DPAS Data Protection Bulletin – November 2025

Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news and developments from around the world.

Is Europe ready to break free from Big Tech, or are governments losing control of data and AI? Is the ICO too passive as a regulator? Will the EU stand firm in the face of external pressure when it comes to AI regulation? Is the UK ready for economic warfare? How much are you willing to sell your data for?

Read about all this and more in our latest DPAS Data Protection Bulletin.

ICC Says Bye Bye Bye To Microsoft 

Following on from months of calls for Europe to become less reliant on American technology giants, the International Criminal Court appears to be moving ahead with their plans to move on from Microsoft. Chief Prosecutor Karim Khan led the charge when he changed to Proton Mail from Outlook, which came after his Microsoft Outlook email was ‘lost’.

It is believed that, to replace Microsoft software, the ICC will move to openDesk, an open-source software suite. This is to protect the ICC from further sanctions they expect to be authorised by the US President. Microsoft have refuted any claim that they have acted on the basis of such an order. Regardless, since Microsoft was not there for them, the ICC has decided it’s time to leave and make it alone. Can the rest of Europe take any more?

Read more about this here.

ICO: Information “Collapser’s” Office

A coalition of academics, legal experts and civil liberties groups have called for a parliamentary inquiry into the Information Commissioner’s Office (ICO). A letter submitted to the chair of Parliament’s Science, Innovation and Technology Committee alleges “structural failures” at the ICO. The criticism comes in the wake of the ICO’s refusal to investigate the Ministry of Defence over the 2022 leak of Afghan contractor data.

The signatories argue that the ICO’s cautious approach to enforcement extends beyond the public sector, highlighting cases where fines were drastically reduced or replaced with mere reprimands. They also note a sharp decline in ransomware investigations, with only 87 of 1,253 reported incidents investigated in 2023, compared to over 99% in 2019–2020. The letter states that a “culture of passivity” has left many victims unprotected and urges the Science, Innovation and Technology Committee to use its oversight powers to force meaningful change.

Read more about this here.

EDPB Backs Brazil

The European Data Protection Board (EDPB) has issued an opinion on the European Commission’s draft adequacy decision for Brazil. The EDPB praised Brazil’s data protection framework for aligning closely with EU law, while also calling on the Commission to clarify specific issues, such as Data Protection Impact Assessments, transparency limits related to commercial secrecy, and rules on onward transfers.

However, the EDPB also flagged gaps around Brazil’s national security exemptions and the application of data protection rules to public authorities handling criminal investigations or public safety. It emphasised the need for the Commission to define the scope of Brazil’s Data Protection Authority powers and the national security concept more clearly. This is a major step toward legal certainty for companies transferring personal data to Brazil, but it comes with a reminder that oversight and clarification are still required.

Read more about this here.

UK Cyber Security Resilience Bill Receives First Reading

The UK’s Cyber Security and Resilience (CSR) Bill targets essential services including the NHS, transport, energy networks, and key digital infrastructure. The legislation will expand regulatory scope to data centres, large load controllers, managed service providers, and other designated critical suppliers, bringing up to 1,100 new organisations under oversight. Key provisions include enhanced incident reporting, requiring operators of essential services to notify regulators within 24 hours and provide full reports within 72 hours.

The CSR Bill will strengthen regulatory powers, allowing the Secretary of State to set objectives across 12 regulators and enabling targeted enforcement, including simplified penalty bands and higher turnover-based fines. The legislation also lays the groundwork for rapid updates to include more sectors, updated security standards, and third-party risk requirements.

Read more about this here.

UK Deemed Not Ready For Economic Warfare

Along with the aforementioned Bill, the House of Commons also published a report from the Business and Trade Committee. It warns that the UK’s current approach to economic security is outdated, leaving sensitive data, technology, and critical infrastructure vulnerable to exploitation. The report frames economic security as inseparable from information governance, stressing that supply chains, digital platforms, and technology transfers are increasingly strategic targets.

The Committee calls for a new “Economic Security Doctrine” built on six principles: diagnose, develop, diversify, defend, deter, and dovetail, to ensure that data protection, cyber resilience, and responsible technology use are central to national economic policy.

