By Jade Kowalski, Charlotte Halford, Peter Given & Hans Allnutt


Published 01 April 2025

Overview

Our 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments from March 2025.

Firstly, we are delighted to invite readers to an in-person seminar on 6 May 2025 in our London office, which will unpack the evolving world of cybersecurity law and practice by focusing on three key areas:

  • Understanding the regulatory framework – An introduction to UK and EU cybersecurity law, including NIS 2, DORA, and the forthcoming UK Cyber Security and Resilience Bill.
  • The impact of AI on cybersecurity – An overview of how artificial intelligence is shaping cybersecurity risks, regulatory responses and key legal considerations for risk management and compliance.
  • Security provisions in commercial contracts – A practical guide to identifying and negotiating critical provisions in information and data security clauses within commercial agreements.

Click here to sign up.

We are also pleased to direct readers to episodes 3 and 4 of our podcast, the Data, Privacy and Cyber Digest, covering issues of importance in the data and privacy landscape.

 

High-risk AI systems - Preparing for the year ahead

2025 will be a key year for organisations preparing for the phased requirements of the EU AI Act. With provisions relating to "high-risk" AI systems effective from 2 August 2026, this podcast episode guides you through the actions you should be taking over the course of 2025 to prepare. DACB partner Chris Air and BLD partner Dr. Alexander Beyer discuss what high-risk AI systems are, what the key obligations are for deploying a high-risk AI system, and what timelines need to be considered for deployment.

The podcast can be accessed here.

 

AdTech - The accelerating exposure from online tracking technologies

DACB partners Charlotte Halford and Rowena McCormack provide an overview of the current AdTech landscape through a privacy lens, including recent regulator activity, and consider projections for the next six months. Together, they explain what AdTech is and why it raises privacy concerns, and offer some practical tips for compliance with AdTech regulations.

The podcast can be accessed here.

 

Contents

  1. Case Law Updates
  2. Regulatory Developments
  3. Data & Privacy Developments
  4. Cyber Developments

 

Case Law Updates

Stuart Angel & Ors v Black Horse Limited [2025] EWHC 490 (KB)

The High Court has handed down a decision in an appeal relating to 'omnibus claim forms', being a single claim form issued by many claimants. The first instance decision had ordered that each of the claimants in question was required to issue a separate claim form; this was overturned on appeal, with the High Court issuing guidance on the use of omnibus claim forms.

Although this specific decision related to ongoing motor finance claims, our detailed analysis article on omnibus claim forms considers the wider impact of this decision on mass data breach claims.

 

Meta Platforms Ireland Limited v The Data Protection Commissioner [2025] IECA 60

The Irish Court of Appeal has overturned a 2024 High Court decision which prevented Meta from appealing a Data Protection Commission decision ("the Decision") relating to breaches of GDPR, which included the imposition of a €265 million fine.

The High Court had ordered that the proceedings be adjourned to allow for the outcome of proceedings in the Court of Justice of the European Union brought by Meta in respect of a €225 million fine imposed on WhatsApp (referred to below). The High Court stated that awaiting the CJEU outcome would allow it to apply the CJEU's interpretation of the relevant provisions of the GDPR, and "thus avoid any risk of conflicting rulings."

The Court of Appeal found that the GDPR required that the challenge to the Decision's validity be brought in the Irish courts, and that any queries regarding the interpretation of GDPR should be made by reference to the CJEU. The decision to adjourn prevented the progress of the Irish proceedings and deprived the parties of an effective remedy as required by Article 78 of the GDPR. The Court of Appeal judgment can be found here.

 

Opinion of Advocate-General Ćapeta in WhatsApp Ireland Ltd v European Data Protection Board (C-97/23 P)

Earlier this year, the General Court clarified the authority of the EDPB to compel lead supervisory authorities to open new investigations in certain circumstances. The decision prevented WhatsApp from seeking to overturn a binding EDPB decision which had increased a fine proposed by the Irish Data Protection Commission to €225 million. The General Court decision is subject to appeal.

Advocate-General Ćapeta has provided an Opinion stating that the General Court decision should be overturned. The Opinion states that the correct approach was to consider whether the EDPB decision could bind the DPC's final decision, as opposed to whether the EDPB decision qualified as a 'challengeable act' by WhatsApp. The Opinion concludes that the CJEU should refer the action back to the General Court for a further decision on the merits. The Opinion in WhatsApp can be found here.

For clarity, opinions of Advocates-General are not binding on the CJEU, but they are often followed by the court when judgment is handed down.

 

Opinion of Advocate-General Sanchez-Bordona in IP v Quirin Privatebank AG (C-655/23)

Following a referral to the Court of Justice of the European Union by the German Federal Court of Justice, Advocate-General Sanchez-Bordona has provided an Opinion concluding that a data subject is entitled to bring an action for an injunctive order preventing a data controller from processing data, in order to prevent repeat infringements of the GDPR.

