Data Protection update - July 2025

Welcome to the latest edition of the Stephenson Harwood Data Protection update, covering the key developments in data protection and cyber security law in July 2025.
In data protection headline news, the UK Government has made its first set of commencement regulations to bring certain provisions of the Data (Use and Access) Act 2025 ("DUAA") into force; the European Commission (the "Commission") is set to adopt new adequacy decisions for the UK and has granted an adequacy decision to the European Patent Office; Ofcom has published transparency reporting guidance; the Commission has published guidelines to protect children under the DSA; the Dubai International Financial Centre ("DIFC") has reformed its data protection laws; and we discuss the impact of the Information Commissioner's Office's ("ICO") online tracking strategy.
In cyber security news, guidance for NIS2 cybersecurity risk management measures has been published.
In our enforcement and civil litigation section, the CJEU has ruled that access to EDPB decision files should be granted; a class action is on the horizon in connection with the Afghan data breach; and TikTok has lost its appeal against the ICO.
Data Protection
- DUAA Commencement Regulations released
- Commission deems UK data protection regime "adequate"
- Commission approves European Patent Office data adequacy decision
- Ofcom publishes transparency requirements
- Commission publishes guidelines to protect children under the DSA
- DIFC reforms its data protection laws
- Impact of the ICO's online tracking strategy
Cyber Security
- Guidance for NIS2 cybersecurity risk management measures published
Enforcement and Civil Litigation
- CJEU rules that access to EDPB decision files should be granted
- Class action on the horizon for Afghan data breach
- TikTok loses appeal against ICO
- Round up of enforcement actions
Key US updates
- Trump issues first Cyber Security executive order
- Key US Cybersecurity law set to expire
Data Protection
DUAA Commencement Regulations released
Following the enactment of the DUAA on 19 June 2025, which we reported on last month, the Data (Use and Access) Act 2025 (Commencement No 1) Regulations 2025 (the "Commencement Regulations") were made on 24 July 2025. They bring several, primarily administrative, provisions of the DUAA into force with effect from 20 August 2025.
Notable provisions being brought into effect via the Commencement Regulations include:
- Section 74, empowering the Secretary of State to add and tailor new special categories of data under the UK General Data Protection Regulation ("UK GDPR");
- Section 84, which mandates the ICO to encourage expert public bodies to develop and produce codes of conduct on using personal data for law enforcement purposes;
- Sections 91-95 and 102, which update the ICO's (soon to be the Information Commission ("IC")) duties, including establishing panels to consider codes of practice and producing and publishing annual reports; and
- Section 104, which introduces a court procedure for data subject access requests.
Amendments to the Privacy and Electronic Communications Regulations ("PECR") will also come into effect. These extend the period within which communications service providers must notify the IC of a personal data breach from 24 hours to "without undue delay and where feasible, not later than 72 hours after having become aware of it", aligning PECR with the existing breach notification requirement under the UK GDPR.
The Commencement Regulations also formally establish the IC, albeit currently without functions until further secondary legislation abolishes the ICO and brings into force the IC's enhanced investigative and enforcement powers. The remaining substantive data protection changes are expected to be phased in on or around December 2025 via additional commencement regulations, with the remaining minor provisions following thereafter.
We have prepared a helpful summary of the key changes being introduced by the DUAA, available here.
In addition, the final article in our DUAA series, where we deep-dive into certain miscellaneous provisions of the DUAA, can be found here.
Commission deems UK data protection regime "adequate"
The Commission has begun the process of adopting new adequacy decisions for the UK, under the EU GDPR and the Law Enforcement Directive, to enable the continued free flow of personal data between the European Economic Area and the UK.
After reviewing the recently enacted DUAA, the Commission has determined that the UK's data protection framework continues to provide safeguards that are "essentially equivalent" to European Union ("EU") standards. The UK's current adequacy decisions were due to expire on 27 June 2025 but were extended to 27 December 2025. In announcing its assessment, Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy, emphasised the importance of data protection and strong EU-UK cooperation, while Michael McGrath, European Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, highlighted the significance of "unobstructed" personal data flows for businesses and law enforcement.
