Key trends
- EU launches Digital Omnibus consultation: includes AI Act measures, cookie rules, and proposed GDPR simplifications
- Belgian DPA dismisses NOYB complaints over abuse of rights
- UK's ICO issues guidance on data protection in distributed ledger technologies (DLT)
- UAE's DIFC enhances data subject rights and introduces new fines, while ADGM clarifies rules for processing sensitive data in the public interest
- China introduces new cybersecurity incident reporting measures
Must reads
- Information requests under GDPR as means of exerting pressure, by Eva Heinrichs, Supervising Associate
- No Enforceable Co-Determination Right in Data Protection Law, by Thomas Buschmann, Associate
Regional updates
UK
ICO proposes changes to how it handles complaints
The ICO has proposed a new framework to prioritise complaints about organisations’ data protection practices which carry higher risk or where the ICO can have a bigger impact. The new framework aims to improve the process of spotting systemic issues and to reduce the referral of complaints back to organisations.
The framework sets out the criteria for deciding when to conduct a further investigation into a complaint, and the scope of that investigation. The criteria focus on the level of harm caused, the impact on (vulnerable) people, whether an investigation could lead to meaningful change within an organisation or support the ICO’s strategic priorities, and what action the organisation is already taking in response to the complaint.
If an organisation is the subject of a consistently high number of complaints or sees a significant increase in complaints over a defined threshold, “a deeper review of that organisation’s practices” may be triggered. There will continue to be a right for complainants to seek a case review if they are not satisfied with the outcome.
The ICO’s proposal has emerged in parallel with provisions in the Data (Use and Access) Act 2025, requiring organisations to set up their own data protection complaint channels.
For more information, see the ICO’s consultation on the new framework here.
ICO issues guidance on data protection in distributed ledger technologies (DLT)
The ICO has issued its guidance on data protection considerations in relation to DLT. DLTs are digital systems that allow simultaneous access, validation and record-keeping across a distributed database maintained by multiple users. Notably, records are immutable: once written, they cannot be amended or deleted. Perhaps the most well-known example of DLT is blockchain technology, so called because it records transactions in “blocks” that are linked by cryptographic references. Records relate to transactions, smart contracts and metadata and may include personal data.
It is important for participants in a blockchain to assess which data protection laws apply to their processing of personal data on the blockchain, based on their territorial scope. The ICO states that organisations building, participating in or providing infrastructure (including blockchain-as-a-service) could be subject to UK data protection law. While the ICO does not provide prescriptive guidance, it states that blockchain participants creating transactions and sending them for validation are likely to be controllers, whereas participants who operate validator nodes will likely be processors. The ICO notes in particular that personal data captured on a blockchain may include online identifiers such as unique transaction identifiers, wallet addresses and smart contract addresses. When considering whether “on-chain” data is personal data, it is necessary to consider whether that data could be combined with “off-chain” data (such as Know-Your-Customer information) to identify the relevant data subject.
If UK data protection laws apply, the following aspects of compliance are likely to present particular challenges: international transfers, data minimisation and storage limitation. The ICO emphasises the importance of data protection by design in addressing these challenges.
For more information, see the guidance here.
EU
EU launches Digital Omnibus consultation: includes AI Act measures, cookie rules, and proposed GDPR simplifications
On 16 September 2025, the European Commission opened a call for evidence to inform its upcoming Digital Omnibus package expected at the end of this year. The consultation covers the EU’s data acquis and ePrivacy Directive as well as measures to ensure “the smooth application of the AI Act rules”. On 15 September 2025, just before the launch of the consultation, the Commission presented its ideas on cookie rules and online advertising consent to a number of online advertising companies, publishers and tech firms. The consultation is open for feedback until 14 October 2025.
Although the full scope of the simplification package will only be revealed later this year, some proposals have already been formalised. On 24 September 2025, the Council agreed on a position for several proposals which form part of the package. While the European Commission initially proposed extending the exception to GDPR record-keeping obligations from companies with 250 employees to those with 500 employees, this threshold was later raised to 750 employees (and either up to €150 million in turnover or up to €129 million in annual balance sheet total) in the official proposal. The Council now wishes to further increase this threshold to companies with up to 1,000 employees (and either an annual turnover of up to €200 million or up to €172 million in annual balance sheet total).
For more information, see the consultation here and the Council position here.
EU expands data flow partnerships: reciprocal agreement with South Korea and draft adequacy decision for Brazil
On 16 September 2025, Commissioner McGrath and the Chairperson of the South Korean Personal Information Protection Commission (PIPC) issued a joint statement celebrating the entry into force of the PIPC’s decision to recognise the EU’s personal data protection framework as equivalent. This decision, following the European Commission’s 2021 adequacy decision on South Korea, establishes a comprehensive area of reciprocal free personal data flows between the EU and South Korea.
Meanwhile, on 5 September 2025, the European Commission published its draft adequacy decision for Brazil, concluding that Brazil ensures a level of personal data protection essentially equivalent to that of the EU. The draft decision has now been submitted to the European Data Protection Board (EDPB), Member States and the European Parliament for review. Once adopted, it will enable unrestricted data flows between the EU and Brazil, further expanding the EU’s network of adequacy partnerships.
For more information, see the EU-Korea press statement here and the Brazil adequacy decision here.
BELGIUM
Belgian DPA dismisses NOYB complaints over abuse of rights
On 26 June 2025, Belgium's Data Protection Authority dismissed 16 complaints filed by the privacy litigation organisation NOYB, ruling that interest groups like NOYB can only lodge complaints if they act on behalf of individual citizens, rather than on their own behalf. The DPA deemed the complaints an abuse of rights, citing NOYB’s use of automated tools and the artificial generation of complaints within the organisation. In its decision, the DPA emphasised the importance of ensuring that complaints are grounded in genuine individual grievances. NOYB announced it would appeal.
These rulings follow a decision from the Brussels Market Court from March 2025, which overturned a prior decision by the Data Protection Authority against NOYB. The Court found that NOYB had violated the national prohibition of abuse of rights by approaching one of its interns to act as the data subject in order to bring the complaint. It seems that the Court’s decision inspired the Data Protection Authority.
For more information, see the relevant decisions (in French) here.
MIDDLE EAST
DIFC strengthens data protection law with extraterritorial scope, private right of action and increased fines
On 15 July 2025, the amendments to the DIFC Data Protection Law, introduced through Amendment Law No. 1 of 2025, came into effect. These amendments enhance protections for data subjects in the DIFC and introduce significant new rights and obligations, including the following:
- Extraterritorial scope: Article 6 of the Data Protection Law has been revised to broaden its application. The Data Protection Law now applies to all data processing activities conducted within the DIFC, irrespective of whether the controllers, processors, or sub-processors involved are incorporated in the jurisdiction or whether such entities process personal data outside the DIFC.
- Private right of action: a new Article 64A has been introduced, granting data subjects the right to bring claims for data protection breaches directly before the DIFC Courts. This provides an alternative to filing a complaint with the DIFC Commissioner, which remains an available option.
- New and increased fines: the amendments introduce a new maximum financial penalty of USD 25,000 for failing to complete an annual assessment, in addition to increasing existing fines for other breaches of the Data Protection Law.
For more information, see the Amendment Law here.
ADGM clarifies rules for processing sensitive data in public interest
On 9 September 2025, the ADGM issued the Data Protection Regulations (Substantial Public Interest Conditions) Rules 2025, which introduced amendments to provide greater clarity on the processing of special categories of personal data under specific public interest grounds. These updates directly impact the insurance sector and organisations which process the data of children or individuals at risk.
Key features include:
- Establishing conditions under which insurance companies may process special categories of personal data for insurance purposes, provided such processing supports a substantial public interest.
- Defining “insurance contract” and “insurance purpose” with greater clarity to promote uniformity across the sector.
- Establishing safeguards to permit the processing of special categories of personal data without consent when required to safeguard children or individuals vulnerable to emotional or physical harm.
- Specifying the criteria for assessing when individuals aged 18 or older may be deemed “at risk” and eligible for protection under the Substantial Public Interest Rules.
For more information, see the Substantial Public Interest Rules here.
Qatar introduces stricter penalties under updated Cybercrime Law
On 4 August 2025, Qatar published Law No. 11 of 2025 to specifically combat the unauthorised publication or distribution of images and videos of individuals on the internet without their consent, knowledge or in contexts deemed unlawful, even if such material was captured in public spaces.
The Amendment Law adds a new provision, Article 8, to Cybercrime Law No. 14 of 2014. Under this article, individuals found guilty of privacy violations may face the following penalties: (i) imprisonment for up to one year; and / or (ii) a fine not exceeding 100,000 Qatari Riyals. The new amendment will require companies and individuals to reassess and, if necessary, update their internal procedures regarding the capturing and distribution of images and videos of individuals to ensure compliance and avoid any penalties.
For more information, see the Amendment Law here (Arabic only).
CHINA
Draft amendment to Cybersecurity Law released for public comment
On 12 September 2025, the draft amendment to China’s Cybersecurity Law was published for a one-month public consultation, following the review by the Standing Committee of the National People’s Congress on 8 September 2025.
The existing Cybersecurity Law was enacted in June 2017 and imposes extensive security obligations in relation to network operation, network information, risk monitoring and emergency response. Fines under the Cybersecurity Law can currently be up to CNY 1 million (approx. GBP 103,800).
The changes proposed by the draft amendment are primarily about penalties, including increasing the fine limit to CNY 10 million (approx. GBP 1.04 million), clarifying the penalties for specific violations and providing for the conditions where penalties may be mitigated, reduced or waived.
Data regulator issues rules on cybersecurity incident reporting
On 11 September 2025, the Cyberspace Administration of China (CAC) issued the National Administrative Measures on Cybersecurity Incident Reporting, which shall take effect on 1 November 2025.
China’s existing Cybersecurity Law, Data Security Law and Personal Information Protection Law provide that cyber/data incidents must be reported to the competent regulators but do not specify detailed requirements on reporting threshold, timeline, channel, format, etc.
The administrative measures categorise cybersecurity incidents into four levels: catastrophic, severe, considerable and normal. Incidents at or above the “considerable” level (e.g. a personal information breach involving 1 million individuals, or a security incident causing direct economic loss of over CNY 5 million (approx. GBP 519,000)) must be reported within four hours of the network operator becoming aware of the incident, and stricter timelines may apply to specific entities such as critical information infrastructure operators. No reporting timeline is specified for “normal” incidents.
The measures also provide for the matters to be included in cybersecurity incident reports, the reporting channel and the criteria for incident categorisation.
For more information, see the measures here (in Chinese only).
SINGAPORE
Singapore High Court clarifies limits of deemed consent under the Personal Data Protection Act (PDPA)
On 29 August 2025, the Singapore High Court delivered a decision which clarifies the scope of deemed consent under the PDPA and the standard of reasonableness that organisations must meet when handling personal data.
The case arose after the Singapore Kindness Movement (SKM) disclosed a complainant’s personal data (name and email address) to the subject of his complaint during an investigation. The court found that while the complainant was deemed to have consented to the collection and use of his data for the purpose of investigating his complaint, SKM’s disclosure of the data to the subject exceeded the scope of his deemed consent and was not considered by the court to be objectively reasonable.
This decision underscores the importance of adhering to the principle under the PDPA that organisations must only collect, use or disclose personal data for purposes that a reasonable person would consider appropriate under the given circumstances and for which the individual has given consent. While the court did not conclusively address the protection of whistleblower personal data, it reaffirms the need for organisations to exercise caution in sensitive contexts, such as complaints or investigations.
For more information, see the full grounds of decision here.
HONG KONG
Protection of Critical Infrastructures (Computer Systems) Ordinance to come into effect on 1 January 2026
The Government announced on 27 June 2025 that the Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) will come into operation on 1 January 2026. The Ordinance imposes statutory obligations on designated operators of Critical Infrastructures (CI Operators) to ensure adequate protection of their computer systems and to minimise the risk of cyberattacks. The key obligations of CI Operators include submitting and implementing a computer-system security management plan and an emergency response plan, conducting risk assessments, arranging security audits and notifying computer-system security incidents.
For more information, see the Press Release and Ordinance.
Office of the Privacy Commissioner for Personal Data released the “Guide to Getting Started with Anonymisation”
In July 2025, the Office of the Privacy Commissioner for Personal Data (PCPD) released the “Guide to Getting Started with Anonymisation” jointly with privacy protection authorities in other jurisdictions. The guide introduces basic anonymisation concepts and outlines the recommended steps for organisations to follow when anonymising data. It sets out a five-step anonymisation process:
1. identifying the nature of the data (distinguishing between direct and indirect identifiers)
2. removing direct identifiers
3. applying anonymisation techniques to indirect identifiers
4. assessing re-identification risks
5. managing residual risks through mitigation measures such as restricting data use and access.
For more information, see the Press Release and the Guide.
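To make the five steps concrete, the following is an added example (not code from the PCPD guide or from any of the authorities that issued it). It walks a constructed, fictional set of records through the process: classifying fields as direct or indirect identifiers, stripping the direct ones, generalising the indirect ones in successively coarser levels, measuring re-identification risk, and flagging residual risk when the target cannot be met. The choice of k-anonymity as the risk measure, the field lists, the generalisation ladder and the target value of k are all assumptions made for the example; the guide itself does not prescribe them.

```python
"""Toy anonymisation pipeline following the five-step outline (added example).

Records, identifier lists, generalisation levels and the k-anonymity target are
constructed for this example and are not taken from the PCPD guide.
"""
from collections import Counter

# Step 1: classify fields. Direct identifiers point at one person on their own;
# indirect (quasi-) identifiers only identify someone in combination with others.
DIRECT_IDENTIFIERS = {"name", "email"}
QUASI_IDENTIFIERS = ("postcode", "age")

# Constructed sample data set (fictional people, fictional addresses).
RECORDS = [
    {"name": "Alice Chan", "email": "alice@example.com", "postcode": "SW1A 1AA", "age": 34, "diagnosis": "asthma"},
    {"name": "Ben Lee", "email": "ben@example.com", "postcode": "SW1A 2BB", "age": 37, "diagnosis": "diabetes"},
    {"name": "Chloe Wong", "email": "chloe@example.com", "postcode": "SW1P 3CC", "age": 41, "diagnosis": "asthma"},
    {"name": "Dev Patel", "email": "dev@example.com", "postcode": "SW1P 4DD", "age": 29, "diagnosis": "migraine"},
    {"name": "Eve Ng", "email": "eve@example.com", "postcode": "SW1V 5EE", "age": 52, "diagnosis": "diabetes"},
    {"name": "Finn Ho", "email": "finn@example.com", "postcode": "SW1V 6FF", "age": 58, "diagnosis": "asthma"},
]

# Step 3 knobs: each level is coarser than the previous one
# (age band width in years, number of leading postcode characters kept).
GENERALISATION_LEVELS = [(10, 4), (10, 3), (20, 3), (20, 2)]


def remove_direct_identifiers(record):
    """Step 2: drop fields that identify a person outright."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def generalise(record, age_band, postcode_chars):
    """Step 3: replace exact quasi-identifier values with coarser ones."""
    out = dict(record)
    low = (record["age"] // age_band) * age_band
    out["age"] = f"{low}-{low + age_band - 1}"
    out["postcode"] = record["postcode"].replace(" ", "")[:postcode_chars]
    return out


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Step 4: size of the smallest group of records sharing the same
    quasi-identifier values. k == 1 means at least one record is unique on
    those fields and can be singled out by anyone holding matching side data."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


def anonymise(records, k_target=3):
    """Run the pipeline, coarsening the quasi-identifiers until k_target is met.

    Returns (anonymised records, achieved k, generalisation level used,
    residual_risk) where residual_risk is True if no level met the target.
    """
    stripped = [remove_direct_identifiers(r) for r in records]
    candidate, k = stripped, k_anonymity(stripped)
    for level, (age_band, postcode_chars) in enumerate(GENERALISATION_LEVELS):
        candidate = [generalise(r, age_band, postcode_chars) for r in stripped]
        k = k_anonymity(candidate)
        if k >= k_target:
            return candidate, k, level, False
    # Step 5: even the coarsest level did not reach the target. The data set
    # should not be released as "anonymised"; remaining risk has to be handled
    # by other controls (restricted access, contractual limits) or by withholding it.
    return candidate, k, len(GENERALISATION_LEVELS) - 1, True


if __name__ == "__main__":
    out, k, level, residual = anonymise(RECORDS, k_target=3)
    print(f"achieved k={k} at level {GENERALISATION_LEVELS[level]}, residual risk: {residual}")
    for row in out:
        print(row)
```

The point the pipeline makes that the step list alone does not: removing names and e-mail addresses (step 2) leaves every record unique on postcode and exact age, so re-identification risk is unchanged until step 3 is applied, and step 4 has to be re-run after each generalisation rather than once. When the ladder is exhausted without reaching the target, the function returns a residual-risk flag instead of silently releasing the coarsest version, which is the decision point step 5 describes.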