Coming Soon: Coordinated Pan-European Enforcement of the ‘Right to Erasure’

The European Data Protection Board (EDPB) recently announced the launch of its 2025 Coordinated Enforcement Framework (CEF) action, which will focus on the right to erasure, also known as the “right to be forgotten,” or, in the United States, the “right to delete.”
This initiative marks a significant shift in enforcement priorities for Europe’s Data Protection Authorities (DPAs) and reflects an increased focus on ensuring compliance with Article 17 of the General Data Protection Regulation (GDPR), which grants individuals the right to have their personal data deleted in certain situations.

Quick Hits

EDPB’s 2025 Enforcement Focus: The CEF will prioritize enforcement of the right to erasure under Article 17 of the GDPR and involve coordination among thirty-two DPAs across Europe.
Increased Scrutiny of Compliance: Organizations may face increased information requests, investigations, and follow-up actions to evaluate their erasure practices and identify compliance gaps.
Preparing for Enforcement: Organizations will likely want to review and refine their erasure request processes to ensure timely responses, proper application of exceptions, and effective data deletion across all systems, including backup systems, and also review their broader GDPR compliance framework to mitigate possible risk in the event of a broader request for information.

The right to erasure is one of the most frequently exercised rights under the GDPR. However, it is also a common source of complaints to DPAs and, when exercised in conjunction with other rights, such as the right to portability, is one of the more visible areas of GDPR noncompliance. The 2025 CEF action involves thirty-two DPAs across the European Economic Area that will begin contacting organizations directly to engage in formal and informal activities aimed at evaluating how the organizations handle and respond to erasure requests. A particular focus of the CEF action will be:

assessing organizational compliance with the conditions and exceptions outlined in Article 17 of the GDPR;
identifying gaps in the processes used by data controllers to manage data subject requests to erase; and
promoting best practices for organizations’ handling of such requests.

Organizations across various sectors can expect increased scrutiny from DPAs. This may include simple information requests from DPAs to evaluate their current erasure practices and procedures, but will also, in some circumstances, result in formal investigations and regulatory follow-up actions. Because this is a coordinated, pan-European enforcement focus, organizations can expect more targeted follow-ups both nationally and internationally as the year progresses.
Organizations can prepare for the heightened attention due to be paid to their erasure request handling processes by taking proactive steps to ensure that their data management practices align with GDPR requirements, particularly regarding:

timely and accurate responses to erasure requests (i.e., within one month of the request);
accurate application of exceptions, such as when data retention is necessary for legal compliance, or tasks carried out in the public interest or in the exercise of official authority;
appropriate notification of erasure requests to other organizations where relevant personal data has been disclosed or made public;
comprehensive processes to effectively erase data, such as erasure of personal data on backup systems in addition to live systems; and
transparent communication with individuals who submit requests for erasure about their rights and the outcomes of their requests.

Organizations may also want to review their broader GDPR compliance frameworks, as a pulled thread on a single identified non-compliance issue could unravel further areas of scrutiny and potentially trigger a larger and broader investigation into the business’s compliance posture on the whole.

Kryptofonds in Deutschland – Was Verwahrstellen und Kapitalverwaltungsgesellschaften (voraussichtlich) beachten müssen

