
Data and Cyber Update - June 2026

Data Protection | 02/07/2026

Welcome to the latest edition of the Stephenson Harwood Data and Cyber Update, covering the key developments in data protection and cyber security law in June 2026.

In data regulation news, we consider the UK Government's announcement of a ban on social media for under-16s and what its reliance on age assurance means for data protection. The new statutory data protection complaint-handling obligations are now in force under the UK’s Data (Use and Access) Act 2025; and the UK Information Commissioner, John Edwards, has resigned following an independent workplace investigation.

In cybersecurity news, we report on the NCSC's reframing of cyber as an ongoing contest, and its warning that AI will be used to exploit ageing systems by 2028.

In our enforcement and civil litigation update, we examine the US Supreme Court decision in Trump v. Slaughter and whether a “Schrems III” case is on the horizon for EU-US data transfers. We look at two rulings from the Court of Justice of the European Union: one on the retention of investigation records where no wrongdoing is found, and one on the right to bring a regulator complaint alongside a court claim. We also consider the High Court's refusal to strike out the Good Law Project's representative UK GDPR claim against Reform UK.

Data Regulation

ICO sharpens expectations on children's data as UK Government announces under-16s social media ban

On 15 June 2026, the UK Government announced that it will ban social media platforms, including TikTok, Instagram, Snapchat, YouTube, Facebook and X, from offering their services to under-16s. Its proposal (outlined in our insight: UK Government announces social media ban for under-16s: Enforcement and Next Steps) is expected to reach Parliament before Christmas and come into force in Spring 2027.

The ICO responded to the social media ban in a statement on 15 June 2026, confirming that working to keep children safe online is a key priority. The ICO emphasised that it is already taking action to ensure social media platforms are preventing access to underage users on their platforms, pointing to its recent fines against Reddit and Imgur.

Exactly how the social media ban will be enforced remains to be seen, but the age verification options likely to be required, including digital ID schemes, facial age estimation or enhanced document checks, will all involve the increased collection of personal data, including biometric data, as organisations move away from reliance on self-declaration. Adults will not be exempt from this processing of their personal data, since a system that verifies age necessarily applies to every user, not only those it is designed to exclude.

The risk in collecting this kind of personal data is not theoretical. In October 2025, Discord suffered a breach in which attackers accessed one of its third-party support providers and stole around 70,000 images of government-issued IDs that users had submitted for age verification. Although Discord's policy was to delete ID scans once age had been confirmed, the leaked images had been retained in its support system to handle age-determination appeals. Age assurance will inevitably increase the volume of sensitive data that businesses hold, so how long the data is kept, and how well it is secured, will become key considerations for ensuring compliance with data protection obligations.

While the Government works on the legislation to underpin its social media ban, organisations should not lose sight of the obligations that already apply to children's data, which the Data (Use and Access) Act ("DUAA") has recently enhanced. Organisations processing personal data in the course of providing information society services likely to be accessed by children must take account of the children's "higher protection matters" threshold when assessing whether appropriate technical and organisational measures are in place. The ICO updated its guidance on children's data on 15 May 2026 to reflect those changes, tightening what it expects on lawful basis, data minimisation, profiling, and designing online services appropriately for children.
 

In force: UK Data Protection Complaint-Handling Obligations

On 19 June 2026, the new complaint-handling obligations under the DUAA came into force for any organisation subject to UK data protection law. Organisations must now operate a formal, documented process allowing individuals to complain directly about how their personal data has been handled, acknowledge complaints within 30 calendar days, and respond without undue delay.

We set out the practical steps organisations should take, including a compliance checklist, here.
 

John Edwards resigns as Information Commissioner

On 19 June 2026, the ICO confirmed that the Information Commissioner, John Edwards, had resigned with immediate effect, the first time in the regulator's 42-year history that its head has left in this manner. Around seven months shy of the end of his five-year term, he has stepped down both as Information Commissioner and as Chair-designate of the new Information Commission. As a Crown appointee accountable to Parliament, rather than an ICO employee, Edwards tendered his resignation to the Department for Science, Innovation and Technology ("DSIT").

Edwards initially stepped back from his duties on 26 February 2026 while an independent workplace investigation took place, with the Deputy Commissioner and Chief Executive, Paul Arnold, covering his responsibilities. The investigation concluded in mid-June 2026 that there was a case to answer, finding that his behaviour fell short of the standards expected of a public official under the ICO's Dignity at Work Policy, its Code of Conduct and the Nolan Principles of Public Life.

