishcon.com/news/data-protection-and-electronic-privacy-reform-whats-hot-and-whats-not

Leave a comment

Filed under charities, Data (Use and Access) Act, Data Protection, Data Protection Act 2018, marketing, PECR, UK GDPR

Tagged as ,

February 5, 2026 · 2:45 pm

Guardians of Data Podcast

I spoke to my old friend Ibrahim Hasan recently for his new Act Now Training New Guardians of Data Podcast.

It was good to talk about my route into the information rights practice law and my current role, but the conversation ranges widely, and goes into: what sort of work a non-lawyer like me gets involved in at a law firm; whether young professionals need to or should qualify as solicitors in order to develop a career in information law; some of the specialisms and the history of Mishcon de Reya LLP; and developments of data protection in the age of AI.

Ibrahim is a great interviewer. I hate listening to myself, but I do feel quite strongly about some of the things we discuss, and some of it might be useful to those seeking a career in the field.

Leave a comment

Filed under Uncategorized