Das Inkrafttreten des Zukunftsfinanzierungsgesetzes markierte bereits 2023 die Geburtsstunde der „Kryptofonds“ in Deutschland, indem die unmittelbare Anlage in Kryptowerte auch für Publikumsfonds (i.S.d. §§ 221 bzw. 261 KAGB) ermöglicht wurde. Mit dem Ende 2024 in Kraft getretenen Finanzmarktdigitalisierungsgesetz hat man diese Idee vor dem Hintergrund der MiCAR mit einem Verweis auf dessen Kryptowerte-Begriff nun vollendet.
Da ein Investment in Kryptowerte mit neuen, spezifischen Risiken einhergeht, hat die BaFin den ersten Entwurf eines Rundschreibens zu den Pflichten von Verwahrstelle und Kapitalverwaltungsgesellschaft bei in Kryptowerte investierenden Investmentvermögen zur Konsultation (06/25) gestellt. Es soll einen grundlegenden Rahmen an regulatorischen Mindestanforderungen für Direktinvestitionen in Kryptowerte durch Fonds setzen und ist damit höchst praxisrelevant. Als Rundschreiben hat es nicht die Qualität einer echten Rechtsnorm bildet aber die von der BaFin angewandte Verwaltungspraxis ab.
Pflichten der Verwahrstelle
Grundsätzlich gelten die Pflichten der Verwahrstelle, die sich bereits aus dem Gesetz und dem Verwahrstellenrundschreiben ergeben, weiterhin und sollen durch das Rundschreiben ggf. vorrangig ergänzt werden.
Zusätzlich verlangt die BaFin laut dem Rundschreiben außerdem:
• Pflichten bereits vor der Übernahme eines Mandats. Insofern seien – angesichts der hohen Volatilität von Kryptowerten – bereits im Vorfeld Prozesse zu schaffen, die der Verwahrstelle ermöglichen, informiert das Marktrisiko zu erfassen und kontinuierlich zu bewerten.• Ausreichende sachliche und personelle Ressourcen. Dies betreffe grundsätzlich alle Ebenen und in besonderem Maße die fachliche Eignung der Geschäftsleiter. Hier erkennt die BaFin an, dass insbesondere praktische Vorerfahrungen in Bezug auf eine solch junge Asset-Klasse regelmäßig nur eingeschränkt vorhanden seien. Sie ermöglicht daher einen auf theoretischem Wissen fundierten Aufbau über einen Zeitraum von 6 Monaten.• Geeignete organisatorische Vorkehrungen und zwingend technische Vorkehrungen. Dies schließe IT-Systeme und -Prozesse ein und gelte in besonderem Maße, wenn die Verwahrstelle private Schlüssel zu den Kryptowerten verwahrt. Dann bedürfe es eines darauf ausgerichteten speziellen „Kryptokonzepts“.
Außerdem sei, wie auch bei anderen Assets, zu unterscheiden, je nachdem ob die Kryptowerte verwahrfähig i.S.d. §§ 72 bzw. 81 KAGB sind. Maßgeblich wird es hier auf die Einzelfallprüfung ankommen. Insofern fällt auf, dass die BaFin in ihrem Rundschreiben einen weiten „Kryptowert“-Begriff anwendet und etwa MiFID-Finanzinstrumente i.S.d. Artikel 2 Abs. 4 MiCAR nicht bereits von vornherein aussteuert. Die MiCAR unterscheidet hier konsequent zwischen „Kryptowerten“ und (ggf. auch auf DLT-Basis emittierten MiFID-)„Finanzinstrumenten“, für die die MiCAR entsprechend nicht gilt. Die überwiegend aus 2022 stammenden und inzwischen längst überholten Ausführungen der BaFin zu ihrem Verständnis von „Kryptotoken“, auf die die BaFin im Rundschreiben verweist, sind entsprechend wenig hilfreich.
Gleiches gilt mit Blick auf die Ausführungen zur Verwahrung von (BaFin-)Kryptowerten, weil eine begrifflich klare Unterscheidung verdeutlichen würde, dass DLT-basierte MiFID-Finanzinstrumente gleichsam MiFID-Finanzinstrumente und eben keine MiCAR-Kryptowerte sind. Wo das KAGB und die AIFMD auf den Begriff der MiFID-Finanzinstrumente zur Annahme der Verwahrfähigkeit abstellen, hätte es hier keiner Erörterungen bedurft.
Schließlich weist die BaFin darauf hin, dass ggf. zusätzliche Erlaubnisse erforderlich sein können, insbesondere für eine etwaige Erbringung des Kryptoverwahrgeschäfts in Bezug auf MiCAR-Kryptowerte.
Lautet das Ergebnis der Einzelfallprüfung, dass es sich um nicht verwahrfähige (MiCAR-)Kryptowerte handele, träfen die Verwahrstelle entsprechend die Pflichten für nicht-verwahrfähige Assets aus § 81 Abs. 1 Nr. 2 KAGB (bzw. § 72 Abs. 1 Nr. 2 KAGB). Diese umfassen eine Feststellungspflicht bzgl. des Eigentums bzw. einer entsprechenden Rechtsposition, die Prüfung und Sicherstellung der Zuordnung und Zugriffsmöglichkeiten des Kryptowerts (einschließlich etwaiger Rechte Dritter), die Erfassung in einem kontinuierlich gepflegten Bestandsverzeichnis. Zudem sei ggf. vertraglich sicherzustellen, dass die Verwahrstelle Zugang zu den Systemen des Kryptoverwahrers erhält.
Daneben würden die allgemeinen Kontrollpflichten der Verwahrstelle (vgl. §§ 76 und 83 KAGB) gelten. So müsse sie insbesondere prüfen, ob ein Erwerb von Kryptowerten mit den Anlagebedingungen vereinbar und ob die Erwerbsgeschäfte marktgerecht sind.
Pflichten der Kapitalverwaltungsgesellschaft
Die Kapitalverwaltungsgesellschaft („KVG“) muss den gleichen Risiken Rechnung tragen wie die Verwahrstelle, sodass in Bezug auf einen Direkterwerb von Kryptowerten auch ähnliche Konsequenzen folgen.
Zunächst sei ggf. eine Erweiterung der Erlaubnis zu beantragen, die den direkten Erwerb von Kryptowerten umfasst, weil bisherige Erlaubnisse auf andere Vermögensgegenstände lauten dürften. Insofern stellt die BaFin hier klar, dass der Katalog nach ihrem Verständnis statisch sei und Änderungen nicht von einer bisherigen Erlaubnis gedeckt seien. Insofern sei auch zu beachten, dass eine Verwahrung durch die KVG selbst nicht möglich wäre.
Auch in der KVG seien entsprechend hinreichende Ressourcen und Kenntnisse und Erfahrungen des Personals, ggf. unter Einstellung fachkundiger, externer Experten, sicherzustellen. Auch müssten die Geschäftsleiter ausreichende fachliche Eignung haben, wobei die gleiche Frist von sechs Monaten gelte wie für Geschäftsleiter der Verwahrstelle.
Zudem seien die Prozesse der KVG entsprechend anzupassen und zwingend vor der erstmaligen Investition in Kryptowerte ein Neue-Produkte-Prozess durchzuführen. Dieser müsste vor allem die einhergehenden ggf. erhöhten Risiken und deren Management abbilden sowie Vorgaben zur Best Execution und der Marktgerechtigkeitskontrolle und Wertermittlung machen.
Rundschreiben als Leitplanke
Sowohl Verwahrstellen als auch Kapitalverwaltungsgesellschaften, vor allem wenn sie bereits etablierte Prozesse für andere Finanzinstrumente haben, sollten anhand der Vorgaben des Rundschreibens als Leitplanke und unter Berücksichtigung der spezifischen Risiken von Kryptowerten funktionierende und aufsichtsfeste Strukturen für Direktinvestments schaffen können.
Wer Kryptofonds in Deutschland anbieten will, sollte zunächst prüfen, ob die dahingehende Erlaubnis ausreicht. Besonderes Augenmerk ist dann auf die (technischen) Ressourcen und das Know-How der Mitarbeiter zu legen – und darauf, in welcher Form der Entwurf nach Abschluss der Konsultation veröffentlicht wird.

