United Kingdom
Health data of 500,000 UK residents up for sale on a Chinese website
- Medical data from 500,000 UK volunteers has been advertised for sale on a website owned by China’s Alibaba after a breach in Biobank UK’s health information database.
- Biobank confirmed that the data itself was not posted on the website and that the advertisement for it was quickly removed. Furthermore, three Chinese research institutions and the individuals responsible for the advertisement have been suspended from using Biobank.
- Ian Murray, the data minister, stated in the House of Commons that the breach “was not a leak- this was a legitimate download by a legitimately accredited organisation”. Biobank itself allows researchers to download the anonymised data along with the results of their analysis.
- Biobank is now investigating the breach and has said that it will put in place stronger curbs on the size of the files that can be downloaded from its platform and monitor all exported files daily for any suspicious behaviour.
- The Court of Appeal overturned a judgment by the High Court, stating that proof of valid consent is based on “purely objective” questions, rather than any subjective test that gave weight to a gambler’s vulnerability and compromised autonomy.
- This case was brought by an anonymous claimant, a gambling addict, who claimed that Sky Betting and Gaming (SBG) had placed cookies on his devices, thereby processing his personal data to send him personalised and targeted direct marketing without consent.
- The Court of Appeal stated that the question of valid consent is a purely objective one which requires that consent must be freely given, specific, informed and unambiguous.
- Lord Justice Warby concluded that the High Court’s decision was “vitiated by error of law” and allowed the appeal.
UK Government is considering an early exit from Palantir’s NHS contract
- The UK Government is reportedly considering an early exit from the Palantir contract by exercising the ‘break clause’ amid data protection concerns.
- The contract was awarded to Palantir to help establish a centralised hub for NHS staff and patient data, but has been met with significant opposition from MPs.
- Specifically, the MPs have highlighted that the contract involves a subscription service with Palantir, with no deliverables or intellectual property rights retained by the NHS upon termination.
- Palantir’s UK executive vice-chair is continuing to assure MPs; however, concerns around “a permanent lock-in and single point of failure” persist. This has been further exacerbated by the recent contract signed with Palantir by the UK’s Financial Conduct Authority.
United States
- On 22nd April 2026, U.S. House Energy and Commerce Committee Vice Chairman John Joyce, R-Pa, introduced the new ‘SECURE Data Act’ with the aim of establishing comprehensive consumer privacy rights.
- As it is a partisan Republican Bill, it does not include a private right of action but gives the U.S. Federal Trade Commission and state attorneys general the ability to enforce its provisions.
- This Act, if enforced, would apply to any company processing the data of more than 200,000 US consumers. Companies earning less than USD 25 million in adjusted gross annual revenue will be exempt from compliance with the Act.
- The Bill, if approved, would grant consumers the right to access (in portable and usable formats), correct and delete their personal data. Additionally, the Bill gives consumers the right to opt out of sales and targeted advertising. Consumers will also be given the right to opt out of profiling used to make a decision that has a legal or similarly significant effect on them.
- Teen data, under the Bill, is considered ‘sensitive data’, meaning data processing requires opt-in consent, and parents would have to provide verified parental consent for this age group.
Europe
EU Commission’s plan to protect minors online with a new age-verification system
- According to the State of the Digital Decade Eurobarometer 2025, 92% of EU citizens have identified cyberbullying as the major online threat to children’s mental health.
- Last week, the EU Commission announced a new age verification app that citizens will soon be able to use.
- This system requires citizens to verify their age to access online platforms without sharing any personal data.
- Meanwhile, France has already enacted a ban on social media use for children under 15 while Spain, Austria, Greece, Ireland, Denmark, and the Netherlands are preparing to introduce similar rules soon.
- Opposing political figures consider these bans to be excessive government intervention, arguing that education, parental control, and digital literacy may be more effective.
International
South Korean matchmaking firm, Duo, receives fines for major personal data breach
- Following a cybersecurity breach, Duo experienced a leak of sensitive data such as weight, blood type and marital history.
- South Korea’s Personal Information Protection Commission (PIPC) held that the breach resulted from Duo’s failure to implement adequate security measures to protect its database. It also found that Duo was slow to respond after hackers breached its systems last year.
- The authority found that the company also failed to delete the data of 300,000 former users even though the law requires such data to be deleted within five years.
- The company has been fined 1.21 billion won (£665,000) and has been ordered to revamp its data protection systems and fully disclose technical details of the breach to affected users.



