Data and Cyber Update - January 2026

Data Protection | 02/02/2026

Welcome to the latest, bumper, edition of the Stephenson Harwood Data and Cyber Update, covering the key developments in data protection and cyber security law during both December 2025 and January 2026.

In data regulation news, the European Commission and Brazil adopt mutual adequacy decisions; the UK Information Commissioner’s Office (“ICO”) provides a series of updates for the year ahead; and new Commencement Regulations set the commencement date for Section 138 of the Data (Use and Access) Act 2025 (the “DUAA”).

In cybersecurity news, the European Commission defines “important” and “critical” products under the EU Cyber Resilience Act and publishes a new Cybersecurity Package; and the ICO publishes its response to the UK Cyber Security and Resilience (Network and Information Systems) Bill.

In our enforcement and civil litigation update, the Court of Justice of the European Union (“CJEU”) rules that an online marketplace is a data controller for personal data in user ads on its platform; the Single Resolution Board (“SRB”) withdraws its appeal against the European Data Protection Supervisor (“EDPS”) from the EU General Court; and the European Commission issues its first major fine under the Digital Services Act.
 

Data Regulation

European Commission and Brazil adopt mutual adequacy decisions

On 27 January, the European Commission (the “Commission”) and Brazil adopted mutual adequacy decisions, confirming that Brazil’s data protection framework offers a level of protection essentially equivalent to that of the EU GDPR (“GDPR”). Now in effect, the Commission’s decision under Article 45 GDPR allows personal data to flow freely from the European Union (“EU”) to Brazil without the need for additional transfer safeguards (such as standard contractual clauses under Article 46 GDPR); Brazil’s reciprocal decision does the same for data flowing from Brazil to the EU. Practical implications include greater legal certainty, reduced compliance costs and a boost to digital trade between the two regions.

This decision follows the draft adequacy decision published by the Commission on 5 September 2025, which we covered in our September 2025 update here. Before finalisation, the draft received an opinion from the European Data Protection Board (“EDPB”), which acknowledged the alignment between the Brazilian and EU data protection frameworks, and was approved by the EU Member States.
 

ICO updates on access, transfers and enforcement

The start of 2026 has seen a series of developments from the ICO, with the publication of updated guidance and government collaboration. Organisations are encouraged to review these developments to ensure ongoing compliance and readiness for future changes.

Updated guidance on right of access and international transfers

The ICO has revised its guidance on the right of access in response to the DUAA. The update clarifies what constitutes a “manifestly unfounded” data subject access request (“DSAR”) and confirms that organisations need only take a reasonable and proportionate approach when searching for and providing the requested information, a standard that the DUAA codifies. The guidance also reflects the (not yet in-force) DUAA amendment allowing organisations to “stop the clock” on the response deadline while they await clarification from the requester, provided the clarification is “reasonably required” to respond to the DSAR.

The ICO has also made important updates to its guidance on international data transfers under the UK General Data Protection Regulation (“UK GDPR”). The updates focus on clarifying and simplifying the guidance, introducing quick reference FAQs, a glossary of terms and worked examples to support understanding and compliance. The updated guidance includes a practical three-step test to help organisations determine whether they are making a restricted transfer:

  1. Does the UK GDPR apply to the processing of the personal information being transferred? 
  2. Are we initiating the transfer of personal information to an organisation outside the UK? 
  3. Is the organisation we’re transferring the personal information to a separate legal entity? 

Our key takeaways from the updated guidance are as follows:

  1. Contractual location versus geographical location: the most noteworthy point is the ICO’s view that, when considering whether an organisation is transferring personal information to outside of the UK, what matters is the contractual location of the receiving organisation, not the geographical location of the data. For a company or registered partnership, this is the country in which it is registered.

    This means that a restricted transfer could occur even if personal data never factually leaves the UK, depending on the contractual relationships involved. Conversely, a restricted transfer would not occur even if data were being sent to overseas servers, provided the counterparty to the contract is registered in the UK.