“Glass Ceilings Have Been Shattered”: Analysing the Impact of Kirsty Coventry’s Election as the Next IOC President

“Seismic”, “groundbreaking”, “landmark”. These are all words that have been used to describe Kirsty Coventry’s appointment as the next IOC President, after she swept to victory in the leadership election on 20 March 2025, winning more votes than the other six male candidates combined. The 41-year-old Zimbabwean will become the second youngest[1], first female and first African to hold the role in the IOC’s 130-year history.
“I hope that this vote will be an inspiration to many people… Glass ceilings have been shattered today, and I am fully aware of my responsibilities as a role model.”
(Kirsty Coventry, 20 March 2025)

The reaction of the global sports community to Ms Coventry’s election has largely been positive, with her rivals magnanimous in defeat. However, as outlined below, there are some commentators who point to the alleged airbrushing of political controversies, and others who say that her appointment will ensure a “continuation of the same” given that Ms Coventry is already on the IOC Executive Board[2] and was acknowledged as the favoured candidate of outgoing President Thomas Bach.
In this article I will examine:

Why Ms Coventry’s electoral success has divided opinion in some quarters;
The bases on which she campaigned, and how her manifesto differed to those of her rivals;
The potential impact of her appointment on a practical level; and
What Ms Coventry’s immediate challenges may be when she formally takes up the IOC Presidency in June.

Immediate reaction to Ms Coventry’s “landslide” victory
Only one round of voting was required for Ms Coventry, a five-time Olympic swimmer herself, to win the election outright. She secured more than 50% (49 votes of the total 97 votes), with Juan Antonio Samaranch Jr (28 votes) and Lord Sebastian Coe (8 votes) second and third respectively. Whilst Ms Coventry was one of the favourites, the emphatic nature of the result did come as a surprise to many.
Few, if anyone, can deny that the appointment of a woman from Africa to the most senior executive position in international sport sends a positive message.  In the immediate aftermath of the election, Ms Coventry herself remarked that “it’s a really powerful signal; a signal that we’re truly global, and that we have evolved into an organisation that is truly open to diversity.”
Amongst those who have publicly praised Ms Coventry’s appointment have been:

President of the New Zealand Olympic Committee, Liz Dawson, who commented that “her fresh perspective and innovative approach will enhance the Olympic Movement and strengthen its global influence“.
President of the Brisbane 2032 Organising Committee, Andrew Liveris, who said that the vote was a “resounding proclamation of [Ms Coventry’s] leadership” and that she had “been incredibly positive, supportive and instrumental in promoting Brisbane 2032’s progress across the IOC movement and beyond”.
The African Paralympic Committee, who stated: “her election to the highest office in the global sports community is a source of pride for Africa. As the continent’s first daughter and a former athlete, [she] symbolise[s] the resilience of African women, breaking barriers and inspiring generations across the continent and beyond”.

However, not everyone has been so effusive. Questions have been raised about to her connections to the Zimbabwean Government, a regime that remains under both UK and US sanctions. First, she reportedly accepted a $100,000 cash reward from former President Robert Mugabe for winning four medals (including Gold in the 200m backstroke) at the 2008 Beijing Olympics. And then, in September 2018, she accepted a governmental position as Zimbabwe’s Minister of Youth, Sport, Arts and Recreation under current President Emmerson Mnangagwa[3].  The risk of being tarnished by association is a real one, but Ms Coventry has defended her connection with President Mnangagwa’s government, publicly stating:
“I don’t believe you can really create change if you don’t have a seat at the table… Having to navigate very sensitive issues has definitely given me extra ‘armour’ if I can put it that way for what [the IOC] will face in in the future, and we’re going to have to navigate difficult leaders that have different opinions on things.” 

Away from Zimbabwean politics, some have questioned Ms Coventry’s impact within IOC circles to date, particularly as a member of the IOC’s Athletes’ Commission (which she chaired from 2018-2021). Indeed, notwithstanding that Ms Coventry has pledged to protect the female category (see below), former British swimmer Sharron Davies MBE took aim at her apparent passivity on this issue, stating “sadly for me Kirsty Coventry has… not spoken up before to protect female athletes coming behind her”.
Ms Coventry’s manifesto vs her rivals
Ms Coventry’s election manifesto, titled “Unleashing the Transformative Power of Sport” (with an accompanying strapline, “A Stronger, Sustainable, Relevant Olympic Movement”) emphasised challenging the status quo, embracing modernity, promoting sustainability and, in particular, protecting female sport.  Below are key elements she campaigned on:

Empowering and protecting female athletes: Implementing stronger safeguards against gender-based violence and increased support for athlete mothers, including facilities like dedicated nursing rooms during the Games. On the complex issue of transgender participation, she advocated for policies that ensure fairness in women’s competitions based on current scientific research.
Technological integration: Emphasis on the integration of new technologies, such as online streaming and artificial intelligence, to keep the Olympics relevant and accessible to a broader audience.
Financial prioritisation: Reallocation of prize money to programmes that benefit a larger segment of the athlete community, focusing on access to training, health, and mental health support.
Inclusive participation: Highlighting the importance of IOC neutrality, she opposes the exclusion of athletes from the Olympics due to their nationality.
Embracing new regions: Expanding Olympic hosting regions, particularly in Africa and the Middle East. This would increase global engagement, create new revenue opportunities and make the Olympics more inclusive.