The data subject in question had his personal information disclosed to an unrelated third party during a recruitment selection process for a bank. The data subject had sought an order preventing the bank from processing his personal data relating to the selection process in the future. The Opinion in IP v Quirin can be found here.

 

Regulatory Developments

European Commission proposes UK adequacy decision extension of 6 months

Two adequacy decisions made by the EU in respect of the UK are due to expire on 27 June 2025, and the progression of the Data (Use and Access) Bill ("DUA Bill") raised concerns about their renewal. In order to allow the legislative process for the DUA Bill to conclude, and to allow an assessment of the new legal framework, the Commission has proposed an extension of the existing adequacy decisions to 27 December 2025. The draft extension document can be found here. The draft extension decisions have been referred to the European Data Protection Board for its opinion, and once approved, the extension will become valid.

 

Data (Use and Access) Bill progresses to report stage in House of Commons

The DUA Bill has passed committee stage in the House of Commons and will now progress to report stage, with the date to be confirmed. A number of amendments made during discussions in the House of Lords were removed during committee stage.

Of note for data protection practitioners, a Lords amendment introducing a public interest test for scientific research was removed. The Minister for Data Protection and Telecoms, Chris Bryant, commented that "Such a test would be a new burden on many researchers… [and] could have a chilling effect [on research]."

A further Lords amendment establishing transparency requirements on the use of web crawlers and the specific works scraped was also overturned. The Minister stated that the introduction of transparency requirements would require some form of enforcement, and that the Information Commissioner did not have the "expertise or resources" to wield that power. Instead, it was suggested that this was a question for a proper primary legislation process, rather than an addendum to the DUA Bill.

The DUA Bill as amended in Public Bill Committee can be found here.

 

Amazon unsuccessful in challenging €746 million fine in Luxembourg

In June 2021, the data protection authority in Luxembourg (the CNPD) issued a fine of €746 million against Amazon following infringements of GDPR, which at the time represented the largest GDPR fine issued in the European Union. Amazon appealed the decision, with a hearing taking place before the Luxembourg Administrative Tribunal in January 2024. Handing down its decision in March 2025, the Tribunal rejected the appeal and upheld the original decision, meaning the fine and other corrective measures imposed will stand, albeit subject to any further appeal. The CNPD confirmed that the effects of the decision will remain suspended during the appeal period, and during any subsequent appeal procedure.

The press release from the CNPD confirming the decision, along with a link to the Administrative Tribunal decision (in French) can be found here.

 

Private Members Bill on AI introduced in the House of Lords

A new Private Members' Bill, the Artificial Intelligence (Regulation) Bill, has been introduced into the House of Lords. The Bill was introduced during the previous Parliamentary session but was not concluded due to the 2024 General Election. If passed, the Bill would establish a new body, the AI Authority, which would have various functions to help address AI regulation in the UK. The current version of the Bill, and its Parliamentary progression, can be followed here.

It should be noted that few Private Members' Bills become law but, by creating publicity around an issue, they may affect legislation indirectly, and the introduction of these Bills reflects certain concerns around the use of AI systems. The Bill will create further discussion on the need for further government intervention in this space.

 

European Commission opens infringement proceedings in respect of DORA

The European Commission has announced it has opened infringement procedures against 13 Member States for failing to transpose the Digital Operational Resilience Act (DORA) fully into national law.

Letters of formal notice will be sent to those Member States, giving them two months to respond, complete their transposition of DORA, and notify their measures to the Commission. In the absence of a satisfactory response, the Commission may choose to issue a reasoned opinion.

 

Data & Privacy Developments

Settlement of O'Carroll v Meta privacy action

In 2022, the privacy campaigner Tanya O'Carroll issued proceedings against Meta challenging whether targeted advertising systems used on Facebook involved the processing of her data for direct marketing purposes. Prior to an expected trial, the parties confirmed that a settlement had been reached, with Meta agreeing to stop directing targeted adverts to Ms O'Carroll based on her data.

A press release issued by the legal representatives of Ms O'Carroll can be found here. Having made its own submissions to the court as part of the action, the ICO issued a statement following the settlement, confirming that "People have the right to object to their personal information being used for direct marketing, and [the ICO has] been clear that online targeted advertising should be considered as direct marketing."

The outcome has prompted further discussions of whether Meta will introduce a paid ad-free tier of its platforms in the UK, referred to as 'consent or pay' models. Earlier this year, the ICO laid out the framework of factors that organisations must consider when identifying if a 'consent or pay' model meets the standard of consent. The full suite of guidance can be found here.

