United Kingdom
NHS software provider fined £3m over data breach after ransomware attack
- An NHS software provider, the Advanced Computer Software Group, has been fined £3m by the Information Commissioner’s Office (ICO) over security failings that led to a ransomware attack on the NHS that put the personal information of 79,404 individuals at risk.
- The cyberattack occurred in August 2022, when hackers exploited the lack of multi-factor authentication to access sensitive information, including patient phone numbers, medical records, and details on how to enter the homes of 890 individuals receiving home care. This breach disrupted critical services including NHS 111, staff access to patient records, and software to facilitate patient check-ins.
- The ICO’s investigation concluded that Advanced did not have appropriate security measures in place prior to the incident. While the company had installed multi-factor authentication across many of its systems, “the lack of complete coverage” was criticised by Information Commissioner John Edwards. “The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information,” Mr Edwards said.
- He added that the fine should serve as a “stark reminder” to organisations to ensure they have “robust security measures in place”.
More than two in five UK finance brands non-compliant with data protection laws
- A new study by digital consultancy firm 7DOTs suggests that nearly half of UK finance brands are not complying with data protection laws.
- The study was based on a detailed analysis of over 24,000 firms registered with the Financial Conduct Authority (FCA) across various financial services. The criteria for inclusion were firms with active websites, which were regulated for more than just consumer credit. The research was conducted using a custom cookie compliance testing tool developed by 7DOTs.
- The study found that 43% of finance firms were non-compliant with data protection laws by accessing browser storage for advertising or analytics without user consent, while another 70% may unknowingly be at high risk through non-compliance.
- Payday lenders were most at risk, with 67% non-compliant, followed by 64% of trading venues and 58% of open banking providers. While banks, building societies, and pension fund administrators had better compliance (over 60%), the fact that nearly 40% were still non-compliant highlights the significant risks within this sector, particularly given the sensitivity of the data they handle.
United States
- On January 8th, 2025, the U.S. Department of Justice (DOJ) introduced a landmark rule restricting U.S. entities from engaging in “covered data transactions”, defined as transactions that give “countries of concern” or “covered persons” access to sensitive U.S. data.
- The rule, effective April 8, 2025, fully prohibits transactions involving data brokerages and bulk “human ’omic data” (including genomic, proteomic and biospecimen data) with these countries and entities.
- Restricted transactions (vendor, employment, or investment agreements) are allowed only if certain cybersecurity, recordkeeping, and audit requirements are met.
- The rule targets six “countries of concern” (China, Cuba, Iran, North Korea, Russia, Venezuela) and defines “covered persons” as entities linked to these countries, including those owned 50% or more by them.
- Consequently, the many health care and life sciences companies that provide access to the data of US individuals to affiliates or vendors in China should assess their arrangements carefully.
- The rule includes exemptions for healthcare and life sciences transactions, such as those necessary for regulatory approval or FDA-regulated clinical investigations, and for collecting clinical care or post-marketing product surveillance data, provided the data is de-identified and specific requirements are met.
Europe
EU court adviser backs WhatsApp in fight against EU privacy watchdog
- Meta has confirmed that the version of its AI assistant currently being launched in the EU has not been trained on local users’ data, which is why it will not be notifying EU users or otherwise seeking their consent.
- On March 27th, 2025, Meta’s platform WhatsApp received support from an adviser to the Court of Justice of the European Union (CJEU) in its dispute with Ireland’s data protection authority. In 2021, the Irish authority fined WhatsApp €225 million (£188 million) over complaints about its use of personal data in Ireland, with the higher penalty following intervention by the European Data Protection Board (EDPB).
- In 2022, a lower tribunal rejected WhatsApp’s challenge against the EDPB, ruling it lacked legal standing to sue the authority, though it could contest the Irish fine in a national court.
- WhatsApp then appealed to the CJEU, Europe’s highest court. On March 27, 2025, CJEU Advocate General Tamara Capeta criticised the lower tribunal’s decision, stating in a non-binding opinion that “WhatsApp’s challenge of the EDPB decision is admissible and the case should be referred back to the General Court for a decision on the merit.”
- The CJEU, which follows its advisers’ recommendations in four out of five cases, is expected to rule in the coming months.
International
DNA testing firm 23andMe files for bankruptcy as demand dries up
- 23andMe, a U.S.-based personal genomics company, has filed for bankruptcy in the U.S. following struggles with weak demand for its ancestry testing kits and a 2023 data breach that significantly damaged its reputation.
- The company’s shares dropped 50% to 88 cents after co-founder Anne Wojcicki resigned as CEO. The company recently secured $35 million in financing and will continue operations during the sale process, but did not confirm other bidders.
- Various stakeholders, including users and officials such as California Attorney General Rob Bonta, have raised concerns about the future of customers’ genetic data. He, among others, has recommended that users promptly delete their genetic data from the platform.
- Although 23andMe’s privacy policy states that the data could be sold, the company has stated that the bankruptcy will not affect data storage or protection and requires any potential buyer to follow data privacy laws.
- Historically, the company has made multiple deals with pharmaceutical and biotechnology firms, including British drug developer GSK, though most details, particularly on data protection, remain undisclosed.
Notes from the Asia-Pacific region: Regulatory developments in full swing
- Significant data protection regulatory developments have occurred in Vietnam and Malaysia over the past month.
- Vietnam’s draft Personal Data Protection Law has been fast-tracked to take effect in January 2026. The legislation is markedly detailed: it defines sensitive personal data, establishes consent requirements, and includes cybersecurity requirements for AI, blockchain, and VR. However, it grants individuals only a right of erasure, not a right to data portability.
- Malaysia has introduced a new guideline requiring businesses to appoint and register a locally residing, bilingual Data Protection Officer (DPO) if they process personal data of over 20,000 individuals or sensitive data of over 10,000.
- Malaysia has also issued a guideline for mandatory breach reporting where a data breach is likely to cause “significant harm,” and released three consultation papers on Data Protection Impact Assessments (DPIAs), data protection by design, and automated decision-making and profiling.