Unsurprisingly, there was a degree of overlap between most of the candidates’ campaigns on certain issues, with almost all highlighting environmental sustainability and recognising the challenges to hosting the Games in a changing climate. Nevertheless, each manifesto had its own particular focus or USP, as summarised below:

Juan Antonio Samaranch Jr (IOC Member and son of a former IOC President, 28 votes): Focused on strengthening the role of IOC members, ensuring sustainability, and maintaining political neutrality. He proposed extending the retirement age of IOC members, conducting operational reviews to optimise resources, and creating a $1 billion investment fund for the IOC’s sustainability.
Lord Sebastian Coe (President of World Athletics, 8 votes): Proposed decentralising power within the IOC, leveraging the talents of its members, and enhancing the organisation’s efficiency. He also focused on sport as a powerful social tool and highlighted his extensive experience in athletics and sports administration.
David Lappartient (Head of International Cycling Union and French NOC, 4 votes): Advocated for greater involvement of IOC members in decision-making processes and proposed achieving gender parity among the IOC membership by 2036. He also emphasised the need for the IOC to lead on sustainability and climate initiatives, arguing that it should tie financial support to international federations, at least in part, to their commitment to climate issues.
Morinari Watanabe (President of International Gymnastic Federation, 4 votes): Offered unique ideas, such as hosting the Summer Games across five cities on five continents simultaneously to reduce the burden on host cities and provide continuous global coverage. He also proposed a bicameral governance system within the IOC to enhance decision-making processes.
Prince Feisal al Hussein (President of Jordan Olympic Committee, 2 votes): His manifesto centred on modernising the Olympic movement through technology and innovation. He proposed integrating esports into the Olympic framework, utilising artificial intelligence to improve sports experiences, and engaging youth throughout the Olympic cycle.
Johan Eliasch (President of International Ski Federation, 2 votes): The only candidate to broach the idea of a rotational Winter Games to address environmental concerns and ensure the event’s future viability. He offered the most “restrictive” proposal regarding the ring-fencing of women’s sport, proposing that only athletes born female should be permitted to compete in that category.

The likely impact of Ms Coventry’s election on a practical level
For all the talk of, to use Ms Coventry’s own phrase, “challenging the status quo”, a common thread in the media is that her success was built on positioning herself as a “continuity candidate”, rather than a “reformer”. She has fulfilled a number of IOC roles[4] (including being on the IOC Executive Board) since first becoming a member in 2013, and is therefore regarded as an “IOC insider”. Reuters journalist Karolos Grohmann suggested that Ms Coventry’s election ensures “smooth continuity for the IOC after Bach” as she has “towed the company line and is not expected to rock the IOC boat”.
That said, Ms Coventry should certainly enable the IOC to present itself as a progressive, diverse and “relevant” organisation. We know sport can have a unifying power, some of which can be intangible and difficult to measure, at least in the short term.
It obviously remains to be seen which elements of her manifesto she will prioritise (curating proposals can be much easier than implementation), but one area we might expect to see robust action concerns the protection of women’s sport.  As it stands, the IOC permits each international federation to set its own gender eligibility rules, which has led to a range of approaches as they try to navigate inclusion on one hand, and concerns regarding fairness and safety on the other. 
Ms Coventry has pledged to implement a ban on transgender athletes competing in the women’s category at the Olympics, stating in February 2025:
“I want to ensure that front and foremost, we protect (the) female category. I don’t believe that transgender female athletes should be competing at the Olympic Games [in female categories]”… I do believe everyone has the right to play sport, 100%, but when it comes to the Olympic Games … being a former female athlete and having two young girls, I want to ensure that category is protected.”

Although Ms Coventry has previously not been as outspoken on gender issues as the likes of Lord Coe[5], her position on transgender Olympic participation is an emphatic one, drawing on her own experiences as a former female athlete.  In the short-term, we know that she intends to set up a taskforce to address how best to protect women’s sport. Looking further ahead, it would not be surprising if the IOC decided to take some of the decision-making authority away from the international federations and implement tighter, more uniform, rules.
In terms of the impact on the continent of Africa, Michael Payne, the former IOC Director of Marketing, commented: “there is no doubt that the influence of Africa in world sport will grow because of [Ms Coventry’s] appointment.”  Historically, African nations have faced challenges in influencing Olympic policies, but Ms Coventry’s leadership could bring more attention to the continent’s needs and priorities, including the development of grassroots and youth programmes. One of her key manifesto points was expanding the Olympic hosting regions and her leadership could accelerate efforts to bring major sporting events (and ultimately, maybe even an Olympic Games) to her home continent, improving infrastructure and investment in African sports.
The immediate challenges
When Ms Coventry takes up her new role in June, the 2026 Milan-Cortina Winter Olympics will be just eight months away. The climate crisis has raised a number of existential questions for winter sports, as well as the need for greater flexibility around scheduling major events within the existing sporting calendar. Amongst other pressing items in her in-tray will be the selection of the host nation for the 2036 Summer Olympics (India, Qatar, Turkey, South Africa and others have all expressed interest) – specifically, how that process will work.
Perhaps her biggest immediate challenge of all will be one of diplomacy, given the complex and unpredictable geopolitical landscape she will be inheriting. It is virtually impossible to divorce sport and politics, regardless of Olympic ideals around neutrality, and the status of Russia and Belarus continues to loom large. Ms Coventry’s manifesto expressly referenced her opposition to banning any countries from the Games but, as it stands, only a handful of Russians will be competing as neutral athletes in the 2026 Winter Olympics. Sean Ingle, writing in The Guardian, contemplated whether Russia’s reintegration into Olympic sport could be part of a potential peace deal with Ukraine.
And finally, of course, Ms Coventry will need to engage, and build a relationship with, President Donald Trump ahead of the 2028 Los Angeles Games. The US President has reportedly threatened permanent visa bans on trans athletes based on sex markers. When asked about the prospect of engaging with Trump, Ms Coventry said “I have been dealing with, let’s say, difficult men in high positions since I was 20 years old… we will not waiver from our values”. 
Ms Coventry’s meteoric rise from swimmer to IOC President has been remarkable and is widely welcomed, but even bigger challenges lie ahead. 

