dpas bulletin - april 2026
Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news and developments from around the world.
What’s the ICO been up to? Will we finally know what to do with cookies? What’s UK health data doing for sale on Alibaba? Can I go a month without finding reports of big tech doing duplicitous things? How old is the GDPR?
Read about all this and more in our latest DPAS Data Protection Bulletin.
Information Commissioner temporarily steps back
Many of us follow Information Commissioner John Edwards on LinkedIn for varying reasons. We all would have been surprised to see a post from the Commissioner stating that he had stepped back from his duties for the last few weeks while an investigation was underway.
A spokesperson for the ICO has clarified that a few weeks actually extends back to late February. An independent investigation that ‘relates’ to the Commissioner is expected to produce a report with recommendations to the Department for Science, Innovation and Technology. Chief Executive Paul Arnold has been leading alongside the board in the Commissioner’s absence.
Read more about this here.
ICO publishes new cookie guidance
The ICO has recently published their finalised guidance on cookies and other tracking technology, in line with their promise following the implementation of the Data Use and Access Act. Cookies, tracking pixels, device fingerprinting and similar technologies are all addressed in the update, though online advertising under Regulation 6 of PECR remains in the works.
With this guidance, the ICO also states that they are “taking direct action to drive compliance” to develop a “fairer, more transparent online tracking ecosystem”. Clarity on this front will be welcomed by many, with the changes implemented by the DUAA having caused some uncertainty without the regulator’s stance being known.
Read more about this here.
Biobank says bye bye to data published on Alibaba
The UK Biobank project, a voluntary database used to drive medical research, has faced another breach. The Guardian previously reported on several breaches, but the latest has been by far the worst. All 500,000 records had been found in a dataset published on the Chinese-owned website Alibaba. The records have since been removed after the UK government politely asked the Chinese government to intervene.
UK Biobank has since reported themselves to the ICO for the data breach, though the data purported to be stolen has been listed as de-identified. Alarmingly, UK Biobank chose to rely on telling researchers not to download entire datasets rather than implementing appropriate technical measures.
Read more about this here.
Big tech to stop scanning platforms for messages related to child sexual abuse
For those brave enough to cast their minds back to 2021, you may recall the European Parliament allowing Meta, Google and the like to scan messages for content related to grooming or other forms of abuse. That has now lapsed. The big tech firms have cited the European Parliament as the reason for the failure to reach a new agreement.
The European Parliament will focus on their own legislation. Spokesman across the big tech companies have claimed this is the wrong approach, as there is now a regulatory gap that could result in reports of child sexual abuse material falling by over 58%.
Read more about this here.
Digital Omnibus gets a two-for-one on opinions
The EDPB and EDPS have released another Joint Opinion. This Joint Opinion, 2/2026, provides a critical assessment of the European Commission’s Digital Omnibus Package. For those not keeping up with the Digital Omnibus, this is a proposal designed to streamline the EU data protection rulebook and improve organisational competitiveness. Seems a familiar promise!
While they welcome the objective of reducing administrative burdens, the EDPB and EDPS warn that the current proposal risks introducing new legal uncertainty and could potentially reduce the level of protection afforded to individuals. There is a concern that some of the proposed changes might actually make EU data protection laws harder to apply in practice.
Read more about this here.
Environmental cost? What environmental cost?
DigitalEurope, or, as I like to imagine them, big tech firms wearing a trench coat and standing on each other’s shoulders, have managed to get something else they wanted out of European lobbying. The European Commission has been collecting statistics around data centres since the EU’s commitment to triple its data centres over the next five years. Luckily for Amazon, Facebook and the like, those statistics will go unreported.
This information will not be allowed to be released as the data is deemed to be commercially sensitive, as per an amendment to the EU legislation. With a layer of opaqueness that would make a British government blush, the EU has also directed members that any public requests for this information should be refused.
Read more about this here.
(EU) GDPR turns 10
April 27th 2016 was the introduction of the General Data Protection Regulation, displacing the Article 29 working party and founding the European Data Protection Board. A world leading piece of legislation, so say the EDPB, though we (the UK) stopped listening to them after a while.
As an aside to this month’s bulletin, I want to coin this part as the bloggetin, I am firmly in the camp that treats the GDPR as eight years old, as I don’t count down the gestation period. 2018 was also the time I became aware of the GDPR, because in another life the manager at the warehouse I worked at came back from a meeting with a shredder and told me we had better shred all the customer credit details we kept or we were going to be in trouble. No, it was not UK Biobank.
For those not in data protection roles in 2018, when did you become aware of GDPR?
Read more about this here.
GET IN TOUCH WITH US!
If you need any support in ensuring your organisation is complying with the relevant legislation, or require training in the areas of data protection and information security, get in contact with us.
Either call us on 0203 3013384, email us at info@dataprivacyadvisory.com, or fill out our contact form. Our dedicated team will get back to you as soon as possible.
