Data Protection update - May 2025

Welcome to the latest edition of the Stephenson Harwood Data Protection update, covering the key developments in data protection and cyber security law in May 2025.
In data protection news, the House of Commons scraps amendments to the Data (Use and Access) Bill; the ICO publishes draft updates to its encryption guidance; the EDPB adopts an adequacy opinion on the European Patent Organisation and extends the deadline for renewal of the UK's adequacy decision; EU GDPR reforms are proposed; EU regulators are set to provide tech gatekeepers with guidance on EU data portability rules; UK and Canadian data protection authorities call for 23andMe customer protections; and the CBPR Forum launches its certification for data transfers.
In cyber security news, the UK government considers legislating on the cyber security of enterprise connected devices; and EU states are urged to transpose NIS2.
In enforcement and civil litigation news, TikTok could be fined 6% of its global turnover due to a preliminary finding that it has breached the DSA; Microsoft's alleged adtech data breach sparks the first Irish claim under the Collective Redress Directive; the victims of a Post Office data breach are set to receive compensation; Meta is given the green light by a German court and the Irish regulator to use user data to train AI; Croatia is probing DeepSeek's potential GDPR violations; judicial authorities' obligations to provide access to personal data in court files are addressed by the Netherlands Supreme Court; and Meta's challenge to the EDPB's consent or pay opinion is dismissed.
Data Protection
- House of Commons scraps amendments to the Data (Use and Access) Bill
- ICO publishes draft updates to encryption guidance
- EDPB adopts Opinions on the Commission's adequacy decisions relating to the UK and the European Patent Organisation
- EU GDPR reforms proposed
- EU regulators to provide tech gatekeepers with guidance on DMA data portability rules
- UK and Canadian data protection authorities call for 23andMe customer protections
- Global CBPR certification announced
Cybersecurity
- UK government considers legislating on cyber security of enterprise connected devices
- EU states urged to ensure a high common level of cybersecurity
Enforcement and Civil Litigation
- TikTok faces preliminary findings of DSA breaches
- Microsoft's alleged ad tech data breach sparks first Irish Collective Redress Directive claim
- Compensation for Post Office data breach victims
- Meta given the green light from German court and Irish regulator to continue to use EU user data to train AI
- Croatia probing into DeepSeek's potential EU GDPR violations
- Judicial authorities' right of access obligations in respect of court files addressed by Dutch Supreme Court
- Meta's challenge to the EDPB's consent or pay opinion dismissed
- Round up of enforcement actions
Key US updates
- Connecticut passes new data-privacy law and introduces new protections for children
- Meta owed $168 million by intelligence-gathering company
- Google on the hook for $1.38 billion in Texas
Data Protection
House of Commons scraps amendments to the Data (Use and Access) Bill
In a recent development in the fiercely debated Data (Use and Access) Bill (the "DUA Bill"), the Lords voted 289 to 168 in favour of amending the DUA Bill to, among other things, (i) narrow the definition of "scientific research"; (ii) introduce a threshold for the reasonableness test in relation to the use of personal data for scientific research; and (iii) grant the power to introduce safeguards to fulfil the reasonableness test.
The amendment narrows the definition to "any creative and systematic work undertaken in order to increase the stock of knowledge, including knowledge of humankind, culture and society, and to devise new applications of available knowledge" and introduces safeguards stating that any scientific research "must be conducted according to appropriate ethical, legal and professional frameworks, obligations and standards". The amendment appears aimed at narrowing the ability to rely on the scientific research provisions in UK data protection law in respect of commercial research.
In contrast, the government's definition deems "scientific research" to be any research that can "reasonably" be described as scientific, regardless of funding source or whether it is carried out as a commercial or non-commercial activity.
Negotiations on the DUA Bill between the Houses continue. We discussed Baroness Kidron's amendments to the DUA Bill on AI and copyright in our most recent edition of Neural Network, and the most recent article in our DUA Bill series can be read here.
