The Government has published its long-awaited Cyber Security and Resilience Bill, which will amend the existing Network and Information Systems Regulations 2018 and grant new powers to regulators and the Government in relation to cybersecurity.

The Bill aligns with the Government’s recognition that cybersecurity is a critical enabler of economic growth and cyber incidents—such as Jaguar Land Rover, Marks and Spencer, Royal Mail and the British Library—are costing UK businesses billions annually and causing severe disruption. Inside Privacy set out the five major changes to the regulation of cybersecurity this Bill seeks to achieve.

Internet and Social Media

The Technology Secretary Liz Kendall has warned that Ofcom is at risk of losing public trust if it fails to use its powers to tackle online harms. Ofcom has insisted the delays to its enforcement of parts of the Online Safety Act were beyond its control and that “change is happening”. But Kendall told the Guardian: “They know that if they don’t implement [and] use the powers that they’ve got in the act, they will lose the trust of the public.”

The LSE Media Policy Project has an article presenting the role of X in the UK riots of summer 2024. Research indicates that accounts that had been ‘verified’ by the platform played a significant part in spreading content that incited violence.

Data Privacy and Data Protection

The Cyberleagle blog has an article examining the Information Commissioner’s Office (ICO) submission to Ofcom’s consultation on additional safety measures under the Online Safety Act.

Researchers in Austria used a flaw in WhatsApp to gather the personal data of more than 3.5 billion users in what they believe amounts to “the largest data leak in history.” The messaging platform allows users to look up others’ details by inputting their phone numbers. The feature, which has been part of the platform for years, can be abused to enumerate user data, including phone number, name, and in some cases their profile image if they have one set. The Register has more information here.

Artificial Intelligence

The IAPP blog has an article examining the European Union’s legal and regulatory response to the disruptive potential of widespread AI integration into everything from health care to finance. The piece argues that a pivotal question lies at the heart of this evolving legal landscape: should AI systems be classified as products or services? The answer carries significant consequences for how liability is assigned, how consumers are protected, and how safety standards are enforced throughout the AI lifecycle.

IAPP has a further article that considers how the use of AI agents to complete user tasks can blur distinctions between data controllers and processors due to their ability to make and execute decisions with limited human input. The use of these tools raises concerns about technology’s potential impact on user choices and how individuals can protect their privacy while using these agents.

IPSO

Statements in Open Court and Apologies

On 21 November 2025, the Chief Constable of Lancashire Constabulary apologised in the High Court today to Mr Ali Ahmed for broadcasting a video on TikTok which contained his private information and, by its juxtaposition with a different video of another  man whose face was disguised throwing a firework at a police car, wrongly appeared to suggest that he was that other man. The videos had been broadcast in a post on TikTok with the soundtrack of Rihanna singing “you look so dumb right now”. The Chief Constable has also agreed to pay substantial damages and to publish an apology on TikTok to the Claimant.

New Issued Cases

There was one Data Protection claim and two Miscellaneous claims filed on the Media and Communications list in the last week.

Last Week in the Courts

On Monday 17 November 2025 there was a half day hearing in the case of Stedman-v-Syztmz KB-2024-002972.

On Tuesday 18 November 2025 there was the hearing of an application for summary judgment in the case of Munim v Rahman [2025] EWHC 3051 (KB). Steyn J found that there was no defence to the claim which has a realistic prospect of success and summary relief was granted to the claimant in the form of a declaration of falsity, an order to publish a correction and apology, damages in the sum of £10,000 and an injunction. The claim for libel was issued in respect of comments posted on Facebook by the defendant in May 2018 alleging, in essence, that the claimant stole the design of an industry awards logo and trophy from him and that the claimant unlawfully stole the defendant’s business. The posts were held to be seriously defamatory [48]. The truth defence was held to be “hopeless” in the face of the binding findings of fact in a parallel copyright and company claim between the parties, which were dismissed by HHJ Jarman KC on 21 November 2022: Munim v Rahman & ors [2022] EWHC 2870 (Ch) [55]. The honest opinion defence was not available because Steyn J found that an honest person with the knowledge of the facts, as held by the defendant, could not have held the opinion that the claimant was a “dishonest exploitative crook” [62]. Finally, Steyn J found that the defendant had no realistic prospect of establishing that, assuming he honestly believed publishing the statements complained of was in the public interest, that his belief was reasonable [72].

