Legal development

Data Bytes 66: Your UK and European Data Privacy update for June 2026

    UK Data protection update

    Key Updates

    ICO publishes advice to UK Government on potential changes to online advertising rules

    On 18 May 2026, the ICO published a blog post setting out its advice to the UK Government on potential changes to regulation 6 of the Privacy and Electronic Communications Regulations (PECR) concerning online advertising. The ICO's advice follows its review in support of government economic growth commitments, and examined where PECR’s regulation 6 consent requirements may be hindering the development of privacy-preserving advertising technologies.

    The ICO's advice proposes that regulation 6 could be amended to permit certain low-risk forms of online advertising (such as contextual advertising based on content being viewed) to operate without consent, while continuing to require consent for more intrusive behavioural advertising involving tracking and profiling. This reflects the ICO's assessment that privacy risks are lower where advertising is based on context rather than a person’s past online activity. The ICO emphasised that the existing PECR rules remain in force and organisations must continue to comply with current requirements.

    Alongside its advice, the ICO has published findings from its public call for views, citizen jury results and a cost-benefit analysis. The ICO warns that it will take action against organisations acting irresponsibly in online advertising delivery, particularly where users lack control and harm can occur.

    Organisations involved in online advertising should monitor developments closely. While no legislative changes have been made, the ICO's advice signals a potential future framework distinguishing between low-risk contextual advertising and intrusive behavioural tracking. Organisations should continue full compliance with existing PECR consent requirements and review the ICO's updated guidance on storage and access technologies.

    Data Subject Right to Complain to an Organisation

    On 19 June 2026, Section 103 of the Data (Use and Access) Act 2025 (the DUAA) is expected to take effect, amending the Data Protection Act 2018. This provision introduces a mandatory requirement for all data controllers, regardless of size or sector, to establish and operate a formal process for handling data protection complaints from individuals. Data subjects will have a statutory right to complain directly to the controller where they consider that their personal data has been handled in breach of UK data protection law. The ICO has indicated that data subjects will generally be expected to use this internal process before escalating complaints to the ICO, although the right to complain to the ICO remains a separate statutory right.

    Controllers must facilitate complaints by providing an electronic complaint form and at least one alternative route, acknowledge receipt within 30 days, investigate without undue delay, and communicate the outcome to the complainant, including informing them of their right to escalate to the ICO. The ICO's published guidance confirms that controllers must accept complaints however they are received, including by telephone, social media or in person.

    To prepare, organisations should audit existing complaints processes, adapt or design a procedure that meets the DUAA requirements, update privacy notices and internal documents to reflect the new right, train staff to identify and route data protection complaints within the acknowledgement window, and develop reporting capability to track complaint volumes.

    ICO publishes final guidance on storage and access technologies

    On 29 April 2026, the ICO published its finalised guidance on storage and access technologies, setting out how PECR and, where relevant, the UK GDPR apply to cookies, tracking pixels, device fingerprinting and similar technologies. The guidance reflects changes introduced by the Data (Use and Access) Act 2025 (DUAA) and incorporates updates following two public consultations.

    The guidance sets out key obligations for organisations when using storage and access technologies, including when and how to procure consent and what information individuals must be provided and details two new DUAA exceptions to the consent requirement:

    • The "statistical purposes" exception — consent is not required if the sole purpose is collecting statistical information about how a service is used, with a view to making improvements. The ICO clarifies this relates to analytics about service usage, not user identification. Third-party providers may be used but must act as processors.
    • The "appearance" exception — consent is not required if the sole purpose is adapting the service’s appearance or functionality in line with user preferences. This does not extend to adapting content based on known or inferred user interests.

    Importantly, even where an exception applies, organisations must still provide information about the technology’s use and offer a simple, free means to object.

    Organisations using cookies, tracking pixels, device fingerprinting or similar technologies should review the finalised guidance and assess whether the new exceptions apply to current or planned uses of storage and access technologies. These exceptions are narrow and purpose-specific; the guidance provides an opportunity to refresh overall cookie compliance.

