Thursday, 26 March 2026

Construction of art 82 (1) GDPR: Case C‑590/22 AT and another v PS GbR and others

Wesel Court House (Author: KingKurt; Licence: CC BY-SA 4.0; Source: Wikimedia Commons)

Jane Lambert

Court of Justice of the European Union (K. Jürimäe, President of the Chamber, K. Lenaerts, President of the Court, N. Piçarra, N. Jääskinen (Rapporteur) and M. Gavalec, Judges) Case C‑590/22 AT and another v PS GbR and others ECLI:EU:C:2024:536, [2024] EUECJ C-590/22, EU:C:2024:536

This was a request by the Wesel Amtsgericht for a preliminary ruling on the interpretation of art 82 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’) pursuant to art 267 of the Treaty on the Functioning of the European Union.  The request was made in proceedings between AT and BT against PS Gesellschaft bürgerlichen Rechts ("PS GbR") and its members for compensation for the disclosure of their personal data to third parties without their consent as a result of an error by the firm.

The Proceedings

PS GbR was a tax consultancy, and AT and BT were two of its clients.  AT and BT instructed PS GbR to draw up their tax return.  The consultancy carried out their instructions but sent the return to AT and BT's previous address.  AT and BT recovered the envelope that had contained the tax return but found that it contained only a covering letter and a copy of the return.  The missing documents contained the names, dates of birth, tax identification numbers, religious denominations, bank details, professions, places of work and disability status of AT and BT, as well as their children's personal data.  AT and BT sued PS GbR and its members for €15,000 compensation in the Wesel Amtsgericht, the lowest civil court in the German legal system.

The Reference

The court decided that it could not decide the claim without referring the following questions to the Court of Justice of the European Union:

"(1) Is it sufficient for the establishment of a claim for compensation under Article 82 (1) of [the GDPR] that a provision of [that regulation] serving to protect the claimant has been infringed or is it necessary that a further adverse effect on the claimant has occurred, beyond the infringement of the provision as such?
(2) Under EU law, does the establishment of a claim for compensation for non-material damage under Article 82 (1) of the GDPR require an adverse effect of a certain magnitude?
(3) In particular, is it sufficient for the establishment of a claim for compensation for non-material damage under Article 82(1) of the GDPR that the claimant fears that his or her personal data have come into the hands of third parties as a result of infringements of provisions of the GDPR, even though that circumstance cannot be positively established?
(4) Is it in conformity with EU law for the national court to apply mutatis mutandis the criteria of the second sentence of Article 83 (2) of the GDPR - which, according to the wording, apply only to administrative fines - when assessing compensation for non-material damage under Article 82 (1) of the GDPR?
(5) Must the amount of a claim for compensation for non-material damage under Article 82 (1) of the GDPR also be assessed by reference to the fact that the amount of the claim awarded serves to have a deterrent effect and/or to prevent the “commercialisation” (calculated acceptance of administrative fines/compensation payments) of infringements?
(6) Is it in conformity with EU law, when assessing the amount of a claim for compensation for non-material damage under Article 82(1) of the GDPR, to take into account simultaneous infringements of national provisions which have as their purpose the protection of personal data but which are not delegated or implementing acts adopted in accordance with that regulation or Member State laws [specifying rules] of that regulation?"

Legislative Context

The CJEU considered recitals (85), (146) and (148) and arts 4 (1), (7), (10) and (12), 79 (1) and 83 (3) and (5) of the GDPR as well as the following paragraphs of art 82:

"1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
......."

Judgment

The CJEU delivered judgment on 20 June 2024 (Case C‑590/22 AT and another v PS GbR and others ECLI:EU:C:2024:536, [2024] EUECJ C-590/22, EU:C:2024:536).

The First and Second Questions

The Court took the 1st and 2nd questions together.  In its view, the Amtsgericht was asking whether art 82 (1) should be interpreted as meaning that the mere infringement of the GDPR would be sufficient to give rise to compensation or whether a claimant had also to show that the infringement had led to damage of a sufficient degree of seriousness.

