DPAS Bulletin - December 2025
Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news and developments from around the world.
Data privacy and online rules are changing in Europe and beyond. The EU is updating how the GDPR works so that cross-border complaints are handled more quickly and consistently, but what will that mean for businesses and everyday users? Will US court cases erode the shaky foundations of transatlantic data sharing? Why is the UK stepping back from broad AI regulation? Are we adequate?
Read about all this and more in our latest DPAS Data Protection Bulletin.
EU publishes GDPR reform package

The EU is reforming how the GDPR works in practice. Since the GDPR came into force, cross-border complaints have often been slow, inconsistent, and tangled in national procedures, especially under the one-stop-shop system. Regulation (EU) 2025/2518 aims to standardise the process by setting common rules for how complaints are assessed, how data protection authorities cooperate, and how companies and complainants are heard during investigations.
The regulation introduces clearer timelines for investigations, generally capping them at 15 months, with limited extensions for complex cases. It also creates options for faster resolution where problems have already been fixed and no authority objects, and a simplified cooperation track for more straightforward cases. This is set to take effect in April 2027.
Read more about this here.
EU set to limit further privacy reforms

In a similar vein, the Justice Commissioner has stated that any changes beyond those already proposed would put the GDPR’s high standards of data protection at risk. His statement echoes criticism directed at the EU’s proposals to amend the GDPR, the AI Act and other data laws. The desire in Europe to amend data protection laws sounds familiar to those of us in the UK who anticipated the ill-fated Data Protection and Digital Information Act, as Brussels wishes to cut the ‘red tape’ for businesses.
The long-awaited reform of cookie banners has been discussed for much of 2025, though we will have to wait until 2026 to hear more on this. The Justice Commissioner believes that the proposed changes will benefit both citizens and businesses. While some privacy advocates have labelled the proposed changes a radical rollback of rights, the Commissioner has preferred to label them as positive. At the very least, there will be a respite period before the EU considers further change.
Read more about this here.
Meta aims to avoid daily fines

If you’ve had your ear to the ground in this area, you will have heard that Meta has been planning to shift to a pay-or-consent model for its targeted advertising from January 2026. In good news for social media users, Meta has been enjoying a close relationship with the EU since its 200 million euro fine in April for breaching the Digital Markets Act. The risk of daily fines and protracted discussions with the EU about the April fine have had a positive effect.
In November, Meta submitted a proposal to change the wording, design and transparency of its pay-or-consent system, which would see less personal data being processed. The Commission acknowledged the proposal and will monitor its implementation. As it stands, it appears Meta will avoid the daily fines that would have been levied had it continued its targeted advertising in the manner that resulted in the April fine.
Read more about this here.
EU-US data transfer mechanisms at risk

Max Schrems has published a blog highlighting the fragile foundations of the Transatlantic Data Privacy Framework and the Standard Contractual Clauses (SCCs) that businesses rely on for EU-US data transfers. The first issue is the risk that a US case involving President Trump could end the Federal Trade Commission’s independence. The FTC’s independence is a significant aspect of the data transfer system, as required by Article 8(3) of the EU Charter of Fundamental Rights.
The second issue Schrems highlights is that the Data Protection Review Court in the US is not a statutory body, but relies on an Executive Order for its existence. If the US case involving President Trump finds independent executive bodies unconstitutional, it stands to reason that the DPRC would fall. In turn, this poses a significant risk to reliance on SCCs.
Read more about this here.
American Express unlawfully leaves cookies

It’s unlikely that Santa will be getting any sweet treats from the folks at American Express Carte France, the French subsidiary of American Express, after the data protection authority continued its fine form by issuing a 1.5 million euro fine. The CNIL investigated the French arm of American Express in January 2023 and found that the company placed cookies as soon as visitors arrived on its website.
Not only that, but visitors who refused cookies still had advertising cookies placed on their devices, and users who had previously accepted cookies but then withdrew consent still had their information collected. With such infractions, Santa might not be visiting the subsidiary’s offices. Alas, Santa’s retention policy for naughty list occupants is at this time unknown.
Read more about this here.
UK adequacy is renewed

After months of speculation from just about everyone in the field, the UK has had its adequacy status with the EU renewed until 2031. Despite fears that the Data Use and Access Act might reduce the likelihood of an extension, the EU has reviewed the changes to the UK’s legal framework and given the green light.
Read the decision here.
ICO issues fine for insufficient security measures

In a rare instance of monetary penalty enforcement for a data protection failure, the ICO has issued a £1.2 million fine to LastPass UK. The password manager did not implement sufficiently robust technical and security measures, which enabled a hacker to infiltrate the company’s backup database.
A hacker first accessed a laptop in August 2022, then targeted a senior employee who was found to hold the decryption keys for the encrypted company credentials the hacker was after. Personal data of 1.6 million people, including names, email addresses and phone numbers, was extracted from the database.
Read more about this here.
UK Government no longer has the appetite for broad AI regulation

Cast your mind back to the 2024 election and you may recall one aspect of Labour’s manifesto promising strong regulation on AI companies. Fast forward to December and Tech Secretary Liz Kendall has confirmed that the government is no longer looking at a big bill to regulate AI.
Warning signs were present earlier this year: in February 2025 the UK joined the US in refusing to sign an international AI declaration at the AI Summit it had founded in 2023. The warning flare went up in September when the UK signed the Technology Prosperity Deal with the US. The government instead appears to be addressing AI issues, such as nudification apps, through other strategies such as the Violence Against Women and Girls Strategy.
Read more about this here.
X Gon’ Get Fined By EU

Less DMX, more DSA. The EU has issued a 120 million euro fine to Elon Musk’s X platform for breaching the Digital Services Act (DSA). In its publication of the fine, the Commission states that X’s blue checkmark was deceptive. As users can pay to obtain verified status, this breaches the DSA, which prohibits online platforms from claiming users have been verified where no actual verification has taken place.
X’s advertisement repository also failed to meet transparency and accessibility requirements, which are critical for the detection of scams, threat campaigns and coordinated information operations. As with the Meta fine in April, if X refuses to comply with the non-compliance decision, it may face periodic penalty payments.
Read more about this here.
ENGAGE, EDUCATE, EMPOWER 2026 – HAVE YOU SIGNED UP YET?

In case you missed it, in February we’re bringing Engage, Educate, Empower back for 2026! This free data protection and information security conference is the perfect place to connect with new people, join the buzzing discussions about today’s challenges, and hear a range of perspectives on the pressing topics and issues in the modern privacy world.
Our 2026 conference will follow the same theme as previous years’ Engage, Educate, Empower events, aiming to educate colleagues across the industry on topics in data protection, information security and AI. We have a host of industry experts ready to deliver engaging sessions aimed at DPOs from a range of private, public and third sector organisations.
Read more about this conference and book your free ticket here.
GET IN TOUCH WITH US!

If you need any support in ensuring your organisation is complying with the relevant legislation, or require training in the areas of data protection and information security, get in contact with us.
Either call us on 0203 3013384, email us at info@dataprivacyadvisory.com, or fill out our contact form. Our dedicated team will get back to you as soon as possible.