Data Protection update - April 2025

Welcome to the latest edition of the Stephenson Harwood Data Protection update, covering the key developments in data protection and cyber security law in April 2025.

In data protection news, the ICO has released new guidance on anonymisation and pseudonymisation, and published a report recommending that the financial services sector can do more when dealing with children's data.

In cybersecurity news, the UK Cyber Governance Code of Practice has been published; the EU Cybersecurity Act is open for consultation amid global focus on tech regulation; the parameters of the UK Cyber Security and Resilience Bill have been set out; and Apple's challenge to UK data requests is now to be heard publicly.

In enforcement and civil litigation news, the DPC fined TikTok €530 million and threatened to order a suspension of its transfers to China, and the recent case of McShane v Irish Data Protection Commission confirmed that an employer was not a controller of non-work-related personal data on a work phone.

Data Protection

ICO releases new guidance on anonymisation and pseudonymisation

The Information Commissioner's Office (the "ICO") has published guidance on anonymisation and pseudonymisation (the "Guidance"). The Guidance is relevant for those considering anonymising personal data so that it would no longer constitute personal data, whether for research purposes, because it is a legal requirement, or for accountability reasons. The Guidance highlights that the process of anonymising personal data is still considered a processing activity under data protection law, which means it must be carried out in line with data protection law.

The Guidance outlines various techniques to achieve anonymisation, highlighting the strengths and weaknesses of each, and provides appropriate use cases, including case studies, for each technique. There are two main approaches to anonymisation techniques: (i) generalisation, which changes information that identifies an individual person to information that relates to multiple people; and (ii) randomisation, which changes identifying information so that it cannot be conclusively attributed to a particular person. The benefits of anonymisation include protecting identities, enhancing security, and reducing risks associated with data disclosure.

Pseudonymisation involves replacing direct identifiers like names with a pseudonym or number. The ICO emphasises that pseudonymisation mitigates risk by limiting the level of identifiability of the data subject, which can accordingly reduce the risk of harm that may arise from personal data breaches. However, pseudonymous information is still personal data, and data protection law still applies to it.
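To make the distinction between the two approaches concrete, the following added example (not code from the ICO Guidance or from Stephenson Harwood) applies each technique to a handful of constructed customer records. Pseudonymisation replaces the direct identifier (the e-mail address) with a keyed HMAC-SHA256 token, so rows for the same person stay linkable but the mapping back to the e-mail address needs the secret key, which is why the output is still personal data in the hands of whoever holds that key. Generalisation widens the age to a ten-year band and the postcode to its outward code; randomisation perturbs the balance with bounded noise. A final group-size check flags any combination of generalised fields that still singles out one record. The band width, noise spread and the HMAC construction are assumptions chosen for the illustration, not values taken from the Guidance.

```python
import hashlib
import hmac
import random
import secrets
from collections import Counter

# Constructed sample records for the demonstration; these are not real people.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "age": 34,
     "postcode": "SW1A 1AA", "balance": 1250},
    {"name": "Bob Example", "email": "bob@example.org", "age": 52,
     "postcode": "SW1A 2BB", "balance": 980},
    {"name": "Alice Example", "email": "alice@example.org", "age": 34,
     "postcode": "SW1A 1AA", "balance": 1300},
]

DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(record, key):
    """Replace direct identifiers with a keyed token (pseudonymisation).

    HMAC-SHA256 over the normalised e-mail address gives the same token for
    the same person, so records remain linkable. Re-identifying a token
    requires the key, so the key must be stored separately from this output;
    the output is still personal data for anyone who holds the key.
    """
    token = hmac.new(key, record["email"].strip().lower().encode(),
                     hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = token
    return out


def generalise_age(age, width=10):
    """Generalisation: an exact age becomes a band shared by many people."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def generalise_postcode(postcode):
    """Generalisation: keep only the outward code, e.g. 'SW1A 1AA' -> 'SW1A'."""
    return postcode.split()[0]


def randomise_balance(balance, rng, spread=100):
    """Randomisation: add bounded noise so the value cannot be matched exactly.

    `rng` is a random.Random instance; the demo seeds it for reproducibility,
    a production release would not.
    """
    return balance + rng.randint(-spread, spread)


def anonymise(record, rng):
    """Drop direct identifiers entirely and generalise/randomise the rest."""
    return {
        "age_band": generalise_age(record["age"]),
        "area": generalise_postcode(record["postcode"]),
        "balance_approx": randomise_balance(record["balance"], rng),
    }


def min_group_size(rows, quasi_identifiers):
    """Smallest number of rows sharing one combination of quasi-identifiers.

    A result of 1 means some combination still singles out one record, so the
    release would need coarser generalisation before it could be treated as
    anonymised.
    """
    counts = Counter(tuple(row[q] for q in quasi_identifiers) for row in rows)
    return min(counts.values())


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep this apart from the pseudonymised data
    for r in RECORDS:
        print(pseudonymise(r, key))
    rng = random.Random(2025)
    anon = [anonymise(r, rng) for r in RECORDS]
    for row in anon:
        print(row)
    print("smallest group:", min_group_size(anon, ("age_band", "area")))
```

Running the script shows the two "Alice" rows receiving the same `subject_id` while Bob's differs, and the group-size check returning 1 because Bob's age band and area combination is unique in this tiny set: the generalised data is not yet anonymous, which is exactly the kind of residual identifiability the Guidance expects an organisation to assess before treating a dataset as falling outside data protection law.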

While the Guidance is not legally binding, the ICO will consider it when dealing with anonymisation-related inquiries into organisations. The Guidance can be found here.

ICO report finds that financial services sector can do more when dealing with children's data

Last month, a report published by the Information Commissioner's Office (the "ICO") into the financial services sector underscores the need for the improved handling of children's data. The report sets out "areas of good practice" for financial service organisations, which are in line with UK General Data Protection Regulation ("UK GDPR") requirements, stating "children merit specific protection with regard to their personal data" because they might be less aware of the risks and outcomes of the processing of their personal data.

The report examines the data protection practices in, among others, services offering current accounts, savings accounts, ISAs, and prepaid cards to children. A key finding was that there was limited monitoring of compliance with policies concerning the use of children's data. In addition, while 97% of the participating organisations held general data protection training, only 18% of such training covered the use of children's personal data.

In the report, the ICO recommends updating privacy information as children mature and their understanding evolves, providing specialised training to staff on children's data protection to increase awareness and understanding of the best way to handle children's data, differentiating between parents and children in marketing efforts, and putting processes in place to ensure that consent for children's data processing is valid.

The handling of children's data is coming under increased scrutiny by regulators and lawmakers alike. The ICO is currently investigating TikTok, Reddit and Imgur's handling of children's personal data (see our update on this here), and the Data (Use and Access) Bill (our most recent article on this can be found here) has recently been amended to put in place safeguards for children's personal data, imposing additional duties on the ICO in this regard.

A link to the ICO's report can be found here.

Cybersecurity

UK Cyber Governance Code of Practice published

On 8 April, the Department for Science, Innovation and Technology published a Cyber Governance Code of Practice (the "Code"), the aim of which is to support boards and directors with governing cyber security risks. You can access the Code and its accompanying resources here. The government has also published practical guidance that can be found in the Cyber Governance Training programme here.

The Code is primarily aimed at board members and senior leaders of medium to large organisations, though it encourages smaller organisations, especially in the technology and AI sectors, to adopt its principles. It outlines five core governance pillars (risk management; strategy; people; incident planning, response and recovery; and assurance and oversight), each with specific actions for improving cyber resilience. These include:

  • ensuring the organisation's cyber strategy aligns with business objectives;
  • fostering a positive cyber culture;
  • overseeing organisation-wide education and awareness efforts;
  • implementing and regularly testing response and recovery plans; and
  • identifying critical assets in an organisation.

The Code emphasises the importance of directors actively overseeing cyber risks and ensuring their organisations are properly prepared for potential cyber-attacks.

As we can see from current events in the UK's retail sector, cyber-attacks are increasingly prevalent in the UK, so the Code will no doubt provide some welcome guidance on risk mitigation measures that public and private organisations alike can implement where feasible.

EU Cybersecurity Act open for consultation amid global focus on tech regulation

On 11 April the European Commission (the "Commission") announced that it has opened a consultation regarding the EU Cybersecurity Act (the "Act"). In its announcement, the Commission stated that the aim of the consultation is to "seek input to evaluate and revise the 2019 Cybersecurity Act". The Act has been in force since 2019, but this consultation seeks to relax reporting obligations and reduce unnecessary bureaucracy on businesses, reflecting the Commission's commitment to "simplifying rules".

The consultation will initially take a three-pronged approach, focussing on:

  • the mandate of the European Union's cyber agency, ENISA;
  • the European Cybersecurity Certification Framework; and
  • addressing IT supply chain challenges.

Parties interested in providing their opinions on the consultation have until 20 June to do so here.

Parameters of the UK Cyber Security and Resilience Bill set out

On 1 April the UK Government (the "Government") published a policy statement with details of the measures to be included in its Cyber Security and Resilience Bill (the "Bill"), which forms part of the Government's plan to enhance economic growth through secure services and aims to improve UK cyber defences as well as protecting essential public services.

In its press release, the Government highlighted that the Bill will ensure that firms that provide IT services to public authorities and the wider economy are no longer an "easy" target for cyber criminals. The press release also notes that the Technology Secretary shall be given greater powers and flexibility to update the regulatory framework to keep pace with the ever-changing cyber landscape. This could include extending the framework to new sectors or updating security requirements.

The policy statement on the Bill, which can be read here, sets out its key proposals. These include:

  • allowing regulators to designate certain suppliers as "designated critical suppliers", imposing stronger supply chain duties on them, including enhanced reporting obligations;
  • bringing critical suppliers, data centres and managed service providers (i.e. providers that offer core IT services to businesses) into the scope of the Bill, recognising that they are an attractive target for cyber-attacks, to ensure that they are required to strengthen their data protection and network security defences; and
  • placing regulators on a stronger footing to enhance their oversight of cyber safety measures.

Apple's challenge to UK data requests to be heard publicly

On 7 April, a London court ruled that Apple’s challenge against the UK Government’s request to access encrypted data would not be held in secret. The UK Government sought to conduct proceedings in secret, citing potential damage to national security, but the Investigatory Powers Tribunal (the "Tribunal") disagreed. Whilst measures can be implemented to limit the public dissemination of certain information if, for example, it is a threat to national security, a blanket ban on a public hearing for an issue impacting a significant proportion of the UK public does not strike a balance between government accountability and the public's right to information.

In dismissing the UK Government's claim, the Tribunal emphasised that secret hearings would severely interfere with open justice and required compelling justification, which was not present in this case. It was further stated that revealing the details of the case wouldn't harm the public interest or compromise national security.

Apple is challenging the UK Home Office's use of the Investigatory Powers Act, under which it issued a "technical capability notice" requesting Apple to provide access to users' encrypted data. In response, Apple removed its optional end-to-end encryption feature for UK users, making their cloud data less secure. We discussed this case in a previous issue of our Data Protection update, which can be found here.

Enforcement and Civil Litigation

The DPC fines TikTok €530 million and threatens to order a suspension of its transfers to China

The Irish Data Protection Commission ("DPC") has concluded its inquiry into TikTok Technology Limited ("TikTok"), focusing on the legality of TikTok's data transfers from the EEA to China and its transparency obligations under the EU GDPR. The DPC found that TikTok failed to ensure personal data of EEA users, which was transferred to China, received protection equivalent to EU standards.

The DPC considered TikTok’s October 2021 EEA Privacy Policy (the "Policy") and found that it was not adequate for two reasons: first, the Policy did not name the third countries, including China, to which personal data was transferred; and second, the Policy did not explain the nature of the processing operations that constitute the transfer. In relation to the second reason, the Policy did not specify that TikTok allowed remote access to personal data, which is stored in Singapore and the United States, by personnel based in China. There was also evidence that certain data was stored on servers located in China. TikTok has since updated its Policy.

Further, TikTok's assessment of Chinese laws, such as the Anti-Terrorism and Cybersecurity Laws, revealed significant divergence from EU standards, which impacted TikTok's ability to implement adequate safeguards. TikTok did not properly assess the level of protection provided by Chinese law and practice, which meant TikTok was not able to provide appropriate safeguards, much less an equivalent level of protection.

The DPC imposed fines totalling €530 million on TikTok, mandating it to be in compliance within six months and threatened to require suspension of its transfers if not. The DPC's decision is the first big enforcement action relating to China, and indicates that overseas data transfers are once again in the spotlight.

McShane v Irish Data Protection Commission – Employer not a controller of non-work personal data stored on work phone

In April, the Irish High Court rejected an application for judicial review of the DPC's refusal to investigate a personal data breach complaint allegedly arising out of a cyber-attack on the Health Service Executive’s ("HSE") information and communication technology systems in May 2021. The decision may be of interest to employers whose staff use their work phones for personal purposes.

The applicant, an employee of HSE at the time, complained to the DPC in 2021, arguing that the data breach compromised data stored on his work-issued phone for his personal purposes, in particular, in his own Gmail, Yahoo, Fitbit, and Binance accounts. The applicant used his work phone to log into his personal email and cryptocurrency accounts and found that: (i) his information on both platforms was compromised; and (ii) €1,400 in cryptocurrency was stolen from his account.

In 2022, the DPC concluded that the HSE was not the controller of the applicant's non-work-related personal data stored on his work phone. Under the HSE's policies, personal use of a work phone was not permitted without prior authorisation. The complaint was accordingly dismissed.

The applicant filed a judicial review against the DPC decision requesting the Court to quash the DPC's dismissal of his complaint and compel the DPC to investigate further. The Court refused, noting that the applicant made his complaint about non-work-related personal data, which meant the DPC did not have an obligation to investigate in relation to work-related personal data. The DPC's decision was found not to warrant the High Court's intervention.

The decision provides helpful clarification that the employer in this case was not a controller in respect of its employees' non-work-related personal data stored on work devices.

Round up of enforcement actions

Company | Authority | Fine/enforcement action | Comment

Advanced Computer Software Group Ltd ("Advanced") | UK | £3.07 million

In 2022, hackers accessed some of Advanced's systems through a customer account that did not have multi-factor authentication.

The personal information of 79,404 people was taken, including details of how to gain entry into the homes of 890 people who were receiving care at home. It was held that Advanced, as processor of the personal data, infringed Article 32(1) of the UK GDPR by failing to have appropriate technical and organisational measures in place to keep its health and care systems fully secure. Advanced cooperated with authorities and attempted to mitigate the attack's impact. This encouraged the ICO to reduce the fine issued to Advanced, which was initially proposed to be £6.09 million in 2024 after an investigation.

23andMe | UK | £4.59 million (potentially)

The ICO issued a notice of intent to fine genetic testing company 23andMe £4.59 million following a data breach reported in October 2023.

The fine and enforcement notice are provisional, pending 23andMe's representations, including affordability considerations. The ICO, in a joint investigation with the Office of the Privacy Commissioner of Canada, determined that 23andMe must maintain high security standards for sensitive genetic data under UK GDPR.

We previously reported on the ICO's joint investigation against 23andMe here.

DPP Law Ltd ("DPP Law") | UK | £60,000

DPP Law was fined for not implementing appropriate data security measures following a cyber-attack in June 2022. 32GB of data was stolen and client information was posted on the dark web.

DPP Law did not manage its administrator account adequately and delayed notifying the ICO, only making a report 43 days after the cyber-attack instead of the 72 hours mandated by the UK GDPR.

Amazon | Luxembourg | €746 million

Luxembourg's Data Protection Authority has fined Amazon Europe for violations of the EU GDPR. The claim was initially brought in 2021. Amazon was found to have infringed Articles 6, 12 and 17 of the EU GDPR when processing personal data for interest-based advertising (i.e., personalised advertising).

Amazon is considering an appeal.

Meta | The EU | €200 million

The Commission has deemed Meta's Consent or Pay model to be non-compliant. This model offered EU users of Facebook and Instagram a choice between consenting to their personal data being used for personalised advertising or paying a monthly subscription for an ad-free service.

Meta's model failed to allow users to freely consent to data combination, according to the Commission. Meta has 60 days to comply with the decision.

Marina Salud | Spain | €500,000

Marina Salud was fined for using a third-party information system software even though they did not have general authorisation from the controller, the Ministry of Health and Public Health of Valencia, to do so.

The Spanish data protection authority held that the processor did not have general authority to engage sub-processors from the controller.

Croatian company | Croatia | €12,000

This fine was imposed as the Croatian data protection authority found that the company violated:

  • Article 37(7) of the GDPR by not publishing the contact details of the Data Protection Officer (the "DPO"); and
  • Article 38(6) of the GDPR, as the DPO performed other tasks that culminated in a conflict of interest with their DPO tasks.

Key US updates

Certain countries now prohibited or restricted from accessing Americans' bulk sensitive personal data

The US Department of Justice (the "DoJ") implemented Executive Order 14117 (known as the "Final Rule") on April 8, 2025. The Final Rule was issued by President Biden on 28 February 2024, directing the US Attorney General to regulate transactions involving foreign countries of concern. The Final Rule identifies six "countries of concern": China, Cuba, Iran, North Korea, Russia, and Venezuela and will restrict or prohibit their access to sensitive US personal and government-related data.

Those that will be impacted by the Final Rule include but are not limited to foreign entities that are 50% or more owned by the countries listed above, their nationals, or those who primarily reside there. The Final Rule is posed as a response to the "continuing effort" of the countries of concern to access US (citizen's) data, resulting in an "extraordinary threat" as initially mentioned by President Biden in Executive Order 14117.

Pursuant to the Final Rule, sensitive personal data is categorised into six types: personal identifiers, precise geolocation data, biometric identifiers, human genomic and related data, personal health data, and personal financial data. Bulk thresholds are set for each category, such as over 100 US persons for genomic data, and over 1,000 US persons for biometric data. If this threshold is met, a prohibition or restriction (depending on the circumstances) on the transfer of data is triggered.

Outright prohibited transactions include data brokerage and transactions involving bulk human 'omic data. Very broadly speaking, 'omics is the study and quantification of the structure, function, and behaviour of biological molecules. Restricted transactions, which require compliance with access security measures, include vendor, employment, and investment agreements. Many companies that have significant manufacturing hubs in China will likely face compliance difficulties. However, transactions conducted for US Government business are subject to exemptions under the Final Rule.

Enforcement of the Final Rule allows the DoJ to impose civil penalties of up to $368,136 or twice the transaction amount involved. Compliance with due diligence and audit requirements is mandatory by October 6, 2025. However, the enforcement policy released by the DoJ notes that civil enforcement actions for violations of the Final Rule are unlikely to be triggered before 8 July 2025 "so long as the person is engaging in good faith efforts to comply with or come into compliance…during that time."

Ohio age-gating law deemed unconstitutional

NetChoice, a technology industry association, has succeeded in having an Ohio judge permanently bar the state from enforcing the Parental Notification by Social Media Operators Act (the "Parental Act"). This would have required platforms to obtain "verifiable" consent from parents before allowing children under the age of 16 years to create an account on their platform or use their services. The judge found that the Parental Act curtails the First Amendment right of minors to free speech, as enforcing the statute would restrict minors from having access to all content on websites covered by the Parental Act.