The CJEU has already held in para [32] of Case C‑300/21 UI v Österreichische Post AG [2023] WLR(D) 221, EU:C:2023:370, [2023] EUECJ C-300/21, ECLI:EU:C:2023:370 and para [34] of Case C‑741/21 GP v juris GmbH [2024] EUECJ C-741/21, ECLI:EU:C:2024:288, EU:C:2024:288 that it is clear from the wording of the article that the existence of ‘damage’, whether material or non-material, constitutes one of the conditions for compensation under art 82 (1).  So, too, does the existence of an infringement and of a causal link between that damage and the infringement.  The three conditions are cumulative.

It follows that it cannot be held that any ‘infringement’ of the provisions of the GDPR, by itself, confers a right to compensation.  The answer to question 1 is that art 82 (1) of the GDPR must be interpreted as meaning that the mere infringement of the provisions of that regulation is not sufficient to confer a right to compensation.

The Third Question

The 3rd question was reframed as to whether art 82 (1) should be interpreted as meaning that a data subject's fear that his or her personal data had been disclosed to third parties without any certainty as to whether that had actually happened is sufficient to give rise to a claim for non-material damage under that article.  

Citing paras [30] and [44] of UI v Österreichische Post AG and para [64] of Case C‑687/21 BL v MediaMarktSaturn Hagen-Iserlohn GmbH [2024] 1 WLR 2597, [2024] EUECJ C-687/21, ECLI:EU:C:2024:72, EU:C:2024:72, [2024] WLR(D) 53, the CJEU noted that the concept of ‘non-material damage’, within the meaning of art 82 (1), must be given an autonomous and uniform definition specific to EU law.

The Court has already held in Case C‑340/21 VB v Natsionalna agentsia za prihodite EU:C:2023:986, ECLI:EU:C:2023:986, [2024] WLR(D) 17, [2023] EUECJ C-340/21 and BL v MediaMarktSaturn Hagen-Iserlohn GmbH that the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of that regulation is capable, in itself, of constituting ‘non-material damage’, within the meaning of art 82 (1).  It added that the loss of control over personal data, even for a short period of time, may constitute ‘non-material damage’, within the meaning of art 82 (1), giving rise to a right to compensation, provided that the data subject can show that he or she has actually suffered such damage, however slight.

A person who considers that his or her personal data has been processed in breach of the relevant provisions of the GDPR and seeks compensation on the basis of art 82 (1) must therefore prove that he or she has actually suffered material or non-material damage.  A mere allegation of fear, with no proven negative consequences, cannot give rise to compensation.

The CJEU concluded at para [36] that the answer to the 3rd question is that art 82 (1) must be interpreted as meaning that a person’s fear that his or her personal data have, as a result of an infringement of that regulation, been disclosed to third parties, without it being possible to establish that that was in fact the case, is sufficient to give rise to a right to compensation, provided that that fear, with its negative consequences, is duly proven.

The Fourth and Fifth Questions

In the 4th and 5th questions the Amtsgericht asked whether art 82 (1) should be interpreted as meaning that, to determine the amount of damages due as compensation for damage based on that provision, it is necessary to apply the criteria for setting the amount of administrative fines laid down in art 83 mutatis mutandis and to confer a dissuasive function on the right to compensation.  The CJEU observed that arts 82 and 83 pursue different objectives.  While art 83 determines the "general conditions for imposing administrative fines", art 82 governs the "right to compensation and liability."  The criteria set out in art 83 for the purposes of determining the amount of administrative fines cannot be used to assess the amount of damages under art 82 (see para [57] of Case C‑741/21 GP v juris GmbH).  The answer to the 4th and 5th questions is that art 82 (1) must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in art 83, and, second, to confer on that right to compensation a dissuasive function.

The Sixth Question

In its 6th question, the Amtsgericht was asking whether art 82 (1) must be interpreted as meaning that, to determine the amount of damages due as compensation for damage based on that provision, account must be taken of simultaneous infringements of national provisions relating to the protection of personal data, but not intended to specify the rules of that regulation.  The Court ruled that it was not necessary to take account of simultaneous infringements of national provisions that relate to the protection of personal data, but which are not intended to specify the rules of that regulation.

