The Grok AI Controversy and what it teaches us about AI and Equality

In Episode 2 of the Guardians of Data podcast, Ibrahim Hasan spoke with Lynn Wyeth, an AI and data protection expert, about the Grok controversy and what it means for AI governance and equality. The following is an abridged transcript of the podcast:

What is Grok and what triggered this controversy? 

Grok is the AI companion built into X, Elon Musk’s social media platform. It’s been around since late 2023 as a competitor to ChatGPT; a chatbot designed to give real-time, unfiltered responses with, in Musk’s words, a “rebellious” tone.

The controversy began in May 2025 when users prompted Grok to alter photos of real women into sexualised images. By late 2025 it had escalated dramatically; users simply replied to public photos with requests like “put her in a bikini,” and Grok posted the generated images directly to X, publicly and instantly. Estimates suggest it produced around 4.4 million images in nine days, with 41 to 65 per cent sexualised. Worryingly, some of those images involved children. 

What made Grok’s situation different from other AI tools? 

The crucial difference is that Grok published the images as the answer, live on the internet, with no human review and no filter. With ChatGPT and similar tools, the user has to export and manually share what’s been generated. Grok skipped that step entirely. There was no sanity check; no moment where a person could pause and think, “maybe not.” 

It also reflects Musk’s “free speech” philosophy. What’s acceptable to him clearly isn’t what’s acceptable to many others, and the platform’s algorithm appears to amplify certain content regardless of whether it’s truly neutral. 

Is this a technology failure, a governance failure, or a regulatory gap? 

All three. Technology moved faster than the safeguards. Governance failed because proper Data Protection Impact Assessments weren’t done or weren’t done honestly. And the legislation simply hasn’t kept pace. GDPR tried to modernise privacy law, but along comes AI updating on a daily basis. How can legislation possibly keep up? Our regulators, particularly in the UK, have also been disappointingly toothless; plenty of investigations and bland statements, very little meaningful action. 

What are the GDPR issues the ICO will be examining? 

The key question is whether AI-generated imagery of a real, identifiable person constitutes personal data. Almost certainly yes. After that, it’s about lawful basis; what legal justification does xAI have for generating and publishing these images? Consent? Definitely not. Legitimate interests? Possibly claimed, but has the balancing test actually been done? I doubt it. 

More interesting for me is GDPR’s principle one. The requirement that processing be not just lawful, but fair and transparent. Even if xAI constructed a technical legal argument, is this what people expect when they post a photo? Is it fair? That’s where ethics enters data protection, and the ICO will have some very difficult arguments to navigate. 

What about the legal gaps around deepfakes specifically? 

Currently in the UK, sharing a non-consensual intimate deepfake is illegal but creating one isn’t. The government is working to close that through the Crime and Policing Bill and the Data Use and Access Act, making the creation or requesting of such images an offence too. 

But definitions will matter enormously. What counts as “intimate”? What’s the threshold between causing upset and causing real harm? There’s a phrase I saw recently, “lawful but awful content”, which captures the problem perfectly. Sometimes something can be technically legal and still completely unacceptable. We need clear definitions, so people know their rights, and so the police aren’t swamped with every complaint about every post.

(More on the legal issues of filming and uploading images in episode 6 with Naomi Mathews.) 

Is this fundamentally a women’s equality issue? 

It’s hard to see it as anything else. The overwhelming majority of victims were women and girls. The images were sexualised, non-consensual, and designed to humiliate. And when Musk himself was subjected to similar images, he laughed. That tells you everything about the power imbalance at the heart of this.

Lynn Wyeth is clear that this isn’t new: “It’s just a continuation of decades of the same.” The tabloid page-three culture of the seventies and eighties, the racism and misogyny peddled to sell newspapers; the medium has changed but the dynamic hasn’t. Now it’s clickbait and likes instead of print runs, but the underlying impulse to commodify and demean women remains. And what’s particularly troubling about Grok is that it industrialised that harm; turning what once required effort and skill into something anyone could do with a single reply. 