In its formal statement confirming Edwards’ resignation, the ICO stated that “Mr Edwards’ actions were completely at odds with our values” and they “do not accept sexual harassment, bullying or discrimination in any form”.

In a public LinkedIn post addressing his resignation statement, Edwards confirmed that his position had become “untenable” and he accepted that on occasions he had “exercised poor judgement and made attempts at humour that were inappropriate and caused offence”.

The Secretary of State for Science, Innovation and Technology, Liz Kendall, gave a markedly stronger account, confirming that she had seen evidence of “the vulgar and highly sexualised language that was used in his interactions with staff”, and was “extremely concerned that he continues to describe these incidents as misplaced humour”.

The departure comes at an awkward moment for the regulator. It leaves the chair of the incoming Information Commission vacant just as the ICO moves from its single-commissioner "corporation sole" model to a board-governed Information Commission under the DUAA, a transition the investigation is understood to have already delayed. This change brings the ICO's governance into line with other major UK regulators, replacing the sole commissioner with a chair, a chief executive and a board of non-executive directors, appointments that had been expected to be announced in summer 2026. For now, Arnold continues to lead the office while DSIT decides how to fill the role on an interim and a permanent basis.
 

Cyber Security

NCSC reframes cyber as a contest, and warns AI will hit ageing systems by 2028

The National Cyber Security Centre ("NCSC") has set out a sharper view of the threat facing UK organisations, with direct consequences for how businesses protect personal data.

In a speech at the RUSI Annual Security Lecture on 17 June 2026, NCSC chief executive Dr Richard Horne disclosed that the NCSC had handled more than 200 incidents affecting UK critical national infrastructure from June 2025 to May 2026, around three-quarters of them believed to be linked to state actors. His central message was that organisations should stop treating cyber as a risk to be managed and quietly tolerated, and start treating it as an ongoing contest that demands continuous effort. The “vulnerabilities that organisations tolerate today”, he warned, “will be exploited in conflict tomorrow”.

For data protection law purposes, this reframing matters, because the ICO assesses "appropriate" security under Article 32 UK GDPR by reference to NCSC guidance. When the NCSC restates and hardens its expectations, that is the same body of guidance the ICO draws on when it assesses whether an organisation's security measures are adequate, so a shift in risk tolerance towards continuous improvement arguably raises the baseline of what controllers are expected to do.

Alongside the speech, the NCSC published an assessment judging it "highly likely" that by 2028 attackers will use AI tools to exploit “known vulnerabilities in legacy technology in our critical national infrastructure” at scale. Horne noted that frontier AI models are already good at finding flaws in widely used software. The same warning runs through the joint Bank of England, FCA and HM Treasury statement on frontier AI models and cyber resilience, and through the ICO's own five-step guidance on AI-powered cyber threats.

These comments serve as a useful reminder that the obligation to keep personal data secure does not stand still. As the threats change, so does the standard for the technical and organisational measures expected of an organisation, and running unsupported or unpatched systems gets harder to defend with each warning of this kind. Ensuring that regular compliance audits are carried out, and remediating legacy technology now where necessary, is the clearest way for organisations to remain compliant.
 

Enforcement and Civil Litigation

Trump v. Slaughter – is a "Schrems III" challenge on the horizon for EU-US data transfers?

On 29 June 2026, the U.S. Supreme Court handed down its 6-3 decision in Trump v. Slaughter, holding that the President may fire the heads of independent executive agencies without cause. The case arose after the White House fired Federal Trade Commission (“FTC”) Commissioner Rebecca Kelly Slaughter in 2025. She sued after her removal, and the Trump administration subsequently appealed a U.S. District Court order reinstating her.

The Supreme Court’s decision overturns a 1935 landmark ruling, known as Humphrey's Executor, which previously limited the president’s power over independent agencies and protected regulators like the FTC from politically motivated removal. In response, privacy activist Max Schrems and his organization, noyb, have swiftly declared that the legal foundation for transatlantic data flows from the EU to the US has been undermined and “the basis for any EU-US data transfer deal is dead”.

Under EU constitutional and treaty law, any authority overseeing personal data transfers must operate free of political interference. Since 2000, the EU has relied on the FTC to be the independent enforcer of commitments made by US companies receiving European personal data. The European Commission’s 2023 adequacy decision, which underpins the current EU-US Data Privacy Framework (“Framework”), makes multiple references to the FTC's independence. Noyb contends that the Supreme Court’s decision removes the constitutional guarantee of that independence.

