Data risks are prevalent in our fast-paced, data-hungry society. Let us help you manage these risks by bringing you the latest news, updates and insight on what we see as being the biggest data risks out there today.
Below are our recent updates, or for older editions, check out our archive.
Recent updates
Cyberattacks on UK retailers highlight data and cybersecurity risks
27 June 2025
In April and May 2025, sophisticated cyberattacks targeted major UK retailers, including M&S, Co-op, and Harrods, disrupting operations and exposing customer data. Read more here.
ICO’s call to action amid rising cyber attacks
24 June 2024
The Information Commissioner's Office ('ICO') has recently issued a statement urging all organisations to enhance their cyber security in order to protect the personal information they hold. Read more here.
The ICO’s new data protection fining guidance
8 April 2024
The Information Commissioner’s Office (‘ICO’) new data protection fining guidance, published on March 18, 2024, might sound familiar to veterans of other regulatory fining guidelines. Read more here.
UK ICO publishes guidance for platforms when moderating online content
6 March 2024
The ICO has published its first piece of guidance on content moderation, which sets out the data privacy obligations that organisations need to consider. Read more here.
Important CJEU ruling on Cyber attack damages
23 February 2024
Even before the inception of the GDPR there has been lively argument over what damages are available for breach of data protection rights, not least in the leading Vidal-Hall and Lloyd cases, both against Google. Read more here.
ICO’s £7.5m Clearview AI fine overturned
7 November 2023
Despite the overturning of the ICO’s fine for data scraping from the web and social media, there is no green light for this practice in the UK. Read more here.
FCA fines Equifax Ltd £11m following 2017 cyberattack of US parent
7 November 2023
Along with the ICO’s 2018 fine, the Final Notice provides a textbook example of what not to do in a cyberattack. Read more here.
DSARs and Debanking
8 August 2023
In this podcast, we explore the DSAR process through the lens of debanking. With an esteemed panel of experts, we'll navigate the key points, shed light on crucial considerations for data controllers, and unravel the pressing issues that arise in debanking situations. Read more and listen here.
Strike-out of data class action against Google and DeepMind
7 June 2023
The Court has struck out a representative claim brought on behalf of c.1.6 million NHS patients against Google / DeepMind for alleged misuse of private information. The Court found that, to satisfy the “same interest” requirement of representative actions, the claim could only be pursued on the “lowest common denominator” in the patients’ circumstances. Once that had been done, the only common adverse allegation over DeepMind’s processing was the “sheer fact of the loss of control” over the patients’ data. That loss was insufficient to establish the requisite limbs of a misuse of private information claim, or that the data subjects suffered anything more than trivial damages. The decision is significant because, until this strike-out, the claim had been seen as a potential way to circumvent the implications of the decision at the end of 2021 in Lloyd v Google. Read more here.
Meta fined €1.2 billion – Data transfers Q&A
24 May 2023
The fine by the Irish DPC related to Meta Ireland’s transfer of personal data about users of its Facebook service from the EU and EEA to the US. This is the latest development in relation to international transfers of personal data from the EU, an area that has been a recent focus of both regulators and privacy campaigners. The Irish DPC’s decision does not change the law but rather (in light of the severity of the sanctions imposed) emphasises the importance of getting compliance right. We consider some key questions for organisations as well as what they should be focusing on. Read more here.
The ICO fines TikTok £12.7m for failing to protect children's privacy
6 April 2023
On 4 April 2023, the ICO issued a £12.7m fine to TikTok for breaching UK data protection law between May 2018 and July 2020. This is the third largest fine imposed by the ICO to date. The ICO found that TikTok had not done enough to prevent children under 13 from using its platform without parental consent. Read more here.
Court considers application of DPA 2018 legal proceedings exemption
21 March 2023
A Scottish Sheriff Court considered the data protection obligations of an employer in respect of its (former) employee (Riley) when defending an employment tribunal claim brought by another employee, Mr Adamson. Riley sought £75,000 in damages for distress and anxiety after the employer disclosed in the employment claim a number of matters comprising Riley’s personal data. Read more here.