[1] Pierre de Coubertin was 33 years old when he was appointed the second President of the IOC in 1896.
[2] Ms Coventry has been on the IOC Executive Board from 2018-2021 and 2023-present.
[3] Ms Coventry was re-appointed to the role in September 2023, following President Mnangagwa’s re-election.  Ahead of the 2023 election, Human Rights Watch found that “rights critical for Zimbabwe’s election, such as to freedom of expression, association, and assembly, [were] imperilled… the environment for a credible, free, and fair election has been grossly diminished.”
[4] The full roster of Ms Coventry’s IOC roles since 2013 are set out on page 2 of her manifesto, which include: IOC Executive Board Member (2018-2021, 2023-present), Chair of the Coordination Commission for the 2032 Brisbane Olympic Games (2021-present), Chair of the Games Optimisation Working Gorup (2022-present), and Chair of the Athlete Commission (2018-2021).
[5] Oliver Brown, ‘Lord Coe’s defeat by “Mugabe’s golden girl” proves IOC has no desire to change’ (The Telegraph, 21 March 2025): “[Lord Coe] has consistently argued that biology trumps gender, while accusing the IOC of caving in to “second-rate sociologists” in its pursuit of inclusion of all costs.”

High Court Upholds Use of Omnibus Claims in Mass Motor Finance Litigation

A recent High Court decision in claims brought by thousands of claimants against motor finance providers has reaffirmed the validity of using omnibus claim forms in large-scale consumer litigation. The ruling has implications both for the many motor-finance mis-selling claims pending before the courts and also for mass claims in a variety of other contexts.
Background
The case involved eight omnibus claim forms issued on behalf of over 5,800 claimants against eight defendants. While the claims were at an early stage procedurally, the core allegations were that the defendants had paid undisclosed, variable commissions to motor finance brokers (car dealers), creating conflicts of interest which the claimants argued rendered the ensuing credit agreements unfair under Section 140A of the Consumer Credit Act 1974 (CCA).
Shortly after the claims were issued, and before filing any defence, the defendants objected to the use of omnibus claim forms and invited the court to sever the claims, such that the claimants’ solicitors would need to issue a separate claim form (and pay a court fee) for each claim.
Initially, a County Court judge ruled that the claims should be severed into individual cases, following Abbott v Ministry of Defence [2023] 1 WLR 4002. This would have required a separate claim form to be issued (and court fee paid) for each case. The claimants appealed, arguing that the claims could and should more appropriately be commenced under omnibus claim forms, as contemplated by CPR 7.3 and CPR 19.1.
Key Legal Considerations
CPR 7.3 allows a single claim form to be used for multiple claims if they can be “conveniently disposed of” in the same proceedings. CPR 19.1 provides that any number of claimants may be joined as parties to a claim.
In Morris v Williams & Co Solicitors [2024] EWCA Civ 376 the Court of Appeal clarified that no gloss should be put on the words of CPR 7.3 and 19.1, which should be given their ordinary meaning. The exclusionary “real progress,” “real significance,” and “must bind” tests proposed in Abbott were factors to consider but should not be viewed as exclusionary tests – the omnibus claim form jurisdiction was not as restrictive as the Group Litigation Order regime in CPR 19.21-28, and should not be treated as “GLO-light”. Abbott was overruled.
Factors Supporting Omnibus Claims
The High Court carried out a detailed analysis of the factors to be taken into account in deciding whether the claims could conveniently be disposed of together per CPR 7.3. Key points cited in favour of allowing omnibus claims to proceed included:

The large number of claimants and small number of defendants.
The claims arose from the same or similar transactions, with broadly common allegations and the same legal causes of action, raising a number of common legal and factual issues.
The likelihood that case managing the cases together by way of lead or test cases would likely facilitate the disposal of many or all of the following cases. Whereas if separate claims were issued it would be random chance which claims were heard first and whether they were appropriate test cases.
Managing the claims together would be more efficient and just, in line with the CPR 1.1 overriding objective. Costs would likely be saved overall, and court time would likely be reduced. The imbalance of financial power between individual claimants and defendants would be mitigated. There were advantages to omnibus claims management in terms of the timing and usefulness of disclosure, and the availability of expert evidence.  

Practical Implications
For Defendants facing mass claims this ruling will be a concerning precedent for the use of omnibus claim forms by claimants as a strategy, with obvious advantages for claimant law firms in terms of cost, use of case management applications to gain early disclosure, and selection of common issues and test cases.
For Claimants and their advisers the decision will encourage the use of omnibus claims over the impracticality of litigating individual cases, and the relative restrictiveness of the GLO regime.
For the Courts omnibus claim forms could see large volumes of individual claims taken out of the County Courts and case managed collectively and in a less haphazard fashion than has so far been the case, with potential for many following cases to be settled out of court once lead claims have been determined. This may help with significant delays and backlogs often experienced in the County Courts.
Wider Significance
The significance of this decision in the context of motor finance claims may to some extent be rendered moot by the outcome of the Supreme Court appeal in Johnson v FirstRand and the FCA’s decision on a whether and to what extent to impose a consumer redress scheme. But in reaffirming the broad scope and flexibility of CPR 7.3 and 19.1, the ruling may pave the way for more mass claims in financial services and other contexts.

OFAC Final Rule Extends Recordkeeping Requirements to 10 Years

Highlights

U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) published a new final rule to extend recordkeeping requirements to 10 years, effective March 21, 2025
The new recordkeeping requirement is consistent with last year’s statute of limitations extension for most OFAC violations from five years to 10 years
OFAC affirmed that a conflict such as EU regulations mandating a shorter recordkeeping period would not excuse compliance

