Data and cyber security - 2025 roundup

UK

Data (Use and Access) Act 2024 (DUA)

On 19 June 2025, the Data (Use and Access) Act 2024 was passed by Parliament. It amends the UK GDPR and PECR, and provides frameworks for rules on sharing of business and customer data, and for digital identity verification. Read more.

The new data legislation has been a long time coming as a version was originally proposed by the Conservative government but the legislation failed as a result of the general election. Passage of Labour's Data (Use and Access) Bill had been relatively smooth until the House of Lords began introducing successive amendments relating not to data but to the use of copyright materials to train AI. Amendments to require transparency provisions, either in the Bill itself or under separate legislation, ultimately failed although some changes were made.  The rest of the DUA Act passed with little controversy or change (see here for more detail). The Lords were, however, able to get the government to agree to publish a report on its copyright and AI proposals, including on enforcement and AI models trained abroad, within nine months of the DUA Bill getting Royal Assent, with an interim report to be published within six months.

The majority of the DUA Act has to be brought in under secondary legislation although some elements came in immediately.  The timetable for implementation suggests GDPR changes will be brought in in early 2026.  Read more about the full expected timetable.

Secondary legislation introduced under the DUA Act to date includes:

• The Data (Use and Access) Act (Commencement No.1) Regulations 2025 were made on 21 July 2025. They brought into force a number of DUA Act provisions on 20 August 2025, notably Part 1 which covers access to customer data and business data in relation to smart data schemes. However, this still requires a framework to be introduced under secondary legislation. The government launched a call for evidence on Smart Data opportunities in digital markets on 28 July 2025.
• The Data (Use and Access) Act 2025 (Commencement No.2) Regulations 2025 were made on 2 September 2025. They brought s124 DUA Act into force on 30 September to the extent that it was not already in force (part of it came in on the day of Royal Assent). Section 124 DUA Act amends the Online Safety Act. It means that online platforms must retain information about deceased children when required to do so on notice by Ofcom.
• The Data (Use and Access) Act 2025 (Commencement No.3 and Transitional and Saving Provisions) Regulations 2025 were made on 4 September. They brought into force s79 (legal professional privilege exemption), s88 (national security exemption), s89 (joint processing by intelligence services and competent authorities) and s90 (joint processing consequential amendments) of the DUA Act subject to transitional and saving provisions. Sections 79 and 88 came into force on 4 September. Sections 89 and 90 came into force on 17 November 2025. These sections all deal with amendments to the Data Protection Act 2018 (not the UK GDPR) and relate to law enforcement and national security data processing.

The government  also published a range of factsheets on the Data (Use and Access) Act 2025. They set out the main changes to the UK GDPR and PECR, and to the role of the ICO.

Cyber Security and Resilience (Network and Information Systems) Bill

The UK's Cyber Security and Resilience (Network and Information Systems) Bill was presented to Parliament on 12 November 2025. Much of what the Bill contains was trailed in the government's April 2025 policy statement. The Bill will largely expand and update the scope of the current 2018 NIS Regulations which implemented the EU NIS Directive, now replaced in the EU by the NIS2 Directive which was enacted after Brexit. This means the focus of the planned UK Bill is on operators of essential services (OESs), relevant digital service providers (RDSPs), relevant Managed Service Providers (RMSPs) and related supply chains, with certain data centres also being brought into scope. Read more.

Other

• On 27 January 2025, the Data Protection (Charges and Information) (Amendment) Regulations 2025 were laid before Parliament. The Regulations came into force on 17 February 2025 and revised the annual fees paid by controllers to the ICO.
• The Product Security and Telecommunications (Infrastructure) (Security Requirements for Relevant Connectable Products) (Amendment) Regulations 2025 were made on 24 February 2025 and came into force on 25 February 2025, passing without amendment.  They amend the PSTIA Regulations 2023 to correct an error in Schedule 1 to clarify that a manufacturer must publish any extended date for the length of time for provision of security updates as soon as practicable, and add three new exceptions relating to certain types of vehicles from being considered as relevant connectable products under the PSTIA.
• The UK's Planning and Infrastructure Bill was published on 11 March 2025. Among other planning reforms, it re-classifies data centres as nationally significant infrastructure projects. This means the planning process to build them will be fast-tracked and streamlined and limits how it can be challenged in court.
• DSIT laid the draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) (No 2) Regulations 2025 for approval by both Houses of Parliament on 13 October 2025. The amendments modify the 2023 Regulations that implemented security requirements for manufacturers of relevant connectable products in the UK from 29 April 2024.  The security requirements are based on ETSI EN 303 645. 

EU

The most significant data-related legislative developments in the EU during 2025 were the application of the majority of the Data Act, and the publication of the Digital Omnibus which proposes reforming the EU data acquis, including the GDPR.  Developments include:

• On 15 January 2025, two pieces of EU cyber security legislation approved at the end of 2024, were published in the Official Journal: the Cybersecurity Amending Regulation 2025/37 – this amends the Cybersecurity Act to enable the adoption of EU certification schemes for managed security services; and the Cyber Solidarity Regulation – this establishes EU capabilities to strengthen resilience against cyber threats and cross-border cooperation. It makes provision for a pan-European cyber security alert system to share information, detect and act on cyber threats. Both came into force 20 days following publication in the Official Journal.
• After years of deadlock the ePrivacy Regulation was dropped from the European Commission's 2025 Work Programme on 11 February 2025.
• On 20 February 2025, the rules on the notification and reporting of major ICT-related incidents and of significant cyber threats under the Digital Operational Resilience Act, were published in the Official Journal. These comprise Implementing Regulation 2025/302 which sets out standard forms, templates and procedures for reporting, and 2025/301 which sets out technical standards specifying the content and time limits for reporting major ICT-related incidents as well as the voluntary notification regime for significant cyber threats.
• The European Health Data Space Regulation (EHDS) came into force on 26 March 2025.  General provisions will take effect from 26 March 2027, with key rules on primary and secondary use of health data following on 26 March of 2029 and of 2031. Certain technical, organisational, and regulatory measures will be implemented in stages by 26 March 2035.
• On 24 March 2025, the rules concerning the examination teams for oversight activities under DORA were published as a delegated regulation in the Official Journal, coming into force 20 days later. The rules set out details about how the teams are composed and designated, the tasks they need to complete and their working arrangements.
• On 21 May 2025, the EC published its Omnibus IV proposal which is intended to simplify environmental aspects of the Single Market but also touches on GDPR. Read more.
• The bulk of the EU Data Act became applicable on 12 September 2025 although it will not apply in full until September 2027. The Data Act removes barriers to data sharing in order to give businesses access to data they contribute to creating and individuals more control over their data. Users of connected devices can access and share data they generate with third parties. The Data Act also facilitates cloud and edge service switching. See more about the Data Act here.  The Commission published final versions of the model contractual terms on data access and standard contractual clauses on cloud computing under the Data Act on 19 November 2025.
• On 21 October 2025, the European Parliament approved the GDPR procedural Regulation which will introduce additional rules to speed up and clarify cross-border GDPR enforcement. The Council adopted it on 17 November 2025. It will now be published in the Official Journal, enter into force 20 days after publication and apply 15 months after that.

