
Data, Privacy and Cyber in June 2025: In Case You Missed It


By Hans Allnutt, Jade Kowalski, Charlotte Halford & Peter Given


Published 03 July 2025

Overview

Our 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments from June 2025.

 

Contents

  1. Case Law Updates
  2. Regulatory Developments
  3. Data & Privacy Developments
  4. Cyber Developments

 

Case Law Updates

Equiniti group litigation appeal heard in Court of Appeal

The Court of Appeal has heard an appeal in respect of a High Court decision against Equiniti. The appeal relates to a claim by approximately 450 pension members who alleged that a data breach had occurred through the sending of pension statements containing personal data to outdated addresses.

The High Court struck out all but 14 of the claims on the basis that only those 14 parties could show that their letters had been opened and/or read by third parties. The struck-out claimants appealed on the basis that the High Court judge had been wrong to find that data protection claims could only proceed if a data breach resulted in publication of data to third parties.

We have previously commented on the High Court decision and the implications here.

 

Upper Tribunal hears Clearview AI appeal

The Upper Tribunal has heard an appeal from the Information Commissioner's Office (ICO) in relation to a 2023 decision by the First-tier Tribunal to overturn a £7.5 million fine issued to Clearview AI. We commented on the decision of the First-tier Tribunal here.

The intervener in the appeal, Privacy International, published a copy of its skeleton argument, which can be found here. We will comment on the decision of the Upper Tribunal when it is handed down.

 

Regulatory Developments

Data (Use and Access) Act passes

Following a lengthy period of ping-pong between the Houses of Commons and Lords, the Data (Use and Access) Act has now reached the end of its journey through Parliament and recently received Royal Assent. Many of the key provisions, including those set out below, will take effect at a future date when regulations confirming commencement are laid by the Secretary of State.

Government guidance confirmed that the changes to data protection law within the Act will be commenced in stages, 2 to 12 months after Royal Assent.

The ICO also published a suite of guidance to support organisations and the public on the effects of the changes, which can be found here.

Some of the headline changes to be introduced include:

  • The creation of a new lawful ground of 'recognised legitimate interests'. This is a limited, exhaustive list of necessary processing which will not require the usual balancing test to be carried out; the list consists of national security, public security and defence, emergencies, crime, and the safeguarding of vulnerable individuals.
  • Clarification of the rules around purpose limitation principles. Whilst the concept of purpose limitation and incompatible purposes is maintained, specific provisions have been added to aid controllers when determining if a new purpose is compatible with the original purpose.
  • Processing for research purposes is clarified, with definitions for "scientific research", "historical research" and "statistical research" now provided, together with tweaks to consent requirements for scientific research.
  • Replacing the current 'rights' in relation to solely automated decision-making (ADM) with new Articles 22A-D, allowing for the use of ADM in lower-risk scenarios whilst maintaining the prohibition for ADM using special category data except in certain circumstances.
  • Targeted amendments to the Privacy and Electronic Communications Regulations providing the Information Commissioner's Office (or the Information Commission as discussed below) with the same enforcement powers as under the UK GDPR or Data Protection Act.
  • The reform of the regime for assessing the adequacy of third countries to a "data protection test" which focuses on risk-based decision-making and outcomes. That test will be met if the standard of data protection is "not materially lower" than that provided under UK law.
  • Alternative transfer mechanisms will remain subject to appropriate safeguards but determined by reference to the data protection test and based on “reasonable and proportionate” assessment of the relevant recipient.
  • The ICO will cease to exist in its current guise, to be replaced by the Information Commission with a statutory board, chair, and chief executive. This will bring the structure of the regulator into line with other UK regulators such as Ofcom and the FCA.
  • The Information Commissioner (both prior to and after the structure change takes place) will now be required to provide a strategy for the discharge of the ICO's functions and also an analysis of its performance. The Commission will also be given the power to compel witnesses to attend interviews, although the application and use of this power is likely to be limited.

 

23andMe fined £2.31 million for inadequate security measures

The genetic testing company, 23andMe, has been fined £2.31 million by the ICO for failing to implement appropriate security measures to protect the personal information of UK users, which was compromised during a cyber attack in 2023. The ICO penalty notice can be found here.

Concluding a joint investigation with the Office of the Privacy Commissioner of Canada, the regulators found that between May 2018 and December 2024, 23andMe had breached GDPR by failing to implement appropriate authentication and verification measures, such as mandatory multi-factor authentication, secure password protocols, or unpredictable usernames. The company also did not have effective systems in place to monitor, detect or respond to cyber threats targeting customers' sensitive information.

 

ICO secures eight convictions following nuisance call investigation

The ICO welcomed the convictions of eight individuals following an investigation into nuisance calls by the regulator. The defendants were found to have conspired to access and obtain the personal data of individuals from vehicle repair garages without their consent. This personal data was then used to make nuisance calls relating to the pursuit of personal injury claims.

The ICO press release following the convictions is here.

 

EDPB adopts guidelines on data transfers to third country authorities

The European Data Protection Board (EDPB) has adopted the final version of the guidelines on data transfers to third country authorities. The guidelines clarify how organisations can best assess the conditions under which they can lawfully respond to requests for a transfer of personal data from non-European countries. Judgments or decisions from these third country authorities cannot be automatically enforced or recognised in Europe, but as a general rule, an international agreement may provide for both a legal basis and a ground for transfer.

The finalised guidelines can be accessed here.

 

European Commission confirms UK data adequacy extension

As expected, the European Commission has confirmed that the six-month extension to the UK's data adequacy decision is now in place. The decision will now expire on 27 December 2025. The implementing decision is accessible here.