On April 24, 2024, former President Joe Biden signed into law the 21st Century Peace through Strength Act. Section 3111 of the Act extends the statute of limitations for civil and criminal violations of the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) from five years to 10 years. These two statutes govern most sanctions programs enforced by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC).
Pursuant to this executive order, OFAC issued a final rule on March 21, 2025, extending recordkeeping requirements for covered parties from five to 10 years. This final rule, which was effectively immediately, followed an interim final rule published by OFAC in September 2024 soliciting public comment.
The newly extended recordkeeping requirements apply to all companies and persons engaging in transactions and holding blocked property subject to OFAC oversight. Such persons are required to keep a full and accurate record of transactions and blocked property and to ensure that these records are available for examination for at least 10 years.
OFAC also made clear that a conflict in law would not excuse compliance with these requirements. The final rule specifically addresses a scenario in which the 10-year recordkeeping period may conflict with the European Union’s regulations on anti-money laundering and counterterrorism financing that mandate deletion of records after five years. In such a scenario, OFAC points to its prior guidance that said although it would consider a conflict of law on a case-by-case basis when determining the appropriate administrative action or penalty, full compliance with OFAC requirements is still expected.
Takeaways
This rule is the most recent example of the U.S. government’s increasing use of sanctions in recent years in support of its foreign policy and national security objectives. Companies may experience higher costs related to compliance with this rule, especially as standard business record retention periods are usually shorter. Additionally, companies should consider updating training, compliance programs, and due diligence checklists to reflect the extended recordkeeping period.

Court of Appeal Reaffirms Stance on Fiduciary Duties in Half-Secret Commission Cases

Some years it seems like there are no cases of any real importance. 2025 is not one of those years.
Last week a strong Court of Appeal doubled down on a key element of the landmark Johnson v FirstRand decision on secret commissions in motor finance (about to be heard before the Supreme Court). In Expert Tooling and Automation Ltd v Engie Power Ltd [2025] EWCA Civ 292 the Court held that an energy broker owed fiduciary duties not to accept half-secret commissions for broking an energy supply agreement without getting fully informed consent from its client.
Although the client was aware that the broker would be paid a commission, it was not told the amount (which was substantial) or that the commission would be funded by increasing the energy unit rate paid by the client (an arrangement not dissimilar to the discretionary commission agreement in Johnson).
The key findings were:

Fiduciary duty: the broker, as the client’s agent, owed strict fiduciary duties including not profiting from the relationship without fully informed consent. The Court held that the broker breached this duty by failing to disclose material facts about the commission structure.
Informed consent: The Court confirmed that a principal’s informed consent requires full disclosure of all material facts – not mere awareness that a commission would be paid. The fact that the client could have asked for more information did not excuse the lack of disclosure.
Accessory liability: the energy supplier, which was the party paying the commission, could only be liable for procuring the broker’s breach if it acted dishonestly. As the client had not pleaded dishonesty or run that case at trial, the claim failed on that procedural point.
Limitation: The Court held that the cause of action accrued upon payment of the commission, not entry into the underlying contract. The decision of the first instance judge that the claim in respect of the first energy supply contract was time-barred was therefore overturned.

With the Supreme Court about to have its say on the Johnson appeal, this decision underlines the clear line at Court of Appeal level that brokers will commonly owe strict fiduciary obligations requiring clear, proactive disclosure of commission arrangements that may be said to give rise to conflicts of interest. That disclosure needs to be fulsome in order to obtain informed consent.
More hopefully for half-secret commission payers (be they lenders or energy suppliers) the judgment also confirms that accessory liability in equity (where third parties are said to have induced a breach of fiduciary duty) requires proof of dishonesty, consistent with established principles in Brunei and Twinsectra. This issue will inevitably be a key battleground in the Johnson appeal and other cases targeting the payers of half-secret commission instead of the receiving brokers.
The decision may well be subject to further appeal given the pending Supreme Court consideration of Johnson.

New U.S. Import Tariffs on Certain Automobiles and Parts

On March 26, 2025, President Trump signed an executive order directing new 25% tariffs on certain automobiles and automobile parts imported into the U.S. from all countries on or after April 3, 2025. This executive order comes as businesses await the outcome of the broader reciprocal trade plan also expected to be released on April 2.
The executive order builds on an investigation undertaken during President Trump’s first term focused on U.S. imports of passenger vehicles (sedans, sport utility vehicles, crossover utility vehicles, minivans and cargo vans), light trucks (collectively, automobiles) and certain automobile parts (engines and engine parts, transmissions and powertrain parts and electrical components — collectively, automobile parts) and their effect on the national security of the U.S. under Section 232 of the Trade Expansion Act of 1962, as amended (19 U.S.C. 1862) (Section 232). When the U.S. Department of Commerce (DOC) issued findings and recommendations to the President in February 2019, the President did not take any tariff action in response to the DOC’s determination that those imports threatened to impair the national security of the United States. Now, however, President Trump has determined that changes in import trends since the initial investigation and 2019 report have exacerbated risks to U.S. manufacturing, noting that “[t]oday, only about half of the vehicles sold in the United States are manufactured domestically[.]”
These new 25% tariffs, building on the prior investigation, will largely be effective for certain automobiles (to be identified in a subsequent notice in the Federal Register) on or after 12:01 a.m. Eastern Daylight Time on April 3, 2025. The effective date for parts could be deferred; the executive order specifies an effective date to be published in the Federal Register “but no later than May 3, 2025.
Automobiles and parts eligible for the U.S.-Mexico-Canada free trade agreement (USMCA) preferential treatment will be treated differently than all other imports. Where automobiles qualify for preferential tariff treatment under USMCA, importers of those automobiles may be permitted to submit documentation identifying or substantiating the amount of U.S. content in each model imported into the United States and pay duties only on the remainder. Where automobile parts qualify for preferential treatment under USMCA, those parts will be exempted from duties until such time that the DOC, in consultation with Customs, establishes a process to apply the tariff exclusively to the value of the non-U.S. content of such automobile parts and publishes notice in the Federal Register. “U.S. content” refers to the value of the automobile attributable to parts wholly obtained, produced entirely or substantially transformed in the United States.
The duties imposed by this order will be supplemental to duties on imports already imposed pursuant to other legal tools, including IEEPA (e.g. Canada, China and Mexico), Section 232 of the Trade Expansion of 1962 (e.g. steel and aluminum), Section 301 of the Trade Act of 1974 (e.g. China) and any other authority.
These duties will be imposed concurrent with other action taken under the President’s Reciprocal Trade Plan, which is expected to announce new tariffs on April 2, 2025, and with any new tariffs imposed under the President’s March 25, 2025 executive order granting the State Department discretion to impose 25% import duties on U.S. imports from countries that themselves import Venezuelan oil on or after April 2, 2025.