On the same day there was a preliminary issues trial in the malicious falsehood case of Digital Isle Limited v Marcos Enterprise Limited and another KB-2024-000614.

On 19 November 2025 there was a preliminary issues trial in the case of Andy Ngo v Guardian News and Media KB-2025-002764.

On 20 November 2025 there was a PTR in the misuse of private information case of Feldman v Gambling Commission KB-2024-003588 and a preliminary issues trial in the case of Rashed v Deane KB-2022-004580.

On the same day, Collins Rice J handed down judgment in Garrett v Schestowitz and Schestowitz [2025] EWHC 3063 (KB). Mr Garrett is a software engineer who issued libel proceedings over a sustained campaign of defamatory publications by the defendants, a married couple who each publish extensively on the subject of free software (and other topics) on their blogs Techrights and Tuxmachines. The blog posts accused him of, amongst other things, criminality (including that he had abused, harassed, and blackmailed many people, sent death threats, and was a user of crack cocaine), and that he had widely published grossly offensive material in harassing the defendants (which included misogynistic, racist, homophobic, or paedophiliac language). Mr Garrett strenuously denied the truth of all of the allegations. The Defendants’ truth, public interest, and honest opinion defences all failed, with Collins Rice J finding that there was no evidential basis for any of them. A counterclaim against Mr Garrett for harassment was dismissed. Mr Garrett was awarded £70,000 in damages. The Judge said in the absence of any indication that the Defendants would voluntarily desist from further defamation, remove the material objected to, and give satisfactory undertakings not to repeat the same or similar allegations, that it was appropriate for an injunction to be imposed compelling the removal of material/publication of further content. Brett Wilson and 5RB have more information.

Also on 20 November 2025, the Court of Appeal published judgment in the appeal in Hemming v Poulton & Ors [2025] EWCA Civ 1494. The appeal was allowed in part. The original libel claim was brought in respect of two publications from 2019; a YouTube Video (the Video) showing a recorded interview with journalist Sonia Poulton (Respondent) and a statement title “Police Update” (the Update) which Ms Poulton posted on her website. Speaking for the court, Bean LJ substituted clarified determinations on meaning for both publications and adjusted the trial judge’s order concerning the YouTube video. Bean LJ held that the natural and ordinary meaning of the Video is that “there are reasonable grounds to investigate whether John Hemming abused Esther Baker when she was a child” and that this is a defamatory factual imputation” [49]. For the Update, Bean LJ set aside the trial judge’s determination and substituted its own conclusions that (a) the Update referred to Mr Hemming, (b) it conveyed three related defamatory meanings about Mr Hemming (that he tried to stop Ms Poulton exposing child abuse by members of the Establishment by  taking part in the application of inappropriate and excessive pressure; his motivations for this behaviour were improper; and there are reasonable grounds for investigating whether those motivations include a desire to cover up his own criminal activities) and (c) that part of these meanings were factual [60-62]. These modifications clarify the precise defamatory imputations that frame the rest of the litigation.

As mentioned above, on 21 November 2025 there was a statement made in open court in Ali Ahmed (“Muhammed Ali”) v The Chief Constable of the Lancashire Constabulary KB-2025-001753.

Media Law in Other Jurisdictions

Australia

The Chief Justice of the High Court has warned that judges around Australia are acting as “human filters” for legal arguments created using AI. Stephen Gageler said there was increasing evidence to suggest the courts had reached an “unsustainable phase” of AI use in litigation, requiring judges and magistrates to act “as human filters and human adjudicators of competing machine-generated or machine-enhanced arguments” run by both litigants-in-person and legal professionals. The Guardian has more information here.

The Herald Sun has apologised to Victorian MP Sam Groth as part of a settlement of a court case brought by Mr Groth. Mr Groth and his wife, Brittany, sued the newspaper for defamation over a series of articles it published about their relationship. In the apology published 17 November 2025, the newspaper said it was sorry for the hurt the articles caused.