Experian effectively wins appeal against ICO Enforcement Notice
17 March 2023
The First-Tier Tribunal (General Regulatory Chamber - Information Rights) has partly allowed an appeal by credit reference agency Experian against an ICO GDPR Enforcement Notice issued in October 2020 in relation to data processing operations of Experian’s marketing business. Read more here.
Phishing attack leaves Tecnimont USD5 million out of pocket
14 February 2023
The High Court last year rejected a claim by Tecnimont's Saudi subsidiary against NatWest after a fraudster diverted a USD 5 million payment by Tecnimont destined for an Italian Tecnimont subsidiary to a NatWest account in the UK using a phishing attack. Read more here.
A busy start to the year for the Irish Data Protection Commission
12 January 2023
Meta has received two fines from the Irish Data Protection Commission (DPC) for EU GDPR data protection breaches. Read more here.
Discord Inc fined EUR 800,000 by French Regulator
14 December 2022
Last month Discord was given a strong reprimand and significant fine by the French regulator. Read more here.
New ICO guidance on the lawful use of personal data and AI
18 November 2022
The ICO has published recent guidance which includes a series of FAQs to assist with the handling of AI when applied to personal data. Read more here.
ICO’s new approach to public sector enforcement in action
11 November 2022
The Department for Education has avoided a penalty in line with the Information Commissioner's Office new approach to enforcement against public sector organisations. Read more here.
ICO publishes draft guidance on privacy enhancing technologies
11 October 2022
This article provides an update on the ICO’s publication of its draft guidance on PETs, and a high-level summary of what is included in the draft guidance. Read more here.
New plans to replace UK GDPR
7 October 2022
On 3 October 2022, Michelle Donelan, Secretary of State for Digital, Culture, Media and Sport, gave a speech announcing (new) plans to replace UK GDPR. Read more here.
Self-Driving Vehicles: Is the future closer than we thought?
25 August 2022
On 19 August 2022, the government published a report by the Centre for Data Ethics and Innovation (CDEI) entitled “Responsible Innovation in Self-Driving Vehicles”. Read more here.
Google and DeepMind face claim for unauthorised use of NHS medical records
22 August 2022
Mr Andrew Prismall is suing Google and its subsidiary DeepMind on behalf of 1.6 million NHS patients under a claim in misuse of private information. Read more here.
UK-US Data Access Agreement – Now (nearly) live
4 August 2022
The Data Access Agreement will significantly increase the ability of UK enforcement agencies to obtain data from US multinationals falling within its scope. Read more here.
China fines Didi USD 1.18 billion for data violations
21 July 2022
China’s ride-hailing conglomerate Didi Global Inc was fined RMB 8.026 billion (approx. USD 1.18 billion) for violations of cybersecurity and data related laws. Read more here.
UK Government tables a bill to reform the UK’s data protection regime
19 July 2022
A summary of key takeaways for businesses from the UK Government’s Data Protection and Digital Information Bill, introduced to Parliament on 18 July 2022. Read more here.
ICO25 plan
18 July 2022
The ICO published its new strategic plan, ICO25 – we recap some of the key points relating to safeguarding and empowering people, business and enforcement. Read more here.
Foreign Interference Offence to be created by the National Security Bill
7 July 2022
"We need the big online platforms to do more to identify and disrupt [disinformation]" (Damian Hinds, Minister for Security). This week the Department for Digital, Culture, Media & Sport announced that an amendment linking the National Security Bill with the Online Safety Bill will be tabled.
Digital twins: a new frontier
28 June 2022
We explore the legal implications of digital twins, including an overview of the technology and its applications, as well as some of the key legal risks. Read more here.
UK Information Commissioner’s Office (ICO) fines Clearview AI £7.5m
25 May 2022
On 23 May 2022, the UK’s ICO announced that it had fined Clearview AI, a US-based facial recognition firm, £7.5 million. Read more here.
