This month in review:
February and March saw a wide range of data protection-related developments across the EU and UK:
In the EU, the Court of Justice of the European Union (“CJEU”) published an Opinion on pseudonymisation and clarified the information to be provided in relation to automated decisions. The European Commission ("EC") has published a blueprint for cyber security cooperation across Europe and guidance on AI prohibited practices and AI literacy, which has recently become applicable. The European Data Protection Board ("EDPB") has also published its 2025 Coordinated Enforcement Framework ("CEF"), focusing on the right to erasure (commonly known as the 'right to be forgotten'). Across Europe, we've also seen various enforcement action taken by the Polish Data Protection Authority ("DPA") for GDPR infringements and the intention to withdraw the ePrivacy Regulation. We also saw the publication of the European Health Data Space Regulation in the Journal of the EU. March also saw the Interactive Advertising Bureau ("IAB") submit a position paper on the EDPB’s pseudonymisation guidelines.
In the UK, the Data (Use and Access) Bill ("DUAB") has been progressing through the House of Commons and could potentially become law as soon as May. The Public Authority Algorithmic and Automated Decision-Making Bill is set to be transferred to the House of Commons for consideration. The ICO has published guidance on the use, sharing and retention of employment records, as well its new initiatives for economic growth in the UK. The Department for Science, Innovation and Technology ("DSIT") has also published a world-first Code of Practice for Cybersecurity for AI to form part of an emerging global standard. A new set of obligations set out under the Online Safety Act came into force placing a greater onus on the platforms providers to cut down on criminal content.
Our trends:
In the last two months, we have seen several trends emerge in the support that we have been providing to our clients – we've outlined some of these below so do reach out if you would like our support with any data protection-related issues:
- Deployment of tailored solutions – we've been supporting our clients with the deployment of tailored solutions to meet their legal and practical data protection needs – our legal team can partner with our Data Protection Extend & Accelerate team members to provide a high quality data protection service at a great cost. Please reach out to us for more details.
Our contents this month:
- Our events and articles
- General update
- Adtech and direct marketing
- AI and innovation
- Cyber, breach and ransomware
- Employment and data subject rights
- Data transfers
- Public sector
Our events and articles
Data Protection and Cyber Security Breakfast Briefings
In February and March, we hosted our monthly Breakfast Briefings where we delved into some of the recent developments in data protection across Europe and the UK. Key updates included the high-profile DSAR challenge in Ashley v HMRC. In case you missed them, you can watch the recording of the February session here, and the March session here.
Our next Breakfast Briefing will take place on Thursday 5 June from 9am to 10am, where we will be discussing some of the latest developments featuring our new “Headlines” section, “Deeper Dive” into some key developments and a “Quick Fire Round” answering some of your questions. If you would like to join this session live (and ask some of those questions!) please RSVP here, or contact your usual DWF contact or send an email to dpcs@dwf.law.
DWF Leaders joined NetDiligence Cyber Risk Summit 2025
During February, James Manari and Thomas Morse from our US Legal Operations team attended the NetDiligence Cyber Risk Summit in Miami. The three-day conference brought together over 100 thought leaders from cyber insurance, data security, technology and data breach law who explored emerging risks and trends in the cyber space. You can find out more information about the event
US : Cybersecurity Incidents in Education
The education sector in the US has observed a rise in targeted cybercrime due to these educational establishments storing large amounts of Personally Identifiable Information and Protected Health Information. The impacts of cyberattacks can range from the large-scale exposure of sensitive data, non-compliance with key regulatory bodies, system disruptions, financial implications, and reputational damage. These severe consequences can have short-term effects, such as regulatory fines and system downtime, and long-term effects such as the loss of credibility amongst staff, students and parents. You can read the full article here.
EU: DWF France explores the latest news of interest in technology and data.
The January-February 2025 edition of DWF's Technology and Data Insights delves into significant advancements and regulatory updates in AI and data protection. The French DPA, CNIL, has issued comprehensive recommendations to ensure AI systems comply with GDPR, stressing the importance of transparency, accountability, and safeguarding user rights. The EC has outlined guidelines on prohibited AI practices, aiming to prevent misuse and ensure ethical AI development. In the US, the Copyright Office has clarified its stance on protecting AI-generated content, highlighting the complexities of intellectual property in the digital age. Additionally, CNIL's strategic plan for 2025-2028 emphasises privacy by design, responsible AI development, and robust data protection measures to foster trust and innovation in the tech industry. You can find the full breakdown here.