    UK: In Case You Missed It

    • On 27 May 2026, Ofcom fined pornography provider Youngtek Solutions Ltd a total of £600,000 comprising £500,000 for failing to implement highly effective age assurance to prevent children from accessing pornographic content on its four adult sites (between 25 July 2025 and 22 September 2025) in breach of the Online Safety Act, and a further £100,000 for failing to respond to a formal information request from Ofcom within the required deadline. The company has since implemented age assurance methods on all sites subject to the investigation. See more details here.
    • On 25 May 2026, the Australian and UK Governments signed a new Memorandum of Understanding (MoU) to deepen cooperation on the responsible development, deployment, governance and use of safe and trustworthy AI. The MoU was signed during the visit to Australia by UK Minister for AI and Online Safety, Kanishka Narayan MP, and will deepen cooperation between the Australian AI Safety Institute and the UK AI Security Institute. Under the MoU, the two countries will collaborate by sharing information on emerging AI capabilities and risks, conducting joint research including novel approaches to measure, test and manage risks, and supporting the International Network for Advanced AI Measurement, Evaluation and Science. See more details here.
    • On 1 April 2026, the ICO confirmed that Reddit had appealed its £14.47 million monetary penalty notice to the First-tier Tribunal. As previously reported, the ICO fined Reddit on 24 February 2026 for processing children's personal data without a lawful basis — specifically through its failure to implement appropriate age assurance mechanisms — and for failing to conduct a DPIA focusing on risks to children. See more details here.
    • On 12 May 2026, The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026 (SI 2026/425) came into force, requiring the Information Commissioner to prepare a code of practice on the processing of personal data under the UK GDPR and the Data Protection Act 2018 in relation to developing and using AI and automated decision-making. In parallel, the ICO is consulting on draft (non-binding) guidance on automated decision-making, with responses due by 29 May 2026. See more details here.
    • On 11 May 2026, the ICO fined South Staffordshire Plc and South Staffordshire Water Plc £963,900 following a cyber attack that resulted in the personal information of 633,887 people being extracted and published on the dark web. The attack, traceable to September 2020 but largely occurring between May and July 2022, exposed failures including limited access controls, inadequate monitoring and logging (only 5% of the IT environment was monitored), use of obsolete unsupported software and inadequate vulnerability management. The final penalty reflects a 40% reduction following South Staffordshire's early admission of liability and agreement to pay without appeal. See more details here.
    • On 13 May 2026, the King's Speech opened the new Parliamentary session, which contained several announcements relevant to the broader data and digital landscape: the "Regulating for Growth Bill" aims to reduce the burden of “unnecessary regulation”, including cross-cutting AI sandboxes and, once again, requiring regulators to prioritise growth; the "Digital Access to Services Bill" puts Digital ID on a statutory footing for public services, building on the digital verification framework in the DUAA and the “Police Reform Bill” creates a legal framework underpinning how law enforcement may use facial recognition and biometric technologies.

    EU Data protection update

    Key Updates

    EU Commission publishes draft guidelines on classification of high-risk AI systems

    On 19 May 2026, the European Commission published draft guidelines clarifying high-risk AI system classification under the EU AI Act, alongside a targeted stakeholder consultation. Article 6 establishes two high-risk scenarios: (i) where a system is a safety component of a product (or is itself a product) covered by Annex I harmonisation legislation requiring third-party conformity assessment; and (ii) where a system falls within the use cases listed in Annex III. The draft guidelines address both categories, with practical examples to assist stakeholders in understanding the classification criteria.

    Organisations developing or deploying AI systems should review the draft guidelines to assess whether their systems may be classified as high-risk. The guidelines provide significant clarity on the boundary between high-risk and non-high-risk systems: an issue that has generated considerable uncertainty since the AI Act entered into force. Providers whose systems are classified as high-risk will be subject to the full suite of obligations, including conformity assessments, risk management systems, data governance requirements, and post-market monitoring. The Commission is seeking feedback from stakeholders on these draft guidelines through a targeted consultation process.

    CJEU: A data subject access request may be refused where it is made solely to claim compensation

    On 19 March 2026, the CJEU delivered its judgment in Case C-526/24 (Brillen Rottler), ruling that a DSAR under Article 15 GDPR may be considered abusive and refused where it is made solely for the purpose of subsequently claiming compensation. The case involved an individual who subscribed to a company’s newsletter and submitted a DSAR thirteen days later. Evidence suggested the individual systematically subscribed to various companies’ newsletters before submitting access requests and claiming compensation. The CJEU held that under Article 12(5) GDPR, controllers may refuse excessive requests, and that in assessing abuse, all circumstances must be considered, including whether data was provided solely to exercise access rights and claim compensation.