The Equality Act 2010 protects women from harassment and discrimination, and human rights law guarantees dignity and private life. But as the government’s own language around the Online Safety Act and the Violence Against Women and Girls strategy makes clear, those protections have consistently failed to keep pace online. When a platform can generate 4.4 million sexualised images in nine days, a significant proportion of them of women who never consented, and face no immediate legal consequence, the gap between the law on paper and the protection it delivers in practice is stark. 

This is why the framing matters. Grok isn’t just a data protection problem or a tech governance problem. It’s a discrimination problem. Any serious regulatory response needs to treat it as such. 

Should organisations be reconsidering their presence on X? 

Every organisation has to make that call for itself. Some have left, e.g. Belfast City Council and Sport England. There are still good people on X, and for many organisations it remains a vital communications tool. But you do have to ask: when does staying cross your ethical red line? When does it compromise your values? That’s a board-level conversation, and it needs to happen.

What are the practical lessons for organisations deploying AI? 

Do your homework before you roll it out. Think about where it could go wrong. And do a proper DPIA; not a tick-box exercise, but an honest assessment of both the legal and ethical risks. The classic failure pattern is the tech team deploying something and then asking information governance to sign it off. By then it’s too late. Governance has to be embedded at the start.  

AI oversight also can’t sit in one team. It needs technology, legal, data protection, and board-level leadership all working together. How many boards genuinely understand what AI is and how it works? Not enough. Someone needs to be educating them, because if the organisation is going to make decisions about AI, leadership needs to understand what they’re deciding. 

More on making AI ethical in Episode 7 with Tahir Latif.  

Has AI lost its way? 

No. The genie is out of the bottle. You can’t put it back, and regulation alone won’t change that. AI will save lives, save time, and deliver real value. It will also cause harm if it’s deployed carelessly and regulated too slowly. 

The responsibility doesn’t start when harm occurs. It starts at design, at deployment, and at the moment decisions are made about what a system should and shouldn’t be allowed to do. 

The question isn’t whether to use AI. It’s whether we’re serious about using it well. 

Listen to the full Episode 2 with Lynn.  

Previous episodes of the Guardians of Data podcast have featured Jen Persson, a privacy campaigner, explaining the privacy implications of the Government’s new plans for children’s data and Olu Odeniyi analysing recent cyber breaches and discussing the lessons learnt.

Act Now Wins IRMS Supplier of the Year Award 2026

Act Now Training is proud to announce that it has won the Information and Records Management Society (IRMS) Supplier of the Year award for 2026. The aim of the award is “to recognise suppliers in the IG/IM/RM world that go above and beyond normal expectations of customer service.”  The awards ceremony took place on Monday night at the IRMS Conference in Cardiff. 

This is the fourth time in six years that Act Now Training has won this award. Ibrahim Hasan said:  

“We would like to thank all our colleagues in the IG profession who voted for us. The award recognises our education-led approach and our commitment to providing measurable training that develops participants’ IG skills, competencies and behaviours.”

It has been another fantastic 12 months for Act Now Training. Notable achievements include: 

Launching the Guardians of Data Podcast 

The new Guardians of Data Podcast has proved extremely popular with the IG profession. It’s a show which explores the world of information law and information governance; from privacy and AI to cybersecurity and freedom of information. In each episode we speak to experts and practitioners to unpack the big issues shaping the IG profession.

Previous episodes have featured Tahir Latif talking about responsible AI deployment, Naomi Mathews and Ibrahim Hasan explaining the law on filming people in public for social media, Maurice Frenkel looking back at 20 years of the Freedom of Information Act and Olu Odeniyi analysing recent cyber breaches and discussing the lessons learnt.

Building the AI Skillset  

Act Now launched the AI Governance Practitioner Certificate with the aim of helping data protection professionals to play a leading role in addressing the legal and ethical dilemmas posed by emerging AI as well as position themselves as forward-thinking leaders who can bridge the gap between law, ethics, and technology. The course has been extremely well received by the profession.