UK: Artificial Intelligence: Navigating Risks for Insurance Leaders
Insurance leaders face unique challenges with AI, needing to manage risks both in their operations and for those they insure. The subject is broad, but some actionable ideas can help. Leaders need to establish capabilities to monitor regulatory developments to stay compliant and avoid fines or reputational damage. The rapid changes and differing regulatory approaches across regions add to the complexity. The full article is available here which addresses further risks and practical ideas.
General Updates
UK: ICO Introduces New Initiatives to Boost Economic Growth and Innovation
The ICO has announced several new measures to support the Government’s growth agenda. As part of its new measures, the ICO has committed to launching a free data essentials training programme for small businesses, piloting an experimentation regime for innovative data-driven solutions which will provide assurances that certain data protection requirements will not be enforced for this period, and introducing a statutory code of practice for AI development for both the private and public sector. These initiatives aim to boost business confidence, enhance technological advancement, and ensure data protection compliance while promoting economic growth.
UK: Illegal content obligations under the Online Safety Act come into force
On 17 March 2025, the Office of Communications ("Ofcom") announced that platforms covered by the Online Safety Act must now implement measures to swiftly remove illegal material and reduce the risk of priority criminal content. Providers must have conducted illegal harm risk assessments by 16 March 2025, to determine the likelihood of users encountering illegal content or how user-to-user services could facilitate criminal offences. Ofcom will evaluate platforms' compliance with these new obligations and take targeted enforcement action if necessary. They will prioritise sites that pose significant risks due to their size or nature. Additionally, Ofcom has launched an enforcement program to assess the safety measures taken by file sharing or storage providers to prevent the dissemination of child sexual abuse material. You can read the explanatory information from the Government here.
UK: Updates on the Data (Use and Access) Bill
Since our last article, the Public Bill Committee has proposed several amendments to DUAB – key changes include: raising the age of consent for children in the case of information society services; new obligations for operators of web crawlers and AI models to disclose certain information; and the requirement to provide an non-digital alternative to digital verification services (where practicable). The DUAB is yet to progress through the report stage, although there is anticipation that the Bill could become law as soon as May. The current version of DUAB can be found here.
The European Health Data Space Regulation (2025/327) was published in the Journal of the EU on 5 March 2025, and came into force on 25 March 2025. It complements many of the rights enshrined in the GDPR and allows subjects to obtain information on the healthcare provider who accessed their health data, the date and time data was accessed, and which data was accessed. It establishes and regulates the “primary use of data”, which includes treatment of patients, prescriptions, and related services, as well as the “secondary use of data”, which allows the health data to be “re-used” for research, innovation, policy making, and regulatory activities, all within a new electronic health record standardisation across the EU. Infringement of the Regulation could result in fines of up to €20 million or 4% of total worldwide turnover.
EU: IAB Associations submit position paper on EDPB pseudonymisation guidelines
The IAB associations have criticised the EDPB's Guidelines 1/2025 on pseudonymisation, on the basis that they overreach and misinterpret the EU GDPR. They recommend issuing consolidated guidance, withdrawing the guidelines to avoid legal uncertainty, aligning pseudonymisation understanding with current CJEU case law, encouraging technological innovations, and providing more actionable examples. You can read the article here.
EU: Polish DPA imposed over €1m worth of fines for GDPR infringements
The EDPB has published several decisions from the Polish DPA to fine organisations for various infringements of the GDPR. These included: a €928,498 fine to a bank that had failed to inform data breach victims; fines of €81,000, €5,700 and €5,625 to companies which had failed to implement appropriate technical and organisational measures to ensure security; fines of €19,800 and €6,800 to organisations which had failed to notify a personal data breach to the Supervisory Authority; and a fine of €5,814 to a company that had failed to designate a Data Protection Officer, publish their contact details and notify the Supervisory Authority.