    The CJEU emphasised that the right of access exists to enable data subjects to verify the lawfulness of processing and, depending on the circumstances, to lawful processing and exercise their related rights to rectification, erasure, restriction, and objection, and their right of action where they suffer damage. A request that does not pursue any of these purposes may fall outside the protective scope of Article 15. This judgment provides welcome clarity for controllers receiving DSARs that appear part of a systematic pattern aimed at generating compensation claims. Organisations may refuse such requests where circumstances demonstrate the request is made solely to manufacture a damages claim. However, the burden of demonstrating abuse remains on the controller, and blanket refusal policies would be inappropriate and each case must be assessed on its individual facts.

    Higher Regional Court of Berlin dismisses collective GDPR damages action against X

    On 30 April 2026, the Berlin Higher Regional Court (Kammergericht) dismissed the collective redress action brought by Dutch foundation Stichting Onderzoek Marktinformatie ("SOMI") against X (formerly known as Twitter) for alleged GDPR violations.

    SOMI sought at least EUR 750 per registered X user in Germany for allegedly unlawful data processing, claiming that X collected, combined and evaluated user data extensively without valid consent to deliver personalised advertising, and an additional EUR 250 per user affected by a specific data leak. The Kammergericht held that the claims are not "essentially similar" (wesentlich gleichartig) within the meaning of the German collective redress regime because they depend on the individual circumstances of each data subject. Non-material damages under the GDPR require proof that a breach of data protection law actually caused damage to the specific data subject. While a mere loss of control over personal data can in principle constitute compensable harm, the court found that whether such loss of control occurred – and if so, its extent and duration – can only be assessed on a case-by-case basis. The same applies to aggravating factors such as anxiety, negative feelings or misuse of personal data by third parties.

    The ruling is not yet final; SOMI may appeal to the Federal Court of Justice within one month.

    The decision signals that German courts may set a high threshold for collective GDPR damages actions where individual damage assessments are required. Companies facing mass non-material damages claims under Article 82 GDPR can point to this ruling to argue that such claims are inadequate for collective redress because the existence, extent and duration of damage depend on individual data subject circumstances. Companies should monitor whether the BGH confirms this approach on appeal, as it could significantly limit the viability of large-scale GDPR damages litigation in Germany.

    Europe: in case you missed it

    • On 14 April 2026, the EDPB adopted a standardised DPIA template and opened a public consultation running until 9 June 2026. The non-mandatory template provides pre-defined fields to help organisations structure and harmonise their DPIA processes. Following the consultation, all EU supervisory authorities are expected to adopt the template either as their sole standard or as a compatible "meta-template" with which national templates will be compatible. Organisations are encouraged to use the template and provide feedback during the consultation period. See more details here.
    • On 20 April 2026, the EU issued Delegated Regulation 2026/881 on delaying cybersecurity vulnerability notifications. This Regulation supplements the Cyber Resilience Act by specifying conditions under which CSIRTs may delay disseminating vulnerability and incident notifications, for example, where further dissemination could enable malicious exploitation of unpatched vulnerabilities, or where a coordinated vulnerability disclosure is ongoing. CSIRTs must immediately inform ENISA of any delay decision. Manufacturers should familiarise themselves with this notification framework. See more details here.
    • On 8 May 2026, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) fined MLU B.V. (Yango taxi app operator, a Yandex subsidiary) €100 million for unlawfully transferring sensitive personal data to Russia without adequate safeguards. A joint Dutch, Norwegian and Finnish investigation found deficient SCCs, including use of the wrong module and encryption keys stored in Russia. The decision reinforces that SCCs alone are insufficient for transfers to high-risk jurisdictions. See more details here.
    • On 21 May 2026, Austria’s Federal Administrative Court upheld an order requiring broadcaster ORF to redesign its cookie consent banner to provide equally prominent "Accept All" and "Only Necessary" options. The Court found the original design, which used a blue background on the "Accept All" button versus less prominent alternatives constituted "nudging" that violated Article 4(11) GDPR by failing to enable free and genuine choice. The Court rejected ORF's argument that the absence of detailed binding provisions on cookie banner design rendered the order unlawful, holding that the issue was whether the design permitted users to make a voluntary and genuine choice, not whether the GDPR prescribes a specific design. This decision underscores the continued regulatory and judicial scrutiny of dark patterns in cookie consent mechanisms across the EU. See more details here.
    • On 26 May 2026, the CNIL fined IQVIA Operations France for failing to comply with health data warehouse authorisations. Investigations revealed pharmacies did not inform customers that data was transferred to IQVIA — as data controller, IQVIA bore responsibility for information obligations regardless of delegation to pharmacists. Additional breaches included unauthorised studies and privacy-by-design failures in pharmacy software. See more details here.
    • On 19 May 2026, the AEPD fined Ares Capital €200,000 for excessive employee monitoring, including monitoring via employees' private mobile phones. This case underscores GDPR proportionality requirements when deploying workplace surveillance technologies. See more details here (in Spanish).

