Data Bytes 66: Your UK and European Data Privacy update for June 2026
On 18 May 2026, the ICO published a blog post setting out its advice to the UK Government on potential changes to regulation 6 of the Privacy and Electronic Communications Regulations (PECR) concerning online advertising. The ICO's advice follows its review in support of government economic growth commitments, and examined where PECR’s regulation 6 consent requirements may be hindering the development of privacy-preserving advertising technologies.
The ICO's advice proposes that regulation 6 could be amended to permit certain low-risk forms of online advertising (such as contextual advertising based on content being viewed) to operate without consent, while continuing to require consent for more intrusive behavioural advertising involving tracking and profiling. This reflects the ICO's assessment that privacy risks are lower where advertising is based on context rather than a person’s past online activity. The ICO emphasised that the existing PECR rules remain in force and organisations must continue to comply with current requirements.
Alongside its advice, the ICO has published findings from its public call for views, citizen jury results and a cost-benefit analysis. The ICO warns that it will take action against organisations acting irresponsibly in online advertising delivery, particularly where users lack control and harm can occur.
Organisations involved in online advertising should monitor developments closely. While no legislative changes have been made, the ICO's advice signals a potential future framework distinguishing between low-risk contextual advertising and intrusive behavioural tracking. Organisations should continue full compliance with existing PECR consent requirements and review the ICO's updated guidance on storage and access technologies.
On 19 June 2026, Section 103 of the Data (Use and Access) Act 2025 (the DUAA) is expected to take effect, amending the Data Protection Act 2018. This provision introduces a mandatory requirement for all data controllers, regardless of size or sector, to establish and operate a formal process for handling data protection complaints from individuals. Data subjects will have a statutory right to complain directly to the controller where they consider that their personal data has been handled in breach of UK data protection law. The ICO has indicated that data subjects will generally be expected to use this internal process before escalating complaints to the ICO, although the right to complain to the ICO remains a separate statutory right.
Controllers must facilitate complaints by providing an electronic complaint form and at least one alternative route, acknowledge receipt within 30 days, investigate without undue delay, and communicate the outcome to the complainant, including informing them of their right to escalate to the ICO. The ICO's published guidance confirms that controllers must accept complaints however they are received, including by telephone, social media or in person.
To prepare, organisations should audit existing complaints processes, adapt or design a procedure that meets the DUAA requirements, update privacy notices and internal documents to reflect the new right, train staff to identify and route data protection complaints within the acknowledgement window, and develop reporting capability to track complaint volumes.
On 29 April 2026, the ICO published its finalised guidance on storage and access technologies, setting out how PECR and, where relevant, the UK GDPR apply to cookies, tracking pixels, device fingerprinting and similar technologies. The guidance reflects changes introduced by the Data (Use and Access) Act 2025 (DUAA) and incorporates updates following two public consultations.
The guidance sets out key obligations for organisations when using storage and access technologies, including when and how to procure consent and what information individuals must be provided and details two new DUAA exceptions to the consent requirement:
Importantly, even where an exception applies, organisations must still provide information about the technology’s use and offer a simple, free means to object.
Organisations using cookies, tracking pixels, device fingerprinting or similar technologies should review the finalised guidance and assess whether the new exceptions apply to current or planned uses of storage and access technologies. These exceptions are narrow and purpose-specific; the guidance provides an opportunity to refresh overall cookie compliance.
On 19 May 2026, the European Commission published draft guidelines clarifying high-risk AI system classification under the EU AI Act, alongside a targeted stakeholder consultation. Article 6 establishes two high-risk scenarios: (i) where a system is a safety component of a product (or is itself a product) covered by Annex I harmonisation legislation requiring third-party conformity assessment; and (ii) where a system falls within the use cases listed in Annex III. The draft guidelines address both categories, with practical examples to assist stakeholders in understanding the classification criteria.
Organisations developing or deploying AI systems should review the draft guidelines to assess whether their systems may be classified as high-risk. The guidelines provide significant clarity on the boundary between high-risk and non-high-risk systems: an issue that has generated considerable uncertainty since the AI Act entered into force. Providers whose systems are classified as high-risk will be subject to the full suite of obligations, including conformity assessments, risk management systems, data governance requirements, and post-market monitoring. The Commission is seeking feedback from stakeholders on these draft guidelines through a targeted consultation process.
