DPAS Data Protection Bulletin – April 29 2025


Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news from all around the world.

Why has Noyb filed a complaint against Ubisoft? What 40th anniversary exhibition is the ICO hosting in Manchester? And why is the Irish DPC launching a GDPR investigation into xAI?

Read about all this and more in our latest DPAS Data Protection Bulletin.

Ofcom fines OnlyFans provider £1 million

Ofcom has imposed a £1.05 million fine on Fenix International Limited, the operator of OnlyFans, for providing inaccurate information regarding its age verification measures.

The regulator’s investigation revealed that Fenix misreported the ‘challenge age’ (the age threshold used in facial estimation technology to determine if additional age verification is needed). Fenix claimed this threshold was set at 23 years, but it was actually set at 20 years from November 2021. This persisted for over 16 months before being corrected. Ofcom criticised the delay and the lack of robust fact-checking processes, emphasising the importance of accurate data in regulatory oversight. The fine includes a 30% reduction due to Fenix’s cooperation and acceptance of the findings.


UK Government announces Cyber Security and Resilience Bill

The UK government has unveiled plans for a new Cyber Security and Resilience Bill, aiming to bolster the nation’s defences against escalating cyber threats. This legislation seeks to modernise existing frameworks, ensuring critical infrastructure and digital services are better protected from malicious activities.

Key proposals in the bill include expanding the scope of current regulations to encompass a broader range of digital services and supply chains, enhancing the powers of regulators, and mandating more comprehensive incident reporting. These measures are designed to provide a clearer picture of the cyber threat landscape and enable swifter responses to emerging risks. The initiative comes in the wake of significant cyber incidents, such as the ransomware attack on Synnovis, a pathology services provider for the NHS, which led to thousands of medical procedures being postponed. Such events have highlighted numerous vulnerabilities and a pressing need for strengthened cybersecurity measures.


Ex-Dorset police officer “repeatedly” breached Data Protection Act

A former Dorset Police officer has been found to have breached the Data Protection Act by unlawfully accessing and sharing personal information.

This incident, which came to light following an internal investigation, involved the misuse of sensitive data without proper authorisation. The ex-officer’s actions have raised concerns about data handling practices within the force.


Concerns around China’s data protection rules pause Europe research funders

Several major European research funding agencies have suspended collaborative projects with China due to concerns over the country’s Data Security Law, enacted in 2021. These include the German Research Foundation, Swedish Research Council, and Swiss National Science Foundation, which halted co-funding with China’s National Natural Science Foundation (NSFC). The law prohibits sharing of “important data” with foreign entities without Chinese government approval, but lacks clear definitions, causing legal uncertainty and risking penalties for breaches.

The ambiguity around what qualifies as “important data” has raised significant barriers for international data sharing, particularly affecting joint research in critical areas such as health and environmental sciences. The pause in funding threatens to slow global scientific cooperation, in which data sharing is crucial for addressing pandemics and other global health threats.


Noyb files complaint against Ubisoft for mandatory online connection

Ubisoft, the French video game publisher, is facing a potential £79 million (€92 million) fine after being accused of unlawfully collecting player data without consent. The complaint, filed by privacy advocacy group Noyb, alleges that Ubisoft’s single-player games require an internet connection to harvest gameplay data (such as player actions and habits) without clear user permission. One player reported that Far Cry Primal connected to external servers, including those of Amazon and Google, 150 times within just 10 minutes. Noyb argues this practice violates the GDPR.

The encrypted nature of Ubisoft’s data transfers makes it difficult for players to know what’s being shared, raising concerns about privacy in gaming. Noyb is calling for the deletion of unlawfully collected data and a significant overhaul of Ubisoft’s data practices, including the removal of mandatory online connections for single-player titles. If upheld, this case could set a precedent for the gaming industry, prompting other publishers to follow suit in reconsidering their data collection methods.