Revising the Advanced GDPR certificate  

Since its launch in 2020, Act Now’s  Advanced Certificate in GDPR Practice has attracted hundreds of DPOs from across the public and private sectors. Feedback has been consistently positive with many participants commenting on how the course has given them the confidence and skills to be able to dissect complex data protection scenarios and give clear and practical compliance advice. This year the syllabus has been revised to reflect advances in technology, especially in AI, and the latest ICO/Tribunal decisions. The assessment method for this course has also been revised to help develop participants’ communication skills. 

Delivering New Workshops  

Act Now has continued to provide relevant and cost effective IG workshops during rapidly changing times for the IG community. Our programme has been expanded to include practical advice on topical issues such as the Data (Use and Access) Act, Data Breach Management and Children’s Data. 

New Podcast: The Government’s Plans For Our Children’s Data

“I think privacy is often given a bad name. We talk about it in abstract terms; we should abandon thinking about it in that way. What you do to my data, you do to me. There is no real distinction anymore between our online life and our offline life. So whatever you know about me through my digital footprint, you know about my real life.” 

Jen Persson, Director of Defend Digital Me 

Children today are growing up in a world where almost everything they do leaves a data trail. From the apps they use, to the schools they attend and the healthcare they receive; data is being collected, analysed and increasingly connected and shared. But at what cost?

Recent initiatives from the UK Government, such as the Schools White Paper and the Children’s Wellbeing and Schools Act 2026, have major implications for children’s privacy; from age verification to plans for a “Data Spine” to link information across the public sector.  

In our latest Guardians of Data podcast, we analyse the Government’s plans for our children’s data, discuss children’s privacy in the internet age and the role Big Tech is playing in the collection, storage and analysis of all our data. We ask if the government is simply trying to do a better job of protecting children or if it is quietly building a surveillance system which will impact all of us.

Our guest is Jen Persson, Director of Defend Digital Me, a not-for-profit organisation that advocates for children’s privacy and digital rights in UK education and the wider public sector. Jen said:

“Everybody wants to keep children safe… I think the important thing in the Children’s Wellbeing and Schools [Act], is that there is so much going through it that is untested and unevidenced. So some of our work has been to analyse that as it went through Parliament. For example, the single unique identifier is only part of the data aspects of the [Act], but it’s very vague and there’s been very little explanation in writing or in Parliament.” 

Listen on your preferred platform via our podcast page, or download the episode directly.

This podcast is sponsored by Phaselaw – a purpose-built solution for document disclosures, like subject access requests and FOI requests. Instead of redacting PDFs one by one, or forcing litigation software to do a job it wasn’t designed for, with Phaselaw you get collection, review, and redaction in one workflow. Teams across the world are using it to cut response times from weeks to days. 

For Guardians of Data listeners, Phaselaw is offering a two-month free trial; run it on live requests, see what it does to your backlog, decide from there. No card, no commitment. 

Head to https://www.phase.law/guardians to claim your free trial.  

Previous episodes of the Guardians of Data podcast have featured Tahir Latif talking about responsible AI deployment, Naomi Mathews and Ibrahim Hasan explaining the law on filming people in public for social media, Maurice Frenkel looking back at 20 years of the Freedom of Information Act and Olu Odeniyi analysing recent cyber breaches and discussing the lessons learnt.

Water Company Fined Almost £1 Million Following Cyber Attack  

The ICO has issued its third GDPR fine of 2026. It has fined South Staffordshire Plc and South Staffordshire Water Plc  £963,900 after a cyber-attack resulted in the personal data of 633,887 people being extracted and published on the dark web.  

As with many cyber-attacks, it started with a phishing email. The recipient opened an attachment which enabled the attacker to install malicious software which remained undetected within the company’s systems for 20 months. Then, in May 2022, the hacker moved through the network and compromised domain administrator privileges, the highest level of system access to the IT network.  

