DWF Data Protection Insights – July 2025

23 July 2025

Here is our round-up of the top data protection and cyber security stories looking back at June 2025, together with practical advice on what we are seeing in practice.

This month in review:

June has seen the introduction of one of the biggest changes of the last few years to the UK’s approach to data protection, direct marketing and cookies.  On 19 June 2025, the Data (Use and Access) Act 2025 (“DUAA”) received Royal Assent and its impact on data protection law will be rolled-out over the next year.  Our Breakfast Briefing covered this in detail with practical tips – check the recording link below!

Alongside this, we continue to see evolving guidance and principles in data protection legislation:

In the European Union (“EU”), the European Commission (“EC”) published its State of the Digital Decade 2025 report, which calls for ongoing efforts in digital infrastructure, skills and services, with a strong focus on protecting minors online. The European Data Protection Board (“EDPB”) published new guidelines to clarify the conditions for lawful data transfers to third-country authorities, emphasising that judgments from these authorities cannot be automatically recognised in Europe.

The EDPB also published a generative artificial intelligence (“AI”) outlook report that evaluates the impact and risks of generative AI in the EU. Additionally, we have seen several updates from multiple data protection regulators across the EU, including recommendations from the French data protection authority (“CNIL”) on AI and legitimate interests, and an influx of enforcement fines from the Italian data protection authority (“Garante”).

In the UK, there have been significant developments in the data protection landscape and digital regulation in June. The DUAA introduces reforms to personal data use, consent and enforcement powers, as well as increasing the maximum direct marketing fine from £500,000 to £17m or more. The Information Commissioner’s Office (“ICO”) launched a public consultation on draft guidance on consumer Internet of Things (“IoT”) products and services, while also publishing its AI and biometrics strategy to guide the responsible deployment of emerging technologies.

The National Cyber Security Centre (“NCSC”) released new principles to strengthen the cyber security culture across organisations. Meanwhile, the Competition and Markets Authority (“CMA”) opened a consultation on whether to release Google from its Privacy Sandbox commitments, and the Office of Communications (“Ofcom”) unveiled its strategic approach to AI regulation for 2025/26. Additionally, the ICO published its AI and biometrics strategy which focuses on regulating foundational models, automated decision-making in recruitment, and public services, and the use of facial recognition by law enforcement. The ICO has also fined 23andMe £2.31 million for data security failures following a major data breach. 

Our trends

We have recently seen trends emerge in the issues brought to us by our clients – we have outlined some of these issues below. Please reach out if you would like our support with these or any other data protection-related issues: 

Data subject rights requests: We continue to see complex data subject rights requests, and in particular, data subject access requests (DSARs), emerge as a problematic issue for many of our clients. We continue to offer advice on how you should approach these requests, provide understanding on how and when any exemptions apply, how you can organise to manage a DSAR, and continue to communicate with the ICO to ensure our advice is in line with their expectations.  Our advice is practical and pragmatic whilst being acutely aware of the wider risk profile, given DSARs are routinely weaponised for ulterior means.  We have considerable experience in dealing with these weaponised DSARs.

Transformation and streamlining: we enjoy working on process optimisation and have done so with DSARs as well as PIAs and complex ticketing systems for data protection-related internal operations management.

Due diligence relating to mergers and acquisitions: We continue to support other teams at DWF, including in conducting comprehensive due diligence checks on corporate entities to identify any risks that a prospective buyer may need to be aware of prior to a purchase.

Our contents this month:

Meet our data protection extend & accelerate team

DWF's DPEA service is an innovative solution that offers rapid, flexible access to high-quality resources to support our clients with their data protection needs – all at a low cost. If you're experiencing a 'crunch', needing to upscale your data protection resources or wanting to find out more about how your organisation could benefit from this service, you can read about the service here or contact your usual DWF data protection contact or one of the authors of this article.

We'd like to introduce you to one of our DPEA team members – Daria Ciak:

Daria is a CIPP/E-certified legal intern in DWF Poland’s Data Protection & Cyber Security team and a current participant in DWF’s Data Protection Extend & Accelerate programme. She holds a law degree from the University of Warsaw and is pursuing studies in ethnology and cultural anthropology, with a focus on qualitative research methods. Before joining DWF, she gained legal experience in both public institutions and the private sector, including work on DSA and NIS 2 implementation, and ESG-related legal matters. She recently presented at one of DWF’s Breakfast Briefing Webinars to nearly 200 attendees. Known for her analytical mind-set and strong communication skills, she engages effectively with diverse stakeholders. She continues to expand her expertise in data protection by supporting client work and participating in internal training and diversity, equity and inclusion initiatives.

