This week’s Tech-law round-up

May 15, 2026
UK law

ICO fines South Staffordshire plc and South Staffordshire Water plc £963,900 following cyberattack and data breach

The Information Commissioner’s Office (ICO) has fined South Staffordshire plc and South Staffordshire Water plc £963,900. This follows a cyberattack and data breach which led to the personal information of 633,887 customers and employees being extracted and published on the dark web. The cyberattack started with a phishing email in 2020 and took place between May and July 2022.  It was not detected for nearly two years and showed how South Staffordshire failed to implement appropriate security controls required under UK data protection laws. The ICO and South Staffordshire have now agreed a voluntary settlement. During the investigation, South Staffordshire made an early admission of liability and, in accepting the ICO’s findings, has agreed to pay the penalty without appeal. The ICO applied a 40% reduction, bringing the final penalty to £963,900, in recognition of the efficiencies that the early admission brought to the investigation.  

Ofcom strengthens security reporting requirements for telecoms networks as threats grow

Ofcom has launched a consultation on proposed changes to its guidance for communications operators on reporting security incidents. Under the Telecoms Security Act, communications operators must protect their infrastructure and know what to do if a security compromise occurs, which can lead to service disruption. Incidents can have a wide range of causes, including cyber-attacks, major weather events and issues with technology. As malicious actors are becoming more sophisticated, geopolitical tensions are on the rise and environmental challenges are routine, Ofcom is proposing to update its guidance for industry. This aims to make sure that there is more clarity about what incidents need to be reported to Ofcom and that reports contain detailed and useful information. In turn, it will help Ofcom make sure that networks remain resilient and that it has a precise and consistent sector-level view of the security of critical national telecoms infrastructure. In particular, it is setting new, clearer reporting thresholds for mobile operators based on the number of customers and mobile masts that could be affected by an incident. In addition, as significant mobile service outages in the countryside tend to affect wider geographic areas with limited alternative coverage, it is introducing new criteria for reporting incidents affecting mobile sites in rural areas. As well as this, it intends to evolve how it makes sure that telecoms operators are complying with their other responsibilities under the Telecoms Security Act. This will include, for example, using a broader range of powers and focusing on specific security themes of concern. The consultation ends on 4 August 2026.

Ofcom fines online suicide forum £950,000

Ofcom has fined the provider of an online suicide forum £950,000 for not complying with duties under the Online Safety Act 2023 (OSA) to protect people in the UK from illegal content. The forum was reportedly linked with over 130 deaths in the UK and was the first service to be investigated by Ofcom under the OSA last year. Due to its nature, Ofcom has not named the forum or its provider. Ofcom has assessed extensive evidence and considered representations by the forum’s provider, as well as assessing the impact of the changes it has made to the service in response to the investigation.  Ofcom has concluded that the forum’s provider has failed, and continues to fail, to comply with its duties to assess and mitigate the risk of people in the UK encountering illegal content on its service. Consequently, it has imposed a financial penalty of £950,000 on the forum’s provider.  This reflects the serious and deliberate nature of the contraventions, and the risk of fatal harm to people in the UK posed by the content present on the service. It has also taken into account that the forum’s provider has made several changes to their service in apparent attempts to restrict access to people in the UK. The forum’s provider now has ten working days to take specific steps to come into compliance. Ofcom is preparing an application for a court order requiring internet service providers to block UK access to the site if its concerns are not fully addressed and there continues to be an ongoing breach. It will provide a further update, and publish the full version of today’s decision, in due course.

Ofcom investigates two porn sites under age-check rules

As well as the fine above, Ofcom has launched investigations into the providers of two pornography sites to determine their compliance with age-check rules under the OSA. Sites that host pornographic material must use “highly effective” age-checks to determine whether a particular user is over 18, to prevent children from readily accessing that content. Ofcom is investigating the providers of pimpbunny.com and kemono.cr. Its investigations will examine if there are reasonable grounds to believe that the providers have failed, or are failing, to comply with their duties under the OSA. Ofcom has prioritised action against these providers based on the risk of harm posed by the services they operate. It has taken particular account of their user numbers, including where it has seen significant increases in their user traffic since age-check laws came into force last summer.

Separately, it has published its provisional decision into fapello.com, setting out that it has reasonable grounds to believe the provider of the service is in breach of their duties under the OSA. Fapello can now make representations to Ofcom, which will be carefully considered before it reaches a final decision. And finally, Ofcom is announcing an expansion to its ongoing investigation into the provider of xgroovy to determine if it has also failed to adequately respond to Ofcom’s formal requests for information. Ofcom will provide an update on these investigations in due course.

UK government publishes response to smart data call for evidence

In the Modern Industrial Strategy, the UK government committed to examining how it could empower individuals by improving access to data in a way that supports innovation, competition and economic growth, while maintaining strong protections for customers, and carried out a call for evidence. It has now published its response. It says that the call for evidence has demonstrated that there are clear concerns regarding how effectively data portability works in digital markets. Respondents noted problems with the time it takes for UK GDPR portability requests to be addressed as well as with the formats in which data is provided. Firms also noted the risks involved in being satisfied that data portability requests are genuine. Several points were also made in relation to the inconsistent provision of APIs, particularly those developed to comply with the EU’s Digital Markets Act. Respondents also argued that addressing these concerns could support a range of promising business use cases including opportunities for data monetisation and donation and contextual AI services. There was a broad consensus that a Smart Data scheme could address these issues and that a scheme in digital markets would be beneficial for growth and individuals. However, there was less consensus on precisely what a scheme should look like. Responses highlighted the diverse and broad nature of digital markets. Unlike other broadly homogenous sectors where Smart Data schemes are envisioned, digital markets firms form a complex ecosystem offering complementary rather than necessarily equivalent products and services. This makes the question of the scope of any scheme particularly complex. Stakeholders also presented arguments in favour of a mandatory scheme, an “opt in” scheme or for an industry led approach. Any scheme in digital markets must be evidence-led, proportionate and designed to deliver meaningful benefits for businesses and individuals. As such, the government will consult shortly on these issues and the overall design of a digital markets scheme.

