Our 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments from April 2025.
Case Law Updates
Court of Appeal grants permission to ICO to appeal Upper Tribunal decision
The Court of Appeal has granted the ICO permission to appeal the judgment of the Upper Tribunal in respect of DSG Limited. The background to the appeal was the initial decision of the ICO to fine DSG £500,000 under pre-GDPR powers following a data breach. The fine was then halved by the First-tier Tribunal (FTT). The Upper Tribunal ordered the FTT to reassess the case on the basis that the FTT had failed to properly assess whether the exfiltrated data would be 'personal' in the hands of the hackers.
The ICO submitted that the Upper Tribunal interpreted the law incorrectly in finding that DSG was not required to take appropriate measures against unauthorised or unlawful processing of data by a third party, where the data is personal data in the hands of the controller but not in the hands of the third party.
The Court of Appeal case tracker indicates that the appeal is expected to be heard before 23 March 2026.
General Court of EU holds first hearing for annulment of EU-US Data Privacy Framework
The French MP, Philippe Latombe, lodged an application challenging the adequacy finding made in respect of the EU-US Data Privacy Framework (DPF) before the EU's General Court. Our team discussed those initial challenges to the DPF in October 2023.
Although the Court dismissed the request for an emergency suspension, Mr Latombe's action for annulment of the DPF has continued. The action argues that the DPF adequacy finding, among other things:
- fails to guarantee the right to an effective remedy and access to an independent tribunal as the US appeal body is not independent
- does not provide a framework in US law for automated decision-making, and
- fails to provide safeguards relating to the security of personal data once transferred to the US
A hearing took place on 1 April 2025 and a decision is expected in the coming months. The General Court has the authority to invalidate the DPF, and therefore the decision will be of great interest.
Regulatory Developments
Data (Use and Access) Bill report stage to proceed in House of Commons
The DUA Bill will proceed to report stage in the House of Commons on 7 May 2025. The DUA Bill as amended in Public Bill Committee can be found here.
The report stage will provide MPs a further opportunity to consider proposed amendments and debates may take several days. The report stage is usually followed by a Bill's third reading.
European Commission fines Meta for Digital Markets Act breaches relating to 'consent or pay' models
The European Commission has fined Meta EUR200 million for breaches of the EU Digital Markets Act (DMA). The fine relates to the 'consent or pay' advertising model used for EU users of Facebook and Instagram. The Commission found that this model is not compliant with the DMA, with users not given the required specific choice to opt for a service that uses less personal data but is otherwise equivalent to the 'personalised ads' service. Meta's model did not allow users to exercise their right to freely consent to the combination of personal data used.
The fine relates to the time period between March 2024 (in which end users in the EU were only offered the binary 'Consent or Pay' option and when DMA obligations became legally binding) and November 2024. The Commission is still investigating a new advertising model introduced by Meta at that time.
A EUR500 million fine was also issued to Apple for breaches of anti-steering obligations under the DMA. The press release accompanying the decisions can be found here.
ICO issues statement on British Library ransomware attack
The ICO confirmed that no further investigation is to be undertaken into the 2023 ransomware attack affecting the British Library. In response to the incident, which escalated due to a lack of multi-factor authentication, the British Library issued a cyber incident review commenting on the attack and key lessons learned. The Information Commissioner concluded that in light of the British Library's response, and due to "current priorities, further investigation would not be the most effective use of [the ICO's] resources."
The ICO statement can be found here.
ICO issues statement on police use of facial recognition technology
The ICO has issued a short statement on police use of facial recognition technology, acknowledging its benefits and referencing its "AI and biometrics strategy" which will be launched in Spring 2025. The ICO statement can be found here.
ICO fines law firm following cyber attack
The ICO fined DPP Law Limited £60,000 after highly sensitive personal data was published following a cyber-attack. The investigation concluded that DPP Law had failed to put appropriate measures in place to ensure the security of personal data held electronically.
