Technology Briefing – May 2026

Welcome to the spring edition of our technology briefing, designed to keep you updated on the latest legal and regulatory developments in the technology sector.

In this edition, we unpack the EU AI Act’s transparency obligations, highlighting recent developments and timelines for compliance. Additionally, we explore how businesses can challenge procurement decisions in government IT contracts and review the CMA’s updated guidance on unfair contract terms marking 10 years since the Consumer Rights Act 2015 was introduced. We also address the latest updates in data protection law. Finally, we cover the UK Government’s recently published Report on Copyright and Artificial Intelligence, which follows its consultation.

Recent Harbottle highlights include advising on the sale of After Party Studios to SISTER Group and launching our Indie Games Collective to mentor early-stage games businesses. We also published a thought leadership piece on AI-enabled cyber threats and, at C5’s AI & crypto fraud conference, Lizzie Williams shared insights on resolving smart contract disputes.

IN THIS EDITION


EU AI Act transparency obligations: latest developments and key obligations

A core requirement of the EU AI Act (the Act) concerns transparency obligations for the AI systems used. The majority of the Act is expected to come into force on 2 August 2026. The European Parliament, however, has agreed a proposal that would delay the obligations imposed in respect of high-risk AI systems.


Government IT contracts: how to challenge the procurement process

If your business enters into contracts with public sector entities for the provision of IT or related services, you will be familiar with the public sector tender and procurement processes. But are you familiar with what can be done to challenge the outcome of those processes? 


Unfair contract terms in consumer contracts: new draft guidance from the CMA

If you deal with consumers, then you need to know how consumer law applies to your contract terms and notices. Ten years on from the introduction of the Consumer Rights Act 2015, the Competition and Markets Authority is revising its current guidance on unfair contract terms. 


UK Government holds off on immediate AI Copyright reform

The Government has published its much-anticipated Report on Copyright and Artificial Intelligence, which follows a consultation that ran from 17 December 2024 to 25 February 2025. 


Data protection update

This update includes key developments such as the ICO-HMG memorandum on data protection, new provisions under the Data (Use and Access) Act, guidance on international data transfers and age assurance, and significant enforcement actions like fines for unsolicited marketing, misuse of biometric data, and breaches involving children’s data, alongside global concerns over AI and high-profile investigations. 


HARBOTTLE HIGHLIGHTS

Deal announcement: sale of After Party Studios

We have recently advised the shareholders of After Party Studios, a digital-first creative production company, on the sale of a majority stake to SISTER Group. 


Harbottle & Lewis Indie Games Collective (IGC)

We recently launched our IGC, a mentorship programme which offers legal guidance to early-stage games businesses, to help them navigate their next steps in the industry.


AI-enabled cybercrime

Our new thought leadership piece, developed with Sodali & Co and LevelBlue, builds on insights from our recent event. It highlights key AI-enabled cyber threats, offers practical talking points, and provides actionable recommendations to support informed discussions with risk, legal, and cyber security teams. 


AI & crypto fraud and asset recovery conference

Lizzie Williams recently spoke at this annual conference hosted by C5 Communications. She joined a panel to discuss smart contract disputes: what they are, how to avoid them and how to resolve them. The session proved valuable for those interested in coded contracts.


Please contact our technology experts if you would like to discuss anything in this briefing.

Data protection update

General updates

  • On 8 January, the Information Commissioner’s Office and His Majesty’s Government (HMG) signed a Memorandum of Understanding (MOU) to formalise their shared commitment to improving data protection standards. This includes appointing a Government Chief Data Officer to oversee data protection risks and compliance across HMG departments, and key governance boards, such as the Transformation Board and the Government Security Board, will monitor data protection risks and progress.
  • On 3 February, the ICO opened formal investigations into X Internet Unlimited Company (XIUC) and X.AI LLC (X.AI) covering their processing of personal data in relation to the Grok artificial intelligence system and its potential to produce harmful sexualised image and video content.
  • On 5 February, most of the remaining data protection provisions of the Data (Use and Access) Act came into force, except for the requirement for organisations to have a complaints procedure, which is due to commence on 19 June 2026, and some ICO governance provisions which will follow at a later date. The provisions now in force include only having to carry out a “reasonable and proportionate” search in response to data subject access requests, and the maximum fine that can be issued under the Privacy and Electronic Communications Regulations is no longer £500,000 but now matches the GDPR maximum of up to £17.5 million or 4% of global turnover (whichever is the greater).
  • On 23 February, privacy regulators from around the world issued a joint statement addressing mounting concerns over artificial intelligence (AI) systems that create realistic images and videos of identifiable individuals without their consent.
  • On 11 February 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion on the European Commission’s Digital Omnibus Regulation proposal, which seeks to streamline digital regulations, reduce administrative burdens, and enhance competitiveness across the EU. The EDPB and EDPS strongly oppose proposed changes to the definition of personal data, warning that they could narrow its scope, weaken privacy protections, and create legal uncertainty. The regulators do, however, back several provisions aimed at reducing administrative burdens, including raising thresholds for mandatory data breach notifications and extending deadlines for reporting.
  • On 25 April, John Edwards, the UK’s Information Commissioner, announced that he has temporarily stepped back from his role as the ICO conducts an independent investigation into unspecified “HR matters.” Edwards, who has held the position since January 2022, announced his cooperation with the inquiry in a LinkedIn post.

