DPAS Bulletin - May 28
Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news from all around the world.
What was the nature of the recent retail cyber attacks? How did the family of a murder victim use AI of his likeness in court? And what new act signed by Trump will tackle the deepfake issue?
Read about all this and more in our latest DPAS Data Protection Bulletin.
Google tests ad placements in chat conversations with AI startups

Google has begun placing adverts directly within chatbot conversations, working with AI startups such as iAsk and Liner through its AdSense for Search programme. This marks a significant move as more users turn to chatbots for information instead of traditional web search.
The ads appear as sponsored responses embedded within the conversation itself, designed to be clearly labelled but seamlessly integrated into the chat experience. Google says this approach helps developers monetise their AI tools while giving advertisers new channels to reach users. This shift reflects Google’s broader strategy to maintain its dominance in online advertising amid the rise of generative AI and conversational search, but also raises questions about transparency, user trust, and the blending of commercial content with seemingly organic AI replies.
Read more about this here.
AI version of Arizona shooting victim addresses his killer in court

The family of Chris Pelkey, who was fatally shot in a road rage incident in Arizona three years ago, employed AI technology to have him ‘speak’ at his killer’s sentencing. Through voice recordings, videos, and photos, they created a digital representation of Pelkey delivering a victim impact statement. The AI-generated message, crafted by his sister to reflect Pelkey’s forgiving nature, expressed remorse over the encounter and extended forgiveness to the perpetrator.
The presiding judge, Todd Lang, acknowledged the emotional impact of the AI statement, sentencing the offender to ten and a half years for manslaughter. While some experts view this as a compassionate application of technology, others raise concerns about the ethical implications and potential misuse in such legal settings.
Read more about this here.
Press Club of India concerned about impact of data protection law on press freedom

The Press Club of India (PCI) has raised concerns about the Digital Personal Data Protection Act (DPDPA), warning it could threaten press freedom. The Act lacks clear exemptions for journalists, potentially requiring them to obtain consent before reporting on individuals, which complicates coverage of events like protests or deaths in custody.
The PCI also flagged risks to source confidentiality and access to information under amended RTI provisions. It is urging the government to clarify the law’s scope, amend restrictive clauses, and restore protections vital for investigative journalism.
Read more about this here.
Irish data protection watchdog fines TikTok for illegally sending user data to China

TikTok has been fined €530 million (£452 million) by Ireland’s Data Protection Commission for unlawfully transferring European user data to China, and failing to protect it from potential access by Chinese authorities. The regulator found TikTok lacked transparency and breached GDPR rules, with outdated policies that didn’t clearly disclose international data transfers.
TikTok plans to appeal, saying the issues pre-date major reforms under its “Project Clover” initiative, which now localises data in Europe and includes third-party oversight. The company has six months to comply or stop transfers entirely.
Read more about this here.
M&S, Co-op and Harrods fall victim to cyber attacks

In April 2025, major UK retailers Marks & Spencer (M&S), Co-op, and Harrods were targeted in a series of cyberattacks, highlighting vulnerabilities in the retail sector’s cybersecurity measures.
M&S experienced a significant ransomware attack attributed to the hacking group “Scattered Spider,” leading to disruptions in online orders, contactless payments, and internal communications. The breach resulted in the theft of customer data, including contact details and order histories, though payment information remained secure. The company anticipates a £300 million hit to its profits and is working to mitigate losses through insurance and cost management strategies.
Co-op faced a cyberattack that compromised its back-office systems and call centre services. Staff were instructed to implement heightened security measures, such as keeping cameras on during remote meetings and avoiding the sharing of sensitive information online. The breach led to the exposure of a significant amount of customer data.
Harrods also reported a cyberattack but managed to thwart the intrusion with the help of cybersecurity specialists. The incident prompted the retailer to restrict internet access at its sites as a precautionary measure.
Read more about this here.
The Ministry of Justice falls victim to a cyber attack, impacting the Legal Aid Agency

The Legal Aid Agency’s online digital services fell victim to a cyber attack on the 23rd April. The Ministry of Justice (MoJ) have since informed the public that the attack was more extensive than was initially understood, and that the group behind it had accessed and downloaded large amounts of information relating to legal aid applicants who had applied through the digital service since 2010. This data may have included contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments.
Read more about this here.
Cyber attacks exploiting software backdoor hit UK companies

