
Data, Privacy and Cyber in July 2025: In Case You Missed It


By Hans Allnutt, Jade Kowalski, Peter Given & Charlotte Halford


Published 06 August 2025

Overview

Our 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments from July 2025.

 

Contents

  1. Case Law Updates
  2. Regulatory Developments
  3. Data & Privacy Developments
  4. Cyber Developments

 

Case Law Updates

Department for Business and Trade v The Information Commissioner [2025] UKSC 27

The Supreme Court has held that when information falls under multiple qualified exemptions (QEs) in the Freedom of Information Act 2000 (FOIA 2000), public authorities may consider the cumulative public interest in maintaining all applicable exemptions.

FOIA 2000 provides a right of access to information held by public authorities, subject to the exemptions set out in the Act. QEs are subject to a public interest balancing test under s2(2)(b) which states that ‘in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosure of the information’.

Following a request on post-Brexit trade deals, the ICO, First-tier Tribunal and Upper Tribunal disagreed on how to approach information that falls within multiple QEs. The Supreme Court was asked to rule on whether an aggregated 'cumulative' approach or a separate 'independent' approach should be used. The Supreme Court found that the 'cumulative' approach is correct.

The judgment can be found here, and the accompanying press summary.

 

Quick Tax Claims Ltd v Information Commissioner [2025] UKFTT 869 (GRC)

The UK First-tier Tribunal ("FTT") dismissed an appeal by a claims management company against a Monetary Penalty Notice (MPN) of £120,000 issued by the ICO. The MPN was issued as a result of breaches of the Privacy and Electronic Communications Regulations (PECR). Over 7 million unsolicited SMS marketing messages were transmitted, contrary to Regulations 22 and 23 of PECR.

The FTT affirmed the ICO's discretion in issuing the MPN and concluded that the penalty was justified and proportionate. The FTT noted the significant number of messages sent and that although the breaches were not deliberate, they were negligent. The FTT dismissed the appeal; the decision can be found here.

 

Regulatory Developments

European Commission adopts draft decision renewing UK adequacy agreement

The European Commission has adopted draft decisions, which can be found here, for renewing the adequacy agreement for the UK until December 2031. The Commission assessed the recent reforms introduced by the Data (Use and Access) Act ("DUA Act") and concluded that the UK's data protection framework continues to provide data protection safeguards essentially equivalent to those in the EU.

The draft decisions will now be transmitted to the European Data Protection Board (EDPB) for its opinion. The Commission will also seek approval from a committee composed of representatives of EU Member States.

The European Commission also approved a data adequacy decision for the European Patent Office, representing the first decision covering an international non-government organisation.

 

Government publishes steps to give effect to DUA Act provisions

A summary of plans for bringing into force specific provisions in the Data (Use and Access) Act 2025 has been published. The government plans to commence these provisions in four stages.

The first stage, The Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025, will bring into force specified provisions of the DUA Act 2025 on 20 August 2025. These include technical provisions; new statutory objectives for the Information Commissioner’s Office when carrying out its functions; and provisions requiring the government to prepare a progress update and a report on copyright works and artificial intelligence systems.

 

European Commission publishes guidelines and code of practice for general-purpose AI models

Despite suggestions that the AI Act's implementation timeline may be tweaked, the introduction of obligations relating to General-Purpose AI Models ("GPAI") has remained unaltered, taking effect as expected from 2 August 2025. These obligations will be enforceable in August 2026 for new AI models and August 2027 for existing AI models. 

As part of this process, in July, the European Commission published the Code of Practice for GPAI Models, a voluntary and non-binding code designed to help GPAI model providers demonstrate compliance with their obligations under the EU AI Act. The Guidelines on the scope of obligations of GPAI models, also issued in final form in July, complement the Code of Practice, setting out the Commission’s interpretation and application of the AI Act, which will guide its enforcement actions.

Our colleagues, Charlotte Halford and Amanda Mackenzie, have commented on these developments in detail here.

 

Meta and Apple to appeal Digital Markets Act fines

Both Meta and Apple have confirmed their intention to appeal fines levied against them by the European Commission in respect of breaches of the Digital Markets Act. Meta was fined EUR200 million and Apple EUR500 million. Meta has stated that its fine in respect of the 'pay or consent' advertising model is 'incorrect and unlawful'.

Further, it has been reported that the Commission is considering whether to impose further fines on Meta under the Digital Markets Act in addition to the EUR200 million fine.

 

ICO issues statement in response to 2022 Ministry of Defence data breach

The ICO has confirmed it has been supporting and overseeing the MoD's internal investigation into a data breach from 2022. The Information Commissioner has issued a statement confirming that "the causes of the breach were identified, and rectified, that lessons were learned, and everything possible was done to mitigate the effects on the affected individuals."

The statement, which can be found here, indicates that no further action will be taken against the MoD having regard to the context, including the substantial costs to the public expended already.

 

ICO fines charity following destruction of irreplaceable personal records

The ICO has fined the Scottish charity Birthlink £18,000 for the destruction of approximately 4,800 personal records, up to 10% of which may be irreplaceable. In August 2023, the charity became aware that records had been destroyed and reported the incident to the ICO.