Latest guidance

  • On 15 January 2026, the Information Commissioner’s Office released updated guidance on international transfers of personal data under the UK GDPR. Key updates include a three-step test for restricted transfers and explanations of roles and responsibilities, particularly for complex, multi-layered transfer scenarios.
  • On 12 March 2026, the UK’s data protection regulator, the Information Commissioner’s Office, published an open letter to social media and video-sharing platforms operating in the UK, calling on them to urgently strengthen their age assurance measures.
  • On 25 March 2026, Ofcom and the Information Commissioner’s Office released a joint statement outlining regulatory expectations for age assurance measures under the Online Safety Act and UK data protection laws. The statement aims to help online services protect children from harmful content and data risks while ensuring compliance with both legal frameworks.
  • On 31 March, the ICO called on businesses to review their use of automated decision-making in recruitment to ensure compliance with data protection laws and to protect jobseekers from unfair or biased outcomes.
  • On 29 April 2026, the Information Commissioner’s Office (ICO) released its finalised guidance on Storage and Access Technologies alongside an update on its online tracking strategy. This guidance addresses the application of the Privacy and Electronic Communications Regulations and, where relevant, the UK GDPR to technologies such as cookies, tracking pixels, device fingerprinting, and similar tools. It incorporates updates following two consultations and amendments introduced by the Data (Use and Access) Act 2025.
  • On 14 April 2026, the European Data Protection Board announced a new Data Protection Impact Assessment template to simplify compliance with the General Data Protection Regulation and promote consistency across Europe.

