United Kingdom
The enforcement gap between the UK ICO and EU Data Protection Authorities (DPAs)
- UK ICO fines since the enactment of the UK GDPR have amounted to £65 million, a figure surpassed by fines issued by the EU, which total €7.1 billion since 2018.
- According to a report published by DLA Piper, the EU’s Data Protection Authorities (DPAs) receive an average of 443 personal data notifications a day, up 22% from last year.
- The UK ICO’s fines, on the other hand, reached £19.6 million in 2025, mainly from seven major cases, including the October 2025 settlement with Capita.
- In the EU, the Irish DPA has been the most active, handing down the biggest single penalty of 2025: a €530 million fine against TikTok for unlawful international data transfers.
North West Ambulance Service witnesses a sharp rise in data breaches
- The North West Ambulance Service NHS Trust has been increasingly exposed to cyber security risks, reporting nearly 400 data breach incidents in the last three years.
- This is a particular challenge because ambulance trusts process highly sensitive information, such as details shared during emergency calls, medical assessments carried out at the scene, and patient data transferred during hospital handovers.
- NCC Group, a cybersecurity firm, highlighted a 15% rise in ransomware attacks since 2024, which can significantly affect critical services offered by the ambulance trust.
- Given the rise in digital patient records across the NHS, securing personal data against such attacks has become a nationwide challenge.
United States
- A majority American-owned entity will now control and operate TikTok’s US business. The new owners include Larry Ellison, Chief Technology Officer of Oracle; Silver Lake, a US-based private equity firm; and MGX, a UAE-based investment firm. China’s ByteDance will retain a 19.9% stake in TikTok’s new US entity.
- The platform was supposed to be banned in January 2025 unless the Chinese owners sold to American investors.
- The main reason for this ban was the app’s algorithm, which recommends content to users. With this deal, the app’s algorithm will be trained only on US data.
- Experts have highlighted that training US TikTok’s algorithm solely on US user data may mean a ‘slower or lighter app that operates differently from the global version’.
Europe
- Aena will be appealing Spain’s Data Protection Authority’s fine of €10,043,002 for allegedly using facial recognition boarding gates without a compliant Data Protection Impact Assessment (DPIA).
- Aena claims that the passengers’ facial recordings are encrypted, stored locally on the device and erased post-boarding, arguing that its DPIA followed EU guidance.
- Further, Aena claims that no data leaks or breaches have been reported since these facial scan systems came into use in 2023.
- Madrid-Barajas, one of the airports operated by Aena, will revert to manual checking of documents, adding five to seven minutes per passenger.
Germany to draft new legislation expanding intelligence surveillance
- Germany is drafting a law to expand its federal service’s hacking and internet surveillance powers, including full-content interception and a six-month data retention period.
- German officials aim to use the proposed law to decrease reliance on US intelligence while operating on the same level as peers such as the UK, France, Italy and the Netherlands.
- Essentially, this would involve Germany granting licences to its federal service so that it has greater ability to address cybercrime and surveil criminals both domestically and globally.
- The draft legislation would also give Germany a pre-emptive hacking mandate, allowing it to access foreign companies’ systems if they refuse to cooperate or provide the requested data.
International
Kazakhstan proposes to introduce criminal liability for large-scale data breaches
- Kazakhstan is considering enacting legal responsibility, including criminal liability, for large-scale leaks of personal data, along with a significant increase in administrative fines for failure to adhere to information security requirements.
- These amendments would apply to government agencies, the quasi-public sector, financial institutions, and private companies responsible for handling large volumes of personal data.
- These proposed amendments are a direct result of a series of large-scale data breaches. In 2024, for instance, the country suffered a data breach affecting more than 2 million clients of ziamer.kz, a microfinance company.
- Furthermore, in 2025, the Kazakh government confirmed the largest data breach in the country’s history, affecting nearly 16 million people.



