United Kingdom
Scottish Charity Birthlink Fined £18,000 for Destroying Irreplaceable Personal Records
- Scottish charity Birthlink was fined £18,000 by the ICO. The fine was issued for the unlawful destruction of approximately 4,800 personal records, with up to 10% of these records being irreplaceable.
- The destroyed records included highly sensitive and personal documents such as handwritten letters from birth parents, photographs, and copies of birth certificates, which were vital for individuals seeking to understand their family histories and identities.
- The ICO’s investigation found that Birthlink had a limited understanding of data protection obligations, lacked appropriate policies and procedures, and had not adequately trained its staff.
- Since the breach, Birthlink has taken steps to improve its data protection practices, including digitally recording and storing physical records, appointing a Data Protection Officer, and initiating staff training.
Reform UK’s ‘Doge’ unit battles councils for access to sensitive data
- Reform launched its Doge initiative at the start of June promising to use “AI, advanced data analysis and forensic auditing” to cut “wasteful” spending, but it has been reliant on publicly available information about council expenditures.
- Senior lawyers and data handlers at some Reform-run councils in England have blocked access to sensitive information by unelected volunteers running the party’s so-called Department of Government Efficiency.
- Primary areas of concern are GDPR, the use of personal data, and access to commercially sensitive information.
Introduction of Google’s AI Search in the UK Is Causing a Massive Traffic Decline
- Google is rolling out a new tool in the UK that will generate results using artificial intelligence.
- The new search tool will not replace Google’s existing search platform, but experts predict such tools will increasingly incorporate AI, a shift that is concerning organisations, firms and publishers, which rely on search traffic.
- The Daily Mail claims the number of people who click its links from Google search results has fallen by around 50% on both desktop and mobile traffic since Google introduced its AI Overview feature.
- Importantly, it was pointed out that although AI-generated summaries are often inaccurate, people are not clicking through to the original news items they were based on.
United States
OpenAI removes ChatGPT feature after user data is indexed by Google
- OpenAI has removed a recently introduced feature in ChatGPT that allowed users to make specific conversations publicly searchable, citing concerns about potential inadvertent sharing of sensitive information.
- Although the tool required multiple opt-in steps and anonymised shared content, OpenAI acknowledged that users might unintentionally expose personal information.
- The shared chats did not include usernames or identifying details, but the content itself could reveal sensitive topics.
- The feature was originally intended to support the discovery of useful or informative chatbot interactions that might benefit a broader audience.
Does the Future of Femtech Privacy Hinge on Flo Health-Meta Trial?
- Flo Health, a popular period tracking app, is facing a data privacy lawsuit in the US over allegations that it unlawfully shared users’ personal data (including menstrual cycles, sexual activity, and pregnancy status) with Meta for targeted advertising.
- The class-action lawsuit involves potentially billions of dollars in damages, with plaintiffs suggesting up to 38 million class members.
- In a statement Flo said: “Flo is committed to protecting the privacy of its users, and any allegation otherwise has no merit. Flo has never sold user data and never will.”
- This trial is a landmark case for the women’s health technology (Femtech) industry, highlighting the critical importance of data privacy practices for sensitive health information.
Scattered Spider Hacks Allianz Life, Exposing 1.4 Million Records
- Hackers have stolen personal information of 1.4 million customers, financial professionals, and select employees of insurance firm Allianz Life in North America.
- The breach occurred through a third-party, cloud-based Customer Relationship Management (CRM) system.
- The disclosure of the breach follows a months-long international attack spree linked to the cybercrime collective Scattered Spider, known for using social engineering to infiltrate corporate systems across various sectors.
- Affected data likely includes names and addresses, raising concerns about identity theft and fraud, though financial details were not explicitly confirmed as compromised.
Europe
EU Publishes Mandatory Template for Disclosing AI Training Data
- The European Commission on Thursday filled in one of the biggest blank spaces in the AI Act with the release of the mandatory template that providers of general-purpose AI (GPAI) models must use to disclose the data used in model training.
- The purpose of the disclosure “is to increase transparency on the content used for the training of general-purpose AI models and to facilitate parties with legitimate interests to exercise and enforce their rights under Union law.”
- The template is divided into three sections: general information; the data sources; and data processing.
- The Commission clarified under what conditions providers of GPAI models released under a free and open-source licence and satisfying certain transparency conditions may be exempt.
French Telecom Giant Orange Fights Off Cyberattack on Internal Systems
- On Friday, July 25th, Orange Group identified a cyberattack targeting one of its internal information systems. Orange and Orange Cyberdefense teams promptly isolated potentially affected services to contain the incident and minimise impact.
- While disruptions occurred, there’s no evidence of personal data exfiltration so far, and Orange is working to restore services.
- While Orange has not attributed the attack to a specific group, the incident resembles other global telecom breaches linked to China’s “Salt Typhoon” cyber-espionage group.
- Earlier this year, Orange Romania experienced a separate attack where a hacker claimed to have stolen a significant amount of data, including employee emails, internal documents, and partial customer payment details.
International
A New Era for Data Privacy in Uganda: First Criminal Conviction
- Uganda’s Personal Data Protection Office (PDPO) has secured its first-ever criminal conviction under the Data Protection and Privacy Act, marking a significant step in enforcing data privacy laws in the country.
- Ronald Mugulusi, director of Nano Loans Microfinance, pleaded guilty to two key breaches: operating without registration with the PDPO and processing individuals’ data without consent.
- The conviction, despite a relatively small fine, sends a strong message to Ugandan companies and their directors that compliance with data protection laws is mandatory, demonstrating the government’s commitment to holding data controllers accountable.
- This conviction follows other recent actions by the PDPO, including a separate ruling against Google for similar breaches of the Act, indicating a broader trend of increased enforcement of data privacy regulations in Uganda.