The Ruling

The CJEU ruled as follows:
"1. Article 82 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that an infringement of that regulation is not, in itself, sufficient to give rise to a right to compensation under that provision. The data subject must also establish the existence of damage caused by that infringement, without, however, that damage having to reach a certain degree of seriousness.
2. Article 82 (1) of Regulation 2016/679 must be interpreted as meaning that a person’s fear that his or her personal data have, as a result of an infringement of that regulation, been disclosed to third parties, without it being possible to establish that that was in fact the case, is sufficient to give rise to a right to compensation, provided that that fear, with its negative consequences, is duly proven.
3. Article 82 (1) of Regulation 2016/679 must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in Article 83 of that regulation and, second, to confer on that right to compensation a dissuasive function.
4. Article 82 (1) of Regulation 2016/679 must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary to take account of simultaneous infringements of national provisions which relate to the protection of personal data but which are not intended to specify the rules of that regulation."

Comment

As this ruling was delivered after IP completion day, courts in England and Wales, Scotland and Northern Ireland are not bound by it or the principles contained in this judgment.  However, s.6 (2) of the European Union (Withdrawal) Act 2018, as amended, permits courts in those jurisdictions to have regard to it insofar as it is relevant to any matter before them.   This judgment will therefore be cited and considered in cases on the meaning and effect of art 82 of the UK GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation) (Text with EEA relevance)).

Anyone wishing to discuss this case may call me on +44 (0)20 7404 5252 or send me a message through my contact form.

Friday, 20 March 2026

Data Protection Litigation: Pre-action Protocol for Media and Communications Claims

Jane Lambert

There has recently been a surge in claims by individuals seeking to enforce their rights under data protection legislation through litigation.  I have appeared in two such claims this week, one in London and another in the Thames Valley.  I have also advised in writing and in conference on several more. A surprising aspect of the surge is that the United Kingdom General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 are much more complicated than the Data Protection Act 1998 and the Data Protection Act 1984, which preceded them. Those Acts also provided rights of action, but they were used much less frequently than the present legislation.  Another surprise is the infrequency with which parties refer to the Pre-action Protocol for Media and Communications Claims, even though that protocol applies to all data protection claims.  In both of the cases in which I appeared this week, observance of the protocol would have made a significant difference to the outcome of the litigation.  

Effective Judicial Remedy
Art 79 (1) of the UK GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation) as modified by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) entitles data subjects to an effective judicial remedy if they consider that their rights under the Regulation have been infringed as a result of the processing of their personal data in non-compliance with the regulation.  That includes a right under art 82 (1) to compensation from a controller or processor for any material or non-material damage that may arise as a result of such non-compliance.

Pre-action Protocols
Para 1 of Practice Direction - Pre-action Conduct and Protocols states that pre-action protocols explain the conduct and set out the steps the court would normally expect parties to take before commencing proceedings for particular types of civil claims. Para 2 warns that a person who knowingly makes a false statement in a pre-action protocol letter or other document prepared in anticipation of legal proceedings may be subject to proceedings for contempt of court.  Para 3 states that the objectives of pre-action conduct and protocols are to enable parties to disputes to:
"(a) understand each other’s position;
(b) make decisions about how to proceed;
(c) try to settle the issues without proceedings;
(d) consider a form of Alternative Dispute Resolution (ADR) to assist with settlement;
(e) support the efficient management of those proceedings; and
(f) reduce the costs of resolving the dispute."

Para 4 stresses that a pre-action protocol must not be used by a party as a tactical device to secure an unfair advantage over another party. Only reasonable and proportionate steps should be taken by the parties to identify, narrow and resolve the legal, factual or expert issues.  Para 5 adds that disproportionate costs in complying with any pre-action protocol are likely to be irrecoverable.  Para 6 states that where there is a relevant pre-action protocol, the parties should comply with it before commencing proceedings.  Para 8 reminds parties that litigation should be a last resort. As part of a relevant pre-action protocol, the parties should consider whether negotiation or some other form of ADR might enable them to settle their dispute without commencing proceedings.