Read more about this here.

EU Likely To Delay High Risk AI Regulation

After being the only institution with a strong enough backbone to attempt to regulate AI, the EU has been brought to heel by big US tech companies. Obligations on high-risk AI systems will be delayed until 2027. This is in stark contrast to the efforts of the last few years, which saw proposals brought to the table and countless negotiations aimed at making the EU the world leader in regulating AI.

Where has this turnabout come from? Unsurprisingly, the EU appears to have bowed to pressure both from within and outside. Countries within the EU had already been calling for a delay, some to give innovation a chance, some to equip their regulators. Externally, competition from America and China to be at the forefront of AI innovation will have played a part. A welcome change for some, but a marked departure from the EU’s previous efforts, which relied on building trust in AI systems.

Read more about this here.

AI Regulation’s Rough Month Continues

US President Donald Trump is considering an executive order to stop states from regulating artificial intelligence. Four states, Colorado, California, Utah and Texas, have passed laws requiring AI companies to limit personal data collection and increase transparency in automated decisions. Hundreds of organisations, including tech unions and consumer rights groups, oppose blocking state-level protections.

The draft order would direct federal agencies to challenge state AI laws and could withhold federal funding. It aims to create a lighter national framework that overrides stricter state rules. The White House may sign the order soon, and congressional Republicans are considering legislation to temporarily block state AI regulations.

Read more about this here (requires subscription).

CNIL Survey People’s Willingness To Sell Their Data

A CNIL (the French Data Protection Authority) survey of 2,082 French residents explored how much people value their personal data and whether they would be willing to sell access to it. 65% said they would be willing to provide their data for money. Of those, 28% valued their data at 10 to 30 euros per month, 14% expected more than 200 euros, and 6% would accept less than one euro per month. Overall, the most common valuation range was 10 to 30 euros per month.

Thirty-five percent of respondents refused to sell their data under any circumstances, rejecting monetisation on principle. Many who set higher prices for their data also placed a high value on privacy, suggesting that attitudes toward data monetisation reflect a trade-off between perceived privacy risks and offered compensation. Based on modelling, CNIL estimates a rough “market price” of around 40 euros per month per service for personal data, while cautioning that a commoditised data market cannot account for individuals who view privacy as a non-negotiable good.

Read more about this here.

OpenAI Planning Standup Tour

In perhaps the best joke of 2025, OpenAI has stated that they value transparency following a data breach involving their third-party analytics service, Mixpanel. The security breach allowed an attacker to export a dataset containing limited user information. The exposed data included account names, email addresses, approximate coarse locations (city, country) inferred from browser data, operating system and browser type, referring website, and user or organisation IDs tied to API accounts.

OpenAI said the breach was confined to Mixpanel’s systems and did not affect the company’s own infrastructure. Sensitive data such as passwords, API keys, payment information, chat logs, government IDs and actual API usage data were not exposed. For many users, this was the first instance they had heard of Mixpanel having access to their data. As such, scepticism around OpenAI’s statement of valuing privacy seems warranted.

Read more about this here.

ENGAGE, EDUCATE, EMPOWER 2026 – HAVE YOU SIGNED UP YET?

In case you missed it, in February, we’re bringing Engage, Educate, Empower back for 2026! This free data protection and information security conference is the perfect place for you to connect with new people, join the buzzing discussions about today’s challenges, and listen to a range of varying perspectives on the pressing topics and issues surrounding the modern privacy world.

Our 2026 conference will follow the same theme as previous years’ Engage, Educate and Empower events, aiming to educate colleagues across the industry on topics in data protection, information security and AI. We have a host of industry experts ready to deliver engaging sessions aimed at educating DPOs from a range of private, public and third sector organisations.

Read more about this conference and book your free ticket here.

GET IN TOUCH WITH US!

If you need any support in ensuring your organisation is complying with the relevant legislation, or require training in the areas of data protection and information security, get in contact with us.

Either call us on 0203 3013384, email us at info@dataprivacyadvisory.com, or fill out our contact form. Our dedicated team will get back to you as soon as possible.