The company reported a personal data breach to the ICO on 24 July 2022. Then, on 26 July 2022, South Staffordshire discovered a ransom note that the hacker had unsuccessfully attempted to distribute to certain members of staff. Between August and November 2022, South Staffordshire detected that over 4.1 terabytes of data had been published on the dark web.  

The breach resulted in the personal data of 633,887 people being subsequently published on the dark web in August 2022. This included personal details and HR information of employees as well as customer account information (including username and password for South Staffordshire Water online services) and bank account number and sort code.  

The ICO investigation found that South Staffordshire failed to implement appropriate security controls required under the UK GDPR. These failures included:  

  • Limited controls enabled the attacker to escalate to administrator privileges after gaining an initial foothold on the network.  
  • Inadequate monitoring and logging – only 5% of the IT environment was being monitored, meaning malicious activity was not detected.  
  • Use of obsolete, unsupported software on some devices, including Windows Server 2003.  
  • Inadequate vulnerability management, including unpatched critical systems and the absence of regular internal or external security scans.  

The ICO applied a 40% reduction to the original proposed penalty “in recognition of the efficiencies that South Staffordshire’s early admission brought to the investigation.”

This is the first ICO fine for a cyber-attack since November last year when it fined password manager provider, LastPass UK Ltd, £1.2 million following a 2022 data breach that compromised the personal data of up to 1.6 million UK users. Prior to that the ICO issued a £14m fine to Capita. This followed a cyber-attack in March 2023 which saw hackers gain access to 6.6 million people’s personal data; from pension and staff records to the details of customers of organisations Capita supports.  

The ICO is urging organisations to review their cyber resilience and ask themselves:  

  • Are controls in place so that users and systems can only access what they genuinely need?  
  • Are logging and monitoring controls in place providing sufficient coverage of the IT environment, and are alerts being acted upon?  
  • Are all systems patched and supported? Legacy or end-of-life software represents a significant and avoidable risk.  
  • Is vulnerability management part of regular operational practice, including both internal and external scanning?  

In episode 4 of the Guardians of Data Podcast, cyber security expert Olu Odeniyi reviews recent high profile cyber security breaches and the lessons learnt.

Our Cyber Security for DPOs workshop is ideal for organisations who wish to upskill their employees about cyber security. See also our new Data Breach Management Workshop.

The Information Commissioner Steps Aside (Temporarily)  

Five days ago, the Information Commissioner, John Edwards, posted on LinkedIn: 

“Colleagues and friends!👋🏻 I wanted to let you know that for the last few weeks I have voluntarily stepped aside from my duties at the ICO while an independent investigation into HR matters is undertaken. I am fully cooperating and engaged with the investigation and will report progress in due course.” 

Paul Arnold, CEO of the new (but not yet functioning) Information Commission, has assumed the role of Acting Information Commissioner.   

Edwards’ announcement has come as a surprise to ICO watchers. It was only issued after a POLITICO journalist made enquiries to the ICO regarding Edwards’ work absence. Until then there was silence; not what you would expect from a statutory regulator in the area of, amongst other things, openness and transparency.

Listen to the Guardians of Data Podcast for the latest news and views on data protection, cyber security, AI and freedom of information. 

New Podcast: Building Trustworthy and Responsible AI Systems

“Information governance professionals are the bedrock for deploying good governance of AI. We need to be there at the start of the actual thinking process.” 

Tahir Latif, Global Practice Lead for Data Privacy & Responsible AI at Cognizant 

The last two years have seen a massive increase in AI deployment. Previously the domain of science fiction, AI is now everywhere – in our workplaces, our personal lives, and in the systems that shape society, from healthcare to security and law enforcement. But alongside the opportunities, there are some big risks, including lack of accuracy and transparency as well as bias and discrimination.