Non-compliance with a protocol can be penalized in several ways.  For example, para 16 states that a party at fault may be ordered to pay costs on an indemnity basis or a successful party may be deprived of some or all of his or her costs.

Pre-action Protocol for Media and Communications Claims
Although it is not listed among the "Protocols in Force" in para 18 of PD-Pre-action Conduct and Protocols, para 1.1 of the Pre-action Protocol for Media and Communications Claims states that it applies to data protection claims, including those brought by litigants in person. If a party to a claim becomes aware that another party is a litigant in person, he or she should send a copy of the protocol to the litigant in person at the earliest opportunity.

The aims of the protocol listed in para 2.1 are similar to those of the practice direction, namely enabling parties to prospective claims to:
"(a) understand and properly identify the issues in dispute and to share information and relevant documents;
(b) make informed decisions as to whether and how to proceed;
(c) try to settle the dispute without proceedings or reduce the issues in dispute;
(d) avoid unnecessary expense and control the costs of resolving the dispute; and
(e) support the efficient management of proceedings where court proceedings cannot be avoided."

Para 3.1 requires intending claimants to notify intended defendants of their claims in writing at the earliest reasonable opportunity.  They are also reminded of the need for proportionality in formulating both the letter of claim and response in para 2.2:

"In formulating both the Letter of Claim and Response and in taking any subsequent steps, the parties should act reasonably to keep costs proportionate to the nature and gravity of the case and the stage the complaint has reached."

The following information should be included in the letter of claim: 

  • the name of the claimant;
  • the nature of and basis for the entitlement to the remedies sought by the claimant;
  • any facts or matters relevant to England and Wales being the most appropriate forum for the dispute; and
  • details of any funding arrangement in place.
Para 3.4 adds that letters of claim in data protection cases should also include:

  • "any further information necessary to identify the data subject;
  • the data controller to which the claim is addressed;
  • the information or categories of information which is claimed to constitute personal data including, where necessary, the information which is said to constitute sensitive personal data or to fall within a special category of personal data;
  • sufficient details to identify the relevant processing;
  • the identification of the duty or duties which are said to have been breached and details of the manner in which they are said to have been breached, including any positive case on behalf of the Claimant;
  • why the personal data ought not to be processed/further processed, if applicable;
  • the nature and any available details as to any particular damage caused or likely to be caused by the processing/breach of duty complained of; and
  • Where a representative data protection claim is intended to be brought on behalf of data subjects, the letter of claim should also: set out the nature of the entity which intends to bring the claim and explain how it fulfils the relevant suitability criteria – see Article 80 of the General Data Protection regulation (GDPR); include details of the data subjects on whose behalf the claim would be brought; and, confirmation that they have mandated the representative body to represent them and receive compensation, where applicable."
Defendants are required by para 3.6 to provide a full response to the letter of claim, as soon as reasonably possible. If a defendant believes that he or she will be unable to respond within 14 days (or such shorter time limit as specified in the letter of claim), then he or she should specify the date by which he/she intends to respond.

Para 3.7 requires letters of response to include:

  • "whether or to what extent the Claimant’s claim is accepted, whether more information is required or whether it is rejected;
  • if the claim is accepted in whole or in part, the Defendant should indicate which remedies it is willing to offer;
  • if more information is required, then the Defendant should specify precisely what information is needed to enable the claim to be dealt with and why;
  • if the claim is rejected, then the Defendant should explain the reasons why it is rejected, including a sufficient indication of any statutory exemptions or facts on which the Defendant is likely to rely in support of any substantive defence;
  • in a defamation or malicious falsehood claim, the defamatory or false imputation(s) the Defendant contends was conveyed by the statement complained of, if any; and
  • where the Claimant to a proposed action has indicated his/her intention to make an application to bring the claim anonymously, the Defendant should indicate whether the Defendant accepts such an order would be appropriate and give an indication of the basis for the Defendant’s position."
Para 3.8 reminds parties that litigation should be a last resort, while para 3.9 suggests the following options for parties to data protection disputes:

"(a) without prejudice discussions and negotiations between the parties;
(b) mediation – a form of facilitated negotiation assisted by an independent neutral third party; [and]
(c) early neutral evaluation (ENE) – a third party giving an informed opinion on the dispute (for example, a lawyer experienced in the field of [data protection] or an individual experienced in the subject matter of the claim)......."

