Insights

Brussels – April 21, 2026: Lauren Cuyvers has joined Crowell & Moring as a partner in its highly regarded Privacy and Cybersecurity Group, expanding the firm’s ability to provide critical legal counsel to clients managing a complex and rapidly changing privacy and cybersecurity landscape globally. She is the third addition to the firm’s Brussels office in the last six months and the fourth partner to join the firm’s Privacy and Cybersecurity Group in the last year.

London – November 11, 2025: Computer Weekly has named Emma Wright, co-chair of Crowell & Moring’s Privacy and Cybersecurity Group, to its “50 Most Influential Women in UK Tech” list for 2025. The annual list recognizes women who are driving innovation and leadership within the UK technology sector.

London – October 16, 2025: Chambers and Partners has ranked Crowell & Moring U.K. LLP and its lawyers across the United Kingdom as leaders in their respective practice areas in the Chambers UK 2026 Guide.

The first applications to lift an automatic suspension under the Procurement Act 2023 (the Act) have recently been decided. In Parkingeye Limited v Velindre University NHS Trust & Anor [2026] EWHC 1019 (TCC), handed down on 1 May 2026, HHJ Keyser KC dismissed applications by two NHS contracting authorities to lift the suspension preventing them from concluding a car park management services contract. This is the first judicial consideration of the new test under section 102(2) of the Act.

In March 2026, the UK Information Commissioner (ICO) published guidance on the new lawful basis for processing personal data introduced by the Data (Use and Access) Act 2025 (DUAA): the recognised legitimate interest (RLI) lawful basis. Controllers may now rely upon one of five pre-approved conditions, each focused on specific public-interest justifications, for personal data processing.

In a significant ruling on the application of data protection law in the United Kingdom, on 19 February 2026, the UK’s Court of Appeal (CA) ruled in favour of the UK Information Commissioner (ICO) in its appeal against the decision of the Upper Tribunal (UT) in the case of DSG Retail Ltd v The Information Commissioner [2026] EWCA Civ 140. This ruling clarifies the scope of data controllers’ security obligations with pseudonymised personal data and confirms that a controller’s duty to safeguard personal data is not diminished merely because a cyber attacker who exfiltrates that data would be unable to re-identify the individuals concerned.