ICO publishes draft updates to encryption guidance
On 13 May 2025, the Information Commissioner's Office ("ICO") released draft updated guidance on encryption in the context of the UK GDPR (the "encryption guidance"). Article 32(1)(a) of the UK GDPR identifies encryption as a specific data security measure that controllers and processors should consider implementing, to manage potential processing risks.
The encryption guidance is designed to help organisations use encryption and comply with Article 5(1)(f) of the UK GDPR, which requires controllers to process personal data in a way that ensures appropriate security.
One key point that emerged from the update is the need for proper management and algorithm strength to ensure effective protection. The encryption guidance also clarifies and defines the encryption process by reference to practical scenarios in line with the ICO's "must, should, could" framework. For example, where encryption can be used as a risk mitigation measure when using body cameras, the updated encryption guidance notes that users "should" make sure that data is protected by using an encrypted wireless communication link, while the older guidance merely notes that encrypted wireless communication links "may" be used. Similar updates are in place for the encryption of emails, the cloud, CCTV and drones, among others.
The encryption guidance highlights the need for organisations to keep encryption processes up to date and to be aware of the security risks that come with technological advancement.
You can read the updated guidance here. Feedback on the draft guidance can be submitted here, until 24 June 2025.
EDPB adopts Opinions on the Commission's adequacy decisions relating to the UK and the European Patent Organisation
On 5 May 2025, the European Data Protection Board (the "EDPB") announced its adoption of two Opinions, both of which were requested by the European Commission (the "Commission").
The first Opinion concerns the Commission's Draft Implementing Decision on the adequacy of personal data protection by the European Patent Organisation (the "EPO"), which - once formally adopted by the Commission - would be the first adequacy decision focused on an organisation, rather than a country or region. The EPO is a public international organisation and receives personal data in connection with its authority to grant patents in Europe under the European Patent Convention.
The second Opinion concerns the UK's adequacy decisions under the EU GDPR and the Law Enforcement Directive, which were due to expire on 27 June 2025. This Opinion grants a six-month extension to the adequacy decisions, allowing the Commission time to evaluate the updated UK legal framework under the DUA Bill, which is expected to be enacted into law later this year. The EDPB clarified that this Opinion does not aim to assess the level of personal data protection in the UK, but merely to ensure that adequate protection for data transferred from the European Union to the UK continues until 27 December.
While this Opinion creates short-term certainty for organisations transferring data to the UK, businesses should be alive to the fact that there might still be regulatory shifts, particularly in light of the DUA Bill, which is still being negotiated.
EU GDPR reforms proposed
As the EU GDPR approaches its ninth anniversary, the Commission is proposing targeted reforms aimed at easing compliance burdens, particularly for growing businesses (the "Proposal"). The Proposal is designed to support business competitiveness without diluting data protection standards.
The Proposal considers, among other things, amending Article 30 of the EU GDPR in two ways. Currently, Article 30 exempts SMEs with fewer than 250 employees from maintaining a record of data processing activities ("RoPA") unless the processing is likely to result in a risk to data subjects' rights and freedoms. The Proposal raises this threshold to 750 employees and narrows the carve-out from the exemption so that the RoPA obligation would apply only to processing likely to result in a "high risk" to individuals' rights or involving special category data.
This Proposal has been cautiously welcomed by the EDPB and the European Data Protection Supervisor, who stress that even small entities can conduct high-risk processing.
On a separate note, additional reforms aim to encourage the drafting and implementation of data protection codes of conduct and certification schemes in line with Articles 40 and 42 of the EU GDPR, with a new focus on the needs of small and mid-cap companies.
These changes, while limited, mark a potential shift in how EU GDPR obligations are scaled to business size and risk. Businesses should monitor developments closely and prepare to reassess compliance strategies as legislative changes unfold.
The Proposal can be accessed here.
EU regulators to provide tech gatekeepers with guidance on DMA data portability rules
Ireland's Data Protection Commission ("DPC") has confirmed that the companies Alphabet, Amazon, ByteDance, Meta and Microsoft are due to receive guidelines from EU regulators on the interplay between the EU's data protection rules and the Digital Markets Act ("DMA"), which is targeted at tech "gatekeepers".