Whilst the European Commission has not yet signalled any intent to review or suspend the Framework, noyb has warned of an imminent legal challenge before the Court of Justice of the European Union ("CJEU"). Whether styled as "Schrems III" or otherwise, a clear question is being posed: can the EU continue to treat US regulatory oversight as "essentially equivalent" to that of the EU, when the institutional independence that justified that finding has been lost?

This ruling may affect transfer impact assessments conducted by data exporters, and could undermine continued reliance on the Framework as a lawful transfer mechanism in the long term.
 

CJEU limits retention of records where no wrongdoing is found

On 4 June 2026, the CJEU ruled in Case C-312/24 that public authorities cannot retain data from criminal investigations in personnel files when no wrongdoing is found.

The case concerned a Bulgarian police officer who was arrested as a suspect in an internal robbery investigation in 2016. He was not identified by the victims, there was no physical evidence linking him to the offence, and the investigation was suspended without charges being brought. Despite this, the Ministry of the Interior (the "Ministry"), acting as both his employer and as the investigating authority, retained data about his arrest in his personnel file. When he later sat promotion examinations, he was refused on the grounds that he had been arrested.

While the original data collection by the Ministry's internal security directorate fell within the scope of Directive 2016/680 (the Law Enforcement Directive), the subsequent retention of that data in the personnel file for HR purposes was governed by the GDPR.

The CJEU considered whether the retention of such personal data (in this instance in reliance on Article 17(3)(b) GDPR) served a legitimate public interest and was proportionate. Whilst the CJEU accepted that ensuring the probity of police officers is a legitimate aim capable of justifying retention of investigation data where proceedings are ongoing, or have resulted in prosecution or conviction, it drew an important distinction. It held that retention was not justified when investigations are closed with no charges or evidence of wrongdoing. The CJEU further noted that even where initial retention is justified, prolonged retention may become disproportionate over time.

The judgment makes clear that organisations must align investigation-related data retention policies with GDPR requirements, ensuring retention periods reflect and address investigation outcomes and are legally justified.
 

Regulator complaints can run alongside court claims, CJEU holds

Another CJEU case, decided on 18 June 2026, has held that a data protection regulator cannot refuse to deal with a complaint just because the same dispute is already before a court.

The GDPR gives individuals a right to complain to a supervisory authority, and the Court confirmed that this right stands on its own, separate from any claim a person may bring concurrently in the courts.

In Case C-414/24, a doctor asked a review platform to delete some of her personal data, and when it refused, she took two routes at once: a claim in the civil courts and a complaint to the Austrian data protection authority. The authority declined to take the complaint forward, relying on a principle in Austrian law that a dispute must go either to the courts or to an administrative body, but not both. The CJEU rejected that approach. The GDPR, it held, deliberately gives individuals a two-track remedy, and this overrides the national rule. A complaint under Article 77 and a court claim under Article 79 can run in parallel. Regulators keep some room to manage the overlap, as they can suspend a complaint and wait for the court to rule, but they cannot dismiss it outright because litigation is already underway.
 

Good Law Project v Reform UK: representative UK GDPR claim survives strike-out

The High Court has allowed a representative data protection claim brought by the Good Law Project ("GLP") against Reform UK to proceed toward trial, refusing Reform's application to strike it out or obtain summary judgment.

A claim under Article 80 UK GDPR has been brought on behalf of 51 individuals who submitted data subject access requests (“DSARs”) to Reform in the run-up to the last general election, with the support of GLP. GLP says Reform missed the statutory deadline to respond to the DSARs and that its eventual reply, a short message saying it held no record of the sender, was inadequate and caused distress.

Reform's main argument was that GLP had no standing to bring a representative claim under section 187(3) to (4) of the Data Protection Act 2018 (“DPA 2018”). To do so, a body must apply its income to charitable or public purposes, must not distribute its assets to members, must have objectives in the public interest, and must be active in the field of data protection. Reform argued that GLP satisfied none of these conditions.

Mr Justice Murray was not persuaded, finding that GLP had a realistic chance of meeting the requirements and should be allowed to go to trial.

The case is one of the first to look closely at the section 187 DPA 2018 gateway for representative actions, signalling that UK courts may be open to more group claims about data rights, especially when organisations give weak responses to DSARs, potentially making the appropriate handling of DSARs a litigation problem as much as a regulatory one.
