Data Protection News Update 17 November 2025

United Kingdom

UK Government announces Cyber Security and Resilience Bill to modernise the country’s cyber security in critical industries

  • The UK Cyber Security and Resilience Bill, laid before Parliament on 12 November 2025, seeks to modernise the UK’s cyber laws and close vulnerabilities across public services and critical industries.
  • Hospitals, power networks, the NHS, water companies, as well as medium to large scale companies that provide IT, cyber security and digital support to these essential organisations are within the scope of this Bill.
  • Regulators will have the power to identify these ‘designated suppliers’ who will have to meet strict minimum security requirements to prevent vulnerabilities from being exploited throughout the supply chain.
  • Organisations affected by cyber incidents would have to notify the relevant regulatory authority and the National Cyber Security Centre (NCSC) within 24 hours, and provide a full report within 72 hours.

Police in Yorkshire to begin using facial recognition vans

  • Yorkshire Police have begun using facial recognition technology for the first time, in Briggate, Leeds.
  • Two Live Facial Recognition vans will scan people’s faces as they pass to compare them to an authorised watchlist.
  • Such use gives rise to privacy concerns as the people on these watchlists are not just criminals but also victims and witnesses of crime.
  • The Police force said that data which does not match anyone on the watchlist will be immediately deleted.
  • Although the Police have given assurances that they will respect people’s rights and freedoms, a report published by the Met Police showed that eight out of ten people who had been wrongly flagged by such systems were black.

United States

US law enforcement seeking direct access to EU member state police and immigration database

  • The US law enforcement authorities want direct access to police and immigration databases of EU member states, to identify people as a threat to the US.
  • Some member states have raised questions over the legal basis and data protection; however, none have fundamentally questioned the proposal.
  • The European Commission published a proposal for such an agreement in July 2025 which would govern the details of access to national systems by the US authorities.
  • There is a strong incentive for EU countries to sign up to this agreement, as in exchange the US is offering visa-free travel to the US for citizens of participating countries.
  • Some member states such as France, Italy, the Netherlands and Austria have raised data protection concerns arguing that instead of automated data transfer from the national database, only the data of individuals under suspicion by the US should be transferred.

Europe

Leaked documents show the EU Commission’s intention to massively reform the EU GDPR

  • The EU Commission plans on simplifying several EU laws through the ‘Omnibus’ reform tool, by bypassing normal safeguards such as impact assessments and institutional feedback.
  • The draft of the envisaged reforms appears to be heavily influenced by German and American interests, suggesting that these changes are politically driven rather than evidence based.
  • The proposed amendments would significantly weaken core EU GDPR protections, such as by narrowing the definition of personal data, restricting data subject rights, and enabling broad AI training using EU residents’ data. Furthermore, these developments may undermine protections for sensitive data. Specifically, the AI reforms would provide developers with special legal bases for AI training and exceptions to the application of data subject rights.
  • These amendments would not only affect the applicability of the EU GDPR, but also risk long term harm to SMEs, regulators, and the EU’s credibility.

LinkedIn amended its plans for gen-AI training after concerns raised by some EU data protection authorities

  • Earlier this year, LinkedIn proposed plans to use public posts, comments and user profile data dating back to 2003, for generative AI improvement from November 3rd.
  • The Irish Data Protection Commission (DPC), responsible for supervising LinkedIn’s compliance with EU laws, has raised concerns and made recommendations to the company to address the data protection impacts of its plans.
  • According to the DPC, LinkedIn will be making changes to its plans, including improved transparency notices and reducing the type of personal data it will use for its AI model.
  • LinkedIn will also have measures in place to prevent the use of children’s data and have filters in place to stop other sensitive data from being collected.
  • Last year, LinkedIn was fined €310 million by the DPC for breaching the EU GDPR by processing personal data of registered users for marketing and analytic purposes.

International

Bahamas’ MPs consider a new data protection bill aiming to aid the digital transformation process

  • In Australia, Facebook, Instagram, TikTok, and other platforms have been formally notified that, from December 2025, they must prevent users under 16 from creating accounts to reduce children’s exposure to online harms.
  • Platforms that fail to take reasonable steps to verify users’ ages and comply with the Online Safety Act may face penalties of up to AUD $49.5 million.
  • eSafety will continuously review and update which platforms fall under these rules, recognising that new features or changes in data use can alter how services interact with young users’ information.
  • Commissioner Julie Inman Grant said the measures form part of a digital safety strategy, giving children time to build resilience and ensuring tech companies design safer, more privacy-conscious online environments.

For the latest updates on the UK Cyber Security and Resilience Bill, facial recognition use, EU GDPR reforms, and global privacy changes, visit our Data Protection News hub.
