Category: Privacy

Filming Strangers in Public for Social Media: Are UK Privacy Laws Keeping Pace? 

The growth of social media platforms such as YouTube, TikTok, Instagram and Snapchat has fundamentally changed the way people are photographed and filmed in public. What was once the preserve of professional photographers, journalists and documentary makers has become an everyday activity undertaken by millions of smartphone users. Increasingly, concerns are being raised about people filming strangers without consent and uploading those videos online for entertainment, influence and profit. 

In Episode 6 of the Guardians of Data podcast Ibrahim Hasan spoke with Naomi Mathews  about the legal, ethical and societal issues arising from this trend. The conversation highlighted a difficult reality: while many people feel uncomfortable about being filmed and uploaded to social media without their consent, there is no single law in the UK that directly prohibits such conduct. Instead, individuals (and content creators) must navigate a complex legal framework involving human rights law, data protection, criminal law and platform policies. 

The following is a summary of the podcast:

From the 1970s to TikTok: How Society Has Changed 

For those who grew up in the 1970s and 1980s, photography was a relatively deliberate activity. Cameras were expensive, photographs were limited and normally only shared with family and friends. If a photograph appeared in a newspaper, it would usually have been taken by a professional photographer or journalist. 

Today, nearly everyone carries a high-definition camera in their pocket. Videos can be recorded instantly and uploaded to a global audience within seconds. Social media platforms reward engagement, views and shares, creating powerful incentives for content creators to film members of the public, often without their knowledge. 

The emergence of so-called “street content”, “prank videos” and “nightlife content” has intensified concerns about privacy, dignity and consent. Individuals who have done nothing more than walk down a street, visit a restaurant or enjoy a night out can find themselves the subject of viral videos viewed by millions. 

Do People Have a Right to Privacy in Public? 

One of the most common misconceptions is that people have no privacy rights once they enter a public place; but the law is more nuanced than that. 

Article 8 of the European Convention on Human Rights, incorporated into UK law through the Human Rights Act 1998, protects the right to respect for private and family life. Although public spaces are generally considered less private than homes, the courts have repeatedly recognised that privacy rights can still exist in public settings. 

The leading case is Campbell v MGN Ltd [2004], involving the model Naomi Campbell. She was photographed in a public street while leaving a Narcotics Anonymous meeting. Despite being in a public place, the House of Lords held that she had a reasonable expectation of privacy regarding the sensitive information revealed by the photographs. Similarly, in Murray v Express Newspapers plc [2008], J.K. Rowling successfully argued that photographs of her young child taken in a public street engaged privacy rights. These cases confirmed that privacy is not solely determined by location but also by context. 

Through these cases and others, the courts have developed the tort of misuse of private information, allowing individuals to bring civil claims where private information has been disclosed without justification. However, each case requires a careful balancing exercise between privacy rights under Article 8 and freedom of expression under Article 10. 

Data Protection Law 

Many people are surprised to learn that filming an identifiable individual may engage the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Images and videos of identifiable people constitute personal data. Recording, storing, uploading and sharing such footage can amount to the processing of personal data. Where the UK GDPR applies, those carrying out the processing must have a lawful basis, comply with the data protection principles and respect individuals’ rights. 

However, the law contains important exemptions. The domestic purposes exemption means that filming for purely personal or household activities is generally outside the scope of the UK GDPR. The difficulty lies in determining where personal activity ends and commercial activity starts. A video shared with close family members is very different from content uploaded to a monetised YouTube channel with hundreds of thousands of subscribers. Once filming moves beyond personal use, data protection obligations will arise. 

The law also provides a journalism exemption. This exemption can apply not only to traditional media organisations but also to bloggers, citizen journalists and some social media creators, provided the material is published for journalistic purposes and in the public interest. However, the exemption is not unlimited and must be assessed on a case-by-case basis. 

The Manchester Nightlife Videos 

The legal and ethical tensions surrounding public filming became particularly visible following widespread media coverage of the “Manchester nightlife” videos

These videos involved women being filmed during nights out in Manchester city centre, with the footage subsequently uploaded to social media platforms where it attracted substantial audiences. Critics argued that the content objectified women, encouraged online harassment and generated profit from individuals who had never consented to being filmed. 

The controversy prompted police investigations and widespread public debate about whether existing laws adequately protect people from becoming unwilling participants in online content. 

Greater Manchester Police initially arrested an individual on suspicion of stalking and harassment. However, the investigation was later discontinued, with the police citing limitations within the current legislative framework. The outcome highlighted the gap between conduct that many regard as morally objectionable and conduct that is clearly unlawful. 

Criminal Law: Significant Gaps Remain 

While some forms of filming can constitute criminal offences, the criminal law remains limited in scope. The Protection from Harassment Act 1997 can apply where there is a course of conduct that causes alarm or distress. However, a single act of filming is unlikely to satisfy this threshold. 

Similarly, offences under the Sexual Offences Act 2003, including voyeurism, generally require specific elements to be proved. Historically, these provisions have been criticised for failing to keep pace with modern technology. 

Recent reforms have expanded protections against the sharing of intimate images without consent and introduced new offences targeting image-based abuse. Nevertheless, many forms of public filming remain outside the reach of criminal law. 

The challenge for lawmakers is identifying where legitimate filming ends and harmful conduct begins. Few would support criminalising all photography in public places. Equally, many people are uncomfortable with a world in which anyone can be filmed, uploaded and monetised without their knowledge.  