Our events and articles

Data protection and cyber security – June breakfast briefing and deep dive into the implications of the Data (Use and Access) Act

Please click here to watch the recording of our June Breakfast Briefing, covering a range of topics but particularly the DUAA. 

Data protection and cyber security – July breakfast briefing: July insights into developments in data protection

On 31 July 2025, the DWF team will host a Breakfast Briefing that will cover a selected number of key developments in the data protection landscape that took place recently. If you are interested in attending this Breakfast Briefing or any of our future sessions, please visit this registration link, contact your usual DWF Data Protection & Cyber Security contact, or send an email to dpcs@dwf.law.

Explore the evolving world of IP with DWF’s June 2025 international intellectual property magazine

The latest edition of DWF's IP magazine highlights EU design reforms, landmark copyright rulings and AI’s legal intersections.

Our global team shares insights from across Europe, offering practical guidance and legal foresight. Stay informed on the latest trends shaping IP law across jurisdictions and sectors. You can download a copy of the magazine using this link: International Intellectual Property Magazine | DWF Group

General updates

UK: The DUAA receives Royal Assent and becomes law

On 19 June 2025, the DUAA received Royal Assent and became law. It introduced several amendments to the UK data protection framework. For example, the DUAA clarifies how personal information can be used for research, lifts restrictions on some of the aspects of automated decision-making, sets out how to use specific cookies without consent and, in certain circumstances, permits charities to send electronic mail marketing to people without the need to obtain consent.

The DUAA also introduces an updated list of recognised legitimate interests for processing, conditions for secondary processing, and provisions on data subject access requests and automated decision-making. Furthermore, it grants the ICO new powers including, but not limited to, issuing fines of up to £17.5 million or 4% of global group annual turnover under the Privacy and Electronic Communications Regulations (“PECR”). The ICO has published guidance to support organisations and the public with the implementation of the DUAA. The provisions of the DUAA will be introduced in a phased manner over the next 12 months.

You can read the DUAA here and more about its legislative history here.

EU: EC releases State of the Digital Decade 2025 report

On 16 June 2025, the EC published the State of the Digital Decade report for 2025 that highlights both the progress and the critical challenges in achieving the EU’s 2030 digital decade policy programme. While Member States have proposed over €288 billion in digital investments and advancements in areas such as 5G coverage, public services, and AI uptake, the EU still faces significant gaps in high-quality connectivity, digital skills and technological sovereignty in, for example, cloud infrastructure and cybersecurity. The report underscores the urgent need for deeper public-private collaboration, structural reforms, and accelerated implementation of national roadmaps to ensure Europe remains competitive, secure and digitally resilient.

You can read the EC's press release here and the full report here.

UK: ICO consultation on draft guidance and impact assessment on consumer IoT products and services

On 16 June 2025, the ICO launched a public consultation on its draft guidance and impact assessment on consumer IoT products and services. The guidance is aimed at organisations including manufacturers, AI service providers, and developers involved in the design and deployment of connected devices in the consumer market. The guidance covers data protection principles for IoT technologies, PECR requirements, delivery of privacy information, lawful bases of data processing, common compliance challenges, and the role of organisations in the IoT ecosystem. The guidance also provides practical advice on designing privacy into IoT products, managing consent and ensuring secure data handling throughout the IoT supply chain.

You can read the ICO's draft guidance here and the press release here.

International: G7 data protection and privacy authorities publish joint statement

On 19 June 2025, following a roundtable discussion, the G7 Data Protection and Privacy Authorities (“DPPAs”) published a joint statement on the ways in which prioritising privacy supports the promotion of responsible innovation and the protection of children. The DPPAs urge responsible innovation and strong privacy protections for children online through measures such as limiting tracking, ensuring clear communication of privacy practices, avoiding deceptive design patterns, adapting privacy impact assessments to the needs of children and their parents, and requiring parental consent for certain data processing practices. Furthermore, the DPPAs call for organisations to make privacy a priority by building it into the design, development and deployment of new technologies to promote trust and economic support.

You can read the DPPAs’ joint statement here.

Adtech and direct marketing

Italy: Garante fines Realmaps €100,000 for general data protection regulation (“GDPR”) violations regarding telemarketing practices without consent

On 30 May 2025, the Garante finalised its decision to impose a fine of €100,000 on Realmaps for breaching the GDPR by supplying real estate agents with detailed personal data of property owners. This information was then used for telemarketing purposes without the valid consent of the data subjects. The Garante also fined several estate agencies involved, with penalties ranging from €2,000 to €40,000.

