Data and cyber security – 2025 roundup

UK cases

High Court ruling on consent by vulnerable individuals

On 23 January 2025, the High Court handed down a ruling looking at the consent requirement under the GDPR and PECR in relation to a vulnerable recovering gambling addict in a claim against Sky Betting and Gaming operators Bonne Terre Ltd and Hestview Ltd. The Court found the claimant’s consent was not freely given or sufficiently informed given his vulnerability, so use of cookies and subsequent direct marketing was unlawful.

The Court stated consent had to be of a “relatively high” quality and that this was context-specific, taking into account the individual’s subjective state of mind as to what they thought, understood and desired, the individual’s autonomous choice about consent based on external circumstances, and the evidential basis on which the controller relied. This cannot rest on generic probabilities where vulnerability may impair autonomy. It cautioned that gambling marketing presents an obvious risk of defective consent, while stressing that the decision is fact- and time-specific. While the scope of the judgment was limited to the facts of the case, it raises issues for anyone relying on consent, particularly in the online gambling sector.

Court of Appeal clarifies rules on claims for non-material damage under the UK GDPR

On 22 August 2025, the Court of Appeal handed down judgment in the case of Farley & Ors v Paymaster (1836) Ltd (trading as Equiniti) [2025] EWCA Civ 1117. The judgment is significant as it clarifies issues around claims for non-material damages under the UK GDPR. The main substance of the appeal related to whether claims for compensation for data breaches under the UK GDPR had to pass the threshold of seriousness set out in the Lloyd v Google case, which was concerned with the Data Protection Act 1998. The Court said the Lloyd v Google threshold of seriousness did not apply to UK GDPR claims and that the UK should follow the CJEU’s approach as set out in the 2023 Österreichische Post case, in which it was held that there was no threshold of seriousness to be passed in relation to non-material damages claims for breaches of the GDPR. While clarification of the application of the seriousness threshold (or not) to UK GDPR claims is helpful, it does not open the floodgates to opt-out representative actions in data claims, as it does not overcome the difficulty of demonstrating that all claimants have the same interest.

ICO does have jurisdiction in Clearview AI case

On 8 October 2025, the ICO reported that the Upper Tribunal upheld three of its four appeal grounds against the First-tier Tribunal in the Clearview AI case, confirming that Clearview’s processing relates to monitoring the behaviour of UK residents and falls within UK data protection law, even when Clearview services are supplied to foreign law enforcement or government agencies. The decision is legally binding and clarifies the material and territorial scope of the UK GDPR. It reaffirms that organisations monitoring UK residents’ behaviour are in scope irrespective of where they are established. The case was remitted to the First-tier Tribunal to determine the substantive appeal on the basis that the ICO had jurisdiction to issue the monetary penalty and enforcement notices. Clearview may seek permission to appeal.

ICO enforcement

Beyond the continuing enforcement action relating to unlawful marketing, and cyber security enforcement action (see below), 2025 highlights include:

  • On 3 March 2025, the UK’s ICO announced three investigations as part of its wider interventions into how social media and video sharing platforms use children’s data.
  • In March, it was reported that the ICO is joining others in investigating DeepSeek’s data practices. South Korea’s privacy regulator has suggested DeepSeek has engineered its system to cover up data flows, relying more heavily on hard coding than other GenAI models, making it harder to analyse the data being processed. Reports suggest DeepSeek is rapidly being embedded in China’s government services, causing concerns around privacy and cyber security.
  • On 25 September 2025, the ICO confirmed fining two energy companies a total of £555,000 for making ‘robo calls’ using avatar software. The software made calls that led recipients to believe they were speaking to real people.
  • On 10 September 2025, the ICO issued a notice of intent to fine MediaLab AI Inc for data protection breaches relating to its social media platform Imgur. The ICO provisionally found that Imgur’s use of children’s personal data and its approach to age assurance were non-compliant. Imgur now directs UK users to a help page which tells them the site is not available in the UK. The ICO said on 30 September that this is a commercial decision by MediaLab AI and that it will consider any representations from the company before reaching a final decision on sanctions.

CJEU judgments and AG opinions

EC ordered to pay €400 in damages for unlawful transfer of personal data

On 9 January 2024, the General Court of the EU ordered the EC to pay Thomas Bindl €400 in respect of the unlawful transfer of his personal data to the USA. Bindl is appealing. The European Commission has also appealed aspects of the decision. Read more.

CJEU says DPAs must consider all claims

In a preliminary ruling on a reference from Austria in January 2025, the CJEU said DPAs are not allowed to limit the number of claims made by an individual but must review each claim on its merits. The background to the claim is the Austrian DPA’s rejection of a claim on the basis that the claimant had made 77 claims between 2018 and 2022. The Austrian DPA wanted to allow a maximum of two complaints per data subject per month. The CJEU said that as long as complaints are not vexatious or abusive, frequency alone is not sufficient to classify a claim as “excessive”.

CJEU says a customer’s gender identity is not necessary data for transport ticket purchase

On 9 January 2025, the CJEU held that it is not necessary to collect data on customers’ titles, particularly where the purpose of the collection is to personalise commercial communications. The French Council of State asked the CJEU whether collecting title data was consistent with the data minimisation principle. The CJEU said that for the data processing to be necessary it had to be objectively indispensable for performance of a contract, or for attainment of a communicated legitimate interest. In this instance, the CJEU found the data collection was not objectively indispensable.

CJEU decision on transparency of ADM

On 27 February 2025, the CJEU ruled on a reference from Austria about the use of automated decision-making and credit scoring. An individual asked for information about the logic involved in the automated decision-making under Article 15(1) GDPR. The referring court asked the CJEU to determine how detailed the response had to be and asked for clarification on how the balance between protecting trade secrets and the right of access under the GDPR should be assessed. The CJEU ruled that information provided to data subjects had to be sufficiently clear so that they could understand what personal data was used to obtain a specific result. It was not sufficient to provide complex information which the individual would be unable to understand. The data subject’s rights cannot be overridden by the controller’s desire to protect trade secrets. In the event of concern or doubt, the controller should apply to a court or the supervisory authority for clarification. Read more.

AG Opinion in Meta v EDPB

On 27 March 2025, Advocate General Ćapeta handed down a non-binding Opinion in WhatsApp Ireland Ltd v European Data Protection Board. WhatsApp was appealing the General Court’s decision which held that it could not appeal to a national court regarding the EUR 225m fine issued to it by the Irish Data Protection Commission following an EDPB decision that the fine should be higher than originally proposed. The AG opined that EDPB decisions are challengeable whereas the General Court held that the case was inadmissible. If the CJEU follows the Opinion, organisations will be able to challenge EDPB Article 65 decisions directly before the General Court rather than going through national proceedings and potentially a preliminary reference to the CJEU. See our article for more.

CJEU ruling on nature of pseudonymised data

On 4 September 2025, the CJEU handed down a significant decision in EDPS v SRB which clarified the treatment of pseudonymised data. The most notable aspect of the case relates to clarification of when pseudonymised data is personal data, particularly in relation to data transferred to a third party by a controller. Read more.

CJEU AG Opinion on GDPR limits to publishing athletes’ anti-doping sanctions online

On 25 September 2025, Advocate General Spielmann issued an Opinion in Case C-474/24 discussing whether Austrian rules requiring online publication of athletes’ names, sport, sanction duration and reasons for anti-doping infringements comply with the GDPR. The AG considers that it is not necessary to publish athletes’ names. Pseudonymised publication would achieve the objectives of deterring athletes from infringing anti-doping rules and preventing circumvention of those rules, so publication of names should be limited to relevant bodies and sports federations. Publication should be proportionate in terms of scope and duration of availability. Controllers must conduct a case-by-case balancing exercise of the different interests involved before processing. The Opinion is not binding and the CJEU judgment will follow.

Advocate General Opinion on whether an initial SAR can be excessive

On 18 September 2025, AG Szpunar handed down an Opinion in response to a reference from Germany relating to the abuse of subject access rights. The AG opined that an initial request for information under a subject access request can, in exceptional circumstances, be considered excessive. However, the threshold for assuming an abuse of rights in an initial request is high. The AG said that the mere fact that a person has made numerous previous requests does not make a request abusive. Nor does exercising the right to compensation. The decisive issue is the underlying purpose of the individual’s actions. Read more about the Opinion here.

CJEU ruling on direct marketing to readers of free newsletters

In a reference from Romania, the CJEU ruled on 13 November 2025 that signing up to receive a free newsletter with links to articles which might only be accessible with a paid-for subscription constituted a ‘sale’ of a product or service for the purposes of the ePrivacy Directive; a direct monetary payment was not required. Where Article 13(2) ePrivacy applied, the publisher of that newsletter was entitled to send direct electronic marketing to the email address of the user of the service without requiring a separate lawful basis under the GDPR. Read more.

Online marketplace is controller of personal data in user-generated ads on its platform, says CJEU

On 2 December 2025, the ECJ handed down its judgment in X v Russmedia Digital and Inform Media Press. It concluded that online marketplaces are (joint) data controllers for GDPR purposes where they process personal data in user-generated content for their own commercial purposes. The judgment makes it clear that this is a very low bar which many platforms are likely to meet. (Joint) controllers will need to check UGC for personal data ahead of publication, verify that any personal data belongs to the user placing the UGC and, if it doesn’t, ensure there is an Article 6 GDPR lawful basis and, where relevant, an Article 9 GDPR exemption from the prohibition on processing special category data. Where they are joint controllers, they will need to deal with the Article 26 GDPR requirements relating to joint controllership in their user terms. In addition, and importantly, they will not be able to rely on liability shields (the hosting exemption and the ‘no monitoring obligation’ in the e-Commerce Directive/Digital Services Act). This judgment raises complex issues for online marketplaces and platforms. Read more.
