ARTICLE
24 November 2025

Autumn Data Wrap: A Snapshot Of Key Regulatory Developments

Herbert Smith Freehills Kramer LLP


In June 2021, the European Commission adopted two adequacy decisions (the "Adequacy Decisions") for the UK (under the EU GDPR and the Law Enforcement Directive). The Adequacy Decisions grant the UK adequate protection status, enabling the flow of personal data from the EU to the UK without additional safeguards. They are due to expire on 27 December 2025.

The European Commission has now issued two new draft decisions proposing to extend the UK's adequacy status until December 2031 and noting that the UK's data protection standards continue to be "essentially equivalent" to the EU's data protection standards.

Since publication of the proposed new decisions, the European Data Protection Board ("EDPB") has issued its opinion on the proposed renewal. The EDPB signalled general approval and welcomed the "continuing alignment between the UK and EU data protection framework". However, the EDPB noted areas of the UK data protection framework that should be monitored by the European Commission, including:

  • international commitments entered into by the UK, noting that these should be taken into account in assessing the renewal of the Adequacy Decisions;
  • the Secretary of State's ability to amend the UK data protection framework via secondary legislation, noting that these powers are "broad";
  • the removal of the principle of primacy of EU law through the Retained EU Law (Revocation and Reform) Act 2023;
  • changes to the Information Commissioner's Office's ("ICO") rules for the appointment and dismissal of directors and the application of the ICO's corrective powers; and
  • changes to the rules governing the international transfer of personal data, including to third countries.

Following the EDPB's opinion, the proposed extension of the Adequacy Decisions will need to be approved by representatives of EU countries and adopted in final form by the European Commission.

For more detailed commentary on the EDPB opinions please refer to our blog here and this Lexology PRO article to which we contributed.

For further information regarding the Data (Use and Access) Act please see our blog How much does the Data (Use and Access) Act reform UK GDPR? Let me count the ways.


The European Court of Justice has set aside the previous judgment of the General Court in the Banco Popular Espanol case (C-413/23 P), but has confirmed that the General Court was correct in its position that pseudonymised data should not be considered personal data in the hands of a recipient where the risk of re-identification of the data subject is 'non-existent or insignificant', using 'reasonable means'.

The CJEU clarified that "pseudonymised data must not be regarded as constituting, in all cases and for every person, personal data for the purposes of the application of Regulation 2018/1725, in so far as pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable."

This finding goes against the EDPB's draft guidelines on pseudonymisation, which state that pseudonymised data will always be considered personal data, and instead brings the European position more into line with the position adopted in the UK, where the ICO has previously confirmed in its regulatory guidance that data which has undergone anonymisation or pseudonymisation techniques should only be treated as effectively anonymised where the likelihood of identifiability is sufficiently remote. The resulting status of the data will depend on the context and on the respective 'hands' of those who process it. Accordingly, pseudonymised data held by organisations which have the means and additional information to 'decode' it, and therefore to re-identify data subjects, will be classified as personal data; but pseudonymised data held by organisations without such means or additional information will not be personal data, as it is 'effectively anonymised'.

From the judgment of the CJEU, there appear to be two tests to assess whether pseudonymised data will no longer constitute personal data:

  • firstly, whether the 'additional information' that would allow re-identification is kept separately from the pseudonymised data and subject to technical and organisational measures designed to prevent re-identification; and
  • secondly, the courts will also consider 'all the means reasonably likely' to be used by a party to identify the data subject directly or indirectly. In assessing what means are 'reasonably likely', parties should consider 'all objective factors, such as the cost of and the amount of time required for identification, taking into consideration the available technology at the time of processing and any technological developments'. The CJEU indicated that a means of identifying a data subject is not 'reasonably likely to be used' where identification would be impossible in practice, including where such means would involve a disproportionate effort in terms of time, cost and labour.

Finally, the CJEU has also reiterated the Advocate General's position that the GDPR places obligations on data controllers, and noted that 'such obligations cannot be imposed on an entity which is in no way in a position to carry out that identification'.

The position appears to be a rare and welcome win for common sense (how can data be personal data if an organisation cannot identify a person from the data?) but it will be interesting to see if the EDPB responds and amends its guidance in any way to row back from the current position.


The recent Upper Tribunal decision in the long-running Clearview AI GDPR enforcement case in the UK overturned the previous decision of the First Tier Tribunal and found that the Information Commissioner's Office (the "ICO") had jurisdiction to take enforcement action against Clearview AI Inc, an American technology company incorporated in Delaware with no corporate presence in the UK.

The Upper Tribunal adopted a broad interpretation of the extra-territoriality provisions of the UK GDPR so that they can apply not only to controllers outside of the jurisdiction undertaking behavioural monitoring, but also to companies undertaking processing activities which relate to the behavioural monitoring undertaken by another (controller) organisation.

