UK & Global Data Law in 2025: Case Review & Insights

Introduction

UK GDPR is not a choice - it is mandatory regulation of anyone working with personal data. How the courts interpret, expand, and ‘legislate’ provisions changes - and it is vital to understand what those changes are. This session provides an update on the main data cases from 2025 and what we can learn from them.

What You Will Learn

This live and interactive course will cover the following:

• Data Breaches, Security Failures & Remedies - Farley & Ors v Paymaster (1836) Limited (t/a Equiniti) [2025] - UK GDPR data breach litigation; scope of ‘processing’, no seriousness threshold for claims, and confirmation that proof of third-party access or distress is not required
• Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] - Cybersecurity and breach notification obligations under Australian privacy law; inadequate security, delayed breach assessment and notification, and per-individual counting of contraventions
• Ministry of Defence v Global Media and Entertainment Limited [2025] - Catastrophic government data breach; interaction between data protection, national security, open justice, freedom of expression, and super-injunctions
• Damages, Distress & Privacy as a Standalone Harm - Insurance Corporation of British Columbia v Ari [2025] - Statutory privacy torts; damages awarded for loss of privacy itself without proof of consequential loss, and the deterrent function of privacy damages
• Kurraba Group Pty Ltd & Smith v Williams [2025] - Australia’s new statutory tort for serious invasion of privacy; misuse of private information and grant of the first interlocutory injunction under the regime
• Jurisdiction, Territorial Scope & Extraterritorial Reach - Information Commissioner’s Office v Clearview AI Inc [2025] - Territorial and material scope of UK GDPR; facial recognition, web-scraping, and a broad interpretation of ‘behavioural monitoring’ under Article 3(2)(b) (enforcement action by the Information Commissioner’s Office)
• Green v United Kingdom [2025] - Article 8 ECHR privacy rights; limits of State responsibility for disclosures protected by parliamentary privilege and constitutional constraints on privacy protection
• Definition of Personal Data & Data Subject Rights - Ashley v HMRC [2025] - Subject access rights under UK GDPR Article 15; rejection of a ‘sufficient proximity’ test, broad interpretation of “personal data”, and requirement for organisation-wide searches
• EDPS v Single Resolution Board (SRB) - EU GDPR concepts of anonymisation vs pseudonymisation; personal data status depends on whether the controller has realistic means of re-identification
• Platform Liability, Controllers & Joint Controllers - X v Russmedia Digital SRL [2025] - Online platform liability under the GDPR; marketplace operators as controllers and joint controllers, with duties to prevent publication of advertisements containing sensitive personal data

Recording of live sessions: Soon after the Learn Live session has taken place you will be able to go back and access the recording - should you wish to revisit the material discussed.