In this episode, we dive into one of the biggest questions of our time: How do we build trustworthy and responsible AI systems? 

To help us answer this question, we are joined by someone who is right at the heart of the conversation. Tahir Latif is a distinguished expert on building responsible and transparent AI systems. He is the Global Practice Lead for Data Privacy & Responsible AI at Cognizant, one of the largest global professional services companies. Tahir has led complex privacy and AI programmes across multiple industry sectors both in the UK and globally. He is also the Chief AI and Governance Officer and board member at the Ethical AI Alliance, a not for profit body which promotes ethical standards in AI development. Tahir is the co-author of Data Privacy – A Practical Handbook on Governance and Operation.

In this conversation, we explore how to cut through the complexity of ethical AI, what the future holds, and most importantly, what practical steps IG professionals can take to succeed in this new landscape. 

Listen on your preferred platform via our podcast page, or download the episode directly.

Previous episodes of the Guardians of Data podcast have featured  Naomi Mathews and Ibrahim Hasan explaining the law on filming people in public for social media, Maurice Frenkel looking back at 20 years of the Freedom of Information Act, Olu Odeniyi analysing recent cyber breaches and discussing the lessons to learn and Raz Edwards talking about how to succeed as an IG leader. 

How to Succeed in Information Governance

Seasoned IG professionals offer invaluable advice, having tackled data protection hurdles and shaped best practices over years in the field. By listening to their journeys, new IG professionals can better prepare themselves to face tomorrow’s IG challenges with confidence. 

In Episode 1 of the Guardians of Data podcast our guest was Jon Baines who is a senior data protection specialist at Mishcon de Reya LLP, a law firm where he advises on complex data protection and freedom of information matters. Jon isn’t a lawyer in the traditional sense, yet he has been listed in Legal 500 as a rising star in the data protection, privacy and cybersecurity category. Jon is also the long standing chair of the National Association of Data Protection and Freedom of Information Officers.  

In the podcast, our conversation ranges widely and goes into Jon’s route to the law, what sort of work a non-lawyer like Jon gets involved in at a law firm, whether young professionals need to or should qualify as solicitors in order to develop a career in information law, some of the specialisms and the history of Mishcon de Reya LLP, and developments of data protection in the age of AI.

The following is an abridged version of the podcast focusing on Jon’s advice to IG professionals.  

Question: You’ve proved that you don’t need to be a lawyer to work at the cutting edge of information law. What skills or perspectives can non-lawyers bring that make them particularly valuable in this field? 

Answer: Critical thinking. I’m a big advocate for seeing both sides. I nearly always, when I approach a task or an instruction, think “if I were advising the other side, what would I be doing?” Because I think it’s really important that you don’t just see the positives on your side; that ability to see across the issue and be able to challenge yourself is important. And that’s part of critical thinking.  

In a lot of data protection matters, it’s important to remember that a data subject is all of us effectively; we are all data subjects. Data protection is about a fundamental right, let’s call it the right to respect for our personal information and a limited right to control that information. So a certain amount of empathy is important.  

It’s also important to understand how commerce works; data protection law doesn’t exist in a vacuum. As I say, it’s about us; it’s about our information. It’s also about how that information operates and can be used within a commercial world, a business world, a public service world. We don’t have a complete right to privacy, let alone privacy of our information. It’s a qualified right. So I think an understanding of business and understanding that business needs data in order to operate is important.

What is your advice for those who are new to the IG profession? 

I think one of the biggest skills you need is being able to be across the whole organisation that you work for. So don’t work in a silo. Your role might be part of Legal etc. but make sure that you get out and learn about your organisation. Make sure that people know who you are. It’s old fashioned internal networking, I guess. 

How should IG professionals position themselves to add value to AI projects?