• On 19 November 2025, the European Commission published its Digital Omnibus proposal.  The aims to streamline EU digital laws and reduce the compliance burden. The first part deals with reforms to the EU AI Act, while the second part focuses on the EU data acquis, most notably the GDPR, the ePrivacy Directive and the Data Act. The standout points are delays to the rules on high-risk AI under the EU AI Act, and a new GDPR lawful basis of legitimate interest for processing personal data when developing or operating AI systems (subject to safeguards), changes to cookie rules, and a new single-entry point for incident reporting. Read more.

UK

ICO and the growth agenda

On 16 January 2025, the ICO published a letter sent to the government setting out its plans to help stimulate the UK economy. This was followed in March by a package of measures to support the government's growth agenda. These commitments were also published in an Annex to the government's New approach to ensure regulators and regulation support growth, published on the same day. This sets out the government's plan to reform the UK's regulatory landscape to support the growth agenda. Read more.

On 10 March 2025, the ICO and FCA published an open letter to trade association chairs and CEOs of financial services firms saying the regulators understand the need for regulatory clarity on use of AI in financial services. The FCA and ICO are holding roundtables with industry leaders to discuss areas of uncertainty and challenge and look at how the regulators can work together with industry to support growth.  The regulators published a joint blog on related issues on 2 June 2025.

Government

• On 26 September 2025, the UK government announced plans to introduce a Digital ID scheme. This will be available to all UK and legal residents who will be required to produce the ID for right to work checks by the end of this Parliament. There will be no requirement for individuals to carry their ID or to produce it (except in relation to right to work checks), but the ID will also be used to make it easier to access government services and streamline access to tax records. The digital ID will be held on people's phones. This is unrelated to the digital ID verification parts of the DUA Act.
• On 7 April 2025, the government announced an investment with the Wellcome Trust of up to £600m to create a new health data research service. This is intended to transform access to NHS data by providing a secure single access point to national-scale data sets and cutting red tape for researchers. Clinical trials will also be fast tacked with the aim of cutting the time it takes to set up a trial to 150 days by March 2026. This will be done by cutting bureaucracy and standardising contracts across different NHS organisations, as well as ensuring transparency by publishing trust-level data for the first time.
• On 23 October 2025, the government announced OpenAI will expand its British AI offer for businesses that want their data stored in the UK. The deal, secured through the Ministry of Justice, will allow OpenAI's business customers to have their data stored in Britain on secure, sovereign servers to enhance privacy and accountability and reinforce national resilience. 

EU

On 11 February 2025, the EC published a Communication on a simpler and faster Europe, which sets out a five-year plan for simplifying the way the EU works and reducing red tape and bureaucracy. The Omnibus packages announced in the Work Programme will be a key deliverable. On 23 May 2025, the EC launched a call for evidence and consultation on a Communication on the EU Data Union Strategy. This covers the use of data in AI and simplifying EU data rules, particularly in relation to sharing data both within and outside the EU and encouraging data importing to the EU.  The Data Union strategy will focus on enabling the development of high-quality, interoperable datasets necessary for AI, and increase trust in data sharing.  Responses were requested by 18 July 2025.

UK ICO and government

Government

• On 18 March 2025, DSIT launched a call for evidence on data brokers and national security. It also launched a call for evidence on barriers to the role of data intermediaries and data portability. Both closed on 12 May 2025.
• On 6 June 2025, the government published three Codes of Practice relating to aspects of the Investigatory Powers Act covering third party personal datasets, bulk personal datasets with low or no reasonable expectation of privacy, and the investigatory Powers Act notices
• On 17 July 2025, the DRCF published an article by the ICO and FCA looking at technologies shaping the future of open finance. It focuses on APIs, AI, DLTs, smart contracts and digital identity verification. It looks at issues including control over consumer and business data, trust in new products and services, positive consumer outcomes, and data protection compliance including relating to lawful basis, data minimisation and transparency.
• On 25 November 2025, the Department for Business and Trade published a report evaluating existing data standards to support future smart data schemes. This is part of the work ahead of creating smart data schemes under the Data (Use and Access) Act.

