Two-Minute Recap of Data Protection Law Matters Around the Globe - May 2025

California Health Data Breach

Covered California, the state’s health insurance marketplace, has been found to have shared sensitive personal data, including users’ names, the last four digits of their Social Security numbers, and pregnancy status with LinkedIn via an embedded advertising tracker. This data transfer occurred despite LinkedIn’s own policy stating that its tracking tools should not be used on pages containing sensitive information. In response, the state has removed all advertising tags from the website. Representative Kevin Kiley has called for a federal investigation, citing a potential violation of the Health Insurance Portability and Accountability Act.

Big Fine for TikTok

TikTok has been fined €530 million by the Irish Data Protection Commission for violating the EU’s General Data Protection Regulation (“GDPR”) by unlawfully transferring personal data of European users to China. The investigation revealed that TikTok failed to adequately protect access to EU users’ data from its China-based employees and did not properly assess the risks posed by Chinese data access laws. Additionally, the company did not clearly inform users that China was a target destination for data transfers and failed to meet transparency obligations. TikTok stated it will appeal the decision and highlighted its ongoing reforms under its “Project Clover” initiative to enhance data protection.

Temu Fined in South Korea Over User Data Handling Failures

South Korea’s Personal Information Protection Commission has fined Chinese e-commerce platform Temu $2 million for failing to properly safeguard user data and for lacking transparency in its data collection practices. The company reportedly did not clearly inform users about the types and purposes of data collected, and fell short in protecting personal data transferred abroad. The case reflects growing regulatory scrutiny in Asia over cross-border data flows and user privacy.

Cyberattack Hits Pearson: Student and Teacher Data Compromised

Education giant Pearson disclosed a cyberattack resulting in unauthorized access to customer data, including personal information of students and teachers. The company promptly identified the breach and notified affected individuals. The incident underscores the critical importance of digital security in education and raises expectations for Pearson to strengthen its data protection measures.

UK Legal Aid Agency Hit by Cyberattack, Personal Data Exposed

The UK’s Legal Aid Agency announced that a recent cyberattack compromised some personal data. The breach potentially exposed identity and contact details of individuals using the agency’s legal services. Officials responded swiftly to contain the attack and confirmed they will notify affected users. The incident has once again highlighted the critical importance of personal data protection in public institutions.

Google Hit with $391.5 Million Fine Over Unauthorized Location Tracking in the US

Google has agreed to pay $391.5 million following lawsuits from 40 US states accusing the company of collecting users’ location data without proper consent or transparency. Despite users disabling location history, Google continued to track their movements. As part of the settlement, Google committed to providing clearer disclosures and enhancing user control over location settings, effective starting from 2023. This penalty marks a significant milestone in the growing regulatory scrutiny of tech giants’ data privacy practices in the United States.

EDPS Issues New Guidance: “Data Protection Must Be More Than Just a Principle”

The European Data Protection Supervisor (“EDPS”) has released a new guidance emphasizing that EU institutions must ensure legislative acts involving personal data processing are clear, precise, and foreseeable.

The guidance outlines the necessity for explicit definitions of data processing purposes, legal bases, durations, and safeguards. EDPS President Wojciech Wiewiórowski highlighted that this document serves as a practical tool for enhancing data protection standards across EU institutions. Published as part of the EDPS’s 20th-anniversary initiatives, the guidance underscores the importance of safeguarding individuals’ digital rights in an increasingly complex regulatory landscape.