Well, it kind of makes me think of the old Data Protection Impact Assessment or prior to GDPR, when we called them privacy impact assessments. It’s not much use being part of that sort of project if you’re only brought in at the last moment. The whole idea of risk assessment is to assess in advance. So it’s important for IG professionals to remind those setting up AI projects that their input is needed from the start; indeed, even before a decision is taken to initiate a project. There are going to be few AI projects that will not involve data protection, in some way or another, or that don’t have the potential to do so in the future. So I think it’s as simple as that really. Try and make sure you’ve got your foot in the door at the start, because it’s going to be very difficult to do your job if you’re brought in at the last moment. 

If you could go back and give your younger self one piece of career advice, what would it be? 

I would probably tell myself that, just in the years after graduation, time goes quite quickly. And whilst I wouldn’t ever want to put pressure on my younger self, I think I would want to tell my younger self to “pull your socks up” a bit and start doing this sort of thing earlier. I think I drifted for a number of years and, as I get older, I increasingly find myself in this role of elder sage and telling young people, don’t waste time; it goes so quickly. 

How useful is NADPO in terms of professional development? 

NADPO is a venerable institution. It’s been going since 1993. We’re an association of information law professionals and by that I mean there are DPOs, there are FOI officers, there are lawyers, there are some journalist members, academics etc. So everyone is welcome. We exist to support the profession by providing an opportunity to learn from experts (whilst we don’t do direct training). So for a payment of, what’s rather an eccentric, membership fee of £130 for two years, you get to attend our in-person events, which includes our annual conference where we have seven or eight expert speakers talking on various areas of information law. We also have monthly webinars and a range of other member benefits. I’m very keen that NADPO is for its members. So I love it when members come to me with ideas for speakers or offers. Like I say, it’s open to anyone who’s working in or really interested in the area of data protection, FOI and IG.  

You can listen to the full Episode 1 podcast with Jon here.  

More valuable careers advice in Episode 5 where our guest is Raz Edwards, Head of Data Security and Protection at Wolverhampton NHS Trust. In our conversation, Raz shares her journey into Information Governance, the challenges she’s faced and overcome as an IG leader, her advice for both new starters and seasoned professionals and her perspective on the future of the profession.  She also reflects on what she’s learned through her tribunal role and what it takes to succeed as an IG leader. 

Could Children’s Use of Social Media be Banned in the UK?

Some argue that the primary goal of social media is no longer genuine connection, but the maximisation of user engagement for commercial gain. Platforms generate vast revenues by delivering highly targeted, personalised advertising, incentivising designs that keep users scrolling for longer. With the rise of AI, this content stream has become even more relentless, often amplified by manipulative or overly flattering language that encourages continuous interaction. 

Unsurprisingly, many parents are concerned about their children’s use of social media. Endless scrolling and exposure to videos featuring mindless pranks or viral challenges can have negative effects on both mental and physical health. Increasingly, attention is turning to the platforms themselves: critics suggest that their design may not only encourage excessive use, but also contribute to addiction, anxiety and other forms of harm. 

The US Court Case  

On 25th March 2026, a jury in Los Angeles delivered a damning verdict on two of the world’s most popular social media platforms. It ruled that Instagram and YouTube were deliberately designed to be addictive and consequently their parent companies have been negligent in failing to safeguard their child users. Meta and Google, owners of Instagram and YouTube, must now pay $6m (£4.5m) in damages to “Kaley”, the young woman who was the plaintiff (claimant) in this case. Her lawyers argued that the design of Instagram and YouTube caused her to be addicted to the social media platforms. This addiction impacted her mental health during childhood, leaving her with body dysmorphia, depression and suicidal thoughts.

The judgement has sent shockwaves through tech companies worldwide, not just in Silicon Valley. One tech company insider, who asked not to be identified, told the BBC, “we’re having a moment”. Even the Royal Family chimed in. In a statement, the Duke and Duchess of Sussex said: “This verdict is a reckoning. For too long, families have paid the price for platforms built with total disregard for the children they reach.”   

