Data Protection News Update 16 June 2025

IGS
June 16, 2025

United Kingdom

UK Parliament advances Data (Use and Access) Bill, awaits Royal Assent

The UK Parliament passed the proposed Data (Use and Access) Bill, which reforms the existing UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR). It now awaits Royal Assent to be implemented.
This comes after a month-long discussion between the House of Commons and the House of Lords, with the main issues involving AI and copyright, and calls from the House of Lords to include transparency obligations.
According to Hunton Andrews Kurth, the Parliament reached a compromise that “includes provisions requiring the Secretary of State to, amongst other things, draft legislation containing proposals to provide transparency to copyright owners regarding the use of their copyright works as data inputs for AI models.”
Notably, the Bill’s passage comes as the EU-UK adequacy agreement is up for renewal. The original adequacy review deadline was moved from June to December to give UK lawmakers time to advance the reform package and allow EU officials to examine updated provisions. The UK government does not believe the agreement would be at risk due to the approval of the Bill.

WhatsApp backs Apple in legal row with UK over user data

WhatsApp has told the BBC it is supporting fellow tech giant Apple in its legal fight against the UK Home Office over the privacy of its users’ data. Apple went to the courts after receiving a notice from the Home Office demanding access to the data of its global customers if required in the interests of national security.
WhatsApp has applied to submit evidence to the court which is hearing Apple’s bid to have the Home Office request overturned. According to Will Cathcart, head of the messaging app, WhatsApp “would challenge any law or government request that seeks to weaken the encryption of our services and will continue to stand up for people’s right to a private conversation online.”
This intervention from the Meta-owned platform represents a major escalation in what was an already extremely high-profile and awkward dispute between the UK and the US.
Some US politicians said the UK’s move is a “dangerous attack on US cybersecurity” and an “egregious violation” of US citizens’ privacy. Civil liberties groups also attacked the UK government, saying what it was demanding had privacy and security implications for people around the world.

United States

US Supreme Court grants DOGE access to sensitive Social Security data

The United States Supreme Court has sided with the administration of President Donald Trump in two cases about government records and who should have access to them.
On June 6^th, the six-member conservative majority overturned a lower court’s ruling that limited the kinds of data that Trump’s Department of Government Efficiency (DOGE) could access through the Social Security Administration (SSA). In a separate case, the majority also decided that DOGE was not required to turn over records under the Freedom of Information Act (FOIA).
DOGE’s push to access Social Security data is one of the agency’s controversial initiatives, in the name of rooting out waste, fraud and abuse. In March, US District Judge Ellen Lipton Hollander blocked DOGE from having unfettered access to Social Security data, citing the sensitive nature of such information, but the ruling did allow DOGE to view anonymised data.
The Trump administration, nevertheless, appealed that decision to the Supreme Court, arguing that Judge Lipton Hollander had exceeded her authority in blocking DOGE’s access. The Supreme Court granted its emergency petition on Friday, lifting Lipton Hollander’s temporary restrictions on the data in an unsigned decision.

Europe

Support for AI Act pause grows but parameters still unclear

A delay in enforcing parts of Europe’s landmark AI regulation looks more likely after member states and the European Commission’s technology leader supported the idea during a recent ministerial meeting. But a division is likely on how far any changes to the rule should go.
Reports of the Commission considering a “stop the clock” proposition for the EU AI Act came as major implementation deadlines loom at the end of the summer and a key set of guidelines on general practice AI have been delayed. Some countries have yet to establish a lead regulatory body to enforce the regulation, and the EU has been wrestling with how to manage its various digital laws.
According to Henna Virkkunen, Executive Vice-President of the Commission, any possibility of a delay should not be seen as waffling on the implementation itself, but merely a step to provide legal certainty for the industry.
It is still unclear what course of action the Commission will ultimately pursue. Whatever the course of action the Commission takes, any changes to the act would have to go back through the legislative process, said Kai Zenner, the head of staff for German Member of European Parliament Axel Voss.

Macron wants to ban kids from social media. Can he?

In the wake of a fatal stabbing of a teaching assistant at a high school in Paris, President Emmanuel Macron said France “can’t wait” any longer in banning social media for children under 15. The government has launched a campaign to pressure other European countries to follow its example.
However, European Union officials are not entirely favourable to the idea of an all-out ban for kids. The protection of minors online is covered by the Digital Services Act, an EU-wide regulation that gives supervisory powers over social media companies to the European Commission. The Commission is readying its own measures on age verification, but a social media ban is not foreseen.
Under the GDPR, EU countries can set a minimum user age for platforms to process their data, provided it is over 13, but data can still be processed if parents give their consent. On paper, this bars minors under that age from accessing social media, but it leaves it up to the platforms to decide how to comply with this “digital majority.” Ultimately, the Commission may have to challenge any French law imposing a ban, which could lead to a long legal tussle.
To block kids from porn sites, France passed measures requiring that platforms verify age online using a double-blind method: where an independent age checker knows the person’s details, but not what platform they want to visit. This was approved by the French data protection regulator (CNIL), but the privacy watchdog has stressed that age checks on the internet should only happen in specific contexts, such as when there are risks to minors, in order to not present further risks to users’ privacy.

International

Colossal breach exposes 4B Chinese user records in surveillance-grade database

A colossal data breach has reportedly exposed approximately four billion records containing personal information of hundreds of millions of users, primarily from China. The 631-gigabyte database was discovered sitting wide open on the internet, lacking even the most basic password protection, according to cybersecurity firm Cybernews, which first reported the incident.
At four billion records, it is believed to be the largest single-source leak of Chinese personal data ever found. Researchers managed to peek inside 16 distinct data collections. One of them had the financial data of over 630 million people, including payment card numbers, birthdate, name, and phone number.
According to the researchers, the level of meticulous organisation and the sheer scope of the databases suggests someone was building detailed dossiers on Chinese citizens. Beyond the financial and contact information, there were collections covering everything from gambling habits to vehicle registrations, employment details, and pension information.
Despite extensive investigation, the database’s owners and operators could not be identified and the database was quickly taken offline after discovery. The scale and sophistication of the data aggregation suggest significant resources and technical capabilities behind the operation, typical of nation-state actors, organised threat groups or well-resourced research organisations.

Data Protection News Update 12 January 2026

United Kingdom UK government launches cyber action plan to strengthen public-sector security and protect digital services Ofcom scrutinises X and Grok over non-consensual AI images United

Data Protection News Update 06 January 2026

United Kingdom EU renews adequacy decision with United Kingdom Update on the November Cyberattacks against London Councils United States Disney to Pay $10M over Alleged

Data and AI Ethics 2025: An IGS Roundup

As 2025 draws to a close, it’s a natural moment to pause and reflect on a year that has been transformative, for the data and AI ethics

Data Protection News Update 22 December 2025

United Kingdom Investigation after data breach affects thousands United States US pauses implementation of $40 billion technology deal with Britain Can law enforcement access Google