DWF Data Protection Insights – October 2025

23 October 2025

Here is our round-up of the top data protection and cyber security stories looking back at September 2025, together with practical advice on what we are seeing in practice.  

This month in review:

September has seen progress in several areas of data protection, including direct marketing, artificial intelligence and innovation, as well as cyber breach and ransomware incidents.

The European Data Protection Supervisor (“EDPS”) released an opinion concerning the conclusion of the United Nations (“UN”) Convention against Cybercrime, highlighting several recommendations for EU Member States and institutions. The European Data Protection Board (“EDPB”) adopted guidelines that clarify how the Digital Services Act (“DSA”) interacts with the GDPR. These guidelines aim to create a coherent and effective EU digital rulebook to help uphold the fundamental rights and freedoms of individuals.

On the international stage, the Federal Data Protection and Information Commissioner (“FDPIC”), along with data protection authorities from Brazil and Canada, entered into a Memorandum of Understanding (“MoU”) with the Information Commissioner’s Office (“ICO”). This marks an important step towards greater collaboration on international data protection standards.

The ICO provided clarification on guidance regarding storage and access technologies, supporting organisations in their compliance efforts. In addition, the Interactive Advertising Bureau (“IAB”) published a report addressing the impact of AI on digital advertising, reflecting on the need to enhance AI training.

The Department for Science, Innovation and Technology (“DSIT”) published a paper outlining the AI assurance road map. The European Commission (“EC”) initiated consultations on its digital simplification agenda and the Code of Practice concerning transparency requirements under the AI Act. Furthermore, the European Parliament released a briefing on the continent's AI action plan.

The National Cyber Security Centre (“NCSC”) published guidance on recovering from cyber incidents, providing practical support for affected organisations. The ICO also released final guidance on encryption, reinforcing best practices for data protection.

Meet our Data Protection Extend & Accelerate Team – Stanislaw Mucha

DWF's DPEA service is an innovative solution that offers rapid, flexible access to high-quality resources to support our clients with their data protection needs – all at a low cost. If you're experiencing a 'crunch', needing to upscale your data protection resources or wanting to find out more about how your organisation could benefit from this service, you can read about the service here or contact your usual DWF data protection contact or one of the authors of this article.

Stanislaw is a CIPP/E-certified Staff Lawyer at DWF Poland, currently on the path to becoming a qualified solicitor in England and Wales. An LLB and LLM graduate from the University of Bristol, Stanislaw has legal experience in data protection, cybersecurity, technology, and ESG. Bilingual in English and Polish, Stanislaw brings a multijurisdictional background and experience collaborating with diverse international teams. He is consistently committed to delivering high-quality legal support and exceptional client service. 

Our events and articles

On 25 September 2025, we hosted our monthly Breakfast Briefing, where we delved into some recent developments in data protection across Europe and the UK. Key updates covered the ICO’s consultation on PECR and regulatory approach to online advertising, the EC’s guideline on GPAI models, and the first provision of the DUAA. In case you missed this webinar, you can watch the recording here.

Our next Breakfast Briefing will take place on Thursday 04 December from 9am to 10am, where the DWF team will cover a selected number of key developments in the data protection landscape that took place recently. If you are interested in attending this Breakfast Briefing or any of our future sessions, please visit this registration link, contact your usual DWF Data Protection & Cyber Security contact, or send an email to dpcs@dwf.law.

General updates

EU: EDPS publishes Opinion on signing and conclusion of UN Convention against Cybercrime

The EDPS has issued its opinion on the two Proposals on the signing and conclusion of the UN Convention against Cybercrime. The EDPS outlined several recommendations for EU institutions and Member States, including assessing whether transfers fulfil the conditions under the Law Enforcement Directive, avoiding measures that could weaken cybersecurity for users of electronic communications services, and removing Article 16 of the Treaty on the Functioning of the European Union (the right to the protection of personal data) as a legal basis. Additionally, it recommended that data protection experts be included in future reviews.

You can read the press release here and Opinion 23/2025 here.

EU: Interplay between the DSA and the GDPR

On 12 September 2025, the EDPB adopted guidelines clarifying how the DSA interacts with the GDPR. The EDPB stressed that the DSA complements the GDPR and must be applied consistently to safeguard fundamental rights in the digital space. The guidelines explain how GDPR concepts apply to DSA obligations involving personal data processing, including notice-and-action systems for illegal content, recommender systems, safeguards for minors (such as restrictions on profile-based advertising), transparency of advertising, and the prohibition of using special categories of data for profiling. You can provide your feedback on the guidelines until 31 October 2025.

You can read the press release here and the Guidelines here.

International: Data protection authorities sign MoU

In September 2025, the FDPIC and the Brazilian data protection authority announced that they had signed an MoU with the ICO during the 47th Global Privacy Assembly in Seoul. The MoU aims to increase cooperation between the FDPIC and the ICO in data protection.

You can read the MoU here.

Adtech and direct marketing

UK: ICO debunks myths on storage and access technologies

On 11 September 2025, the ICO published a blog post debunking common myths about how the law applies to both storage and access technologies. The ICO stated that ‘strictly necessary’ means storage or access must be essential to provide the service the user requests. This differs from what a service provider might consider strictly necessary, such as using storage and access technologies to generate revenue through online advertising. Additionally, legitimate interests cannot be used for non-exempt storage and access technologies, and consent must be obtained.