EU: CJEU publishes AG opinion on pseudonymisation
On 6 February 2025, the CJEU published its Opinion in which it reiterated the position that pseudonymised data is personal data and, therefore, falls within the scope of the GDPR, if the data subject remains identifiable, irrespective of the accessibility of the additional identification data. The CJEU stated "it is only where the risk of identification is non-existent or insignificant that data can legally escape the classification as personal data".
EU: CJEU issues decision on data controller status
The CJEU received a request from the Supreme Administrative Court in Austria for a preliminary ruling on whether an auxiliary administrative entity without legal personality or a legal capacity, was a data controller. In the main dispute, the Office of the Tyrolean State Government (an auxiliary administrative entity without legal personality or legal capacity) was found to have unlawfully processed the personal data of residents for COVID-19 vaccination reminder letters. In its judgment, the CJEU held that such an auxiliary administrative entity (without a legal personality or legal capacity) can in fact be a data controller, if (i) it can fulfil those obligations and (ii) the relevant national law clearly defines the extent of data processing that the entity oversees.
EU: CJEU clarifies calculation of GDPR fines for undertakings
In Case C-383/23 the CJEU emphasised that fines issued to an 'undertaking' under the GDPR should be calculated based on its total worldwide group annual turnover to be "effective, proportionate, and dissuasive".
Adtech and direct marketing
UK: New Direct Marketing Advice Generator from the ICO
The ICO has published a direct marketing advice generator which is designed to help companies comply with the Privacy and Electronic Communications Regulations and the UK GDPR when considering sending direct marketing messages to individuals or organisations. The generator comprises a series of 'yes or no' questions and is currently in its beta phase, so it is still being tested and ICO is keen to receive user feedback. We would note that this is a complex area and especially where organisations have already made policy decisions around their approach to direct marketing specific advice should be sought.
UK: ICO issues enforcement notice against Smart Home Insured Limited for unsolicited direct marketing calls
On 25 February 2025, the ICO issued an enforcement notice to Smart Home Ensured Limited (“SHEL”) for making over 14,500 unsolicited direct marketing calls to individuals registered on the Telephone Preference Service (“TPS”) between 4 July 2023 and 24 August 2023. SHEL was ordered to cease calls to TPS subscribers as well as those who have indicated that they do not want to be called, and ensure that all recipients of their direct marketing communications are provided with the name of the person calling and, upon request, an address or telephone number on which they can be reached free of charge.
The Advocate General ("AG") of the CJEU published its opinion on Case C-654/23 regarding the preliminary ruling against Inteligo Media in Romania, which was then overturned by the Court of Appeal. Inteligo Media was fined by the Romanian DPA for the unnecessary processing of personal data by distributing direct marketing emails under Articles 5(1), 6(1) and 7 of the GDPR. The AG interpreted Article 13(2) of the ePrivacy Directive to specify that email addresses obtained during online account creation can be used to send daily newsletters for direct marketing purposes. The AG clarified that Article 13(2) of the ePrivacy Directive sufficiently deals with consent and that the lawful bases under Article 6(1) of the GDPR are not relevant in this context. You can read the opinion of the AG here.
AI and innovation
UK: DSIT publishes its Code of Practice for the Cyber Security of AI
DSIT has published a world-first cyber security standard 'Code of Practice for the Cyber Security of AI', which is designed to "protect AI systems from cyber threats, securing the digital economy". The voluntary code outlines measures to enhance AI security and forms the foundation for an emerging global standard. You can read the press release here and the Code of Practice in full here.
UK: Treasury Committee opens consultation on its inquiry into AI in financial services
On 3 February 2025, the UK Treasury Committee initiated an inquiry into AI in the financial services industry, focusing on its benefits, risks and regulatory balance. The consultation process, which closed on 11 April 2025, aimed to understand how AI can be utilised whilst protecting consumers against potential risks. The inquiry focuses on the application of AI in various areas of financial services, including retail banking, investment banking, insurance, and pensions. It also seeks evidence on AI’s impact on productivity, financial stability and consumer protection, especially for vulnerable customers. You can read the press release here and access the submission page here.
