Authors
Dominyka Norkute
Trainee
London
Introduction
In 2025, privacy cases in the UK courts gave rise to some wrinkled brows. These included a judgment that consent to a cookie banner may be invalid depending on the subjective state of mind of the user and a Court of Appeal decision rejecting the notion that data protection claims are subject to a “threshold of seriousness”, allowing compensation for non-material damage such as distress or fear of misuse.
However, we also saw some common-sense rulings, including helpful clarity around data subject access requests and the scope of exemptions that use the “significant prejudice” language, as well as confirmation that information that is disclosed orally is still personal data if it is read and retrieved from a file.
As with our previous round-ups in 2021, 2022, 2023, and 2024, in this edition we provide an overview of some of the most notable cases from 2025, alongside key takeaways.
January
RTM v. Bonne Terre Ltd and Hestview Ltd [2025] EWHC 111 (KB)
This case concerned a data protection claim brought by a recovering gambling addict against an online gambling operator. The claimant alleged that the operator unlawfully processed his personal data over several years by tracking, profiling, and targeting him with personalised marketing, which exacerbated his gambling addiction.
The claimant had gambled with this operator for almost a decade, losing substantial sums of money. As part of his recovery, he made data subject access requests to the operator and related third parties, which revealed the scale and granularity of the data collected about him. The disclosures showed that the operator had hundreds of data points on him, supplemented by extensive third-party data, and had used this information to construct behavioural and “propensity” models designed to predict and influence his gambling behaviour through targeted marketing.
The operator argued that much of this data processing was justified by its “safer gambling” obligations and, in any event, was carried out on the basis of the claimant’s consent. The High Court rejected that position. While safer gambling objectives may justify certain data collection, they do not legitimise the reuse of the same data for personalised marketing. The court also found that the operator continued to market to customers displaying markers of harm unless they crossed a high internal threshold for “suppression”, with financial triggers set unrealistically high.
A central issue was whether the claimant had given valid consent under the UK General Data Protection Regulation (UK GDPR). The court emphasised that online gambling is a high-risk environment in which users’ autonomy and discernment may be impaired, requiring a particularly demanding standard of consent. Although the claimant had clicked through cookie banners and other consent mechanisms, the court held that he had not validly consented to the profiling and marketing carried out by the operator, as both his understanding of the processing and his ability to make a genuinely free and informed choice were compromised.
In reaching that conclusion, the court articulated a tripartite framework for assessing consent, focusing on the individual’s subjective state of mind, their autonomous ability to make a decision, and the controller’s ability to demonstrate valid consent. Drawing on authority from the Court of Justice of the European Union (CJEU) and principles under Article 8 of the European Convention on Human Rights (ECHR), the court held that consent standards under the UK GDPR are “relatively high”, particularly where processing risks compounding harm to vulnerable individuals. The judgment has been criticised for departing from established regulatory guidance and offering limited clarity as to its practical application.
The court also rejected the operator’s attempt to rely on legitimate interests as an alternative lawful basis for personalised marketing. It found an obvious imbalance between the parties’ rights and interests, particularly where marketing is directed at problem gamblers, and held that, absent valid consent, the operator had no legitimate interest in profiling customers for personalised direct marketing. The claim therefore succeeded. The judgment did not address damages, and in March 2025 the operator was granted permission to appeal to the Court of Appeal, with a hearing expected in 2026.
Key takeaways:
- Consent under the UK GDPR must be assessed in its full factual and sectoral context, with heightened standards in environments involving vulnerability or behavioural risk. The court introduced a novel, three-part approach to consent, incorporating subjective and autonomy-based considerations not expressly reflected in the UK GDPR or Information Commissioner’s Office (ICO) guidance, which came as a surprise. How a controller might be able to determine a subjective state of mind when an individual gives consent via a cookie banner remains a real practical conundrum as a result.
- Safer gambling objectives do not justify the reuse of personal data for personalised marketing, and high thresholds for intervention may undermine reliance on consent.
- The decision casts significant doubt on the availability of legitimate interests as a lawful basis for personalised marketing in the online gambling sector.
