Technology Briefing – December 2025

Welcome to our inaugural technology briefing, designed to keep you updated on the latest legal and regulatory developments in the technology sector.

In this edition, we explore the implications of the Getty Images v Stability AI ruling, practical steps for managing AI risks, and the latest updates in data protection law. We also examine new measures aimed at tackling ransomware threats and provide guidance on safeguarding sensitive information following the ChatGPT share feature breach.

Additionally, we showcase our collaboration with legal AI platform Legora, and share key highlights from recent industry events, including the SCL AI Conference and the ITechLaw European Conference.

IN RECENT NEWS


Model behaviour: Stability AI’s model is not an “infringing copy”, but legality of AI training remains unresolved

In the recent judgment in Getty Images v Stability AI [2025], the High Court considered whether the generative AI model Stable Diffusion infringed copyright in works owned by/licensed to Getty Images, and further whether the model outputs infringed Getty Images’ trade marks. Getty argued that millions of its images had been used without permission to train the Stable Diffusion model, and that the model itself was therefore an infringing copy of the works.



Managing risks and opportunities with AI

In a GC100 poll of 106 companies, 8% of respondents reported they already regularly used Co-Pilot and Teams Premium for transcription of initial draft minutes; since then, there has been an influx of providers in the market that can prepare agendas, summarise discussions, and draft lists of action points. Before employing such AI tools in your company, it is essential to consider whether the use of AI is appropriate, and, if so, whether all the necessary risk-mitigation steps have been taken.



HARBOTTLE HIGHLIGHTS

Early adopters of Legora

Legora recently announced the completion of a Series C round of $150 million at a $1.8 billion valuation. We were the third law firm in the UK to partner with Legora earlier this year.

It is a secure, purpose-built legal AI designed for lawyers to streamline legal workflows and enhance productivity. The solution accelerates and enhances legal reviews through AI-powered playbooks, guiding juniors in the process.

The solution is capable of reviewing, comparing, and summarising lengthy documents, as well as extracting critical clauses, and analysing their content to support decisions on matters of law and risk.



SCL annual conference

We attended the 2025 Society for Computers & Law (SCL) AI Conference: AI Law – what every business (and their lawyers) needs to know. As ever, the event was fully booked and offered a fantastic day of insightful discussions and debates on the development, interpretation, and implementation of AI law across businesses, government and the legal industry.


ITechLaw

On 30 October, partner Lizzie Williams spoke at the ITechLaw Association’s 2025 European Conference. As a member of ITechLaw and its Dispute Resolution Committee, Lizzie appeared on a panel to share her insights and experience on commercial disputes involving AI. The conference brings together legal professionals, tech innovators and industry leaders from around the world to discuss key topics and challenges in tech law including AI, data privacy and cybersecurity.


Safeguarding your business in the wake of the ChatGPT share breach

In today’s fast-paced digital landscape, businesses are increasingly leveraging Artificial Intelligence (AI) tools such as OpenAI’s ChatGPT to streamline operations.

However, recent developments surrounding the now-discontinued “share” feature of ChatGPT should serve as a critical reminder of the importance of robust data governance and proactive measures to safeguard sensitive information, such as personal data and confidential business information.



New measures announced to tackle ransomware attacks: what does this mean for business?

Earlier this year, the UK government unveiled a set of measures designed to curb ransomware attacks and protect critical public and private sector services. Following public consultation, these steps aim to dismantle the business model of cyber criminals while fortifying national resilience against cyber threats.



Data protection update

This update outlines key changes, including the Data (Use and Access) Act 2025, which introduces reforms like a new lawful basis for data use, cookie exemptions and complaint procedures. The UK’s data adequacy status is likely to be extended to 2031, a Court of Appeal ruling confirmed compensation for non-material damage is recoverable, and plans for a secure digital ID scheme are underway. ICO consultations and enforcement actions on data breaches are also highlighted.


Please contact our technology experts if you would like to discuss anything in this briefing.

Trump saves TikTok: Influencing the influencers

President Trump will reverse the TikTok ban within hours of being sworn in as President of the United States, as he promises to find a solution for the 170 million TikTok users in the United States (US). The US ban officially came into force at midnight on 19 January 2025.

The US, and President Trump’s ‘new best friend’ Elon Musk, know a lot about the power of social media, but can we really expect TikTok to sell to a US company? The US played a game of chicken with TikTok and it didn’t flinch – shutting its US site down, rather than handing over control. With the potential of a foreign adversary having access to its population, and the mass market data TikTok controls, the US would prefer to trust one of its own with such power.