UK: Overview of the UK's draft AI Regulation Bill
The UK's AI Regulation Bill was introduced to the UK Parliament on 4 March 2025. If passed, it will establish an AI Authority to oversee AI regulation, ensuring ethical standards, transparency, and accountability. The Bill as drafted currently mandates businesses to appoint a designated AI officer and sets principles for AI use, including safety and fairness. It also defines AI as technology approximating cognitive abilities, including generative AI, and allows for the creation of offences and imposition of penalties for enforcement. This marks a significant step towards responsible AI governance in the UK.
EU: Advancing Responsible AI Procurement: Updated EU AI Model Contractual Clauses
The updated EU AI model contractual clauses mark a significant advancement in responsible AI procurement. These clauses, aligned with the EU AI Act adopted on 13 June 2024, offer comprehensive guidelines for both high-risk and non-high-risk AI solutions. The full version caters to high-risk AI, while the customisable light version is designed for non-high-risk AI. Accompanying these clauses is a detailed commentary providing practical guidance on their application and customisation. This update aims to enhance trustworthiness, fairness, and security in AI-enabled solutions. Translations of the clauses will be available soon.
EU: The AI Act's provisions on AI literacy and AI prohibited practices became applicable, followed by EC guidance
On 2 February 2025, Articles 4 and 5 of the EU AI Act became fully applicable. As a reminder, Article 4 imposes obligations on providers and deployers of AI systems to ensure that the intended users have sufficient knowledge and understanding of how the system works. Article 5 sets out number of practices that are prohibited due to the level of risk they pose to individuals.
On 4 February 2025, the EC released guidelines clarifying prohibited artificial intelligence practices under the AI Act. These guidelines define key terms such as 'placing on the market,' 'putting into service,' and 'use,' and also clarify the roles of providers and deployers. Exclusions from the AI Act's scope include national security purposes, judicial co-operation, and AI systems used for research, testing, or development before being placed on the market. AI systems used for medical, or safety reasons are not subject to the prohibition under Article 5 of the EU AI Act.
EU: CJEU mandates explanation of automated decision-making logic
In Case C-203/22, the CJEU reiterated that data subjects are entitled to "meaningful information about the logic involved" in decisions made about them by automated means, including profiling. The CJEU also held that where a data controller is concerned that this information contains third party data or would reveal trade secrets, it must provide the information to the competent Supervisory Authority which must then determine whether the information should be disclosed to the data subject having balanced the "rights and interests at issue".
EU: CJEU receives a request for a preliminary ruling on AI Act
In Bulgaria, the Sofia District Court referred to the CJEU for a preliminary ruling on several questions relating to automated decision-making, including whether consumers have the right to know the algorithm and parameters of automated invoicing, whether automated decisions can be reviewed by a human and the extent to which the requirements of the EU AI Act apply to AI systems in consumer contracts. The CJEU's decision is awaited.
EU: EC intends to withdraw ePrivacy Regulation and AI Liability Directive
On 11 February 2025, the EC announced its decision to withdraw the ePrivacy Regulation and AI Liability Directive, citing outdated proposals and a lack of foreseeable agreement among co-legislators. The ePrivacy Regulation, aimed at governing privacy and electronic communications, was deemed obsolete due to recent technological and legislative advancements. In its announcement, the EC introduced the AI Continent Action Plan to cover AI factories and the Apply AI strategy.
EU: European Parliament Research Services ("EPRS") publishes a report on algorithmic discrimination under AI Act and GDPR
The EPRS has published a report which highlights the legal challenges between the AI Act and the GDPR regarding algorithmic discrimination, emphasising the need for legislative reform or guidance to address uncertainties. The EPRS noted that the processing of special category data under the EU AI Act should be aligned with the more rigorous requirements of the GDPR (including implementing robust cybersecurity measures, adherence to the data protection principles, the necessity requirement, and ensuring at least one of the Article 9 conditions is satisfied).
International: DPAs sign joint declaration on building data governance framework for AI
On 11 February 2025, the Office of the Australian Information Commissioner announced that data protection authorities from Korea, Ireland, France, and the UK have signed a joint declaration to reaffirm their commitment to establishing data governance that fosters innovative and privacy-protective artificial intelligence. The declaration acknowledges the significant opportunities AI presents across science, the economy, and society, while also recognising the risks such as privacy violations, discrimination, misinformation, and AI hallucinations caused by improper data processing.