A sophisticated cyberattack, believed to originate from China, has compromised several UK companies, including critical infrastructure providers like gas distributor Cadent, according to cybersecurity firm EclecticIQ. The attackers exploited a previously unknown vulnerability in SAP NetWeaver software, enabling remote code execution to infiltrate systems and potentially exfiltrate sensitive data. This method differs from recent ransomware attacks on retailers such as M&S and Harrods.
The National Cyber Security Centre (NCSC) is actively monitoring the situation and has urged organisations to apply the latest security patches. Analysts have linked the breach to Chinese cyber-espionage units, citing the use of Chinese-named files and specific hacking techniques. The attackers’ objective appears to be the strategic compromise of critical infrastructure and the maintenance of persistent access to high-value networks.
Read more about this here.
Ministers block amendment requiring AI firms to disclose use of copyrighted content

The UK government has blocked a House of Lords amendment that would have required AI companies to disclose their use of copyrighted content in training models. The amendment, proposed by crossbench peer Beeban Kidron and passed in the Lords, aimed to increase transparency and protect creators’ rights. However, ministers removed it from the Data Bill by invoking “financial privilege,” arguing that there were no funds for new regulations.
The decision has sparked backlash from the creative sector, with figures like Sir Elton John criticising the move as undermining artists’ livelihoods. The government maintains that broader copyright reforms are needed and has committed to an economic impact assessment of its proposals.
Read more about this here.
Trump signs act to combat sharing of nonconsensual explicit images, like deepfakes

President Donald Trump has signed the bipartisan “Take It Down Act” into law, making it a federal crime to knowingly publish or threaten to publish intimate images without a person’s consent, including AI-generated deepfakes. The legislation mandates that online platforms remove such content within 48 hours of a victim’s request and take steps to delete duplicates. First Lady Melania Trump, who advocated for the bill, described it as a “national victory” to protect children from online exploitation. While the act received overwhelming support in Congress, some digital rights groups have raised concerns about potential overreach and impacts on free speech.
Read more about this here.
UK supermarket supplier falls victim to cyber attack

Peter Green Chilled, a Somerset-based logistics firm supplying major UK supermarkets including Tesco, Sainsbury’s, and Aldi, has fallen victim to a ransomware attack. The cyberattack disrupted order processing, prompting concerns over potential food waste. One client, The Black Farmer, reported that thousands of meat products risked spoilage due to delivery delays.
While larger distributors often have robust cybersecurity measures, smaller firms like Peter Green Chilled may lack such resources. Phil Pluck of the Cold Chain Federation noted a significant rise in cyberattacks on food distribution networks, with many incidents going unreported. He emphasised that hackers target these sectors, knowing their critical role in maintaining food supply chains.
Read more about this here.
Sole trader fined £50,000 for making over 194,000 spam marketing calls

The Information Commissioner’s Office (ICO) has fined Darian Bishop, a Newcastle-based sole trader trading as ECO4U, £50,000 for making over 194,000 unsolicited marketing calls. These calls, made between May and August 2023, were directed at individuals registered with the Telephone Preference Service (TPS), meaning they had opted out of such contact.
The calls promoted boiler and solar panel grants and often misleadingly implied links to official government schemes. Bishop claimed consent was gathered via Facebook forms, but the ICO found no evidence to support this. Many recipients had never completed such forms, and some didn’t even use Facebook. The investigation also revealed that Bishop lacked robust consent processes and had previously been investigated by the ICO in 2015 for similar activity. The regulator stressed that repeated breaches and failure to follow the rules show a disregard for people’s privacy.
Read more about this here.
Leicestershire special constable jailed for sharing sensitive photos and videos

Former Leicestershire Police special constable William Heggs, 23, has been sentenced to 12 months in prison after admitting to 11 offences under computer misuse and data protection laws. The charges stem from his unauthorised access to sensitive police materials, including body-worn footage of dying man William Harty, which he photographed and stored on his personal phone.
Heggs, who joined the force part-time in January 2021 while studying policing at De Montfort University, was described as an “exemplary” officer until his misconduct came to light. He attended the scene where Mr Harty was fatally injured in October 2021 and later accessed and shared images from the incident without authorisation. A colleague reported him after he showed her the graphic images, leading to an investigation that uncovered additional breaches, including sharing sensitive details from other cases via Snapchat.
Read more about this here.
GET IN TOUCH WITH US!

If you need any support in ensuring your organisation is complying with the relevant legislation, or require training in the areas of data protection and information security, get in contact with us.
Either call us on 0203 3013384, email us at info@dataprivacyadvisory.com, or fill out a contact form. Our dedicated team will get back to you as soon as possible.