    This approach reduces the benefit of taking server space in “adequate” locations, as that alone would not be sufficient if the counterparty entity were registered in a non-adequate third country. It could have significant implications, and will require organisations to assess and safeguard their data flows for UK GDPR purposes with close reference to the relevant contracts, rather than the physical route the data takes.
  2. Initiating a transfer: the guidance confirms the existing position that it is the person who “initiates” the transfer that is responsible for ensuring that the transferred data is properly safeguarded, rather than the person who actually makes the transfer. The guidance offers useful indicators to help organisations determine whether they are “initiating” the transfer: one example given is of a UK controller initiating a restricted transfer to a Mexican processor, even though it is the controller’s UK-based third-party processor that actually transmits the information. The controller would be the initiator responsible for putting safeguards in place in this case.
  3. Remote access: the guidance confirms the commonly accepted principle that making personal information accessible, such as through remote access, constitutes a transfer.
  4. Incorporation by reference: when making restricted transfers, organisations can utilise a pre-approved set of standard transfer clauses – either the international data transfer agreement (“IDTA”) or the international data transfer addendum (“Addendum”). The ICO confirms that both the IDTA and Addendum can be incorporated into a commercial contract by reference, provided that certain specific text references are included in the contract.
  5. Processor to controller transfers: the guidance confirms that when a processor based in the UK transfers data to its controller overseas, this is not a restricted transfer. The logic now given in the guidance is that this is because the processor did not initiate the transfer, but rather the controller did, and the controller (as both initiator and recipient) cannot enter into safeguards with itself. 

Consultation on early settlement of enforcement actions

The ICO recently closed its public consultation on its approach to early settlement in enforcement actions, which ran from 31 October 2025 to 23 January 2026. The consultation sought feedback on proposed discounts for fines where organisations settle early in the enforcement process. The draft guidance proposes a tiered discount structure: 

  • 40% discount for settlement before a Notice of Intent is issued;
  • 30% if settled before representations on the Notice of Intent; and
  • 20% for settlements thereafter.

The final version of the guidance will be published in due course and will reflect responses from this consultation. The ICO Executive Director of Regulatory Supervision describes the guidance as “significantly more detailed than previous guidance on their approach to investigation and enforcement”. 

Memorandum of Understanding with the UK Government

On 8 January, the ICO and the UK Government signed a Memorandum of Understanding (“MoU”) to enhance cooperation on data security. The MoU establishes a framework for collaboration while maintaining the ICO’s independence and the government’s statutory obligations. Its aims include leveraging new technologies to improve public services, fostering economic growth, and ensuring public trust in the use of personal data.

Key actions under the MoU include annual assurance statements on data safety, learning from data breaches, and appointing a Chief Data Officer to oversee cross-government data protection. The ICO will continue to provide guidance, share risk insights, and support government compliance, with a focus on high standards and transparency.
 

New Commencement Regulations confirm commencement date for Section 138 of the DUAA

The Data (Use and Access) Act 2025 (Commencement No.5) Regulations 2026 were made on 15 January, bringing section 138 of the DUAA into force on 6 February 2026. Section 138 of the DUAA amends the Sexual Offences Act 2003 to criminalise creating, or requesting the creation of, a “purported intimate image” of an adult without their consent. As we reported in our January 2026 edition of the Neural Network, this action by the UK government is in response to serious concerns about the use of X’s AI chatbot Grok to generate harmful content.

Our DUAA implementation tracker follows all existing and upcoming changes introduced by the DUAA, along with the ICO’s progress in updating its guidance to reflect these changes.
 

Cyber Security

EU defines “important” and “critical” products under the Cyber Resilience Act

On 1 December 2025, the Commission published Implementing Regulation (EU) 2025/2392 (the “Implementing Regulation”), clarifying which digital products are considered “important” or “critical” under the EU Cyber Resilience Act (Regulation (EU) 2024/2847) (“CRA”).

As a reminder, the CRA will be fully applicable from 11 December 2027, but is being implemented in phases. Two key milestones fall this year. First, from 11 June 2026 the provisions on notifying authorities and the notification of conformity assessment bodies apply, so Member States must have those arrangements in place by then, enabling the third-party assessment procedure under the CRA to operate. Second, the obligations to report actively exploited vulnerabilities and severe incidents apply from 11 September 2026. This second milestone is particularly important because those reporting obligations also apply to products with digital elements already placed on the EU market before 11 December 2027, even though such products are otherwise outside the CRA unless substantially modified.