EU Data Act proposals
12 March 2022
The EC published its proposals on the EU Data Act in February 2022 – we recap some of the key points. Read more here.
Ticketmaster settles class action for 2018 data breach
18 February 2022
Ticketmaster class action settled, which may lift the stay on the ICO fine appeal linked to the 2018 data breach. Read more here.
UK government consults on changes to cyber resilience legislation
15 February 2022
The UK government is consulting on proposals for legislative reform to improve the cyber resilience of organisations. Read more here.
Belgium DPA rules adtech consent framework in breach of GDPR
14 February 2022
The Belgium Data Protection Authority finds IAB Europe’s Transparency and Consent Framework in breach of the GDPR rules. What’s next for the ad tech industry? Read more here.
The new UK international data transfer contract documentation
8 February 2022
We take a first look at the UK’s new international data transfer agreement and addendum and look at the practical implications of them for organisations. Read more here.
ICO consults on its regulatory responsibilities
25 January 2022
The ICO is consulting on three documents which, taken together, cover how it aims to carry out its regulatory responsibilities and its mission to uphold information rights for the UK public. The consultation is open until 24 March 2022 and the ICO intends to publish updated documents later this year, including an updated Regulatory Action Policy. Read more here.
The ICO issues an Opinion on data protection expectations for online advertising proposals
7 January 2022
As AI becomes increasingly prevalent, the ICO sends a clear message that companies need to be more vigilant than ever when handling personal data. Read more here.
Clearview AI Inc receives provisional ICO fine of £17m
9 December 2021
The UK authority has published an Opinion setting out the expectations it has on new advertising technologies (“adtech”). The Opinion acts as a guidance to market participants in relation to their demonstration of compliance with data protection by default and design. Read more here.
Lloyd v Google: closing floodgates and opening doors?
18 November 2021
The Supreme Court has held that there is no entitlement to damages for the mere loss of control of data and prevented representative actions to bring such claims. Read more here.
Decision in Lloyd v Google
10 November 2021
The Supreme Court unanimously allowed the appeal in the case of Lloyd v Google. This is a positive outcome for data controllers of all sizes and will have significant impact on claims in this area going forward. Hear our team’s instant reactions to the judgment in a short 6 minute video here.
GCHQ to deploy offensive cyber operations to deter cybercrime
9 November 2021
As ransomware attacks double in only a year, GCHQ signals that its campaign against international cyber criminals will escalate. Read more here.
Ransomware and spyware: the “most immediate danger to UK businesses”
8 November 2021
As attackers grow increasingly sophisticated, ransomware is now the "most immediate danger to UK businesses". Read more here.
High Court rules there is no liability for a de minimis data breach
5 November 2021
The recent High Court judgment in Rolfe & Ors v Veale Wasbrough Vizards LLP is welcome guidance for data controllers on the approach the High Court will take in claims concerning a one-off data breach. Read more here.
Ireland’s balance between Big Tech and data privacy
4 October 2021
Ireland faces increasing criticism over its lack of enforcement of EU data protection rules against Big Tech. Read more here.
The UK GDPR - A New Regulatory Regime
17 September 2021
Is the first post-Brexit revision of the GDPR in the UK a bold step that will position UK businesses well to take advantage of data and technology advances? Read more here.
Amazon faces record GDPR fine
2 August 2021
Amazon has disclosed that it is facing a €746 million fine from the Luxembourg data protection regulator. See more here.
Data breach claimants lose bid for anonymity in courts
30 July 2021
In a judgment of the High Court, the Claimant’s application for anonymity and reporting restrictions that would prevent their identification was refused. See more here.
British Airways flying high as data-breach compensation claim settles
12 July 2021
British Airways have managed to (largely) draw a line under what is thought to be the biggest claim for a data breach in British legal history – ending in a settlement between the company and most of the individuals bringing a claim against it. See more here.