This guidance, drafted by both the Commission and the EDPB, will focus on the interaction between the DMA and the EU GDPR. This is because both pieces of legislation contain rules governing how companies should share data. Under the DMA, data provided by a user and generated by a user's activity on the platform including via messages, history and preferences must be provided to the user (or any third parties authorised by the user). In contrast, under the EU GDPR, data can only be shared in a lawful, fair and transparent manner, and with specific, explicit and legitimate purposes. Companies are struggling to comply with both pieces of legislation when, for example, the authorised third parties are data brokers or entities outside the EU. The guidelines will hopefully provide some clarity on this issue.
UK and Canadian data protection authorities call for 23andMe customer protections
On 1 May 2025, the Information Commissioner's Office ("ICO") and the Office of the Privacy Commissioner of Canada ("OPC") issued a joint letter to the US Trustees involved in 23andMe's bankruptcy proceedings. The letter emphasises the need to protect the sensitive personal data of 23andMe's customers during and after the bankruptcy process, highlighting the need for compliance with data privacy laws in the UK and Canada.
The ICO and OPC are jointly investigating a data breach at 23andMe, with the ICO having issued provisional findings and a Notice of Intent to impose a £4.59 million fine, as noted in a previous edition of this update. The ICO and OPC stress that both the trustees for 23andMe and any potential buyer must adhere to the UK GDPR and the Canadian Personal Information Protection and Electronic Documents Act.
23andMe holds highly sensitive data, including genetic data and self-reported health conditions, and both the ICO and OPC have released statements expressing concern over the protection of the data. The ICO insists that any buyer must comply with UK GDPR, ensuring personal data is used only for its original purposes and safeguarded with strong security measures – this is seen as integral in preventing unauthorised use or misuse.
The ICO and OPC welcome the appointment of a Consumer Privacy Ombudsman to oversee data protection during the bankruptcy proceedings, as it underscores the importance of safeguarding consumer data amidst financial restructurings.
It will be interesting to see how this plays out, given that case law, in the UK at least, states that it is potentially lawful for an insolvency practitioner to determine that it is not in the interests of creditors to comply with certain data protection law obligations.
Global CBPR certification announced
On 28 May 2025, the Global Cross-Border Privacy Rules ("CBPR") Forum, consisting of nine member countries (Australia, Canada, Japan, the Republic of Korea, Mexico, the Philippines, Singapore, Chinese Taipei and the United States), announced the launch of the first global CBPR certification.
The certification was proposed to address the fragmentation of data transfer restrictions worldwide. Although it does not safeguard transfers as required by the EU or UK GDPR, it will allow organisations to transfer data smoothly across all participating countries, in line with national law requirements of those jurisdictions.
Companies headquartered in a participating country can apply for the certification from 2 June 2025. Applicants must demonstrate that they follow the requirements issued by the CBPR Forum, which map to the OECD privacy guidelines. This will be verified by an Accountability Agent prior to the applicant being granted the certification.
The certification builds on the original Asia-Pacific Economic Cooperation ("APEC") CBPR system, which means that around 100 APEC-certified organisations, such as IBM and Mastercard, will be permitted to convert their certifications into the global one.
Cybersecurity
UK government considers legislating on cyber security of enterprise connected devices
On 12 May 2025 the Department for Science, Innovation & Technology ("DSIT") published a call for views on the cyber security of enterprise connected devices (the "Call for Views").
In May 2022, in conjunction with the National Cyber Security Centre, DSIT published eleven principles aimed at guiding manufacturers in the secure design of enterprise connected devices. DSIT is proposing to turn these principles into a voluntary Code of Practice for Enterprise Connected Device Security (the "Code of Practice"), which would then be used as the foundation for a series of proposed policy interventions.
The Call for Views is open from 12 May to 7 July 2025 and gives stakeholders the chance to provide feedback on (i) the proposal to repurpose the principles; and (ii) the proposed policy interventions that may be enacted if the Code of Practice is created.