Para 3.10 mentions the need to consider offers under CPR Part 36.  If a dispute is not settled, para 3.11 encourages parties to undertake a further review of their respective positions, to consider the state of the papers and the evidence in order to see if proceedings can be avoided and, at least, narrow the issues between them which can assist efficient case management.  

Finally, parties are referred to other provisions which they might find useful, such as CPR Part 25: Interim Remedies and Security for Costs and CPR PD48 paragraphs 3.1 and 3.2: Part 2 of the Legal Aid, Sentencing and Punishment of Offenders Act 2012 Relating to Civil Litigation Funding and Costs.

Further Information
Anyone wishing to discuss this article further may call me on 020 7404 5252 during UK office hours or send me a message through my contact form at any time.

Wednesday, 11 February 2026

IC fines Data Controller more than £1.2 million for Infringing Art 5 (1) (f) UK GDPR

Jane Lambert

LastPass UK Ltd Penalty Notice 20 Nov 2025

By para [1] of his penalty notice dated 20 Nov 2025, the Information Commissioner for the United Kingdom ordered LastPass UK Ltd ("LastPass") to pay a penalty of £1,228,283 pursuant to s.155 (1) (a) of the Data Protection Act 2018 for infringing art 5 (1) (f) and art 32 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as amended ("the UK GDPR").

The Obligation

Art 5 (1) (f) of the UK GDPR provides:

"Personal data shall be

................

(f)   processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."

Art 5 (2) further provides that the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1, a principle known as "accountability".

Art 32 (1) amplifies the above duty:

"Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."

The Infringement

The Commissioner found that LastPass had infringed arts 5 (1) (f) and 32 (1) between 31 Dec 2021 and 31 Dec 2024 in failing to implement appropriate technical and organizational measures to ensure an appropriate level of security for the personal data for which the company was responsible, and the ongoing confidentiality and integrity of its processing systems and services.

The infringements resulted from allowing employees to access accounts from a personal device, where the latter contained the decryption keys required to access customers’ personal data and combine their personal and employee business accounts so that they could be accessed by a single master password.  Because LastPass failed to implement and use appropriate technical and organizational measures, personal data relating to 1,631,410 customers in the UK were unlawfully accessed in two incidents during August 2022.

Enforcement

S.155 (1) (a) of the Data Protection Act 2018 provides that, if the Commissioner is satisfied that a person has failed to comply with any of the provisions of the UK GDPR specified in s.149 (2) of the Act, he may, by written notice, require that person to pay to the Commissioner an amount specified in the notice.

Appeal

Para [228] of the penalty notice advised LastPass that it had a right of appeal against both the notice and the amount of the penalty to the First-tier Tribunal (General Regulatory Chamber) (Information Rights) to be exercised within 28 days of the date of the notice.

Civil Liability

In addition to the Information Commissioner's administrative sanctions, anyone who suffers material or non-material damage as a result of an infringement of the UK GDPR has a right to compensation from the controller for the damage suffered under art 82 (1) of the regulation (see Taking your case to court and claiming compensation on the ICO website).

Further Information

Anyone wishing to discuss this article may call me on 020 7404 5252 during UK office hours or send me a message through my contact form.

Sunday, 11 January 2026

Data (Use and Access) Act 2025 - Part 1: Access to Business and Customer Data

Baroness Jones of Whitchurch (Author: Roger Harris; Licence: CC BY 3.0; Source: UK Parliament)

In Data Protection Law Reform (23 Dec 2025), I discussed the Conservative government's proposed Data Reform Bill and its Data Protection and Digital Information Bill.  Part 3 of that bill was headed "Customer Data and Business Data" and was intended to create a statutory framework for smart data, that is to say, sharing customer data and business data with third parties who will use that information to create new businesses and services.  The previous government set out its plans for smart data in The Smart Data Roadmap in April 2024.