On 19 March 2026, the CJEU delivered its judgment in Case C-526/24 (Brillen Rottler), ruling that a DSAR under Article 15 GDPR may be considered abusive and refused where it is made solely for the purpose of subsequently claiming compensation. The case involved an individual who subscribed to a company’s newsletter and submitted a DSAR thirteen days later. Evidence suggested the individual systematically subscribed to various companies’ newsletters before submitting access requests and claiming compensation. The CJEU held that under Article 12(5) GDPR, controllers may refuse excessive requests, and that in assessing abuse, all circumstances must be considered, including whether data was provided solely to exercise access rights and claim compensation.
The CJEU emphasised that the right of access exists to enable data subjects to verify the lawfulness of processing and, depending on the circumstances, to lawful processing and exercise their related rights to rectification, erasure, restriction, and objection, and their right of action where they suffer damage. A request that does not pursue any of these purposes may fall outside the protective scope of Article 15. This judgment provides welcome clarity for controllers receiving DSARs that appear part of a systematic pattern aimed at generating compensation claims. Organisations may refuse such requests where circumstances demonstrate the request is made solely to manufacture a damages claim. However, the burden of demonstrating abuse remains on the controller, and blanket refusal policies would be inappropriate and each case must be assessed on its individual facts.
On 30 April 2026, the Berlin Higher Regional Court (Kammergericht) dismissed the collective redress action brought by Dutch foundation Stichting Onderzoek Marktinformatie ("SOMI") against X (formerly known as Twitter) for alleged GDPR violations.
SOMI sought at least EUR 750 per registered X user in Germany for allegedly unlawful data processing, claiming that X collected, combined and evaluated user data extensively without valid consent to deliver personalised advertising, and an additional EUR 250 per user affected by a specific data leak. The Kammergericht held that the claims are not "essentially similar" (wesentlich gleichartig) within the meaning of the German collective redress regime because they depend on the individual circumstances of each data subject. Non-material damages under the GDPR require proof that a breach of data protection law actually caused damage to the specific data subject. While a mere loss of control over personal data can in principle constitute compensable harm, the court found that whether such loss of control occurred – and if so, its extent and duration – can only be assessed on a case-by-case basis. The same applies to aggravating factors such as anxiety, negative feelings or misuse of personal data by third parties.
The ruling is not yet final; SOMI may appeal to the Federal Court of Justice within one month.
The decision signals that German courts may set a high threshold for collective GDPR damages actions where individual damage assessments are required. Companies facing mass non-material damages claims under Article 82 GDPR can point to this ruling to argue that such claims are inadequate for collective redress because the existence, extent and duration of damage depend on individual data subject circumstances. Companies should monitor whether the BGH confirms this approach on appeal, as it could significantly limit the viability of large-scale GDPR damages litigation in Germany.
In May 2026, the ICO and the National Cyber Security Centre (NCSC) each published separate but complementary guidance addressing cybersecurity risks associated with AI.
On 15 May 2026, the NCSC published a blog post summarising new joint guidance (co-authored with international partners) entitled "Careful adoption of agentic AI services". Agentic AI systems differ from conventional generative AI in that they can access data sources, remember context, make decisions, use tools and take actions in pursuit of a goal — often without continuous human intervention. The guidance is aimed at anyone involved in the design, development, deployment and operation of agentic AI systems.
The NCSC emphasises that while many risks associated with agentic AI are not new (including access control, secure development, supply chain risk, monitoring and incident response), the extra autonomy and complexity of agentic systems can increase the attack surface and make behaviour harder to predict. Agentic AI systems also inherit known large language model (LLM) risks such as susceptibility to jailbreaking and prompt injection. Key recommendations include:
In a complementary publication, the ICO published a blog setting out five practical steps organisations should take to protect themselves from AI-powered cyber threats. These five steps are:
Organisations deploying or considering deploying agentic AI systems should assess whether their existing cybersecurity frameworks adequately account for the additional risks posed by autonomous AI agents. Equally, all organisations — regardless of whether they are using AI — should review their cybersecurity posture against the ICO's five-step framework, given the increasing sophistication of AI-powered attacks. The ICO's guidance makes clear that organisations processing personal data have a responsibility to protect that data against AI-enabled threats, and failure to do so could result in regulatory action. . Our article available here unpacks what AI-enabled threats means in practice and outlines the key questions and actions for boards, legal and risk teams.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.
Editorial Disclaimer
Originally published before the Ashurst Perkins Coie combination. See disclaimer.