Both companies vigorously defended the claim and intend to appeal the judgement. Meta maintains that a single platform cannot be solely responsible for a user’s mental health crisis. Google, meanwhile, argues that YouTube is not a social network. 

English Law 

Could such a claim succeed in this country? The tort of negligence provides the best hope for claimants who allege harm from social media use, subject to the elements of the tort (duty of care, breach, causation and foreseeability) being satisfied. There is growing recognition in UK law that online platforms may owe a duty of care to users, particularly if the users are children. And the harms of overuse of social media are well documented. However, causation is likely to be the most difficult hurdle for claimants in the UK. To succeed, a claimant must prove that a platform’s design caused or materially contributed to the harm they suffered through their use of social media. This is a difficult hurdle when it comes to social media. Psychological harm rarely has a single identifiable cause. Social media companies are likely to argue that their platforms are only one of the many factors which can contribute to an individual’s mental health; alongside family environment, school experiences, pre-existing vulnerabilities and offline relationships to name a few.

Could social media platforms be treated as “defective products” under the Consumer Protection Act 1987 (CPA)  which carries strict liability for harm? Products, under the CPA, are traditionally understood as tangible goods, not the likes of YouTube and Instagram. It is arguable though that social media platforms are not just intermediaries but “manufacturers” of digital environments, making them liable for defects in algorithms or addictive design. The Law Commission is currently reviewing the CPA to determine if it is fit for the digital age, with a focus on artificial intelligence, software and online platforms. The review, which began in September 2025, may lead to expanded liability for online platforms and software providers. 

It is worth noting that the US case was decided by a jury. In the UK, civil cases, particularly those involving negligence, are decided by judges. Juries may be influenced by emotional arguments, whereas judges are trained to apply the law strictly and are less susceptible to being swayed by emotion at the expense of legal principles.

Despite the issues around causation, a legal action in negligence is probably the best option for aggrieved social media users in the UK, although the lack of Legal Aid and the UK courts’ restrictive approach to class actions mean a test case would require significant upfront funding. Perhaps insurers, emboldened by the US judgement, may now be more willing to cover the costs of such a test case.

Regulating Social Media 

Unlike the US, the UK has moved toward statutory regulation rather than litigation as the primary means of controlling social media harms. 

Since the passage of the Online Safety Act in 2023 (OSA), social media companies and search engines have a duty to ensure their services aren’t used for illegal activity or to promote illegal content, with particular protections for children. The communications regulator, Ofcom, has been tasked with implementing the OSA and can fine infringing companies up to £18 million, or 10% of their global revenue (whichever is greater). Last month, it published guidance on how platforms must protect children. Furthermore, since platforms are processing users’ personal data, they have to comply with the UK GDPR. The Data (Use and Access) Act 2025, which mainly came into force in February, explicitly requires those who provide an online service that is likely to be used by children to take their needs into account when deciding how to use their personal data.

Even before the US judgement, many countries had been considering whether to regulate social media further and/or ban children from using it. Australia has banned it and others, like France and Denmark, have introduced or are planning to introduce tighter rules.

The UK government is currently carrying out a consultation to consider whether additional measures are required to keep children safe in the online world. This includes setting a minimum age for children to access social media; restricting risky functionalities and design features that encourage excessive use, such as infinite scrolling and autoplay; whether the digital age of consent should be raised; whether the guidance on the use of mobile phones in schools should be put on a statutory footing; and better support for parents, including clearer guidance and simpler parental controls. The consultation ends on 26th May, and the government will respond before the end of July. Alongside the consultation, the government is running a pilot scheme which will see 300 teenagers have their social media apps disabled entirely, blocked overnight or capped to one hour’s use (with some also seeing no such changes at all) in order to compare their experiences. Children and parents involved in the pilot will be interviewed before and after to assess its impact.

Meanwhile, on 27th March 2026, the government published national guidance that urges parents to strictly limit screen exposure in early years over health and development risks. The new recommendations advise that there should be no screen exposure for children under two except for shared activities. For those aged two to five, usage should be capped at one hour per day, with additional guidance to avoid screens at mealtimes and before bed. 

