ARTICLE
8 June 2026

Global Data Privacy And AI Case Law Review – June 2026

Dentons Canada LLP

Contributor

Across over 80 countries, Dentons helps you grow, protect, operate and finance your organization by providing uniquely global and deeply local legal solutions. Polycentric, purpose-driven and committed to inclusion, diversity, equity and sustainability, we focus on what matters most to you.


Welcome to the June edition of Dentons’ Global Data Privacy and AI Case Law Review.

This update contains submissions from Dentons colleagues across the world, from the UK and EU to North America and Asia. Recent developments show courts and regulators continuing to test the boundaries of privacy, cybersecurity and AI governance across jurisdictions. In the UK, the focus remains on cybersecurity duties, ICO enforcement, digital identity systems, and the risks of AI-generated legal authorities and consumer-facing GenAI tools.

Internationally, AI remains central, with significant developments in China, India and the US on AI liability, governance, misinformation, high-risk systems and synthetic precedents. Privacy litigation and enforcement also continue to evolve (see our notes with respect to Canada, Italy and Singapore). Taken together, these updates highlight the increasing need for organisations to manage privacy, cybersecurity and AI risks across the full data lifecycle and across borders.

Please feel free to get in touch if it would be helpful to discuss any of the issues raised.

Explore developments by jurisdiction:

  • UK
  • China
  • United States
  • India
  • Canada
  • Italy
  • Singapore

United Kingdom

Cybersecurity and the ICO: Court of Appeal backs a broad security duty

In DSG Retail Limited v Information Commissioner [2026] EWCA Civ 140, the Court of Appeal considered whether the obligation on a data controller to keep personal data secure applies even where, following an attack, a hacker is unable to ascertain the identity of the individual data subjects ultimately affected.

This appeal was the latest instalment in the long-running litigation arising out of a cyberattack on DSG's POS systems in 2017/18. Although that attack resulted in criminals being able to access data subjects' card numbers, the associated cardholder names were not compromised. The ICO nonetheless imposed a fine of £500,000 (US$675,000) on DSG (the maximum available at the time) for failure to put in place appropriate technical and organisational measures to prevent the incident. Following an appeal by DSG, the Court of Appeal had to decide whether a controller's data security duty applies notwithstanding that a hacker has been unable to identify individual data subjects as a result of the attack in question. The court determined that it did and that the perspective of a third-party hacker should not impact upon the scope of a controller's obligations. Although the case was decided under the Data Protection Act 1998, it seems likely that the court's reasoning applies equally to UK GDPR and the Data Protection Act 2018.

ICO enforcement activity continues to build

The ICO has also been busy, both appearing in a number of First-tier Tribunal cases and issuing fines and open letters to social media platforms and other bodies. Recent examples include a £66,000 (US$89,000) fine and reprimand for Police Scotland following serious data mishandling and a £14.47 million (US$19.5 million) fine for Reddit for unlawfully using children's personal information. The ICO reported that Reddit failed to check the age of its users properly, putting children at risk of being exposed to inappropriate and harmful content online.

Digital identity and online status checks: the eVisa case

In R (on the application of (1) BSC (2) Janice Cabahug Suarez) v Secretary of State for the Home Department [2026] EWHC 705 (Admin), the High Court upheld the Home Office's digital-only eVisa policy, finding it lawful and not irrational despite acknowledged system errors, delays and hardship caused when individuals could not access or correct their online status. This is a significant UK ruling on digital identity infrastructure and access rights. The court accepted the risks inherent in digital-only government systems, but confirmed that public law challenges will turn on rationality, support mechanisms and error-correction processes rather than any general right to an offline alternative.

AI – in the spotlight again in the UK courts

Courts take a strict approach to AI-generated legal authorities

The courts in England and Wales are continuing to take a strict approach to the use of AI in court. In BCP Council v A Mother [2026] EWFC 71 (B), the Family Court treated unverified AI-generated citations as a serious risk to the administration of justice, stressing that all parties, including litigants in person, must check authorities and not mislead the court. The case also had a privacy dimension. The court refused to erase a non-party's personal data from the bundle, holding that retention was justified under judicial and data protection exemptions because the material remained relevant to the proceedings and to future assessments.

Confidentiality, privilege and consumer-facing GenAI tools

The confidentiality risks of AI were addressed more directly in UK v Secretary of State for the Home Department (AI hallucinations; supervision; Hamid) [2026] UKUT 81 (IAC).

