Data, Privacy and Cyber in October 2025: In Case You Missed It

By Hans Allnutt, Jade Kowalski, Peter Given & Charlotte Halford

Published 06 November 2025

Overview

Our 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments from October 2025.

 

Contents

  1. Case Law Updates
  2. Regulatory Developments
  3. Data & Privacy Developments
  4. Cyber Developments

 

Case Law Updates

The Information Commissioner v Clearview AI Incorporated [2025] UKUT 319 (AAC)

In 2023, the First-tier Tribunal ruled that the Information Commissioner did not have the jurisdiction to issue a £7.5 million GDPR fine to Clearview AI, or a GDPR enforcement notice ordering it to stop using publicly available data on UK residents and to delete that data from its systems. Our team commented on the FTT decision here.

The Information Commissioner appealed the FTT decision to the Upper Tribunal. The Upper Tribunal upheld three of the four grounds of appeal. It has been reported that Clearview AI will be appealing the decision.

Our team has analysed this decision in greater detail here [INSERT LINK].

 

OC v European Commission (Case T-384/20)

The General Court ordered that the European Commission pay EUR 50,000 in damages to a Greek scientist following the publication of a press release in 2020 by OLAF, the European Anti-Fraud Office. The General Court found that although not named, the scientist was identifiable based on the information contained in the press release including her nationality, gender and age.

The scientist alleged that the press release resulted in the unlawful processing of her data and conveyed false information about her, namely an implication that she had committed fraud. The scientist was able to establish the existence of non-material damage to her reputation and her professional career, and damage to her physical and psychological health.

The judgment can be found here.

 

Regulatory Developments

Capita fined £14 million by ICO for 2023 data breach

The ICO has issued a fine in the total sum of £14 million to Capita for failing to ensure the security of personal data that resulted in a 2023 data breach. The personal information of around 6.6 million individuals was stolen, including sensitive data such as criminal records, as well as financial and special category data.

The ICO's provisional intention was to fine Capita £45 million, but following representations from Capita and mitigating factors, a voluntary settlement was agreed.

For clarification, a fine of £8 million was issued to Capita plc in its capacity as data controller, and Capita Pension Solutions Limited was issued a fine of £6 million, in its capacity as data processor. The full Monetary Penalty Notice can be accessed here, and the ICO press release is here.

 

ICO issues enforcement notice to South Wales Police

The ICO has issued an enforcement notice to South Wales Police having found serious delays in handling subject access requests (SARs). As of August 2025, South Wales Police had over 350 overdue SARs. The ICO has ordered the clearance of the backlog by June 2026. The enforcement notice can be accessed here.

 

EDPB adopts opinion on the proposed extension of UK adequacy decisions

The European Data Protection Board has adopted two opinions on the European Commission’s draft decisions extending the validity of the UK adequacy decisions under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) until December 2031.

In respect of the GDPR, the EDPB noted that the changes "introduced to the UK’s data protection framework [via the Data (Use and Access) Act] aim to clarify and facilitate compliance with the law. Some aspects of the draft decision could be further clarified."

The EDPB notes that the regulatory powers granted to the Secretary of State in respect of automated decision-making, the governance of the ICO and international transfers require further monitoring by the Commission. The EDPB encourages the Commission to further elaborate its assessment and to monitor the rules on transfers from the UK to third countries, as the new UK adequacy test does not refer to the risk of government access, the existence of redress for individuals or the need for an independent supervisory authority. The EDPB press release and a link to the opinion can be found here.

 

First civil penalties ordered under the Australian Privacy Act

The Federal Court in Australia has issued the first civil penalties under the Privacy Act 1988, following a data breach that resulted in the unauthorised access to and exfiltration of the personal information of over 223,000 individuals. Medlab Pathology, a subsidiary of Australian Clinical Labs (ACL), was the subject of a cyber attack in 2022. ACL was found to be in breach of Australian Privacy Principle 11.1(b), established by the Privacy Act, constituting an interference under Section 13 of the Act with the privacy of the 223,000 individuals whose personal information was accessed.

ACL was found to have failed to take reasonable steps to protect personal information held by Medlab, to assess whether a data breach had occurred, and to provide a statement to the Office of the Australian Information Commissioner (OAIC). Penalties totalling AU$5.8 million were imposed on ACL.