Social media is a powerful tool for influencing its users, and it is clear that the US would prefer to keep control of its influencers rather than allow the Chinese to wield such influence. The TikTok ban has highlighted a much bigger issue, which is the power of social media and mass market data sets. Can we trust social media platforms with such data, irrespective of where they are based? The need for proper regulation and governance is clear and this must be addressed. Even in the land of the free, who is guarding the gatekeepers?

Alleged ‘Smear Campaigns’ under the legal spotlight in the UK and USA

A recent UK judgment and a number of US court claims have referenced allegations of sophisticated ‘smear campaigns’ being conducted against the claimants by business or personal rivals.

Last week saw judgment on a preliminary issue in Marinakis v Karipidis & Ors*, a claim brought by the owner of Nottingham Forest Football Club who has sued a number of people and companies who he alleges have conducted a defamatory public relations campaign against him. It is said that this has involved the creation of websites, videos, social media posts, and even mobile advertising boards, to make serious allegations against him disguised as a ‘grassroots’ campaign by Nottingham Forest fans. The claim continues.

In unrelated disputes, a number of US celebrities have also recently alleged they are the target of ‘hostile’ campaigns by others, designed to damage their reputation, and have commenced legal proceedings in response. It has been reported that these campaigns involved widespread inauthentic social media postings, and other attempts to establish public narratives critical of the claimants.

One similarity between the UK and one US case is evidence obtained by claimants from Public Relations firms alleged to have been involved.

The legal risks of engaging in such campaigns are obvious.

*Marinakis v Karipidis & Ors [2025] EWHC 13 (KB) (10 January 2025)

Meta to end third party fact checking

Mark Zuckerberg’s announcement that Meta will end its third party fact checking programme is the latest threat to the integrity of online data.

We live in a world where misinformation can spread quickly, and where bots and targeted posts can be used to push false stories. The harm is greater when large parts of society now obtain their news solely from social media and chat groups, and when algorithms push “stories for you” to specific user groups, entrenching beliefs and polarising positions. This is the same no matter which side of a debate you are on.

Meta says it has programmes in place to spot misinformation, and it will rely on its own community to moderate content, but the potential for misuse is huge, and the need to guard against misinformation is greater than ever. If we are being generous perhaps Zuckerberg felt like King Canute, unable to stem the tide of misinformation flooding the beach.

This latest development highlights the need for a comprehensive strategy to deal with misinformation on social media. This can include calling out false claims, enforcing social media terms of use, which prevent the posting of harmful and unlawful content, or taking action through the courts.

All of this is turbocharged by AI, which harnesses its data from the net, so misinformation cannot be left unchecked. Apple has faced calls to withdraw its AI feature that has been pushing out inaccurate summaries of BBC content to its latest AI-enabled iPhones.

There is of course an old-fashioned technology that is fact checked, and that is held accountable through editorial and legal processes. It is found with traditional newspapers and broadcasters. If we can respect proper journalism with accuracy at its core, it will benefit us all.

The UK’s data protection regulator publishes a new code of conduct for UK private investigators and litigation services

On 13 November, the Information Commissioner’s Office (ICO) approved and published a new sector-owned code of conduct – the Association of British Investigators Limited (ABI) UK GDPR Code of Conduct for Investigative and Litigation Support Services (Code).

What is the Code?

The Code seeks to address key challenges faced by investigators and enable code members to demonstrate compliance with specific areas of data protection law in the provision of investigative and litigation support services.

It aims to provide sector-specific guidance and to increase accountability in handling personal data. As such, by complying with the Code, you are complying with data protection laws in the UK.

The Code includes advice, guidance, and practical examples in relation to:

  • the roles and responsibilities of investigators;
  • how to conduct Data Protection Impact Assessments;
  • identification of the lawful basis for processing personal data;
  • Legitimate Interests Assessments including for invisible processing such as covert surveillance, tracking devices, background checks and social media monitoring; and
  • consent to share when tracing and locating individuals in certain cases.

How does the Code help your private investigation or litigation service?

  • Public confidence: Verified adherence to the Code is intended to give confidence to users and subjects of investigative and litigation support services. It demonstrates that Code members comply with key aspects of data protection law and operate to a high standard in key areas.
  • Reduce risk and enforcement action: Showing compliance with the Code reduces the risks of enforcement action from the ICO. This means you are less likely to receive fines, reprimands or other regulatory action in the event of a breach of data protection laws.
  • Due diligence carried out by users: Users of investigation and litigation services (particularly other businesses who are controllers) should be carrying out diligence on service providers. Your prospective clients may check whether you adhere to the Code when they are carrying out due diligence prior to instructing you.