As I mentioned in Data Protection Law Reform, the Data Protection and Digital Information Bill did not complete its passage through Parliament before the 2024 general election.  However, as Lady Jones of Whitchurch said on the second reading of the Data (Use and Access) Bill in the House of Lords on 19 Nov 2024, facilitating smart data was in the Labour Party manifesto.  In her speech, she said:
"My Lords, data is the DNA of modern life. It is integral to almost every aspect of our society and economy, from NHS treatments and bank transactions to social interactions. An estimated 85% of UK businesses handle some form of digital data, and the UK data economy was estimated to represent 6.9% of UK GDP. Data-enabled UK service exports accounted for 85% of total service exports, estimated to be worth £259 billion, but data use in the UK drives productivity benefits of around 0.12%, which is only one minute per worker per day."

That bill received royal assent on 19 June 2025.  I introduced it in Data Use and Access: Structure on 26 Dec 2025.

In that introduction, I said that the Act consisted of 8 parts and 16 schedules.  The first of those parts is headed "Access to customer data and business data" and consists of 26 sections.  It covers much the same ground as Part 3 of the Data Protection and Digital Information Bill, though Lady Jones said that there had been several important changes to make her bill more focused, more balanced, and better able to achieve its objectives.

The key provision of part 1 is s.1 (1):

"This Part confers powers on the Secretary of State and the Treasury to make provision in connection with access to customer data and business data."

S.2 (1) of the Act enables the Secretary of State or the Treasury to make regulations requiring a data holder to provide customer data, at the customer's request or at the request of a person authorized by the customer to receive the data (an "authorized person"), either to the customer or to the authorized person.

"Customer data" is defined by s.1 (2) as information relating to a customer of a trader.  It includes information relating to goods, services and digital content supplied or provided by the trader to the customer or to another person at the customer’s request.  It could be information about 

  • prices or other terms on which goods, services or digital content are supplied or provided to the customer or another person, 
  • how they are used by the customer or other person, or 
  • their performance or quality when used by the customer or another person.
Such data can also include information relating to the provision of information described above or of other information relating to a customer of a trader, to a person in accordance with data regulations. A “trader” means a person who supplies or provides goods, services or digital content in the course of a business, whether acting personally or through another person acting in the trader’s name or on the trader’s behalf.

S.4 (1) enables the Secretary of State or the Treasury to make regulations requiring a data holder to publish business data or to provide it to a customer of the trader to whom the business data relates, or to another person of a specified description.  "Business data", in relation to a trader, means information:

  • about goods, services and digital content supplied or provided by the trader,
  • relating to the supply or provision of goods, services and digital content by the trader, such as 
    • where goods, services or digital content are supplied or provided, 
    • prices or other terms on which they are supplied or provided, 
    • how they are used, or 
    • their performance or quality,
  • relating to feedback about the goods, services or digital content (or their supply or provision), and
  • relating to the provision of information described above to a person in accordance with data regulations.
There will also be regulations on enforcement, fees, financial services and other matters.

Apart from reg 2 (a) of The Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025, which brought Part 1 of the Act (Access to Business and Customer Data) into force on 20 Aug 2025, no regulations have yet been made.  There are likely to be further consultations on the secondary legislation, which I shall monitor.

Guidance from the Department for Science, Innovation and Technology accompanying the introduction of the bill on 24 Oct 2024 estimated that the legislation would bring a £10 billion boost to the UK economy over 10 years.  Anyone wishing to discuss this article may call me on +44 (0)20 7404 5252 during UK office hours or send me a message through my contact form at any time.