UK: ICO publishes third edition of Tech Horizons Report
The ICO’s third edition of the Tech Horizons Report was published in February 2025, which examines four technologies that are likely to be adopted in the next two to seven years:
- Connected transport – which transforms how vehicles operate with the environment and people;
- Quantum sensing and imaging – which improves sensors and imaging, especially in healthcare and medical research;
- Digital diagnostics, therapeutics, and healthcare infrastructure – which includes smart pills, digital twins, and AI assisted diagnostics;
- Synthetic media and its detection – that is, how AI generated images and audio can be detected.
Cyber, breach and ransomware
EU: EC publishes draft cybersecurity blueprint for enhancing EU cyber crisis coordination
On 24 February 2025, the EC unveiled a new cybersecurity blueprint aimed at enhancing EU cyber crisis coordination. The proposal updates the EU framework for Cybersecurity Crisis Management, outlining roles for relevant actors throughout the crisis lifecycle. It emphasizes preparedness, detection, response, and recovery from large-scale cyber incidents. The blueprint also promotes collaboration between civilian and military entities, including NATO, and aligns with recent initiatives like the Critical Infrastructure Blueprint.
EU: EC launched public consultation on Cyber Resilience Act ("CRA") Implementing Regulation
On 13 March 2025, the EC launched a public consultation to seek feedback on the draft Implementing Regulation for the CRA. The Implementing Regulation highlights that important products with digital elements are subject to stricter assessments than other products with digital elements. It also provides examples of products with digital elements whose core functioning fits the description of critical products with digital elements. The list of examples provided is only illustrative and a full list can be located under Annexes III and IV of the CRA. The press release and access to the draft Implementing Regulation can be located here.
EU: European Union Agency for Cybersecurity ("ENISA") publishes NIS360 report on criticality of NIS 2 sectors
On 5 March 2025, the ENISA published the NIS360 report on cybersecurity maturity under the NIS 2 Directive. Key recommendations included enhancing sector collaboration, developing sector-specific guidance for NIS 2 implementation, and aligning cross-border requirements. The report also identified electricity, telecoms, and banking as the most mature sectors, while digital infrastructures were less mature. Sectors at risk included ICT service management, space, public administration, maritime, health, and gas. You can read the press release here.
EU: Cybersecurity Solidarity Act enters into force
On 4 February 2025, the Cybersecurity Solidarity Act took effect following its adoption by the Council of the European Union and its publication in the Official Gazette of the European Union. The Act aims to enhance the EU’s response to cybersecurity threats by establishing a European Cybersecurity Alert System, a Cybersecurity Emergency Mechanism and a European Cybersecurity Incident Review Mechanism. The Act addresses different phases of cybersecurity threats, including detecting and preparing for threats, responding to live threats, and reviewing and assessing threats after their occurrence.
UK: The ICO fines an IT software company £3.07M for failing to implement appropriate data security measures.
The ICO has fined Advanced Computer Software Group Ltd for inadequate data security, leading to a ransomware attack in August 2022. Hackers accessed systems via a customer account that did not have multi-factor authentication, compromising the personal data of around 80,000 people. The fine was reduced from an initial £6.09 million due to the company’s cooperation with authorities and mitigation efforts. You can read the monetary penalty notice here.
Employment and Data Subject Rights
UK: ICO publishes guidance regarding managing employment records
On 20 February 2025, the ICO released guidance on keeping and using employment records. This guidance assists employers in managing employment records and complying with their obligations under the UK GDPR and the Data Protection Act 2018, including the challenges with relying on a worker's consent, the right of subject access and the circumstances in which employee information can be shared.
UK: Government launches consultation on data intermediaries
On 17 March 2025, the DSIT announced the UK Government's consultation on data intermediaries. Input sought by the consultation relates to areas such as the exercise of data subject rights, the delegation of those rights to third parties, and the activity of data intermediaries, as well as the wider regulatory framework for these activities. Details on the call for evidence and DSIT’s publication can be found here.
Ireland : The Data Protection Commission ("DPC") publishes a blog on handling of DSARs
On 7 March 2025, the DPC (Ireland's data protection regulator) published a blog on the rules around handling DSARs and providing the mandatory information required by Article 15 of the GDPR. It also shares an insight into how the DPC considers complaints from data subjects, whilst respecting particular sensitivities and balancing the rights of all parties involves. At the end of the blog, the DPC reminds organisations that it is available to discuss and advice organisations on the best approach to respond to a DSAR. You can find the full publication here.