Ashley v. The Commissioners for His Majesty’s Revenue and Customs [2025] EWHC 134 (KB)
The High Court considered the scope and operation of data subject access requests (DSARs) under the UK GDPR following a claim by Mike Ashley concerning access to personal data processed during an HMRC tax enquiry. Mr Ashley submitted a DSAR seeking all personal data relating to an investigation by HMRC’s Wealthy and Mid-Sized Business Compliance department (WMBC) into his tax affairs, which had concluded that he owed additional tax following the alleged overvaluation of certain properties. The DSAR was made to understand how HMRC had reached that conclusion.
HMRC initially refused to disclose any personal data, relying on exemptions relating to tax and legal professional privilege. After proceedings were issued, HMRC accepted it had breached Article 15(3) of the UK GDPR and disclosed five schedules of personal data processed by the WMBC and the Valuation Office Agency (VOA). The remaining dispute concerned the scope of the DSAR, the definition of personal data, the adequacy of HMRC’s searches, the application of exemptions, and whether the data provided was intelligible.
The court held that HMRC had wrongly limited the scope of the DSAR by treating the VOA as a separate entity. Internal organisational boundaries cannot restrict a DSAR, and the request extended to all personal data processed in connection with the enquiry, including data held by the VOA. HMRC was therefore required to search across all relevant departments.
On personal data, the court adopted a broad interpretation, holding that information is personal data if linked to an individual by content, purpose, or effect. Valuations of Mr Ashley’s properties were personal data because they directly informed his tax assessment, whereas information about unrelated comparable properties was not.
HMRC’s reliance on the tax exemption under Schedule 2 of the Data Protection Act 2018 (DPA 2018) was rejected, as it had not demonstrated that disclosure would cause “significant prejudice” to tax assessment or collection.
The court also found that HMRC’s disclosure of decontextualised snippets of data was insufficient. Personal data must be provided in a manner that is transparent and intelligible, with sufficient context to allow data subjects to understand how their data is processed and to exercise their rights effectively. Judgment was given in favour of Mr Ashley on all issues.
Key takeaways:
- DSARs are not limited by internal boundaries and data controllers cannot restrict access to personal data based on organisational divisions; all relevant data must be included.
- Information is personal data if linked to the individual by content, purpose, or effect, including property valuations impacting tax liability.
- The requirement to supply contextual data depends greatly on the facts of the case, but in the future, data controllers will likely struggle to justify releasing heavily redacted documents that reveal only small fragments of personal information.
- The “prejudice” exemption to DSAR disclosure is narrow and fact-specific and should not be relied upon without clear evidence that disclosure would cause real and significant prejudice to the protected interest. This is useful as one of the few interpretations of what “significant prejudice” means and could be applied to various other exemptions which are frequently relied on by data controllers and use the same phrase.
June
Raine v. JD Wetherspoon plc [2025] EWHC 1593 (KB)
This case concerned a former employee of JD Wetherspoon (Wetherspoons) whose emergency contact details were disclosed to her abusive ex-partner following a deceptive telephone call, giving rise to claims for misuse of private information, breach of confidence, and breach of data protection law.
During her employment, the claimant provided her mother’s mobile number as an emergency contact. The number was stored in her personnel file, which was marked “Strictly Private and Confidential” and kept in a locked filing cabinet. In 2018, the claimant informed her employer on three separate occasions that she was experiencing serious abuse and harassment from her partner and feared further contact. After her employment ended, the ex-partner telephoned the pub where she had worked, impersonating a police officer and claiming an urgent need to contact her. Despite having received training on “pretexting”, a manager authorised staff to disclose the emergency contact number orally. The ex-partner subsequently used the number to further harass the claimant.
The claimant brought proceedings in the county court for misuse of private information, breach of confidence, and breach of the UK GDPR and the DPA 2018. The recorder found in her favour on misuse of private information and breach of confidence but dismissed the data protection claim on the basis that purely oral disclosure did not constitute processing under the UK GDPR. Wetherspoons appealed on liability, damages, and costs, while the claimant cross-appealed the dismissal of the data protection claim.