What Can Victims Do? 

Individuals who find themselves featured in unwanted online content have several options available. 

They can complain directly to the platform hosting the content and request removal. They may also raise complaints with the Information Commissioner’s Office where data protection concerns arise. 

In some cases, civil claims for misuse of private information or breaches of data protection law may be available. However, these remedies are often costly and time-consuming. Legal aid is generally unavailable, meaning individuals must fund litigation themselves. 

Law Reform 

The discussion ultimately highlighted a broader concern: the law has struggled to keep pace with technological change. This is particularly where women and girls are targeted. See for example, the Grok AI controversy and its impact on equality for women and girls. (This is covered in Episode 2of the Guardians of Data podcast.) 

Whether a new law is needed remains controversial. Any reform would need to balance two fundamental rights: freedom of expression and the right to privacy. Neither automatically overrides the other. 

Listen to the full Episode 6 with Naomi. 

Previous episodes of the Guardians of Data podcast have featured Jen Persson, a privacy campaigner, explaining the privacy implications of the Government’s new plans for children’s data and Tahir Latif discussing how to build responsible and ethical AI systems.  

New Podcast: Beyond GDPR – The Real Purpose of Data Protection 

“Think clarity of purpose. Find your why. Find the reason that you’re doing what you do. It just puts fire in my belly every day knowing that I have such a clarity of purpose.” 

Emma Martins, Former Data Protection Commissioner for Guernsey 

Episode 10 of the Guardians of Data Podcast is out now. It is a fascinating and deeply human conversation with one of the most thoughtful voices in the world of privacy and information governance.  

Emma Martins served as Data Protection Commissioner for the Bailiwick of Guernsey for over a decade. In our conversation, Emma reminds us that data protection is about far more than compliance checklists, privacy notices, or subject access requests.
At its core, data protection is about people, power, democracy and human dignity. 

We explore the historical roots of data protection law, including the lessons Europe learned from surveillance and authoritarianism after World War Two, and why those lessons matter now more than ever in the age of AI, predictive policing, algorithmic bias, and mass data collection. 

Emma also shares her reflections on: 

  • The need for data protection professionals need to reconnect with their “why” 
  • The importance of diversity, curiosity, and collaboration in the IG profession 
  • And how we can all move from being seen as blockers to becoming trusted cultural leaders inside our organisations 

This is not a conversation about technology or the minutiae of data protection law; it’s a conversation about humanity and why we are here as data protection professionals.  

Listen on your preferred platform via our podcast page, or download the episode directly.

Emma also shared her recommended books and films/dramas about privacy, AI and data protection. You can find these in the episode show notes.

This podcast is sponsored by Phaselaw – a purpose-built solution for document disclosures, like subject access requests and FOI requests. Instead of redacting PDFs one by one, or forcing litigation software to do a job it wasn’t designed for, with Phaselaw you get collection, review, and redaction in one workflow. Teams across the World are using it to cut response times from weeks to days. 

For Guardians of Data listeners, Phaselaw is offering a two-month free trial; run it on live requests, see what it does to your backlog, decide from there. No card, no commitment. 

Head to https://www.phase.law/guardians to claim your free trial.  

Previous episodes of the Guardians of Data podcast have featured Tahir Latif talking about responsible AI deployment, Jen Persson, a privacy campaigner, explaining the privacy implications of the Government’s new plans for children’s data, Naomi Mathews and Ibrahim Hasan explaining the law on filming people in public for social media and Olu Odeniyi analysing recent cyber breaches and discussing the lessons learnt.

What Recent Cyber Attacks Can Teach Us About Cyber Resilience

Cyber security incidents have become a regular feature of the news cycle.
From attacks on major retailers to breaches affecting public bodies and critical infrastructure, organisations of all sizes are facing increasing threats from cyber criminals. 

In Episode 4of the Guardians of Data podcast  Ibrahim Hasan spoke with Olu Odeniyi about cyber security through the lens of the recent cyberattacks on major UK retailers. They explored how businesses can build resilience and trust in the face of growing threats, the future of cyber security and practical tips for all of us to stay ahead of the hackers.  The following is an abridged transcript of the podcast: 

Cyber threats are becoming more sophisticated

Cyber criminals are constantly adapting their methods. While ransomware remains a major threat, organisations are also facing attacks involving artificial intelligence, supply chain vulnerabilities, compromised Internet of Things devices and even
state-sponsored actors.  

One of the most significant developments is the increasing use of AI by criminals. Generative AI can create convincing phishing emails, impersonate trusted individuals and help less skilled attackers launch sophisticated campaigns. In the past, poorly written emails were often a warning sign of fraud. Today, AI can produce polished and convincing communications that are much harder to identify as malicious. At the same time, defenders are using AI to improve detection, automate routine tasks and strengthen security monitoring.  

The growing risk of social engineering 

Many recent cyber attacks have not relied on advanced technical exploits.
Instead, attackers have targeted people. Social engineering remains one of the most effective methods of gaining access to systems. Criminals impersonate trusted individuals, helpdesk staff or suppliers to persuade employees to reveal information, reset passwords or approve access requests. 

The attack on Marks & Spencer reportedly involved attackers posing as IT support personnel to trick individuals into resetting credentials and disabling security controls. Once inside the network, attackers were able to move through systems and cause significant disruption. 