The draft decisions must now be reviewed by the European Data Protection Board ("EDPB") and approved by EU Member States before final adoption. We reported on the EDPB's opinion on the six-month extension of the existing adequacy decisions in a previous edition of this update.
The adequacy decisions can be read here.
Commission approves European Patent Office data adequacy decision
On 15 July 2025, the Commission announced the adoption of its adequacy decision for the European Patent Office (the "EPO"), confirming that the EPO ensures a level of personal data protection essentially equivalent to that of the EU GDPR. This is the first adequacy decision the EU has adopted for an international organisation, and a significant step for the EPO, which processes substantial volumes of personal data in its patent-granting activities. As with other adequacy decisions, the Commission will review it at least every four years. Companies and public bodies will now be able to transfer personal data to the EPO without the need for additional transfer safeguards.
Ofcom publishes transparency requirements
On 21 July 2025, Ofcom, the UK communications and online safety regulator (which oversees telecommunications, post, broadcast TV, radio and online services), published a statement (the "Statement") alongside its final transparency reporting guidance (the "Transparency Guidance"), following its consultation on the draft guidance.
The Transparency Guidance sets out the obligations under the transparency reporting framework of the Online Safety Act 2023 ("OSA") that apply to providers of "categorised" services regulated under the OSA. Regulated services are either user-to-user services or search services; Ofcom is in the process of designating the largest and riskiest of these as categorised (Category 1, 2A or 2B) services, and expects to publish its register of categorised services this summer.
Whilst all online services within the scope of the OSA must protect UK users from illegal content and, where applicable, protect children from online harm, providers of categorised services have additional duties focused on safety, transparency and accountability, including a requirement to publish an annual transparency report in response to a transparency notice issued by Ofcom. Ofcom must also publish its own transparency report summarising industry trends and setting out good practice. The Transparency Guidance gives examples of the information Ofcom may require in a transparency report, such as how often illegal or harmful content appears on user-to-user services, the number of users exposed to such content within a given period, and the effectiveness of content moderation systems.
The accompanying Statement addresses all relevant feedback from the consultation period and explains Ofcom's final decisions about certain changes and clarifications to its position, and how it expects to operate its transparency reporting regime. The three main areas of the Transparency Guidance addressed in the Statement are:
- Ofcom's approach to determining the information required in transparency notices, including confirmation that Ofcom will have regard to the capacity of the provider when deciding what to require, looking primarily at the provider's financial resources and available technical expertise;
- Ofcom's plans to engage with providers and non-platform stakeholders, including an amendment to the Transparency Guidance confirming that Ofcom will engage with civil society organisations and other relevant non-platform stakeholders throughout the annual transparency cycle, to gather insights useful for transparency notices and for Ofcom's own transparency report, and to seek feedback on improving the transparency reporting regime; and
- Ofcom's plans for its annual transparency reports, including an amendment to the Transparency Guidance stating that, where Ofcom compares services in its annual report, it will provide appropriate context so as to mitigate, where possible, the risk of audiences misinterpreting its findings.
The full Statement is available here, and the Transparency Guidance is available here.
Commission publishes guidelines to protect children under the DSA
In Europe, the Commission has also published (on 14 July 2025) comprehensive guidelines on the protection of minors online, adopted under Article 28 of the EU Digital Services Act ("DSA"). The guidelines set out clear expectations for online platforms accessible to minors regarding the safeguarding of young users' rights and well-being, and recommend measures proportionate to the risks minors face online, such as cyberbullying, grooming and harmful commercial practices.
Key recommendations include robust age assurance mechanisms, minimising the collection of minors' data and the profiling of minors, and prioritising safety-by-design in digital products and services. The Commission stresses the need for transparency in content moderation and recommender systems, so that minors are not exposed to harmful or inappropriate material. Platforms are also encouraged to provide accessible reporting tools and effective parental controls.
The guidelines also advocate empowering minors through digital literacy initiatives, equipping them to navigate online spaces safely and responsibly, and call for ongoing collaboration between industry, regulators and civil society to foster a secure digital environment for young people.
DIFC reforms its data protection laws
The DIFC has formally enacted a number of substantive amendments to its Data Protection Law 2020 ("DPL") through the DIFC Laws Amendment Law, DIFC Law No. 1 of 2025 (the "Amendment Law"), following a period of public consultation earlier this year, which we covered in our March 2025 edition.
