UK ICO Clarifies New Complaints Handling Requirements Under the DUAA
Starting in June 2026, the UK’s Data (Use and Access) Act (“DUAA”) will require organisations to have a formal process for handling data protection complaints, and the Information Commissioner’s Office (the “ICO”) has now published guidance explaining what this complaint mechanism requirement means in practice. The guidance clarifies what constitutes a “data protection complaint” and stresses the importance of recognising complaints early, even where individuals do not use formal legal language. It also sets out expectations around making complaint channels accessible, including through online forms, email or telephone, and confirms that organisations must acknowledge and respond to complaints within specified timeframes. The ICO also notes that handling complaints effectively at an early stage may help reduce escalation to the regulator and encourages organisations to review their internal processes and governance arrangements ahead of the new requirements taking effect on 19 June 2026.
EU: Regulators Question Proposals to Narrow the GDPR’s Scope
On the 11th of February 2026, the European Data Protection Board (the “EDPB”) and the European Data Protection Supervisor (the “EDPS”) published a joint opinion on the Commission’s Digital Omnibus proposal. The proposal, published in November 2025 with the aim of simplifying the EU’s digital rulebook, includes targeted amendments to the GDPR and related instruments.
In this joint statement, even though both bodies broadly welcomed the overall goal of making compliance easier and more consistent across the EU, particularly where the proposal could reduce unnecessary paperwork and bring greater legal clarity, they were clear that simplification must not come at the expense of fundamental rights. They welcomed several specific measures, including clearer rules for scientific research, a limited new exception for biometric authentication where users retain sole control, and more proportionate requirements for data breach notifications and data protection impact assessments, while stressing that common templates and thresholds should remain under the EDPB’s authority. At the same time, they raised serious concerns about proposals they consider harmful to the level of protection guaranteed under EU law, most notably proposals to narrow the definition of personal data or to exclude pseudonymised data from the scope of EU data protection law. On issues like AI, transparency obligations, access rights and automated decision-making, the EDPB and EDPS acknowledged the need for flexibility but called for tighter safeguards, clearer conditions and alignment with existing case law.
Overall, the joint opinion makes clear that simplification is acceptable only where it preserves legal certainty, trust and a high level of protection for individuals’ rights and freedoms.
UK ICO Fine Over Reddit’s Handling of Children’s Data
On the 24th of February 2026, the UK ICO fined Reddit £14.5 million for failing to adequately protect the personal data of children using its platform. The ICO found that Reddit did not have effective age verification measures in place, which meant that children under 13 were able to access the service and have their personal data processed without appropriate safeguards. According to the ICO, Reddit also failed to properly assess the risks its platform posed to younger users or to put in place measures to limit how children’s data was collected and used. The case highlights the ICO’s growing focus on children’s data and serves as a reminder to platforms that weak age verification measures are unlikely to be tolerated.
Nigeria Launches Data Protection Investigation into Temu
On the 17th of February 2026, Nigeria’s data protection regulator opened an investigation into e-commerce platform Temu over concerns about how it handles the personal data of Nigerian users. The regulator is looking at whether Temu’s practices comply with the Nigeria Data Protection Act, including how clearly the platform explains its data use to users, how much data it collects, and what happens to that data when it is transferred outside Nigeria. Even though the investigation is still at an early stage, it shows that Nigeria’s regulator is prepared to look closely at the data practices of major international platforms.
California Imposes $2.75m Privacy Penalty on Disney
The State of California reached a settlement with Disney under the California Consumer Privacy Act (the “CCPA”), requiring Disney to pay a $2.75 million penalty, redesign its opt-out mechanisms, and report to the California Attorney General on its compliance efforts, in order to resolve allegations that it made it unnecessarily difficult for users to opt out of the sale or sharing of their personal data. The investigation found that Disney’s opt-out tools did not work consistently, forcing users to repeat the same choices across different devices and services instead of applying them across their account. The case stands out as a clear reminder that, under the CCPA, opt-out rights must work in practice and not just exist on paper.
GP Surgery Reprimanded for Excessive Disclosure of Medical Records
On the 3rd of February 2026, the UK ICO reprimanded Staines Health Group after it disclosed far more patient information than was necessary in response to an insurance request. The GP surgery sent 23 years of medical records relating to a terminally ill patient to an insurer, despite the request covering only a five-year period, and did so without first giving the patient the opportunity to review the information. The ICO found that the practice lacked clear written procedures for handling insurance requests and had not provided regular data protection training to staff, contributing to the error. The incident shows how important it is to have clear checks in place when sharing sensitive health information.