Head in the clouds: Australia passes US CLOUD Act-style law
7 July 2021
In the latest addition to a growing cross-border framework, the Australian Parliament has passed a Bill which expands local authorities’ data collection powers. See more here.
Colonial Pipeline: a victory in the fight against ransomware hackers
14 June 2021
The FBI has recovered approximately 64 bitcoin that was paid by Colonial Pipeline to cyber-hackers following a ransomware attack. This development raises important questions for participants in the crypto-currency market, as well as for businesses more generally. However, it comes at a time when the threat posed by ransomware attacks looms larger than ever; whilst the recovery of these crypto-assets is no doubt an important victory in the fight against such attacks, the need for caution remains paramount. See more here.
Cyberattack: when paying the ransom does more harm than good…
10 June 2021
The French Cybersecurity Agency has published a report on cyberthreats in France, discouraging the victims of a ransomware attack from paying the ransom. Read more here.
Robin Hood hackers: hackers turn social justice warriors
28 May 2021
How the rise of socially aware cyber criminals influences public reaction and impacts corporate response. Read more here.
Ransomware attacks: the next level?
7 May 2021
Criminals are always looking for new ways to make money, and information that has recently come to light on the Dark Web suggests that cybercriminals are beginning to take a more sophisticated and enterprising approach to ransomware attacks. This UpData article considers the tactics being deployed and the likely motivations driving them. Read more here.
Ticketmaster data breach fine – appeal stayed until 2023
24 April 2021
Ticketmaster UK v the Information Commissioner: Tribunal grants stay of proceedings over 2018 data breach that resulted in fine of £1.25m. Read more here.
The sixth annual Cyber Security Breaches Survey: a tension between business continuity and cyber security?
6 April 2021
The UK Government’s Department for Digital, Culture, Media & Sport has released its annual Cyber Security Survey, which provides a helpful snapshot of how businesses have been dealing with cyber security issues in the context of the pandemic. As the survey responses demonstrate, businesses are increasingly finding that they face a tension between continuity and flexibility on the one hand and cyber security on the other. Cyber security processes and policies must therefore adapt to new working practices if they are to provide adequate protection against the latest cyber threats. See more here.
Court of Appeal refuses to exclude evidence obtained by phishing
30 March 2021
The Court of Appeal has refused to exclude evidence of fraud on the grounds that it had been unlawfully obtained by means of a ‘spear phishing’ attack. Read more here.
Microsoft Exchange Server data breach
15 March 2021
A malicious large-scale hacking of Microsoft’s Exchange Server may have affected hundreds, if not thousands, of UK servers. Subject to the full extent of the hack, enforcement activity by data privacy regulators and civil claims by victims may follow. Read more here.
The ICO launches its Data Analytics Toolkit
1 March 2021
The ICO has published a toolkit to help organisations considering using data analytics. The toolkit encourages organisations to embed data protection principles into their data analytics projects from the outset and recognise the risks to user privacy. The hope is that the toolkit will help organisations – particularly those with more limited resources – recognise the risks of processing large quantities of personal data and reduce the risk of non-compliance. See more here.
Data breaches, investigations and parallel civil proceedings
22 February 2021
An uptick in regulatory enforcement, the impact of the pandemic and pending court decisions suggest a rise in parallel proceedings risk following data breaches. In particular, the wave of representative actions issued against companies in recent months has emphasised the significance of the upcoming Supreme Court decision in Lloyd v Google. If these actions proceed, data class actions will almost inevitably become a hugely significant and complex part of the litigation landscape for – given the pervasiveness of personal data in the modern economy - almost all corporates in every sector. See more here.
British Airways - £1m advertising costs not recoverable
11 February 2021
The High Court has held that advertising costs incurred by lawyers leading the group litigation against British Airways are not recoverable. Read more here.
Data breach risk: dangers of the dark web
5 February 2021
Recent reports of customer details held by several companies ending up on the dark web point to rising dangers of data breaches for companies. Read more here.