This highlights an important point. Technology alone cannot prevent cyber attacks. Security depends on people, processes and technology working together. 

Supply chain attacks are a growing concern

Modern organisations rely heavily on suppliers, contractors and service providers. While this brings efficiency and specialist expertise, it also creates additional cyber risk. Supply chain attacks occur when criminals compromise a third party in order to gain access to their target. Rather than attacking a large organisation directly, attackers often look for weaker points elsewhere in the supply chain. 

The recent retail attacks demonstrate how interconnected organisations have become. Even businesses with mature security programmes can be affected if a trusted supplier is compromised. This means organisations must look beyond their own systems and assess the security of the wider ecosystem they depend upon. 

Why resilience matters

One of the key themes from the discussion was resilience. No organisation can eliminate cyber risk completely. The question is not whether an attack will occur, but how well prepared an organisation is to respond. 

The Co-op’s response to a recent attack illustrates this point. Having experienced previous incidents, the organisation had invested in preparation and incident response planning. This enabled it to detect suspicious activity quickly and take action to limit the damage. 

Early detection is critical. The sooner an attack is identified, the sooner organisations can activate response plans and contain the threat. Cyber resilience means understanding risks, preparing for incidents and ensuring the business can continue operating when problems occur.

Multi-factor authentication is essential but not enough

Multi-factor authentication (MFA) remains one of the most effective security controls available. However, not all forms of MFA provide the same level of protection. 
Many organisations rely on simple push notifications sent to mobile devices.
Attackers have learned how to exploit this through what is known as MFA fatigue.
In these attacks, criminals repeatedly trigger authentication requests in the hope that a user will eventually approve one by mistake. 

Organisations should therefore consider stronger authentication methods, particularly for privileged accounts. Hardware security keys and passkeys offer significantly greater protection and are more resistant to phishing attacks. 

Security controls should be based on risk, with the strongest protections applied to accounts that could cause the most damage if compromised. 

Privileged accounts remain a prime target

Attackers often focus on obtaining privileged or administrator-level access. 
Once criminals gain control of these accounts, they can access sensitive information, disable security tools and move freely through systems. This was highlighted in the discussion of recent retail breaches, where attackers reportedly sought to obtain elevated access after gaining an initial foothold. 

Organisations should ensure privileged access is tightly controlled, regularly reviewed and granted only when necessary. The principle of least privilege remains one of the most effective ways of reducing risk. 

Observability and monitoring are becoming critical

A recurring challenge in cyber security is that many organisations do not realise they have been compromised until weeks or even months after the initial breach. During that time, attackers can explore systems, steal information and establish persistence. Improved monitoring and observability can help organisation identify unusual behaviour more quickly. Understanding what normal activity looks like makes it easier to spot anomalies that could indicate an attack. The ability to detect threats early can significantly reduce the impact of an incident. 

What can individuals do?

Cyber security is not solely an organisational responsibility. Individuals also play an important role in protecting their personal information. Some practical steps include: 

* Using strong and unique passwords for every account. 

* Using a password manager to store credentials securely. 

* Enabling multi-factor authentication wherever possible. 

* Using passkeys where supported. 

* Avoiding the reuse of passwords across different services. 

* Being cautious about the information shared online. 

* Monitoring accounts following any reported data breach. 

Criminals frequently combine information gathered from different sources to make scams appear more convincing. Limiting the amount of personal information available online can reduce this risk. 

The recent wave of cyber-attacks offers several important lessons: 

1. Treat cyber security as a board-level responsibility. 

2. Strengthen supply chain security and vendor oversight. 

3. Invest in incident response planning and regular testing. 

4. Adopt stronger forms of multi-factor authentication. 

5. Limit privileged access and apply the principle of least privilege. 

6. Improve monitoring and threat detection capabilities. 

7. Provide regular staff awareness training focused on social engineering. 

8. Build resilience so the organisation can continue operating during an incident. 

The cyber threat landscape is unlikely to become simpler. The combination of increasing digitalisation, AI-driven attacks, global interconnectivity and geopolitical tensions means organisations will continue to face growing challenges. At the same time, regulation and governance requirements are likely to increase as governments seek to improve cyber resilience across both the public and private sectors. The organisations that succeed will be those that treat cyber security as a business issue rather than simply an IT issue. 

Listen to the full Episode 4with Olu.  

Previous episodes of the Guardians of Data podcast have featured Jen Persson, a privacy campaigner, explaining the privacy implications of the Government’s new plans for children’s data and Tahir Latif discussing how to build responsible and ethical AI systems.

The Grok AI Controversy and what it teaches us about AI and Equality

In Episode 2of the Guardians of Data podcast  Ibrahim Hasan spoke with Lynn Wyeth, an AI and data protection expert, about the Grok controversy and what it means for AI governance and equality. The following is an abridged transcript of the podcast: 

What is Grok and what triggered this controversy? 

Grok is the AI companion built into X, Elon Musk’s social media platform. It’s been around since late 2023 as a competitor to ChatGPT; a chatbot designed to give
real-time, unfiltered responses with, in Musk’s words, a “rebellious” tone. 

The controversy began in May 2025 when users prompted Grok to alter photos of real women into sexualised images. By late 2025 it had escalated dramatically; users simply replied to public photos with requests like “put her in a bikini,” and Grok posted the generated images directly to X, publicly and instantly. Estimates suggest it produced around 4.4 million images in nine days, with 41 to 65 per cent sexualised. Worryingly, some of those images involved children. 