EU: EDPB launches its Coordinated Enforcement Framework (“CEF”) action for 2025, focusing on the right to erasure
On the 5 of March 2025, the EDPB launched its CEF for 2025 on one of the most frequently exercised, and complained about, data subjects’ rights, the right to erasure. 32 EU-based DPAs will voluntarily participate in this initiative and will be contacting several controllers across Europe and assessing their practices in handling such requests from data subjects. The findings will be shared in an aggregated form to provide a deeper insight into how this particular right is managed.
EU: GDPR and transgender identity: rectifying gender identity data cannot be contingent on proof of surgery
On 13 March 2025, the CJEU ruled that when a data subject is exercising their right to rectification, they may be required to provide relevant and sufficient evidence to verify the inaccuracy of the data. However, the exercise of such right cannot be made conditional upon the production of evidence of gender reassignment surgery. Details of the ruling can be found here.
Data Transfers
UK: ICO finds UK Government's assessment of LE adequacy for the Isle of Man reasonable
In its Opinion, the ICO agreed with the UK Government's assessment that the Isle of Man provides adequate data protection for law enforcement processing.
Public Sector
UK: Public Authority Algorithmic and Automated Decision-Making Systems Bill ("Bill")
The Bill), which was introduced to UK Parliament in September 2024, has passed its third reading in the House of Lords and will now be transferred to the House of Commons for consideration. The Bill aims to regulate the use of algorithmic and automated tools in public decision-making, mandates data protection impact assessments and implement appropriate transparency standards to mitigate risks such as bias and discrimination. We will provide further updates as the Bill progresses through Parliament.
EU: EPRS publishes document on challenges to UK data adequacy
, the EPRS published a document titled 'Navigating challenges to UK data adequacy' which discusses the potential challenges to the renewal of the UK's data adequacy decisions due to legislative changes; the pending DUAB and the Investigatory Powers (Amendment) Act have been amended, causing concern from critics. You can read the EPRS document here.
EU: EC publishes draft extension of UK adequacy decision
The EC has published a draft technical extension of the UK's data adequacy under the GDPR and the Law Enforcement Directive ("LED") until 27 December 2025. This extension follows the EC's previous conclusion that the UK ensures an adequate level of protection for personal data transferred from the EU to the UK. The extension will allow the EC to assess whether the UK continues to provide this level of protection. You can read the draft technical extension of adequacy under the GDPR here, and the draft technical extension of adequacy under the LED here.
Public sector
UK: The global consequences of Apple’s iPhone encryption dispute and the potential effects on the US
Privacy advocates are concerned about the UK’s demand for Apple to create a ‘backdoor key’ for encrypted data under the Investigatory Powers Act, which resulted in Apple removing its Advanced Data Protection feature for 35 million UK iPhone users. Apple has appealed the UK’s order under the act, and experts warn that the loss of end-to-end encryption poses significant security risks. Experts are also concerned that the situation may embolden the “Five Eyes” nations to make a similar demand of Apple, potentially weakening global security. Additionally, there is apprehension about the potential impact on the US/UK Privacy Shield. You can read the article here.
Meet the Team – JP Buckley
JP is a Partner and Regional Leader of the Data Protection & Cyber Security Team at DWF. JP undertakes a wide range of information law work including data protection, complex, contentious and volume DSARs (data subject access requests), AI, cyber, e-commerce, direct marketing and freedom of information/EIR - and has cross-sector experience in these areas. He also has extensive experience in IT outsourcing, overlapping with his data privacy practice.
JP delivers project, advisory and transactional work in these areas, with particular highlights being data protection compliance reviews, policy/process creation and dealing with ICO investigations and data breach reporting.
JP especially enjoys hosting and providing training sessions in data privacy, where he regularly provides clients, our teams and the wider business community with tailored, relevant advice and practical guidance, bring his topic area to life with practical, memorable examples. He ensures that the wider team is aware of data protection issues so that these can be proactively resolved before they become breaches.
