On 2 June 2025, the German Federal Commissioner for Data Protection and Freedom of Information ("BfDI") issued a fine of €45 million against Vodafone GmbH ("Vodafone") for breaches of the GDPR, including security vulnerabilities in its systems.
The fine comprised two parts:
- €15 million was imposed for breach of Article 28(1) of the GDPR because Vodafone failed to adequately monitor the partner agencies that sell contracts to customers on its behalf, which resulted in fraudulent or altered contracts that harmed customers. Under Article 28, a controller may only engage processors that provide sufficient guarantees that they will implement appropriate technical and organisational measures so that processing complies with the GDPR.
- €30 million was imposed for security vulnerabilities in the authentication process of the 'MeinVodafone' online portal, which allowed unauthorised individuals to access customer eSIM profiles by exploiting insufficient identity verification when the portal and the 'Vodafone Hotline' were used in combination. Article 32(1) of the GDPR requires controllers to implement technical and organisational measures that provide a level of security appropriate to the risk.
In response to these issues, Vodafone terminated collaborations with fraudulent partner companies, re-designed its processes and strengthened its systems to prevent incidents from recurring. Vodafone paid the fine in full and donated to organisations committed to data protection and digital literacy. The BfDI acknowledged Vodafone's proactive cooperation in addressing these issues.
In its press release, the BfDI highlights the importance of:
- focusing on security processes, particularly for companies with a backlog of investment in modernising and consolidating their IT systems;
- adequately monitoring the use of data processors; and
- being aware of, and mitigating the risk of, new technological possibilities and more complex threats.
Vodafone's fine serves as a reminder that controllers must take proactive steps to strengthen their security posture, manage third parties, and maintain consumer trust.
On 2 May 2025, the Irish Data Protection Commission (the "DPC") fined TikTok Technology Limited ("TikTok") €530 million for breaching GDPR requirements. Beyond the fine, the DPC ordered the suspension of data transfers to the People's Republic of China ("China") and required TikTok to bring its data processing practices into full compliance with Chapter V of the GDPR within six months.
The breaches related to: (i) an infringement of Article 46(1) of the GDPR relating to the unlawful transfer of EEA users' personal data to China; and (ii) an infringement of Article 13(1)(f) of the GDPR relating to TikTok's lack of transparency about its international data transfers in its October 2021 EEA Privacy Policy.
In April 2025, TikTok disclosed to the DPC that a limited amount of EEA users' personal data had been stored on servers in China, where it was remotely accessible to staff. The DPC found this to be a breach of Article 46(1) of the GDPR.
Under the GDPR, transfers of personal data outside the EEA are only permitted where the European Commission has adopted an adequacy decision for the third country or where appropriate safeguards, such as standard contractual clauses, are in place. The DPC's Deputy Commissioner, Graham Doyle, stated that TikTok "failed to verify, guarantee and demonstrate" that the personal data of EEA users was safeguarded with the necessary level of protection. In addition to insufficient safeguards and supplementary measures, the DPC cited concerns about Chinese laws, such as its anti-terrorism and cybersecurity laws, which it considered to diverge significantly from EU data protection standards.
The DPC found that TikTok’s October 2021 EEA Privacy Policy also failed to meet Article 13(1)(f) of the GDPR as it did not name the third countries receiving personal data or explain the nature of the processing. Although TikTok updated the policy in 2022 to meet compliance standards, the earlier version was deemed non-compliant.
Following the DPC's decision, TikTok applied to the Irish High Court for, and was granted, a stay on the suspension of data transfers to China until early October. The court is expected to hear a further application from TikTok seeking an extension of the stay, pending its full challenge to the DPC's decision.
The European Commission has published its proposal for the first significant amendments to the EU GDPR since its enactment, with the aim of reducing the compliance burden on smaller businesses. This follows the publication of the Draghi Report on EU Competitiveness, which recommended that the EU reduce the regulatory burden on smaller companies in order to increase competitiveness.
On 21 May 2025, as part of the 'Simplification Omnibus IV' package, the European Commission proposed certain exemptions from the EU GDPR for small mid-cap enterprises ("SMCs"). The proposals would extend the exemption in Article 30(5) of the EU GDPR from the record-keeping obligation in Article 30, which requires organisations to keep records of, among other things, the purposes and categories of their processing of personal data. Currently, only organisations with fewer than 250 employees whose processing is merely 'occasional' benefit from the exemption; under the proposal, organisations with fewer than 750 employees and an annual net turnover not exceeding €150m whose processing activities are not 'high risk' would also be exempt. Interestingly, this proposal is not dissimilar to the previous Conservative Government's proposals to relax the ROPA requirements before the UK General Election last year. Those proposals were abandoned, potentially because they deviated too far from the GDPR. The proposal also requires that the EU and its Member States consider the needs of SMCs when drafting codes of conduct or establishing data protection certification mechanisms.
The reform proposal will now undergo the EU's legislative procedure, meaning that the final outcome could look significantly different from the changes set out in the European Commission's proposal.
The Data (Use and Access) Bill (the "Bill") has finally passed through Parliament and now awaits Royal Assent.
First introduced on 23 October 2024 (see our earlier blog post for more detail), the Bill aims to simplify and modernise the UK's data regime following the UK's exit from the European Union. Its progress faced significant delays following amendments proposed by the House of Lords on copyright and AI. To address those concerns, the Government agreed to publish a report on the copyright and AI proposals within nine months of the Bill receiving Royal Assent. The date of Royal Assent has not yet been announced.
The Hanover Administrative Court's (the "Court") judgment on cookie banners (case reference: 10 A 5385/22), dated 19 March 2025, was recently published.
The judgment concerned Neue Osnabrücker Zeitung ("NOZ"), a major media company in Lower Saxony. The State Commissioner for Data Protection of Lower Saxony had ordered NOZ to redesign its cookie banner, arguing that it failed to obtain valid, informed and voluntary user consent before placing cookies and subsequently processing personal data. NOZ challenged the order, arguing that its consent process was effective, that no personal data was processed, and that cookie compliance was outside the data protection authority's remit.
The Court found that NOZ made rejecting cookies deliberately harder than accepting them: users faced repeated consent prompts and misleading wording such as "optimal user experience" and "accept and close". Crucially, the banner did not use the word "consent" and buried key information about data transfers to third countries and the number of third-party partners below the fold, where it was only reachable by scrolling. The Court therefore ruled that NOZ had failed to obtain informed, voluntary and unambiguous consent as required under the GDPR, and had also breached Section 25 of the German Telecommunications Digital Services Data Protection Act (TDDDG).
The Court emphasised that if a website displays an “accept all” option for cookie consent, it must also provide a clearly visible “reject all” button on the same initial layer of the banner. It ruled that consent obtained by websites would be invalid if cookie banners are designed to nudge users into giving consent, and obstruct or make it difficult for users to refuse cookies.
The decision echoes guidance from Germany's Conference of Independent Federal and State Data Protection Authorities, which clarified in 2021 that banners offering only "Accept all" and "Settings" options are non-compliant because the two choices are not presented equally. Reinforcing this, an audit by the Bavarian Data Protection Authority in 2024 revealed widespread non-compliance among websites, many of which made rejecting cookies far harder than accepting them.
This trend is pan-European. The Dutch Data Protection Authority found five companies in breach of the cookie rules in 2024, and the UK's Information Commissioner's Office issued a 30-day warning to major websites in 2023 demanding that rejecting advertising cookies be as easy as accepting them; it has since written to the top 100 websites in the UK asking them to confirm their compliance with the cookie rules.
The Court’s decision therefore reinforces the growing regulatory consensus across Europe: cookie consent must be clear, informed, and genuinely voluntary. Website operators can no longer rely on dark patterns or imbalanced banner designs. As authorities tighten enforcement, businesses must prioritise transparent, user-friendly consent mechanisms to stay compliant and protect user rights.
The Brussels Market Court has upheld the EUR 250,000 fine initially imposed on IAB Europe by the Belgian Data Protection Authority (the "Belgian DPA") in relation to IAB Europe's Transparency and Consent Framework ("TCF").
The TCF is a mechanism for managing users' consent and preferences for online advertising. It plays a central role in the Real-Time Bidding ("RTB") ecosystem that underpins personalised advertising. A user's preferences are recorded in the TCF as an encoded string of characters known as a 'TC String'.
IAB Europe maintained that it was not a controller under the GDPR because the TC String does not constitute personal data. The Belgian DPA disagreed and found IAB Europe to be a joint controller of the personal data in the TC String, and that it had not implemented the measures the GDPR requires of joint controllers. On 2 February 2022, the Belgian DPA found that IAB Europe had therefore committed various infringements of the GDPR and imposed an administrative fine of EUR 250,000.
On 4 March 2022, IAB Europe appealed to the Brussels Market Court, which referred questions about the Belgian DPA's interpretation of IAB Europe's operations to the CJEU. On 7 March 2024, the CJEU issued its preliminary ruling that: (1) because a TC String relates to an "identified or identifiable user", it can constitute personal data; and (2) because IAB Europe "appears to influence data processing operations" when user preferences are recorded, it can be qualified as a joint controller. On 14 May 2025, the Brussels Market Court, applying the CJEU's preliminary ruling, upheld the EUR 250,000 fine imposed by the Belgian DPA and confirmed IAB Europe's role as a joint controller for the processing of user preferences within the TCF. Hielke Hijmans, chair of the Litigation Chamber of the Belgian DPA, welcomed the court's ruling, stating "... this clarification of key concepts in the GDPR has had and will continue to have a lasting positive impact on all those involved in the EU".
The UK’s National Cyber Security Centre ("NCSC") has issued guidance for retailers following a series of high-profile cyberattacks that have disrupted major brands such as Marks & Spencer, Co-op, and Harrods. These incidents underscore the escalating threat landscape and the need for robust cybersecurity measures within the retail sector. The NCSC guidance highlighted the following recommendations.
- Enhancing authentication protocols. Recent breaches have highlighted vulnerabilities in authentication processes, particularly those relying solely on passwords, and attackers have exploited weak or compromised credentials to gain unauthorised access. The NCSC advises retailers to implement multi-factor authentication ("MFA") comprehensively across all systems.
- Strengthening help desk security. Cybercriminals have increasingly targeted IT help desks, employing social engineering tactics to deceive staff into resetting passwords and granting system access. The NCSC recommends that retailers review help desk procedures, enhance verification protocols for administrative accounts and provide staff with training to recognise and respond to such threats.
- Monitoring for unauthorised account activity. Unusual login behaviour can indicate attempts to compromise user accounts, often going undetected until significant damage is done. The NCSC recommends that retailers actively monitor for ‘risky logins’ using tools such as Microsoft Entra ID Protection, which can flag potentially compromised sign-ins based on suspicious activity or atypical usage patterns.
- Regularly audit privileged accounts to verify legitimate access. Administrative accounts such as Domain Admin, Enterprise Admin, and Cloud Admin pose a high security risk if misused or compromised. The NCSC recommends that retailers regularly audit these privileged accounts to verify that access is appropriate, legitimate, and aligned with current roles and responsibilities.
- Monitoring atypical login sources. Cyber attackers often attempt to mask their activity using anonymisation tools such as VPNs, sometimes originating from residential IP ranges to mimic normal user behaviour. The NCSC advises retailers to identify and investigate logins from unusual sources to detect and block potential threats early.
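The monitoring recommendations above can be reduced to a handful of checks over sign-in telemetry. The following is an added example (not code from the NCSC guidance or from any vendor product) showing those checks run over a constructed list of sign-in events: a privileged account signing in without MFA, a source country/ASN never seen before for that user, a source IP inside a known anonymiser (VPN exit) range, and a country change too fast to be real travel. The account names, IP ranges (RFC 5737 documentation prefixes), ASNs and the per-user baseline are all hypothetical; in practice the events would come from an identity provider's sign-in log and the baseline from a learning window of that same data.

```python
"""Flag risky and atypical sign-ins from constructed sample events.

Added example, not code from the NCSC guidance or any identity product.
Every account name, IP range, ASN and baseline entry is hypothetical.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical privileged accounts, as a privileged-account audit might list them.
PRIVILEGED_ACCOUNTS = {"da-jsmith"}

# Hypothetical commercial VPN exit ranges (documentation prefix, not a real provider).
ANONYMISER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Hypothetical per-user baseline of (country, ASN) pairs seen during a learning window.
BASELINE = {
    "alice": {("GB", "AS64500")},
    "da-jsmith": {("GB", "AS64500")},
}

# Constructed sample sign-in events (UTC timestamps); not real log data.
SIGNINS = [
    {"ts": "2025-05-01T08:58:00Z", "user": "alice", "ip": "203.0.113.10", "country": "GB", "asn": "AS64500", "mfa": True},
    {"ts": "2025-05-01T09:20:00Z", "user": "alice", "ip": "198.51.100.7", "country": "NL", "asn": "AS64496", "mfa": True},
    {"ts": "2025-05-01T11:05:00Z", "user": "da-jsmith", "ip": "203.0.113.22", "country": "GB", "asn": "AS64500", "mfa": False},
    {"ts": "2025-05-01T11:06:00Z", "user": "bob", "ip": "192.0.2.40", "country": "GB", "asn": "AS64500", "mfa": True},
]

# A country change faster than this between two sign-ins is treated as suspect.
MAX_TRAVEL = timedelta(hours=2)


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def reasons_for(event: dict, baseline: dict, last_seen: dict) -> list[str]:
    """Return the reasons an event is risky; an empty list means nothing was flagged."""
    user = event["user"]
    reasons: list[str] = []

    # Privileged accounts must always present MFA.
    if user in PRIVILEGED_ACCOUNTS and not event["mfa"]:
        reasons.append("privileged account signed in without MFA")

    # Source (country, ASN) never seen for this user in the baseline window.
    source = (event["country"], event["asn"])
    if user not in baseline:
        reasons.append("no baseline for user")
    elif source not in baseline[user]:
        reasons.append(f"new source {source[0]}/{source[1]} for user")

    # Source IP inside a known anonymiser exit range.
    ip = ipaddress.ip_address(event["ip"])
    if any(ip in net for net in ANONYMISER_RANGES):
        reasons.append("source IP in known anonymiser range")

    # Country changed faster than a person could plausibly travel.
    prev = last_seen.get(user)
    if prev is not None:
        prev_ts, prev_country = prev
        if prev_country != event["country"] and _parse_ts(event["ts"]) - prev_ts < MAX_TRAVEL:
            reasons.append(f"country changed {prev_country}->{event['country']} within {MAX_TRAVEL}")
    return reasons


def review(events: list[dict], baseline: dict) -> dict[str, list[tuple[str, list[str]]]]:
    """Run the checks over events in time order; return {user: [(ts, reasons), ...]} for flagged events only."""
    flagged: dict[str, list[tuple[str, list[str]]]] = defaultdict(list)
    last_seen: dict[str, tuple[datetime, str]] = {}
    for ev in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        reasons = reasons_for(ev, baseline, last_seen)
        if reasons:
            flagged[ev["user"]].append((ev["ts"], reasons))
        last_seen[ev["user"]] = (_parse_ts(ev["ts"]), ev["country"])
    return dict(flagged)


if __name__ == "__main__":
    for user, hits in review(SIGNINS, BASELINE).items():
        for ts, reasons in hits:
            print(f"{ts} {user}: {'; '.join(reasons)}")
```

On the constructed events this flags alice's second sign-in three times over (new source, anonymiser range and a GB to NL change 22 minutes after the previous sign-in), the privileged account for signing in without MFA, and bob because he has no baseline at all. The last case is deliberate: an account with no history is exactly what a freshly created or dormant account looks like, and it should be reviewed rather than silently accepted into the baseline.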
The recent cyberattacks on UK retailers serve as a stark reminder of the vulnerabilities within the sector. By adopting the NCSC's recommendations, retailers can strengthen their defences, protect customer data, and improve their resilience against future cyber threats.
As of 30 May 2025, Australian businesses are subject to mandatory ransomware and cyber extortion payment reporting obligations under the Cyber Security Act 2024 (the "Act").
These obligations apply to any "reporting business entity", namely:
- a business with an annual turnover of AUD 3 million or more; and
- any responsible entity for a critical infrastructure asset under the Security of Critical Infrastructure Act 2018.
Approximately 6.5% of Australian businesses fall within scope, but they account for close to half of national economic output.
If a reporting business entity makes a payment, or provides any other benefit, in response to a ransomware or cyber extortion demand, it must submit an online report to the Australian Signals Directorate ("ASD") within 72 hours of making the payment or providing the benefit. An entity must also report where it becomes aware that a payment has been made on its behalf.
The Government's Cyber Threat Report shows a 3% increase in ransomware-related attacks in 2023 as compared to 2022. This framework is intended to strengthen national cyber resilience, deter ransom payments, and improve threat intelligence and response coordination.
In addition, the ASD intends to aggregate and anonymise the reports to map attacker tactics, quantify economic impact and tailor defensive advice. A "no-fault" Cyber Incident Review Board will mine the data for lessons learned and share de-identified insights with industry.
The reports submitted must include the:
- contact and business details of the reporting entity;
- amount demanded and paid;
- method of payment demanded and used;
- incident details and timing; and
- communications with the extorting party.
These reports are inadmissible in civil or criminal proceedings, except in specific instances such as providing misleading information.
Businesses should assess their cyber risk exposure, update incident response plans, and ensure staff are trained to meet these new obligations.
Key contacts
Peter Coope
Associate, London
Simge Aslan
Trainee Solicitor, London
Laksh Kawatra
Trainee Solicitor, London
Sydney Crosby
Trainee Solicitor, London
Tom Cadman
Trainee Solicitor, London
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.