United Kingdom
Preparing for change: how the Data (Use and Access) (DUA) Bill will transform UK data practices
- The DUA Bill was introduced to the House of Lords on 23rd October 2024 and is intended to modernise the UK’s data regime and make everyday compliance easier.
- Primarily, the Bill gives the Secretary of State the power to require businesses in the energy, telecoms and healthcare sectors to share business and customer data within a legal framework.
- The Bill will also introduce a more flexible regime for solely automated decision-making, except where special category data is involved.
- The most significant change relates to international data transfers: the standard of data protection required of a recipient country will be one that is “not materially lower” than the UK’s, rather than “essentially equivalent”. The current EU-UK adequacy decision is set to expire on the 27th of December 2025, and this change may mean that the European Commission could revoke the UK’s adequacy status.
- The Bill also turns the ICO’s current advice on handling Data Subject Access Requests (DSARs) into law. It also gives individuals the right to ask the ICO to review an organisation’s decision to withhold the information requested. Additionally, if the organisation seeks to rely on the exemption that the information requested is legally protected, it will have to clearly explain this to the user.
- The Bill also introduces additional exceptions to consent requirements for specific low-risk cookies, provided that users are supplied with enough information and have the option to opt out.
- Finally, the Bill increases the penalty for non-compliance with the Privacy and Electronic Communications Regulations (PECR) to the GDPR level, that is, a fine of up to £17.5 million or 4% of global annual turnover, whichever is higher.
Big four firms race to develop audits for AI products
- The big four accountancy firms, that is, PwC, EY, Deloitte and KPMG, plan on introducing a new ‘AI Assurance’ service for their clients, which would audit whether their AI systems, such as those used in self-driving cars and cancer-detecting programmes, work and are safe.
- The firms adopted a similar approach a few years ago when companies sought assurance for their ESG metrics.
- This move directly stems from insurers offering cover for losses caused by malfunctioning AI tools such as customer service chatbots.
- Whilst firms like PwC have stated that they plan on launching this service soon, EY’s technology risk leader cautioned that developing AI assurance systems could take time, especially given the liabilities the firms would face if an AI product did not work as expected.
- Finally, unlike financial audits, there is no standardisation in the AI assurance space, meaning that any level of verification provided would likely differ from firm to firm.
United States
Judge shuts down Amazon Prime privacy lawsuit for good
- Amazon Prime subscribers alleged in a proposed class action lawsuit that Amazon improperly disclosed their personal viewing information to third-party affiliates for marketing and analytical purposes.
- The court found their claims failed to plausibly demonstrate that Amazon Services disclosed personally identifiable information to affiliates or third parties.
- Judge Robart had previously allowed the plaintiffs three opportunities to revise their claims under the federal Video Privacy Protection Act and California’s Section 1799.3, but even the latest amended complaint failed to state a plausible claim.
Nevada Becomes the 21st State to Strengthen Donor Privacy Protections
- Assembly Bill 197 prohibits the state from demanding, or releasing, the personal information of non-profit organisations’ donors, thereby protecting citizens’ First Amendment right to free association.
- These rights were previously confirmed in the Supreme Court’s unanimous National Association for the Advancement of Colored People v. Patterson ruling and in Americans for Prosperity Foundation v. Bonta.
- The bill passed through both chambers of the legislature with only one vote against it. Moreover, non-profits from across the political spectrum supported the measure.
- Nevada joins 20 other American states that have passed similar legislation since 2018.
Europe
Vodafone fined €45 million in Germany over data privacy violations
- The Federal Commissioner for Data Protection (BfDI) has imposed a fine on Vodafone, citing ‘malicious behaviour’ by partner agencies and security flaws that allowed unauthorised access to customer accounts.
- Vodafone was fined €15 million under the EU GDPR because investigators found that some of the company’s partner agencies altered or forged contracts to the detriment of customers.
- The remaining €30 million fine was levied due to vulnerabilities in Vodafone’s customer authentication systems, which potentially allowed outsiders to access sensitive services such as eSIM profiles.
- Vodafone has expressed its regret and attributed the violations to a lack of adequate data protection checks at the time.
Finnish pharmacy chain fined €1.1 million for sharing customer data with tech giants
- The Finnish Data Protection Ombudsman found that Yliopiston Apteekki used website tracking tools (including cookies) which shared health data, such as prescription and over-the-counter medication data, with Google and Meta.
- The information shared with the tech giants also included data on customer behaviour, such as adding medicines to a shopping cart or clicking purchase, as well as the users’ IP addresses and other identifiers.
- The breach affected transactions processed by the pharmacy between May 2018 and September 2022, after which it stopped using Google and Meta tracking tools.
- The pharmacy plans on challenging the ruling in administrative court.
International
Global CBPR and PRP Certifications Launched: A New International Data Transfer Mechanism
- Earlier this week, the Global CBPR Forum launched the Global CBPR (for data controllers) and PRP (for data processors) certifications to support cross-border transfers.
- To obtain the certification, approved accountability agencies would need to assess organisations’ privacy and data protection standards. In particular, controllers would have to show compliance with principles such as notice, purpose limitation and accountability, while processors would have to meet security safeguard and accountability standards.
- Japan, Singapore, Bermuda and the DIFC already recognise this certification, and more are expected to follow, as existing APEC CBPR-certified organisations will be automatically recognised under this system.
- Countries including the US, UK, Canada, Japan and Mauritius are members of the Global CBPR Forum, along with the UK ICO and the US FTC.