
Data Protection Update - November 2025

Data Protection | 04/12/2025

Welcome to the final edition of the Stephenson Harwood Data Protection update for 2025, covering the key developments in data protection and cyber security law in November.

In data regulation news, the European Commission publishes its “Digital Omnibus” package; further provisions under the Data (Use and Access) Act 2025 (“DUAA”) come into force; and India finalises its first digital privacy law.

In cyber security news, the UK Cyber Security and Resilience Bill is introduced to Parliament; and China tightens its cyber security with a revised law and incident reporting measures. 

In enforcement and civil litigation news, the European Court of Justice (“ECJ”) rules that the ePrivacy Directive takes precedence over the GDPR for direct marketing purposes; and the FCA prosecutes an employee for selling customer personal data.

Data Regulation

The “Digital Omnibus”: Ten Key Changes to the EU GDPR and AI Regulation

On Wednesday 19 November 2025, the European Commission published its Digital Omnibus Regulation proposal as part of its Digital Omnibus package (the “Digital Omnibus”). 

The Digital Omnibus proposes reforms across EU data, AI and cyber legislation, aimed at simplifying existing laws and boosting innovation, whilst maintaining high standards. It proposes significant amendments to the EU General Data Protection Regulation (“GDPR”), ePrivacy Directive, Data Act, Data Governance Act and NIS2 Directive, as well as the EU AI Act.

Whilst the details will need to be negotiated in trilogue between the EU institutions before anything comes into force, organisations should monitor developments and prepare for change.

We have prepared summaries of the ten key changes proposed to the GDPR and AI regulation here.

Further DUAA provisions come into force

Provisions of the DUAA relating to law enforcement processing and digital verification services have now come into force. The DUAA is being brought into force in four stages, and we are nearing the end of the second. We covered the first stage of implementation in detail in our July edition. We expect the bulk of the key data protection amendments to come into effect in early January 2026, and will provide an update on this in due course.

Stage two saw two developments in November. Sections 89 and 90 of the DUAA, covering joint processing of personal data for law enforcement purposes and by the intelligence services, came into force on 17 November 2025. The Data (Use and Access) Act 2025 (Commencement No. 4) Regulations 2025 were also made on 19 November 2025; these brought Part 2 of the DUAA (digital verification services) into force as of 1 December 2025, with the exception of sections 45 to 48 (which deal with public authorities sharing information with registered digital verification service providers).

For further details on upcoming changes introduced by the DUAA, along with the ICO’s progress in updating its guidance to reflect these changes, you can visit our DUAA implementation tracker here.

India finalises first digital privacy law

On 13 November 2025, India officially notified the Digital Personal Data Protection Rules 2025 (the “Rules”) to operationalise the Digital Personal Data Protection Act 2023 (the “Act”).

The Act is India’s first comprehensive statute governing the processing of digital personal data. The Act is principles-based and sets out practical compliance requirements for organisations handling digital personal data in India. The Act will be implemented in phases over the next 12 to 18 months through a series of notifications to give businesses a transition period for compliance.  

The Rules establish the Data Protection Board (“DPB”) (the adjudicatory body established under the Act) and its operational procedures, which take effect immediately. Obligations of “Consent Managers” (regulated intermediaries tasked with managing consent for personal data processing) begin in 12 months. Core compliance requirements including provisions on consent notices, security safeguards, data retention, children’s data requirements, and data processing restrictions will take effect in 18 months, from 13 May 2027.

Key features of the Act include:

  • Consent Managers: A consent manager will allow individuals to give, manage, review and withdraw consent relating to the processing of their personal data. Consent managers must be registered with the DPB, operate independently, and implement robust security safeguards.
  • Government bodies processing personal data: Government bodies are able to process personal data for certain purposes. The processing must be lawful and for necessary purposes, limited to specific need, with appropriate safeguards and retention limitations.
  • Security safeguards: Minimum security standards, encryption and access controls are mandated. For most businesses this formalises practices they already follow. 
  • Reporting data breaches: There is a two-stage reporting and notification process. All data breaches must be reported to both affected individuals and the DPB without delay, followed by a detailed report to the DPB within 72 hours of the organisation becoming aware of the breach.
  • Data retention: Large platforms must erase inactive user data after three years, while all Data Fiduciaries (any organisation, company, or individual that determines the purpose and means of processing personal data) must retain certain data for at least one year.
  • Children’s data: Parental consent is required for processing children’s data, with specific verification pathways and limited exemptions for healthcare and education.
  • Significant Data Fiduciaries (“SDFs”): SDFs are designated by the government based on the volume and sensitivity of data processed, as well as potential risks. SDFs are subject to enhanced obligations such as annual impact assessments and audits, and restrictions on certain cross-border data transfers.
  • Penalties: Non-compliance can result in large fines – up to INR 250 crore (approx. USD 30 million) for serious breaches. The DPB will oversee enforcement and handle grievances.

The Act applies to data processed within Indian territory or, if processed outside, in connection with any activity relating to the offering of goods and services to individuals within India. Those caught by the Act should begin mapping data flows, updating policies, and preparing for compliance, as enforcement and further government guidance are expected in the coming months.

Cyber Security

UK Government introduces long-awaited cyber security legislation into Parliament

On 12 November 2025, the Department for Science, Innovation and Technology introduced the long-awaited Cyber Security and Resilience (Network and Information Systems) Bill (the “Bill”) into Parliament. The Bill aims to modernise and strengthen the country’s cyber security regime. This move follows a sharp increase in cyber threats, with over 600,000 UK businesses affected by cyber attacks last year and major incidents impacting the national economy.

The Bill updates and expands the existing Network and Information Systems Regulations 2018 (“NIS Regulations”), ensuring that critical sectors are better protected against cyber incidents and enabling a more effective government response to threats. Key measures in the Bill include new duties for regulated organisations to identify and manage cyber risks, mandatory incident reporting to authorities and affected customers, and enhanced powers for regulators to investigate and enforce compliance. The Bill also introduces tougher financial penalties for breaches, with fines of up to £17 million or 4% of global turnover for the most serious failures.

The Bill applies to a broad range of organisations providing relevant services in the UK, regardless of where they are established, including:

  • Operators of essential services (such as energy, transport, health, and water);
  • Data centre providers;
  • Providers of digital services (like cloud computing, online marketplaces, and search engines);
  • Managed service providers (companies managing IT systems for others); and
  • Critical suppliers to these sectors.

By expanding the scope of the NIS Regulations and strengthening enforcement, the Bill aims to ensure the UK’s essential services and digital infrastructure are robust, resilient, and able to recover quickly from cyber incidents.

The EU has already updated its own NIS regime through the NIS2 Directive, which replaced the original NIS Directive. Taken together, these reforms illustrate the EU and UK developing increasingly independent regimes.

We will provide a more detailed analysis of the Bill and its measures in due course.

China tightens cyber security: revised law and incident reporting measures raise compliance stakes for businesses

Two key cyber security developments have emerged from China: the amended Cybersecurity Law (the “Revised Law”), effective 1 January 2026, and the Measures for the Administration of National Cybersecurity Incident Reporting (the “Measures”), effective 1 November 2025.

Revised cyber security law

China’s Revised Law heightens compliance and enforcement risks for businesses with operations in China. Key updates include:

  • substantially increased penalties for non-compliance, with fines up to RMB 10 million (approx. GBP 1.074 million) for critical information infrastructure (“CII”) operators and RMB 2 million (approx. GBP 214,000) for non-CII;
  • regulators such as the Cyberspace Administration of China now possess expanded enforcement powers, including the ability to suspend or shut down non-compliant apps;
  • liability is extended beyond organisations to individuals, who may face fines up to RMB 1 million (approx. GBP 107,000);
  • stricter personal data requirements, including local data storage and mandatory security assessments for cross-border transfers, in line with China’s Personal Information Protection Law 2021 (“PIPL”) and the Civil Code 2020;
  • broader extra-territorial reach, enabling action against overseas entities whose activities threaten China’s network security (including freezing assets and imposing sanctions); and
  • introduction of high-level principles for AI governance and encouraging the use of AI for cyber security.