The High Court dismissed Wetherspoons’ appeal in full and allowed the claimant’s cross-appeal. The court upheld the finding of misuse of private information, applying the two-stage test from ZXC v. Bloomberg. It held that the claimant had a reasonable expectation of privacy in the emergency contact number, notwithstanding that it belonged to her mother. The court emphasised the confidential nature of the information and the context in which it was provided, rejecting the argument that the information was not the claimant’s or that deception by a third party prevented a finding of misuse.
The court also upheld liability for breach of confidence. It found that the information had the necessary quality of confidence, was imparted in circumstances giving rise to an obligation of confidence, and was disclosed without authorisation. Any implied consent to share emergency contact details with authorities did not extend to disclosure in response to a deceptive request from a third party.
Importantly, the High Court overturned the dismissal of the data protection claim. It held that oral disclosure of personal data retrieved from a recorded system constitutes processing under Article 4(2) of the UK GDPR. The court distinguished Scott v. LGBT Foundation, where the information had never been recorded or stored, and confirmed that accessing a personnel file and orally disclosing the recorded data engaged data protection obligations. Wetherspoons was therefore found to have breached data protection law. The award of damages and costs made by the county court was upheld.
Key takeaways:
- Emergency contact details can constitute an employee’s private and confidential information, even where the data relates to a third party.
- Oral disclosure of personal data obtained from a recorded system can amount to processing under the UK GDPR.
- Deception by a third party does not excuse an organisation from liability where it positively discloses private or confidential information. The judgment highlights the importance of ensuring that data protection training, particularly around “pretexting”, is effectively implemented in practice, not merely documented in policies.
August
Farley and Others v. Paymaster (1836) Limited (trading as Equiniti) [2025] EWCA Civ 1117
This case concerns a collective data protection claim brought by 432 current and former Sussex Police officers following the misdelivery of pension benefit statements in 2019. As previously discussed in our 2024 summary of the High Court proceedings (Farley & Ors v. Paymaster (1836) Ltd (Trading As Equiniti) [2024] EWHC 383 (KB)), the High Court struck out the claims on the basis that only claimants who could show that their statements had been opened and read had a real prospect of success. The statements, which were sent to out-of-date addresses, contained sensitive personal data, including dates of birth, national insurance numbers, salary information, length of service, and accrued pension benefits. The claimants alleged misuse of private information and infringements of the UK GDPR and the DPA 2018, seeking compensation for distress and fear of third-party misuse of their data.
The claimants appealed, and the Court of Appeal overturned the High Court’s decision. It held that proof of disclosure to a third party is not a necessary element of an infringement of data protection law. The court emphasised that the UK GDPR defines processing broadly, and that the collection, organisation, storage, printing, and posting of the pension statements constituted processing in themselves, regardless of whether the envelopes were opened.
The Court of Appeal also rejected the argument that data protection claims are subject to a “threshold of seriousness” akin to that applied in misuse of private information claims. Drawing on established CJEU jurisprudence, the court held that no such threshold exists under the UK GDPR or the DPA 2018. While mere “loss of control” is insufficient, compensation may be awarded for non-material damage such as distress or fear of misuse, provided that fear is objectively well-founded and not purely speculative.
Finally, the court rejected the argument that the claims should be struck out as an abuse of process under the principles in Jameel v. Dow Jones. It held that the permissibility of such claims cannot be determined generically or in the abstract and must instead be assessed on a claimant-by-claimant basis. The case was remitted to the High Court to determine whether data protection infringements occurred and, if so, what level of compensation may be appropriate. In December 2025, Paymaster was granted permission to appeal to the Supreme Court on the issue of compensation.
Key takeaways:
- Proof that personal data was accessed by a third party is not required to establish a UK GDPR infringement.
- Unlike claims for misuse of private information, data protection claims under the UK GDPR and DPA 2018 are not subject to a minimum threshold of seriousness before compensation can be awarded. Non-material damage may include distress or an objectively well-founded fear of misuse, but purely hypothetical or speculative concerns will not be sufficient.