The courts are treating the use of consumer-facing GenAI tools with confidential legal material as a serious confidentiality and privilege risk, even for routine tasks such as summarising client or Home Office documents. The tribunal suggested that uploading such material to a publicly available AI tool may amount to placing it in the public domain, potentially breaching confidentiality, waiving privilege and triggering regulatory reporting to the ICO and SRA. The practical takeaway is clear: avoid entering confidential material into public AI tools unless the relevant data-use terms have been carefully assessed, and prefer ring-fenced enterprise tools with stronger contractual protections. Even then, privilege is not guaranteed. Under English law, privilege can be lost if access is shared too widely internally, and these risks apply across legal research, drafting and administrative uses of AI alike. That cautious approach was reinforced in October 2025, when the judiciary updated its guidance on the use of AI and warned that "any information that you input into a public AI chatbot should be seen as being published to all the world".

Other notable UK data and privacy decisions

Mixed personal data and rectification rights

In East Dunbartonshire Council, Appellant [2026] SLT (SAC) 33, a significant decision, the Sheriff Appeal Court confirmed that the same information can be "mixed personal data", belonging to more than one person at once. The court held that a father could rely on UK GDPR rights where a school risk assessment about his daughter also directly related to him as the parent involved in the process. The local authority was found liable for failing to rectify inaccurate data without undue delay, reinforcing that organisations must identify and manage overlapping personal data rights carefully and may face compensation claims for non-compliance.

China

AI-related court cases in China

Liability for disseminating AI-generated misinformation – AI hallucinations do not exempt operators from legal responsibility

A self-media operator, Li, used an AI tool to generate an article containing largely false information about a company, exploiting its brand name and logo for follower growth and commercial gain. The court held that users bear a duty to review and verify AI-generated content, and that Li could not escape liability merely because the content was AI-generated. Li was ordered to issue a public statement to mitigate reputational harm and to pay RMB 30,000 (US$4,400) in compensation for economic losses.

Copyright protection of AI-generated images – single-step AI outputs do not qualify as protected "works"

Cui generated four images via a single text-to-image command and sued a company for unauthorised use of one image on its WeChat account. The court ruled that the images lacked originality, as the generation process was predominantly algorithm-driven with considerable randomness, and Cui's creative input bore no distinctive correlation to the final outputs. Accordingly, the images did not meet the statutory threshold for copyright protection and Cui's claim was dismissed.

AI voice imitation and unfair competition – replicating a well-known character's voice may constitute unfair competition

A Guangdong company sued a Chongqing company over its "XXX Good Voice" app, which offered AI-generated images and voices closely resembling famous cartoon characters to paying users. The court partially upheld the claims: the unauthorised use of substantially similar images infringed the plaintiff's right of online dissemination and the imitation of the characters' voices was likely to mislead the public into believing an association with the original cartoon, thereby constituting unfair competition. However, the court found that voice timbre alone is not a protectable "work" under copyright law. The Chongqing company was ordered to pay compensation for economic losses and reasonable legal fees.

Criminal liability for AI-generated obscene content – China's first criminal conviction of an AI service provider

Shanghai prosecutors brought criminal charges against the operators of "Alien Chat," an AI companion app, for enabling the mass generation of sexually explicit content by modifying system prompts and disabling model safety guardrails. The court held that AI-generated obscene chat records constitute "obscene materials" under the Criminal Law; that the operators, by exercising decisive control over content generation, qualified as "producers" of such materials; and that the platform's large user base, paid business model and volume of obscene content established sufficient social harm to ground criminal liability, notwithstanding the private nature of individual chats. The first-instance court rejected the "technology neutrality" defence, marking China's first criminal conviction of an AI service provider. The case is currently under second-instance review.

Law enforcement in the AI sector

Failure to register algorithmic recommendation services

A company in Sanya was found to have launched algorithmic recommendation services with public opinion or social mobilisation attributes without completing algorithm registration as required under applicable regulations. The unregistered services posed risks to online information order and user rights. Sanya CAC interviewed the company's responsible person, issued a rectification order and set a deadline for completing the mandatory algorithm registration procedures.