What made Grok’s situation different from other AI tools? 

The crucial difference is that Grok published the images as the answer, live on the internet, with no human review and no filter. With ChatGPT and similar tools, the user has to export and manually share what’s been generated. Grok skipped that step entirely. There was no sanity check; no moment where a person could pause and think, “maybe not.” 

It also reflects Musk’s “free speech” philosophy. What’s acceptable to him clearly isn’t what’s acceptable to many others, and the platform’s algorithm appears to amplify certain content regardless of whether it’s truly neutral. 

Is this a technology failure, a governance failure, or a regulatory gap? 

All three. Technology moved faster than the safeguards. Governance failed because proper Data Protection Impact Assessments weren’t done or weren’t done honestly. And the legislation simply hasn’t kept pace. GDPR tried to modernise privacy law, but along comes AI updating on a daily basis. How can legislation possibly keep up? Our regulators, particularly in the UK, have also been disappointingly toothless; plenty of investigations and bland statements, very little meaningful action. 

What are the GDPR issues the ICO will be examining? 

The key question is whether AI-generated imagery of a real, identifiable person constitutes personal data. Almost certainly yes. After that, it’s about lawful basis; what legal justification does xAI have for generating and publishing these images? Consent? Definitely not. Legitimate interests? Possibly claimed, but has the balancing test actually been done? I doubt it. 

More interesting for me is GDPR’s principle one. The requirement that processing be not just lawful, but fair and transparent. Even if xAI constructed a technical legal argument, is this what people expect when they post a photo? Is it fair? That’s where ethics enters data protection, and the ICO will have some very difficult arguments to navigate. 

What about the legal gaps around deepfakes specifically? 

Currently in the UK, sharing a non-consensual intimate deepfake is illegal but creating one isn’t. The government is working to close that through the Crime and Policing Bill and the Data Use and Access Act, making the creation or requesting of such images an offence too. 

But definitions will matter enormously. What counts as “intimate”? What’s the threshold between causing upset and causing real harm? There’s a phrase I saw recently, “lawful but awful content”, which captures the problem perfectly.
Sometimes something can be technically legal and still completely unacceptable.
We need clear definitions, so people know their rights, and so the police aren’t swamped with every complaint about every post. 

(More on the legal issues of filming and uploading images in episode 6 with Naomi Mathews.) 

Is this fundamentally a women’s equality issue? 

It’s hard to see it as anything else. The overwhelming majority of victims were women and girls. The images were sexualised, non-consensual, and designed to humiliate.
And when Musk himself was subjected to similar images, he laughed. That tells you everything about the power imbalance at the heart of this. 

Lynn Wyeth is clear that this isn’t new: “It’s just a continuation of decades of the same.” The tabloid page-three culture of the seventies and eighties, the racism and misogyny peddled to sell newspapers; the medium has changed but the dynamic hasn’t. Now it’s clickbait and likes instead of print runs, but the underlying impulse to commodify and demean women remains. And what’s particularly troubling about Grok is that it industrialised that harm; turning what once required effort and skill into something anyone could do with a single reply. 

The Equality Act 2010 protects women from harassment and discrimination, and human rights law guarantees dignity and private life. But as the government’s own language around the Online Safety Act and the Violence Against Women and Girls strategy makes clear, those protections have consistently failed to keep pace online. When a platform can generate 4.4 million sexualised images in nine days, a significant proportion of them of women who never consented, and face no immediate legal consequence, the gap between the law on paper and the protection it delivers in practice is stark. 

This is why the framing matters. Grok isn’t just a data protection problem or a tech governance problem. It’s a discrimination problem. Any serious regulatory response needs to treat it as such. 

Should organisations be reconsidering their presence on X? 

Every organisation has to make that call for itself. Some have left e.g. Belfast City Council, and Sport England. There are still good people on X, and for many organisations it remains a vital communications tool. But you do have to ask: when does staying cross your ethical red line? When does it compromise your values? That’s a board-level conversation, and it needs to happen. 

What are the practical lessons for organisations deploying AI? 

Do your homework before you roll it out. Think about where it could go wrong. And do a proper DPIA; not a tick-box exercise, but an honest assessment of both the legal and ethical risks. The classic failure pattern is the tech team deploying something and then asking information governance to sign it off. By then it’s too late. Governance has to be embedded at the start.  

AI oversight also can’t sit in one team. It needs technology, legal, data protection, and board-level leadership all working together. How many boards genuinely understand what AI is and how it works? Not enough. Someone needs to be educating them, because if the organisation is going to make decisions about AI, leadership needs to understand what they’re deciding. 

More on making AI ethical in Episode 7 with Tahir Latif.  

Has AI lost its way? 

No. The genie is out of the bottle. You can’t put it back, and regulation alone won’t change that. AI will save lives, save time, and deliver real value. It will also cause harm if it’s deployed carelessly and regulated too slowly. 

The responsibility doesn’t start when harm occurs. It starts at design, at deployment, and at the moment decisions are made about what a system should and shouldn’t be allowed to do. 

The question isn’t whether to use AI. It’s whether we’re serious about using it well. 

Listen to the full Episode 2 with Lynn.  

Previous episodes of the Guardians of Data podcast have featured Jen Persson, a privacy campaigner, explaining the privacy implications of the Government’s new plans for children’s data and Olu Odeniyi analysing recent cyber breaches and discussing the lessons learnt.

