Data Protection News Update 12 January 2026

United Kingdom

UK government launches cyber action plan to strengthen public-sector security and protect digital services

  • The new Government Cyber Action Plan aims to strengthen minimum cyber-security standards across public services to reduce the risk of cyber-attacks that could expose personal data or disrupt essential systems. A Government Cyber Unit will coordinate cyber-risk management and incident response across departments, enabling faster containment of breaches and limiting harm to citizens’ data and access to digital public services.
  • In addition to the Cyber Unit, the Software Security Ambassador Scheme seeks to reduce software supply-chain vulnerabilities by promoting secure-by-design development practices and to help prevent cyber incidents that could compromise sensitive public-sector and customer data.
  • Backed by £210 million in funding, the plan reflects a growing focus on resilience, accountability, and proactive cyber defence, although experts warn that sustained investment will be needed to adequately protect public services and personal information from escalating threats.

Ofcom scrutinises X and Grok over non-consensual AI images

  • Grok AI has been widely used to generate sexualised images of women and children without consent, raising serious online safety and child protection concerns. Some of this content may constitute illegal material, including child sexual abuse imagery.
  • The ability to upload and manipulate photos of identifiable individuals exposes personal data to misuse, highlighting gaps in privacy-by-design and content moderation safeguards within AI systems.
  • Ofcom has made urgent contact with Elon Musk’s companies X and xAI to assess compliance with UK online safety duties, while delayed implementation of new UK laws on non-consensual deepfakes limits immediate enforcement.

United States

US threatens retaliation over EU enforcement of digital regulation

  • The US claims that the EU’s Digital Services Act and Digital Markets Act unfairly target American tech and services firms, particularly through fines and lawsuits linked to platform governance, transparency and data handling.
  • EU regulators maintain that these laws are designed to protect users, competition and fundamental rights, including data protection and online safety, by imposing stricter obligations on large digital platforms regardless of nationality.
  • To fight back, the US has warned it could impose fees or restrictions on major European service companies operating in the US if EU enforcement continues, although the European Commission rejects claims of discrimination, stating that its rules apply equally to all companies.

New York enacts AI transparency and safety law for frontier model developers

  • The state of New York has enacted the Responsible AI Safety and Education Act, requiring large frontier AI developers to publish safety and risk management plans, report safety incidents within 72 hours, and submit to ongoing regulatory oversight.
  • The law applies to companies generating more than $500 million in annual revenue and comes into force on 1 January 2027, positioning New York as a leading state-level regulator of advanced AI systems.
  • While the final version softens earlier proposals by reducing fines and removing the requirement to publish safety plans prior to model release, it preserves core transparency, disclosure and accountability obligations.
  • By closely aligning with California’s AI transparency framework, the Act reduces regulatory fragmentation for major developers and establishes a baseline standard for AI safety as federal regulation remains limited.

Europe

EU AI Code of Practice on transparency and labelling of AI-generated content

  • The European Commission is developing a voluntary Code of Practice to help companies and professional users clearly label AI-generated or AI-manipulated content, supporting the transparency requirements from Article 50 of the EU AI Act.
  • The Code is expected to be finalised in June 2026, and sets practical standards for watermarking, metadata, labelling and disclosure so users can identify deepfakes and other synthetic media more easily, even when the content itself is lawful.
  • AI providers must ensure machine-readable marking and detectability, while deployers must clearly disclose when realistic synthetic content is AI-generated.
  • Although non-binding, the Code acts as a soft-law instrument that shapes industry behaviour, bridges the gap to enforceable rules under the AI Act, and strengthens protections against misleading or deceptive AI content online.

EU countries to share biometric data with US to preserve visa-free travel

  • EU member states have agreed to let the European Commission negotiate a framework enabling US authorities to access national biometric databases as part of the US “Enhanced Border Security Partnerships,” a condition for maintaining visa-free travel.
  • The EU-level framework will define the categories of data and databases that may be shared, while individual member states will negotiate bilateral agreements with the US specifying which national databases and citizens’ data are accessible.
  • Biometric, genetic, ethnic, political and religious data could be transferred where deemed strictly necessary and proportionate for preventing crime or terrorism, with safeguards such as limits on data retention.
  • Data protection authorities raise concerns about the arrangement setting a major precedent for large-scale transfers of personal data to foreign border agencies.

International

China-linked threat actor tied to espionage campaigns in South Asia

  • A series of espionage-focused cyber intrusions was attributed to a China-nexus threat actor called UAT-7290, active since at least 2022 and targeting organisations primarily in South Asia, with recent expansion into Southeastern Europe.
  • The group is characterised by extensive pre-attack reconnaissance and the use of one-day exploits and brute-force techniques against public-facing edge devices, particularly in the telecommunications sector, to gain and escalate initial access.
  • Researchers believe that UAT-7290 also helps other China-linked hackers by breaking into networks first and setting up relay systems that can later be used in additional cyber operations. 

For the latest updates on the UK cyber action plan, Ofcom’s investigation into X and Grok, EU AI transparency rules, and new US AI safety laws, visit our Data Protection News hub.