Further Information

Jane Lambert  Data (Use and Access) Act 2025: Structure 26 Dec 2025

Friday, 26 December 2025

Data (Use and Access) Act 2025: Structure

Jane Lambert

An inkling of the scope and complexity of the Data (Use and Access) Act 2025 can be gained from the introductory text:

"An Act to make provision about access to customer data and business data; to make provision about services consisting of the use of information to ascertain and verify facts about individuals; to make provision about the recording and sharing, and keeping of registers, of information relating to apparatus in streets; to make provision about the keeping and maintenance of registers of births and deaths; to make provision for the regulation of the processing of information relating to identified or identifiable living individuals; to make provision about privacy and electronic communications; to establish the Information Commission; to make provision about information standards for health and social care; to make provision about the grant of smart meter communication licences; to make provision about the disclosure of information to improve public service delivery; to make provision about the retention of information by providers of internet services in connection with investigations into child deaths; to make provision about providing information for purposes related to the carrying out of independent research into online safety matters; to make provision about the retention of biometric data; to make provision about services for the provision of electronic signatures, electronic seals and other trust services; to make provision about works protected by copyright and the development of artificial intelligence systems; to make provision about the creation of purported intimate images; and for connected purposes."

As I said in Data Protection Law Reform, the Act consists of 144 sections divided into 8 parts with 16 schedules.

Structure

The parts of the Act are as follows:

The schedules are as follows:

Schedule 1: National Underground Asset Register (England and Wales): monetary penalties;
Schedule 3: Registers of births and deaths: minor and consequential amendments;
Schedule 8: Transfers of personal data to third countries, etc: law enforcement processing;
Schedule 11: Further minor provision about data protection;
Schedule 12: Storing information in the terminal equipment of a subscriber or user;
Schedule 13: Privacy and electronic communications: Commissioner’s enforcement powers;
Schedule 14: The Information Commission;
Schedule 15: Information standards for health and adult social care in England; and
Schedule 16: Grant of smart meter communication licences.

Further Information

The Departments of State and Ministries concerned with this legislation have prepared explanatory notes on the statute.  Probably the most useful are the Overview (paras 1 to 15) and the Legal Policy (paras 16 to 83).  Also useful are the Guidance on Data Use and Access Act 2025: plans for commencement by the Department for Science, Innovation and Technology ("DSIT"), the Information Commissioner's index page and the DSIT's fact sheets on the UK GDPR and the Data Protection Act, the ICO and the Privacy and Electronic Communications Regulations 2003.

Subsequent articles will discuss particular parts and schedules of the Act.  Anyone wishing to discuss this article may call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form at any time.

Related Articles

Jane Lambert  Data Protection Law Reform 23 Dec 2025

Tuesday, 23 December 2025

Data Protection Law Reform

Author Robert Harker Licence CC BY-SA 3.0  Source Wikimedia

Jane Lambert

Shortly after EU law ceased to apply to the UK, the government of the day proposed changes to this country's data protection laws.  I discussed those proposals in Dowden's Data Protection Plans on 27 Aug 2021.  A consultation was launched on 10 Sept 2021, which I considered in Consultation on Changing the Data Protection Laws on 12 Sept 2021.  Draft legislation was introduced on 17 June 2022, which I mentioned in The Proposed Data Reform Bill on 25 June 2022.  That bill never made it past its first reading because the minister responsible for piloting it through the Commons was replaced when Liz Truss became prime minister.  The new minister introduced the Data Protection and Digital Information Bill, which was more far-reaching than the Data Reform Bill (see the Data Protection and Digital Information (No 2) Bill 2022-2023). That bill fell with the Conservative government when the general election was held.  One of the first acts of the incoming Labour government was to introduce the Data (Use and Access) Bill on 23 Oct 2024.  That bill received royal assent on 19 June 2025.

The Data (Use and Access) Act 2025 consists of 144 sections divided into 8 Parts with 16 schedules.  The Department for Science, Innovation and Technology describes the legislation as "a wide-ranging Act which includes provisions to enable the growth of digital verification services, new Smart Data schemes like Open Banking and a new National Underground Asset Register" in its Guidance.  The new Act "will not replace the UK General Data Protection Regulation (“UK GDPR”), Data Protection Act 2018 or the Privacy and Electronic Communications (EC Directive) Regulations 2003, but it will make some changes to them to make the rules simpler for organisations, encourage innovation, help law enforcement agencies to tackle crime and allow responsible data-sharing while maintaining high data protection standards."

