Two-Minute Recap of Data Protection Law Matters Around the Globe – April 2025

Big Fine from ICO

On 24 April 2025, the UK’s Information Commissioner’s Office (“ICO”) fined AFK Letters Co Ltd (“AFK”) 90,000 euros for breaching privacy laws by making over 95,000 unsolicited marketing calls to individuals listed on the Telephone Preference Service (“TPS”).

AFK, which offers compensation and refund services, used personal data collected via its own website and a third-party phone survey provider but failed to demonstrate valid, informed consent for these calls. AFK claimed it routinely deleted customer data after three months, but it could not produce proof of consent even for calls made within that period. The ICO concluded that AFK had violated the Privacy and Electronic Communications Regulations, which requires businesses to obtain explicit, informed, and specific consent for direct marketing calls.

Nigeria Confirms $220M Fine Against Meta

In April 2025, Nigeria’s Competition and Consumer Protection Tribunal upheld a $220 million fine imposed on Meta Platforms for violating national consumer protection, data privacy, and data processing laws. The penalty was originally issued by the Federal Competition and Consumer Protection Commission in July 2024 due to Meta’s discriminatory and exploitative practices toward Nigerian consumers, especially when compared to how it operates in jurisdictions with similar regulations. Meta’s appeal was dismissed.

New Data Standards in China

China’s data regulator, the Cyberspace Administration of China, has released a list of frequently asked questions to clarify common concerns multinational companies face regarding cross-border data transfers. According to the guidance, general data that does not fall under the category of personal or important data can be freely transferred abroad. However, the transfer of important data and large volumes of personal data will require a security assessment, standard contractual clauses, or certification, depending on the scenario.

Additionally, on 9 April 2025, China’s National Information Security Standardization Technical Committee published six new national standards in the fields of data protection and cybersecurity. These standards cover security requirements for operations and maintenance products, data security evaluation institutions, automated decision-making using personal data, government data processing, organizational requirements for personal data protection by large internet enterprises, and network equipment security requirements for programmable logic controllers. The new standards will take effect on 1 October 2025.

79M Euros Privacy Fine for Ubisoft

On April 24, 2025, privacy advocacy group Noyb filed a complaint with Austria’s data protection authority, accusing Ubisoft of unlawfully collecting player data in games like Assassin’s Creed Shadows and Far Cry Primal without users’ explicit consent. The complaint alleges that Ubisoft requires internet connections even for single-player games to harvest detailed gameplay data and transmit it to third-party servers like Amazon and Google. Noyb claims this practice violates the EU’s General Data Protection Regulation (“GDPR”) and is demanding a 79 million euros fine and deletion of unlawfully collected data. Ubisoft has not commented on the allegations. If the fine is upheld, the case could set a precedent for how the gaming industry handles user data in offline experiences, potentially forcing major changes across the sector.

X’s AI Model Grok Under Investigation

Ireland’s Data Protection Commission (“DPC”) launched an investigation into how X, the tech platform owned by Elon Musk, uses personal data to train its AI model, Grok. The probe focuses on compliance with key GDPR provisions, including the lawfulness and transparency of data processing. While X previously promised to halt such data processing and made the model available in the EU, the DPC deemed these changes insufficient. If found in violation, X could face fines of up to 20 million euros or 4% of its global annual turnover.

DeepSeek Returns to South Korea

As of April 28, 2025, Chinese AI service DeepSeek has become available again in South Korea’s app stores after a nearly two-month suspension. The app had been removed in February following an investigation by South Korea’s Personal Information Protection Commission, which found that DeepSeek transferred user data and prompts without consent upon its initial launch in January. Now available again via Apple’s App Store and Google Play, DeepSeek has revised its privacy policy to comply with South Korean data protection law. The company now allows users to opt out of sharing personal data with certain firms in China and the United States. Authorities confirmed that DeepSeek voluntarily resumed availability after partially implementing their recommendations.

Law Firm Fined 60K Euros Over Cybersecurity Failures

The ICO fined Merseyside-based law firm DPP Law Ltd. (“DPP”) 60,000 euros after a cyberattack exposed highly sensitive personal data on the dark web. The breach occurred due to weak security measures, including the use of an infrequently accessed administrator account without multi-factor authentication. Attackers gained access to the firm’s systems and stole 32GB of data, including confidential and legally privileged information. DPP delayed reporting the incident and failed to initially recognize it as a personal data breach. The ICO emphasized that data protection is a legal obligation, not optional, and organizations must maintain strong cybersecurity practices.

New Health Data Hub in UK

On April 7, 2025, UK Prime Minister Keir Starmer announced that up to 600 million pounds will be invested in a new health data research service aimed at accelerating clinical trials and supporting scientific studies. The service, expected to launch by the end of 2026, will provide a single, secure, and user-friendly platform to streamline researchers’ access to health data. The government believes this initiative could significantly advance treatments for cancer, dementia, and arthritis.