New Podcast: The Government’s Plans For Our Children’s Data

“I think privacy is often given a bad name. We talk about it in abstract terms; we should abandon thinking about it in that way. What you do to my data, you do to me. There is no real distinction anymore between our online life and our offline life. So whatever you know about me through my digital footprint, you know about my real life.” 

Jen Persson, Director of Defend Digital Me 

Children today are growing up in a world where almost everything they do leaves a data trail. From the apps they use, to the schools they attend and the healthcare they receive; data is being collected, analysed and increasingly connected and shared.
But at what cost? 

Recent initiatives from the UK Government, such as the Schools White Paper and the Children’s Wellbeing and Schools Act 2026, have major implications for children’s privacy; from age verification to plans for a “Data Spine” to link information across the public sector.  

In our latest Guardians of Data podcast, we analyse the Government’s plans for our children’s data, discuss children’s privacy in the internet age and the role Big Tech is playing in the collection storage and analysis of all our data.  We ask if the government is simply trying to do a better job of protecting children or if it is quietly building a surveillance system which will impact all of us. 

Our guest is Jen Persson, Director of Defend Digital Me,  a not-for- profit organisation that advocates for children’s privacy and digital rights in UK education and the wider public sector. Jen said: 

“Everybody wants to keep children safe… I think the important thing in the Children’s Wellbeing and Schools [Act], is that there is so much going through it that is untested and unevidenced. So some of our work has been to analyse that as it went through Parliament. For example, the single unique identifier is only part of the data aspects of the [Act], but it’s very vague and there’s been very little explanation in writing or in Parliament.” 

Listen on your preferred platform via our podcast page, or download the episode directly.

This podcast is sponsored by Phaselaw – a purpose-built solution for document disclosures, like subject access requests and FOI requests. Instead of redacting PDFs one by one, or forcing litigation software to do a job it wasn’t designed for, with Phaselaw you get collection, review, and redaction in one workflow. Teams across the world are using it to cut response times from weeks to days. 

For Guardians of Data listeners, Phaselaw is offering a two-month free trial; run it on live requests, see what it does to your backlog, decide from there. No card, no commitment. 

Head to https://www.phase.law/guardians to claim your free trial.  

Previous episodes of the Guardians of Data podcast have featured Tahir Latif talking about responsible AI deployment, Naomi Mathews and Ibrahim Hasan explaining the law on filming people in public for social media, Maurice Frenkel looking back at 20 years of the Freedom of Information Act and Olu Odeniyi analysing recent cyber breaches and discussing the lessons learnt.

New Podcast: Building Trustworthy and Responsible AI Systems

“Information governance professionals are the bedrock for deploying good governance of AI. We need to be there at the start of the actual thinking process.” 

Tahir Latif, Global Practice Lead for Data Privacy & Responsible AI at Cognizant 

The last two years has seen a massive increase in AI deployment. Previously the domain of Science Fiction, AI is now everywhere – in our workplaces, our personal lives, and in the systems that shape society. From healthcare to security and law enforcement. But alongside the opportunities, there are some big risks: including lack of accuracy and transparency as well as bias and discrimination. 

In this episode, we dive into one of the biggest questions of our time: How do we build trustworthy and responsible AI systems? 

To help us answer this question, we are joined by someone who is right at the heart of the conversation. Tahir Latif is a distinguished expert on building responsible and transparent AI systems. He is the Global Practice Lead for Data Privacy & Responsible AI at Cognizant, one of the largest global professional services companies. Tahir has led complex privacy and AI programmes across multiple industry sectors both in the UK and globally. He is also the Chief AI and Governance Officer and board member at the Ethical AI Alliance, a not for profit body which promotes ethical standards in AI development. Tahir is the co-author of Data Privacy – A Practical Handbook on Governance and Operation.

In this conversation, we explore how to cut through the complexity of ethical AI, what the future holds, and most importantly, what practical steps IG professionals can take to succeed in this new landscape. 

Listen on your preferred platform via our podcast page, or download the episode directly.

This podcast is sponsored by Phaselaw – a purpose-built solution for document disclosures, like subject access requests and FOI requests. Instead of redacting PDFs one by one, or forcing litigation software to do a job it wasn’t designed for, with Phaselaw you get collection, review, and redaction in one workflow. Teams across the World are using it to cut response times from weeks to days. 

For Guardians of Data listeners, Phaselaw is offering a two-month free trial; run it on live requests, see what it does to your backlog, decide from there. No card, no commitment. 

Head to https://www.phase.law/guardians to claim your free trial.  

Previous episodes of the Guardians of Data podcast have featured  Naomi Mathews and Ibrahim Hasan explaining the law on filming people in public for social media, Maurice Frenkel looking back at 20 years of the Freedom of Information Act, Olu Odeniyi analysing recent cyber breaches and discussing the lessons to learn and Raz Edwards talking about how to succeed as an IG leader. 

Could Children’s Use of Social Media be Banned in the UK?

Some argue that the primary goal of social media is no longer genuine connection, but the maximisation of user engagement for commercial gain. Platforms generate vast revenues by delivering highly targeted, personalised advertising, incentivising designs that keep users scrolling for longer. With the rise of AI, this content stream has become even more relentless, often amplified by manipulative or overly flattering language that encourages continuous interaction. 