AI Governance: Steps to Adopt an AI Governance Program

There are many factors to consider when assisting clients with assessing the use of artificial intelligence (AI) tools in an organization and developing and implementing an AI Governance Program. Although adopting an AI Governance Program is a no-brainer, no form of a governance program is insufficient. Each organization has to evaluate how it will use AI tools, whether (and how) it will develop its own, whether it will allow third-party tools to be used with its data, the associated risks, and what guardrails and guidance to provide to employees about their use.
Many organizations don’t know where to start when thinking about an AI Governance Program. I came across a guide that I thought might be helpful in kickstarting your thinking about the process: Syncari’s “The Ultimate AI Governance Guide: Best Practices for Enterprise Success.”
Although the article scratches the surface of how to develop and implement an AI Governance Program, it is a good start to the internal conversation regarding some basic questions to ask and risks that may be present with AI tools. Although the article mentions AI regulations, including the EU AI Act and GDPR, it is important to consider state AI regulations being introduced and passed daily in the U.S. In addition, when considering third-party AI tools, it is important to question the third-party on how it collects, uses, and discloses company data, and whether company data is being used to train the AI tool.
Now is the time to start discussing how you will develop and implement your AI Governance Program. Your employees are probably already using it, so assess the risk and get some guardrails around it.

CLP Changes And What They Mean For Commercial Operations — A Conversation with Karin Baron and Lioba Oerter [Podcast]

This week I had the pleasure of speaking with Lioba Oerter, Director of Expert Services, 3E Expert Service Processing Centre (ESPC), and Karin F. Baron, Director of Hazard Communication and International Registration Strategy at B&C and our consulting affiliate, The Acta Group, about the significant changes to product classification, labeling, and packaging (CLP) in the European Union (EU). Lioba and I shared a podium recently and found we also have a shared belief that these forthcoming CLP changes will have a profound commercial impact on product classification, labeling, and packaging globally and that with everything going on in the world these days, this impact may be a bit underappreciated. Karin and I spoke about these matters last year, and I welcomed an opportunity to consider them again with Karin and Lioba in light of the new CLP developments as of December 2024. Karin, Lioba, and I discuss the CLP changes, including those recently made, why they came to be, what they mean for commercial operations, and conclude with some tips on staying ahead of this coming storm.

China Releases New Rules Regarding the Use of Facial Recognition Technology

On March 21, 2025, the Cyberspace Administration of China and the Ministry of Public Security jointly released the Security Management Measures for the Application of Facial Recognition Technology (the “Measures”), which will become effective on June 1, 2025. Below is a summary of the scope and certain of the key requirements of the Measures.
Scope of Application of the Measures
The Measures apply to activities using facial recognition technology to process facial information to identify an individual in China. However, the Measures do not apply to activities using facial recognition technology for research or algorithm training purposes in China.
Facial information refers to biometric information of facial features recorded electronically or by other means, relating to an identified or identifiable natural person, excluding information that has been anonymized.
Facial recognition technology refers to individual biometric recognition technology that uses facial information to identify an individual’s identity.
Specific Processing Requirements for Facial Recognition Technology
The Measures include specific processing requirements which must be complied with when activities are in scope of the Measures. These include:

Storage: The facial information should be stored in the facial recognition device and prohibited from external transmission through the Internet, unless the data handler obtains separate consent from the data subject or is otherwise permitted by applicable laws and regulations.
Privacy Impact Assessment (“PIA”): The data handler should conduct a PIA before processing the data.
Public Places: Facial recognition devices can be installed in public places, subject to the data handler establishing the necessity for maintenance of public security. The data handler shall reasonably determine the facial information collection area and display prominent warning signs.
Restriction: The data handler should not use facial recognition as the only verification method if there is any other technology that may accomplish the same purpose or meet the equivalent business requirements.
Filing Requirement: If the data handler processes facial information of more than 100,000 individuals through facial recognition technology, it should conduct a filing with the competent Cyberspace authority at the provincial level or higher within 30 business days upon reaching that threshold. The filing documents should include, amongst other things, basic information of the data handler, the purpose and method of processing facial information, the security protection measures taken, and a copy of the PIA. In cases of any substantial changes of the filed information, the filing shall be amended within 30 business days from the date of change. If the use of facial recognition technology is terminated, the data handler shall cancel the filing within 30 business days from the date of termination, and the facial information involved shall be processed in accordance with the law.

Mexico’s New Personal Data Protection Law: Considerations for Businesses

On March 20, 2025, Mexico’s new Federal Law on the Protection of Personal Data held by Private Parties (FLPPDPP) published in the Official Gazette of the Federation. Effective March 21, the new law replaces the FLPPDPP published in July 2010.  
Among the key changes the decree and new FLPPDPP introduce is the dissolution of the National Institute of Transparency, Access to Information, and Protection of Personal Data (INAI). Before the decree’s publication, INAI served as an autonomous regulatory and oversight authority for matters related to transparency, information access, and personal data protection. As of March 21, 2025, these responsibilities will be transferred to the Ministry of Anticorruption and Good Governance (Ministry), a governmental body reporting directly to the executive branch. The Ministry will now supervise, oversee, and regulate personal data protection matters.  
Related to personal data protection, companies may wish to consider the following points when preparing to comply with the new FLPPDPP:

The definition of “personal data” is amended to remove the previous limitation to natural persons, expanding the scope to any identifiable individual—when their identity can be determined directly or indirectly through any information.   
The law now requires that the data subject give consent “freely, specifically, and in an informed manner.”   
Public access sources are now limited to those the law explicitly authorizes for consultation, provided no restrictions apply, and are only subject to the payment of the applicable consultation fee.   
The scope of personal data processing expands to encompass “any operation or set of operations performed through manual or automated procedures applied to personal data, including collection, use, registration, organization, preservation, processing, communication, dissemination, storage, possession, access, handling, disclosure, transfer, or disposal of personal data.”   
As a general rule, the data subject’s tacit consent is deemed sufficient for data processing, unless the law expressly requires obtaining prior explicit consent.   
Regarding the privacy notice, the new FLPPDPP requires data controllers to specify the purposes of processing that require the data subject’s consent. Additionally, the express obligation to disclose data transfers the controller carries out is eliminated.   
Resolutions the Ministry issues may be challenged through amparo proceedings before specialized judges and courts.

Takeaways

1.
 
Although this amendment does not introduce substantial changes with respect to the obligations of those responsible for processing personal data, companies should review their privacy notice and, if necessary, adjust it to the provisions of the FLPPDPP including, where appropriate, replacing references to the INAI.   

2.
 
If any data protection proceedings were initiated before the INAI while the previous law was in effect, the provisions of the prior law will continue to govern such proceedings, with the exception that the Ministry will now handle them.   

3.
 
The executive branch will have 90 days to issue the necessary amendments to the new FLPPDPP regulations. Companies should monitor for the amendments’ publication to identify changes that may impact their compliance obligations under the new law.

Read in Spanish/Leer en español.

HMRC Supports a UK Restructuring Plan with its Change in Approach – Good News for Future RPs?

You may have read our previous blog about the Outside Clinic Restructuring Plan (RP) which asked whether 5p was enough to cram down HMRC and thought, well surely if that’s not enough, 10p would work? The Enzen Restructuring Plans (RPs) that were sanctioned this week also sought to compromise HMRC’s secondary preferential debt proposing a payment that would see HMRC recover 10p in the £ compared to nil in the relevant alternative. The Enzen RPs were not only sanctioned but also supported by HMRC – does this signal a change in attitude by HMRC?
In 2022 and 2023 we saw a number of RPs seeking to compromise HMRC secondary preferential debt in one way or another, and HMRC opposing those. Their reasons for not supporting often centered around the fact that HMRC is an involuntary creditor and that it has preferential status (in respect of certain of its debts) in an insolvency and therefore should be treated differently to other unsecured creditors in an RP. 
The risk of HMRC challenge seemed to dissuade many (at least in the mid-market) from using the RP as a tool to restructure after plans proposed by the Great Annual Savings (GAS), Nasmyth and Prezzo were all opposed by HMRC. It was following those cases that HMRC then issued guidance outlining its expectations. Other RPs that have involved HMRC debt included Fitness First where HMRC’s debt was rescheduled, rather than compromised, and Clinton Cards, where HMRC’s debt also remained intact. It is perhaps not therefore surprising we haven’t seen many “HMRC” RPs since these due to the risk (and not to mention the cost) of a potential challenge from HMRC.  
The Enzen RPs therefore seem to signal a change in attitude by HMRC who, for the first time, positively supported the plans. But why the change?
There were two plans proposed by Enzen entities, (Enzen Global Limited (EGL) and Enzen Limited (EL).  HMRC was owed £5,286,674 by EGL in respect of preferential debts, and £4,319,890 by EL.
The EGL plan proposed to pay HMRC £250,000 in cash, equivalent to a return of 4.2p in the £ compared to 0.1p in the relevant alternative (in this case administration). Under the EL plan HMRC was also to receive a £250,000 cash payment resulting in a return of 5.6p in the £ compared to nil in the relevant alternative – which would also be administration. Essentially HMRC would receive a payment of approximately 10p in the £ under both plans. 
Certain other preferential debts (VAT, NIC and PAYE) which were being paid when they fell due, were treated as critical payments under the RPs so were not compromised.
Although HMRC made noises at the convening stage suggesting that it might oppose the RPs there was no indication as to the basis on which it would do so. At this point HMRC’s position was governed by the fact that it hadn’t had enough time to consider its stance ahead of the convening hearing, given the substantial amount of material they had to review.
Between the convening hearing and sanction, HMRC raised its concerns in correspondence with the plan companies (although there is no specific detail about those concerns) save that they highlighted:

that the court should not cram down HMRC without good reason (following Naysmyth)
HMRC has a critical public function, and its views should carry considerable weight (following GAS).

Following this HMRC negotiated an additional £100,000 payment from both EGL and EL which increased its returns under the RPs to 6.6p under the EGL plan and to 8.1p under the EL plan. On that basis HMRC voted in favour of the RPs.
At the sanction hearing HMRC made their position on the RP clear and made the following statements indicating a new approach:

HMRC told the court that they knew they had opposed plans in the past (referencing Naysmith and GAS in particular), but they wanted their stance to the Enzen plan to prove indicative of a more proactive approach in relation to RPs.
HMRC also made it clear it is looking to participate as fully as possible with RPs where it can in the future.

The main reason HMRC supported in this case was because of the increased payment EML and EL were willing to give them, which meant there was a material increase to them.
There are at least two more plans that are coming before the court for sanction soon – Outside Clinic and Capricorn – that include an element of HMRC debt. Following the Enzen RPs it will be interesting to see, in light of HMRC’s positive engagement on Enzen, whether HMRC will support those.
The Enzen RPs will no doubt spark interest from the mid-market given HMRC’s stance to date has arguably been a blocker on mid-market RPs, but the costs of tabling an RP are still likely to be a concern given the litigious nature of many. Also if it is HMRC’s policy to now participate in restructuring plan hearings (even if they support) who bears those costs?
Annabelle McKeeve also contributed to this article.