Access was gained via an infrequently used administrator account lacking multi-factor authentication (MFA). The full details of the ICO Penalty Notice can be found here, and the ICO press release is available here.
ICO publishes review into use of children's data by the financial services sector
The ICO has published the findings of its review into the use of children's data by the financial services sector, concluding that more should be done. Read the findings here.
Irish DPC commences investigation into X and processing of personal data in LLM training
The Data Protection Commission has commenced an inquiry into the processing of personal data contained in publicly accessible posts on X. These posts are processed for the purposes of training generative AI models, including the Grok LLMs. The investigation will consider whether the personal data in question was lawfully processed in order to train the Grok LLMs. The press release confirming the investigation can be found here.
Ofcom launches investigation under the Online Safety Act
Ofcom has launched an investigation into the provider of an online suicide forum, considering whether it has failed in its duties under the Online Safety Act. The investigation will consider whether the provider has:
- Put appropriate safety measures in place to protect its UK users from illegal content and activity
- Completed a suitable and sufficient illegal harms risk assessment, and
- Adequately responded to a statutory information request
Ofcom's announcement of the investigation details the expected investigation process and enforcement powers. The regulator also published the final Protection of Children Codes of Practice under the Online Safety Act. Laid before Parliament for approval, the Codes are required to be implemented by in-scope tech firms by 25 July 2025.
Compensation company fined £90,000 for unlawful marketing calls
The ICO fined AFK Letters £90,000 for unlawful marketing practices conducted in breach of the Privacy and Electronic Communications Regulations, which resulted in over 95,000 spam calls being made over a nine-month period. AFK Letters could not demonstrate compliant marketing consents, specifically in respect of data obtained from a third-party supplier. Read the Monetary Penalty Notice here.
Data & Privacy Developments
UK and Japan issue statement on data adequacy expansion
The Department for Science, Innovation and Technology (DSIT) has issued guidance confirming that the UK and Japan intend to expand data adequacy arrangements between the two nations.
The expansion will extend protections to new areas such as academia and the public sector, facilitating collaborative research and administrative cooperation. The expanded framework is expected to be delivered in spring 2026, provided that additional technical work and a review of the current arrangements are successful.
A similar statement was issued by the EU Commissioner Michael McGrath and the Japanese data protection commissioner, confirming that similar extensions are under discussion between the EU and Japan, with further meetings expected.
ICO and California Privacy Protection Agency sign Declaration of Cooperation
The ICO and the CPPA have signed a declaration which will allow the respective agencies to facilitate joint research, and share best practices, knowledge, and investigative methods.
A CPPA press release can be found here.
EDPB publishes draft guidelines on blockchain technologies for consultation
The EDPB has published draft guidelines on blockchain technologies which are open for public consultation until 9 June 2025. Draft Guidelines 02/2025 can be found here.
Simplification to GDPR expected
The European Commission is expected to present proposals to simplify the GDPR in the coming months as part of a wider and ongoing simplification program aimed at easing compliance burdens.
During an interview with the Center for Strategic & International Studies, Commissioner Michael McGrath confirmed that the GDPR is expected to undergo a simplification process as part of a future omnibus package.
EDPB publishes 2024 Annual Report
The European Data Protection Board has published its 2024 Annual Report. The report provides an overview of the Board's activities throughout the year, highlighting the publication of consistency opinions under Articles 64(1) and 64(2) including determining a controller's main EU establishment, and requirements to ensure that valid consent has been obtained in the context of 'consent or pay' models.
The report also sets out general guidance provided by the EDPB and contributions to legislative developments. Access to an executive summary and the full report can be found here.
EDPB publishes report on AI Privacy Risks
The EDPB has published the AI Privacy Risks & Mitigations Large Language Models (LLMs) report. The document sets out comprehensive risk management methodologies for LLM systems and a number of practical mitigation measures for common privacy risks.
