United Kingdom
Guernsey patient’s medical data is shared without clear consent
- A Guernsey patient’s medical data was shared with their family member even though there were doubts regarding the permission to do so.
- Guernsey’s Office of the Data Protection Authority (ODPA) said that in the first half of 2025 it had received more than 100 such self-reported data breaches.
- The ODPA stated that such incidents highlight the importance of proper authorisation when sharing patient information with third parties, even if it is a recognised family member.
- The ODPA also noted that, across the high-risk data breach cases it has received this year (self-reported and others), in more than half the organisations involved failed to inform the people who were affected.
Jaguar Land Rover’s production suffers as it is hit by a cyber-attack
- Jaguar Land Rover (JLR), owned by India’s Tata Motors, was severely affected by a cyber-attack, with the most disruption experienced at the company’s plants in Merseyside and Solihull.
- The attack was detected while it was in progress, which allowed the company to shut down its IT systems to limit further damage.
- Following the attack, workers at both UK plants were asked not to come into work. This halt in production is particularly painful for JLR, which recently reported a slump in profits.
- The company, together with the National Crime Agency, is still investigating the extent of the impact; at this stage there is no evidence that customer data has been affected.
United States
EU General Court upholds EU-US Data Privacy Framework and dismisses Latombe challenge
- Philippe Latombe, a French member of parliament, sought the annulment of the EU-US data transfer agreement before the General Court (the court of first instance in the EU court system).
- The Court of Justice of the European Union (CJEU, the court of second instance in the EU court system) had ruled in “Schrems I” and “Schrems II” that the two previous agreements with the US were illegal, and they were therefore annulled.
- The new EU-US data transfer agreement is structured similarly to the previously annulled ones, which may make it illegal as well. However, because Latombe’s case was brought before the General Court, he had to prove both that the deal was substantively wrong and that he was directly affected by it.
- Although Latombe’s case was not successful, given how narrow the challenge to the EU-US data deal was, that does not mean a broader challenge would fail. This is especially true given the Trump administration’s latest abuse of power in issuing executive orders.
- This ruling shows that the General Court has significantly departed from the CJEU’s rulings, which is particularly concerning as in some cases it does not even possess up-to-date knowledge. For instance, the Court held that the US’ new Data Protection Court of Review would be independent even though its independence is guaranteed only through a Presidential Executive Order rather than by law.
Europe
- The CJEU ruled in the European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB) case that pseudonymised data is not automatically personal data in all circumstances. Whether it is depends on whether the recipient of the data has the means reasonably likely to be used to re-identify the individuals.
- In this case, SRB collected opinions from affected shareholders and creditors during a bank resolution. The opinions were pseudonymised by replacing names with alphanumeric codes and then shared with Deloitte. The EDPS held that SRB was in breach of Regulation 2018/1725 (similar to the General Data Protection Regulation) because it did not inform individuals that their data would be shared with Deloitte.
- The CJEU, however, found that as only the original controller (SRB), and not Deloitte, held the key needed to re-identify the individuals, the transfer would not be treated as personal data being shared with a third party.
- This decision is likely to be significant for areas like AI training where pseudonymised datasets are regularly and widely used.
Shein is fined €150 million by French data protection authority
- Shein was fined by the French data protection authority (CNIL) for improper use of cookies, having failed to comply with the rules on collecting consumer data without consent; the company said it would appeal the decision.
- The CNIL found that even when users declined Shein’s cookies, the cookies were still placed on their devices to track user behaviour for advertising purposes.
- Shein considered the fine to be “wholly disproportionate, given the nature of the alleged issues, our current full compliance, and the proactive corrective actions we have taken”.
- Shein, a company founded in China and headquartered in Singapore, has claimed to have fully cooperated with the CNIL since August 2023 and strengthened “all aspects” of its data protection practices.
- The company also claimed the size of the fine “appears politically motivated rather than the result of fair and balanced enforcement.”
International
- The FTC fined Apitor, a robot toy maker, for collecting children’s geolocation data without parental consent. The complaint filed by the Justice Department alleges that the company’s privacy policy claimed compliance with the Children’s Online Privacy Protection Act (COPPA) but that the company was in fact in violation of it.
- The company’s product includes a free mobile app to control the robot, which requires users to allow location sharing with the toy’s companion app. However, Apitor allegedly embedded a third-party software development kit (SDK) in the app that collected children’s data, which was then used for advertising.
- To settle the allegations, the FTC has mandated that the company delete all data it collected without parental consent. Additionally, if the company is found to have misrepresented its finances, it will also be forced to pay $500,000.
- The FTC has been aggressively enforcing COPPA; it also imposed a $10 million fine on Disney for improperly collecting children’s data for advertising.