Unauthorised deployment of generative AI services via filed LLM API

A company in Wuxi was found to be offering generative AI services on its website by calling the API (requesting a service or information from the API server) of a separately filed large language model, without independently registering its own generative AI application or completing the required security assessments. Wuxi CAC determined that such conduct violated applicable generative AI regulations, interviewed the company's responsible person, ordered the immediate takedown of the generative AI services and directed the company to complete the proper filing and security assessment procedures before resuming operations.

AI in the PRC legal sector: China has recently raised the bar for AI governance

On 20 March 2026, 10 Chinese ministries jointly issued the Administrative Measures for the Ethical Review of Artificial Intelligence Science and Technology and Related Services (Trial), establishing a mandatory ethics review framework for AI research and development activities. The measures took effect upon issuance.

Any entity developing AI systems that may give rise to risks or challenges in the area of science and technology ethics – particularly those affecting human dignity, public order, life and health, the ecological environment or sustainable development – will fall within the scope of the measures. Such entities are required to submit their relevant AI R&D activities for ethical review, either to their internal Ethics Committee or, where no such committee exists or where it lacks the requisite capability, to an external Science and Technology Ethics Review Service Centre.

Dentons acknowledges and thanks partner Pascal Jiang and Vanessa Zhao for their contribution to the article.

United States

The United States continues to lack a comprehensive federal privacy law, leaving the regulatory landscape defined by a growing patchwork of state statutes and increased enforcement activity. While hundreds of consumer privacy bills were introduced, 2025 marked the first year since 2020 with no new comprehensive state privacy laws enacted, though nine states passed amendments to existing frameworks. At the same time, multiple laws took effect, including Maryland's Online Data Privacy Act and laws in Delaware, New Jersey, Minnesota and others. Regulators also expanded coordination through the Consortium of Privacy Regulators, signalling a more unified enforcement approach.

State enforcement accelerates

California and Texas led enforcement activity in 2025. California authorities secured settlements with Healthline for alleged CCPA violations tied to online tracking and with Tractor Supply Company for failing to provide privacy rights to job applicants. Texas reached a US$1.4 billion settlement related to biometric data and brought actions against electronics manufacturers over data collection through automated content recognition in smart TVs.

Privacy litigation continues to surge

Privacy litigation, particularly involving website tracking technologies, remained active, with thousands of cases filed across dozens of jurisdictions. Courts remain divided on key issues under the Video Privacy Protection Act, including the definition of "consumer" and what constitutes personally identifiable information, with the Supreme Court set to address the former. Claims under the California Invasion of Privacy Act continue to drive significant exposure.

AI in the US – innovation-first meets state regulation

AI governance remains fragmented. In the absence of federal legislation, several states enacted laws effective in 2026, including measures in Texas, California and Colorado, the latter representing the first comprehensive statute addressing high-risk AI systems. Federally, the administration has taken an "innovation-first" approach, issuing an AI Action Plan and Executive Order 14365, which seeks to challenge state-level regulation. However, because federal pre-emption typically requires congressional action, companies must continue to navigate and comply with evolving state requirements.

India

The Apex Court of India and various High Courts have addressed several significant cases on data privacy and AI in recent months.

WhatsApp's privacy journey in India

In WhatsApp LLC v Competition Commission of India & Ors (I.A. No. 6817 of 2025 in Competition Appeal (AT) No. 1 of 2025), the National Company Law Appellate Tribunal New Delhi (NCLAT) clarified that the directions requiring user choice, transparency, opt-out and revocable consent apply to WhatsApp user data collection and sharing activities for all non-WhatsApp purposes, including both advertising and non-advertising purposes.

In 2021, WhatsApp updated its privacy policy, which allegedly imposed "take-it-or-leave-it" consent to data-sharing without any effective opt-out, thus enabling cross-platform data-sharing. Acting on its own motion, the Competition Commission of India (CCI), by its order dated 18 November 2024, found that WhatsApp and Meta abused their dominant position and levied a penalty of INR 2,131.4 million (US$23 million) and a five-year ban on advertising-related data-sharing.

On an appeal to the NCLAT, in its judgment dated 4 November 2025, the NCLAT upheld the findings of the CCI in relation to abuse and sustained remedial directions which emphasised user choice, effective opt-out, transparency and purpose limitation. However, the NCLAT set aside the five-year ban on the sharing of user data for non-WhatsApp purposes of advertising, holding that once users are given an opt-in/opt-out choice, a specific ban becomes redundant. Subsequently, when the CCI approached the NCLAT for clarification, the NCLAT reiterated the core principle that non-essential collection or cross-use of data should occur only with the user's express and revocable consent, and clarified that the remedial directions extend to all user data collection and sharing for all non-WhatsApp purposes, including both advertising and non-advertising uses. WhatsApp was granted three months to implement the compliance measures.