 

Irish Data Protection Commission launches 2024 Annual Report

Launching its Annual Report for 2024, the Data Protection Commission (DPC) confirmed that it had finalised 11 inquiry decisions which resulted in administrative fines of EUR652 million. Significant decisions included the issue of a EUR310 million fine on LinkedIn, and a combined EUR251 million in fines to Meta.

Breach notifications to the DPC also increased 11% compared to the previous year, with half of these notifications relating to correspondence being sent to the incorrect recipient. The full Annual Report can be accessed here.

 

DPC concludes investigation into facial matching technology

The DPC has announced its final decision in respect of an inquiry into the Department of Social Protection (DSP). This inquiry, which commenced in July 2021, examined the DSP's processing of biometric facial templates, and usage of associated facial matching technologies, as part of a registration process for the Public Services Card. The DPC concluded that the DSP had failed to identify a valid lawful basis for the collection of biometric data, had failed to put in place suitably transparent information for data subjects, and had failed to include details in the Data Protection Impact Assessment.

The DSP was reprimanded, fined EUR550,000 and ordered to cease the processing of biometric data in connection with the registration process within 9 months in the absence of a valid lawful basis. The DPC press release can be found here. The full decision will be published in due course.

 

Data & Privacy Developments

ICO issues draft guidance on Internet of Things (IoT) products and services

The ICO issued draft guidance for developers of IoT products and services to ensure that they offer a legally adequate level of data protection. IoT products include those identified as 'smart' products such as smart speakers, fitness trackers, Wi-Fi fridges and interconnected air fryers. The guidance covers areas such as asking for informed consent, how to provide transparent privacy information and tools needed for people to be able to exercise their rights over their data.

Our team has prepared an analysis of this draft guidance, which can be found here.

 

ICO launches AI and biometrics strategy

The ICO has launched a new biometrics and AI strategy which aims to ensure that organisations are developing and deploying new technologies lawfully, supporting them to innovate and grow while protecting the public.

The strategy sets out that the ICO will set clear expectations for responsible AI through a statutory code of practice, work with developers to ensure generative AI models are lawfully trained, and ensure that automated decision-making and facial recognition technology protect people's rights.

 

European Commission launches consultation on high-risk AI systems

The European Commission has launched a consultation to collect practical examples and clarify issues relating to high-risk AI systems.

The Commission is required to provide guidelines specifying the practical implementation of Article 6 of the AI Act, which sets out the rules for high-risk classification, by 2 February 2026. Consultation feedback will be used to support these guidelines, as they are required to be accompanied by a comprehensive list of practical examples of use cases of AI systems that are high-risk and not high-risk. The consultation will be open until 18 July 2025.

 

Data Protection Commission confirms WhatsApp advertising model in 2026

Meta, the owner of WhatsApp, recently confirmed that new features would be introduced into the application including targeted advertisements and a subscription model. It is understood that the targeted advertisements will be based on user data from Facebook and Instagram.

In response, consumer groups such as noyb expressed concern about these changes, stating that procedures would be initiated against Meta in the event that GDPR is breached. Responding to these concerns, the DPC advised news organisations (such as Politico) that the advertising model would not be introduced in the EU until 2026.

 

EDPB responds to Commission consultation on protection of minors

In May, the European Commission commenced a consultation, ending 10 June 2025, seeking feedback on guidelines aimed at protecting minors online in line with the requirements of the Digital Services Act.

The EDPB has published its comments on those guidelines, which can be found here, ranging from general remarks to more concrete suggestions on parts of the guidelines.

 

French DPA publishes GDPR financial benefit assessment

The French data protection authority, CNIL, has published an analysis of the economic impact of GDPR on cybersecurity, identifying that GDPR has helped to combat underinvestment by companies in cybersecurity.

The quantified analysis of the financial impact of GDPR on identity theft noted that between EUR90 million and EUR219 million in losses have been avoided since 2018 in France, and up to EUR1.4 billion across the EU as a whole. The summary of the report is here (French language).

 

Cyber Developments

Insurance Europe calls for simplification of EU cybersecurity regulation

Following the conclusion of the European Commission's consultation on the Cybersecurity Act as part of the digital omnibus initiative, Insurance Europe has published its response. The response welcomes the proposals to simplify cybersecurity reporting, noting that "aligning cyber reporting mechanisms under different pieces of legislation and centralising the notifications would help companies to not repeat submissions of notifications."

 

NCSC urges response to the quantum computing threat

The Chief Technology Officer of the NCSC has called on organisations to recognise the significant threat that quantum computing poses to the cryptography in use today, arguing that preparation will require a "complex change programme that makes fixing the Millennium Bug look easy." The NCSC blog can be found here.

 

EU issues roadmap for use of post-quantum cryptography

EU Member States, supported by the Commission, have issued a roadmap and timeline to start using cryptography designed to withstand attacks by quantum computers, so-called post-quantum cryptography (PQC). The document, prepared by the NIS Cooperation Group, sets out a number of recommendations for a synchronised transition to the use of PQC.

The document also presents a recommended timeline for the transition to PQC with reference to the current development stages for quantum computing. First steps are recommended by the end of 2026, with high-risk use cases transitioned to PQC by the end of 2030. The roadmap and timeline can be accessed via this link.

 

EU Cybersecurity Index published

The European Union Agency for Cybersecurity (ENISA) has published the EU Cybersecurity Index for 2024, in collaboration with Member States. The report can be accessed here.
