Our 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments from September 2025.
Case Law Updates
Latombe v Commission (T-553/23)
This was an action by a French MEP, seeking the annulment of the EU-US Data Privacy Framework. The applicant claimed that the adequacy agreement failed to address issues raised in the Schrems II judgment and left EU citizens’ data at risk of surveillance by US authorities.
Links are provided to the press release and full judgment.
The action alleged a lack of effective remedies for data subjects that are affected by surveillance, and ineffective oversight of any automated decision-making by US entities. The General Court dismissed the action for annulment. The activist group, noyb, issued a statement that the challenge was targeted and narrow, and a further challenge alleging a broader set of arguments may be successful.
EDPS v Single Resolution Board (C-413/23)
The decision clarifies the scope of the concept of personal data in the context of a transfer of pseudonymised data to third parties. The SRB had arranged for the transfer of comments from a bank's former creditors and shareholders to a third-party advisor in the form of pseudonymised data. The former creditors and shareholders submitted that the SRB had not informed them that data relating to them would be transmitted to third parties.
The Court of Justice of the European Union ("CJEU") held that, under existing precedent, the relevant perspective for assessing whether a data subject is identifiable depends on the circumstances of the processing in each individual case. The CJEU held that the identifiable nature of the data subject must be assessed at the time of collection of the data and from the point of view of the controller. In this instance, the SRB's obligation to provide information applied prior to the transfer of the data, irrespective of whether, after any pseudonymisation, the data constituted personal data from the recipient's point of view.
Links are provided to the press release and full judgment.
IP v Quirin Privatbank (C-655/23)
An employee of Quirin Privatbank mistakenly disclosed sensitive personal data of a job applicant to a third party, external to the recruitment process. The third party, a former colleague of the job applicant, forwarded the message, asking whether he was seeking employment. The job applicant brought an action seeking an order that Quirin Privatbank refrain from any processing of his personal data in connection with his application. The CJEU did not consider a separate claim for compensation.
The CJEU determined that, by itself, the GDPR does not grant individuals the specific remedy of a prohibitory injunction. This decision clarifies that while individuals can seek compensation for damages resulting from unlawful data processing (under GDPR Article 82), they cannot use the GDPR as a standalone legal basis to force a data controller to stop future violations.
The judgment can be found here.
Regulatory Developments
Second and third commencement regulations issued for Data (Use and Access) Act
Stage 2 of the commencement regulations for the Data (Use and Access) Act has been issued. Per guidance from the government, the Data (Use and Access) Act 2025 (Commencement No. 2) Regulations 2025 commenced section 124 of the Data (Use and Access) Act 2025 on 30 September 2025. Section 124 amends the Online Safety Act 2023, including a duty on Ofcom to issue notices requiring the retention of information by social media providers and other regulated services when required by the coroner or procurator fiscal in connection with an investigation into the death of a child.
The Data (Use and Access) Act 2025 (Commencement No. 3 and Transitional and Saving Provisions) Regulations bring into force sections 79, 88, 89 and 90 of the DUAA on 5 September 2025, the day after the Regulations were made. These amend Parts 3 and 4 of the Data Protection Act 2018 (DPA), which govern the processing of personal data for law enforcement purposes and by the intelligence services.
Bristol City Council issued with enforcement notice following subject access request failures
The Information Commissioner's Office has issued an enforcement notice to Bristol City Council ("BCC") for failing to comply with its legal obligations to respond to subject access requests ("SARs"). The notice requires BCC to take a number of actions, including addressing outstanding SARs within set deadlines, providing weekly progress reports, producing an action plan to address any continuing backlog, and making appropriate system and process changes within 12 months to prevent a repeat.
The enforcement notice to BCC can be accessed here.
ICO comments on investigation into Imgur
The Information Commissioner's Office has provided an update on the investigation into Imgur, following the decision by the company to restrict access in the UK. The investigation relates to how the Imgur social media platform uses children's information and its approach to age assurance. The ICO statement, found here, confirms that a notice of intent to impose a monetary penalty was issued to MediaLab (which owns Imgur) ahead of a final decision.
European Commission launches call for evidence on 'Digital Omnibus' package
The Commission launched a call for evidence in mid-September, scheduled to end 14 October 2025, on the upcoming Digital Omnibus package. Our team has commented on this call for evidence along with wider moves to simplification in the EU as part of a detailed analysis this month.
The Digital Omnibus aims to cut compliance costs for organisations and promote consistent rules with clear legal guidance. The initiative will potentially include simplifications to the following areas:
- The data acquis / Data Union strategy (Data Governance Act, Free Flow of Non-Personal Data Regulation, Open Data Directive)
- Rules on cookies and other tracking technologies currently laid down by the ePrivacy Directive
- Cybersecurity-related incident reporting obligations, and
- Application of the AI Act rules
EDPB launches consultation on guidelines covering interplay between the DSA and GDPR
Following the adoption of guidelines covering the interplay between GDPR and the Digital Services Act, the European Data Protection Board ("EDPB") has commenced a public consultation allowing stakeholders to comment and provide feedback. Consultation responses on Guidelines 03/2025 are sought by 31 October 2025.
The guidelines "aim to contribute to the consistent interpretation and application of the DSA and of the GDPR insofar as some provisions of the DSA concern the processing of personal data by intermediary service providers and include references to GDPR concepts and definitions."