The Amendment Law, which was enacted on 8 July 2025 and came into effect on 15 July 2025, amends the DPL in order to align its regulatory framework with international best practices. In particular it:
- introduces a new private right of action through the DIFC Courts, enhancing the rights and remedies available to data subjects whose personal data has been processed in contravention of the DPL and mirroring the equivalent rights granted to data subjects under the GDPR. Previously, data subjects had to bring their complaint to the DIFC Commissioner of Data Protection, who would then decide whether the matter should be brought before the courts;
- clarifies the scope of application and extra-territorial reach of the DPL. The Amendment Law confirms that the DPL applies to:
  - controllers or processors incorporated in the DIFC, regardless of where they process personal data; and
  - the processing of personal data in the DIFC (including any transfers outside the DIFC) as part of "stable arrangements" by any controller or processor (or any of their sub-processors), whether or not they are incorporated in the DIFC.
  This change largely codifies the existing interpretation and previous guidance on the scope of the DPL, but now also explicitly provides that an organisation's sub-processors may be subject to the DPL; and
- makes minor updates to Article 28 on data sharing with public authorities, confirming that data may only be shared once the controller (or its processor or sub-processor, as applicable) has satisfied itself that the request is valid and proportionate.
The updates to Article 28 aim to impose greater responsibility on controllers and processors when sharing personal data with a requesting public authority, including one outside the DIFC: they must assess the risk to data subjects and satisfy themselves that the personal data will be proportionately protected before it is transferred.
Notably, the penalties for specific breaches have also increased. Failure to carry out a data protection impact assessment ("DPIA") can now result in a fine of up to $50,000 (up from $20,000), and the maximum fine for non-compliance with the Article 28 data-sharing obligations has increased from $10,000 to $50,000.
These reforms mark a decisive step in elevating data protection standards in the DIFC and reinforce its position as a leading jurisdiction for privacy and compliance in the region.
It will now be important for businesses operating in the UAE to take steps to review their data collection and processing practices to assess whether they now fall under the expanded territorial scope of the DPL.
The Amendment Law can be found here.
Impact of the ICO's online tracking strategy
At the beginning of 2025, the ICO pledged to give individuals greater control over online tracking while giving businesses the confidence to innovate responsibly. As part of its online tracking strategy, the ICO reviewed the cookie banners of the 1,000 most visited websites in the UK. Where a banner did not give users meaningful control, the ICO wrote to the site operator setting out its compliance concerns. The ICO is now assessing the operators' responses against its compliance criteria and has emphasised that enforcement action will follow where practices remain non-compliant.
The ICO is also consulting on revised guidance for storage and access technologies ("SATs"), such as cookies and tracking pixels, reflecting the changes introduced by the DUAA. In parallel, it is inviting feedback on proposals to relax enforcement of the consent requirement for certain privacy-preserving forms of online advertising, with the aim of supporting a shift away from intrusive tracking models. This mirrors the DUAA's amendments to the SATs rules and signals the ICO's intention to balance individuals' rights against organisations' legitimate need for analytics.
These initiatives build on the ICO's earlier work on SATs, including its December 2024 draft guidance on cookies and fingerprinting and its January 2025 final guidance on "consent or pay" models. The revised SATs guidance reflects the DUAA's new exceptions to the rule against storing or accessing information on users' devices without consent, covering low-risk uses such as statistical analysis and improving website functionality. A separate consultation, launched on 7 July, explores extending the consent exemptions to certain advertising uses of SATs that pose demonstrably low privacy risk.
The ICO's approach aims to give organisations clarity while preserving the requirement for freely given consent for targeted advertising, with the stated goal of a digital economy that is both robust and privacy friendly.
Cyber Security
Guidance for NIS2 cybersecurity risk management measures published
On 26 June 2025 the European Union Agency for Cybersecurity (ENISA) published technical implementation guidance (the "Cybersecurity Guidance") to help Member States and in-scope entities implement the cybersecurity risk management measures laid down in Commission Implementing Regulation (EU) 2024/2690, which applies to particular categories of entity under the NIS2 Directive. Those categories include DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines and social networking platforms, and trust service providers. NIS2 itself applies to "essential" and "important" entities operating in the EU across sectors such as digital infrastructure and digital services.
