United Kingdom
The European Commission proposes to renew the UK’s data protection adequacy decision
- The current EU-UK adequacy decision is set to expire on the 27th of December 2025, which has led the Commission to issue a draft implementation decision that continues to assess the UK’s data protection standards as being largely equal to the EU’s. The Commission has therefore recommended renewing the adequacy decision for another six years.
- In order to provide this recommendation, the Commission assessed the UK’s recently introduced Data Use and Access (DUA) Act 2025, which diverges from the EU’s position on some key aspects.
- In particular, the Commission assessed the changes introduced by the DUA Act in terms of automated decision making, international transfers and the new structure of the ICO, concluding that UK law continues to give adequate protection.
- The Commission’s draft decision will then be presented to the representatives of the EU member state governments, who will have to formally approve it. The draft decision will also be considered by the European Data Protection Board (EDPB), which will present its non-binding opinion.
A data protection claim brought by personal injury clients dismissed by county court judge
- Three individuals claimed that DWF Law LLP violated their data subject rights by using their health data when acting for insurers.
- DWF made a witness statement in court which included analysis of claims provided to them by the insurers which disclosed the claimants’ names.
- Justice Eady confirmed that she was satisfied that DWF processed the personal data in accordance with the data protection principles whilst performing its professional obligation, pursuing the legitimate interests of its clients and for the public interest task, that is, to ensure administration of justice.
- Additionally, the Judge recognised that DWF’s website is transparent about the potential use of personal data to perform its professional obligations, which may involve disclosing information to third parties. It would also be reasonable to assume that the claimants would have realised that any information disclosed as part of the litigation would be scrutinised in court.
United States
- TADTS provides alcohol and drug testing services in Texas and other US states for individual and workplace use.
- TADTS identified the breach in July 2024, which was then followed by a nearly yearlong investigation into the potentially compromised information in collaboration with a data mining team.
- The potentially compromised information includes names, dates of birth, social security numbers, driver’s license numbers, passport numbers, financial and credit card information, biometric information, login credentials, emails and passwords and USCIS numbers.
- The information was collected with the consent of the individuals as part of their current or past employment.
- Since the breach, TADTS has incorporated measures such as resetting passwords, implementing additional monitoring tools and detection protocols and reporting the attack to the relevant authorities. TADTS also recommended that the affected individuals should monitor their credit reports and account statements and report suspicious activity.
Europe
EU residents’ data stored with Microsoft is not protected from US access
- Microsoft testified under oath before the French Senate that it cannot guarantee that European user data is safe from US authorities even if the data resides in EU data centres.
- The US’ Cloud (Clarifying Lawful Overseas Use of Data) Act gives the US authorities powers to compel American companies like Microsoft to share data regardless of where it is stored. Microsoft’s technical and organisational measures cannot protect against such orders.
- The Cloud Act applies to all American companies and their overseas subsidiaries, which can be ordered to hand over data to law enforcement agencies like the FBI, NSA etc. Although ‘unfounded requests’ can be challenged, the decision lies with US courts.
- This reveals a bigger problem, that is, the EU is heavily reliant on US technology providers like Microsoft, Amazon Web Services, Google Cloud and so on which are all subject to the Cloud Act.
- The pay-or-okay model, also known as the consent-or-pay model, does not provide users with a genuine choice to refuse tracking because the alternative requires paying a charge.
- The European Data Protection Board (EDPB) previously stated in a non-binding opinion that such models do not provide a ‘real choice’. It is now considering releasing formal guidelines regarding the use of these models.
- This model was introduced by an Austrian newspaper called Der Standard and was then adopted across the EU and UK.
- Meta too adopted the model in 2023, essentially offering EU users the choice to subscribe to Facebook and Instagram or consent to the use of tracking for direct marketing. Meta now faces daily fines of up to 5% of its global revenue until it addresses its consent model.
International
Indonesia and the US agree to a US data transfer framework
- As part of a trade deal, Indonesia announced that it will recognise the US as a country/jurisdiction which provides adequate protection under its data protection laws.
- Earlier, data transfers from Indonesia to the US required incorporating a data transfer mechanism into commercial contracts.
- Indonesia would first have to complete implementing certain regulations from its Personal Data Protection Law, which was enacted in 2022. This legislation specifically states that certain types of data, including public data, cannot be transferred outside Indonesia under the current frameworks.
- This change is part of a bigger trade deal which would reduce the US reciprocal tariffs on Indonesian exports to 19% while requiring Indonesia to eliminate 99% of the tariff barriers on US products.