Unsurprisingly, many parents are concerned about their children’s use of social media. Endless scrolling and exposure to videos featuring mindless pranks or viral challenges can have negative effects on both mental and physical health. Increasingly, attention is turning to the platforms themselves: critics suggest that their design may not only encourage excessive use, but also contribute to addiction, anxiety and other forms of harm. 

The US Court Case  

On 25th March 2026, a jury in Los Angeles delivered a damning verdict on two of the world’s most popular social media platforms. It ruled that Instagram and You Tube were deliberately designed to be addictive and consequently their parent companies have been negligent in failing to safeguard their child users. Meta and Google, owners of Instagram and YouTube, must now pay $6m (£4.5m) in damages to “Kaley”, the young woman who was the plaintiff (claimant) in this case. Her lawyers argued that the design of Instagram and YouTube caused her to be addicted to the social media platforms. This addiction impacted her mental health during childhood leaving her with body dysmorphia, depression and suicidal thoughts.  

The judgement has sent shockwaves through tech companies worldwide, not just in Silicon Valley. One tech company insider, who asked not to be identified, told the BBC, “we’re having a moment”. Even the Royal Family chimed in. In a statement, the Duke and Duchess of Sussex said: “This verdict is a reckoning. For too long, families have paid the price for platforms built with total disregard for the children they reach.”   

Both companies vigorously defended the claim and intend to appeal the judgement. Meta maintains that a single platform cannot be solely responsible for a user’s mental health crisis. Google, meanwhile, argues that YouTube is not a social network. 

English Law 

Could such a claim succeed in this country? The tort of negligence provides the best hope for claimants who allege harm from social media use subject to the elements of the tort (duty of care, breach, causation and foreseeability) being satisfied. There is growing recognition in UK law that online platforms may owe a duty of care to users, particularly if the users are children. And the harms of over use of social media  are well documented. However causation is likely to be the most difficult hurdle for claimants in the UK. To succeed, a claimant must prove that a platform’s design caused or materially contributed to the harm they suffered through their use of social media. This is a difficult hurdle when it comes to social media. Psychological harm rarely has a single identifiable cause. Social media companies are likely to argue that their platforms are only one of the many factors which can contribute to an individual’s mental health; alongside family environment, school experiences, pre-existing vulnerabilities and offline relationships to name a few.  

Could social media platforms be treated as “defective products” under the Consumer Protection Act 1987 (CPA)  which carries strict liability for harm? Products, under the CPA, are traditionally understood as tangible goods, not the likes of YouTube and Instagram. It is arguable though that social media platforms are not just intermediaries but “manufacturers” of digital environments, making them liable for defects in algorithms or addictive design. The Law Commission is currently reviewing the CPA to determine if it is fit for the digital age, with a focus on artificial intelligence, software and online platforms. The review, which began in September 2025, may lead to expanded liability for online platforms and software providers. 

It is worth noting that the US case was decided by a jury. In the UK civil cases, particularly those involving negligence, are decided by judges. Juries may be influenced by emotional arguments, whereas judges are trained to apply the law strictly and are less susceptible to being swayed by emotion at the expense of legal principles. 

Despite the issues around causation, a legal action in negligence is probably the best option for aggrieved social media users in the UK; although the lack of Legal Aid and the UK courts restrictive approach to class actions mean a test case would require significant upfront funding. Perhaps insurers, emboldened by the US Judgement, may now be more willing to cover the costs of such a test case.  

Regulating Social Media 

Unlike the US, the UK has moved toward statutory regulation rather than litigation as the primary means of controlling social media harms. 

Since the passage of the Online Safety Act in 2023 (OSA), social media companies and search engines have a duty to ensure their services aren’t used for illegal activity or to promote illegal content, with particular protections for children. The communications regulator, Ofcom, has been tasked with implementing the OSA and can fine infringing companies of up to £18 million, or 10% of their global revenue (whichever is greater). Last month, it published guidance on how platforms must protect children. Furthermore, since platforms are processing users’ personal data, they have to comply with the UK GDPR. The Data (Use and Access) Act 2025, which mainly came into force in February, explicitly requires those who provide an online service that is likely to be used by children, to take their needs into account when deciding how to use their personal data.   

Even before the US judgement, many countries had been considering whether, to regulate social media further and/or ban children from using it. Australia has banned it and others, like France and Denmark, have introduced or are planning to introduce tighter rules. 

The UK government is currently carrying out a consultation to consider whether additional measures are required to keep children safe in the online world. This includes setting a minimum age for children to access social media, restricting risky functionalities and design features that encourage excessive use, such as infinite scrolling and autoplay, whether the digital age of consent should be raised, whether the guidance on the use of mobile phones in schools should be put on a statutory footing and better support for parents, including clearer guidance and simpler parental controls. The consultation ends on 26th May, and the government will respond before the end of July. Alongside the consultation, the government is running a pilot scheme which will see 300 teenagers have their social media apps disabled entirely, blocked overnight or capped to one hour’s use – with some also seeing no such changes at all – in order to compare their experiences. Children and parents involved in the pilot will be interviewed before and after to assess its impact. 

Meanwhile, on 27th March 2026, the government published national guidance that urges parents to strictly limit screen exposure in early years over health and development risks. The new recommendations advise that there should be no screen exposure for children under two except for shared activities. For those aged two to five, usage should be capped at one hour per day, with additional guidance to avoid screens at mealtimes and before bed. 

