GDPR damage claims – loss of control over personal data = damage?
Cyber, Digital & Data Protection: Key Updates from Scotland
Insight Article, 27 August 2025
UK & Europe | Cyber Risk
Following on from his article in The Scotsman newspaper earlier this year (linked below), on cyber, digital resilience, and data protection issues in the European, UK, and Scottish arenas, Angus Gilles explores these issues as they continue to develop, with a focus on Scotland.
A Digital Assets Bill for Scotland?
The First Minister’s Programme for Government, announced on 6 May 2025, included a commitment to introduce a Digital Assets Bill in the 2025/26 Scottish parliamentary legislative programme. It has been acknowledged for some time that the legal position on digital assets, such as cryptocurrency and digitally identified “non-fungible tokens” (NFTs), in Scotland has been unsatisfactory, so this development will be welcome news in many sectors.
The background here is that the Scottish Government launched a consultation in November 2024, following work from 2019 by an Expert Reference Group (EFG) chaired by Lord Hodge, the Scottish judge who is currently Deputy President of the UK Supreme Court.
Following the consultation, the EFG recommended a standalone Bill for Scotland with the aims of providing legal certainty to encourage investment and growth in the FinTech sector, helping to ensure regulatory consistency, creating more certainty around the use of digital assets in financing and lending, and strengthening the rights of owners in recovering assets in insolvency and theft cases.
Property law in Scotland is distinct from property law in England and Wales, with the former devolved to the legislative competence of the Scottish Parliament. A Property (Digital Assets etc) Bill is already going through its legislative process at the UK Parliament; that Bill will enable certain digital assets to be treated as personal property in England and Wales. So, Scotland is “playing catch-up” with England & Wales on this, yet the case for Scottish legislation in this area is arguably stronger. This is because, in the English case AA v Persons Unknown [2019] EWHC 3556 (Comm), crypto assets such as bitcoin and other cryptocurrencies were recognised as property at common law, with associated legal remedies, whereas this matter has not yet been tested in any reported Scottish case law.
Data Breaches and “Non-Material” Damages
In Scotland, there continues to be a steady stream of claims for non-material damages for alleged breaches of the UK GDPR. Article 82 of UK GDPR establishes the right of individuals to claim compensation for data breaches, with further detail on this given in section 168 of the Data Protection Act 2018 (“DPA”).
Claimants must establish that a breach has occurred, that damage has been sustained (usually in the form of anxiety or distress) and that there is a causal link between the two. These are not always easy hurdles for claimants to overcome.
Scots law has yet to fully grapple with all issues on what constitutes loss or damage in data breach claims and on valuation for qualifying loss or damage. Certain courts abroad have been active in this area. For example, earlier this year, a German court referred to the Court of Justice of the European Union the question “Does the mere and possibly short-term loss of control over one’s data constitute a non-material damage” for GDPR purposes? Further detail on this is provided in the Clyde & Co insight here.
Data Subject Access Requests in the Scottish Courts
In Kenneth Prentice v Chief Constable of Police Scotland, Sheriff McGlennan, Lanark Sheriff Court, 30 April 2025, the pursuer sought a court declaration (“declarator”) that the Chief Constable had failed to comply with section 45(1) and (2) of the DPA by failing to properly respond to a data subject access request (“DSAR”). The pursuer also sought £5,000 for damage and distress allegedly suffered because of the failure to respond.
After legal argument on the written pleadings alone, the sheriff in Prentice dismissed both the request for a declarator and the claim for damages. It was not, as the sheriff saw it, competent to seek a declarator of the type sought because it did not relate to establishing a right. On the damages claim, although distress, stress, anxiety and frustration were pled, no detail was provided on how or when such things may have manifested themselves. A claim for “financial loss” or “detriment” in the incurring of legal expenses was also dismissed because it lacked sufficient detail and, for the same reason, a purported “disadvantage” claim was dismissed too. The pursuer’s claim for an order directing the defender to comply with the DSAR was allowed to continue to “proof”, the Scots term for a civil evidential hearing before a sheriff or judge.
Marks and Spencer Cyber Attack
Thompsons, solicitors in Scotland, recently announced their intention to bring “group proceedings”, the Scottish name for a multi-claimant or “class action” lawsuit, against Marks & Spencer, following a recent high-profile data breach.
Currently, Scottish “group proceedings” operate on an “opt-in” basis, meaning that claimants must actively join the group for their claim to be considered. Such proceedings may only, at present, be brought at the Scottish Court of Session and only with permission from a judge there.
UK GDPR and the DPA place various obligations on organisations to take steps to safeguard the integrity of personal data. The pursuers in the intended group proceedings will presumably try to establish that the data breach was caused by internal failures in breach of these obligations on the part of Marks & Spencer.
The ransomware attack on Marks & Spencer, estimated to have had a financial impact of up to £440 million, is believed by some well-informed observers to have been carried out by the decentralised cyber threat actor “Scattered Spider”. Scattered Spider are especially known for their expertise in social engineering and their persistence in gaining access to their targets. Despite recent arrests, the group remains an active threat.
Ban on Paying Ransom Demands
The UK Government has announced that it will introduce a ban on public sector bodies and operators of critical national infrastructure - including the NHS, local councils and schools - paying cyber criminals’ ransom demands.
Under the proposals, businesses not covered by the ban would need to notify the government of any intention to pay a ransom. The government would then provide those businesses with advice and support, including notifying them if any such payment would risk breaking the law on sending money to sanctioned cyber-criminal groups.
The proposals are aimed at striking at the business model fuelling cyber-attacks, especially in making public sector bodies a less attractive target.
A total ban on ransom payments, across all sectors, might seem like a good idea to some but this would deprive private businesses of operational flexibility and the ability to manage their own affairs in data retrieval and reputation management. A total ban might also risk pushing breaches of it “underground” rather than encouraging businesses to be open with government, with a view to developing a full understanding of the threats, learning lessons and minimising harm all round.
The targeted ban proposed probably strikes the right balance although there is more work to be done, for example around penalties for non-compliance and jurisdictional scope.
Now is certainly the time for ever-increasing vigilance in this area, and effective investment in cyber resilience across all sectors. The law reform agenda in this area is also worth keeping a close and continuing eye on.