In 2022, the Privacy Act was amended to increase the maximum penalties and to provide the OAIC with enhanced enforcement and information-sharing powers. The penalties were imposed under the penalty regime in force at the time of the contravention; penalties under the new regime could potentially be much higher.

The Federal Court judgment can be found here, and the OAIC press release can be found here.

 

Dutch court orders Meta to offer chronological content feeds

In early October, the Amsterdam District Court ordered Meta to provide users of Facebook and Instagram with a chronological content feed that can be preserved and does not revert to a timeline based on profile recommendations. The existing structure was found to be in violation of the Digital Services Act. Users were able to choose a chronological or other non-profiled timeline, but this choice was not maintained when users navigated to different sections of the platforms in question or closed and then reopened the app or website.

Meta was ordered to introduce the changes within two weeks of the judgment, with a fine of EUR 100,000 for each day after the deadline on which the changes are not in place (up to a maximum of EUR 5 million). However, in late October, the Amsterdam Court of Appeal confirmed that the order had been suspended until 31 December 2025, giving Meta more time to make the necessary amendments. The Court of Appeal summary (in Dutch) can be found here, as can the judgment (also in Dutch).

 

European Parliament approves rules to refine cross-border GDPR enforcement

The European Parliament has approved a number of measures aimed at improving cooperation between national data protection authorities when they enforce the GDPR in cross-border cases. The proposals include:

  • The harmonisation of requirements for the admissibility of cross-border actions, and the requirements and procedures for a complainant to be heard should a complaint be rejected
  • The right to be heard by the company or organisation under investigation at key stages throughout the procedure
  • New deadlines for the completion of investigations, with an overall investigation deadline of 15 months agreed, capable of extension up to 12 months in the most complex cases
  • A simplified cooperation procedure obligating the lead authority to send a summary of key issues to their counterparts

The approval follows an agreement between the European Parliament and Council in June 2025 on the proposed changes, which were first discussed in 2023.

 

Data & Privacy Developments

ICO launches consultation on enforcement procedure

The ICO has launched a consultation on new guidance setting out the process it will follow when carrying out investigations and taking enforcement action using its powers under the UK GDPR and the Data Protection Act 2018. The guidance aims to explain the process the ICO follows throughout an investigation, from opening the case, through information gathering, to the final decision on whether to use statutory enforcement powers.

Following the recently agreed Capita settlement set out above, the guidance sets out the circumstances in which a settlement can be agreed in an investigation. As set out within the draft guidance, "Settlement is a voluntary process where a controller or processor under investigation admits that it has infringed the data protection legislation and confirms that it accepts that a streamlined administrative procedure will govern the remainder of our investigation." The guidance sets out the percentage reduction that may be agreed in the event of a settlement: 40% before a notice of intent is issued, 30% after the issue of a notice of intent but prior to receipt of written representations, and 20% after the receipt of written representations.

The consultation will close on 23 January 2026. The full draft enforcement guidance can be found here.

 

ICO launches consultation on 'charitable purpose soft opt-in' rules

To support the ability of charities to fundraise, the ICO has launched a consultation in light of changes from January 2026 that will enable charities to use a new 'charitable purpose soft opt-in'. Introduced by the Data (Use and Access) Act, the soft opt-in will permit charities, in certain circumstances, to send direct marketing messages such as emails and texts to supporters without prior consent. The consultation is open until 27 November, and can be accessed here.

 

ICO publishes guidance for the public on consent or pay models

The ICO has issued guidance for the public on consent or pay models, providing details on how they operate, the limits on organisations using consent to use personal data, and how to seek redress if a user has concerns over how an organisation has handled their personal data. The guidance follows the ICO's statement issued last month on the proposed changes to Meta's advertising models in the UK. The ICO issued updated guidance for organisations on these models in January 2025.

 

EDPB and European Commission endorse guidelines on interplay between DMA and GDPR

The EDPB and the European Commission have endorsed joint guidelines on the interplay between the Digital Markets Act (DMA) and the GDPR. The guidelines have been opened for public consultation, which will conclude on 4 December 2025.

The summary to the guidelines notes that "The DMA and GDPR are complementary in terms of goals and in terms of the protections provided to individuals. Compliance with obligations under the GDPR goes together with the objective of addressing gatekeepers’ data-driven advantages that the DMA, among other objectives, aims to tackle."