The Cybersecurity Guidance, developed in collaboration with the NIS Cooperation Group and the Commission, is not legally binding and does not replace guidance, frameworks or tools already in place at national level in individual Member States. It does, however, offer practical advice and examples that may be of value to entities within scope. It works through the thirteen technical and methodological requirements set out in the Implementing Regulation, including risk management policies, incident handling, supply chain security and human resources security.
The following are provided as examples of evidence for establishing and maintaining an effective risk management framework:
- Documented action plans developed in response to review findings;
- Key personnel knowing the main risks (e.g. evidence from emails, interviews and awareness-raising sessions);
- Documented risk treatment plan implementation exceptions; and
- Maintaining a risk register.
A key aim of the Cybersecurity Guidance is to improve cybersecurity maturity in Europe's critical sectors. We recently reported on the consultation on the evaluation and revision of the 2019 EU Cybersecurity Act, which together with the Cybersecurity Guidance, highlights the EU's clear commitment to advancing cybersecurity.
The full Cybersecurity Guidance can be found here.
Enforcement and Civil Litigation
CJEU rules that access to EDPB decision files should be granted
The Court of Justice of the European Union ("CJEU") has ruled that an individual claimant should have access to the EDPB decision files related to her GDPR complaint against Facebook Ireland Ltd.
The claimant, supported by NOYB (the non-profit organisation co-founded by Austrian privacy activist Max Schrems), filed a GDPR complaint in 2018 with the Austrian data protection authority against Facebook, alleging unlawful data processing. Because of its cross-border nature, the case was handled by the Irish Data Protection Commission ("DPC") as lead supervisory authority. In 2021 the DPC circulated a draft decision to the other concerned EU supervisory authorities, several of which raised objections. The claimant was excluded from those further proceedings and denied access to the documents, preventing her from commenting on the objections or on Meta's responses.
The DPC referred the matter to the EDPB for a binding decision, which was issued in December 2022. The claimant's request for access to the EDPB's file was rejected in February 2023. The CJEU has now annulled that refusal, finding that the claimant has a legitimate interest in accessing the file in order to verify whether her complaint influenced the EDPB's decision. In doing so, the court emphasised that she has a direct interest in ensuring GDPR compliance in her case, because the dispute concerns the way her own personal data was processed.
Class action on the horizon for Afghan data breach
In February 2022, the Ministry of Defence ("MoD") suffered a catastrophic data loss (the "Breach") when an unnamed MoD official emailed a dataset outside authorised channels by mistake. The Breach exposed the personal details of almost 19,000 Afghans who had helped the UK military in Afghanistan, putting them and their families at risk under Taliban rule. The MoD only discovered the Breach in August 2023.
A Manchester-based law firm says that it is preparing to represent the affected individuals in a mass claim. According to a lawyer at the firm, the number of individuals joining the claim is growing by more than 100 a day.
The process for joining the claim was made public after a "super-injunction", which had prevented any reporting or discussion of the Breach since late 2023, was lifted on 15 July 2025. The lifting of the injunction is likely a significant factor in the surge of interest. Anyone wishing to join must submit a copy of the notification letter sent to them by the MoD, and thousands of claims have already been verified.
TikTok loses appeal against ICO
The First-tier Tribunal ("FTT") has given authoritative guidance on the "special purposes" exemption under the Data Protection Act 2018 ("DPA 2018") in the context of TikTok's appeal against the £12.7 million monetary penalty imposed by the ICO.
TikTok contended that its processing of personal data, particularly in delivering its platform services, was for "artistic purposes", one of the "special purposes" (alongside journalistic, academic and literary purposes) that attract heightened procedural safeguards under the DPA 2018. On that basis, TikTok argued, the ICO was required to obtain the leave of the court before issuing the monetary penalty notice.
The FTT rejected this argument. It held that the processing at issue, namely the processing of the personal data of children under 13 that the ICO found to breach Articles 8 and 5(1)(a) UK GDPR, was not for "special purposes". Merely facilitating user-generated artistic content is not enough: the processing itself must be intentionally and directly for artistic purposes, rather than incidental to commercial service delivery or advertising.