Latest enforcement action

  • On 15 January, the Information Commissioner’s Office fined Allay Claims Ltd £120,000 for sending over 4 million unsolicited marketing SMS messages between February 2023 and February 2024. These messages promoted PPI tax refund services and were sent without valid consent or compliance with the ‘soft opt-in’ exemption. Allay argued that recipients were existing customers who had engaged with the company in 2019 and signed terms of engagement, which it believed satisfied the ‘soft opt-in’ exemption. However, aggravating circumstances included that Allay had previously been investigated by the ICO in 2020 for PECR breaches and that, despite the investigation and complaints, Allay failed to suspend its marketing activities, resulting in further complaints. A further aggravating factor was the distress caused to recipients: unsolicited marketing is intrusive and can lead to financial harm, particularly in the context of PPI tax refund services, which often involve high fees and hidden charges.
  • On 2 January, the President of the Personal Data Protection Office (Poland’s data protection authority) imposed a fine of PLN 978,128 (approximately €232,379) on T. S.A. for the failure to ensure the independence of the Data Protection Officer (DPO) and the absence of measures to prevent conflicts of interest in the DPO’s role. The DPO of T. S.A. simultaneously held a managerial role (Director V.) and other positions within the company. The company’s history of GDPR violations was considered an aggravating factor, as it demonstrated ongoing compliance challenges. The company resolved the identified issues by restructuring the DPO’s role before the administrative proceedings concluded. This led to a 40% reduction in the fine.
  • On 29 January, the Italian Data Protection Authority (GPDP) fined e-Campus Online University €50,000 for unlawfully using facial recognition technology to verify student attendance during a teacher qualification course. The university processed biometric data without a valid legal basis, relying on invalid consent while failing to conduct a proper Data Protection Impact Assessment (DPIA) before implementation. The GPDP highlighted several violations of GDPR, including unnecessary data retention, lack of alternatives for students, and the power imbalance inherent in requiring biometric data for course participation. While the university cooperated with the investigation and ceased using the system, the fine reflected the serious nature of processing sensitive biometric data and the large number of students affected.
  • On 13 February, the ICO and Ofcom responded to an open letter from approximately 20 MPs urging the ICO to investigate Tattle Life for potential breaches of data protection laws after the death of a social media influencer’s 16-year-old daughter. The ICO confirmed it has an ongoing investigation into Tattle Life, examining its compliance with data protection laws. These include obligations to process personal data lawfully, transparently, and fairly, and to address user requests for data rectification or erasure. While the ICO does not have the authority to shut down websites, it can issue enforcement notices to ensure compliance if data protection violations are identified.
  • On 19 February, the ICO won its appeal in a landmark case against DSG Retail Limited. The dispute originated from a 2020 ICO fine of £500,000 imposed on DSG after a cyber-attack compromised the personal data of at least 14 million individuals. Despite appeals by DSG to the First-tier Tribunal and Upper Tribunal, the ICO sought further clarification on a critical point of data protection law by appealing to the Court of Appeal (CoA) in 2024. The court clarified that this duty applies even if the stolen data cannot directly identify individuals, recognising the broader harm caused by cyber-attacks.
  • On 3 February, the ICO reprimanded Staines Health Group for sending excessive medical details about a terminally ill patient to their insurance company, Vitality. A patient at the NHS GP surgery was diagnosed with a terminal illness and made a claim to their insurer. The insurer, on behalf of the patient, subsequently requested that five years of medical history be sent to the patient to review, before being sent to the insurer in order to progress the claim. But, instead of five years of medical history being sent to the patient, Staines Health Group sent 23 years of medical records direct to the insurer. The patient believed the excessive disclosure of unnecessary medical records led to a reduction in the payout of their claim.
  • On 3 February, the ICO issued a monetary penalty of £100,000 to TMAC Ltd for making calls promoting alarm systems and monitoring services to individuals registered with the Telephone Preference Service.
  • On 4 February, the ICO issued a Penalty Notice to MediaLab.AI, Inc. fining it £247,590 for UK GDPR breaches relating to children’s data and the absence of a DPIA. The ICO found unlawful processing of under-13s’ data without valid parental consent and a failure to complete a DPIA for high-risk processing affecting under-18s during 27 September 2021 to 30 September 2025.
  • On 23 February 2026, the ICO issued a Penalty Notice to Reddit, Inc. of £14,472,500 for UK GDPR breaches involving children’s personal data and failure to complete a DPIA.

Joint Controllers, TC Strings, and OpenRTB: Unpacking the Belgian Market Court’s Appeal Decision on IAB Europe’s TCF

On 14 May 2025, the Belgian Market Court (part of the Brussels Court of Appeal) delivered a landmark judgment in the case concerning IAB Europe’s Transparency and Consent Framework (TCF).

The case centred on allegations that IAB Europe violated the General Data Protection Regulation (GDPR, or AVG in Dutch) through its data processing practices within the TCF. This judgment follows an earlier decision by the Belgian Data Protection Authority (APD), which found several breaches of the GDPR and imposed a €250,000 fine on IAB Europe.

CASE BACKGROUND

IAB Europe is an international non-profit association aiming to bring compliance to the digital advertising and marketing sector. It developed the TCF to promote adherence to the GDPR when internet sites or applications use the OpenRTB protocol.

On 2 February 2022, the APD found that IAB Europe’s TCF violated GDPR and fined IAB €250,000. Key findings included:

  • The TC String (user preferences signal) is personal data.
  • IAB Europe is a joint controller for both the creation and subsequent processing of the TC String.
  • Lack of a valid legal basis for processing TC Strings as the TCF did not obtain explicit and informed consent from users, nor could it rely on legitimate interests due to the large-scale and intrusive nature of the data processing involved.
  • Failure to fulfil transparency obligations and not adequately informing users about its role as a data controller, the purposes of data processing, or the recipients of their data.
  • Inadequate security measures and lack of mechanisms to prevent manipulation of consent signals.
  • Failure to conduct data protection impact assessments.
  • Failure to appoint a data protection officer. 
  • Incomplete register of processing activities.

On 4 March 2022, IAB Europe challenged the APD’s decision before the Belgian Market Court, disputing its role as a joint controller and the APD’s legal analysis on the TC String being personal data.

On 7 September 2022, the Belgian Market Court made an interim ruling, confirming the procedural irregularities in the APD’s investigation. It referred two preliminary questions to the CJEU:

  • Does the TC String constitute personal data under GDPR?
  • Is IAB Europe a joint controller for processing TC Strings and subsequent data uses?