German GDPR fine for camera surveillance in warehouse
19 January 2021
eCommerce company used video surveillance on workers without justified suspicion. Read more here.
Investigations Outlook 2021: Data Protection
11 January 2021
We've published our predictions for the outlook for investigations in 2021. In particular, we think companies should continue to treat data protection and network security as a priority as the ICO accelerates its enforcement activity, which will likely prompt a material increase in the level of fines enforced in 2021 vs 2020. See more here.
Ticketmaster is fined £1.25m for data breach
17 November 2020
The Information Commissioner has issued Ticketmaster a £1.25m fine for a customer data breach linked to a chat bot. Read more here.
Marriott penalty notice: The download
16 November 2020
The fine faced by US hotel chain Marriott International Inc is significantly less than what was originally suggested by the ICO in July 2019, reduced from £99m to £18.4m. Read more here.
Webinar - The future of DSARs: New ICO guidance
9 November 2020
The ICO published its new finalised guidance on Data Subject Access Requests (DSARs). Find out more here.
The European fight against cybercriminals: ‘cyber sanctions’
6 November 2020
Our Dutch colleagues David Schreuders and Nosh van der Voort comment on the EU's cyber-sanctions regime and the recent imposition of new sanctions on individuals who are held responsible for the cyber-attack on the German Bundestag in 2015. Read more here.
DSARs - ICO publishes new detailed guidance
4 November 2020
We have a look at some of the key changes, and the implications for how companies handle their DSAR obligations. Read more here.
Marriott is fined £18.4m for massive data breach
30 October 2020
The UK’s data protection supervisory authority, the Information Commissioner, has issued Marriott International with a £18.4m fine for a data breach. Read more here.
Cybersecurity and ransomware
29 October 2020
Recent developments in the Netherlands. Read more here.
The ICO takes action against Experian’s ‘invisible processing'
28 October 2020
The ICO orders Experian Limited to make fundamental changes to how it handles people’s personal data within its direct marketing services. Read more here.
DSARs – ICO publishes new detailed guidance
22 October 2020
On 21 October 2020, the ICO published its new right of access detailed guidance. Read more here.
British Airways penalty - reduction or reformulation?
22 October 2020
Part 2 in our series on the ICO’s long awaited and much reduced fine against BA: the detail of the calculation explained in the Penalty Notice suggests that data controllers should not leap to the conclusion that the ICO has significantly reduced its expectations for the quantum of future fines. See our article by Supervising Associate Tom Bowen here.
British Airways Penalty Notice: the download
22 October 2020
Part 1 in our series on the ICO’s long awaited fine of British Airways summarises the key points set out in the ICO’s 144-page decision. See our article by Associate Bryony Couchman here.
British Airways fined £20m over data breach
16 October 2020
The ICO’s long awaited fine of BA has been announced. The £20m figure is much reduced but still a very significant amount and a step change in UK data protection enforcement. Read more here.
Ransomware attacks remain on the increase
13 October 2020
The insurance industry has suffered two major cyber-attacks in recent weeks. Read more here.
New guidance from the ICO – finally some clarity on GDPR fines?
9 October 2020
The ICO has published draft guidance on its regulatory and enforcement activities. The guidance provides valuable insight on how fines will be calculated. We also engage in some idle speculation about how the ICO might be going about calculating any fine to be paid by BA. Read more here.
Regulator issues €35.3m fine against H&M for data protection violation
8 October 2020
The Hamburg Commissioner for Data Protection and Freedom of Information has issued a €35.3m fine against H&M for data protection violations. See the article by Sophie Sheldon of our ICT Team here.
Law enforcement without borders: The US-UK Data Access Agreement
2 October 2020
Our colleagues in Simmons & Simmons’ white collar crime team have published an update on the UK-US bilateral data access agreement, which enables law enforcement to request data directly from tech companies based abroad. The agreement is an example of both the increasing strength and necessity of international law enforcement collaboration, but a lack of clarity in its implementation is likely to prompt considerable data protection litigation in due course. See here.