While Meta has agreed to implement and comply with the remedial directions issued by the NCLAT, an appeal has been filed under Meta Platforms, Inc. v Competition Commission of India & Ors Civil Appeal Nos. 301-302 of 2026 before the Apex Court of India, where the matter is presently pending with respect to the quantum of penalty imposed by the CCI, i.e. INR 2,131.4 million (US$23 million).

Balancing press freedom and right to be forgotten

In IE Online Media Services Pvt. Ltd v Nitin Bhatnagar & Ors FAO 346/2025, CM APPLs. 78829/2025 & 78831/2025, the Delhi High Court held that the "right to be forgotten" and the "right to be left alone" are inherent facets of the right to privacy under the Indian Constitution. The Delhi High Court further held that the freedom of speech and expression guaranteed to the press is not absolute and must yield to an individual's right to dignity, privacy and the right to be forgotten, where continued dissemination of content causes disproportionate harm to an individual.

The respondent had been arrested in connection with alleged financial irregularities, following which several media houses and digital platforms, including the appellants, published reports associating his name with the alleged offence. The respondent was subsequently discharged by the competent court on the grounds that no legally admissible evidence existed against him. Notwithstanding such discharge, the impugned articles and reports remained hosted, indexed and in active circulation, thereby continuing to inflict harm upon his reputation, dignity and professional standing. The trial court had, accordingly, restrained further circulation of the said content and directed its de-indexing, holding that perpetual digital availability of such reports would cause irreparable reputational harm.

On appeal, the Delhi High Court upheld this order, observing that while the media enjoys the freedom of speech and expression under the Indian Constitution, such right is not absolute and can be limited by the right of an individual to dignity and reputation under Article 21 of the Indian Constitution. The Delhi High Court held that the continued online accessibility of such reports after the factual foundation underlying them had ceased to exist raises compelling concerns of enduring stigma and reputational prejudice.

Use of phantom precedents in judicial decision-making

In Gummadi Usha Rani and Another v Sure Mallikarjuna Rao & Anr (SLP (C) No. 7575/2026), the Apex Court of India held that Indian courts' reliance on non-existent, fake or synthetic judgments generated by AI in judicial decision-making is not merely an error but may amount to misconduct entailing legal consequences.

The matter originated from a property injunction suit in which the trial court dismissed objections to an Advocate Commissioner's report by relying on several Apex Court judgments which the petitioners later contended were non-existent and AI-generated. In appeal, although the Andhra Pradesh High Court noted that the cited judgments appeared to be AI-generated fake precedents and cautioned against such reliance, it nevertheless affirmed the trial court's order on merits.

The Apex Court of India noted that the deployment of AI-generated, non-existent judgments is not a mere adjudicatory error but may amount to misconduct, as it strikes at the integrity of the judicial process. Recognising the broader systemic implications, the Apex Court issued notices to the Attorney General for India, the Solicitor General of India and the Bar Council of India. It also directed that the trial court should not proceed on the basis of the Advocate Commissioner's report.

Canada

Recent developments assert Canadian jurisdiction over foreign organisations, scrutinise data governance across the full data lifecycle and refine the boundaries of privacy class actions.

Extra jurisdictional power and cross-border data reach

Canadian courts have consistently confirmed the application of Canadian privacy law to foreign organisations based on the existence of a "real and substantive link" with Canada. Foreign and particularly European organisations were surprised by an Ontario Court decision in September 2025 upholding a lawful-access request to data held outside Canada based on the meaningful connection to Canada.

In King v OVH, OSCJ, 19 September 2025, Court File No: 24-000659, the Ontario Court of Justice upheld a production order compelling OVH Canada, an affiliate of the OVH group, a France-based cloud services provider, to disclose subscriber information and related metadata to Canadian law enforcement, notwithstanding that the data was stored on servers located outside Canada. The court found that OVH's commercial presence and operations in Canada created a real and substantial link to Canada, and that OVH Canada's technological access to the data stored in France constituted "lawful and effective control" over the data, rendering physical server location and corporate separateness insufficient to defeat jurisdiction. The decision reinforces that data localisation alone does not insulate foreign service providers or their customers from compelled disclosure under Canadian law.

