Data law | UK Regulatory Outlook March 2026

Published on 26th March 2026

UK: ICO fines Reddit £14.47 million for children's privacy failures | ICO's open letter to platforms on strengthening age assurance | Court of Appeal confirms data controllers' security duty applies regardless of hacker's ability to identify individuals | ICO issues fine and reprimand to Police Scotland for data security and breach reporting failures | International data protection authorities (including ICO) issue statement on privacy risks of AI-generated imagery | EU: EDPB identifies problems preventing the full implementation of the 'right to be forgotten' under EU GDPR | Digital Omnibus proposal update 

UK updates 

ICO fines Reddit £14.47 million for children's privacy failures 

The Information Commissioner's Office (ICO) has fined the social media platform Reddit £14.47 million for failing to use children's personal information lawfully on its platform, in breach of UK data protection law and the standards set out in the ICO's Age Appropriate Design Code (also known as the Children's Code). Key failings highlighted by the ICO include Reddit's lack of robust age assurance mechanisms and failure to carry out a data protection impact assessment to assess and mitigate risks to children.  

See this Insight for more information.  

ICO's open letter to platforms on strengthening age assurance  

The ICO has published an open letter to social media and video-sharing platforms, calling on them to "act now" to strengthen age assurance measures to ensure that young children are not accessing services that are not designed for them. The letter follows closely on the ICO's fine imposed on Reddit (see above). 

The key points are: 

  • Where a platform sets a minimum age (for example, 13), it generally has no lawful basis to process the personal data of children below that age. Platforms must therefore prevent access to children under their minimum age by implementing an effective age gate.
  • In those circumstances, self-declaration is not an effective age assurance method and the ICO expects platforms to make use of current viable technologies when enforcing minimum age requirements. The ICO's recent fine against Reddit demonstrates that it is prepared to act swiftly where age assurance measures are ineffective.
  • Viable, privacy-friendly age assurance technologies are now available, such as facial age estimation, digital ID verification and one-time photo matching. Platforms are expected to deploy such measures, provided that they comply with data protection law. The technology deployed must be lawful, fair, proportionate and secure, must minimise data collection, and must be clearly explained to users in an age-appropriate manner. 

The ICO makes clear that it is actively monitoring practices and has begun direct engagement with the highest-risk services, expecting them to strengthen their measures within two months. It highlights that regulatory action may follow if platforms fail to cooperate. 

The ICO points organisations to its updated opinion on age assurance for guidance on selecting and deploying these measures.

Court of Appeal confirms data controllers' security duty applies regardless of hacker's ability to identify individuals 

The ICO has succeeded in its appeal against the decision of the Upper Tribunal in the case of DSG Retail Limited (DSG). The ICO had fined DSG £500,000 under the Data Protection Act 1998 (DPA 1998) in 2020, following a cyber attack in which attackers scraped transaction details from point-of-sale terminals, obtaining card numbers and expiry dates but, in most cases, not the cardholders' names or other identifying information. The First-tier Tribunal upheld the penalty, but the Upper Tribunal found in DSG's favour. 

The ICO's appeal to the Court of Appeal concerned the scope of the "security duty": the obligation on data controllers to take "appropriate technical and organisational measures" to protect personal data. The court assumed that the cardholders were identifiable to DSG but not to the attackers. The Court of Appeal held that whether or not the hacked data constitutes personal data from the perspective of the hacker is irrelevant for the purposes of the security duty; if the controller can identify the individuals from the data, it must secure that data.

While the case was decided under the DPA 1998 (since the breach pre-dated the UK GDPR), it is likely that the court would have reached the same conclusion under the UK GDPR and the Data Protection Act 2018.  

ICO issues fine and reprimand to Police Scotland for data security and breach reporting failures 

The ICO has issued a £66,000 fine and a reprimand to Police Scotland for serious failures in handling sensitive personal information. Following an individual's report of an alleged crime, Police Scotland extracted the entire contents of their mobile phone without adequate safeguards, collecting a substantial volume of highly sensitive information unrelated to the investigation. The unredacted content was subsequently included in a misconduct disclosure bundle and shared with an unauthorised third party. 

The ICO found that Police Scotland failed to: (i) implement appropriate organisational and technical measures to ensure data security; (ii) limit data sharing to what was strictly necessary; (iii) ensure that staff followed clear guidance and procedures; and (iv) report the breach to the ICO within the required 72-hour timeframe. 

While the context of the fine is very specific to law enforcement, there are some broader points arising from it which are notable: (i) the ICO's public sector enforcement approach means that it does not generally fine public sector bodies – this case was evidently sufficiently egregious; and (ii) one of the infringements was that Police Scotland failed to notify the ICO of the breach in time – it contacted the ICO helpline 13 days after becoming aware of the breach. 

International data protection authorities (including ICO) issue statement on privacy risks of AI-generated imagery 

See AI section.  

EU updates 

EDPB identifies problems preventing the full implementation of the 'right to be forgotten' under EU GDPR  

The European Data Protection Board (EDPB) has adopted a report on its Coordinated Enforcement Framework (CEF) action on the right to erasure under Article 17 of the EU GDPR. The right to erasure was chosen for the CEF action in 2025 as it is one of the most frequently exercised GDPR rights and a consistent source of complaints to Data Protection Authorities (DPAs) across the EU. 

The DPAs identified seven main compliance failures: 

  • lack of appropriate internal procedures for handling requests;
  • absence of, or inadequate, training;
  • insufficient information provided to individuals;
  • misuse of, and legal uncertainty surrounding, the exceptions available to deny erasure requests;
  • difficulties in defining and implementing data retention periods;
  • deletion of personal data in the context of back-ups; and
  • difficulties with the use of anonymisation as a means of responding to erasure requests. 

As the right to erasure is not an absolute right, some controllers face difficulties in assessing and applying the applicable conditions for the exercise of this right, including in carrying out the relevant balancing tests between the right to erasure and other rights and freedoms. 

The report sets out a series of recommendations addressing each of the issues identified, aimed at improving controllers' compliance with the right to erasure. 

Digital Omnibus proposal: progress update  

Discussions among EU institutions on the Digital Omnibus Regulation, the European Commission's proposal to make significant changes to the EU GDPR and other data legislation, are ongoing. 

Separately, the EU legislative procedure on the Digital Omnibus on AI, which proposes changes to the EU AI Act, is progressing rapidly. The Council of the EU has adopted its position and the European Parliament is close to finalising its own position. 

See Osborne Clarke's Digital Omnibus microsite for the latest updates. 
