United Kingdom
Australian Scaleup will provide the MOD with AI-led data protection
- The UK’s Ministry of Defence (MOD) has appointed Castlepoint Systems to operate its data environment and prevent breaches. This comes after a major data breach at the MOD’s Afghan Relocations and Assistance Programme (ARAP), which led to the details of thousands of Afghan asylum seekers being leaked.
- The cause of the breach was human error: an MOD staffer mistakenly sent a spreadsheet outside the organisation which contained much more data than they were aware of. A small portion of this spreadsheet then appeared online. Later, the MOD was able to secure a superinjunction (which expired this year) to prevent this data breach from getting wider media attention.
- Castlepoint’s solution is an ‘explainable AI’ which reads through the entirety of any and every document regardless of format, whether structured or unstructured.
- Based on the content, the AI then suggests the appropriate and fully traceable security classification and protection measures for each document, considering the applicable regulatory environment, organisational risk profile, or both.
- The system works on legacy systems as well and retrospectively inspects documents/files to determine what may have been over- or under-secured.
The High Court rejects libel and data protection allegations against the Spectator
- Mohammed Hegab, a social media personality, claimed that the Spectator published an inaccurate article about him in relation to his role in the 2022 Leicester riots between Muslim and Hindu communities.
- Mohammed Hegab brought two claims to the court: that the article published by the Spectator was false and defamatory, and that it was therefore also in breach of the UK General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018.
- The court found that the article published by the Spectator, though it may have caused reputational harm or financial losses to Mohammed Hegab, was in fact substantially true.
- Given that the processing of the personal data (publishing the article) turned out to be substantially accurate, his data protection claims failed as well. Further, the court found that the plaintiff, Mohammed Hegab, was not able to present any credible evidence suggesting loss of income.
United States
DaVita, the largest dialysis provider in the US, falls victim to a massive healthcare data breach
- DaVita confirmed that it suffered a data breach earlier this year which led to hackers stealing sensitive personal, financial and medical data. The Interlock ransomware gang took credit for this attack, claiming that it managed to steal 1.5TB of data from DaVita.
- The breach occurred when the hackers gained unauthorised access to servers, primarily located in DaVita’s laboratories.
- The information leaked includes names, addresses, dates of birth, social security numbers, health insurance information, medical information, tax ID numbers and images of checks made to the company.
- DaVita is offering the impacted individuals access to Experian’s IdentityWorks, an identity theft protection service. If the impacted individuals’ social security number or other data is used to commit fraud, IdentityWorks will help them regain the lost funds and restore their identity.
Europe
As the October vote approaches, the EU’s proposal to control chats gains momentum
- The European Union’s Child Sexual Abuse Material (CSAM) regulation, introduced in 2022, has gained momentum after Denmark’s push for its adoption. The regulation would force messaging services in the EU to scan messages, photos, videos, etc. on the user’s device before they are sent to the receiver.
- Since its introduction, the regulation has not been popular among some member states, which has led countries like Belgium and Poland to make suggestions that would require such scanning to be done with consent or voluntarily.
- Denmark, which gained its EU presidency in July 2025, will be holding a vote on this regulation in October 2025.
- Major encryption and messaging services have taken a stand against this regulation, stating that they would cease operations in the EU. Moreover, a report by the Swiss Federal Police found that nearly 80% of the reported items in such scans turn out to be legal content, such as family beach photos.
A noyb survey found that only 7% of users want Meta to use their data for AI training
- Meta recently started sharing personal data of European users for AI training without asking their consent, relying on ‘legitimate interests’ as the lawful basis. To rely on legitimate interests, Meta would have to show that this activity was within the reasonable expectation of the users, which prompted noyb to conduct a survey of 1000 Meta users in Germany.
- The results showed a stark difference: nearly 27% of the users had never even heard of Meta’s plans to use their data for AI training. Consequently, it was not within their reasonable expectations. In particular, only 7% of the users would actually want their personal data to be processed for such purposes.
- Importantly, Meta ensured that not many people were aware of this data sharing by isolating the information in a notification menu in the app, as opposed to a pop-up banner, email or other means of communication.
- The survey also found that while 10% of the men were willing to feed their data to the AI system, only 4% of the women were ready to do the same.
- The survey shows that Meta is clearly in violation of the GDPR (General Data Protection Regulation), which has prompted noyb to send them a cease-and-desist letter and also to evaluate the launch of a class-action lawsuit.
International
US expands security cooperation by signing biometric data sharing agreements with Chile and Ecuador
- The US and Ecuador have finalised a bilateral agreement to share biometric and related biographic information, which would enable a cooperative effort against transnational organised crime and irregular immigration flows.
- This biometric data will include fingerprints, iris scans and facial recognition data of people identified as possible security risks, that is, criminals or ‘irregular immigrants’. Ecuador will be submitting this data to the Department of Homeland Security (DHS), which will then forward it to the Homeland Advanced Recognition Technology (HART) system, which allows DHS to cross-reference the data against US records. This agreement was signed between the US and Chile as well.
- Similar pacts, whether binding or non-binding, have been signed between the US and other countries like Costa Rica, Mexico, Guatemala, Honduras, and El Salvador. However, privacy advocates have warned against the misuse of such sensitive data given the broad scope of its use and insufficient human rights protections.
- Ecuador has data protection regulations which allow sharing of data under certain lawful bases, similar to the UK GDPR (General Data Protection Regulation). Moreover, such data transfer is done with certain safeguards in place, which require the originating country’s explicit consent and tagging of all biometric data with metadata specifying its purpose (immigration enforcement, counter-terrorism, etc.), along with regular audits.



