On 5 February 2026, the main changes to data protection legislation in Part 5 of the Data (Use and Access) Act 2025 (“DUAA“) came into force. The DUAA was passed and received Royal Assent on 19 June 2025. Although some of...more
The UK Data (Use and Access) Act 2025 makes major changes to UK data protection law, including the UK General Data Protection Regulation (UK GDPR). ...more
On January 15, 2026, the UK Information Commissioner’s Office (ICO) announced updated guidance on restricted international transfers aimed at improving organizational understanding and compliance with the United Kingdom’s...more
Welcome to your weekly update from the A&O Shearman Pensions team, covering all the latest legal and regulatory developments in the world of workplace pensions. TPR encourages trustee input on value for money - The...more
Agentic AI heads towards the mainstream - As the democratisation of AI continues apace, organisational deployment of AI agents is rapidly becoming a reality. To take one example, in September last year OpenAI announced the...more
As the year draws to a close, reform of the data subject access request (DSAR) regime in the EU and the UK may turn out to be a welcome gift for organisations grappling with complex access requests....more
Welcome to our monthly update on current legal issues for trustees of DC pension schemes, designed to help you stay up to date with key developments between trustee meetings and to support the legal update item on your next...more
ISSUES AFFECTING ALL SCHEMES - CYBER SECURITY – £14 MILLION FINE FOR BREACH - The Information Commissioner’s Office (ICO) has issued a penalty notice imposing a £14 million fine on Capita for infringements of the UK...more
On October 20 2025, the European Data Protection Board (EDPB) announced that it had adopted two opinions on the European Commission’s draft implementing decisions which propose to extend the validity of the UK adequacy...more
On 22 August 2025, the UK Court of Appeal issued its judgment in Farley v Paymaster. The case related to the Sussex Police, whose pension scheme members’ “annual benefit statements” were posted to out-of-date addresses. The...more
The Information Commissioner’s Office (“ICO”) has imposed a £14 million fine on Capita for infringements of the UK General Data Protection Regulation (“UK GDPR”) relating to a cyber security incident suffered by Capita in...more
On October 15, 2025, the UK’s Information Commissioner’s Office (ICO) fined Capita plc and Capita Pension Solutions Limited (collectively “Capita”) £14 million (~$18.8 million) for failing to implement adequate security...more
Does your organisation see an uptick in data subject access requests whenever the story of a high-profile individual exercising their data protection rights makes the headlines? DSARs are a real leveller. Whether the...more
On October 7 2025, the Upper Tribunal handed down its judgment on the ICO’s appeal against the First-tier Tribunal’s decision on Clearview AI Inc (Clearview). The Upper Tribunal found in favour of the ICO, deciding that the...more
The Upper Tribunal (UT) has handed down its judgment in the UK Information Commissioner’s (Information Commissioner) appeal against the First-tier Tribunal (FTT) decision on Clearview AI Inc (Clearview). The UT upheld three...more
“With so many cyber attacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people’s data secure,” was the UK Information Commissioner’s Office (ICO) message...more
Despite the fears of foreign organisations about the long-arm jurisdiction of European data protection laws, the extra-territorial application of the GDPR — and, subsequently the UK GDPR — has received relatively scant...more
Over the summer, the High Court considered a case concerning employer liability for the disclosure of personal data belonging to a former employee. The judgment in Danielle Raine v JD Wetherspoon plc serves as a reminder of...more
On June 19, 2025, the United Kingdom’s Data Use and Access Act 2025 (DUAA) received royal assent and passed into law. The bill touches on a wide variety of matters and includes important revisions to the UK’s foundational...more
The English Court of Appeal has handed down an important judgment in Farley v. Paymaster (Equiniti) [1] on when compensation may be claimed for nonmaterial damage (such as distress or anxiety) arising out of breaches of the...more
In our previous newsletter, we explained how the new UK Data (Use and Access) Act 2025 (“DUA Act”), which modifies the UK’s data and e-privacy regime, has a phased commencement such that most of the provisions require the...more
Welcome to your weekly update from the A&O Shearman Pensions team, covering all the latest legal and regulatory developments in the world of workplace pensions....more
In this short series of podcasts, senior knowledge lawyer, Emma Keeling, and A&O Shearman’s data consultant and former ICO Deputy Commissioner, Steve Wood, take a look at some of the key data protection and e-privacy aspects...more
Although they do not focus the minds of many organisations in the same way as multi-million euro enforcement actions, the importance of low-value, non-material damages claims under the GDPR has gathered steam since the...more
The UK Data (Use and Access) Act 2025, which came into force on 19 June 2025 and will be implemented in a phased approach, marks a significant shift in the United Kingdom’s approach to data regulation....more