Through an online survey form, DSIT is encouraging stakeholders to provide any data on the financial and wider impact associated with the proposed interventions (which DSIT assures will be treated confidentially). Once the Call for Views has closed, DSIT plans to publish a government response providing an overview of the key themes arising from the Call for Views.
EU states urged to ensure a high common level of cybersecurity
The Commission sent a reasoned opinion to 19 Member States (Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, the Netherlands, Austria, Poland, Portugal, Slovenia, Finland and Sweden) for failing to notify the Commission of the full transposition of the NIS2 Directive ("NIS2"). A reasoned opinion is a formal request sent by the Commission to a Member State, stating the Commission's belief that the Member State is failing to comply with EU law and setting a deadline for the Member State to rectify the situation. EU Member States were required to transpose NIS2 into national law by 17 October 2024 and were given 21 months' notice to do so.
NIS2 updates and expands the scope of the Directive on the security of network and information systems ("NIS"). NIS2 aims to enhance cybersecurity across the EU, targeting entities in critical sectors such as communications, ICT, digital services, waste management, space, health, energy, transport, manufacturing, postal services and public administration. Effective implementation is crucial for boosting resilience and incident response capabilities in these sectors and in the EU overall.
The Commission has given the 19 Member States two months to respond to the reasoned opinion and transpose NIS2 into their national laws. Failure to comply may lead the Commission to refer the case to the Court of Justice of the European Union (the "CJEU").
Enforcement and Civil Litigation
TikTok faces preliminary findings of DSA breaches
The Commission has issued preliminary findings indicating that TikTok could be in breach of its advertising transparency obligations under the EU Digital Services Act ("DSA"). It is alleged that TikTok has failed to publish a compliant advertisement repository - a digital library that contains details of ad contents, users targeted, and who pays for the advertising - which is a critical tool, designed to work in the public interest to detect scam and fake advertisements. TikTok's existing repository does not allow the public to effectively search and access the listed data, significantly undermining its transparency.
The Commission's preliminary findings are based on its investigation, including analysis of internal documents, practical testing of TikTok’s systems, and expert interviews. While these findings do not yet represent a definitive conclusion, they formally inform TikTok of the Commission's view that a breach of the DSA has occurred.
TikTok is reviewing the Commission's findings and has the opportunity to examine the evidence and respond in writing. Simultaneously, the European Board for Digital Services will be consulted. Should the Commission confirm its position, it may issue a decision that could potentially trigger a fine of up to 6% of TikTok’s global annual turnover plus periodic penalties. TikTok is only the second platform to receive a warning from the EU under the DSA, after a preliminary finding against social media site X was released in 2024.
Microsoft's alleged ad tech data breach sparks first Irish Collective Redress Directive claim
The Irish Council for Civil Liberties ("ICCL") has applied to the Irish High Court to launch Ireland’s first claim under the new Collective Redress Directive. This case has been brought by the ICCL on behalf of all affected Irish residents in connection with Microsoft's compliance with the EU GDPR. The lawsuit targets Microsoft’s use of real-time bidding ("RTB") in its advertising systems, which ICCL claims constitutes a major data breach affecting millions of data subjects in Ireland. ICCL alleges that highly sensitive information — including financial status, health, or even national security roles — was broadcast through Microsoft’s RTB system. RTB involves the sharing of personal data with third parties for ad placement by websites auctioning ad space in real time.
If successful, the outcome could have wide-reaching implications for Microsoft, whose European headquarters is in Ireland, and for its operations across the European Economic Area. Microsoft services potentially affected include Windows, Xbox, Office, Outlook, and any platform using its Xandr ad tech.
The lawsuit follows ongoing RTB-related investigations into Google and others since 2018.
Compensation for Post Office data breach victims
In June 2024, the Post Office accidentally leaked the names and addresses of hundreds of former post office operators, many of whom were wrongfully convicted in the Horizon IT scandal. As a result, the Post Office has agreed to compensate affected individuals, with payments capped at £5,000, although higher claims can be pursued. Victims will receive either £5,000 or £3,500 depending on whether the leaked address was current. It is reported that 348 victims have already received payments.
