UK data protection, GDPR, DPIAs, international transfers, data protection for AI-enabled products
On 19 March 2026, the Court of Justice of the European Union handed down its judgment in Case C-526/24 Brillen Rottler, ruling that even a first-ever data subject access request can be refused as “excessive” under Article 12(5) of the EU GDPR where the controller demonstrates it was made with abusive intent. The decision matters…
The Data (Use and Access) Act 2025 commenced on 5 February 2026, reforming automated decision-making, expanding ICO enforcement powers, and raising PECR fines to UK GDPR levels. Combined with record enforcement activity in 2025 and a new settlement procedure, the ICO is better equipped and more willing to act. What regulated businesses need to do now.
Quick answer. Ofcom’s Connected Nations 2025 report confirms UK mobile data usage rose 18% year-on-year, 5G standalone networks cover 83% of the UK population from at least one operator, full-fibre broadband reaches 78% of UK premises, and over one million households have stopped using a landline. The report is the primary independent data source for…
Quick answer. The European Commission has proposed a Digital Omnibus Regulation amending the GDPR, ePrivacy Directive, NIS2 and the Data Act, and repealing or consolidating several overlapping measures. The Commission’s Staff Working Document estimates annual administrative cost savings to business of over EUR 1.3bn once implemented. UK controllers processing EU residents’ data should track the…
Quick answer. The Judicial Office and the Information Commissioner’s Office have each published internal AI use guidelines for their own staff. The guidance is operational, not directed at industry. It illustrates the UK’s sectoral approach to AI governance: existing bodies publishing rules for their own use within their existing remits, rather than a horizontal AI…
The Data (Use and Access) Act 2025 (DUAA) introduces sweeping changes in UK data regimes, from smart-data schemes and digital verification services to amendments of the Data Protection Act 2018 and UK GDPR. Rob Bratby of bratby.law guides UK businesses through compliance, strategic opportunities, and contract implications. Essential reading for counsel, transaction teams and commercial leaders.
This article was published in June 2022 and reflects the regulatory position at that time. For current guidance on this topic, contact Bratby Law or see our latest insights.
This article was published in March 2022 and reflects the regulatory position at that time. For current guidance on this topic, contact Bratby Law or see our latest insights. Quick answer. In February 2022 the UK published two alternative sets of contracts for exporting personal data from the UK to non-adequate countries: the International Data…
This article was published in September 2021 and reflects the regulatory position at that time. For current guidance on this topic, contact Bratby Law or see our latest insights. Quick answer. The UK government published proposals on 10 September 2021 to reform UK data protection law, using post‑Brexit freedom to set separate UK rules. The…
This article was published in June 2021 and reflects the regulatory position at that time. For current guidance on this topic, contact Bratby Law or see our latest insights. On 28 June 2021, the EU Commission found that the UK provides adequate protection for personal data, enabling personal to freely flow from the EU (and…
This article was published in June 2021 and reflects the regulatory position at that time. For current guidance on this topic, contact Bratby Law or see our latest insights. Quick answer. From 27 June 2021 exporters of personal data from the EU to third countries could adopt the new EU Standard Contractual Clauses under Commission…
EU progresses revised ePrivacy Regulation