Can I sign up to the Code? If so, how?

Investigators and litigation services can voluntarily sign up for the Code, and Code membership is managed by an independent ICO-approved and UKAS-accredited monitoring body. Code members must satisfy the monitoring body that they meet the requirements explained in Appendix I to the Code. Such requirements include:

  • Administrative evidence: Such as registration with the ICO, basic DBS disclosure, two references, finance checks and CV.
  • Training: Satisfactory completion and maintenance of data protection training to the level comparable to the ABI UK GDPR compliance workshop, or training to an equivalent standard on the areas covered by the Code – including data protection impact assessments, lawful bases and more.
  • Roles and responsibilities: Evidence that the Code member has documented and communicated to its client the roles and responsibilities in respect of the data processing undertaken in the delivery of Code services. This could be evidenced for example by providing a copy of the client engagement letter and/or contract.
  • Case extracts: Samples of Data Protection Impact Assessments, lawful bases relied on and Legitimate Interest Assessments, in particular for children. The Code notes that Code members must not maintain a register of criminal convictions.
  • Complaints: Evidence of any complaints received by the Code member from individuals in relation to data protection and the steps the Code member took to respond to the complaint and where relevant, evidence that in relation to monitoring body investigations of alleged breaches of the Code, the Code member has communicated with the monitoring body in accordance with the Code and the cooperation criteria in this Code.

The Code builds on the existing standards and criteria required for ABI membership. However, Code members are not required to be ABI members, and Code membership is available to any sector agency that meets the Code member criteria at Appendix I to the Code, whether affiliated to the ABI or not.

What to do next?

We can assist you with your data protection compliance programme ahead of signing up to the Code. The following checklist describes the compliance steps that we suggest covering:

  • Registration with the ICO: As a data controller you are obliged to pay a fee to the ICO depending on your size.
  • Records of processing activity: This document explains what data you process, how, who it is shared with and why. This is a legal requirement under GDPR (in most cases) but in any case will be a necessary exercise in order to satisfy the other requirements below.
  • Privacy policies: Such as website privacy policy, employees privacy policy, recruitment privacy policy, privacy policy for users and third parties subject to the services – this is to comply with transparency requirements.
  • Cookie audit: Policy and mechanism cookie banner – this is the consent mechanism that allows you to drop cookies. A good cookie banner will be tailored to your needs and allow users to decide what type of cookies they want. This is a requirement under the electronic marketing rules.
  • Assessments: Such as Data Protection Impact Assessments, Legitimate Interests Assessments and Transfer Risk Assessments – this is to demonstrate your compliance and prove accountability.
  • Supplier onboarding checklist and procedure and template data sharing clauses: To ensure you have carried out due diligence on any third parties you choose to use to help fulfil your services.
  • Data protection rights procedure: This document sets out how to manage DSARs and other requests in relation to an individual’s data. Dealing with these requests is a legal requirement; getting it wrong can lead to fines and to reputational damage.
  • Security incident management policy: This document sets out what each team needs to do in the event of a data breach. Dealing with these requests is a legal requirement; getting it wrong can lead to fines and to reputational damage.
  • Regular privacy training: We can provide introductory or further training sessions depending on what your staff have already received. In order to comply with your security obligations you must train people to ensure that human error is avoided to the extent possible and that they understand what the GDPR requirements are.
  • Data handling policy: This policy contains an explanation of why data protection is important and how you and your staff can comply with data protection laws on a day-to-day basis.
  • BYOD and acceptable use policy: This policy would contain rules on how employees are allowed to use their personal devices including acceptable use practices.
  • Data security policy: This policy documents how you keep data safe from an organisational and technical perspective.
  • Data retention policy: This document explains how long you keep each type of data.

If you would like more information, please feel free to reach out to one of our dedicated data protection lawyers, or if you would like to keep up to date on the latest in data protection, please subscribe to our newsletter, The Data Download, here.

Further details about the Code can be found here.

Family Mediation Week 2024

22 to 26 January 2024 marks Family Mediation Week 2024, an annual event run by the Family Mediation Council (“FMC”) devoted to raising awareness of mediation and the ways in which it can help and benefit separating couples and their families.

Throughout the week, the FMC publishes resources and information about mediation and hosts events for the public, lawyers, other professionals working with separating families, and mediators.

