On 28 April 2025, the Information Commissioner's Office ("ICO") and the Office of the Privacy Commissioner of Canada ("OPC") published a joint letter to the US-based trustee overseeing the bankruptcy proceedings of 23andMe, advocating for the protection of customer personal data. Following a data breach reported by 23andMe in October 2023, the ICO and OPC launched a joint investigation into the impact of the breach, which affected six million users, and have issued a notice of intention to fine the company £4.59m (see our previous data wrap posts for details on the breach here and here).

In the letter (which can be read in full here), the ICO and OPC stressed the importance of any potential purchaser of 23andMe continuing to comply with both the UK GDPR and PIPEDA (Canada's privacy law). The regulators emphasised the potential for significant harm and distress to individuals in the event of any 'inappropriate use of, or access to, such personal information', noting that the 2023 breach allowed unpermitted access to the 'raw genetic data' of some customers, and that other forms of sensitive personal information were subsequently offered for sale on hidden web platforms.

The regulators welcomed 23andMe's statement that all potential buyers would be required to agree to and comply with 23andMe's privacy policy and applicable law, but expressed concern that the privacy policy allows 23andMe to 'make changes from time to time', thus undermining the value of any commitments given by a purchaser. The ICO and OPC were clear in their expectations of any buyer: strict compliance with privacy laws, and robust security measures to prevent any similar breach from occurring in the future. Going forward, the ICO and OPC will continue to monitor the situation closely, and they commended the trustee for appointing a Consumer Privacy Ombudsman to protect the personal data involved in the bankruptcy proceedings.

On 24 April 2025, the UK Office of Communications ("Ofcom") published the Protection of Children Codes and Guidance (the "PCC Code"), which include more than forty practical measures for technology firms to meet their duties under the Online Safety Act 2023 (the "OSA").

Ofcom undertook extensive consultation with over 27,000 children and 13,000 parents, conducted consultation workshops and interviews with school children, and took feedback from industry stakeholders, civil society, charities and child safety experts. The PCC Code will now be presented to Parliament, with approval expected by 24 July 2025.

Online service providers likely to be accessed by children (including social media, search, and gaming platforms) must now assess and record the risks their services pose to children by 24 July 2025, and implement the safety measures in the PCC Code (or other equally effective measures) to mitigate those risks by 25 July 2025. Ofcom has warned that if technology firms fail to comply with this duty, the regulator not only has the power to issue fines but, in serious cases, can apply for a court order to prevent the non-compliant service from being available in the UK.

The PCC Code demands a 'safety-first' approach in how technology firms design and operate their services in the UK, by introducing the following broad measures:

  • Safer feeds: Any provider that operates a recommender system and poses a medium or high risk of harmful content must configure their algorithms to filter out harmful content from children’s feeds.
  • Effective age checks: High-risk services must use strong age verification to protect children while ensuring adults retain access to legal content.
  • Fast action: Sites and apps must have processes to review, assess, and swiftly remove harmful content when detected.
  • More choice and support for children: Children must be able to control their online experience and services must provide supportive information for children who encounter or search for harmful content.
  • Easier reporting and complaints: Platforms must make it easy for children to report harmful content or file complaints.
  • Strong governance: All services must have a named person accountable for children’s safety.

Ofcom's introduction of the PCC Code forms part of a broader regulatory push for the online protection of children.

On 14 April 2025, the Information Commissioner's Office (the "ICO") issued a fine of £60,000 against DPP Law Solicitors LLP ("DPP"), a law firm headquartered in Bootle, north-west England, for breach of the UK General Data Protection Regulation (the "GDPR") following a cyber-attack on DPP in June 2022.

In June 2022, cyber-attackers used brute force to gain access to a DPP administrator account that lacked multi-factor authentication ("MFA"), resulting in the theft of over 32 gigabytes of highly confidential data from across DPP's network. The data, including court bundles, PDFs, Word documents, photos and videos relating to clients, and expert evidence from legal proceedings, was then posted on the dark web, affecting 791 individuals.

DPP became aware of the cyber-theft only when the National Crime Agency contacted the firm to advise that information relating to its clients had been posted on the dark web. Prior to this, DPP did not consider that the loss of access to personal information constituted a personal data breach, and as a result it did not report the incident to the ICO until 43 days after becoming aware of it.

In its penalty notice, the ICO noted that DPP's inadequate account management and delayed notification constituted violations of Articles 5(1)(f), 32(1), 32(2), and 33(1) of the GDPR.

The ICO focused on three key points:

  • The ICO emphasised the importance of MFA as a necessary technical and organisational measure to secure data.
  • The ICO highlighted DPP's failure to assess the risks of an infrequently used, service-based administrator account with excessive privileges.
  • For the first time, the ICO commented on the delay in notifying a personal data breach under Article 33 of the GDPR. The ICO stated that DPP's missing the 72-hour deadline under the GDPR was an aggravating factor that led to an increased fine.

DPP has confirmed that it will appeal against the fine.

On 11 April 2025, the European Commission launched a public consultation on potential revisions to Regulation (EU) 2019/881 (the "Cybersecurity Act"). The review forms part of the EU's broader push to modernise its cybersecurity framework in response to the increasing scale and complexity of cyber threats and the rapid evolution of digital technologies.

The Cybersecurity Act, adopted in 2019, established a permanent mandate for the European Union Agency for Cybersecurity ("ENISA") and created the European Cybersecurity Certification Framework ("ECCF"), under which scheme-specific certification schemes are implemented. Since then, the regulatory landscape has shifted significantly, with the introduction of new instruments such as the NIS2 Directive, the Cyber Resilience Act ("CRA") and the Digital Operational Resilience Act ("DORA").

Against this backdrop, the Commission is seeking to revise the Cybersecurity Act, and the consultation considers whether ENISA's role should be expanded to reflect its growing importance within the EU's cybersecurity architecture. Options include a greater coordinating role in incident response, enhanced technical assistance to Member States, and increased capacity to advise on emerging trends.

The review will also assess the performance of the ECCF. While certification remains voluntary under the current regime, the Commission is exploring whether specific schemes should be made mandatory for high-risk products and services. This could signal a move towards certification as a baseline requirement in certain sectors and their associated ICT supply chains, particularly where resilience is critical.

The consultation also considers whether certification could serve as a tool to demonstrate compliance under other EU frameworks (e.g. NIS2, the CRA and DORA), with the aim of reducing fragmentation and streamlining requirements.

The Commission has indicated that, at this stage, it is open to a wide range of policy options, ranging from maintaining the status quo to a complete legislative overhaul. The consultation is open for submissions until 20 June 2025, with legislative proposals expected by the end of the year.

In recent years, the 'pay or ok' model used by many online platforms has come under scrutiny, particularly in the context of EU data protection law. The binary nature of the 'pay or ok' model has been criticised by some for creating a system that benefits those with the financial means to protect their data while imposing financial barriers on others, thereby undermining individuals' right to give free and informed consent, as required by the GDPR.

In 2024, the European Data Protection Board (the "EDPB") issued an opinion on the 'pay or ok' model, stating that online platforms should provide users with a genuine choice and that offering only a paid alternative should not be the default approach for data controllers. For further information, see our previous blog post here.

Following the EDPB's opinion, on 5 May 2025 the Italian data protection authority (the "Garante") announced a consultation on the lawfulness of the 'pay or ok' model. The consultation focuses on three key questions:

  1. whether the 'pay or ok' model aligns with the principle that consent must be freely given and informed;
  2. whether there are alternatives to the current binary nature of the 'pay or ok' model and, if so, what their impact would be on the right to the privacy of data subjects; and
  3. how online platforms can ensure that data subjects are fully aware of and understand the implications of consenting to the use and processing of their data.

The consultation is open to responses from all stakeholders within 60 days of the publication of the consultation notice in the Official Gazette (published on 12 May 2025).

On 1 April 2025, the ICO released its findings on the use of children's data in the financial services sector (the "Report"). The Report highlights key compliance challenges and offers guidance on protecting this vulnerable group when supplying current accounts, savings accounts, trust accounts, ISAs and prepaid cards to children, or otherwise using children's data in the administration of those products.

The Report notes that, while most participants had policies in place for processing children's data, only 45% actively monitored compliance, and few provided their staff with training on children-specific data issues. Transparency is a key concern, with fewer than half of organisations providing age-appropriate privacy notices. Many organisations relied on parental acknowledgement, potentially leaving children uninformed about how their data is used. The ICO recommends that organisations prepare accessible, tailored notices that evolve as children age.

In addition, the ICO reported that parental consent is rarely refreshed as children mature, which risks non-compliance. The ICO advises organisations to ensure ongoing, separate consent mechanisms, and to assess on a case-by-case basis whether a child is competent to give consent or exercise their rights.

Most organisations reviewed conducted robust age verification using official documents. However, some marketing practices, including profiling based on children's transactional data, lacked sufficient safeguards. The Report stresses the importance of conducting Data Protection Impact Assessments and complying with the Privacy and Electronic Communications Regulations when marketing to children.

More generally, the Report encourages organisations to incorporate the "best interests of the child" principle into their policies, to ensure that decisions are both ethical and compliant with data protection law.

Key contacts

Miriam Everett, Alice Bourne, Georgie Green