The breach is reported to have had an ongoing emotional and psychological toll on the victims, exacerbated by the delay in resolving the issue. The Post Office said that it is cooperating with the ICO and has issued an apology.
Meta given the green light from German court and Irish regulator to continue to use EU user data to train AI
Consumer protection groups aiming to block Meta from using Facebook and Instagram EU user data to train its artificial intelligence systems have seen their injunction rejected by a German High Court. The Higher Regional Court in Cologne (the "Court") ruled that Meta's data use does not violate EU law (in particular, the DMA) and Meta's use of publicly available user data is justified, as its interests in data processing take precedence over individual user concerns. The decision is not open to appeal.
The Court found that training AI with user data is permissible even without individual user consent, emphasising that such training could not be achieved by less intrusive means. The judges noted that Meta plans to use only publicly available data on sites such as Facebook, Instagram and WhatsApp (such as content already accessible via search) and has taken steps to mitigate user impact, including providing notifications through its mobile apps about how users can opt out of their data being used in this way. Any content shared on a public profile, for example photos, videos, captions, stories or reels, may also be used to train Meta's AI systems. Users will be given the option to opt out, although this will not apply retrospectively.
Meta said it intended to begin using the data for AI model training on 27 May.
In Ireland, the DPC recently announced that it has approved Meta's use of users' personal data to train its AI model following Meta's implementation of several conditions, as also noted by the Court.
The Court's and the DPC's decisions indicate their support for reliance on legitimate interests as the legal basis for training certain AI models.
Croatia probing into DeepSeek's potential EU GDPR violations
DeepSeek, a Chinese artificial intelligence company, is being investigated by the Croatian privacy watchdog for possible violations of EU data protection laws. The director of the Croatian Data Protection Agency said that he was watching the outcome of a similar investigation into DeepSeek being conducted by the Irish DPC as DeepSeek was "obviously not complying with the GDPR".
This latest investigation in Croatia follows action taken by the South Korean privacy regulator – the first major regulatory action against DeepSeek globally - which flagged serious privacy issues regarding DeepSeek's conduct. This was discussed in our most recent edition of Neural Network.
DeepSeek restarted its services in South Korea in April 2025 after agreeing to carry out a series of recommended corrective measures.
Judicial authorities' right of access obligations in respect of court files addressed by Dutch Supreme Court
The Dutch Supreme Court has ruled that Article 15 of the EU GDPR (granting the right to access personal data) does not automatically require judicial authorities to grant access to, or provide copies of, files containing personal data. Instead, access to complete documents or files must be evaluated on a case-by-case basis, and the focus must be on whether the access allows the data subject to verify the accuracy and completeness of the data in the particular file, in line with Article 15's purpose. The case in question considered whether an applicant could access or obtain copies of documents from files relating to a case involving child protection measures. The decision provides insight into how the EU GDPR applies to judicial authorities.
Meta's challenge to the EDPB's consent or pay opinion dismissed
The EU's lower-tier General Court has dismissed the challenge by Meta Platforms Ireland ("Meta") to the EDPB's opinion on the "consent or pay" model. The EDPB's opinion included a statement that large online companies cannot give users a binary option between targeted advertising and payment.
Meta had claimed damages and asked the General Court to declare the opinion null and void, arguing that changing the status quo would significantly harm its advertising and subscription revenues. The General Court dismissed the challenge on the ground that the opinion is not legally binding on Meta and is instead a means of guiding EU data protection authorities. Because the opinion produces no binding legal effects, it cannot be challenged, which made Meta's complaint inadmissible and without foundation in law.
Meta has two months to appeal to the CJEU on points of law, should it wish to do so.