You can read Garante's decision on Realmaps here, access the decisions on the other agencies here and read the press release here, only available in Italian.

France: CNIL requests public comments on draft recommendations on tracking pixels in emails

On 12 June 2025, the CNIL issued a draft recommendation regarding the use of tracking pixels in emails and has invited public feedback until 24 July 2025. The draft emphasises that email senders are considered data controllers under the GDPR and must obtain the recipients’ consent for using tracking pixels for purposes like marketing, personalisation and fraud detection. The CNIL advises that consent should be specific, informed, and revocable, with mechanisms in place to demonstrate the collection of valid consent.

You can read CNIL's press release here, only available in French.

UK: CMA considers releasing Google from privacy sandbox commitments

On 13 June 2025, the CMA launched a consultation to consider releasing Google from its Privacy Sandbox commitments. These commitments were established to ensure that Google's modifications to Chrome, specifically the transition from third-party cookies to Privacy Sandbox tools, do not compromise competition or provide Google with an unfair advantage in the digital advertising sector. The CMA believes that since Google has now abandoned plans to prompt users to decide if they want to block third party cookies, the commitments may no longer be necessary.

You can read the press release here and a summary of Google's Privacy Sandbox proposals here.

AI and innovation

EU: EC publishes Generative AI (“GenAI”) outlook report

On 14 June 2025, the EC published a report examining how GenAI is influencing society, the economy and EU regulations. The report highlights GenAI’s potential to boost innovation and productivity across sectors like healthcare, education, science and the creative industries. At the same time, it highlights the risks associated with its use such as misinformation, bias, job losses, and privacy issues. This report calls for strong transparency and accountability measures, supported by technical solutions such as watermarking AI-generated content. The report also emphasises the role of laws like the EU AI Act and GDPR in ensuring responsible AI use.

You can read the report published on the EU Commission website in detail here.

France: CNIL publishes recommendations on AI and legitimate interest

On 19 June 2025, following a public consultation, the CNIL published its recommendations to guide the development of AI systems based on legitimate interests. The guidance emphasises that consent is not always required for AI development if strong safeguards are in place to protect personal data. Key recommendations include strict conditions for relying on legitimate interest as a legal basis for processing, including in the case of online data scraping. The recommendations also include practical examples to help organisations understand when relying on legitimate interest is appropriate, reinforcing the importance of transparency and facilitation of the exercise of data subject rights.

You can read the press release here and the recommendations here, only available in French.

UK: Ofcom publishes strategic approach to AI

On 6 June 2025, Ofcom published its strategic approach to AI for 2025/26, focusing on supporting innovation and managing AI-related risks across its regulated industries, including telecoms, online platforms, broadcasters, and postal companies. The strategy outlines several key initiatives that will support AI innovation such as the creation of safe spaces for technology experimentation and collaboration with other institutions to ensure regulatory alignment for new AI applications.

You can read Ofcom’s published strategy here and the report here.

UK: ICO publishes AI and biometrics strategy

On 5 June 2025, the ICO published its AI and biometrics strategy which focuses on foundation models, automated decision-making (“ADM”) in recruitment and public services, and the use of facial recognition technology (“FRT”) by law enforcement. The ICO's strategy emphasises transparency, accountability, and fairness in AI systems, particularly regarding systems that process biometric data. The strategy aims to guide organisations in responsibly deploying AI while safeguarding an individual’s rights.

You can read the press release here and the strategy here.

EU: Parliament releases EU AI Act implementation timeline factsheet

On 10 June 2025, the European Parliament released the implementation timeline for the EU AI Act, which is to be fully in force by 2027. Some key provisions, such as those banning certain AI practices, have been in effect since February 2025. Guidelines for high-risk AI systems are scheduled for release in February 2026. The European Parliament's published timeline also includes the rollout of rules on governance, penalties and confidentiality, and the finalisation of codes of practice for general-purpose AI.

You can read more about the timelines of the EU AI Act implementation here.

UK: ICO releases guidance for consumer IoT products and services

On 16 June 2025, the ICO released its first guidance for developers and manufacturers of smart products, which outlines responsible ways to collect, use, and share personal information. In April 2024, the ICO also published research showing that many people are concerned about the amount of personal data smart products collect and feel they have little control over its use. This new guidance aims to help manufacturers design smart products that follow data protection laws and focus on user privacy.

You can read the ICO’s guidance here and its research here. The ICO has also provided tips for making privacy-conscious purchases here.