Parliament is also debating the use of social media platforms by children but remains divided on what action to take. In March, during a debate on the Children’s Wellbeing and Schools Bill, the House of Lords supported a proposal to ban under-16s in the UK from social media platforms. It is the second time peers have defeated the government over the proposal. There is now a standoff between the Commons and the Lords. Whatever happens the verdict in the California court has signalled a rising public expectation for more aggressive regulation of social media platforms. 

Listen to the Guardians of Data Podcast for the latest news and views on data protection, cyber security, AI and freedom of information.   

This and other developments relating to children’s data will be covered forthcoming workshop, Working with Children’s Data.

New Podcast: Filming the Public for Social Media

Act Now is pleased to bring you episode 6 of the Guardians of Data podcast.  

Think about the last time you walked down a busy street, sat in a pub, or queued for a train. Now imagine that moment, completely ordinary to you, being filmed by a stranger, uploaded to TikTok or YouTube and watched by millions. 
Maybe it’s monetised; maybe it’s mocked. One thing is for sure though, it never disappears. 

Filming people in public has now become second nature for some. But what happens when those images are shared, edited and turned into social media content? Can you stop someone filming you in public? What rights do you have when the footage is published? 

In this episode, we are joined by Naomi Mathews, a lawyer who specialises in Data Protection, Freedom of Information and Surveillance Law. Naomi helps us explore what the law actually says about filming people in public; where it falls short and how that affects real people who find themselves turned into content without consent. We’ll also ask the harder questions about ethics, power and whether the UK needs a new law to better protect the public. 

Download and listen here, or on your preferred podcast app. Available on Apple Podcasts, Spotify, and all major podcast platforms. 

Previous episodes of the Guardians of Data podcast have featured Jon Baines, reflecting on his career as a Data Protection Specialist and the hot issues in information governance,  Lynn Wyeth discussing the recent controversy around Grok AI, Maurice Frenkel looking back at 20 years of the Freedom of Information Act, Olu Odeniyi analysing recent cyber breaches and discussing the lessons to learn and Raz Edwards talking about how to succeed as an IG leader.

ICO Focus on Children’s Data Processing 

In February we wrote about the Information Commissioner’s Office (ICO) issuing fines under the UK GDPR to two social media companies. Reddit was fined £14.47 million and MediaLab (owner of Imgur) was fined £247,590 for failing to implement age‑assurance measures and for processing children’s personal data in a way that potentially exposed them to harmful content. 

Safeguarding children’s privacy is a key enforcement priority for the ICO. The ICO’s investigation into TikTok (opened in March 2025) is still ongoing. It is considering how the platform uses personal data of 13-17 year-olds in the UK to make recommendations to them and deliver suggested content to their feeds. This is in the light of growing concerns about social media and video sharing platforms using data generated by children’s online activity in their recommender systems, which could lead to them being served inappropriate or harmful content. The ICO is also investigating 17 other platforms including Discord, Pinterest, and X, and has been in discussions with Meta and Snapchat over how they use children’s location data in their user map features.  

Safeguarding children’s privacy is also a duty of the ICO under the Online Safety Act, alongside Ofcom. Last week the ICO published an open letter to social media and video‑sharing platforms operating in the UK, calling on them to strengthen age assurance measures so young children cannot access services that are not designed for them. The letter sets out the ICO’s expectations about measures that platforms with a minimum age must implement, beyond relying on children to self-declare their ages (which they can easily bypass).  Instead, platforms should make use of the viable technology that is now readily available to enforce their own minimum ages and prevent these children from accessing their services. The ICO has also written directly to platforms, starting with TikTok, Snapchat, Facebook, Instagram, YouTube and X to ask them to demonstrate how their age assurance measures meet the ICO’s expectations.  

The Data (Use and Access) Act 2025, most of which came in to force earlier this month, explicitly requires those who provide an online service that is likely to be used by children, to take their needs into account when deciding how to use their personal data.  

Listen to the Guardians of Data Podcast for the latest news and views on data protection, cyber security, AI and freedom of information.  

This and other developments relating to children’s data will be covered forthcoming workshop, Working with Children’s Data.

AI Transcription Tools in Social Work Under Scrutiny 

Anyone remember Dragon Dictate? The first versions of this voice transcription software required users to spend hours training it (usually wearing a headset) by repeating stock phrases many times over. Even after full training, the transcription output was far from accurate. How technology has moved on, especially in the last few years, with the proliferation of AI. 

AI powered transcription software has been rapidly adopted by public sector organisations especially in local authority social work departments. Tools, like Magic Notes and Microsoft Copilot, are used by social workers to record conversations with children and families (e.g. interviews or assessments), transcribe spoken audio into text and generate summaries automatically. These “ambient scribes” listen in real-time or process recordings, reducing the need for manual notetaking; thus allowing professionals to focus on interactions rather than documentation. However the use of such tools, especially in sensitive contexts like social work, is not without risks as was highlighted by a recent report.  

Ada Lovelace Institute Report 

On 11th February 2026, the Ada Lovelace Institute published a report titled “Scribe and prejudice? Exploring the use of AI transcription tools in social care.” The report explored the dynamics of adoption and the impacts of AI transcription tools in adult and children’s social care across 17 local authorities in England and Scotland. Based on interviews with frontline social workers and managers, it highlighted serious risks that should be addressed by users.  