ICO

• The ICO published a blog 'myth busting' popular misconceptions around personal data and AI in February.
• On 5 February 2025, the ICO launched a direct marketing advice generator tool. It provides free advice about how to carry out direct marketing across a range of methods in compliance with UK law. It is aimed primarily at small organisations and is currently in beta phase.
• The ICO published guidance on how to keep employment records safe on 5 February 2025. It is intended to help employers understand how the law applies to employment records and how to balance the need to keep these records with the right to a private life.
• On 19 February 2025, the ICO published the Tech Horizons Report 2025.The report looks at key technologies likely to be adopted in the next two to seven years with a significant impact on privacy. The 2025 report focuses on connected transport, quantum sensing and imaging, especially in healthcare and medical research, digital diagnostics, therapeutics and healthcare infrastructure and synthetic media, its identification and detection.
• The ICO published its Anonymisation and Pseudonymisation guidance on 28 March 2025. The guidance is intended to help organisations wanting to anonymise personal data for any purpose and identify the issues they should consider to use anonymisation techniques effectively. The guidance is voluntary and sits alongside the ICO's data sharing Code of Practice. Read more.
• On 1 April 2025, the ICO published the results of its review of the use of children's data by financial services providers (for example, when providing bank accounts, ISAs and prepaid cards). In general, the ICO found considerable compliance gaps, particularly in terms of implementing policies.
• On 29 April 2025, the ICO and the California Privacy Protection Agency signed a declaration of co-operation. This will enable them to carry out joint research, share best practice and experience and develop appropriate mechanisms for mutual collaboration.
• On 5 June 2025, the ICO published its new AI and biometrics strategy which aims to ensure organisations are developing and deploying new technologies lawfully, and supporting them to innovate while ensuring the public is protected. The two main challenges are identified as a lack of regulatory certainty and of confidence for organisations, and a lack of transparency and confidence in how personal data is used which undermines public trust.
• On 16 June 2025, the ICO published draft guidance for consultation on Internet of Things products and services. This is intended to give the industry regulatory certainty, outlining clear expectations about how to comply with data protection law and use personal data responsibly. The guidance covers issues including how to ask for informed consent, transparency, and the tools needed for people to be able to exercise their data rights. It also looks at accountability, data accuracy and retention, and security.
• On 7 July 2025, the ICO launched a consultation on a new chapter in the draft updated guidance on storage and access technologies (SATs), previously known as the 'detailed cookies guidance'. The guidance has been updated to take account of the DUA Act. The ICO also launched a call for views on its approach to regulating online advertising, specifically in relation to the consent requirements under Regulation 6 of PECR. The consultations closed on 29 August 2025. Responses will inform the ICO's final guidance and a formal statement on its enforcement approach, which are expected in early 2026.
• On 2 July 2025, the ICO announced its first registered trade mark for users of owners of ICO-approved and published UK GDPR schemes. The trade marks act as a visible signal to inspire trust.
• The ICO published new guidance on 30 July 2025 looking at data protection-compliant use of profiling tools. This is substantially aimed at user-to-user services using profiling tools to comply with age assurance obligations under the Online Safety Act but can also be used more widely by anyone using profiling tools as part of their trust and safety processes. The guidance should be read alongside the Content Moderation Guidance where relevant.
• On 31 July 2025, the ICO published new guidance to help organisations disclose documents securely. This covers public authorities responding to FOI requests and organisations responding to DSARs.
• On 21 August 2025, the ICO launched the first two in a series of planned consultations relating to draft guidance on amendments made to the UK GDPR by the Data Use and Access Act (DUA Act). They covered recognised legitimate interests and data protection complaints. The consultations closed in October 2025.
• On 28 August 2025, the ICO published a consultation on draft guidance on distributed ledger technology (DLT). The guidance mostly refers to blockchain but is applicable to all DLTs. The consultation closed on 17 November 2025.
• On 22 August, the ICO opened a consultation on draft changes to how it handles data protection complaints.  The consultation sets out the ICO's proposed framework for deciding the extent to which it is appropriate for it to investigate complaints.  The framework is intended to ensure a consistent approach and the ability to focus resources on cases which can have the biggest impact. The consultation closed on 31 October 2025.
• On 16 October 2025, the ICO launched a consultation on its approach to the charitable purpose soft opt-in which will enable charities to send direct marketing emails and texts to people who have expressed interest or offered support without prior consent provided the organisations meet the necessary requirements. The change is expected to take effect in January 2026 under the Data (Use and Access) Act 2025 which will amend Regulation 22 of PECR to give charities the same soft opt-in rules as apply to businesses.  Views were invited by 27 November 2025.
• On 31 October 2025, the ICO published a call for views on new guidance on how it approaches investigations and takes enforcement action.  The guidance, once finalised, will sit alongside the Data Protection Fining Guidance and together the guidance will replace that set out in the current Regulatory Action Policy.  The consultation closes on 23 January 2026.
• On 12 November, the ICO published guidance on sharing information to safeguard children and young people in the education sector.  The guidance is aimed at education sector organisations and complements the ICO's 10-step guidance. The ICO intends to publish additional guidance on sharing data for safeguarding purposes aimed at other sectors including the health sector.
• On 1 December 2025, the ICO announced it would be scrutinising how popular mobile games played by children in the UK protect children's online privacy. The ICO will launch a monitoring programme targeting ten popular mobile games to assess their compliance with default privacy settings, their geolocation controls, their targeted advertising and other data protection issues. 
• At the end of November 2025, the ICO published a report of its interim impact review of the Children's Code strategy. The report looks at the impact of the Children's Code and is broadly positive about the results of its engagement with 32 platforms.  A final impact review will be published in 2026/27.
• On 4 December 2025, the ICO published an update on enforcing cookie rules across the UK’s top 1,000 websites after its latest sweep.  95% of websites passed compliance tests, with 979 compliant and 21 still failing. 564 were initially non-compliant but improved after ICO engagement, including 17 preliminary enforcement notices.
  
   

EU – EDPB, EDPS and European Commission

• On 17 January 2025, the EDPB adopted guidelines on pseudonymisation which were open for consultation until 28 February 2025. The EDPB stressed that the guidelines provide two important legal clarifications: pseudonymised data which could be attributed to an individual by the use of additional information is still personal data - if the data can be linked back to an individual by the data controller or someone else, it remains personal data. In addition, pseudonymisation can reduce risks and make it easier to rely on legitimate interests as a legal basis as long as all other GDPR requirements are met. Similarly, pseudonymisation can help implement the data protection principles, particularly data protection by design and default and security. Note, however, subsequent changes proposed to the definition of personal data under the Digital Omnibus in line with the decision in EDPS v SRB.
• On 15 January 2025, the EDPS published a 'concept note' setting out proposals for a consistent, cooperative and coherent approach to enforcing the EU's laws on digital markets. This looks at the incoming EU digital rulebook and notes the risks of inconsistent and contradictory approaches and requirements.
• On 20 January 2025, the EDPB published a report following its Coordinated Enforcement Framework investigation into the implementation of the right of access under Article 30 GDPR. The EDPB found that more awareness raising about the EDPB guidelines on the right of access is needed and there are key challenges to be tackled.
• On 5 March 2025, the EDPB launched its fourth co-ordinated enforcement action which will focus on the right to erasure.  32 EU DPAs are expected to participate and to look at how controllers deal with right to erasure requests, including the application of exemptions.  They will carry out fact-finding exercises and may also open formal investigations.
• The EDPB adopted a statement on age assurance on 12 February 2025. The statement aims to form a basis for consistent application of age assurance across the EU.
• On 6 March 2025, the EDPS published its 2020-24 mandate review setting out its enforcement actions and its enforcement priorities.  It has said it will continue its enforcement efforts, particularly around online harms, child sexual abuse material, and cyber security.
• On 7 March 2025, EU Supervisory Authorities, the EBA, ESMA and Eiopa, published an Opinion in which they approved the European Commission's updated Draft Regulatory Technical Standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions under Article 30(5) of the Digital Operational Resilience Act (DORA).
• On 10 April 2025, the EDPB published a report on AI Privacy Risks & Mitigations setting out a comprehensive risk management methodology and practical mitigation measures for common risks in LLMs. The report is intended to help DPAs have a comprehensive understanding of the functioning of LLMs and associated privacy risks.
• On 3 April 2025, the EDPB also released a study on secondary use of personal data for research purposes which discusses the lack of uniform approach across Member States and perceived gaps in the GDPR.
• On 14 April 2025, the EDPB adopted guidelines on processing personal data through blockchain technologies. The guidelines were subject to consultation up to 9 June 2025.
• On 23 April 2025, the EDPB published its annual report 2024. On the same day, the EDPS published his annual report for 2024.
• On 2 July 2025, the EDPB adopted the 'Helsinki Statement' on enhanced clarity, support and engagement. This sets out new initiatives agreed by the EDPB to facilitate easier GDPR compliance, enhance dialogue with a broad range of stakeholders, strengthen consistency and develop cross-regulatory cooperation in the digital landscape.
• On 9 July 2025, the EDPB and EDPS published a joint Opinion on the data-related aspects of the Omnibus IV proposal. The EDPB and EDPS are generally supportive but make a number of suggestions on clarity and emphasis. Read more.
• On 12 September 2025, the EDPB adopted guidelines on the interplay between the DSA and the GDPR for public consultation (read more). They were open to comments until 31 October 2025 and the IAB was among those to push back, essentially saying the EDPB should stick to its remit.
• On 12 September 2025, the European Commission published a Communication providing guidance on the key Data Act obligations applying to vehicle data.  It covers data falling within Chapter II of the Data Act ie data access and use rights of users of connected products and related services – in this case product data generated by a vehicle's use, and applicable access rules.  The guidance relates only to the automotive sector including to original equipment manufacturers, suppliers, aftermarket service providers and insurance providers.  It cannot be extrapolated to other industries or the public sector.
• On 23 September 2025, the EDPS published a TechDispatch on Human Oversight of Automated Decision-Making (ADM). It looks at common assumptions about how humans interact with and monitor decision-making systems, including on the overly optimistic nature of many of them and the risks of not examining them critically. It also explores practical measures for providers and deployers of ADM systems to take to ensure human oversight supports democratic values and safeguards human rights. It does not offer legal interpretation. 
• On 14 October 2025, the EDPB announced  that its fifth co-ordinated enforcement action will focus on GDPR transparency and information duties (Articles 12 to 14).  The action will be launched over the course of 2026 and following opt-in from DPAs.
• On 9 October 2025, the European Commission and the EDPB endorsed joint guidelines on the interplay between the Digital Markets Act and the GDPR. The guidelines were open to consultation up to 4 December 2025 and the final version will now be published. Read more about the guidelines here.

• On 5 November 2025, the EDPB launched a consultation to develop ready-to-use templates to support GDPR compliance. The consultation seeks input on which templates would be most useful for organisations. The EDPB will develop templates for core requirements including Data Protection Impact Assessments and personal data breach notifications. It invites suggestions on further templates, such as privacy notices and records of processing activities. The consultation was open until 3 December 2025.
• On 4 December 2025, the EDPB adopted recommendations on when e-commerce sites may require mandatory account creation. It concluded that, in the majority of cases, guest checkout should be offered, with mandatory accounts limited to narrow cases such as subscriptions or exclusive offers,  most likely under the lawful basis of contractual necessity or legal obligation.

UK cases

High Court ruling on consent by vulnerable individuals

On 23 January 2025, the High Court handed down a ruling looking at the consent requirement under the GDPR and PECR in relation to a vulnerable recovering gambling addict in a claim against Sky Betting and Gaming operators Bonne Terre Ltd and Hestview Ltd. The Court found the claimant’s consent was not freely given or sufficiently informed given his vulnerability, so use of cookies and subsequent direct marketing was unlawful.

The Court stated consent had to be of a "relatively high" quality and that this was context-specific, taking into account the individual's subjective state of mind as to what they thought, understood and desired, the individual's autonomous choice about consent based on external circumstances, and the evidential basis on which the controller relied. This cannot rest on generic probabilities where vulnerability may impair autonomy. It cautioned that gambling marketing presents an obvious risk of defective consent, while stressing the decision is fact and time specific. While the scope of the judgment was limited to the facts of the case, it raises issues when relying on consent, particularly in the online gambling sector. 

Court of Appeal clarifies rules on claims for non-material damage under the UK GDPR

On 22 August 2025, the Court of Appeal handed down judgment in the case of Farley & Ors v Paymaster (1836) Ltd (trading as Equiniti) [2025] EWCA Civ 1117.  The judgment is significant as it clarifies issues around claims for non-material damages under the UK GDPR.  The main substance of the appeal related to whether claims for compensation for data breaches under the UK GDPR had to pass the threshold of seriousness set out in the Lloyd v Google case which was concerned with the Data Protection Act 1998. The Court said the Lloyd v Google case threshold of seriousness did not apply to UK GDPR claims and that the UK should follow the CJEU's approach as set out in the 2023 Österreichische Post case in which it was held that there was no threshold of seriousness to be passed in relation to non-material damages claims for breaches of the GDPR.  While clarification of the application of the seriousness threshold (or not) to UK GDPR claims is helpful, it does not open the floodgates to opt-out representative actions in data claims as it does not overcome the difficulty of demonstrating that all claimants have the same interest.

ICO does have jurisdiction in Clearview AI case

On 8 October 2025, the ICO reported that the Upper Tribunal upheld three of its four appeal grounds against the First-tier Tribunal in the Clearview AI case, confirming that Clearview’s processing relates to monitoring the behaviour of UK residents and falls within UK data protection law, even when Clearview services are supplied to foreign law enforcement or government agencies. The decision is legally binding and clarifies the material and territorial scope of the UK GDPR. It reaffirms that organisations monitoring UK residents’ behaviour are in scope irrespective of where they are established. The case was remitted to the First-tier Tribunal to determine the substantive appeal on the basis that the ICO had jurisdiction to issue the monetary penalty and enforcement notices. Clearview may seek permission to appeal. 

ICO enforcement

Beyond the continuing enforcement action relating to unlawful marketing, and cyber security enforcement action (see below), 2025 highlights include:

• On 3 March 2025, the UK's ICO announced three investigations as part of its wider interventions into how social media and video sharing platforms use children's data.
• In March, it was reported that the ICO is joining others in investigating DeepSeek's data practices.  South Korea's privacy regulator has suggested DeepSeek has engineered its system to cover up data flows, relying more heavily on hard coding than other GenAI models, making it harder to analyse the data being processed.  Reports suggest DeepSeek is rapidly being embedded in China's government services, causing concerns around privacy and cyber security.
• On 25 September 2025, the ICO confirmed fining two energy companies a total of £555,000 for making 'robo calls' using avatar software. This made calls leading recipients to think they were being made by real people.
• On 10 September 2025, the ICO issued a notice of intent to fine MediaLab AI Inc for data protection breaches relating to its social media platform Imgur. The ICO provisionally found that Imgur's use of children's personal data and its approach to age assurance were non-compliant. Imgur now directs UK users to a help page which tells them the site is not available in the UK. The ICO said on 30 September that this is a commercial decision by MediaLab AI and that it will consider any representations from the company before reaching a final decision on sanctions.

CJEU judgements and AG opinions

EC ordered to pay €400 in damages for unlawful transfer of personal data

On 9 January 2024, the EC was ordered to pay Thomas Bindl €400 in respect of unlawful transfer of his personal data to the USA by the General Court of the EU. Bindl is appealing.  The European Commission has also appealed aspects of the decision. Read more.

CJEU says DPAs must consider all claims

In a preliminary ruling in a reference from Austria in January 2025, the CJEU said DPAs are not allowed to limit the number of claims made by an individual but must review each claim on its merits.  The background to the claim is the Austrian DPA's rejection of a claim on the basis that the claimant had made 77 claims between 2018 and 2022.  The ADPA wanted to allow a maximum number of two complaints per data subject per month.  The CJEU said that as long as complaints are not vexatious or abusive, frequency is not sufficient to classify a claim as "excessive".

CJEU says a customer's gender identity is not necessary data for transport ticket purchase

On 9 January 2025. The CJEU held that it is not necessary to collect data on customers' titles, particularly where the purpose of the collection is to personalise commercial communications.  The French Council of State asked the CJEU whether collecting title data was consistent with the data minimisation principle.  The CJEU said for the data processing to be necessary it had to be objectively indispensable for performance of a contract, or in attainment of a communicated legitimate interest.  In this instance, the CJEU found the data collection was not objectively indispensable.

CJEU decision on transparency of ADM

On 27 February 2025, the CJEU ruled in a reference from Austria about the use of automated decision making and credit scoring.  An individual asked for information about the logic involved in the automated decision-making under Article 15(1) GDPR.  The referring court asked the CJEU to determine how detailed the response had to be and asked for clarification on how the balance between protecting trade secrets and the right of access under the GDPR should be assessed.  The CJEU ruled that information provided to data subjects had to be sufficiently clear so that they could understand what personal data was used to obtain a specific result.  It was not sufficient to provide complex information which the individual would be unable to understand.  The data subject's rights cannot be overridden by the controller's desire to protect trade secrets.  In the event of concern or doubt, the controller should apply to a court or the supervisory authority for clarification. Read more. 

AG Opinion in Meta v EDPB

On 27 March 2025, Advocate General Ćapeta handed down a non-binding Opinion in WhatsApp Ireland Ltd v European Data Protection Board. WhatsApp was appealing the General Court's decision which held that it could not appeal to a national court regarding the EUR 225m fine issued to it by the Irish Data Protection Commission following an EDPB decision that the fine should be higher than originally proposed. The AG opined that EDPB decisions are challengeable whereas the General Court held that the case was inadmissible. If the CJEU follows the Opinion, organisations will be able to challenge EDPB Article 65 decisions directly before the General Court rather than going through national proceedings and potentially a preliminary reference to the CJEU. See our article for more.

CJEU ruling on nature of pseudonymised data

On 4 September 2025, the CJEU handed down a significant decision which clarified treatment of pseudonymised data in EDPS v SRB. The most notable aspect of the case relates to clarification of when pseudonymised data is personal data, particularly in relation to data transferred to a third party by a controller.  Read more.

CJEU AG Opinion on GDPR limits to publishing athletes’ anti-doping sanctions online

On 25 September 2025, Advocate General Spielmann issued an Opinion in Case C-474/24 discussing whether Austrian rules requiring online publication of athletes’ names, sport, sanction duration and reasons for anti-doping infringements comply with the GDPR.  The AG considers that it is not necessary to publish athletes' names. Pseudonymised publication would achieve the objectives of deterring athletes from infringing anti-doping rules and preventing circumvention of those rules so publication should be limited to relevant bodies and sports federations. Publication should be proportionate in terms of scope and duration of availability. Controllers must conduct a case-by-case balancing exercise of different interests involved before processing. The Opinion is not binding and the CJEU judgment will follow.

Advocate General Opinion on whether an initial SAR can be excessive

On 18 September 2025, AG Szpunar handed down an Opinion in response to a reference from Germany relating to the abuse of subject access rights. The AG opined that an initial request for information under a subject access request can, in exceptional circumstances be considered excessive. However, the threshold for assuming an abuse of rights in an initial request is high. The AG said that the mere fact that a person has made numerous previous requests does not make a request abusive. Nor does exercising the right to compensation. The issue is the underlying purpose of the individual's actions. Read more about the Opinion here.

CJEU ruling on direct marketing to readers of free newsletters

In a reference from Romania, the CJEU ruled on 13 November 2025, that signing up to receive a free newsletter with links to articles which might only be accessible with a paid-for subscription, constituted a 'sale' of a product or service for the purposes of the ePrivacy Directive – a direct monetary payment was not required. Where Article 13(2) ePrivacy applied, the publisher of that newsletter was entitled to send direct electronic marketing to the user of the service's email address without requiring a lawful basis under the GDPR. Read more.

Online marketplace is controller of personal data in user-generated ads on its platform, says CJEU

On 2 December 2025, the ECJ handed down its judgment in X v Russmedia Digital and Inform Media Press. It concluded that online marketplaces are (joint) data controllers for GDPR purposes where they process personal data in user-generated content for their own commercial purposes.  The judgment makes it clear that this is a very low bar which many platforms are likely to meet.  (Joint) controllers will need to check UGC for personal data ahead of publication, verify that any personal data belongs to the user placing the UGC and, if it doesn't, ensure there is an Article 6 GDPR lawful basis and an Article 9 GDPR exemption from the prohibition on processing special category data (where relevant).  Where they are joint controllers, they will need to deal with Article 26 GDPR requirements relating to joint controllership in their user terms. In addition, and importantly, they will not be able to rely on liability shields (the hosting exemption and the 'no monitoring obligation' in the e-Commerce Directive/Digital Services Act). This judgement raises complex issues for online marketplaces and platforms. Read more.

Cyber resilience continues to be a focus in the UK and EU, particularly in light of a renewed focus on defence and concerns about malicious state actors.  See here for in-depth articles on some of the year's main issues, and here for more on defence tech.

UK consultations, guidance and policy

• The UK National Cyber Security Centre published guidance to help operational technology owners and operators choose products and manufacturers that follow security by design principles on 13 January 2025.  The guidance contains 12 security considerations for procurement processes.
• On 31 January 2025, the government published a Code of Practice for the Cyber Security of AI (CoP) and an implementation guide. The CoP has been updated from the draft following a call for views, and an implementation guide has been published in response to stakeholder feedback.
• The previous government published a draft Code of Practice on Cyber Governance (CoP) as part of a call for views in January 2024. DSIT published the current government's response to the call for views on 31 January 2025. DSIT will now make minor edits to the draft Code. Together with the NCSC, DSIT will develop materials to support implementation and industry uptake.
• The National Cyber Security Centre published introductory guidance on the use of Content Credential technology on 29 January 2025 – a co-publication with the USA, Australia and Canada. The NCSC encourages adoption while recognising they do not necessarily provide a complete solution.
• On Friday 21 February, Apple announced it would no longer offer its highest level of data protection service in the UK. The optional service provided for end-to-end encryption of data stored in iCloud. This was largely presumed to be a result of a "technical capability notice" Apple received from the UK government under the Investigatory Powers Act, effectively requiring it to give law enforcement access to data worldwide in order to investigate terrorism and child sexual abuse material, subject to a court order.  Apple's appeal against a revised order relating to UK rather than global access, was ultimately dismissed due to a "change in circumstances". It is unclear whether Apple will submit a further challenge.
• On 25 March 2025, the NCSC published guidance to help organisations and cyber security professionals implement effective privileged access workstation (PAW) solutions in organisations.
• On 8 April 2025, the UK government published the Cyber Governance Code of Practice. This aims to support boards and directors in the private and public sector in governing cyber security risks and sets out the most critical actions for which directors are responsible. The Code is part of the government's package of support and is underpinned by the Cyber Governance Training and the Cyber Security Toolkit for Boards but it is the foundational code in the government's modular approach. It is complemented by the Cyber Essentials scheme.
• On 7 May 2025, the government published a new voluntary Software Security Code of Practice for software vendors together with an assurance process. The Code sets out fundamental security and resilience measures that should reasonably be expected from all organisations developing and or selling software to businesses or other organisations. This includes software services, standalone software or goods that contain software, but it is most relevant to the sale and distribution of proprietary software in the context of B2B relationships. While it is not aimed at open source software, the government suggests it may still be a useful tool in the open source context. The government is developing a certification scheme based on the compliance process. See more here.
• On 12 May 2025, the UK government launched a call for views on proposals to help protect connected devices used in a business context eg printers, internet-connected telephones, building entry systems and room booking systems. The government is concerned about vulnerabilities being used to attack business IT systems. The government will publish a response once it has considered the submissions.
• On 22 May 2025, the NCSC announced a new technical specification for baseline cyber security requirements for AI systems and models, and an accompanying report, developed working with DSIT and ETSI.  The specification is intended to address security vulnerabilities specific to AI and can be used by stakeholders throughout the AI supply chain. 
• On 4 June 2025, the NCSC published Cyber security culture principles which provide six suggestions as to how to create the right cultural conditions in an organisation to support and encourage people to carry out the desired cyber security behaviours, alongside some practical examples. 
• On 18 June 2025, the UK government announced a Cyber Growth Action Plan 2025 and £16m in funding for cyber sector programmes to kickstart growth.

• On 22 July 2025, the government published its response to the feedback on its consultation on ransomware legislative proposals. The government will proceed with legislating to achieve a targeted ban on ransomware payments for owners and operators of regulated-critical national infrastructure and the public sector, a ransomware payment prevention regime, and a mandatory incident reporting regime
• On 2 September 2025, the UK ICO published its final guidance on encryption following consultation.  The guidance explains how UK data protection law applies when using encryption and how to apply encryption in practice.  It focuses in particular on encryption in the context of data storage and data transfers.
• On 19 September 2025, a government-commissioned independent report – the Cyber Security Growth Action Plan – was published by Bristol University and Imperial College London.  It aims to turbocharge growth, unlock jobs and support innovation.  The report makes a set of nine recommendations and 24 associated suggestions on how to implement the recommendations. These include an expanded role for the NCSC and the appointment of a UK cyber growth leader. The government will formally respond via the forthcoming National Cyber Strategy.
• On 24 October 2025, the UK government published non-binding guidance together with international partners, in particular Singapore, on protecting against ransomware attacks in the supply chain. The guidance is intended to help organisations spot weaknesses in their supply chain and take steps to mitigate them. It was developed by the UK and Singapore at a global summit of the Counter Ransomware Initiative and has been endorsed by 67 members of the Initiative.

UK data breaches and sanctions

As always, data breaches continue to proliferate and they have been an enforcement priority for the ICO.  It's impossible to cover them all but here's a selection from 2025.

• UK mobile phone operator TalkTalk played down claims that credentials of 18.8m users had been hacked at the end of January. TalkTalk said it was investigating the breach but that the figure of 18.8m was considerably exaggerated. It also underlined that no financial or billing information had been accessed. TalkTalk suffered a high-profile breach in 2015 which resulted in a £400,000 (pre-GDPR) fine.
• Marks & Spencer suspended online sales following a suspected ransomware attack which led to problems with contactless pay and click and collect.  The attack also led to food availability issues in some stores and on Ocado. Following the cyber attack on Marks and Spencer, Co-op also suffered a ransomware attack. The attack was claimed by DragonForce who said they were also responsible for the M&S attack and an attempted hack of Harrods.  
• Details came to light in mid-July of a 2022 data breach by the MoD in which excerpts of a spreadsheet relating to applicants for its Afghan Relocations and Assistance Policy were shared online. The MoD reported the breach to the ICO within the required 72 hours of becoming aware of it in 2023, but an injunction prevented knowledge of the breach entering the public domain. The ICO made a statement on 15 July and wrote a blog on 17 July setting out its decision not to take further action.
• On 27 March 2025, the ICO confirmed its decision to fine Advanced Software Group Ltd £3.07m for security failings by one of its subsidiaries. The decision is notable as the first UK fine of a processor.  Read more.
• On 16 April 2025, the ICO announced it had fined Merseyside-based DPP Law Ltd £60,000 for failing to put appropriate measures in place to ensure the security of personal data.
• On 17 June 2025, the UK's ICO announced it had fined genetic testing company 23andMe £2.31m for failure to implement appropriate security measures to protect the information of UK users. The fine is the result of a joint investigation by the ICO and Canada's Privacy Commissioner into 23andMe's cyber security following a credential stuffing attack between April and September 2023 during which personal data (including special category data) of 155,592 UK individuals was accessed.
• On 1 September 2025, Jaguar Land Rover suffered a major cyber attack which is reportedly the most costly in UK history with an estimated cost of £1.9bn.
• Also in September, London Heathrow Airport was one of several European airports impacted by a cyber attack on Collins Aerospace which caused travel disruption after electronic check-in and baggage handling were impacted.
• On 15 October 2025, the ICO issued a £14m monetary penalty to Capita for a March 2023 cyber attack that stole nearly 1TB of data from 6.6 million people, impacting 325 pension schemes and other customers. Capita plc was fined £8m and Capita Pension Solutions Limited £6m.The ICO had initially proposed a £45m fine but accepted a voluntary settlement after representations. Capita admitted liability and will not appeal.
• On 3 December 2025, the ICO issued a reprimand to Post Office Limited for publishing an unredacted settlement agreement online that exposed personal data of 502 Horizon litigants for nearly two months. The ICO cited inadequate security measures and training. The ICO considered issuing a £1.094 million fine but decided the breach did not meet the "egregious" threshold under its public sector approach and so issued a reprimand instead.

EU

• On 7 April 2025, the European Commission launched a targeted consultation on its January 2025 Action Plan for cybersecurity of hospitals and healthcare providers. This is intended to create a safer and more secure environment for patients and healthcare professionals by ensuring application of the EU's cyber security and data protection laws, and to improve threat detection, preparedness and response in the healthcare sector. The deadline for responses was 30 June 2025.
• On 11 April 2025, the EC opened a consultation on revising the Cybersecurity Act 2019. The review will focus mainly on the mandate of ENISA, the European Cybersecurity Certification Framework and security challenges within the ICT supply chain.
• On 26 June 2025, ENISA published voluntary technical guidance to support Member States and in-scope entities in implementing the technical and methodological requirements for cyber security risk management measures applying to critical entities under the NIS2 Directive. This includes cloud service providers, data centre service providers, online marketplaces, online search engines, social network platforms and trust service providers. ENISA stressed the guidance is not legally binding and is not intended to replace frameworks, guidance or tools provided at Member State level.
• On 25 June 2025, the European Commission published its proposal for an EU Space Act. The proposal includes rules on resilience of space infrastructure. See more.
• On 16 October 2025, the EC published a draft delegated act under the Cyber Resilience Act for feedback on the Have your say portal.  The draft act specifies the exceptional conditions and grounds under which a national computer security incident response team (CSIRT) acting as co-coordinator and receiving a notification of an actively exploited vulnerability or severe incident, can delay sending the notification to the CSIRTs of other EU countries.  The call closed on 13 November 2025.  Adoption is expected by the end of the year.
• On 19 November 2025, the European Commission published its Digital Omnibus proposal. The first part deals with reforms to the EU AI Act, while the second part focuses on the EU data acquis, most notably the GDPR, the ePrivacy Directive and the Data Act. The standout points are delays to the rules on high-risk AI under the EU AI Act, and a new GDPR lawful basis of legitimate interest for processing personal data when developing or operating AI systems (subject to safeguards), changes to cookie rules, and a new single-entry point for incident reporting. Read more.
• On 28 November 2025, the European Commission adopted an Implementing Regulation under the Cyber Resilience Act. It sets out technical descriptions of categories of important and critical products under the CRA.  Class I important products includes smart door locks, baby monitoring and alarm systems and home security cameras. Class II important products includes firewalls and anti-spam gateways.  Critical products include payment terminals and hardware products that generate and manage cryptographic elements.  The requirement for manufacturers to complete conformity assessments for these products will apply from 11 December 2027, although some reporting elements will be introduced earlier.

Arguably the hottest topic this year in digital advertising, was the viability of the 'consent or pay' model whereby users either consent to advertising or pay for an ad-free model, or, latterly, opt for less intrusive targeting. The year ended with a bang, however, with the publication of the Digital Omnibus which proposed a number of changes to cookie rules in an attempt reduce the frequency of cookie banners.

'Consent or pay'

UK

On 23 January 2025, the ICO published its online tracking strategy for the year. It outlined the ICO's plans to promote compliance with data protection laws in the online tracking ecosystem, with a focus on safeguarding and empowering people to have meaningful control over their data while promoting responsible innovation and sustainable economic growth.

The strategy outlined the ICO's plans to "go further and faster" in 2025, heralded as part of a broader package of measures announced by the ICO on 16 January 2025.  This was aimed at driving economic growth while maintaining high data protection standards (see here for more). It follows on from a series of actions the ICO took in 2024, including consulting on fresh guidance for storage and access technologies like cookies and fingerprinting, examining 'consent or pay' business models, reviewing the UK's top 200 websites, and concluding investigations and audits of data management platforms. Read more.

The ICO also published guidance on the 'consent or pay' advertising model on 23 January 2025. The guidance clarifies how these models can be deployed to give users meaningful control. The ICO says 'consent or pay' models can comply with data protection law as long as it can be demonstrated that consent is freely given and other requirements are complied with. The ICO's approach appears to be slightly more pragmatic than that of the EDPB which maintains that meeting the consent conditions when a binary choice of service is offered will be a high bar.

On 20 October 2025, the ICO published consent or pay guidance for the public. The brief guidance explains the 'consent or pay' model and stresses that it can be legal provided the organisation using it can demonstrate consent to personalised advertising is freely given. It also highlights what information must be given to individuals and the options that must be given to withdraw consent, as well has how to make complaints.

On 26 September 2025, Meta announced it would introduce a chargeable ad-free service on its Facebook and Instagram platforms in the UK. The ICO issued a statement welcoming the plan, saying this moves Meta away from relying on standard terms for targeted ads, which it considers non-compliant with UK law. The ICO expects Meta to assess user choices and the impact of the model, and to ensure ongoing compliance, transparency and freely given consent. The ICO will monitor the rollout and the wider use of 'consent or pay' models across online markets. Meta praised the ICO's engagement, comparing it favourably to the EU's approach which requires it to provide a 'middle ground' option between consent to advertising and paid services, where users receive a free service with ads based on more limited (contextual) targeting. However, Meta significantly lowered the UK subscription starting price to about half the EU level as a result of the ICO's input. The cost will be £2.99 per month online and £3.99 per month via iOS or Android.

EU

On 16 January 2025, IAB Europe published a feedback paper sent to the EDPB after the 8 November 2024 stakeholder event on the EDPB's pay or consent guidelines.  IAB Europe is concerned about the narrow interpretation given to "freely given" consent. It argues that with the 'consent or pay' model, users are given a clear choice between two options and are also able to choose to use alternative services.  It adds that there is no obligation on businesses to provide free services or services at a loss which could well transpire if they are required to offer ad-free services for free.

On 23 April 2025, the European Commission announced it was fining Meta EUR 200 million for breaching the Digital Markets Act (DMA) obligation to give consumers a choice of services which use less of their personal data. The fine (which Meta is appealing) related to the binary 'consent or pay' model for Facebook and Instagram which was offered in the EU between November 2023 and November 2024. The DMA requires gatekeepers to get user consent to combine their personal data across services and offer those who do not consent a less personalised but equivalent alternative. The Commission found that Meta's binary model did not give users the required specific choice to receive a less personalised, but otherwise equivalent service to the free personalised ad service and that Meta did not allow users to exercise free consent to the combination of their personal data across services.

In November 2024, Meta introduced an alternative free version of its Facebook and Instagram platforms which it said used less personal data to display ads. The Commission is still assessing this option and the fine relates to the period during which the binary offering was available once the DMA became applicable. An EC spokesperson has suggested changes made by Meta to its 'pay or consent' model may not go far enough to comply with the Digital Markets Act. In December, however, it was reported that the Commission was considering further proposals by Meta which it hoped would resolve the issue.

In 2023, the Austrian DPA held that the pay-or-consent model introduced by newspaper Der Standard was unlawful as it only provided a binary choice between global consent or a monthly subscription. The paper appealed the decision, arguing it was not practical to implement a granular consent model. In August 2025, the Austrian Federal Court dismissed the appeal but allowed a further appeal to the Supreme Administrative Court, making it likely the case will eventually reach the CJEU.

Read more about the 'consent or pay' model here.

Digital Omnibus – ePrivacy Directive reforms

Following the failure to introduce a new ePrivacy Regulation, the European Commission now proposes integrating cookie (and similar storage technology) requirements into the GDPR under its Digital Omnibus proposal.  It proposes requiring single-click acceptance/refusal for cookies and that cookie consent cannot be re-sought for the same purpose within a six-month period.  Read more.

Despite concerns that the EU might take issue with the UK's Data (Use and Access) Act, the path looks smooth for renewal of the EU-UK data adequacy decisions for a six-year period. 

