
Data, Privacy and Cyber in May: In Case You Missed It


By Jade Kowalski, Charlotte Halford, Peter Given & Hans Allnutt


Published 03 June 2025

Overview

Our 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments from May 2025.

 

Contents

  1. Case Law Updates
  2. Regulatory Developments
  3. Data & Privacy Developments
  4. Cyber Developments

 

Case Law Updates

GDPR damages for loss of control: One loss, two harms

Our data, privacy and cyber colleagues, Hans Allnutt and Isabel Becker have authored a detailed analysis piece considering the complicated picture in respect of potential damages for loss of control as a result of data breaches. The detailed review can be found here.

 

Regulatory Developments

Data (Use and Access) Bill continues in parliamentary 'ping pong'

The Data (Use and Access) Bill has entered the final stages of its parliamentary journey, as various proposed amendments are discussed between the Houses of Commons and Lords, in a process known as 'ping pong'. Once an agreement is reached on the final text of the Bill, then Royal Assent will be given, and the Bill will become law.

The process is currently a battleground regarding proposals to insert additional provisions covering AI transparency requirements and protection for copyright holders. Parliamentary discussions have continued following the conclusion of the Parliamentary recess on 2 June 2025, and at the time of writing, remain ongoing.

 

European Data Protection Board adopts opinion on UK data adequacy

The European Data Protection Board (EDPB) has adopted an opinion on the proposed six-month adequacy extension in respect of the UK until 27 December 2025. The opinion makes clear that this extension is considered exceptional due to the current legislative position in the UK as noted above, and should not, in principle, be extended further.

The EDPB Opinion 06/2025 is here and accompanying press release here.

 

European Commission publishes formal proposals to simplify GDPR record-keeping requirements

The European Commission has published formal proposals to simplify GDPR record-keeping as part of the omnibus process. The proposal would simplify the existing Article 30 requirement that each controller and processor maintain a record of processing activities, and the prescribed contents of that record. The existing exemption for SMEs and organisations with fewer than 250 employees would be broadened to organisations with fewer than 750 employees, and record-keeping under Article 30 would become mandatory only where the processing activities are likely to result in a 'high risk' to data subjects' rights and freedoms.

The full details of the proposal can be found here. Prior to the publication of the proposal, the EDPB and European Data Protection Supervisor adopted a letter stating they could "express preliminary support to this targeted simplification initiative, bearing in mind that this would not affect the obligation of controllers and processors to comply with other GDPR obligations." The letter is here.

 

Italian Data Protection Authority issues fine to Replika AI chatbot creator

The Italian data protection authority, Garante, has fined Luka Inc, the creator of the Replika chatbot, EUR 5 million for failing, in February 2023, to identify a legal basis for its processing operations. Garante has also opened a separate investigation to verify the processing of personal data carried out by the generative AI system at the heart of the Replika service.

The press release from the Garante is here (in Italian).

 

Data & Privacy Developments

Data Protection Commission issues statement on Meta AI

The Irish Data Protection Commission has issued a statement in response to Meta's plans to begin training its generative AI model(s) using public content shared by adults on Facebook and Instagram across the EU/EEA from the end of May 2025. The statement notes that Meta has implemented a number of measures and improvements in response to requests from the DPC such as updated transparency notices, simplified Objection Forms, and updated risk assessments. The DPC will require Meta to compile a report on these measures and safeguards, expected in October 2025.

The DPC statement is here.

 

First representative action in Ireland commenced against Microsoft

The first action has been commenced in Ireland under legislation introduced to transpose the EU Representative Actions Directive into Irish law.

The Irish Council for Civil Liberties has been granted permission by the High Court of Ireland to pursue Microsoft in respect of its online advertising business. The claim is pursued in respect of Microsoft's Real-Time Bidding advertising system, which is alleged to expose users to 'malicious profiling and discrimination'. The ICCL is pursuing the action on behalf of all affected people in Ireland.

The ICCL press release is here.

 

ICO issues reprimand to local authority following exposure of personal information

The ICO has reprimanded the London Borough of Hammersmith and Fulham following the exposure of the personal data of over 6,500 people over a period of two years. The breach occurred following a Freedom of Information request which resulted in the publication of a number of hidden Excel workbooks which contained personal information. The Reprimand sets out a number of recommendations, including use of the ICO's sign-off checklist when releasing Excel spreadsheets and considering whether material for disclosure should be signed off by a manager.

The ICO press release is here, and the full Reprimand is here.
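An added pre-release check, as example code that is not part of the reprimand, the ICO's checklist or the council's process: an .xlsx file is a zip archive, and anything Excel hides from the tab bar is still shipped inside it. The script opens a workbook without Excel, lists every worksheet whose state in xl/workbook.xml is hidden or veryHidden, and counts hidden rows and columns in each worksheet part. It builds its own minimal sample workbook containing only the parts it reads (a real file also carries [Content_Types].xml, relationship parts, shared strings and so on), so it runs offline; the sheet names and cell contents are constructed for the demonstration.

```python
"""Pre-release check for hidden content in an .xlsx workbook.

Added example, not from the bulletin or the ICO reprimand. Reads the OOXML
parts directly, so it works without Excel or third-party libraries.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": _MAIN}


def hidden_sheets(xlsx_bytes):
    """Return (name, state) for every sheet whose state is not 'visible'.

    'veryHidden' sheets do not appear in Excel's Unhide dialog at all, so a
    reviewer paging through the tabs will never see them.
    """
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    return [
        (s.get("name"), s.get("state", "visible"))
        for s in root.findall("m:sheets/m:sheet", NS)
        if s.get("state", "visible") != "visible"
    ]


def hidden_rows_and_cols(xlsx_bytes):
    """Map each worksheet part to (hidden row count, hidden column count)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for part in zf.namelist():
            if not (part.startswith("xl/worksheets/") and part.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(part))
            # OOXML booleans may be written as "1" or "true".
            rows = sum(1 for r in root.iter(f"{{{_MAIN}}}row") if r.get("hidden") in ("1", "true"))
            cols = sum(1 for c in root.iter(f"{{{_MAIN}}}col") if c.get("hidden") in ("1", "true"))
            if rows or cols:
                out[part] = (rows, cols)
    return out


def release_findings(xlsx_bytes):
    """Human-readable list of everything to resolve before the file is disclosed."""
    findings = [f"hidden sheet {name!r} (state={state})" for name, state in hidden_sheets(xlsx_bytes)]
    for part, (rows, cols) in hidden_rows_and_cols(xlsx_bytes).items():
        findings.append(f"{part}: {rows} hidden row(s), {cols} hidden column(s)")
    return findings


def build_sample_xlsx():
    """Constructed sample: a visible summary sheet plus a veryHidden sheet with a hidden row and column."""
    workbook = (
        f'<workbook xmlns="{_MAIN}" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets>'
        '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
        '<sheet name="Raw names" sheetId="2" state="veryHidden" r:id="rId2"/>'
        '</sheets></workbook>'
    )
    sheet1 = (
        f'<worksheet xmlns="{_MAIN}"><sheetData>'
        '<row r="1"><c r="A1" t="str"><v>Total</v></c></row>'
        '</sheetData></worksheet>'
    )
    sheet2 = (
        f'<worksheet xmlns="{_MAIN}">'
        '<cols><col min="3" max="3" width="9" hidden="1"/></cols>'
        '<sheetData>'
        '<row r="1"><c r="A1" t="str"><v>Name</v></c></row>'
        '<row r="2" hidden="1"><c r="A2" t="str"><v>A. Person</v></c></row>'
        '</sheetData></worksheet>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", sheet1)
        zf.writestr("xl/worksheets/sheet2.xml", sheet2)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in release_findings(build_sample_xlsx()):
        print("BLOCK RELEASE:", finding)
```

A check like this belongs in the sign-off step rather than in the reviewer's eyes: a manager opening the file sees only visible tabs, and veryHidden sheets are not offered by the Unhide dialog. The safer disclosure pattern is to export only the intended sheet to CSV or PDF, which drops hidden sheets, rows, columns, defined names and pivot caches in one step; this script does not look at the last two.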

 

ICO issues reprimand to Greater Manchester Police over CCTV failings

The ICO issued a reprimand to Greater Manchester Police for failing to ensure that appropriate technical and organisational measures were in place to protect against the accidental loss of CCTV data. In addition, GMP had failed to provide the complainant with their personal data without undue delay and within the applicable period of one month.

The ICO press release is here, and the full Reprimand is here.

 

ICO publishes consultation on updated guidance on encryption

The ICO is consulting on draft updated guidance on encryption. The consultation will remain open until 24 June 2025 and seeks respondents' views on encryption and data protection law. The ICO consultation page is here, and the updated guidance is here.

 

European Commission seeks feedback on protection of minors

The European Commission is seeking feedback on guidelines aimed at protecting minors online in line with the requirements of the Digital Services Act. The consultation period ends on 10 June 2025. The guidelines provide a non-exhaustive list of measures that platforms (excluding micro and small enterprises) can adopt including:

  • Implementation of age assurance measures to reduce exposure to age-inappropriate content
  • Children's accounts to be private by default
  • Enable children to block and/or mute any users and prevent the adding of children to groups without their explicit agreement

The press release and link to the guidelines for public consultation can be found here.

 

Cyber Developments

DSIT commences call for views on cyber security of enterprise connected devices

The Department for Science, Innovation and Technology (DSIT) has issued a call for views on the cyber security of enterprise connected devices. The call for views sets out a number of proposed interventions to improve the cyber security of enterprise connected devices, including the publication of a Code of Practice and legislation to enshrine some of that code into law.

The call for views defines enterprise connected devices as those used by organisations and/or their employees to process or hold an organisation's data. Devices that fall within scope of this definition include, but are not limited to, video conferencing systems, enterprise printers and room booking displays. The consultation will conclude on 7 July 2025, and details are here.

 

DSIT publishes Software Security Code of Practice

DSIT has published the Software Security Code of Practice, which has been developed to improve the security and resilience of software relied upon by businesses and organisations. The Code is the result of work by the NCSC with industry experts and was developed further following a public call for views in 2024. The Code of Practice contains 14 principles split across four themes: secure by design and development, build environment security, secure deployment and maintenance, and communications with customers.

The Code is part of the broader suite of cyber security guidance issued by DSIT in recent months, including the Cyber Governance Code of Practice, discussed by our cyber experts earlier this year, as well as our broader review of cyber security law in the UK.

 

European Commission issues opinion to Member States on NIS 2 implementation

The European Commission has issued a reasoned opinion to 19 Member States as a result of their failure to transpose the NIS 2 Directive into national law. Transposition should have taken place by 17 October 2024, in support of efforts to ensure a high common level of cyber security across the EU. The Member States have two months to respond and take the necessary measures, failing which the Commission may refer them to the Court of Justice of the European Union.

The Commission's press release is here.

In addition, five Member States have been referred to the CJEU for failing to designate and/or empower a national Digital Services Coordinator under the Digital Services Act, following a failure to take the necessary measures in response to letters of formal notice and reasoned opinions. The Commission's press release is here.

 

Legal Aid Agency cyber-security incident

The Ministry of Justice and Legal Aid Agency announced that an unknown group had "accessed and downloaded a significant amount of personal data" relating to applicants who applied for legal aid through the digital service, dating back to 2010. The government page providing updates on the incident is here, as is the Law Society page setting out information for affected members.

 

Cyber incidents impacting retailers

A number of retailers have been affected by a series of cyber incidents impacting their operations and supply chains. In response, the NCSC issued a statement confirming that it was providing support to the affected retailers. The NCSC CEO, Richard Horne, also issued commentary highlighting the reality of cyber risk faced by organisations, and urged organisations to follow NCSC guidance on preventing and responding to incidents.

The ICO statement on the incidents is here.

 

NCSC announces new ETSI standard to protect AI systems

The National Cyber Security Centre has confirmed the publication of two documents to detail transparent, high-level principles and provisions for securing AI. Published by the European Telecommunications Standards Institute, the NCSC worked with DSIT, and other governments and industry leaders to produce:

  1. A technical specification on 'Securing Artificial Intelligence (SAI); Baseline Cyber Security Requirements for AI Models and Systems'
  2. An accompanying technical report that helps stakeholders implement the cyber security provisions in the above specification, including examples mapped to various international frameworks

The NCSC press release is here.

 

Cyber Security Agencies release Best Practices in AI Data Security

A joint information sheet, titled 'AI Data Security: Best Practices for Securing Data Used to Train & Operate AI Systems' has been published by a group of agencies including the NCSC, the US National Security Agency, Australian Cyber Security Centre and New Zealand National Cyber Security Agency.

The information sheet sets out general best practices that organisations can implement to secure and protect the data used in their AI-based systems. The press release is here, and the full report is here.

 

Australia: Mandatory ransomware reporting requirements introduced

In Australia, from 30 May 2025, companies with an annual turnover of greater than AU$3 million must comply with the provisions of the Cyber Security Act 2024 relating to ransomware and cyber extortion payments.

Organisations will have 72 hours from the making of a ransomware or cyber extortion payment, by them or on their behalf, to make a report using the form on the Australian Signals Directorate website. This requirement captures both monetary and non-monetary payments (including the exchange of gifts, services or other benefits).

Further measures set out within the Cyber Security Act, such as mandatory security standards for smart devices, will be introduced later this year. The Australian Department of Home Affairs has published a factsheet detailing the new requirements.