The report will assist Data Protection Authorities in understanding the functioning of and risks associated with LLMs, and can be accessed here.
European Commission publishes AI Continent Action Plan
The European Commission has published the AI Continent Action Plan, which aims to promote initiatives in five key areas. The key areas include building large-scale AI computing infrastructure, increasing access to high-quality data, promotion of AI in strategic sectors and strengthening AI skills and talents.
Of particular interest is the proposal to simplify the implementation of the AI Act, noting "the Commission will build on the lessons learned during the current implementation phase and identify further measures that are needed to facilitate a smooth, streamlined and simple application of the AI Act, particularly for smaller companies." Access to the full Action Plan can be found here.
The Commission has also opened a public consultation to clarify the scope of rules for providers of general-purpose AI models as defined under the AI Act. Those rules will take effect from 2 August 2025. Details of the consultation, open until 22 May 2025, can be found here.
Cyber Developments
Government sets out expected scope of Cyber Security and Resilience Bill
In anticipation of the publication of the Cyber Security and Resilience Bill, the Government has published a policy statement setting out the expected legislative proposals. Measures expected within the Bill when published include:
- Bringing more entities into scope of the regulatory framework (Managed Service Providers), strengthening supply chain security and enabling the designation of 'Critical Suppliers', with threshold criteria to be established
- Empowering regulators and enhancing oversight through technical and methodological security requirements, improving incident reporting, improving the ICO's information gathering powers and improving regulators' cost recovery mechanisms, and
- Ensuring the regulatory framework keeps pace with the changing cyber landscape through the delegation of powers to the Secretary of State for DSIT
Links can be found here to the Government's press release and policy statement. We will provide detailed commentary and our views on the Bill when it is published.
Government publishes final version of the Cyber Governance Code
The final version of the Cyber Governance Code has been published by the Government. The Code is designed for boards and directors of medium and large organisations and highlights their relevant responsibilities. The Code is supported by Cyber Governance Training materials and the Cyber Governance Toolkit.
Our team commented earlier this year on the then-draft Cyber Governance Code as part of DSIT's modular approach to codes of practice formalising expectations around cyber risk response in specific sectors.
UK Finance publishes response to ransomware consultation
UK Finance, a group representing more than 300 financial institutions including major banks, has published its response to the recently concluded Home Office consultation on ransomware. The consultation concluded on 8 April 2025, with responses currently being analysed.
The consultation response confirms that the group supports the Government's objective of reducing the ransomware threat but emphasises that the financial sector has a critical reliance on digital infrastructure. The group stresses that any legislation should be carefully tailored and subject to a phased and evidence-based approach, warning that ransomware activity may be driven into harder-to-track channels. The response can be found here.
Bank of England Financial Policy Committee reports on AI in the financial system
The Financial Policy Committee has published a report considering the potential implications of more widespread, and changing, use of AI within the financial system. The FPC is focused on greater use of AI in banks' and insurers' core decision-making and in financial markets. The report also considers the changing external cyber threat environment, noting that it could increase the capacity for malicious actors to conduct successful cyberattacks against the financial system.
The report titled 'Financial Stability in Focus: Artificial intelligence in the financial system' can be found here.
DSIT publishes results of Cyber Security Breaches Survey 2025
The DSIT study explores policies, processes and approaches to cyber security taken by businesses, charities and educational institutions, as well as considering cyber attacks and crimes faced by them.
The headline figures indicate over four in ten businesses (43%) and three in ten charities (30%) experienced some form of cyber security breach or attack in the last 12 months. Of those, phishing attacks remain the most prevalent and disruptive type of breach or attack (experienced by 85% of businesses and 86% of charities).
The survey concludes that "larger organisations and specific sectors exhibit relatively mature cyber security practices, smaller organisations and certain sectors are less developed, highlighting persistent disparities and vulnerabilities." The full results of the survey and DSIT analysis can be found here.