Welcome to the latest edition of the Stephenson Harwood Data and Cyber Update, covering the key developments in data protection, digital regulation and cyber security law in May 2026.
In data regulation news, we cover the ICO's finalised Storage and Access Technologies guidance; the entry into force of the Crime and Policing Act 2026 (“CPA”) and the Children’s Wellbeing and Schools Act 2026 (“CWSA”); the Canadian DPA’s finding that OpenAI violated privacy law in its initial ChatGPT training; and the entry into effect of the statutory “right to complain” under the Data (Use and Access) Act 2025 on 19 June 2026.
In cybersecurity news, we report on the King's Speech 2026 and the Government's decision to frame the Cyber Security and Resilience Bill alongside national security legislation and the first significant reform of the Computer Misuse Act 1990 in over three decades.
In our enforcement and civil litigation update, we examine what appears to be the ICO's first application of its draft tiered settlement discount framework, following the £963,900 penalty issued to South Staffordshire Plc and South Staffordshire Water Plc.
The ICO has published its finalised guidance on storage and access technologies under Regulation 6 of the Privacy and Electronic Communications Regulations 2003 ("PECR"). The guidance, which replaces the ICO's previous cookie guidance, takes a broader and more technology-neutral approach. It reflects the wide range of technologies now used to store information on - or access information from - users' devices; practices that now extend beyond traditional cookies to encompass tracking pixels, device fingerprinting, and other similar techniques. The guidance reflects recent consultations and changes to PECR made by the Data (Use and Access) Act 2025 (“DUAA”), which are already in force.
The guidance includes two new sections that address key questions from organisations:
Key practical points of interest for organisations include the coverage of the new DUAA exemptions from the PECR consent requirements. We noted points such as:
- confirmation that whether tracking is strictly necessary for a service requested by the user must be assessed from the user’s point of view;
- measuring the effectiveness of ads does not require a separate consent of its own;
- the new DUAA “statistical purposes” exemption from consent may only be relied on if that data is not also used for any other purposes; and
- the ICO’s view that trying to apply another lawful basis such as legitimate interests for subsequent processing where you originally obtained consent to tracking is not only “entirely unnecessary”, it may also render the original consent request invalid.
As well as developing this guidance, in its statutory capacity as an independent expert adviser, the ICO carried out a research project in parallel for the Department for Science, Innovation and Technology ("DSIT") that analysed online advertising models and user engagement. The ICO’s report was published mid-May, setting out its findings from the project and providing evidence-based input and advice to support the government in its public policy development.
In its report the ICO notably considers how Regulation 6 of PECR could be amended to allow certain “privacy-preserving” forms of online advertising to operate without consent, while continuing to require consent for advertising that involves intrusive tracking and profiling people over time and across services. The ICO has submitted evidence on the same to the UK Government, which may decide to introduce further exemptions in due course, making it easier to engage in advertising-related activities in the UK.
The UK’s approach to regulating AI chatbots is shifting rapidly in an effort to keep pace with technological change and address the risks of online harm, particularly for children.
The Crime and Policing Act 2026 (“CPA”) and the Children’s Wellbeing and Schools Act 2026 (“CWSA”) both received Royal Assent at the end of April 2026. These Acts are significant not only for what they do now, but for the regulation-making powers they unlock.
We explored what these changes mean for AI chatbots and the wider digital landscape in an article published at the end of May: AI Chatbots Facing Tighter Rules Under New Laws.
On 6 May 2026, Canada's federal privacy commissioner and counterparts from British Columbia, Alberta, and Quebec announced the findings of a joint investigation into OpenAI. All four regulators concluded that OpenAI had violated Canadian privacy law in the development and training of its early ChatGPT models, including the GPT-3.5 and GPT-4 models. The decision is among the first findings by a national privacy regulator that training a mass-market AI model on scraped internet data breaches national privacy law, a distinct departure from the copyright litigation that has until now dominated disputes over AI training data.
The joint investigation examined how OpenAI sourced training data from publicly accessible websites, licensed third-party sources and user interactions without valid consent. Regulators found that OpenAI collected vast amounts of personal information including data relating to children, sensitive political views and health conditions. They also identified inadequate transparency with users; no effective mechanism for individuals to access, correct, or delete their personal data; a failure to address known privacy risks before launch; and insufficient accountability for the personal information under OpenAI's control. The commissioner for British Columbia described the data collection as "widespread and indiscriminate."
