Two-minute Recap of Data Protection Law Matters Around the Globe - March 2025
Contents
- Apple Rejects UK Data Order
- Meta AI Enters the EU with Privacy Restrictions
- U.S. Launches Genomic Data Protection Act
- NHS Software Firm Fined for Data Breach
- EDPB Targets Data Erasure
- Massive Fine Stands for Amazon
- Honda Penalized for Privacy Breach
- UK Investigates Child Data Use
- Privacy Concerns Over EU Border Checks
Apple Rejects UK Data Order
Apple has filed a legal challenge in the UK against a secret government order demanding access to users’ encrypted data, including content protected by its strongest privacy feature, Advanced Data Protection (“ADP”). Rather than weakening its security system by building a backdoor, Apple removed ADP from the UK market, stating it would not compromise user security. Apple has initiated a legal bid to challenge the directive, bringing the matter before the Investigatory Powers Tribunal, a specialized court responsible for reviewing allegations made against the country’s security agencies.
Meta AI Enters the EU with Privacy Restrictions
On March 20, 2025, Meta announced that its AI assistant, Meta AI, will be launched in the European Union (“EU”). While the assistant has been available in the U.S. since September 2023 with features like image generation and stylistic selfies, the EU rollout will be limited to chat-based functionalities only.
The launch follows a delay in 2024 after the Irish Data Protection Commission (“DPC”) raised concerns about Meta’s plan to use adult user data from Facebook and Instagram to train large language models without a valid legal basis under the General Data Protection Regulation (“GDPR”). Meta had relied on “legitimate interest” and introduced a burdensome opt-out mechanism, rather than obtaining users’ explicit consent through a simple opt-in model. As a result, Meta is currently offering a limited version of the assistant that provides only general content suggestions, without training on EU user data.
U.S. Launches Genomic Data Protection Act
The Genomic Data Protection Act (“GDPA”) was introduced on March 5, 2025, in the U.S. Senate to safeguard consumer rights regarding their genetic data. The bill applies not only to direct-to-consumer genetic testing companies but also to entities that purchase such data, aiming to ensure individuals’ rights to access and delete their genetic information. It requires companies to clearly inform consumers about data sharing, especially for scientific research under the Health Insurance Portability and Accountability Act, and to notify them in case of corporate acquisitions. Violations of the GDPA would be considered unfair or deceptive trade practices under the Federal Trade Commission Act. The bill only preempts state laws where direct conflicts exist.
NHS Software Firm Fined for Data Breach
The UK Information Commissioner’s Office (“ICO”) has fined Advanced Computer Software Group £3 million over a ransomware attack in 2022 that affected the National Health Service (“NHS”). The breach exposed the personal data of 79,404 individuals. Sensitive information, including phone numbers, medical records, and home entry instructions, was leaked for 890 people receiving care at home. The attackers gained access via a customer account that lacked multi-factor authentication. The ICO concluded that the company had failed to implement adequate security measures before the incident. The cyberattack disrupted critical services and prevented healthcare staff from accessing patient records.
EDPB Targets Data Erasure
The European Data Protection Board (“EDPB”) announced on 5 March 2025 that this year’s Coordinated Enforcement Framework (“CEF”) will focus on the “right to erasure”. This right allows individuals to request the deletion of their data under certain conditions and remains one of the most frequently raised concerns by data subjects. Throughout the year, data protection authorities across the European Economic Area will examine how erasure requests are handled. Ireland’s DPC will contribute by distributing questionnaires to selected organizations as part of a fact-finding exercise. The findings will be jointly analyzed at the end of the year and used to inform targeted follow-ups at both national and EU levels. This marks the fourth coordinated action under the CEF, following previous initiatives on cloud service use, the role of Data Protection Officers, and the right of access.
Massive Fine Stands for Amazon
Amazon was fined €746 million in 2021 by the Luxembourg Data Protection Authority (“CNPD”) for processing online user data without obtaining proper consent, violating the GDPR. In 2025, the Luxembourg Administrative Court rejected Amazon’s appeal, upholding the record fine issued by the CNPD. The company has 40 days to decide whether to take the case to a higher court. Amazon criticized the decision, arguing that the CNPD imposed the unprecedented fine without providing prior interpretive guidance on the ambiguous provisions of the law. The effects of the fine remain suspended during the appeal process.
Honda Penalized for Privacy Breach
The California Privacy Protection Agency (“CPPA”) has fined American Honda Motor Co. $632,500 for violating the California Consumer Privacy Act. The CPPA found that Honda made it difficult for consumers to exercise their privacy rights, required excessive personal information, provided asymmetric privacy tools, and shared data with ad tech companies without proper contractual safeguards. Honda has been ordered to simplify its processes, train employees, and improve its data protection practices.
UK Investigates Child Data Use
The ICO has launched three investigations into how TikTok, Reddit, and Imgur handle children’s personal data. The probe into TikTok focuses on how the platform uses data from 13–17-year-olds to deliver content recommendations, while the Reddit and Imgur investigations assess their age assurance measures. These efforts aim to determine whether the platforms are meeting their legal obligations to protect children’s privacy online. The ICO has previously driven significant changes in platforms like X, BeReal, Dailymotion, and Viber to enhance child safety. The regulator will continue working closely with Ofcom to ensure children’s data rights are upheld.
Privacy Concerns Over EU Border Checks
EU interior ministers approved the phased launch of the Entry/Exit System (“EES”) on 5 March 2025, a digital system that will record the entry and exit of travelers from non-EU countries into the Schengen area. The EES will collect biometric data, including fingerprints and facial scans, of third-country nationals upon entry. While the system aims to enhance border security and prevent illegal migration, it has raised concerns regarding data privacy, children’s rights, and the right to asylum.