You can read the full blog post here.

EU: IAB Europe publishes report on AI and digital advertising

On 18 September 2025, IAB Europe announced the release of the first pan-European Impact Report on the Impact of AI on Digital Advertising. The report focused on gathering responses related to AI usage statistics and internal privacy and governance frameworks. The report found that 85% of companies are already using AI-based tools for marketing and 68% of companies have general internal AI guidelines in place. Despite this, only 43% have internal guidelines specifically for marketing and advertising.

You can read the press release here and the report here.

AI and innovation

UK: DSIT publishes policy paper on trusted third-party AI assurance roadmap

On 3 September 2025, the DSIT published a policy paper highlighting the new but high-potential market for AI Assurance services. The DSIT recognised the UK as the third largest AI market in the world, with the opportunity to become a world leader for AI Assurance Services. The DSIT created this policy paper to address the barriers that restrict growth in this market, while also outlining the initial steps the government is taking to provide possible solutions for its advancement. For example, the AI Assurance Innovation Fund will focus on eight industrial sectors to develop novel assurance solutions to future-proof the market.

You can read the press release here and the policy paper here.

EU: The EC launches consultation on program to simplify rules on digitisation

The EC recently launched a public consultation on the Digital Omnibus Package, which aims to simplify digitalisation regulations, minimise the costs of compliance, and ensure clear information and effective application of the acts specified in the package. The Digital Omnibus Package will focus on the following areas:

  • Issues related to regulations on cookies and other tracking technologies;
  • Obligations concerning the reporting of cybersecurity incidents;
  • The legal acquis on data (including the Data Governance Act, the Regulation on the free flow of non-personal data, and the Open Data Directive);
  • The smooth application of the provisions of the EU Artificial Intelligence Act; and
  • Other aspects associated with, among others, electronic identification.

You can read the press release and Digital Omnibus here.

EU: EC launches consultation on guidelines and Code of Practice for AI transparency requirements

On 4 September 2025, the EC launched a consultation to develop guidelines and a Code of Practice on the practical implementation of transparency requirements of AI Systems. Following the introduction of the EU AI Act, deployers and providers of AI must ensure users are well informed as to whether or not they are interacting with an AI system. As a result, the EC launched a consultation inviting mostly providers and deployers of interactive and generative AI models and systems to share their views. The consultation is also accompanied by a call for proposals for stakeholders to take part in the formation of the Code of Practice.

You can read the press release here.

EU: European Parliament publishes briefing on AI continent action plan

On 22 September 2025, the European Parliament published an AI continent action plan briefing. The briefing provided updates on the progress made on the building of large-scale artificial intelligence data and computing infrastructure, strengthening AI skills and talent and fostering regulatory compliance and simplification. Additionally, the briefing highlighted the EC’s proposal for the ‘Apply AI’ strategy and emphasised that the European Parliament will play a key role in overseeing the EC’s activities and shaping forthcoming legislation.

You can read the briefing here.

Cyber, breach and ransomware

UK: The NCSC publishes guidance on recovering from cyber incidents

Recent cyber incidents targeting organisations have led to significant business and service disruptions. The NCSC advises organisations not only to strengthen defences against attacks but also to prepare recovery strategies. Key recommendations include:

  • Implementing foundational security measures to counter common threats.
  • Encouraging larger organisations to use the Cyber Assessment Framework to identify, manage, and plan for service continuity during disruptions.
  • Developing recovery plans by safeguarding critical technologies, assessing operational impacts, and tailoring staff training for recovery scenarios.
  • Sharing experiences of incidents and recovery strategies through sector-wide trust groups.
  • Integrating cyber resilience into strategic decision-making at leadership level using the Cyber Governance for Boards guidance.

You can read the full article here.

UK: ICO publishes final guidance on encryption

Following the recent open consultation on the draft guidance for encryption, the ICO published its final version of the guidance on 2 September 2025. The publication provides a comprehensive explanation of what encryption is, as well as a section containing illustrative scenarios of its use. Moreover, the guidance concentrates on how encryption interacts with data protection, data transfers, and data storage.

You can find the full publication here.

EU: EDPS publishes Opinion on signing and conclusion of UN Convention against Cybercrime

On 4 September 2025, the EDPS issued Opinion 23/2025 on the two proposals for EC decisions on the signing and conclusion of the United Nations Convention against Cybercrime (“Convention”). This follows its earlier Opinion 9/2022 of 18 May 2022 on the EC’s Recommendation for a Council Decision authorising the participation of the EC, on behalf of the European Union, in the negotiations of the Convention. The EDPS notes that most of its recommendations from Opinion 9/2022 have been incorporated or addressed in the final text of the Convention. However, it also raises some concerns and offers further recommendations.

You can read the press release here.

EU: EDPB issues a response letter to CCIA Europe regarding its guidelines on calculation of fines

On 23 September 2025, the EDPB responded to CCIA Europe’s request to revise Guidelines 04/2022 on calculating administrative fines under the GDPR. After reviewing the CJEU ruling in case C-383/23 (ILVA), the EDPB concluded that the guidelines already align with the court's interpretation and do not require changes. The guidelines outline a step-by-step method for determining fines, factoring in turnover and the nature and seriousness of the infringement. Importantly, they also allow data protection authorities to assess each case individually based on its specific circumstances.

You can read the letter here.

If you have any questions relating to this article, please reach out to our authors below.