 

FCA and ICO to host roundtable on challenges faced in deploying AI in financial services

The FCA and ICO published a joint letter to trade association chairs and CEOs, in response to recent surveys about business confidence on the development of AI.

The regulators will be hosting a roundtable with industry leaders on 9 May covering:

  • The broad areas of regulatory uncertainty and challenge in respect of AI adoption and wider innovation
  • How the ICO and FCA can work together with industry to provide greater regulatory certainty and support growth, and
  • The specific areas of data protection and financial regulation in which greater regulatory support is needed to enhance innovation and adoption of new technologies

 

ICO publishes anonymisation and pseudonymisation guidance

The ICO has published guidance on the issues of anonymisation and pseudonymisation. The guidance is intended to assist all organisations that wish to anonymise personal data, by identifying the issues that should be considered in order to use anonymisation techniques effectively. Similarly, the guidance also offers clarity on those pseudonymisation techniques which can be used to replace, remove or transform personal data.

The guidance can be found here, and the ICO is hosting a webinar to clarify the guidance on 22 May 2025.

 

ICO announces investigations into use of children's personal data

The ICO has announced a number of investigations into how social media and video sharing platforms are using the personal data of children residing in the UK. The investigations are directed at how platforms use personal information to deliver recommendations and suggested content, and the use of age assurance measures.

The investigations will initially consider whether there have been any infringements of data protection legislation, with any further steps to be taken if necessary.

 

ICO announces new measures to support UK growth

The ICO has announced it has committed to a number of measures to support the Government's growth agenda. The measures include:

  • Publication of free data essentials training for small business
  • Piloting an experimentation regime to enable businesses to trial data-driven solutions
  • Introduction of a statutory code of practice for businesses in the public and private sector developing or deploying AI, and
  • Publication of new guidance on international transfers of data

The ICO press release can be found here.

 

Privacy International issues challenge to UK Government order for Apple data access

Privacy activists including the groups Privacy International and Liberty have issued a legal challenge following reports that the Home Secretary served a Technical Capability Notice under the Investigatory Powers Act on Apple. The reports followed the decision by Apple to remove Advanced Data Protection (ADP) encryption for UK users.

The Liberty press release on the challenge can be found here.

 

EDPB adopts statement on implementation of Passenger Name Record Directive

The EDPB has issued its second statement on the implementation of the Passenger Name Record Directive, following a 2022 CJEU judgment which held that the Directive must be interpreted as including important limitations on the processing of personal data.

The statement provides recommendations on key aspects such as how European countries should select the flights from which PNR data is collected, or how long PNR data should be retained. The EDPB statement can be found here.

 

EDPB launches coordinated enforcement on the right to erasure

The EDPB has launched its Coordinated Enforcement Framework (CEF) action for 2025, shifting focus to the right to erasure or the "right to be forgotten" as set out within Article 17 GDPR.

The EDPB noted that this is one of the most frequently exercised GDPR rights, and one about which data protection authorities frequently receive complaints from individuals. As part of this launch, 32 data protection authorities across Europe will contact controllers and consider how they handle and respond to requests for erasure. The EDPB press release confirming the new CEF is here.

 

Cyber Developments

UK Government publishes response on software vendors code of practice

The Government has published its response to the call for views on the code of practice for software vendors, which forms part of the modular approach adopted to cyber security, including codes of practice for AI and cyber governance. The draft code for software vendors was published by the Department of Science, Innovation and Technology (DSIT) in May 2024 as part of a call for views. In its response, the Government confirms that minor edits will be made before the code is published in 2025, providing further clarity on the content. Further work on areas such as implementation guidance and an assurance regime will be developed between DSIT and the National Cyber Security Centre.

The full response to the call for views can be found here, and our March article on further recent updates in respect of two other key codes of practice (AI and governance) can be found here.

 

NCSC publishes roadmap for post-quantum cryptography migration

The NCSC has issued new guidance to protect organisations against future quantum computing threats. The guidance emphasises the importance of post-quantum cryptography, which is designed to resist attacks by quantum computers, and proposes a three-phase timeline for key sectors and organisations to complete the transition by 2035.

The NCSC press release can be found here.

 

Automotive vehicles excluded from PSTI regime

Updated regulations have now taken effect confirming that certain categories of vehicles are excluded from the Product Security and Telecommunications Infrastructure (PSTI) Act regime. The regulations are intended to ensure that undue burden is not placed on the automotive industry, as the Government intends to bring forward sector-specific regulatory frameworks to address the cyber security of certain vehicles, such as connected and autonomous vehicles.

The following vehicles are now exempt:

  • passenger vehicles, commercial goods vehicles and trailers
  • two- and three-wheeled vehicles and quadricycles
  • agricultural and forestry vehicles

The updated guidance published in March can be found here, and the Regulations can be found here.
