Data Protection: 2026

Friday, 20 March 2026

Data Protection Litigation: Pre-action Protocol for Media and Communications Claims

There has recently been a surge in claims by individuals seeking to enforce their rights under data protection legislation through litigation. I have appeared in two such claims this week, one in London and another in the Thames Valley. I have also advised in writing and in conference on several more. A surprising aspect of the surge is that the United Kingdom General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 are much more complicated than the Data Protection Act 1998 and the Data Protection Act 1984, which preceded them. Those Acts also provided rights of action, but they were used much less frequently than the present legislation. Another surprise is the infrequency with which parties refer to the Pre-action Protocol for Media and Communications Claims, even though that protocol applies to all data protection claims. In both of the cases in which I appeared this week, observance of the protocol would have made a significant difference to the outcome of the litigation.

Effective Judicial Remedy

Art 79 (1) of the UK GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation) as modified by The Data Protecion, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) entitles data subjects to an effective judicial remedy if they consider that their rights under the Regulation have been infringed as a result of the processing of their personal data in non-compliance with the regulation. That includes a right under art 82 (1) to compensation from a controller or processor for any material or non-material damage that may arise as a result of such non-compliance.

Pre-action Protocols

Para 1 of Practice Direction - Pre-action Conduct and Protocols states that pre-action protocols explain the conduct and set out the steps the court would normally expect parties to take before commencing proceedings for particular types of civil claims. Para 2 warns that a person who knowingly makes a false statement in a pre-action protocol letter or other document prepared in anticipation of legal proceedings may be subject to proceedings for contempt of court. Para 3 states that the objectives of pre-action conduct and protocols are to enable parties to disputes to:

"(a) understand each other’s position;
(b) make decisions about how to proceed;
(c) try to settle the issues without proceedings;
(d) consider a form of Alternative Dispute Resolution (ADR) to assist with settlement;
(e) support the efficient management of those proceedings; and
(f) reduce the costs of resolving the dispute."

Para 4 stresses that a pre-action protocol must not be used by a party as a tactical device to secure an unfair advantage over another party. Only reasonable and proportionate steps should be taken by the parties to identify, narrow and resolve the legal, factual or expert issues. Para 5 adds that disproportionate costs in complying with any pre-action protocol are likely to be irrecoverable. Para 6 states that where there is a relevant pre-action protocol, the parties should comply with it before commencing proceedings. Para 8 reminds parties that litigation should be a last resort. As part of a relevant pre-action protocol, the parties should consider whether negotiation or some other form of ADR might enable them to settle their dispute without commencing proceedings.

Non-compliance with a protocol can be penalized in several ways. For example, para 16 states that a party at fault may be ordered to pay costs on an indemnity basis or a successful party may be deprived of some or all of his or her costs.

Pre-action Protocol for Media and Communications Claims

Although it is not listed among the "Protocols in Force" in para 18 of PD-Pre-action Conduct and Protocols, para 1.1 of the Pre-action Protocol for Media and Communications Claims states that it applies to data protection claims, including those brought by litigants in person. If a party to a claim becomes aware that another party is a litigant in person, he or she should send a copy of the protocol to the litigant in person at the earliest opportunity.

The aims of the protocol listed in para 2.1 are similar to those of the practice direction, namely enabling parties to prospective claims to:

"(a) understand and properly identify the issues in dispute and to share information and relevant documents;
(b) make informed decisions as to whether and how to proceed;
(c) try to settle the dispute without proceedings or reduce the issues in dispute;
(d) avoid unnecessary expense and control the costs of resolving the dispute; and
(e) support the efficient management of proceedings where court proceedings cannot be avoided."

Para 3.1 requires intending claimants to notify intended defendants of their claims in writing at the earliest reasonable opportunity. They are also reminded of the need for proportionality in formulating both the letter of claim and response in para 2.2:

"In formulating both the Letter of Claim and Response and in taking any subsequent steps, the parties should act reasonably to keep costs proportionate to the nature and gravity of the case and the stage the complaint has reached."

The following information should be included in the letter of claim:

the name of the claimant;
the nature of and basis for the entitlement to the remedies sought by the claimant;
any facts or matters relevant to England and Wales being the most appropriate forum for the dispute; and
details of any funding arrangement in place.