These include, amongst others: 

AI “Hallucinations”: The AI sometimes generates false information that wasn’t said in the recorded conversation. A prominent example involved an AI-generated summary incorrectly stating that a child had expressed suicidal ideation. This kind of error is especially dangerous in child protection or mental health contexts, where it could trigger unnecessary interventions or lead to flawed decisions about care. 

Gibberish, misrepresentations, and other errors: AI generated transcripts have included nonsense phrases, misspelled names, incorrect speaker attributions (especially in multi-person conversations), fabricated statements, irrelevant or foul language insertions and overly formal or academic wording that doesn’t reflect normal social work language. 

Bias and Harmful Stereotyping: Some outputs have reportedly promoted stereotypes or biased perceptions of individuals that weren’t present in the original recording. 

These issues echo broader AI concerns but of course are more serious in the context of social work records. Inaccuracies entering official care records could lead to incorrect decisions about a child’s safety, family support, or adult care; potentially resulting in harm to vulnerable people, professional consequences for social workers or even legal liability. 

Social workers generally bear full responsibility for reviewing and approving these AI outputs (the “human in the loop” safeguard), but practices vary widely according to the report. Some social workers spend minutes checking AI output whilst others spend hours. The report questions how effective this is in high-pressure frontline environments. There is also concern that over-reliance on summarisation features could erode professional judgment and the nuanced, interpretive nature of social work documentation. 

The report notes that in early 2025, one AI transcription tool was already in active use by 85 local authorities for social care. But the Ada Lovelace Institute criticises the “limited and light-touch” approaches to ethics, evaluation, testing, regulation, and risk mitigation so far. It has called for more robust safeguards, better guidance and thorough evaluation before wider use. 

Recommendations 

To ensure the safe and responsible use of AI transcription tools, the Institute urged the government to require local authorities to document their use of such tools through the ‘Algorithmic Transparency Reporting Standard.’ 

It also recommended that social care regulators and local authorities collaborate with relevant sector bodies to develop guidance on using AI transcription tools in statutory processes and formal proceedings, supported by clear accountability structures. 

The Institute added that: ‘To enable end-to-end accountability, regulators and professional bodies should review and revise rules and guidance on professional ethics for social workers and support social workers to collaborate with legal and advisory bodies around procedures for AI use in formal proceedings. An advisory board comprised of people with lived experience of drawing on care should be established to inform these actions.’ 

Further recommendations include: 

  • The UK government should extend its pilots of AI transcription tools to include various locations and public sector contexts. 
  • The UK government should set up a What Works Centre for AI in Public Services to generate and synthesise learnings from pilots and evaluations. 
  • A coalition of researchers, policymakers, civil society and community groups should collaborate on research on the systemic impacts of AI transcription tools. 
  • Local authorities should specify their outcomes and expected impact when procuring AI transcription tools to ensure a shared understanding among staff and users. 

The UK GDPR Angle 

The use of AI powered transcription software will involve processing highly sensitive personal data, including audio recordings and derived transcripts/summaries of conversations involving vulnerable individuals. This triggers UK GDPR obligations, with heightened risks due to the sensitive nature of the data and potential for harm if errors occur. 

Local authorities and social care providers should integrate UK GDPR compliance into procurement, deployment, and ongoing use of AI transcription software. Key practical steps include: 

  • Conduct a DPIA:  Before rollout or expansion, complete a Data Protection Impact Assessment to assess all the risks (e.g., hallucinations affecting accuracy, bias in diverse accents/dialects, unauthorised access). Update DPIAs for new tools or features. Involve the organisation’s Data Protection Officer from the outset. 
  • Choose compliant tools and vendors: Prioritise tools with strong data protection (e.g. UK-hosted data, no unnecessary retention, robust security). Review vendor DPIAs, processor agreements, and compliance certifications.  
  • Establish clear consent and transparency processes: Inform service users upfront about recording, AI involvement, and data use (via privacy notices or verbal explanation). Document decisions and allow opt-outs where appropriate. 
  • Implement strong human oversight and review: Mandate thorough checks of all AI outputs before approving records. Train staff to detect inaccuracies, bias, or inappropriate content. Flag AI-generated sections (e.g. via watermarks or metadata) for transparency and future audits. 
  • Secure data handling and contracts: Use encrypted recording/uploading, limit data shared with tools and delete audio promptly after transcription. Ensure processor contracts (Article 28) specify UK GDPR compliance, audit rights and breach notification. 
  • Monitor, audit and train: Regularly audit tool use and outputs for compliance. Provide targeted training on UK GDPR risks (e.g. accuracy, breaches, bias). Track incidents (e.g. hallucinations) and report serious ones as breaches if required. 
  • Define boundaries for use: Establish consensus on when AI transcription is appropriate (or unacceptable).  

AI transcription offers clear benefits for reducing paperwork and freeing up social workers’ time for direct care. However, strong governance measures must be taken to avoid dangerous inaccuracies slipping into official records, and the potential for biased or harmful decisions. 

Listen to the Guardians of Data Podcast for the latest news and views on data protection, cyber security, AI and freedom of information. 

If you need to train your staff on responsible use of AI please get in touch to discuss our customised in house training. The following public courses may also interest you: 

AI and Information Governance:  A one day workshop examining the key data protection and IG issues when deploying AI solutions.  

AI Governance Practitioner Certificate training programme: A four day course providing a practical overview of how AI systems are developed, deployed, and regulated, with particular attention to risk, bias, and accountability.