OpenAI committed to a range of remedial measures, including implementing filtering tools to detect and mask personal information in datasets; improving data deletion and correction protocols; and adding notices to ChatGPT to inform users that their chats may be used for model training. The regulators concluded that because of these actions, sanctions were not warranted at this stage and no fines were imposed. Whilst the federal investigation is considered conditionally resolved, the British Columbia and Alberta investigations remain unresolved. OpenAI is required to report to the regulators quarterly until its remedial commitments are met.
This is not the first regulatory action against OpenAI on privacy grounds. Italy's data protection authority fined OpenAI 15 million euros in 2024, though that decision was reversed in March 2026. The principles at issue in both cases - consent, transparency and data subject rights - are common to the UK GDPR and EU GDPR. The Canadian regulators acknowledged that existing consent frameworks may be structurally difficult to reconcile with large-scale AI training, but stopped short of prescribing how the law should evolve. Until it does, organisations developing or procuring AI systems face a live and unresolved compliance question over how they source training data, establish a legal basis, and give effect to data subject rights.
On 19 June 2026, the “right to complain” under the DUAA comes into effect, marking a firm deadline date for organisations to implement a formal data protection complaints process.
We outlined the practical steps organisations should take to implement and operate a compliant internal complaints-handling process earlier this year.
We are also continuing to track the DUAA's commencement provisions and key compliance deadlines, alongside supporting guidance from the ICO, here.
The King's Speech of May 2026 (“Speech”) devoted just 19 of its approximately 1,400 words to cyber, but the framing of those words was deliberate. The Cyber Security and Resilience Bill was grouped alongside the Tackling State Threats Bill and the National Security Bill, a sequencing that signals a clear shift in how this Government is positioning cyber risk: no longer primarily as a regulatory or compliance matter, but as a question of national security.
The most concrete legal development announced was the reform of the Computer Misuse Act 1990 via the National Security Bill, marking the first significant overhaul of the Act in over 35 years. The proposed reforms include a new Cyber Crime Risk Order; expanded search and seizure powers; and a commitment to clarify the legal position of defensive security professionals conducting legitimate research activity. The National Crime Agency welcomed the announcement, with its Director General noting that the reforms would give law enforcement greater powers to deal with UK-based cyber criminals. Whether the reforms will extend to a statutory public interest defence for good-faith security research, a long-standing ask from the cyber industry, remains to be confirmed.
The Speech was notably silent on the Government's earlier consultation on legislative proposals to restrict ransomware payments, which included a proposed outright ban on public sector ransom payments. It is not yet clear whether those proposals will be revived or absorbed into forthcoming legislation.
The regulatory direction for organisations stays broadly as-is for now. The more significant development is the political weight behind it. Organisations should treat the national security framing as an indicator of the enforcement intensity ahead, and ensure that incident response plans, supply-chain assurance frameworks and any activity touching the Computer Misuse Act are reviewed in light of what is coming.
The ICO has fined South Staffordshire Plc and South Staffordshire Water Plc (together “South Staffordshire”) £963,900 following a 2020 phishing attack in which a threat actor gained administrator-level access to the company's systems and exfiltrated the personal data of over 630,000 customers and staff onto the dark web. The breach was not identified until July 2022. In a monetary penalty notice issued on 7 May 2026 detailing South Staffordshire's failures, the ICO found that the company had failed to implement the principle of least privilege; left critical systems unpatched; and was running Windows Server 2003, an operating system that had reached end-of-life in 2015.
The ICO calculated a baseline fine of approximately £2.2 million, reduced to £1.6 million in light of mitigating factors including post-incident remediation and victim support measures, which included a paid 12-month credit monitoring subscription and dedicated breach helplines. The final penalty of £963,900 reflected a further 40% reduction, in what appears to be the ICO’s first application of its tiered settlement discount. That discount is set out in the ICO's Draft Data Protection Enforcement Procedural Guidance, which has not yet been formally finalised and published, and which introduces a three-tier discount framework:
At every tier, the controller must accept the nature, scope and duration of the infringement, including its legal characterisation, and waive any right of appeal. The ICO's 40% ceiling is more generous than the equivalent ceilings applied by the FCA (30%) and Ofcom (30%).
For organisations assessing their position, two tensions are worth noting. The 40% tier requires full admissions before a Notice of Intent, at a point when many controllers will not yet have a complete picture of the breach or whether a penalty is inevitable at all. Controllers must therefore weigh the value of the discount against the risk of accepting liability before the facts are fully established. The further through the process a controller goes, the more it will have spent on representations and the less it saves on the fine. The framework arguably rewards those who move quickly and are well-prepared, but the decision to settle early is not without strategic risk.