To prepare for the Revised Law, companies operating in or with China should aim to move from reactive crisis management to proactive risk mitigation. This includes localising compliance strategies, conducting regular security assessments, and maintaining thorough documentation to demonstrate compliance. With enforcement set to intensify, companies caught by the Revised Law should act swiftly to update their cyber security frameworks and ensure robust compliance.

Cyber security incident reporting measures

The Cyberspace Administration of China’s Measures establish the country’s first comprehensive, cross-sector framework for cyber security incident reporting. The Measures define a reportable cyber security incident broadly, to include events caused by network attacks, vulnerabilities or system failures that harm networks, information systems or data and have a negative impact on the country (including its economy).

This framework applies to all “network operators” in China and encourages proactive reporting of incidents classified as ‘relatively serious’ or higher. Although the Measures do not explicitly target foreign entities, organisations with operations or data processing in China must be vigilant to ensure compliance, especially with the one-hour reporting deadline for CII operators.

Enforcement and Civil Litigation  

ECJ rules that ePrivacy Directive takes precedence over GDPR for direct marketing purposes

On 13 November 2025, the ECJ ruled in Inteligo Media SA v ANSPDCP (C-654/23) that where data controllers use an email address for direct marketing purposes within the meaning of Article 13(2) of the ePrivacy Directive, satisfying the conditions for lawful processing under Article 6(1) of the GDPR is not required. Instead, the ePrivacy Directive takes precedence over the GDPR for electronic communications.

The ECJ’s decision aligns with Advocate General (“AG”) Maciej Szpunar’s opinion, delivered on 27 March 2025. The AG opined that: (1) sending newsletters to free accounts is direct marketing if it promotes paid content; but (2) free account registration can be treated as a “sale” under Article 13(2) of the ePrivacy Directive, allowing email addresses to be used for direct marketing (without additional consent) provided users are given the opportunity to object.

This ruling is particularly relevant for companies offering free or “freemium” accounts (including limited free trials), as it confirms their ability to rely on the “soft opt-in” exemption under ePrivacy rules for sending direct marketing communications to users without additional GDPR lawfulness obligations. This ruling was given in the specific context of the tiered subscription model offered by Inteligo Media and therefore should be interpreted narrowly. Not all providers offering free accounts will automatically fall within the scope of this exception. Nevertheless, the judgment provides important clarification on the interplay between the GDPR and the ePrivacy Directive.

FCA prosecutes employee for selling customer personal data

A recent case has exposed the dangers of insider data theft and its role in enabling large-scale financial fraud. Mr Coleman, a former Virgin Media O2 employee, was convicted of unlawfully obtaining and selling confidential customer data, which was then used to defraud 65 investors out of over £1.5 million through a cryptocurrency scam.

Mr Coleman sold the sensitive information to family friend, Mr Harper, who passed it to fraudsters operating a boiler room scheme. Between 2017 and 2019, victims were cold-called and convinced to invest in fake crypto opportunities. 

Mr Coleman was convicted of unlawfully obtaining and disclosing personal data, contrary to s.170(1) of the Data Protection Act 2018 (“DPA”), in the FCA’s first ever prosecution under the DPA. Despite the significant impact, Mr Coleman was fined just £384, plus a £38 surcharge and £500 in prosecution costs. Mr Harper received a £100 fine and a £30 victim surcharge. In the FCA’s press release, its Executive Director of Enforcement and Market Oversight stressed that Mr Coleman “abused his position of trust” and enabled crimes that caused serious financial and emotional harm to victims. 

As the first case of its kind brought by the FCA, it serves as an important warning to organisations and their employees that the FCA will not hesitate to use its powers to tackle misuse of personal data that facilitates financial crime. Simply put, it is not just the ICO that will enforce on this issue. For FCA-regulated firms, it is also a clear indicator of the FCA’s continued focus on this area, including as an element of a broader compliance culture. 

The outcome sends a clear message: regulatory authorities are intensifying efforts to protect consumers and deter both financial crime and data misuse in the digital economy.