The ICO investigation revealed a limited understanding of data protection law in the organisation, and poor record keeping meant that some individuals affected by the breach could not be identified and contacted. A fine was considered appropriate and was reduced from £45,000 following representations from the charity. The full ICO penalty notice is here.

 

EDPB and EDPS issue joint opinion on proposed simplification of GDPR

The European Data Protection Board (EDPB) and Supervisor (EDPS) adopted an Opinion outlining support for proposals to simplify EU GDPR compliance, in particular the obligation to keep a record of data processing operations. Currently, an exception from record-keeping obligations only applies to enterprises and organisations with fewer than 250 employees, except in certain cases. Under the proposal, the exception would apply to an enterprise or organisation employing fewer than 750 people.

The Opinion can be found here. Although the proposals are supported, both bodies note that an assessment of the consequences should be undertaken.

The EDPB also adopted a statement outlining plans to support simplification of compliance with EU GDPR. The EDPB agreed to develop templates to streamline aspects of compliance, such as data breach reporting. Board members committed to "enhance consistency of the application and enforcement" of the GDPR.

 

Data & Privacy Developments

ICO proposes new enforcement approach to unlock privacy-first adtech

The ICO is reviewing its approach to enforcement of the PECR consent requirements, and has issued a call for views. Currently, publishers deploying online advertising technologies must secure user consent; the ICO is considering whether a risk-based approach to enforcing PECR would allow publishers to deliver online advertising to users who have not granted consent, where there is a low risk to their privacy.

The ICO has stated that in early 2026, it will publish a statement confirming those activities that are unlikely to trigger enforcement action and support the government in developing planned secondary legislation to amend PECR consent requirements and create a new exception for low-risk advertising purposes. The call for views can be found here.

 

ICO publishes new guidance on disclosing documents to the public

The ICO has published new guidance, representing the ICO's most comprehensive resource on avoiding accidental data breaches when disclosing documents to the public. The guidance includes a number of checklists and how-to videos, and is designed for organisations processing personal information under the UK GDPR to help address the risks of disclosing documents containing hidden personal information to the public.

The guidance can be found here.

 

ICO consults on new guidance on storage and access technologies

The ICO has commenced a consultation, open until 26 September 2025, on a new chapter within the draft updated guidance on storage and access technologies. The proposed new chapter follows the introduction of the DUA Act, explaining the exceptions to the prohibition on storing or accessing information on people’s devices.

The consultation can be found here.

 

FCA and ICO publish joint paper on Open Finance and smart data

Through the Digital Regulation Cooperation Forum Horizon Scanning and Emerging Technology project, the FCA and ICO have provided an update on their collaboration in exploring Open Finance. Open Finance is an extension of data sharing used in Open Banking to a wider range of financial products such as savings, investments, pensions and insurance. In light of the recent passage of the DUA Act, the organisations have emphasised that a privacy by design and default approach will be crucial to building trust in Open Finance.

The FCA and ICO have published an article summarising ongoing insights from their work, confirming that work is continuing in this area.

 

ICO publishes Annual Report 2025

The ICO has published its Annual Report for 2025 highlighting ongoing activities and strategic objectives. The report emphasises some of the key milestones from the last year, noting the publication of guidance and consultation relating to artificial intelligence and the work undertaken to address compliance with data protection law for the UK's top 1000 websites.

The Annual Report can be accessed here.

 

European Parliament publishes study on AI and civil liability

The European Parliament has published a report analysing the EU’s evolving approach to regulating civil liability for artificial intelligence systems. In order to avoid regulatory divergence between Member States in the absence of EU legislation, the study advocates for a strict liability regime targeting high-risk systems and structured around a single responsible operator.

The study can be accessed here.

 

noyb files GDPR complaints against AliExpress and WeChat

The consumer rights group, noyb, has confirmed that it has filed complaints against a number of Chinese companies, including AliExpress and WeChat. The complaints relate to access requests under Article 15 EU GDPR, with noyb arguing that a failure to comply makes it difficult for European users to exercise their right to privacy, and to understand how their personal data is being processed.

 

Cyber Developments

UK Government publishes response to ransomware consultation

Earlier this year, the UK Home Office consulted on a package of measures to fundamentally alter the UK's approach to ransomware. Summarised as 'prevention, reporting and payments', the proposals included three key measures to deal with threats posed by ransomware.

Following the conclusion of the consultation in April, the Government's policy response has now been published, alongside stakeholder views and key findings. A detailed analysis of the response has been prepared by our colleagues, Patrick Hill and Heasha Wijesuriya, and can be found here.

 

ENISA publishes technical guidelines to support implementation of NIS2

The European Union Agency for Cybersecurity (ENISA) has published technical guidelines to support companies in those critical sectors affected by the implementing regulation of the NIS2 Directive.

The document provides guidance on a number of requirements including risk management policies, incident handling, business continuity and crisis management, and supply chain security.

 

UK Chronic risk analysis emphasises cyber risk

The UK's first bespoke risk assessment of medium to long term risks, the Chronic risk analysis, has noted the issues associated with technology and cyber security. The analysis highlights that cyber risks pose a significant and ongoing threat to individuals, businesses and critical national infrastructure. The guide notes the support provided by the National Cyber Security Centre in issuing advice and guidance for organisations to respond to threats and protect their systems.

The Chronic risk analysis can be found here.