Round up of enforcement actions
| Company | Authority | Fine/enforcement action | Comment |
| --- | --- | --- | --- |
| Acea Energi ("Acea") | Italy | €3,000,000 | Investigations revealed that Acea had aggressively used contact lists of recent energy switchers, and it was fined for unlawful telemarketing and the misuse of personal data. These contact lists were used without consent or a proper privacy notice. Alongside the fine, Acea was ordered to report the results of the investigation to all affected data subjects. An additional fine totalling €850,000 was handed out by the Italian DPA to the other companies involved. |
| ARSAC | Italy | €50,000 | ARSAC monitored its employees' locations via geolocation data without proper consent, resulting in several violations of the EU GDPR (specifically, Articles 5, 6, 13, 25 and 88). These included, among other things, lacking a legal basis for processing, failing to conduct a proper data protection impact assessment and failing to provide adequate information. |
| Temu | South Korea | 1.386 billion Korean won (approx. £750,000) | Temu was fined for violating Korea's Personal Information Protection Act through its improper management of cross-border transfers of user data. It was found that a subsidiary of Temu had stored personal data with foreign business operators in China, Singapore and Japan without user consent. Additionally, Temu had failed to appoint the necessary domestic agent and hindered data subjects' rights by complicating the membership withdrawal process. |
| Banco Bilbao Vizcaya Argentaria ("BBVA") | Spain | €120,000 | Following an individual complaint, BBVA was given a reduced fine of €120,000 (originally €200,000) for failing to comply with the EU GDPR by processing data without consent. Specifically, BBVA signed a consent form on behalf of an individual without that individual's consent. The fine was reduced because BBVA voluntarily paid it and acknowledged its non-compliance. |
| Darwin Bishop trading as ECO4U ("Sole Trader") | United Kingdom | £50,000 | The Sole Trader was fined after making over 194,000 unlawful marketing calls. The Sole Trader made the calls to people on the UK's "do not call" register and further suggested that he was calling regarding a government scheme and grants for new boilers and solar panels. The investigation began in October 2023 after several complaints. The investigation found that the Sole Trader was knowingly failing to adhere to marketing call rules. Specifically, he failed to sufficiently identify himself to the people he called and to take reasonable steps to comply with the law. |
Key US updates
Connecticut passes new data-privacy law and introduces new protections for children
The Connecticut Senate has approved amendments to the state's consumer privacy law, enhancing protections under the Connecticut Data Privacy Act, and the House has passed a separate bill restricting online platforms from using algorithms to target minors without parental consent.
These changes broaden the definition of sensitive data to include precise geo-location, biometrics, and personal information of children, while establishing a data broker registry and tightening consent requirements. The applicability threshold now covers businesses processing data from 35,000 residents, down from 100,000.
The amendments also add consumer rights, such as the ability to know if their data is used for profiling and prohibiting targeted advertising to children.
In addition, the Connecticut House of Representatives passed a bill restricting algorithm-based content targeting of minors without parental consent. Platforms must verify user age and limit access to algorithm-generated content; however, there are carve-outs, which include streaming and educational services. The bill faces opposition from NetChoice, a tech industry group, citing First Amendment concerns and risks to minors' data privacy.
Connecticut's efforts reflect a broader trend to balance consumer privacy with technological advancements, emphasising data security and protection, particularly for minors.
Meta owed $168 million by intelligence-gathering company
A US federal judge has ruled that the owner of intelligence-gathering software Pegasus, NSO Group Technologies ("NSO"), must pay Meta Platforms almost $168 million in damages.
This decision comes after it was found that NSO had installed Pegasus on the phones of around 1,400 people through Meta's messaging app WhatsApp in contravention of US law. NSO had sent executable code to the WhatsApp users, which caused their phones to reach out to a third-party server and download Pegasus. Once the software was installed, it gave the third party unlimited access to the phone's data.
Meta sought $444,719 in compensatory damages (which was awarded) and an unspecified amount in punitive damages (this came to the sum of $167,254,000) in response to NSO's actions.
Google on the hook for $1.38 billion in Texas
Google has settled with the Texas Attorney General over privacy claims, agreeing to pay the state of Texas $1.38 billion. The settlement will be the biggest privacy settlement with a US regulator in Google's history. The settlement covers two separate claims that were filed in 2022 regarding "Incognito Mode", users' location history and biometrics-related allegations.
Despite the settlement, Google did not admit any wrongdoing and maintained that the claims were based on out-of-date policies and frameworks that have already been amended.