According to the Information Commissioner, the statute updates some laws about digital information matters and changes data protection laws in order to promote innovation and economic growth.   Its provisions will be phased in between June 2025 and June 2026.  The Department for Science, Innovation and Technology has published useful fact sheets on the UK GDPR and Data Protection Act 2018, the Information Commissioner's Office and the Privacy and Electronic Communications Regulations 2003.

Anyone wishing to discuss this article is welcome to call me on +44 (0)20 7404 5252 during UK office hours or send me a message through my contact form at any time.  In subsequent articles, I shall review the Act and analyse its provisions.

Thursday, 1 June 2023

Data Protection and Digital Information (No 2) Bill 2022-2023

In The Proposed Data Reform Bill I discussed the government's proposals for a new data protection statute. On 18 July 2022 - 23 days after I wrote that article - Nadine Dorries MP, the Secretary of State for Digital, Culture, Media & Sport, introduced the Data Protection and Digital Information Bill into the House of Commons.  That bill never got beyond its first reading because Ms Dorries was replaced by Michelle Donelan MP when Elizabeth Truss MP became Prime Minister.

At the Conservative Party conference Ms Donelan promised what sounded like far more far-reaching legislation (see Graham Turner UK Gov Pauses Data Reform Bill | What you Need to Know 4 Oct 2022 Digit News). On 8 March 2023, Ms Donelan withdrew the previous bill and introduced a new Data Protection and Digital Information (No. 2) Bill into the House of Commons.  That Bill has now completed its passage through the Commons and is about to proceed to the House of Lords.

The new Bill consists of 114 clauses divided into 6 Parts with 13 Schedules. 

Part 1 (clauses 1 to 34) and the first 9 Schedules amend the Data Protection Act 2018 and those provisions of the General Data Protection Regulation that are incorporated into the laws of England and Wales, Scotland and Northern Ireland by s.3 of the European Union (Withdrawal) Act 2019 ("UK GDPR") and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019 No 419).

Part 2 (clauses 46 to 60) regulates "digital verification services."   These are defined by clause 46 (2) as "verification services provided to any extent by means of the Internet."  "Verification services" are defined in the same subsection as 

"services that are provided at the request of an individual and consist in—

(a) ascertaining or verifying a fact about the individual from information provided otherwise than by the individual, and

(b) confirming to another person that the fact about the individual has been ascertained or verified from information so provided."

An article by Charlotte Bowyer on Onfido Ltd's website adds that:

"Digital identity verification is how businesses confirm that a customer is who they say they are, online. They do this by assessing personal information and personal data related to an individual."

The technique is used by central and local governments, financial services institutions and other businesses to verify identity, age, qualifications and other personal attributes. 

Part 3 (clauses 61 to 77) permits the Secretary of State and the Treasury to make provision in connection with access to customer data and business data.   "Business data" is defined by clause 61 (2) as 

"(a) information about goods, services and digital content supplied or provided by the trader, 
(b) information relating to the supply or provision of goods, services and digital content by the trader (such as, for example, information about where they are supplied, the terms on which they are supplied or provided, prices or performance), 
(c) information relating to feedback from customers about the goods, services or digital content, and 
(d) information relating to the provision of business data to a person in accordance with data regulations."
"Customer data" means 
"information relating to a customer of a trader, including— 
(a) information relating to transactions between a customer and the trader, and 
(b) information relating to the provision of customer data to a person in accordance with data regulations; 'data holder', in relation to customer data or business data of a trader,"

Clauses 79 to 86 of Part 4 and Sched 10 amend The Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426). The Regulations implement arts 2, 4, 5 (3), 6 to 13, 15 and 16 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector. Clauses 87 to 91 amend Regulation (EU) No. 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market. Reg 910/2014 (also known as eIDAS) regulates electronic identification and trust services, such as verifying the identity of individuals and businesses and authenticating electronic documents.

Clauses 94 to 98 and Sched 11 amend The Births and Deaths Registration Act 1953 to facilitate the electronic storage of the relevant data.  Clause 99 and Sched 12 provide for information standards for health and adult social care and information technology.

Clauses 100 to 103 and Sched 13 establish an Information Commission to enforce the Act.

Anyone wishing to discuss this article may call me on 020 7404 5252 during office hours or send me a message through my contact page.