Para 3.4 adds that letters of claim in data protection cases should also include:

"any further information necessary to identify the data subject;
the data controller to which the claim is addressed;
the information or categories of information which is claimed to constitute personal data including, where necessary, the information which is said to constitute sensitive personal data or to fall within a special category of personal data;
sufficient details to identify the relevant processing;
the identification of the duty or duties which are said to have been breached and details of the manner in which they are said to have been breached, including any positive case on behalf of the Claimant;
why the personal data ought not to be processed/further processed, if applicable;
the nature and any available details as to any particular damage caused or likely to be caused by the processing/breach of duty complained of; and
Where a representative data protection claim is intended to be brought on behalf of data subjects, the letter of claim should also: set out the nature of the entity which intends to bring the claim and explain how it fulfils the relevant suitability criteria – see Article 80 of the General Data Protection regulation (GDPR); include details of the data subjects on whose behalf the claim would be brought; and, confirmation that they have mandated the representative body to represent them and receive compensation, where applicable."

Defendants are required by para 3.6 to provide a full response to the letter of claim, as soon as reasonably possible. If a defendant believes that he or she will be unable to respond within 14 days (or such shorter time limit as specified in the letter of claim), then he or she should specify the date by which he/she intends to respond.

Para 3.7 requires letters of response to include:

"whether or to what extent the Claimant’s claim is accepted, whether more information is required or whether it is rejected;
if the claim is accepted in whole or in part, the Defendant should indicate which remedies it is willing to offer;
if more information is required, then the Defendant should specify precisely what information is needed to enable the claim to be dealt with and why;
if the claim is rejected, then the Defendant should explain the reasons why it is rejected, including a sufficient indication of any statutory exemptions or facts on which the Defendant is likely to rely in support of any substantive defence;
in a defamation or malicious falsehood claim, the defamatory or false imputation(s) the Defendant contends was conveyed by the statement complained of, if any; and
where the Claimant to a proposed action has indicated his/her intention to make an application to bring the claim anonymously, the Defendant should indicate whether the Defendant accepts such an order would be appropriate and give an indication of the basis for the Defendant’s position."

Para 3.8 reminds parties that litigation should be a last resort, while para 3.9 suggests the following options for parties to data protection disputes:

"(a) without prejudice discussions and negotiations between the parties;
(b) mediation – a form of facilitated negotiation assisted by an independent neutral third party; [and]
(c) early neutral evaluation (ENE) – a third party giving an informed opinion on the dispute (for example, a lawyer experienced in the field of [data protection] or an individual experienced in the subject matter of the claim)......."

Para 3.10 mentions the need to consider offers under CPR Part 36. If a dispute is not settled, para 3.11 encourages parties to undertake a further review of their respective positions, to consider the state of the papers and the evidence in order to see if proceedings can be avoided and, at least, narrow the issues between them which can assist efficient case management.

Finally, parties are referred to other provisions which they might find useful, such as CPR Part 25: Interim Remedies and Security for Costs and CPR PD48 paragraphs 3.1 and 3.2: Part 2 of the Legal Aid, Sentencing and Punishment of Offenders Act 2012 Relating to Civil Litigation Funding and Costs.

Further Information
Anyone wishing to discuss this article further may call me on 020 7404 5252 during UK office hours or send me a message through my contact form at any time.

Wednesday, 11 February 2026

IC fines Data Controller more than £1.2 million for Infringing Art 5 (1) (f) UK GDPR

Jane Lamebert

LastPass UK Ltd Penalty Notice 20 Nov 2025

By para [1] of his penalty notice dated 20 Nov 2025, the Information Commissioner for the United Kingdom ordered LastPass UK Ltd ("LastPass") to pay a penalty of £1,228,283 pursuant to s.155 (1) (a) of the Data Protection Act 2018 for infringing art 5 (1) (f) and art 32 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as amemded ("the UK GDPR").

The Obligation

Art 5 (1) (f) of the UK GDPR provides:

"Personal data shall be

................

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."

Art 5 (2) further provides that the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1, a principle known as "accountability".

Art 32 (1) amplifies the above duty:

"Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."

The Infringement

The Commissioner found that LastPass had infringed arts 5 (1) (f) and 32 (1) between 31 Dec 2021 and 31 Dec 2024 in failing to implement appropriate technical and organizational measures to ensure an appropriate level of security for the personal data for which the company was responsible, and the ongoing confidentiality and integrity of its processing systems and services.

The infringements resulted from allowing employees to access accounts from a personal device, where the latter contained the decryption keys required to access customers’ personal data and combine their personal and employee business accounts so that they could be accessed by a single master password. Because LastPass failed to implement and use appropriate technical and organizational measures, personal data relating to 1,631,410 customers in the UK were unlawfully accessed in two incidents during August 2022.

Enforcement

S.l55 (1) (a) of the Data Protection Act 2018 provides that the Commissioner may, by written notice, require that person to pay to the Commissioner an amount specified in the notice if he is satisfied that a person has failed to comply with any of the provisions of the UK GDPR specified in section 149 (2) of the Act.