Malaysia to tighten data protection laws in June 2025

Malaysia is set to implement significant enhancements to its Personal Data Protection Act (PDPA) starting 1 June 2025, aiming to align more closely with international standards such as the GDPR.

One of these reforms is the mandatory appointment of a Data Protection Officer (DPO) for organisations handling substantial or sensitive personal data. The DPO must be a Malaysian resident (for at least 180 days per year) fluent in both Bahasa Malaysia and English, with expertise in local data protection laws and practices. Another example of what’s included in the updated PDPA is a compulsory data breach notification framework. Much like in the GDPR, organisations are required to notify the Commissioner within 72 hours of identifying a breach and inform affected individuals within seven days if there’s a risk of significant harm.

These amendments further empower individuals with data portability rights, allowing them to request the transfer of their personal data between service providers, as long as it’s technically feasible and secure.


ICO opens exhibition in Manchester for 40th anniversary

The Information Commissioner’s Office (ICO) is celebrating its 40th anniversary with a compelling exhibition titled “Our Lives, Our Privacy”, now open at Manchester Central Library until 30 June 2025. The exhibition shares how data privacy has evolved over time, and the ICO’s role in protecting personal information over the past four decades.

Visitors can explore significant moments in privacy history, including the News of the World phone hacking scandal and the rise of smart devices, as well as contemplate future challenges posed by emerging technologies like AI.


ICO fines compensation firm for unlawful marketing calls

AFK Letters Co Ltd has been fined £90,000 by the Information Commissioner’s Office (ICO) for making over 95,000 unsolicited marketing calls to individuals registered with the Telephone Preference Service (TPS).

Between January and September 2023, the company failed to provide valid consent records for these calls, citing a data retention policy that deletes customer information after three months. However, the ICO found that even within this timeframe, AFK could not demonstrate proper consent. Additionally, the company’s third-party data supplier did not specifically name AFK in consent statements, and AFK’s own privacy policy only mentioned email contact, not phone calls.


Irish DPC launches GDPR investigation into xAI’s Grok data training

The Irish Data Protection Commission (DPC) has launched an inquiry into X Internet Unlimited Company (XIUC), formerly Twitter International Unlimited Company, over its use of publicly available posts from EU/EEA users on the ‘X’ platform to train its Grok AI models.

The investigation aims to assess whether this data processing complies with GDPR requirements, particularly regarding transparency and lawful basis.


Noyb predicts GDPR Procedural Regulation will “fail miserably”

The EU’s attempt to streamline GDPR enforcement through the proposed “GDPR Procedural Regulation” has received criticism from privacy advocacy group Noyb.

Instead of simplifying cross-border data protection cases, the draft legislation is said to introduce greater complexity and potential legal challenges. Noyb highlights that the current cooperation mechanism among Data Protection Authorities (DPAs) is already plagued by delays and inefficiencies, with some cases taking over five years to resolve. The proposed regulation, as it stands, may exacerbate these issues rather than resolve them. Noyb urges EU institutions to reconsider the approach to ensure effective and timely enforcement of data protection rights.


Subject access requests (SARs) can build up quickly and unexpectedly, and before you know it, there’s a sizeable backlog of requests to respond to before their respective deadlines.

Organisations are required to comply with SARs without undue delay, or at the latest, within one month of receiving the request (or any information required to confirm the requester’s identity, or even a fee in certain cases). And when you’re busy and have a million other tasks to focus on, this month can feel like no time at all.

So how do you beat the clock while responding to each request with the attention, accuracy, and care it deserves?

In this hour-long session, you’ll learn how you can respond to SARs appropriately, and in a timely and efficient manner that makes worrying about SAR deadlines a thing of the past.


Our panel will be discussing:

  • When and how to apply extensions or pause the clock effectively.
  • Knowing exactly what to redact – and what not to.
  • Anonymised case studies of poor redaction and the serious consequences (including complaints, breaches, and enforcement action).


…and more!