Similarly, in Clearview AI Inc. v British Columbia (Information and Privacy Commissioner), 2026 BCCA 67, the British Columbia Court of Appeal upheld an order issued against a US-based facial recognition company requiring it to cease collecting and to delete images of British Columbians obtained through mass web-scraping. The court confirmed that provincial privacy legislation can apply extraterritorially where a foreign organisation's activities have a real and substantial connection to the province. The court found that foreign-based companies cannot escape Canadian privacy laws when they collect, use and disclose Canadians' personal information.

Class action update

Privacy-related class actions continue to be filed across Canada, particularly in relation to alleged misuse of personal information and cybersecurity incidents. Recent decisions demonstrate that courts are applying a more disciplined and fact-specific approach at the certification stage.

In Trueman v Rogers Communications Canada Inc. 2025 ONSC 5972, the Ontario Court certified a proposed class action arising from alleged repeated "soft" credit checks conducted on customers' credit files without meaningful consent. The court found that allegations of intentional and repeated access to personal information by the defendants themselves were sufficient to support claims for breach of contract, breach of confidence, intrusion upon seclusion in Ontario, and Quebec statutory privacy violations. Importantly, the court also held that regulatory complaint mechanisms were not a preferable alternative to a class proceeding given their limited remedial scope.

In Litvin et al. v Mackenzie Financial Corporation et al. 2025 ONSC 6138, the court certified a national, multi-jurisdictional class action arising from a cybersecurity incident involving the compromise of highly sensitive financial information, including social insurance numbers. While the court declined to certify stand-alone statutory privacy claims for wilful invasion of privacy due to jurisdictional and mens rea constraints, it certified claims in negligence, breach of contract and breach of fiduciary duty. The decision confirms that traditional common-law causes of action remain the primary vehicles for privacy and data breach class actions in Canada.

Office of the Privacy Commissioner of Canada update

In the absence of federal legislative reform, the Office of the Privacy Commissioner of Canada (OPC) continues to play a central role in shaping privacy compliance expectations through enforcement activity and guidance.

Social media platform (children's data investigation): Following a joint investigation with provincial regulators, the OPC concluded that a major social media platform's collection, use and disclosure of personal information for targeted advertising and personalised content did not constitute an appropriate purpose under PIPEDA, particularly in relation to children. The OPC further found that the organisation failed to obtain meaningful consent and did not meet applicable transparency and accessibility requirements. The findings reflect increasing regulatory focus on platform design, profiling practices and age-assurance mechanisms where minors are likely users.

Loblaw Companies Ltd (PC Optimum loyalty programme): The OPC found that Loblaw breached PIPEDA by retaining former loyalty programme members' transaction-level purchase histories following account deletion and by relying on insufficient anonymisation measures. The OPC emphasised that anonymisation requires eliminating any serious possibility of re-identification, whether alone or in combination with other reasonably available data. Importantly, the OPC characterised anonymisation as an ongoing governance obligation that must be reassessed over time, rather than a one-time technical exercise.

Italy

Italian Court of Cassation confirms the peremptory nature of the 120-day deadline in sanction proceedings conducted by the Italian Data Protection Authority

With judgment no. 759/2025, issued on 16 December 2025, the Italian Court of Cassation provided further clarification on the time limits applicable to sanction proceedings conducted by the Italian Data Protection Authority. Confirming its previous position expressed in judgment no. 18583/2025, the court held that the 120-day deadline provided under Regulation no. 2/2019 of the Italian Data Protection Authority must be considered peremptory and runs from the notification of the initiation of the sanction proceedings, following the completion of the investigative phase, until the adoption of the final decision. The court specified that the deadline begins once the Authority formally communicates to the controller (and, where applicable, the processor) the opening of the sanction procedure pursuant to Articles 58(2) and 83 GDPR, following the definitive ascertainment of the alleged infringement. According to the court, failure to adopt the sanction within the 120-day timeframe results in the exhaustion of the Authority's sanctioning powers, rendering any decision adopted thereafter invalid, in line with the principles of legal certainty and the right of defence.