Appeal

Para [228] of the penalty notice advised LastPass that it had a right of appeal against both the notice and the amount of the penalty to the First-tier Tribunal (General Regulatory Chamber) (Information Rights) to be exercised within 28 days of the date of the notice.

Civil Liability

In addition to the Information Commissioner's administrative sanctions, anyone who suffers material or non-material damage as a result of an infringement of the UK GDPR has a right to compensation from the controller for the damage suffered under art 82 (1) of the regulation (see Taking your case to court and claiming compensation on the ICO website).

Further Information

Anyone wishing to discuss this article may call me on 020 7404 5252 during UK office hours or send me a message through my contact form.

Sunday, 11 January 2026

Data (Use and Access) Act 2025 - Part 1: Access to Business and Customer Data

Baroness Jones of Whitchurch

Author Roger Harris Licence CC BY 3.0 Source UK Parliament

Jane Lambert

In Data Protection Law Reform (23 Dec 2025), I discussed the Conservative government's proposed Data Reform Bill and its Data Protection and Digital Information Bill. Part 3 of that bill was headed "Customer Data and Business Data" and was intended to create a statutory framework for smart data, that is to say, sharing customer data and business data with third parties who will use that information to create new businesses and services. The previous government set out its plans for smart data in The Smart Data Roadmap in April 2024.

As I mentioned in Data Protection Law Reform, the Data Protection and Digital Information Bill did not complete its passage through Parliament before the 2024 general election. However, as Lady Jones of Whitchurch said on the second reading of the Data (Use and Access) Bill in the House of Lords on 19 Nov 2024, facilitating smart data was in the Labour Party manifesto. In her speech, she said:

"My Lords, data is the DNA of modern life. It is integral to almost every aspect of our society and economy, from NHS treatments and bank transactions to social interactions. An estimated 85% of UK businesses handle some form of digital data, and the UK data economy was estimated to represent 6.9% of UK GDP. Data-enabled UK service exports accounted for 85% of total service exports, estimated to be worth £259 billion, but data use in the UK drives productivity benefits of around 0.12%, which is only one minute per worker per day."

That bill received royal assent on 19 June 2025. I introduced it in Data Use and Access: Structure on 26 Dec 2025.

In that introduction, I said that the Act consisted of 8 parts and 16 schedules. The first of those parts is headed "Access to customer data and business data" and consists of 26 sections. It covers much the same ground as Part 3 of the Data Protection and Digital Information Bill, though Lady Jones said that there had been several important changes to make her bill more focused, more balanced, and better able to achieve its objectives.

The key provision of part 1 is s.1 (1):

"This Part confers powers on the Secretary of State and the Treasury to make provision in connection with access to customer data and business data."

S.2 (1) of the Act enables the Secretary of State or the Treasury to make regulations requiring a data holder to provide customer data to a customer at his or her request or to a person authorized by the customer to receive the data (an “authorized person”), at the customer’s request or at the authorized person’s request.

"Customer data" is defined by s.1 (2) as information relating to a customer of a trader. It includes information relating to goods, services and digital content supplied or provided by the trader to the customer or to another person at the customer’s request. It could be information about

prices or other terms on which goods, services or digital content are supplied or provided to the customer or another person,
how they are used by the customer or other person, or
their performance or quality when used by the customer or another person.

Such data can also include information relating to the provision of information described above or of other information relating to a customer of a trader, to a person in accordance with data regulations. A “trader” means a person who supplies or provides goods, services or digital content in the course of a business, whether acting personally or through another person acting in the trader’s name or on the trader’s behalf.

S.4 (1) enables the Secretary of State or the Treasury to make regulations requiring a data holder to publish business data or to provide it to a customer of the trader to whom the business data relates, or
to another person of a specified description. “business data”, in relation to a trader, means information:

about goods, services and digital content supplied or provided by the trader,
relating to the supply or provision of goods, services and digital content by the trader, such as

where goods, services or digital content are supplied or provided,
prices or other terms on which they are supplied or provided,
how they are used, or
their performance or quality,

relating to feedback about the goods, services or digital content (or their supply or provision), and
relating to the provision of information described above to a person in accordance with data regulations.

There will also be regulations on enforcement, fees, financial services and other matters.

Other than reg 2 (a) of The Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025, which provided for Part 1 of the Act: Access to Business and Customer Data to come into force on 20 Aug 2025, no regulations have been made. There are likely to be further consultations on the secondary legislation, which I shall monitor.

Guidance from the Department for Science, Innovation and Technology accompanying the introduction of the bill on 24 Oct 2024 estimated that the legislation would bring an estimated £10 billion boost to the UK economy over 10 years. Anyone wishing to discuss this article may call me on +44 (0)20 7404 5252 during UK office hours or send me a message through my contact form at any time.