Law Commission launches Fourteenth Programme of Law Reforms
The Law Commission has recently released the Fourteenth Programme of Law Reform. One of the announced projects for the programme will consider 'Public sector automated decision making', making recommendations about the legal framework needed to promote lawful ADM. Potential outcomes from the project include recommendations for:
- An overarching legal framework for ADM
- Bespoke law reform for ADM in particular departmental areas, or
- Best practice guide on the lawful use of ADM and considerations to take account of when developing policy and legislation
The programme also discusses further potential projects, which are not currently marked for further work but could be accepted in future. One of these projects is 'Data sharing and information law', with comments noting "Stakeholders regard the law as complex and unclear... exacerbated by the conversion of the UK GDPR from retained EU law to assimilated law. A project on data sharing and information law would make recommendations to consolidate or streamline this legal framework."
Data & Privacy Developments
ICO statements on Meta's advertising model
The ICO has issued a statement on the proposed changes to Meta's advertising models in the UK. The statement, found here, confirms that Meta will now be asking users for consent to use their personal information to target them with ads on the Facebook and Instagram platforms.
This change will implement Meta's chosen 'consent or pay' approach, with users being offered a binary choice between consenting to personalised ads or paying for an ad-free service. The ICO states it will be monitoring the roll-out of the changes, along with the broader ecosystem of 'consent or pay' models. The ICO issued updated guidance on these models in January 2025.
The activist organisation, Open Rights Group, issued a statement arguing that the model would penalise those who want to exercise their data protection rights.
EDPB issues response to trade body on calculation of GDPR fines
The EDPB has issued a response to the Computer and Communications Industry Association ("CCIA") on the calculation of administrative fines under the GDPR. The CCIA had contacted the EDPB following the ILVA decision handed down by the Court of Justice of the European Union (CJEU) earlier this year, which found that, in order for a fine to be considered 'effective, proportionate and dissuasive', data protection authorities must have due regard to the factors in Article 83(2) GDPR.
The EDPB confirmed that it had reviewed the position, and EDPB Guidelines 4/2022 align with the ruling, meaning that no change to the guidance is required.
European Commission publishes draft adequacy decision for Brazil
The European Commission has launched the process for the adoption of a data adequacy decision with Brazil. The draft decision has been transmitted to the European Data Protection Board for its opinion, and approval will be sought from a committee of representatives of EU Member States.
The Commission press release can be found here.
European Union and Japan agree expansion of scope of adequacy decision
The European Union and Japan have successfully concluded an agreement on expanding the scope of the EU adequacy decision on Japan to academia and research. The possibility of expanding the scope to include the public sector is also ongoing.
The press release issued by the EU is here.
EDPB publishes Tech Dispatch on human oversight in automated decision-making
The EDPB Tech Dispatch on automated decision-making (ADM) examines common assumptions about how humans interact with and monitor decision-making systems, including the significant risks of harm to individuals and potential violations of fundamental rights.
The guidance also explores practical measures that providers and deployers of ADM systems can take to ensure that human oversight supports democratic values and human rights.
EDPS publishes opinion on EU-US framework on exchange of information for security screening and identity verifications
The European Data Protection Supervisor ("EDPS") has published an opinion on proposals to commence negotiations on a framework agreement between the EU and the USA on the exchange of information for security screenings and identity verifications. The opinion stresses that any envisaged processing of personal data must not exceed that which is strictly necessary and proportionate.
The opinion makes a number of specific recommendations aimed at narrowing the proposed data sharing as much as possible and at establishing clear accountability mechanisms, including the availability of judicial redress in the United States regardless of citizenship.
EU Advocate-General issues Opinion on 'excessive' subject access requests
In the action of Brillen Rotter GmbH v TC, Advocate General Szpunar has issued an opinion on the circumstances in which a subject access request made under the GDPR can be refused. The Advocate General held in his opinion that even a first access request may be characterised as 'excessive' in circumstances where the controller can demonstrate that the data subject "has consented to the processing of his or her personal data to be able to submit that access request and then claim compensation". However, the making of multiple subject access requests is not in itself sufficient to characterise such a request as 'excessive'.
The opinion can be found here.
Cyber Developments
ICO issues cyber security tips for small businesses
The ICO has published a number of tips for small businesses to ensure that they have the appropriate cyber security measures in place to protect personal information. The guidance, which can be found here, contains a number of practical steps such as using multi-factor authentication, limiting access to different types of information where appropriate and timely disposal of data and equipment.
ENISA publishes Threat Landscape 2025
The EU agency for cybersecurity, ENISA, has published its annual Threat Landscape report. The report finds that ransomware remains at the core of intrusion activity, with state-aligned groups continuing cyberespionage campaigns against a number of sectors including telecommunications, logistics and manufacturing.
Phishing is identified as the dominant intrusion route, with phishing-as-a-service highlighting the industrialisation of these operations. Artificial intelligence is noted as an increasingly important element in the threat landscape, with AI-supported phishing campaigns becoming prevalent.
The report can be accessed here.
NCSC warns of malware campaign targeting Cisco devices
The National Cyber Security Centre has issued further advice to assist network defenders in responding to malicious targeting of Cisco devices. The devices at risk have passed their last day of support as of 30 September 2025, and the NCSC recommends that, where feasible, these models be replaced or upgraded. The security advice can be found here.
NCSC issues statement on Collins Aerospace cyber incident
Following the disruption caused by the incident involving Collins Aerospace, the NCSC confirmed it was working with affected and interested parties, including the Department of Transport, to respond to the incident.