The Commission sought feedback on its draft technical descriptions for important and critical products with digital elements in early 2025 (see our March bulletin), to support the identification of products that may be subject to more stringent conformity assessment procedures than other products with digital elements.

The Implementing Regulation defines two classes of “important” products. Class I includes identity management systems, VPNs and smart home assistants. Class II covers firewalls, intrusion detection/prevention systems and tamper-resistant microprocessors. “Critical” products, subject to more rigorous oversight, include hardware devices with security boxes, smart meter gateways, and smartcards or similar devices.

The Implementing Regulation clarifies that only products whose “core functionality” matches these descriptions will be subject to the CRA’s enhanced cybersecurity requirements and stricter conformity assessments, including mandatory third-party assessment for class II “important” products and for “critical” products.

Ahead of entry into force of the obligations, businesses should review their product portfolios to determine if they are likely to fall within these categories, determine the applicable conformity assessment procedure, and prepare for any compliance or reporting obligations. The publication of the Implementing Regulation marks a significant step in strengthening the EU’s digital security framework and raising standards for products with substantial security implications.
 

European Commission publishes new Cybersecurity Package

On 20 January 2026, the Commission proposed a new cybersecurity package aimed at updating and strengthening cybersecurity resilience and capabilities in the EU. The package includes a proposal for a revised Cybersecurity Act and targeted amendments to the NIS2 Directive.

The Commission’s initiative reflects a commitment to support businesses in a complex digital landscape, where cybersecurity threats are increasingly prevalent and sophisticated. The amendments are designed to address the need for clearer, more streamlined cybersecurity obligations for companies operating in the EU that are commensurate to the risks posed by cyber threats. By simplifying risk-management requirements and making compliance more accessible, especially for smaller enterprises, the EU hopes to strengthen the overall resilience of its digital infrastructure.

Changes to the Cybersecurity Act include proposals to:

  1. develop a framework to enhance the security of the EU’s ICT supply chains in critical infrastructure and ensure that operators of electronic communications networks do not rely on high-risk suppliers for their critical assets;
  2. simplify and enhance the EU cybersecurity certification framework to ensure “security-by-design”; 
  3. introduce simplification measures to reduce unnecessary administrative burden related to compliance with EU cybersecurity regulations and risk management standards; and
  4. strengthen the role of the EU Agency for Cybersecurity (“ENISA”), in supporting cross-border supervision and mutual assistance.

The proposal attempts to harmonise requirements and obligations (such as incident notification procedures) across a regulatory framework that includes the Cybersecurity Act, the NIS2 Directive, the Cyber Resilience Act, the EU GDPR as well as other sector specific regulations. This approach complements the single-entry point for incident reporting proposed in the Digital Omnibus. Under the expanded voluntary certification framework, entities will be able to certify their overall organisation-wide ‘cyber posture’, in addition to their ICT products, services, processes and managed security services, and use this certification to obtain a presumption of conformity with the NIS2 Directive and other EU legislation.

The proposed amendments to the NIS2 Directive represent a targeted effort to ease compliance and address certain sector-specific requirements. This includes introducing a new category for small mid-cap enterprises, to reduce compliance costs and simplify compliance requirements for these entities. Measures have also been introduced to streamline the collection of data on ransomware attacks and require Member States to adopt policies for the migration to post-quantum cryptography as part of their national cybersecurity strategy.

The changes support the EU’s broader goal of a more competitive digital single market while maintaining high cybersecurity standards. As a regulation, the revised Cybersecurity Act would apply directly in the Member States once adopted by the European Parliament and the Council of the EU and in force, whereas the amendments to the NIS2 Directive would need to be transposed into national law by Member States within one year of adoption by the same institutions.
 