Court of Appeal considers another dispute over SEPs

In Acer v Nokia [2026] EWCA Civ 564, the Court of Appeal considered disputes over standard-essential patents (SEPs) and RAND licensing, focusing on whether English courts should determine licence terms or defer to arbitration where the patent owner (Nokia) offered an “adjustable” interim licence with final terms to be set by arbitration. The Court upheld jurisdiction of the English courts over the implementers’ (Acer/ASUS) claims but allowed Nokia’s appeal on case management, holding that Nokia’s adjustable licence offer constituted a valid offer of a RAND licence capable of acceptance. As a result, implementers who refuse such an offer may be treated as unwilling licensees and cannot insist on a court determination of RAND terms. The Court therefore stayed the proceedings, emphasising that offering arbitration as the mechanism for setting final licence terms can satisfy a SEP holder’s RAND obligations even without the implementer’s consent, provided the terms offered are objectively RAND and capable of acceptance.

IPO publishes 2026-27 Corporate Plan

The Intellectual Property Office has published its 2026-27 Corporate Plan, which describes its key activities and priorities for the coming year.  It focuses on digital transformation, strengthening the UK IP framework, supporting small and medium-sized enterprises, organisational development and the adoption of AI to improve operational efficiency and customer experience.

EU law

European Commission consults on draft guidelines for AI Act Article 50 transparency obligations

The European Commission is consulting on draft guidelines concerning the transparency obligations under the AI Act.  The guidelines clarify how the AI Act’s transparency requirements will apply from 2 August 2026, including obligations to inform individuals in the EU when they are interacting with AI systems or exposed to certain AI-generated or manipulated content. Under the AI Act, providers of AI systems will be required to inform users when they are interacting with AI and to implement machine-readable marking and detection mechanisms for AI-generated or manipulated content. Deployers, meanwhile, must disclose the use of deepfakes, AI-generated public-interest content and emotion recognition or biometric categorisation systems. The consultation ends on 3 June 2026.

BEUC says AI Omnibus risks creating dangerous regulatory loopholes and weakening consumer protection

BEUC (the European Consumer Organisation) has issued a statement in which it says it believes that the final AI omnibus creates a less safe digital environment for consumers as it delays key provisions in the AI Act and creates dangerous loopholes in the scope of the law. It says that the omnibus rolls back key consumer protections for uncontrolled processing of previously protected personal data while disproportionately expanding regulatory privileges to larger companies. BEUC says that it is good news that consumer-facing devices such as medical devices and toys stay within the scope of the AI Act but it is concerned that machinery is exempt from higher scrutiny. This weakens oversight of essential machines that power everyday life and put consumers at risk when they fail. BEUC is also concerned that the agreed omnibus allows for the EU to limit core AI Act obligations and exempt certain systems from its requirements at a later point through delegated acts. This could risk further deregulation in the future. Moving forward, BEUC calls on legislators to strengthen protections for special category data use for AI training in the Digital Omnibus, as the current safeguards in the AI Omnibus are simply not enough to prevent harm. It appreciates the shorter deadline for AI-generated content transparency requirements and the decision to keep obligations to register high-risk AI systems. However, it says that the reduced registration requirements will ultimately reduce transparency and weaken public oversight of AI systems placed on the market.

CJEU holds that Member States may provide for publishers of press publications to be entitled to fair remuneration when they allow online service providers to use those publications

In Meta Platforms Ireland (C-797/23), the Court of Justice of the EU held that EU law permits Member States to introduce mechanisms ensuring that press publishers receive fair remuneration for the online use of their publications, provided that this payment genuinely reflects consideration for granting authorisation and that publishers remain free to refuse or waive payment. The case arose from Meta’s challenge to Italian rules empowering the regulator (AGCOM) to set criteria for such remuneration and require platforms to negotiate with publishers, share relevant data and maintain content visibility during negotiations. The Court found these obligations compatible with the Digital Single Market Directive and fundamental rights, noting they may restrict platforms’ freedom to conduct a business but are justified and proportionate to achieving a fair and well‑functioning copyright market and addressing publishers’ weaker bargaining position. Overall, the framework was seen as striking a fair balance between business freedom, intellectual property protection, and media pluralism, subject to a final decision by the national court.

European Commission calls for evidence on Copyright in the Digital Single Market Directive

The European Commission has launched a call for evidence to support its review of Directive (EU) 2019/790 on copyright in the Digital Single Market. It seeks to collect the information necessary to support the review of the Directive, and to seek feedback on the challenges linked to the exercise of copyright and related rights in the context of technological developments and potential ways to address them. The call for evidence ends on 25 June 2026.