Mediation is one of a number of different processes (referred to collectively as ‘Non-Court Dispute Resolution’ (“NCDR”)) which can assist separating couples with resolving financial or children-related issues arising from the breakdown of a relationship, if they wish to avoid the stress and expense of court proceedings. Mediation typically involves a trained professional – the mediator – assisting the separating couple in negotiating an agreement by exploring solutions in a structured, consensual manner. The process is ‘without prejudice’, meaning that if the separating couple cannot reach an agreement and end up embarking on court proceedings afterwards, their discussions in mediation cannot be referred to in court. Mediators are independent and impartial and do not provide legal advice. Separating couples can therefore choose to have their respective solicitors ready to advise as and when needed (or even attend the mediation with them).

The benefits of mediation 

If mediation is appropriate, it can have significant benefits:

  1. Reduced costs;
  2. Reduced conflict, which will help maintain a positive co-parenting relationship post-separation;
  3. A forum in which the separating couple can listen to one another and reach a tailor-made agreement which suits their family’s needs and has the flexibility to go beyond what a court would order; and
  4. Retaining control over the outcome, instead of giving up control to a judge.

It is important to note that mediation will be more constructive where there is trust and respect between the separating couple and a mutual willingness to engage in the process and make compromises where it is reasonable to do so. Where finances are being discussed, the first important step is for both to have a clear understanding of the financial landscape, often by agreeing a schedule of assets, liabilities and income or exchanging financial disclosure on a voluntary basis in advance of mediation. A further cost-saving benefit of mediation is that, unlike in court proceedings where both parties are required to provide ‘full and frank’ financial disclosure, in mediation, the parties are able to agree on the extent of the disclosure to be provided and the format for producing this.

Privacy and confidentiality 

One particular consideration for separating couples to have in mind, when exploring NCDR such as mediation as opposed to court proceedings, is privacy. While reporters have previously been able to attend family cases, they have been subject to rigorous restrictions on what they can report. However, there is a new push by judges to increase transparency in the family courts – and to extend the scope of what can be publicly reported. With the extension of the Transparency Implementation Group Reporting Pilot (“the transparency pilot”) at the end of January 2024, it is anticipated that there will be increased reporting on family cases. The transparency pilot will take place in 16 courts and introduces the presumption that accredited media and legal bloggers are allowed to report on what they see and hear during family court cases, albeit this is subject to strict rules about anonymity and confidentiality. However, parties often remain concerned that it may be possible for close friends/family members to identify them, based on what is reported.

This is likely to be a particularly significant concern for high-profile individuals, but it will also worry anyone who wants their family dispute to remain completely private. In contrast to the push for transparency in family court cases, NCDR is completely private. With NCDR, it is possible that the press will never find out any details about the family dispute.

There are also the additional costs to think about. The presumption that the press can report on what they see and hear in court (and that they may receive detailed documents with substantial information about the separating couple, their family and the proceedings) is likely to lead to additional work for legal teams in cases where the parties are concerned about reporting. The court will grant what is called a Transparency Order which ordinarily will permit reporting subject to restrictions to preserve anonymity and confidentiality. If a party or both parties do not agree to the court making the standard Transparency Order, they may have to make additional applications to try to further restrict reporting. Extra legal fees will be incurred where steps need to be taken to avoid or minimise what can be reported following a family court hearing.

A push for more separating couples to mediate 

Typically, couples are only able to embark on mediation if both parties agree to do so. However, whilst previously often overlooked by many, there is now a marked increase in couples opting for methods of NCDR such as mediation.

The Family Procedure (Amendments No. 2) Rules 2023/1324 will come into force in April 2024. The Rules will contain significant updates in relation to NCDR, including a new requirement for parties in financial and children proceedings to complete a form setting out their views on using NCDR to resolve issues.

The court will also be able to adjourn (delay) the proceedings to enable NCDR to take place regardless of whether the parties have agreed to such an adjournment. This was recommended by Mr Justice Mostyn in the case of Mann v Mann [2014] 2 FLR 928: previously, the parties had to agree to such an adjournment. At present, the court can only adjourn the proceedings to enable the parties to consider using NCDR (as opposed to allowing NCDR to take place) without their agreement, as was ordered in WL v HL [2021] EWFC B10.

Recently, the Court of Appeal held in Churchill v Merthyr Tydfil CBC [2023] EWCA 1416 that in civil proceedings, the courts can order parties to engage in NCDR. In family proceedings, the courts are currently only able to encourage separating couples to do so, so family lawyers will have to wait to see whether Churchill will lead to the family courts being permitted to compel separating couples to engage in NCDR.