ICO publishes response to the UK Cyber Security and Resilience Bill

The ICO has published its response to the UK Government’s proposed Cyber Security and Resilience (Network and Information Systems) Bill (the “Bill”), which passed its second reading in the House of Commons on 6 January 2026. The ICO welcomes the Bill’s aim to strengthen the UK’s cyber resilience and recognises the importance of robust data protection for all organisations, but calls for practical guidance to help small and medium-sized businesses implement the new requirements. In its response, the ICO highlights the need for clear alignment with existing data protection laws, such as the UK GDPR, to prevent duplication and confusion, and offers to work with the government to ensure cyber security measures enhance both data protection and public trust.

Importantly, the ICO urges transparency and consultation regarding secondary legislation, which will set out many of the Bill’s detailed requirements, emphasising its desire for these regulations to be proportionate and not create unnecessary burdens.
 

Enforcement and Civil Litigation

CJEU rules that an online marketplace is a controller for personal data in user advertisements

On 2 December 2025, the CJEU delivered a landmark judgment in Case C-492/23 (X v Russmedia Digital and Inform Media Press SRL), clarifying the responsibilities of online marketplace operators under the GDPR when user-generated advertisements contain personal data.

The case arose after an unidentified user posted an advertisement on Russmedia Digital’s platform, which contained photographs of the applicant and her telephone number without her consent. The advertisement was subsequently copied to other websites. The applicant sought damages, arguing that the marketplace operator had failed to protect her data.

The CJEU ruled that the operator of the online marketplace was to be considered a controller of the personal data contained in the advertisements published on its platform, even though the content was provided by a user. It found the marketplace operator was not merely a passive host, but played an active role in making the personal data accessible online.

Crucially, the CJEU held that the operator must implement robust technical and organisational measures to identify, before publication, advertisements containing special category (“sensitive”) data. It must verify the identity of the advertiser and confirm whether the individual whose data is being published has given explicit consent. If such consent has not been obtained and no other GDPR exception applies, the advertisement must not be published.

The judgment also makes clear that the online marketplace could not rely on the liability exemptions for hosting providers under the e-Commerce Directive to avoid its GDPR obligations. Furthermore, the operator must take reasonable steps to prevent the unlawful copying and further publication of sensitive data from its platform.

This decision significantly raises the bar for data protection compliance by online marketplaces and other platforms hosting user-generated content, potentially requiring operators to proactively safeguard personal data and ensure that posted content does not infringe individuals’ privacy rights.
 

SRB withdraws appeal against the EDPS at EU General Court

The SRB has withdrawn its appeal at the EU General Court against the EDPS, ending a long-running dispute over the transfer of pseudonymised data during a resolution procedure. The withdrawal follows an important ruling by the CJEU in September 2025, which clarified that pseudonymised data is not necessarily personal data in the hands of a recipient who has no reasonable means of re-identifying the individuals concerned. The CJEU’s decision stands as the current key authority guiding EU regulators on pseudonymised data.

For further background on this case and its implications, see our previous article here.
 

European Commission issues first fine under the Digital Services Act

On 5 December 2025, the Commission issued its first fine under the Digital Services Act (“DSA”). X was fined €120 million for breaching its transparency obligations. The Commission identified infringements in three areas: deceptive design practices with the use of its “blue checkmark” verification system, transparency and accessibility shortcomings in its advertising repository, and failure to provide researcher access to public data. The fine amount took into account the nature and duration of the infringements and the extent of their impact on EU users.

X permits anyone to pay for a “verified” status without conducting meaningful verification checks, making it difficult for users to judge the authenticity of accounts and potentially exposing users to scams. The DSA prohibits online platforms from falsely representing users as verified, when no such verification has occurred. Additionally, X’s ads repository was considered to be missing critical information, and to include access barriers that undermine the purpose of such a repository, and the platform’s terms of service prohibit eligible researchers from independently accessing its public data in contravention of the DSA.

X is required to report within 60 business days on how it intends to address concerns with its verification scheme and, within 90 days, to present measures on remedying the advertising repository and researcher data access.

The decision highlights the potential for significant EU fines in the complex digital landscape, contrasting with the more hands-off approach taken to date in other jurisdictions.