The FinCEN Files – Data protection concerns
24 September 2020
The leak of suspicious activity reports from FinCEN has raised GDPR & data protection issues amongst other concerns. Read more here.
Floodgates open in respect of data breach representative actions
18 September 2020
The tide continues to rise in respect of opt-out representative class actions, with a class action now issued against YouTube in the UK High Court. Read more here.
Cyber-attacks during lockdown: small/medium companies most vulnerable
17 September 2020
Increased cybersecurity concerns seem to have hit small and medium sized organisations hardest but this coronavirus surge in cyberattacks does not yet appear to have shown up in regulatory reports. See our article here.
Data breach representative actions: hints at a rising tide?
1 September 2020
Whilst we await the Supreme Court's decision in Lloyd v Google, the door remains open for claimant groups to litigate data breaches/misuse under the precedent set by the Court of Appeal. One such claim, against Marriott Hotels, has just been filed and another is anticipated.
British Airways, data breach fines and credibility
20 August 2020
The long delay and apparent dramatic reduction in the fine the ICO is likely to impose on British Airways in respect of its 2018 data breach poses challenges for the market perception of the regulator and throws into sharp focus the current dominance – notwithstanding the feted status of the GDPR - of US regulators in relation to data protection enforcement. See our comment piece here.
Important Supreme Court decisions on vicarious liability
1 April 2020
COVID-19: Navigating cybersecurity risks
19 March 2020
This article looks at how to navigate the cybersecurity risks associated with COVID-19.
Cyber extortion – how should insurers respond?
13 January 2020
The cyber-attack on Travelex serves as a cautionary reminder to insurers of considerations and risks involved when responding to extortion threats. This article explores issues arising from cyber extortion incidents.
Archive
- UpData Bulletin December 2019
- UpData Bulletin November 2019
- UpData Bulletin Summer 2019
- ICO updates guidance on DSAR response time limits
- SARs: a tool for identity theft
- US regulator imposes fine on Facebook
- FOI exposes cyber weaknesses in financial services
- The ICO intends to fine Marriott
- British Airways – the ICO shows its teeth
- FOI request – increase in reported cyber incidents
- Data Controller DSAR obligations clarified
- Prosecutions for snooping employees
- German competition regulator restricts Facebook data use
- PRA: Ignore silent cyber exposures at your peril
- Largest fine yet under the GDPR levied against Google by the French Data Protection Regulator
- Disputes – What to look out for in 2019: Data, contentious regulatory and litigation
- Extent of cover for silent cyber losses – a novel approach
- The ICO 1-0 Cambridge Analytica
- The legality of cyber extortion payments
- German regulator continues trend for low GDPR fines
- FCA speech re-emphasises its position on technology and cyber resilience
- First criminal sentence obtained by the Information Commissioner’s Office (ICO)
- COA upholds vicarious liability finding
- Judge dismisses officious collective action brought against Google for alleged breaches of data protection legislation
- A thoroughly modern approach to dealing with cyber fraud
- CMA considers pricing algorithm effects on competition
- FCA fine Tesco Bank £16.4m for failures in 2016 cyber-attack
- European Commission announces antitrust probe into Amazon data use
- Cold calls put on ice by new legislation
- Data protection, bigamy and Facebook: an unusual trio
- Data privacy and human error: a cautionary tale
- The ICO updates on its largest investigation to date
- Recent ICO penalties for cyber-security failings
- The increasing risk of the data leak class action
- The GDPR litigation pipeline
- Using the Civil Procedure Rules to ensure crime doesn’t pay
- Can the ICO handle the truth?
- Facebook, Cambridge Analytica and the ICO
- Enemy at the Gates? The cybersecurity threat posed by outsourcing, partnering and professional advisors

