 

European Parliament issues call for stronger enforcement of Digital Services Act

The European Parliament has issued a call to the Commission to enforce the Digital Services Act with stronger measures for those sites or applications that endanger minors. The European Parliament press release can be found here. Some of the measures proposed include:

  • Personal liability for senior management in cases of serious and persistent breaches of minor protection provisions, with particular respect to age verification
  • A ban on engagement-based recommender algorithms for minors, and the disabling of the most addictive design features by default
  • A ban on gambling-like mechanisms such as “loot boxes” in games accessible to minors; and
  • The firm enforcement of AI Act rules against manipulative and deceptive chatbots

These proposed steps would be supported by the proposed Digital Fairness Act likely to be advanced by the Commission next year. This proposed legislation is expected to deal with persuasive technologies, such as targeted ads, influencer marketing, addictive design, loot boxes and dark patterns.

 

UK Parliamentary Committee questions Information Commissioner on MOD data breach

The Science, Innovation and Technology Committee recently questioned the Information Commissioner, John Edwards, as part of an examination into the 2022 Ministry of Defence Afghanistan data breach.

The statements made by the Information Commissioner can be found here.

 

European Commission confirms that ePrivacy Regulation proposal withdrawn

In a recently published list of withdrawn European Commission proposals, final confirmation has been provided that the proposed ePrivacy Regulation will not be advanced further.

This is a development we have highlighted in our recent deep dive articles on shifting cookie regimes in the UK and EU, and the EU's digital simplification efforts.

 

European Data Protection Supervisor releases revised guidance on generative AI

The European Data Protection Supervisor (EDPS) has published its revised and updated guidelines on the use of generative Artificial Intelligence (AI) and the processing of personal data by EU institutions, bodies, offices and agencies (EUIs).

The guidance, accessible here, updates the definition of generative AI, and provides clarifications and a compliance checklist to help EUIs understand whether they act as controllers, joint controllers or processors.

 

noyb makes criminal complaint against Clearview AI

The privacy activist group, noyb, has asked Austrian public prosecutors to open up criminal proceedings against Clearview AI for unlawfully scraping and collecting images of EU residents and ignoring previous administrative fines issued by European regulators.

The noyb press release, which can be accessed here, notes the progression of the ICO's action against Clearview AI in the UK, and other fines issued by European data protection authorities.

 

Cyber Developments

Ministerial letter on cyber security issued to leading businesses

A letter has been issued to Britain's leading businesses, including all FTSE 350 companies, calling on them to take the necessary steps to protect their business from cyber attacks. The correspondence contains three specific requests for companies, namely:

  • Make cyber risk a Board-level priority using the Cyber Governance Code of Practice
  • Sign up to the NCSC's Early Warning service
  • Require Cyber Essentials (a government-backed certification scheme) in their supply chain

The letter can be found here.

 

Home Office guidance on building supply chain resilience against ransomware

The Home Office has issued guidance for organisations on building resilience in their supply chains against ransomware threats. The guidance can be found here, and aims to reduce the likelihood of ransomware incidents by raising awareness of the threat posed, promoting good cyber hygiene and ensuring that supply chain vulnerabilities form part of risk assessments and decisions.

 

Minister for Digital Economy comments on Cyber Security and Resilience Bill

The Minister for the Digital Economy, Liz Lloyd, speaking to a techUK cyber security event, confirmed that the Cyber Security and Resilience Bill "will be introduced as soon as Parliamentary time allows." The Minister confirmed that "the vast majority of UK businesses and organisations will not be covered by the Cyber Bill because we do not think it would be proportionate." The text of the speech can be found here.

 

ENISA publishes Threat Landscape 2025

On 1 October 2025, the EU agency for cybersecurity, ENISA, published its annual Threat Landscape report. The report finds that ransomware remains at the core of intrusion activity, with state-aligned groups continuing cyberespionage campaigns against a number of sectors including telecommunications, logistics and manufacturing.

Phishing is identified as the dominant intrusion route, with phishing-as-a-service highlighting the industrialisation of these operations. Artificial intelligence is noted as an increasingly important element in the threat landscape, with AI-supported phishing campaigns becoming prevalent. The report can be accessed here.