On 7 March 2024, the CJEU judgment confirmed that:

  • the TC String may constitute personal data if:
    1. It is associated with other data points (e.g., IP address) that can identify a user.
    2. IAB Europe has reasonable means to access such data.
  • IAB Europe may be a joint controller for the creation and use of TC Strings if it influences the processing’s purposes and means.
  • IAB Europe is not a joint controller for subsequent processing (e.g. personalised advertising) by third parties.

The case was sent back to the Belgian Market Court for factual verification and further examination, which this article explains.

FINDINGS OF THE MARKET COURT

Are TC Strings Personal Data?

TC Strings are unique codes containing users’ consent preferences.

The Market Court referenced the preliminary ruling of the CJEU in March 2024, which clarified that TC Strings, when linked to identifiers such as IP addresses, allow for user identification.

In paragraph 48 of the judgment, the Market Court stated that “the fact that IAB Europe itself would not have the reasonable means to proceed with identification because it cannot make the link between a TC String and the IP address and would not have direct access to the personal data, is in itself irrelevant”.

As such, the Market Court confirmed that a TC String is personal data within the meaning of Article 4(1) of the GDPR.

Is there any processing of personal data?

IAB Europe, as the managing organisation and central figure in the digital ecosystem, determines the storage and dissemination of the TC String.

Under the TCF Technical Specifications, the TC String is shared with Consent Management Platforms (CMPs) in two ways:

  • By storing it in a shared global consent cookie on IAB Europe’s consensu.org domain; or
  • By storing it in a CMP-chosen system for service-specific consent signals.

The Market Court found that storing the TC String in a shared cookie and making it available via the consensu.org domain clearly constitutes processing of personal data under GDPR.

The Market Court further explained that, regardless of the consent cookie or domain, processing of personal data occurs in the TCF, including:

  • User preferences being collected by CMPs (along with the user’s IP address);
  • User preferences being structured and ordered in a TC String; and
  • The TC String being stored, distributed, and shared with TCF participants.

Should IAB Europe’s Role in the TCF be considered as a Data Controller?

Paragraphs 62-75 of the judgment confirm that IAB Europe clearly has real decision-making power over both the purposes and means of processing, given its overriding control over the operation of the TCF:

  • IAB Europe acknowledges its responsibility for the TCF in its own documentation – such as “Frequently Asked Questions” on the TCF (version 2.0) – noting that this judgment only focuses on v2.0, as IAB Europe’s TCF v2.2 already includes updates to address the compliance concerns raised.
  • In determining the purpose and means of these processing operations, IAB Europe indeed exercises a decisive influence. IAB Europe shares a purpose with all the other participants for the processing of personal data, which is to ensure that user preferences are captured in a structured way and then shared with all other participants. Even though many TCF participants may be competitors, when it comes to the processing of user preferences under the TCF they all have similar interests, which are also similar to those of IAB Europe.

The Market Court states that “the concept of a data controller in this case just does have to be interpreted broadly, since IAB Europe is the only one who, as it itself states, manages and administers the TCF and can therefore resolve the issues identified by the Dispute Resolution Chamber, after consultation with all other EU regulators.”

The Market Court confirmed that IAB Europe is a joint data controller with TCF participants for storing the consent preferences of the affected users in the TC String.

If yes, is IAB Europe a Joint Controller for the processing of personal data in the context of OpenRTB?

The Market Court assessed whether IAB Europe with the TCF “influences” the further processing of personal data under OpenRTB.

The APD argued that IAB Europe’s TCF and OpenRTB are inherently interconnected. It claimed that IAB Europe facilitates an ecosystem where consent preferences are collected and shared for further processing by third parties (e.g. publishers and adtech vendors). As such, the APD considered IAB Europe and participating organisations to be joint controllers for both the collection and dissemination of consent data.

The Market Court identified inconsistencies in the APD’s reasoning. Although the APD acknowledged that IAB Europe does not act as a data controller for processing under OpenRTB, it nevertheless implied such responsibility in its decision. The Market Court found that the Appellants had limited the scope of their arguments to the TCF, that no evidence was provided to establish IAB Europe as a joint controller for OpenRTB processing, and that IAB Europe lacked influence over this stage of data use.

It concluded that the APD failed to demonstrate that IAB Europe acts as a joint data controller for processing operations under OpenRTB as not all processing stages fall under their control.