The decision confirms that the "special purposes" exemption is construed narrowly and will not shield platforms from regulatory enforcement where their primary processing is not for those protected purposes. It provides welcome clarity for controllers navigating the intersection of data protection and freedom of expression.
Round up of enforcement actions
| Company | Authority | Fine/enforcement action | Comment |
| --- | --- | --- | --- |
| McDonald's Poland | Polish Data Protection Authority ("DPA") | €3.8 million | The Polish DPA imposed a fine of PLN 16.1 million (approximately €3.8 million) on McDonald's Poland following a serious data breach involving employee information. The breach arose from a misconfigured server operated by 24/7 Communication, an external company engaged to manage shift schedules. As a result, personal data including names, national ID numbers, passport details, working hours and job roles became publicly accessible. |
| Repsol | Spanish DPA ("AEPD") | €1.38 million | The AEPD found that Repsol failed to ensure the accuracy of the personal data it processed and had not implemented appropriate technical and organisational measures to protect that data. |
| City of Dublin Education and Training Board (the "Training Board") | Irish DPC | €125,000 | The DPC found that the Training Board failed to implement adequate security measures, failed to notify the DPC and affected individuals promptly of a personal data breach affecting 13,000 student applicants, and otherwise failed to comply with its GDPR obligations. The DPC emphasised the need for security measures appropriate to the risk. |
| SIDECU | AEPD | €96,000 | The AEPD found that SIDECU committed violations involving biometric data. SIDECU implemented mandatory facial recognition as the sole method of member access to its sports centres, failed to carry out a DPIA weighing the risks and benefits of the biometric system, and did not adequately inform members about the use of facial recognition. |
| Atresmedia Corporación De Medios De Comunicación, S.A. ("Atresmedia") | AEPD | €30,000 | Atresmedia's website published a news item containing a video with violent content. Although the faces of the people in the video were pixelated, their voices remained recognisable. The AEPD found that Atresmedia breached the data minimisation principle. The initial €50,000 fine was reduced because Atresmedia acknowledged responsibility and paid voluntarily. |
Key US updates
Trump issues first Cyber Security executive order
The Trump administration has issued its first cybersecurity-focused executive order, outlining key policies to strengthen national cybersecurity. The order, signed on 6 June 2025, prioritises defending digital infrastructure, countering foreign cyber threats, reducing fraud, promoting private sector AI innovation and securing digital services. It directs federal agencies to update their incident response protocols, improve transparency about cyber incidents and, among other things, conduct routine cybersecurity exercises.
The executive order impacts numerous federal entities, including the Department of Defense, Cybersecurity and Infrastructure Security Agency ("CISA"), National Institute of Standards and Technology ("NIST"), and others, with deadlines set for 2025-2026 to implement updated cybersecurity frameworks and AI vulnerability management.
This order revises previous directives from earlier administrations, narrowing the scope of cyber threat actors to "any foreign person" and refocusing AI policies toward private sector innovation and federal agency adoption. It makes clear the administration's plan to create a straightforward approach to cybersecurity rules and AI management and points out how AI and cybersecurity are becoming more connected.
Despite these changes, core cybersecurity principles from prior executive orders remain, including the CISA's oversight role and compliance with NIST supply chain risk management practices. Overall, the order reflects a strategic shift towards streamlined compliance, while still maintaining a level of continuity for the US's broader cybersecurity goals.
Key US Cybersecurity law set to expire
Lawmakers in the US have until 30 September 2025 to reauthorise the Cybersecurity Information Sharing Act of 2015 ("CISA 2015"), which encourages the sharing of cyber threat information between the private sector and the federal government by providing a number of legal safeguards (including liability protections) for companies that share. Although renewal of CISA 2015 has been championed in both the private and public sectors, the former chair of the House Homeland Security Committee did not make reauthorisation a priority.
In a statement released this month, Gary Peters, the top Democrat on the Senate Homeland Security Committee, argued that failing to reauthorise CISA 2015 would "weaken our cybersecurity defences and send the wrong message to foreign adversaries, cybercriminals, and hacktivists looking to exploit vulnerabilities".
It remains to be seen whether Congress will renew CISA 2015, and what might replace it if its authority lapses.