Cyber, breach and ransomware

UK: ICO welcomes guilty verdict of eight men related to unlawfully accessing personal information

On 26 June 2025, the ICO confirmed that its investigation helped secure guilty verdicts for eight men in its largest-ever nuisance call investigation. Over one million personal records were unlawfully obtained from vehicle repair garages and used for personal injury claims.

You can read the ICO’s press release for further details here.

UK: The National Cyber Security Centre (“NCSC”) publishes guidance on cyber security culture principles

On 4 June 2025, the NCSC unveiled a set of six core principles designed to make cyber security an integral part of how an organisation operates. The six principles focus on aligning cyber security with business goals, fostering a culture of openness, promoting adaptability to evolving threats, reinforcing positive behaviours and ensuring leadership leads by example. These principles encourage a holistic, human-centred approach where trust, transparency and shared responsibility drive behaviour. They also stress that lasting transformation relies on ongoing collaboration among cyber experts, cultural specialists and senior leaders.

You can read the press release here and the guidance here.

UK: ICO fines 23andMe £2.31M for data security failures following data breach

On 17 June 2025, the ICO fined 23andMe £2.31 million for not having appropriate safeguards in place to protect personal data. The penalty followed a 2023 cyber incident in which attackers accessed sensitive information belonging to thousands of UK users. Following an investigation, the ICO determined that 23andMe infringed the UK GDPR by failing to implement, for example, appropriate mitigations against credential stuffing attacks, additional protections for special category data, and measures to ensure the confidentiality and integrity of the affected personal data.

You can read the press release here and the penalty notice here.

EU: EU Agency for Cybersecurity ("ENISA") launches NIS2 implementation tool to strengthen EU cyber resilience

On 26 June 2025, ENISA introduced a new tool to support the technical implementation of the NIS2 Directive across the EU member states. This new tool is designed to identify competent authorities and map national cybersecurity frameworks. The tool also aims to enhance co-ordination, transparency and compliance between the EU member states. You can read the guidance here.

Employment and data subject rights

EU: Parliamentary committee publishes recommendations and a draft directive on AI and algorithmic management in the workplace

On 12 June 2025, the EU Parliament’s Employment Committee proposed a draft directive to regulate AI and algorithmic management in workplaces. The directive aims to close gaps left by the EU AI Act and the GDPR, ensuring transparency and employee rights. Key measures include mandatory disclosures, limits on data use and protections for worker well-being, with the aim of balancing innovation with fairness and privacy. The directive also emphasises inclusive participation in the labour market, particularly for individuals with disabilities, and calls for support mechanisms to achieve these targets.

You can find the draft directive here.

Italy: the Garante fines Lombardy region €50,000 for GDPR violations in workplace data processing

On 29 April 2025, the Garante fined the Lombardy Region €50,000 for GDPR breaches regarding its monitoring practices for an employee working remotely. The investigation revealed that the Lombardy Region improperly tracked and stored the employee’s internet browsing logs and email metadata, including data unrelated to work, without union agreements or sufficient safeguards, infringing the worker’s privacy. The Region also failed to conduct a mandatory data protection impact assessment. The Garante emphasised that, even in the workplace, employees have a legitimate expectation of confidentiality, and the decision highlights the importance of lawful data handling practices.

You can read the decision here and the press release here, both only available in Italian.

Data transfers

EU: EC confirms applicability of EU-US data privacy framework (“DPF”)

On 12 June 2025, the EC confirmed the continued applicability of the DPF, emphasising that Executive Order 14086 remains in effect and provides vital safeguards, such as limiting US intelligence services’ access to EU data and establishing a Data Protection Review Court. This confirmation comes despite the earlier dismissal of three Democrat members from the US Privacy and Civil Liberties Oversight Board. The EC maintains ongoing communication with US authorities to ensure the DPF’s lawfulness.

You can read the Commission’s answer here and one of the questions here.

EU: EDPB publishes final version of the guidelines on data transfers to third country authorities

On 5 June 2025, the EDPB published the final version of the Guidelines 02/2024 (“Guidelines”), clarifying the conditions for lawful data transfers to third country authorities under Article 48 of the GDPR. The Guidelines emphasise that such requests must be based on an international agreement that is either recognised or enforceable in the EU.

In the absence of such an agreement, third country data transfers must comply with the GDPR’s general requirements, in particular Article 6 and Chapter V of the GDPR. The Guidelines note that Article 6(1)(b) of the GDPR cannot be relied upon by private entities in the EU for data transfers made in response to requests for transfer or disclosure from third country authorities.

You can read the press release here and the Guidelines here.

If you have any questions relating to this article, please reach out to our authors below.