Canada

Amendments to the Personal Information Protection and Electronic Documents Act have been taking place behind-the-scenes courtesy of the federal government’s Budget 2025 Implementation Act. Sections 72 and 123 from the now defunct Bill C-27 have been resurrected; an amended version of Section 124 has resurfaced and a data mobility framework has been introduced. The IAPP blog has more information here.

Public bodies in Alberta will be required to implement a privacy management programme by 11 June 2026, when a one-year grace period in the province’s Protection of Privacy Act. In addition to privacy management programs, Alberta’s POPA requires privacy impact assessments, introduces new rules permitting data matching and the “creation of non-personal data,” and establishes privacy breach notification requirements in the public sector — applying the “real risk of significant harm” threshold.

ECtHR

Strasbourg Observes has an article on the recent case of Mortensen v Denmark 16756/24, in which the ECtHR had another opportunity to assess whether calling someone a ‘Nazi’ falls within the boundaries of freedom of expression. The Court not only had to balance the right to reputation against freedom of expression, but also, from a broader perspective, assess what forms of speech are acceptable in a democratic society. The Court underlined that the condemnation of hate can itself constitute an act of defending democratic values and therefore merits protection under Article 10 of the Convention.

Europe

On 19 November 2025, the European Commission released its Digital Omnibus Regulation Proposal and Digital Omnibus on AI Regulation Proposal. The draft proposals outline a course correction to Brussels’ approach to digital regulation as set out in its new European Data Union Strategy. With the rapid rise of artificial intelligence and the proliferation of digital regulations in the EU, competitiveness concerns outlined in the Draghi report and geopolitical pressure from the US and China, the Commission is peeling back some rules it considers onerous. IAPP and the Privacy and Information Law blogs have more information.

On 17 November 2025, the Council of the European Union adopted new rules designed to strengthen cooperation among national data protection authorities, enhancing the enforcement of the EU GDPR. According to the Council, these reforms aim to streamline how cross-border data protection complaints are handled, reducing delays and improving consistency for individuals and businesses across the European Union. The Privacy and Information Law blog has more information here.

India

India’s government has operationalized a Personal Data Protection Framework specifically designed to meet the needs of residents and businesses alike. With the Ministry of Electronics and Information Technology’s official notification of the Digital Personal Data Protection Rules 2025, India’s Digital Personal Data Protection Act has come into effect. IAPP has analysis here and here, as does Hogan Lovells.

Russia

A Russian telecom company that develops technology to allow phone and internet companies to conduct web surveillance and censorship was hacked, had its website defaced, and had data stolen from its servers. TechCrunch has more information here.

United States

The US House Committee on Energy and Commerce’s Oversight and Investigations Subcommittee held a hearing 18 November 2025 to ask experts about the safety risks chatbots pose and what should be done from a legislative or regulatory perspective to mitigate them. Lawmakers expressed concern over the number of chatbot users who have developed various forms of psychosis — with some, including adolescents, dying by suicide following periods of prolonged engagement. Their line of questioning to witnesses and the responses they elicited suggest there is ample room for Congress to pursue bi-partisan legislation to ensure chatbots interacting with the public are safe in both recreational and therapeutic applications. IAPP has more information here.

Research and Resources

Next Week in the Courts 

On Monday 24 November 2025 there will be a statement in open court in the case of Mueen-Uddin v Secretary of State for the Home Department QB-2020-002120 before Hill J.

On Wednesday 26 November and Thursday 27 November 2025 there will be a two day trial in the libel case of Ali v Hussain KB-2024-000959.

On the same two days there will be a PTR in the case of Baroness Lawrence v Associated Newspapers Ltd KB-2022-003316.

On Wednesday 26 November 2025 there will be an application in the case of Slobada v Rayden KB-2025-003528

On Friday 28 November 2025 the court will hear an application for costs in the case of  Full Colour Black Ltd v Pest Control Ltd & anr KB-2022-003469. 

The same day there will be an application in the case of CFL Limited v Fraser KB-2025-003877

Reserved Judgments

Optosafe Ltd v Robertson,  heard 11 and 12 November 2025 (Steyn J)

This Round Up was prepared by Colette Allen, the host of Newscast on Dr Thomas Bennett and Professor Paul Wragg’s The Media Law Podcast (@MediaLawPodcast).