    Spotlight on the ICOs and NCSC's AI-related cybersecurity guidance

    In May 2026, the ICO and the National Cyber Security Centre (NCSC) each published separate but complementary guidance addressing cybersecurity risks associated with AI.

    NCSC guidance on agentic AI

    On 15 May 2026, the NCSC published a blog post summarising new joint guidance (co-authored with international partners) entitled "Careful adoption of agentic AI services". Agentic AI systems differ from conventional generative AI in that they can access data sources, remember context, make decisions, use tools and take actions in pursuit of a goal — often without continuous human intervention. The guidance is aimed at anyone involved in the design, development, deployment and operation of agentic AI systems.

    The NCSC emphasises that while many risks associated with agentic AI are not new (including access control, secure development, supply chain risk, monitoring and incident response), the extra autonomy and complexity of agentic systems can increase the attack surface and make behaviour harder to predict. Agentic AI systems also inherit known large language model (LLM) risks such as susceptibility to jailbreaking and prompt injection. Key recommendations include:

    • Start small — use agents only for low-risk tasks and apply established cybersecurity controls from the outset;
    • Apply least privilege — give agents only the minimum access they need, for the shortest time required;
    • Limit scope — constrain what an agent can access, what actions it can take and when;
    • Define accountability clearly — be clear about who owns the system, who approves its access, who monitors its behaviour, who reviews incidents and who can stop it; and
    • Plan for failure — including how you would respond to incidents involving agentic systems.

    ICO guidance on AI-powered cyber threats

    In a complementary publication, the ICO published a blog setting out five practical steps organisations should take to protect themselves from AI-powered cyber threats. These five steps are:

    1. Know what you're up against — the main AI-powered risks include deepfake-enhanced phishing, automated vulnerability discovery, data poisoning and indirect prompt injection attacks; the NCSC has updated its Cyber Assessment Framework to reflect AI threats explicitly;
    2. Train people and embed a security culture — staff awareness training should be updated to reflect the current AI threat landscape;
    3. Restrict access points — implement multi-factor authentication, enforce strong password policies, apply the principle of least privilege, and map supply chain access;
    4. Improve detection, monitoring and incident response — implement comprehensive security monitoring and maintain and regularly test incident response plans; and
    5. Protect personal data — adopt data minimisation and storage limitation principles, conduct regular data audits, train staff on AI-powered social engineering attacks and ensure appropriate DPIAs and safeguards are in place for AI tools that process high-risk personal data.

    Organisations deploying or considering deploying agentic AI systems should assess whether their existing cybersecurity frameworks adequately account for the additional risks posed by autonomous AI agents. Equally, all organisations — regardless of whether they are using AI — should review their cybersecurity posture against the ICO's five-step framework, given the increasing sophistication of AI-powered attacks. The ICO's guidance makes clear that organisations processing personal data have a responsibility to protect that data against AI-enabled threats, and failure to do so could result in regulatory action. . Our article available here unpacks what AI-enabled threats means in practice and outlines the key questions and actions for boards, legal and risk teams.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.

    Editorial Disclaimer

    Originally published before the Ashurst Perkins Coie combination. See disclaimer.