- Group data breach claims should not be struck out on a generic basis as an abuse of process, and questions of liability and compensation must be assessed on an individual claimant basis.
- The decision represents a significant departure from the restrictive approach adopted in earlier data breach litigation and aligns English law more closely with established CJEU jurisprudence on compensation under EU data protection law.
Clarke v. Guardian News & Media Ltd [2025] EWHC 2193 (KB)
This case concerns libel and data protection claims brought by the actor Noel Clarke against Guardian News & Media Ltd in relation to eight articles published between April 2021 and March 2022. The articles reported allegations of sexual misconduct, harassment, and bullying by Clarke made by multiple women over a period of approximately 15 years. Clarke issued proceedings seeking £70 million in damages, alleging that the publications were false and had caused serious harm to his reputation.
Alongside his libel claim, Clarke pursued a parallel claim under the UK GDPR and the DPA 2018. The data protection claim arose from the same publications and factual allegations as the defamation claim and was closely aligned with it throughout the proceedings. Clarke alleged that the Guardian had unlawfully processed his personal data by publishing allegations of sexual misconduct, contending that much of the information amounted to special category data relating to his sex life. He also pleaded that the data was inaccurate and that the processing was not lawful, fair, or transparent. The damages sought under data protection law mirrored those claimed in libel.
The Guardian denied any breach of data protection law, maintaining that the articles were accurate and that the processing was carried out for journalistic purposes in the public interest. It relied on the statutory journalism exemption under the UK GDPR and the DPA 2018. In response, Clarke relied on the same allegations of inaccuracy and lack of public interest that underpinned his libel claim, reinforcing the overlap between the two causes of action.
During the trial, the duplication between the claims became explicit. On the first day of the hearing, Clarke accepted that the meanings of the data for the purposes of the data protection claim should be the same as those determined for libel, abandoning alternative pleaded meanings. The Guardian submitted that the data protection claim added nothing of substance beyond the defamation claim. Following the conclusion of the evidence, Clarke’s counsel accepted that the libel and data protection claims would “stand or fall together”. On 7 April 2025, Clarke confirmed that the data protection claim did not add anything of substance and did not seek a determination on it. The claim was therefore formally withdrawn, and the court’s final judgment addressed only the libel claim.
Key takeaways:
- Allegations of inaccuracy and unfairness under data protection law closely track defamation issues where the same publications are relied upon.
- The court in this case did not examine the scope or application of the journalism exemption in detail, as the data protection claim was withdrawn before determination. As a result, the decision provides limited guidance on how the journalism exemption will be assessed in contested UK GDPR claims.
- The withdrawal of the data protection claim highlights the limits of using UK GDPR claims to supplement defamation proceedings where the factual and legal bases overlap entirely.
September
R v. Jason Blake (Bridlington Lodge Care Home)
Jason Blake, director of Bridlington Lodge Care Home in Yorkshire, was prosecuted under the DPA 2018 after failing to comply with a DSAR submitted in April 2023. The request, made by a daughter acting under a lasting power of attorney for her father, sought incident reports, CCTV footage, and care notes relating to his treatment at the home. The court heard that between 12 April and 12 May 2023, Blake deliberately concealed, erased, or blocked records to prevent their disclosure – conduct falling squarely within Section 173 of the DPA 2018, which makes it a criminal offence to alter, deface, block, erase, destroy, or conceal information with the intent of preventing its disclosure following a DSAR.
Blake was prosecuted by the ICO at Beverley Magistrates’ Court. During the proceedings, various defence arguments were raised, including that the requested records had already been provided by staff, that responsibility lay with the care home manager, and that the company was no longer registered with the ICO. The court rejected all of these arguments, emphasising that directors and senior managers retain personal responsibility for compliance with data protection law once a DSAR has been received. On 3 September 2025, Blake was found guilty, fined £1,100, and ordered to pay costs of £5,440. The ICO confirmed that the requested data was ultimately provided to the requester.
