DPAS Data Protection Bulletin – October 2025

Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news and developments from around the world.

Last month, the digital world threw up some monstrous surprises. When Amazon Web Services went down, did Europe suddenly realise that its data sovereignty was more illusion than reality? And what about the ghostly footprints of children’s educational data? As the ICO consults on new enforcement guidance, one question lingers: will the rising tide of nationally significant cyber attacks and regulatory scrutiny leave any data unscathed?

Read about all this and more in our latest DPAS Data Protection Bulletin.

Amazon cloud outage brings EU data sovereignty to the forefront 

When Amazon Web Services went down last week, it didn’t just crash websites, it crashed confidence in Europe’s control over its own data. For years, regulators have warned about the risks of relying on US cloud giants. The outage turned that theory into a very public problem as hospitals, public agencies and critical infrastructure across Europe suddenly went dark.

Brussels was quick to respond, calling for renewed focus on data sovereignty and local cloud alternatives. Amazon said no data was lost, but that wasn’t the point. The outage has become proof that as long as Europe’s data lives on American servers, its digital independence is still an illusion.

Read more about this here.

Microsoft compelled to stop tracking children’s educational data

If you are a parent or have young relatives, you may recall the quite dramatic shift during the pandemic when seemingly overnight Microsoft propelled school environments onto the cloud. When making these arrangements, Microsoft left the responsibility of local data laws to the schools. After all, if they had to comply with these laws then they wouldn’t have been able to place all those tracking cookies. 

Unfortunately, the house of cards has come tumbling down thanks to an Austrian student’s data request. When the student requested their data from Microsoft, Microsoft referred them to the school, which had responsibility for this request. The school, not having access to this data, referred them to Microsoft. At that point the Austrian DSB got involved and, unlike the ever-flexible Irish DPC, issued a finding that Microsoft was tracking students illegally and using that data for its own purposes.

Find out more about this here.

Bad month at Camp Clearview (AI) Lake

Perhaps a little less frightening than Jason, Clearview AI have had a rough month as campers fight back. noyb has filed a criminal complaint against Clearview AI, accusing them of illegally collecting photos and videos of EU residents to build their facial-recognition database of over 60 billion images. 

In a banner month for the Austrian data protection scene, they aim to succeed where the likes of the UK, France, Greece, Italy and the Netherlands have failed. The case brought by noyb will test whether criminal enforcement can be applied to non-EU companies as administrative fines brought by the aforementioned countries appear to have done little to dissuade the yanks.

Read more about this here.

Camp Clearview (AI) 2: UK GDPR Boogaloo

As the war against Clearview’s intrusive tool rages on, the ICO have won a key battle at the Upper Tribunal. After the ICO appealed the outcome of Clearview’s appeal to the First Tier Tribunal against the ICO’s 2022 fine, the Upper Tribunal found in favour of the ICO. This finding confirms that Clearview’s data processing of UK residents did fall within the scope of UK data protection law.

The Upper Tribunal’s decision reaffirms that companies can be held accountable to the UK GDPR, regardless of where they are based. The case will now return to the First Tier Tribunal to determine the substantive appeal.

Read more about this here.

Capita issued £14m penalty for 2023 data protection failings

Given the recent influx of cyber attacks in the UK, you may have forgotten about the 2023 attack in which 6.6m people had their data stolen. The original fine, levied at £45m, was cut after Capita demonstrated that it had made security improvements and engaged with regulators. 

The March 2023 attack was discovered within ten minutes. However, the affected device that had been targeted was not shut down for over 58 hours. As a result, one terabyte of data was stolen, ransomware was installed and all passwords were reset to lock out staff.

Read more about this here.

ICO opens consultation on new enforcement procedural guidance

The ICO has opened a consultation on their draft data protection enforcement procedural guidance. The guidance details how the ICO decides whether to begin investigating, what organisations can expect once one is opened, and how they use their information-gathering and enforcement powers. 

It is a welcome look into how the ICO functions and provides some clarity and transparency into the enforcement process. Along with the fining guidance previously issued, this new guidance will be considered updated statutory guidance, as per the ICO’s requirement to publish under section 160(1) of the Data Protection Act 2018.

Read more about this here.

UK has a second go at bobbing for Apple user data

Not one to be deterred by the British public wanting to keep their data private, the UK once again ordered Apple to create a backdoor into the cloud storage service. This time, they wanted to target only British users. Apple withdrew their Advanced Data Protection feature from UK users earlier this year after the first technical notice was issued.

With regard to that previous technical notice, the Investigatory Powers Tribunal has dismissed Apple’s appeal following a “change in circumstances”. Apple have stood firm about their refusal to build a backdoor into their technology; however, it remains to be seen whether there has been some agreement between Apple and the UK government that has led to this change.

Read more about this here.

EDPB adopts opinion on UK adequacy extension

The European Data Protection Board (EDPB) has adopted two opinions on the European Commission’s draft decisions to extend the validity of the UK’s adequacy decisions under the GDPR and Law Enforcement Directive until December 2031. The extension will allow organisations and authorities in the EU to continue transferring personal data to the UK without additional safeguards.

In its opinions, the EDPB noted that many recent UK reforms clarify compliance but also introduce potential divergence risks. The Board called on the Commission to closely monitor new ministerial powers to amend data protection rules, the UK’s approach to third-country data transfers, and government use of Technical Capability Notices that could undermine encryption.

Read more about this here.

UK ‘nationally significant’ cyber attacks rise drastically

The NCSC has published their annual review covering August 2024 to August 2025. They found that ‘nationally significant’ cyber attacks have risen from 89 in 2023-2024 to 204 in 2024-25. A substantial portion of these were linked to nation-state actors or highly capable criminal groups.

In response, the NCSC has launched the Cyber Action Toolkit, which is designed to help sole traders and small organisations put in place some of the basic cyber security measures. There has also been another call for businesses to implement Cyber Essentials, which echoes the call from the government for businesses to take concrete action in order to protect themselves from cyber attacks.

Read more about this here.

GET IN TOUCH WITH US!

If you need any support in ensuring your organisation is complying with the relevant legislation, or require training in the areas of data protection and information security, get in contact with us.

Either call us on 0203 3013384, email us at info@dataprivacyadvisory.com, or fill out our contact form. Our dedicated team will get back to you as soon as possible.