This could be seen as a warning to foreign controllers and processors who had considered themselves beyond the reach of the law. It is worth noting, however, that regulatory enforcement against foreign companies has been rare since the GDPR was implemented in 2018, and in many cases the jurisdictional scope of the law would be more clear cut than it was in the Clearview case.

The Upper Tribunal also sought to define parameters around "behavioural monitoring", again with a broad interpretation that will likely have even broader implications for companies in an AI-focussed landscape.

For further information and analysis, please see our article in Practical Law Magazine, available here (behind a paywall).


The UK Information Commissioner's Office ("ICO") confirmed in an update published on 30 September that it had issued a notice of intent on 10 September 2025 to impose a monetary penalty on MediaLab AI Inc (Imgur) for alleged failures in protecting children's personal data. This follows the ICO's announcement in March 2025 of investigations into how social media and video sharing platforms use UK children's personal information.

The ICO notes in its update that Imgur has restricted access to its platform in the UK following the notice of intent, but confirms that this will not impact its enforcement, stating that "exiting the UK does not allow an organisation to avoid responsibility for any prior infringement of data protection law, and our investigation remains ongoing". The statement refers to the ICO's Children's code strategy, which sets out the ICO's priorities in this area.

The ICO's enforcement action is a timely reminder of the importance of clear compliance for organisations which process, or may process, children's data.


On 31 October 2025, the UK Information Commissioner's Office (the "ICO") launched a public consultation on its draft Data Protection Enforcement Procedural Guidance, signalling a significant update to the UK's data protection enforcement landscape. The draft guidance, aimed at organisations processing personal data and their advisers, sets out in detail how the ICO will approach investigations and exercise its enforcement powers under the UK GDPR, Data Protection Act 2018, and the Data (Use and Access) Act 2025.

Key features include a clearer explanation of how the ICO decides whether to open an investigation; the expanded information-gathering powers now available under the Data (Use and Access) Act 2025, including the ability to require answers to questions and organisational reports; and the process for determining outcomes – ranging from informal resolution to warnings, reprimands, enforcement notices, and monetary penalty notices. Notably, the draft guidance introduces a formal settlement process, allowing for reduced fines in appropriate cases, and clarifies the rights of appeal against statutory notices.

Once finalised, the new guidance will replace the ICO's existing statutory guidance on information notices, assessment notices, enforcement notices, penalty notices and privileged communications, its Regulatory Action Policy (2018) and its Data Protection Fining Guidance.

The consultation is open until 23 January 2026. The ICO is seeking feedback from law firms, DPOs, privacy professionals, and other stakeholders.


On 15 October, the Information Commissioner's Office ("ICO") in the UK issued a penalty notice decision, fining two companies within the Capita Group a total of £14 million for breaches of the UK GDPR (£8 million for the parent, Capita plc, as data controller and £6 million for a subsidiary, Capita Pension Services Limited ("CPSL"), as data processor).

The ICO identified several failings which it said amounted to breaches of UK GDPR and in particular the duties to use and implement appropriate technical and organisational measures under Articles 5(1)(f) and 32. Specifically, these included failures to:

  • prevent privilege escalation and unauthorised lateral movement across the Capita network;
  • remedy vulnerabilities known about before the incident, which facilitated privilege escalation and unauthorised lateral movement, which the ICO viewed as making this contravention "particularly egregious";
  • respond appropriately to security alerts, especially considering the 58-hour time to respond to a high priority security alert raised within ten minutes of the breach; and
  • conduct adequate penetration testing and, in particular, the failure to have regard to the importance of the types of data being processed when deciding whether or not penetration testing was necessary.

The fine ranks as one of the most substantial levied by the ICO to date in respect of cyber breaches (after appeals are taken into account), below the c.£20 million ultimately levied against British Airways, but well above the average level of fine for UK GDPR breaches. In fact, the final figure represents a discount from the ICO's starting point of a combined £58 million fine. Capita settled with the ICO to reduce the penalty by admitting breaches of the UK GDPR and agreeing not to appeal the decision, along with a discount applied to reflect the fact that these were two group companies and to avoid suggestions of "double punishment".

For further analysis of the monetary penalty notice, please see our blog post, available here.


Four athletes have challenged the Austrian Anti-Doping Legal Committee (the "ÖADR") and National Anti-Doping Agency ("NADA") over plans to publish their names, sporting discipline, length of suspension and reasons for exclusion on their websites. Under Austrian Anti-Doping Law, both ÖADR and NADA are permitted to disclose this personal data with the objective of: (i) deterring athletes from violating anti-doping rules; and (ii) preventing circumvention by informing relevant persons.

On 25 September 2025, Advocate General Spielmann issued an opinion in Case-474/24, referred by the Austrian Federal Administrative Court, considering whether such disclosure is appropriate for achieving the public interest objectives outlined above, and whether it is necessary and proportionate to those objectives.

The Advocate General concluded that publishing the athletes' personal data goes beyond what is required to meet the objectives. In his view, these could be achieved in a manner more consistent with GDPR and the principle of data minimisation, for example, by using pseudonymised data and limiting disclosure to relevant sports bodies.

This opinion opens an interesting discussion around balancing the principles of sporting integrity with the need to safeguard personal data. The forthcoming judgment from the Court of Justice will provide further clarity on this issue.


On 18 September 2025, the Advocate General ("AG") delivered an opinion for a preliminary ruling in a case concerning data access requests under the EU GDPR (Case C-526/24 Brillen Rottler). The request for a preliminary ruling arose out of a data controller arguing that there are circumstances in which data subject access requests can be invoked in an excessive, even abusive, manner.

Under the EU GDPR, data subjects have the right to request information regarding the personal data collected about them from data controllers. However, controllers may refuse to provide such information if the request is "manifestly unfounded or excessive, in particular because of their repetitive character". The question of when a subject access request is "excessive" has, however, never been clearly answered.

The AG's opinion provided commentary on when data subject access requests can be considered "excessive". Specifically, it highlighted that the exceptions for data controllers under Art 12(5) EU GDPR should be interpreted strictly, and that abusive intention on the part of the data subject must be made out. The mere fact that a data subject has previously made many data subject access requests and subsequently claimed compensation is not sufficient to characterise a request as "excessive". Further, the AG's opinion argued for a broad interpretation of the compensation mechanism under the EU GDPR, asserting that a right to compensation can arise from any infringement of the EU GDPR.

The case is still pending final judgment, which can take several months. Although AG opinions are not binding, they are often followed by the court.


On 5 September 2025, the European Commission published a draft adequacy decision recognising Brazil as a country that ensures an adequate level of protection for personal data. Currently, under the EU GDPR, flows of personal data from the EU to Brazil must go through one of the prescribed safeguarding mechanisms, which include: (i) standard contractual clauses; (ii) binding corporate rules; and (iii) certification. If adopted, the proposed adequacy decision would mean that flows of personal data from the EU to Brazil would be treated as if they had taken place within the EU. There would be no need to use the safeguarding mechanisms, making it much faster to effect cross-border transfers of personal data to Brazil.

The European Data Protection Board ("EDPB") adopted an opinion on the draft decision on 5 November 2025, inviting the Commission to provide further information in relation to certain areas of Brazilian data protection legislation. The next steps in the process towards adoption of the adequacy decision are approval by representatives from EU Member States followed by adoption by the European Commission.

In parallel, the Brazilian data protection authority (Autoridade Nacional de Proteção de Dados) is finalising its own adequacy decision, recognising the EU as equivalent under Brazilian national data protection law. If the adequacy decisions are adopted on both sides, there will be a mutual recognition regime ensuring the free flow of personal data between the EU and Brazil.


In September 2025, the Court of Justice of the European Union ("CJEU") delivered an important ruling on what remedies data subjects can seek under the GDPR. The CJEU confirmed that individuals do not have a standalone right to obtain an injunction to prevent future data processing. Instead, GDPR provides specific rights—such as the right to erasure (Article 17) and restriction of processing (Article 18)—which must be exercised within their defined scope.

The judgment also clarified the rules on compensation for non-material damage. The clarification was that non-material damage can include "negative feelings" like annoyance or fear caused by loss of control over data, but only if they are demonstrable and can be attributed to the violation. While the controller's level of fault may influence the amount of compensation, it does not change the basic requirement for actual damage.


On 7 November 2025, the Financial Conduct Authority ("FCA") announced its first successful prosecution under the Data Protection Act 2018 ("DPA 2018").

Luke Coleman, a former employee of Virgin Media O2, pleaded guilty to unlawfully obtaining and disclosing personal data, contrary to section 170(1) of the DPA 2018. Coleman sold confidential customer information to a family friend, Nicholas Harper, who used the data to facilitate a boiler room fraud linked to a crypto investment scam. The scheme defrauded at least 65 investors of over £1.5 million, and two individuals involved were sentenced to a combined 12 years' imprisonment earlier this year. Coleman received the maximum penalty for this offence: a £384 fine, plus a £38 surcharge and £500 towards prosecution costs. Harper had previously pleaded guilty to assisting the offence but was acquitted of conspiracy to defraud.

This case is significant as it represents the FCA's first enforcement action under the DPA 2018, demonstrating its willingness to extend enforcement beyond traditional financial misconduct and actively pursue cases where misuse of personal data facilitates fraud. It also serves as a reminder that liability for mishandling personal data does not rest solely with organisations - individuals can face criminal prosecution under the DPA 2018 as well as related legislation such as the Computer Misuse Act 1990.

In light of this development, firms should review insider risk controls, strengthen monitoring of privileged access, and ensure employees understand that personal data misuse can lead to criminal liability.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
