Data & Privacy Matters: Legal Updates – March 2025

We kick off with quick updates on European legislation, including the GDPR, the Digital Fairness Act, and the European Health Data Space Regulation. Next, we discuss the European Data Protection Board's announcement on its coordinated enforcement action on the right to erasure.

We then explore EU data transfers, with updates on the EU adequacy decisions for the UK and Brazil, and the White House's firing of two Democratic FTC Commissioners, examining its impact on the EU-US data privacy framework. The team also delves into the European Commission's guidance on minors' online safety.

Turning to the UK, we dive into the ICO's new guidance on anonymisation and pseudonymisation, which contains tips for anonymising data. We also highlight the ICO's announcement on its regulatory approach and support for economic growth.

The episode then examines the recently settled Meta lawsuit involving a UK consumer opting out of user-profiling. We also look at the legal action faced by Reform UK for failing to comply with voters' data requests.

For our AI Update, we review the European Commission's third draft of its Code of Practice for general-purpose AI models and consider responses from NGOs and the creative sector.

Focus then shifts to the Court of Justice of the European Union, examining the Attorney General's statement on the case related to the DPC's decision to fine WhatsApp €225 million. We also consider the recent judgment on gender rectification.

We conclude with enforcement actions, discussing the fine against Advanced Computer Software Group for security failings related to a 2022 ransomware attack, and how they mitigated the fine from £6.09 million to £3.07 million. The ICO's statement on its joint investigation into 23andMe with its Canadian counterpart also features.

Resources

Europe

GDPR to undergo simplification process, Commissioner McGrath says | MLex (Paywall)

Online companies to see EU Digital Fairness Act’s consultations in late spring | MLex (Paywall)

European Health Data Space Regulation (EHDS) | European Commission

The new EU Heath Data Space Regulation: a turning point for EU health data access? | Fieldfisher

CEF 2025: Launch of coordinated enforcement on the right to erasure | European Data Protection Board

EDPB adopts statement on the implementation of the PNR directive | European Data Protection Board

EU Data Transfers

Removal of FTC commissioners fuels uncertainty | IAPP

Schrems: EU-US Data Privacy Framework at risk - Lexology Pro

European Commission proposes UK adequacy deadline extension | IAPP

Brazil, EU near agreement on mutual-adequacy deal, EU Commission official says | MLex (Paywall)

Online safety

MLex | Platforms to get recommendations for minors' safety under EU Digital Services Act (Paywall)

UK

Anonymisation | ICO

Package of measures unveiled to drive economic growth | ICO

Data brokers and national security - GOV.UK

Meta settles UK lawsuit over use of personal data for advertising | MLex (Paywall)

AI Update

Third Draft of the General-Purpose AI Code of Practice published, written by independent experts | European Commission

Data (Use and Access) Bill [ Lords ] (Fourth sitting) | Hansard | UK Parliament

Joint-Letter-CSO-CoP.pdf

Joint statement by a coalition of authors, performers and other rightsholders active across the EU’s cultural and creative sectors regarding the third draft of the EU AI Act’s GPAI Code of Practice | CISAC

Court of Justice of the European Union

EU court adviser backs WhatsApp in fight against EU privacy watchdog | Reuters

GDPR and transgender identity: the rectification of data relating to gender identity cannot be made conditional upon proof of surgery  | CJEU

Enforcement

Software provider fined £3m following 2022 ransomware attack | ICO

Statement on 23andMe investigation | ICO