Data Dispatch - June 2025

Published on 27 June 2025

Welcome to the latest edition of Data Dispatch from the Data Advisory team at RPC. Our aim is to provide you on a regular basis with an easy-to-digest summary of key developments in data protection law.

Please do feel free to forward on the publication to your colleagues or, better still, recommend that they subscribe to receive the publication directly.

If there are any issues on which you'd like more information (or if you have any questions or feedback), please do let us know or get in touch with your usual contact at RPC.

Key developments

ICO's new AI and biometrics strategy

On 5 June 2025, the UK Information Commissioner’s Office (ICO) published its updated AI and Biometrics Strategy, including its regulatory priorities for 2025–26. Entitled “Preventing harm, promoting trust”, the strategy aims to foster responsible innovation by clarifying how AI and biometric technologies—including automated decision-making (ADM) systems, facial recognition, and AI foundation models—can be deployed lawfully and transparently, while addressing public concerns around fairness and accountability.

In the strategy, the ICO identifies three cross-cutting areas of regulatory concern:

  • Transparency and explainability: Individuals must be informed when AI is used and how it affects them. However, across ADM, facial recognition, and generative AI, research shows that opacity remains a significant issue, undermining public trust.
  • Bias and discrimination: The ICO is particularly concerned about the risk of structural bias being replicated or amplified through unrepresentative training data. This risk is especially acute in unproven AI systems such as emotion recognition tools used in recruitment.
  • Rights and redress: Individuals must have accessible mechanisms to challenge and rectify decisions made by AI systems, particularly where such decisions result in significant harm. Accuracy, appropriate safeguards, and effective redress mechanisms are essential to maintaining public confidence.

The ICO’s plan of action for 2025–26 reflects this ambition. It will update its existing guidance on ADM and profiling, and commence the development of a statutory Code of Practice on AI and ADM to support compliance with data protection principles. This guidance will also need to take into account recent changes introduced by the new Data (Use and Access) Act that allow for ADM in a wider range of situations if appropriate safeguards are in place. The ICO also intends to enhance oversight in high-risk sectors, including the use of ADM in recruitment processes. It will examine how developers of AI foundation models address privacy and safety concerns during training. Looking ahead, the ICO will take a proactive approach to emerging AI risks, including assessing the data protection implications of agentic AI and setting a high threshold for the lawful use of AI systems that infer subjective traits, intentions, or emotions.

(ICO AI and Biometrics Strategy)

Enforcement Actions

German privacy regulator imposes major fines (EUR 45 million) on Vodafone

In June 2025, Vodafone’s German subsidiary, Vodafone GmbH, was fined a total of EUR 45 million by the German Federal Privacy Regulator for infringements of privacy law (GDPR). Some headlines even referred to it as the “highest fine ever imposed in Germany”, which is not fully accurate: the total comprises two independent actions of EUR 15 million and EUR 30 million respectively, each of which still falls short of the EUR 35 million fine imposed on Swedish retailer H&M in 2020. Nevertheless, it shows again that even large organisations with a major budget for privacy compliance and long-established processes need to continuously review and evaluate their compliance efforts, in particular with regard to supply chain management and technical interfaces.

The Ruling and Imposed Fines

The actions against Vodafone arise from incidents involving fraudulent activities by employees in independent partner agencies. These employees brokered contracts with customers on behalf of Vodafone, leading to fictitious contracts or unauthorised contract changes, causing financial harm to customers. Additionally, Vodafone exhibited security deficiencies in the authentication process for its online portal 'MeinVodafone' and the Vodafone Hotline, which exposed eSIM profiles to unauthorised third parties.

The German Federal Commissioner for Data Protection and Freedom of Information (BfDI), Prof. Dr. Louisa Specht-Riemenschneider, imposed two fines totalling EUR 45 million on Vodafone GmbH:

  • EUR 15 million: For failing to adequately review and monitor partner agencies, violating Article 28(1) sentence 1 of the GDPR.
  • EUR 30 million: For security deficiencies in the authentication process, violating Article 32(1) of the GDPR.

Additionally, the BfDI issued a warning to Vodafone regarding vulnerabilities in certain distribution systems.

What are the reasons for the BfDI's Decisions?

The BfDI's decisions were driven by serious concerns about data protection and security lapses within Vodafone. The regulator identified that Vodafone did not sufficiently oversee its supply chain, namely the independent partner agencies, leading to fraudulent activities. Moreover, the shortcomings in the authentication processes posed significant risks, allowing unauthorised access to sensitive eSIM profiles.

Vodafone's Reaction to the Decisions

Vodafone has responded proactively to the BfDI's decisions by improving and, in some cases, completely replacing its processes and systems to eliminate future risks. The company has revised its procedures for selecting and auditing partner agencies and terminated relationships with fraudulent partners. Additionally, Vodafone has donated several million euros to organisations promoting data protection, media competence, digital literacy, and combating cyberbullying.

The BfDI in its press release explicitly acknowledged Vodafone’s efforts to cooperate with the regulator and to mitigate the risks it created for the customers. The regulator made it quite clear that the fines could have been substantially higher if Vodafone had been less cooperative.

What others can learn from the Vodafone decisions

While Vodafone accepted the fines, other companies should learn from the decisions in order to avoid similar financial and reputational damage:

  • Companies should prioritise investments in modernising and consolidating IT systems to avoid security incidents and potential sanctions. The risk that an issue can create for the rights of the data subject determines the required level of protective measures and not the cost of the measures.
  • Adequate oversight of the supply chain / data processors is crucial for actual compliance. Regulators as well as courts expect not only formal paper-trail audits but documentation of actual checks and active oversight down to the weakest link in the chain of data processors.
  • Proactive cooperation and transparency towards regulatory bodies can mitigate penalties.

Contributed by Matthias Orthwein, SKW Schwarz Rechtsanwaelte, Munich (Germany)

23andMe fined £2.31 million for failing to protect users' genetic data

On 17 June 2025, the Information Commissioner's Office (ICO) announced a £2.31 million fine against genetic testing company 23andMe for failing to implement adequate security measures to protect the personal data of over 155,000 UK users following a major cyber attack in 2023. The ICO carried out its investigation alongside the Canadian data protection regulator.

The 2023 attack, which exploited users' login credentials, resulted in hackers accessing UK users' personal data, including names, addresses, family histories and other healthcare information. The ICO investigation found 23andMe to be in breach of UK data protection laws, having failed to take the necessary basic steps to protect user data. The company had not implemented any multi-factor authentication or password protocols, its security systems were weak and unable to detect or manage cyber threats, and it had not proactively responded to obvious warning signs.

The ICO also found 23andMe's response to the breach to be inadequate. The cyber attack began in April 2023 but the company had failed to detect the breach and had then dismissed a report of data theft as a hoax. 23andMe had only launched a substantive investigation in October 2023.

The ICO received 12 consumer complaints expressing concerns over personal data being exploited by malicious actors. In its report, the ICO recommends steps businesses should take to protect themselves against cyber attacks, in particular multi-factor authentication, vulnerability scanning, and security patching.

(ICO News)

Need to know

The EU proposes simplifying GDPR for smaller companies

On 21 May 2025, the European Commission published a proposal to extend certain GDPR exemptions previously available only to small and medium-sized enterprises (SMEs) to small mid-cap (SMC) enterprises.

The proposal seeks to amend Article 30(5) of the GDPR by extending the exemption from the obligation to maintain Records of Processing Activities (ROPA) to SMCs. SMCs are defined as organisations with fewer than 750 employees, an annual turnover not exceeding €150 million, and a balance sheet total not exceeding €129 million.

This change is intended to support enterprises that have grown beyond SME status, by allowing them to adopt a more simplified compliance approach. The Commission previously acknowledged that the existing ROPA obligations could be overly burdensome for such organisations.

The proposal also includes other changes to take into account the specific needs of SMCs in developing codes of conduct and certification mechanisms.

The proposal will now move through the EU’s legislative process, during which it may be further amended by the European Parliament or the Council.

(EU Commission proposal)

CBPR certification: A New Option for Cross-Border Data Governance

On 2 June 2025, the Global Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) certification systems officially launched, marking a significant development in international data protection. Evolving from the APEC CBPR framework—originally established to facilitate responsible data transfers among Asia-Pacific economies—the Global CBPR framework aims to provide a scalable and interoperable mechanism for enabling secure data flows across jurisdictions. While CBPR certification does not in itself guarantee compliance with the data protection laws of participating jurisdictions, it is recognised in some jurisdictions—such as Singapore and Japan—as a valid mechanism for facilitating lawful international data transfers under local law.

Unlike its predecessor, which was limited to APEC members, the Global CBPR system is open to any jurisdiction. As of June 2025, nine countries have joined as founding members: Australia, Canada, Japan, Mexico, the Philippines, South Korea, Singapore, Chinese Taipei, and the United States. Its core objective is to establish a common baseline for privacy protections, enabling businesses to transfer data across borders while demonstrating compliance with internationally recognised principles. Certification is voluntary and based on an independent assessment by an approved Accountability Agent.

The United Kingdom became the first Associate member of the Global CBPR Forum in 2023. Although Associate members do not yet issue certifications domestically, the UK's early engagement reflects strong support for global cooperation on trusted data flows.

The Global CBPR framework is not currently recognised as equivalent to the EU or UK GDPR. However, the Forum is considering material updates to the assessment criteria pursuant to which an organisation is to be certified—many of which reflect principles already embedded in the GDPR, such as breach notification, sensitive data handling, consent withdrawal, and records of processing. This suggests a growing alignment with high-standard privacy regimes and may support greater interoperability over time.

In the near term, UK businesses cannot yet obtain Global CBPR certification through a UK-based process, as full participation awaits further developments in the UK’s membership status. However, the Global CBPR framework may already serve as a practical reference point when assessing the adequacy of safeguards for international data transfers. Furthermore, as more jurisdictions adopt or align with the framework, it may become a credible and practical mechanism for ensuring robust data protection and demonstrating compliance with legal requirements across multiple jurisdictions.

(Global CBPR)

(UK government’s announcement in 2023)

Other important developments

Data (Use and Access) Bill Update

On 19 June 2025 the Data (Use and Access) Bill received Royal Assent. The new law introduces targeted business-friendly changes to the UK GDPR. The ICO has also published guidance to explain the impact of the new law on organisations.