Italian Court of Cassation clarifies the limits of de-indexing and the required balancing between the right to be forgotten and public interest

With its order of 19 November 2025 (no. 25066/2024), the Italian Court of Cassation provided clarification on the right to be forgotten and the de-indexing of online content, with reference to Article 64-ter of the implementing provisions of the Italian Code of Criminal Procedure and Article 17 GDPR. The court clarified that the annotation of a favourable criminal decision (such as an order of dismissal) does not automatically trigger an obligation to de-index, but constitutes a legal basis to request de-indexing, ensuring the updating of the information without implying automatic removal from search engines. The assessment must be carried out on a case-by-case basis, through a balancing exercise between the right to be forgotten and the right to freedom of information, allowing the content to remain indexed where the information is truthful and still of public interest, particularly where the criminal proceedings have concluded only recently.

Singapore

In recent months, the Personal Data Protection Commission (PDPC) and the Singapore courts have issued a series of decisions concerning data breaches involving personal data. These decisions provide useful guidance on the PDPC's expectations regarding reasonable security arrangements, particularly for organisations handling large volumes of personal data, sensitive personal data or data through SaaS, cloud or shared IT environments.

Re Marina Bay Sands Pte. Ltd [2025] SGPDPC 6

The PDPC considered a large-scale data breach arising from a middleware migration exercise undertaken by Marina Bay Sands Pte. Ltd. The incident resulted in unauthorised access to, and exfiltration of, the personal data of approximately 665,495 Sands Rewards Lifestyle members. The threat actor first used password spraying against member accounts with default four-digit PINs derived from birthdates, then exploited a migration-related misconfiguration to retrieve personal data in bulk. The PDPC found a breach of the Protection Obligation, emphasising that organisations handling large volumes of personal data cannot rely solely on individual employee competence where independent verification and secondary checks are required. It imposed a financial penalty of S$315,000 (US$247,000).

Re Singapore Data Hub Pte Ltd [2025] SGPDPC 2

Singapore Data Hub Pte Ltd, a POS and CRM software provider, suffered two incidents affecting approximately 698,112 individuals. The incidents involved SQL injection attacks against vulnerable web applications, including a dormant training application, and exposed databases, configuration files with hardcoded credentials and some health-related information. The PDPC identified systemic deficiencies, including inadequate access controls, lack of pre-launch and periodic security testing, outdated software, poor credential management, and inadequate logging and monitoring. It imposed a financial penalty of S$17,500 (US$13,700).

Re People Central Pte. Ltd [2025] SGPDPCS 4

People Central Pte. Ltd, a cloud-based HR SaaS provider, suffered unauthorised access to, and deletion of, client employee data in its AWS environment, with affected data later found for sale on the dark web. The incident placed the personal data of approximately 95,000 employees and 24,765 emergency contacts and children at risk, including NRIC numbers, salary data, bank account details and minors' personal particulars. The PDPC found that the absence of a web application firewall, weak access controls, remote desktop access without two-factor authentication, overbroad inbound traffic settings, and lack of periodic security reviews and vulnerability assessments breached the Protection Obligation. It imposed a financial penalty of S$17,500 (US$13,700).

Re SESAMi (Singapore) Pte Ltd and Abecha Pte Ltd [2025] SGPDPCS 1

The PDPC considered a ransomware incident in which a threat actor accessed SESAMi's servers and encrypted files on a shared drive used by SESAMi and its subsidiary, Abecha. Approximately 39,000 individuals' personal data, including bank and credit card details, was rendered inaccessible. The PDPC found that SESAMi had breached the Protection Obligation, including through insufficient password and access control management, failure to implement or keep important security software up to date and lack of file-level encryption. Directions were also issued to Abecha, and SESAMi was fined S$8,750 (US$6,900).

Conclusion

Taken together, these decisions reinforce that the PDPC expects organisations to adopt security arrangements that are proportionate to the volume, sensitivity and nature of the personal data they process. Key themes include the need for appropriate access controls, multi-factor authentication, secure credential management, regular vulnerability assessments and security testing, effective logging and monitoring, and proper oversight of system changes or migration exercises. The decisions also underline the importance of maintaining accurate application inventories, decommissioning dormant or unsupported systems, and ensuring that shared IT or group-level arrangements clearly allocate data protection responsibilities. They further demonstrate that negligent failings, even in the absence of intentional or reckless misconduct, can attract financial penalties where basic safeguards are not implemented.

About Dentons

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific questions relating to this article should be addressed directly to the author.