Parliament is also debating the use of social media platforms by children but remains divided on what action to take. In March, during a debate on the Children’s Wellbeing and Schools Bill, the House of Lords supported a proposal to ban under-16s in the UK from social media platforms. It is the second time peers have defeated the government over the proposal. There is now a standoff between the Commons and the Lords. Whatever happens, the verdict in the California court has signalled a rising public expectation for more aggressive regulation of social media platforms.

Listen to the Guardians of Data Podcast for the latest news and views on data protection, cyber security, AI and freedom of information.   

This and other developments relating to children’s data will be covered in our forthcoming workshop, Working with Children’s Data.

New Podcast: Filming the Public for Social Media

Act Now is pleased to bring you episode 6 of the Guardians of Data podcast.  

Think about the last time you walked down a busy street, sat in a pub, or queued for a train. Now imagine that moment, completely ordinary to you, being filmed by a stranger, uploaded to TikTok or YouTube and watched by millions. 
Maybe it’s monetised; maybe it’s mocked. One thing is for sure though, it never disappears. 

Filming people in public has now become second nature for some. But what happens when those images are shared, edited and turned into social media content? Can you stop someone filming you in public? What rights do you have when the footage is published? 

In this episode, we are joined by Naomi Mathews, a lawyer who specialises in Data Protection, Freedom of Information and Surveillance Law. Naomi helps us explore what the law actually says about filming people in public, where it falls short and how that affects real people who find themselves turned into content without consent. We’ll also ask the harder questions about ethics, power and whether the UK needs a new law to better protect the public.

Download and listen here, or on your preferred podcast app. Available on Apple Podcasts, Spotify, and all major podcast platforms. 

Previous episodes of the Guardians of Data podcast have featured Jon Baines, reflecting on his career as a Data Protection Specialist and the hot issues in information governance; Lynn Wyeth, discussing the recent controversy around Grok AI; Maurice Frenkel, looking back at 20 years of the Freedom of Information Act; Olu Odeniyi, analysing recent cyber breaches and discussing the lessons to learn; and Raz Edwards, talking about how to succeed as an IG leader.

The Right to Erasure and Unfounded Malicious Allegations

The Victims and Prisoners Act 2024 (Commencement No. 10) and Data (Use and Access) Act 2025 (Commencement No. 8) Regulations 2026 bring into force an important change to Article 17 of the UK GDPR (the right to erasure).

In 2023, Stella Creasy MP was subjected to a social services investigation after a man complained to Leicestershire Police that the MP’s children should be taken into care due to her “extreme views”. The Labour MP told Today on BBC Radio 4 that the complaint was made because the man disagreed with her campaign against misogyny. 

Waltham Forest Council launched an investigation, as it was legally required to do, following a referral from Leicestershire Police. But despite Ms Creasy being cleared, the council said it was legally prevented from removing the man’s complaint from its records. 

The MP then tabled an amendment to the Victims and Prisoners Bill, which was going through Parliament. This was enacted as section 31 of the Victims and Prisoners Act 2024. Section 31 inserts a new Article 17(1)(g) into the UK GDPR. It extends the grounds upon which a data subject has a right to erasure to cases of unfounded malicious allegations where:
 
“the personal data have been processed as a result of an allegation about the data subject- 

(i) which was made by a person who is a malicious person in relation to the data subject (whether they became such a person before or after the allegation was made),

(ii) which has been investigated by the controller, and 

(iii) in relation to which the controller has decided that no further action is to be taken” 
 
New Article 17(4) of the UK GDPR defines a “malicious person” as one who has been convicted of a specified offence or who is subject to a stalking protection order. 

At the same time, the 2026 order also commenced paragraph 32 of Schedule 11 of the Data (Use and Access) Act 2025, which extends the same provisions to Scotland and Northern Ireland. 

This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop.