Our 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments from November 2025.
Case Law Updates
Farley v Paymaster: Application for permission to appeal made to the Supreme Court
A permission to appeal application has been lodged with the Supreme Court. This follows the groundbreaking Court of Appeal decision that no de minimis threshold applies to UK GDPR compensation claims and that fear of misuse of personal data can amount to non-material damage.
Details of the application can be found on the Supreme Court website.
Regulatory Developments
Cyber Security and Resilience Bill published
The Cyber Security and Resilience (Network and Information Systems) Bill has been introduced in Parliament, setting out a major overhaul of the UK regulatory framework underpinning the cyber defence of essential public services.
Colleagues from our cyber team have reviewed the measures included in the Bill, and how they fit in the wider UK ecosystem on cyber security.
EU Digital Omnibus package published
The European Commission has published the EU Digital Omnibus, a package of measures made up of two proposed regulations. The first covers data, cybersecurity and privacy measures, and the second sets out targeted simplification measures, amending the AI Act.
The Digital Omnibus proposals are the most recent in a series put forward by the Commission as part of their efforts to recalibrate and simplify certain EU rules to boost economic growth and reduce administrative burdens.
Colleagues from our Dublin office have reviewed the package of measures and summarised the key issues for our readers.
Cyber Resilience Act: Implementing act on technical descriptions related to important and critical products published
The European Commission has published an implementing regulation relating to the Cyber Resilience Act. The regulation sets out the technical description of the categories of important and critical products with digital elements. The regulation includes examples (but not an exhaustive list) of products with digital elements whose core functionality meets the technical description of certain important or critical products with digital elements.
These technical descriptions will be relevant from December 2027, when full applicability of the CRA takes effect. From that date, important and critical products must meet stricter requirements and undergo appropriate conformity assessment procedures.
Data & Privacy Developments
ICO publishes public sector approach
The ICO has published the policy to accompany its public sector approach. The approach is directed at improving data protection standards in the public sector, and the use of discretion when fining public authorities.
The full policy can be found here, as well as an accompanying blog from the Information Commissioner. The blog sets out that the public sector approach carries three advantages, namely: a focus on improvement rather than punitive action, minimising unintended consequences to public services and regulatory certainty.
However, a fine may be considered in the event of an 'egregious' infringement, which may be accompanied by factors such as actual or potential harm to people, the infringement being intentional or negligent, and other relevant or recent infringements by the same controller or processor.
Letter sent to Select Committee questioning ICO enforcement approach
A number of civil society organisations, academics and data protection experts have written to the Chair of the Select Committee for Science Information and Technology requesting an inquiry into the ICO's enforcement activity.
The letter highlights the decision not to investigate the Ministry of Defence following the Afghan data breach as an example of a broader trend of the ICO allegedly electing not to use its enforcement powers.
European Parliament approves non-binding resolution proposing minimum age for social media use
The European Parliament has approved a non-binding resolution calling for a harmonised digital minimum age of 16 for access to social media, video-sharing platforms and AI companions. The resolution calls on the Commission to ban addictive practices for minors such as harmful gamification, as well as to take action on persuasive technologies such as targeted ads.
In addition, urgent action was requested in respect of the ethical and legal challenges posed by AI tools such as deepfakes, AI agents and companionship chatbots. Details of the resolution can be found here.
Google submit proposals to European Commission to address antitrust rules breaches
Following the issue of a EUR2.95 billion fine against Google by the European Commission, the company has submitted a plan to change its adtech policy, which fell foul of the EU antitrust laws. The details of the fine can be found here.
Google's proposals address the Commission's decision but fall short of a divestment of the relevant parts of the business allegedly causing conflicts of interest. The plan proposes giving publishers the option to set different minimum prices for different bidders, and increasing the interoperability of Google's tools to give publishers and advertisers more choice and flexibility. Google's press release can be found here.
EDPB issues opinion regarding Brazil data adequacy decision
The European Data Protection Board has issued Opinion 28/2025 regarding the European Commission's draft adequacy decision for Brazil. The EDPB notes that the Brazilian data protection framework is closely aligned with GDPR and case law from the Court of Justice of the European Union.
However, the opinion suggests that the Commission monitor the practical implementation of various measures relating to the accountability principle and the requirements for data protection impact assessments.
EDPS issues guidance for EU institutions on risk management of AI systems
The European Data Protection Supervisor (EDPS) has issued a new guidance document designed to support controllers in the EU institutions in conducting data protection risk assessments when developing, procuring, and deploying Artificial Intelligence systems under Regulation 2018/1725.
The guide aims to provide valuable insights and practical recommendations to help identify and mitigate common technical risks associated with AI systems, helping to protect personal data.
Kenya close to EU adequacy decision
It has been reported by Privacy Laws and Business that Kenya is identifying gaps within its regulatory framework; it is anticipated that the European Commission will conclude that Kenya offers an adequate level of data protection in the near future.
Cyber Developments
Ministerial letter on cyber security issued to small businesses
A letter has been issued to Britain's small businesses calling upon them to take the necessary steps to protect their businesses from cyber attacks. The correspondence suggests that the companies use the Cyber Action Toolkit and Cyber Essentials resources developed by the National Cyber Security Centre.
The letter highlights statistics that suggest that over half of small businesses have suffered a cyber attack in the last 12 months. The letter can be found here.
Business and Trade Select Committee comments on state-backed cyber reinsurer
The Business and Trade Select Committee have published their 11th report, 'Towards a new doctrine for economic security'. Within it, the committee discusses the prospect of a state-backed reinsurer for cyber threats. Their recommendation is that "The Government should urgently consider expanding the scope of reinsurance schemes such as Pool Re to support private markets which enhance business resilience, particularly in respect of cyber threats."
The reference can be found on pages 69 and 70 of the report here.
ENISA publishes details of public administration risks
The EU agency for cybersecurity, ENISA, has published analysis stressing the targeting of EU public administrations by hacktivists through DDoS attacks.
The analysis highlights a number of key findings, including that DDoS attacks accounted for 60% of all incidents on public administrations and that central governments were the most targeted. Details of the analysis can be found here.
