United Kingdom
Co-op admits hackers accessed customer details in cyberattack
- Following a cyberattack which disrupted the operations of Marks & Spencer, supermarket chain Co-op has admitted that hackers have accessed the details of its customers in another cyberattack.
- When the attack became publicly known, Co-op initially told the public the attack only had a “small impact” on operations and that there was “no evidence data was compromised”.
- However, hacker group DragonForce said it had infiltrated Co-op’s IT network and stolen both customer and employee data. It claims to have the private information of 20 million Co-op customers who signed up to the supermarket’s membership scheme.
- Since then, the supermarket has admitted that hackers “accessed data relating to a significant number of our current and past members”, including membership card numbers, names, home addresses, emails, and phone numbers. Co-op has since apologised to its customers and explained that the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) are assisting with the investigation.
79% of UK adults endorse data collection for security, survey reveals
- A survey by The Alan Turing Institute’s Centre for Emerging Technology and Security (CETaS) has found that 79% of UK adults support the collection and processing of personal data by national security agencies to investigate terrorism and serious crimes.
- The data shows that 75% of respondents endorse using personal data to detect foreign government spies, while 69% support its use in crime investigations involving suspected connections. However, the level of support varies with the intended use of the data; 28% of participants oppose using personal data to train automated tools for predicting behaviours.
- The report highlights a widespread lack of awareness about the intelligence agencies’ powers to collect data. Only 15% of respondents are fully aware that agencies can gather information about UK residents without their knowledge. The findings suggest a public interest in more education about these safeguards.
- The study, which included over 3,000 UK adults and a citizens panel, provides the first measurement of public trust in the data practices of UK intelligence agencies.
United States
California faces probe after sharing people’s health data with LinkedIn
- Covered California, which runs California’s health insurance marketplace, shared sensitive personal data of the state’s residents with LinkedIn through embedded tracking tools on its website. The data was transmitted to LinkedIn using Insight Tag, which uses code to track how visitors interact with websites.
- The agency confirmed it uses LinkedIn’s advertising tools to understand consumer behaviour, even though LinkedIn notes on its website that Insight Tag “should not be installed on webpages that collect or contain sensitive data”.
- Some of the data collected by the LinkedIn tags include names, the last four digits of Social Security numbers, and sensitive health information like pregnancy status. The agency added that all advertising-related tags on the website have been turned off as a “precautionary measure,” and that it would review the extent of the data shared.
- California Representative Kevin Kiley has called for Health Secretary Robert F. Kennedy Jr. to open an investigation over possible HIPAA violations. The Department of Health and Human Services has not yet responded publicly to Kiley’s call.
Europe
TikTok fined €530 million for illegally sending EU personal data to China
- After previous reports that TikTok was potentially facing fines for transferring EU personal data to China, the Irish Data Protection Commission (DPC) announced on May 2nd it is applying a fine of €530 million, the third largest ever imposed under the GDPR: Meta and Amazon have previously been fined €1.2 billion and €746 million, respectively.
- The decision marks the conclusion of an investigation launched in September 2021, in which TikTok had initially told the DPC it did not store users’ data on servers located in China. The DPC said TikTok informed them in April 2025 that this was inaccurate, and that the company had in fact found EU users’ data on China-based servers.
- TikTok’s fines under the GDPR now total €875 million, following a €345 million penalty in September 2023 for neglecting children’s data privacy. Besides the fine, the company was ordered to comply with the law within the next six months.
- TikTok plans to appeal the decision and stated that it never received a request from Chinese authorities to access European user data, according to a spokesperson. In a statement, the company criticised the move as it “delivers a blow to the European Union’s competitiveness”.
EU competition chief on digital regulation: ‘We’re not here to make enemies’
- The European Commission has no intention to “make enemies” with the implementation of its digital regulation, according to the European Commissioner for competition Teresa Ribera, during an event in Brussels organised by the Global Competition Law Centre and the College of Europe.
- The statement comes in the wake of the European Commission’s €500 million fine against Apple for violation of the Digital Markets Act (DMA). Meanwhile, Meta was fined €200 million for its “pay or consent” advertising model, which the Commission argued violates the DMA by forcing users to either consent to targeted advertising or pay a subscription.
- The tech giants claim the EU’s regulatory approach is discriminatory, and the regulation has become embroiled in the trade tensions between Brussels and Washington. Ribera said that the Commission does not aim to escalate intercontinental tensions but to ensure that Big Tech plays fairly in digital markets.
- She said that fines are a “last resort” as the scope of the DMA is to create a “culture of compliance” through dialogue, citing cases involving Outlook and Booking.com, where fines were avoided through compliance plans.
International
Latin America unlikely to see EU-style AI regulation, practitioners say
- European Union-style AI regulation is unlikely to take root in Latin America despite some influences from the AI Act in individual countries, according to a group of digital and privacy professionals speaking at the IAPP Global Privacy Summit 2025 in Washington, D.C.
- Although hundreds of AI bills are currently being discussed in the region, with many proposing to create legal frameworks with a risk-based approach, so far only Peru has managed to pass an AI law.
- Another notable AI governance-focused bill in Brazil has been moving slowly through the National Congress. While it was recently toned down, the forming of a special committee to further explore the bill indicates some level of priority.
- The region’s disparate cultural, economic, and regulatory capabilities would make porting the EU AI Act directly impractical. For one, trust in government institutions is not nearly the same as in the EU. Additionally, many countries are still building their regulatory capabilities and would be stressed if they had to handle a regulation like the AI Act, which relies on a multilevel enforcement scheme and places local enforcement in the hands of data protection authorities.
- The conversation highlights the tensions around where the world should go when it comes to AI legal frameworks nearly a year after the EU AI Act was approved. While international groups have studied best practices for governance, the AI Act is still the only major regulation of its kind.