The legal issue before the court was whether Blake’s actions constituted a deliberate obstruction of the requester’s rights under Section 173 of the DPA 2018. The court held that intentionally concealing, erasing, or blocking records to prevent disclosure clearly fell within the scope of the offence, and that individual directors may be held personally liable regardless of organisational structure or delegation of duties. The court also considered the effect of Blake’s conduct on the fundamental privacy rights of the data subject, noting that timely and complete responses to DSARs are essential for maintaining transparency and accountability in the processing of personal data.
Key takeaways:
- Actively concealing, erasing, or blocking records to prevent disclosure constitutes a criminal offence under Section 173 of the DPA 2018.
- Directors and senior staff cannot avoid liability by delegating responsibility to subordinates or other employees. Frontline staff must be trained to recognise DSARs and escalate them appropriately, and organisations should maintain clear written procedures supported by audit trails to minimise the risk of both accidental and deliberate breaches.
- Failing to comply with DSARs can result in fines, costs, and significant reputational damage to both individuals and the organisation, highlighting the importance of robust data governance in sensitive sectors such as health care.
October
The Information Commissioner v. Clearview AI Incorporated [2025] UKUT 319 (AAC)
This case concerns an appeal by the UK Information Commissioner against a decision of the First-tier Tribunal (FTT) relating to Clearview AI Inc, a US-based facial recognition company. Clearview operates a commercial facial recognition service built from a database of billions of images scraped from the internet and social media, which it provides to foreign law enforcement and government bodies. In May 2022, the Commissioner fined Clearview £7.5 million and issued an enforcement notice requiring the company to stop collecting images of UK residents and to delete such data from its systems.
Clearview appealed the monetary penalty and enforcement notice, arguing that the Commissioner lacked jurisdiction. In October 2023, the FTT upheld that argument, concluding that Clearview’s processing fell outside the material scope of the UK GDPR because its services were provided exclusively to foreign law enforcement agencies carrying out functions beyond the scope of UK and EU law. Although the FTT accepted that Article 3(2)(b) of the UK GDPR could apply where behavioural monitoring is carried out by a third party, it nonetheless found that Clearview’s processing was excluded under Article 2.
The Commissioner appealed to the Upper Tribunal (UT), which in October 2025 overturned key aspects of the FTT’s reasoning and upheld three of the four grounds of appeal. The UT held that the FTT had erred in law by failing to provide adequate reasons for its conclusion that Clearview’s processing fell outside the material scope of the UK GDPR. It rejected Clearview’s argument that its processing was so fundamentally linked to the sovereign activities of its clients that it should be treated as outside the material scope, finding instead that Clearview’s data processing was distinct and carried out on a commercial basis.
On the material scope of the UK GDPR, the UT adopted a narrow interpretation of the exemption in Article 2, holding that it is concerned with the allocation of responsibilities between the UK and its former EU Member States and does not exclude the activities of private companies merely because their services are used by foreign state bodies. The UT also rejected the suggestion that principles of comity shield a private company from regulation simply because it provides services to foreign governments.
On territorial scope, the UT held that Clearview’s processing was related to the monitoring of the behaviour of UK residents within the meaning of Article 3(2)(b) of the UK GDPR. It confirmed that this provision applies not only where a controller itself monitors behaviour, but also where its processing is closely connected to monitoring carried out by another controller. The UT further held that Clearview itself engaged in behavioural monitoring, adopting a broad interpretation of the concept that includes the automated collection, classification, and storage of personal data for potential future profiling. The case has been remitted to the FTT to determine the substantive appeal on the basis that the Commissioner did have jurisdiction. In December 2025, Clearview was granted permission to appeal to the Court of Appeal.
Key takeaways:
- Overseas companies can fall within the scope of the UK GDPR where their processing is related to the monitoring of UK residents’ behaviour. Behavioural monitoring under Article 3(2)(b) can include passive, automated collection and classification of data for future use.
- The material scope exemption in Article 2 of the UK GDPR is narrow and does not shield private companies providing services to foreign state bodies.
- AI systems built on unlawfully obtained personal data are vulnerable to enforcement action that may undermine their commercial viability.
Client Alert 2026-015