Similarly, while there were concerns about the future of the EU-US Data Privacy Framework at the start of the year, this does not look to be in any serious danger. On 25 September 2025, the US Privacy and Civil Liberties Oversight Board published a report looking at the US Intelligence Community's compliance with Executive Order 14086 which provides enhanced safeguards in relation to processing of personal data by intelligence authorities. The report finds that appropriate policies, procedures, supplemental guidance and training were adopted by the Intelligence Community and found no instances of non-compliance. This is an essential component of maintaining the EU-US Data Privacy Framework.

Notwithstanding the Commission's commitment to the EU-US DPF, it has been under challenge in the courts from French MP Philippe Latombe.  On 3 September 2025, the EU General Court dismissed his private action to annul the EU-US Data Privacy Framework.  The General Court confirmed that on the date of application of the Executive Order in question, the USA provided an adequate level of data protection for EU personal data.  Latombe is now appealing to the CJEU. Meta has been given permission to intervene on this and the joined appeal in the Bindl case.

Transfers of personal data from the EU to China have also been under scrutiny.  In particular, on 16 January 2025, NOYB filed complaints in Greece, Netherlands, Belgium, Italy and Austria asking for suspension of data transfers to China by six Chinese companies.  NOYB alleges that the transfers are unlawful because the data cannot be adequately protected from access by the Chinese government.  Read more about the complaints here. A spokesperson for the Ministry of Foreign Affairs said China does not require companies or individuals abroad to collect or provide data or other information to the Chinese government in breach of local law.

European regulators and the ICO were also concerned about the processing of EU/UK personal data by DeepSeek. There are concerns that personal data is being transferred to China with no controls over its use and no transparency over what is happening to the data, as well as over the lawful basis for processing.  So far though, there has been no enforcement action at EU level or from the ICO.

Other EU developments relating to data transfers during 2025 include:

• The EDPB approved a document setting out procedures for approval of Binding Corporate Rules for controllers and processors on 13 March 2025.
• On 5 June 2025, the EDPB published the final version of its updated guidelines on transfers to third country authorities following a public consultation. The guidance focuses on Article 48 GDPR and clarifies how organisations can best assess under which conditions they can lawfully respond to requests for a transfer of personal data from third country authorities.
• On 15 July 2025, the EC confirmed that the European Patent Organisation provides a level of data protection equivalent to that provided by the EU. This is the first time the EU has adopted an adequacy decision relating to an international organisation. The adequacy decision allows for frictionless transfers of personal data between the EU and the European Patent Organisation.
• On 5 September 2025, the EC announced a draft adequacy decision with Brazil.  Once concluded, it will allow for frictionless data transfers between the EU and Brazil without the need for additional measures. The EDPB published an Opinion on 5 November largely backing the decision but asking for some further clarification.
• On 16 September 2025, South Korea recognised the EU as having an equivalent data protection framework to its own allowing for frictionless transfers of personal data from South Korea to the EU. The EU recognised South Korea's regime as adequate in 2021.  This development makes the adequacy arrangement between the jurisdictions mutual.  It covers private and public sector data.

Meanwhile in the UK:

• On 23 April 2025, the UK and Japan published a joint statement on data adequacy. It commits to continuing free data flows with a high level of data protection and sets out plans to expand the scope of the current respective adequacy agreements to new areas including academia and the public sector.
• On 26 June 2025, the ICO published a Call for Views on its current international transfers guidance. The ICO may publish a summary of responses prior to using the information gathered to update its guidance in light of the DUA Act.

For general developments in AI, see the AI section of this update. There were, however, many data-related developments given the concern relating to the use of personal data to train AI.  Here we cover some of the highlights from the EU.

• On 27 February 2025, the European Parliament Research Service published a briefing on the interplay between the GDPR and the AI Act. In particular, the briefing looked at the requirement under the AI Act to mitigate discrimination and bias in high-risk AI systems. See our article on the interplay of the AI Act and the GDPR.
• Privacy advocacy group NOYB filed a complaint with the Norwegian data protection authority against OpenAI, relating to ChatGPT's hallucination in which a man was wrongly said to have murdered his daughters and been convicted. The information was presented alongside accurate information. OpenAI says it has since updated ChatGPT so that it uses the internet to search for information about individuals, but the complaint is concerned with the possibility that the hallucination may still be part of ChatGPT's dataset. The complaint suggests this is insufficient and alleges that by knowingly allowing ChatGPT to produce inaccurate and defamatory information, OpenAI is breaching the GDPR accuracy principle.
• On 14 April 2025, Meta announced it would soon begin training its AI models on the interactions that people have with AI at Meta as well as public content shared by adults on Meta products. EU individuals will be able to object to their content being used in this way. Meta says it does not use people's private messages to train AI nor public data from under-18s. The Irish DPC gave Meta the 'all clear' to start its Meta AI service in the EU from 27 May 2025.  The DPC was satisfied that Meta had implemented measures to protect EU citizens' data rights and could now use public data on its platforms to train its AI models.  A last-minute application in Hamburg to suspend this for three months was rejected.  Read more about the Hamburg decision here.
• On 11 April 2025, the Irish Data Protection Commissioner launched an inquiry into X's use of personal data to train its Grok Large Language Models. The DPC is concerned that Grok has used personal data available on the X platform. The inquiry will look at a range of compliance issues including transparency and lawfulness of processing.
• NOYB wrote to the Irish DPC asking for a cease and desist order against Meta's plan to use its users' public personal data on its Facebook and Instagram platforms for AI training. NOYB argues that Meta is wrongly relying on the legal basis of legitimate interest and should be asking for user consent. NOYB plans to move to an EU-wide class action if this step fails to produce the desired result. Meta is already facing an application for an injunction to stop the AI training from a German consumer group on the same issue and similar grounds.
• On 5 June 2025, the EDPB published a training curriculum on AI and data protection covering law and compliance in AI security and data protection.
• On 28 October 2025, NOYB filed a criminal complaint against Clearview AI and its managers with the public prosecutors in Austria under s63 of the Austrian Data Protection Act.  NOYB claims that Clearview has failed to respond to various EU Member State enforcement actions which have imposed fines and issued bans.  NOYB says Clearview's compliance has not been enforced and no changes have taken place.  If successful, Clearview AI executives could be held personally liable.

• On 7 November 2025, the Irish DPC issued a statement on LinkedIn’s plan to train its generative AI model using EU/EEA data. Following risk findings by the DPC, LinkedIn adopted changes.  The DPC requires a report within five months of processing commencement evaluating safeguards. It has not approved or found the processing to be compliant but will monitor the situation. 
• On 11 November 2025, the EDPS published guidance to help identify and mitigate common technical risks associated with AI systems. The guidance is for controllers conducting data protection risk assessments when procuring, developing and deploying AI systems under the EUDPR which governs the processing of personal data by EU institutions, offices and agencies.