OUTCOME

The Market Court upheld the €250,000 fine imposed by the APD, deeming it proportionate and justified under Article 83 of the GDPR. It also confirmed the corrective measures requiring IAB Europe to bring its processing activities into compliance.

The Market Court dismissed most of IAB Europe’s grievances but acknowledged procedural flaws in the initial decision. It upheld the APD’s sanctions regarding TCF operations but clarified that IAB Europe is not responsible for OpenRTB operations – annulling the APD’s decision in part.

IAB Europe is ordered to pay the costs of proceedings, estimated at €7,848.84, and other contributions totalling €424.

IMPLICATIONS

This judgment clarifies that even entities without direct access to personal data can be held accountable as data controllers if they influence the purposes and means of processing.

For the adtech industry, this ruling reinforces the GDPR principles and in particular supports the requirements to:

  • carefully examine consent mechanisms to ensure they are transparent, freely given, specific, informed and unambiguous;
  • ensure the use of consent frameworks like the TCF does not create ambiguity about their own roles and accountability in data processing operations;
  • provide users with clear, accessible, and understandable information about how their data is processed; and
  • minimise the processing of personal data by leveraging contextual advertising, privacy-enhancing technologies, and aggregated or pseudonymised datasets instead of third party cookies.

Cyber attacks on UK retailers: Michael Yates’ comments featured in the Financial Times

“Hacking a well-known retail brand generates leverage…because the victim will want to avoid brand reputational damage at all costs to stop eroding customer trust.”

Michael Yates’ comments on the recent cyber attack on Marks and Spencer, which is still causing havoc for shoppers of the popular retail brand a fortnight on, have been featured in the Financial Times.

Now that two other major household names have also been targeted and a police investigation has been launched, the article discusses why hackers decide to target such trusted brands.

The full article is available here to those with a subscription.

Harbottle & Lewis strengthens client offering with new partner hires

Harbottle & Lewis today announced two lateral partner hires to strengthen its client offering. Private client disputes partner Charles Lloyd and reputation management partner Michael Yates will both join the firm in April 2025.

Charles Lloyd arrives at Harbottle & Lewis from Macfarlanes where he has held a leading position within his field for over 30 years, specialising in private client disputes, particularly international trusts and estates litigation. Charles’s client base includes high net worth individuals engaged in complex family and succession-related disputes, often involving multi-jurisdictional offshore trust and corporate structures. Charles’s eminent reputation and extensive experience will enable the firm to build on its leading private client practice with a specific focus on enhancing the contentious work that it does in this space.

Charles commented:

“I am really looking forward to joining Harbottle & Lewis and what is already a strong and highly reputed private client practice. This move provides a great opportunity for me to help build on the firm’s existing expertise and will enable me to contribute towards creating a leading private client disputes practice.”

Michael Yates joins Harbottle & Lewis from international law firm Taylor Wessing. As an information litigator, Michael advises high net worth and high-profile individuals and companies on reputation management, privacy protection, confidentiality, cyber response and media and information law disputes. His expertise aligns perfectly with Harbottle & Lewis’s renowned proficiency in the media, entertainment, technology and private wealth sectors. Michael’s significant focus on cyber response dovetails with the firm’s strategic emphasis on technology, and he will work alongside the firm’s technology and data lawyers to further develop its services in this area.

Michael said:

“I’m delighted to be joining the firm’s market leading media and information group and am very excited to soon be working alongside the firm’s fantastic media, tech, data and cyber experts. I look forward to working with clients to help them navigate what is an ever more hostile and complex media and information landscape, protecting them from threats to their reputation, privacy and information and mitigating the increasing risk of cyber attacks. There is no better place to do this work.”

This strategic expansion underscores Harbottle & Lewis’s commitment to bolstering its highly-regarded private client practice and enhancing its offering to high net worth and often high-profile individuals, as well as expanding and deepening its offering to companies. The addition of Charles and Michael to the partnership demonstrates the firm’s ambition to grow and to provide clients with unparalleled expertise across a spectrum of legal services.

Tony Littner, co-managing partner at Harbottle & Lewis, commented:

“The addition of two such high quality lawyers to our partnership supports the strategic growth of our firm. Focusing deliberately on extending our offering to both our private client and corporate client base, Charles and Michael are perfectly placed to complement our existing practice groups and contribute significantly to our continued growth and success.”

For further information, please contact:

Alex Molyneux, Communications & Marketing Manager