The Lens Newsletter - September 2025

ICO Issues First Guidance on Distributed Ledger Technologies

The UK Information Commissioner’s Office (ICO) has followed the European Data Protection Board (EDPB) in issuing draft guidance on Distributed Ledger Technologies (DLTs), with finalised guidance expected in the winter of 2025/26. The ICO’s... Read more

Cookie catch-up: What you need to know about the CNIL’s Google and Shein fines (and other summer developments)

At the start of September, the French data protection authority (the CNIL) issued record breaking cookie penalties against Google (€325 million) and online fashion retailer Shein (€150 million). With the UK’s cookie penalties set to increase at... Read more

As the Data Act becomes applicable, what do you need to know?

The EU’s flagship Data Act starts to apply today (12 September), marking a new phase for data sharing in the EU. The Data Act, an EU regulation (2023/2854), promises to enhance the EU’s data economy and facilitate data-driven innovation by... Read more

Ransomware Reform: UK Government confirms it will push ahead with new ransomware rules

Ransomware remains one of the most serious cyber threats facing the UK today, costing the economy millions and threatening the functioning of a wide range of organisations, including those in critical sectors. In response, the UK Government.... Read more

The fair necessities: DMCC Act and unfair commercial practices under the microscope 

Earlier this year, the majority of the unfair commercial practices (“UCPs”) provisions in the Digital Markets, Competition and Consumers Act 2024 (the “DMCC Act”) came into force and the Competition and Markets Authority (CMA) published guidance... Read more

Data claims must be proved: lessons from the Court of Appeal on non-material damage

Ever since Lloyd v Google [2021] stemmed the flow of mass data protection litigation, potential claimants have sought new ways to bring claims against controllers that, by accident or design, have ‘mishandled’ individuals’ their data. The... Read more

FCA shares cyber resilience insights from 2024 industry discussions

The FCA has published a summary of discussions held throughout 2024 with industry members of its Cyber Coordination Group (CCG) programme, offering valuable insights for regulated firms navigating the cyber threat landscape. The insights centre on... Read more

Recent retailer attacks shine spotlight on the Computer Misuse Act

Ransomware has been very much in the headlines recently, from the retailer attacks on M&S, Co-op and others, to the government’s recent decision to proceed with its ransomware proposals (blog). The fact that the National Crime Agency has,... Read more

What do the open source exemptions for GPAI models mean for you? The EU AI Act Guidelines provide some clarity

The EU AI Act’s GPAI rules came into force on 2 August. To help organisation’s comply, the Commission has published Guidelines on the scope of the obligations for general-purpose AI models. Although non-binding, the guidelines explain how the... Read more

Zalando loses its challenge against DSA VLOP designation

On 3 September 2025, the General Court of the European Union delivered the first major judicial interpretation of the DSA in its dismissal of Zalando’s challenge against its designation as a “very large online platform” (“VLOP”) under the... Read more

When deletion becomes a breach: ICO fines Birthlink for destroying irreplaceable data

Enforcement action in respect of GDPR data deletion requirements is rare in the UK and the EU, and even more so when the issue is excessive deletion. But on 28 July, the Information Commissioner’s Office (ICO) issued an £18,000 fine to Birthlink,... Read more

Just in time! EU AI Office publishes template for summarising GPAI training content

Following hot on the heels of the General Purpose AI (GPAI) guidelines and Code of Practice, the European Commission’s AI Office has recently published its long-awaited template for publicly summarising the... Read more

Smart data progress report: FCA/ICO statement confirms Open Finance in the pipeline

Legislation is now in place to revolutionise access to customer data in the UK by enabling new ‘smart data’ schemes to come to fruition. A recent joint statement from the UK’s data privacy and financial regulators (under the umbrella of the... Read more

Digital Fairness Act: European Commission launches consultation and call for evidence

On 17 July 2025, the European Commission launched a long-awaited public consultation and call for evidence to inform its upcoming proposal for a new EU Digital Fairness Act. The legislative initiative contributes to the growing... Read more