Data Dispatch - April 2025
Welcome to the latest edition of Data Dispatch from the Data Advisory team at RPC. Our aim is to provide you on a regular basis with an easy-to-digest summary of key developments in data protection law.
Please do feel free to forward on the publication to your colleagues or, better still, recommend that they subscribe to receive the publication directly.
If there are any issues on which you'd like more information (or if you have any questions or feedback), please do let us know or get in touch with your usual contact at RPC.
ICO launches investigations into use of children's data by social media and video-sharing platforms
As part of its campaign to ensure digital services are designed to safeguard children's personal data and in line with its 2024/2025 focus area on social media and video sharing platforms, the UK's Information Commissioner's Office (ICO) has recently launched investigations into TikTok, Reddit and Imgur to assess how the platforms handle children's personal data.
The ICO's investigation of TikTok, a video-sharing app that is hugely popular with younger audiences, focuses on TikTok's use of the personal data of 13- to 17-year-olds to generate recommendations and deliver tailored content. It was triggered by the ICO's concern that young people's online activity is being used to serve them potentially unsuitable and harmful content.
Reddit and Imgur, both widely used for sharing images and participating in online communities, are under scrutiny for their age assurance measures (i.e. the methods they use to estimate or verify users' ages). Age assurance is central to protecting children online, because a platform that cannot tell which of its users are children cannot apply the protections their data requires.
This is the latest in a series of actions taken by the ICO since its Children's Code came into full effect in 2021, all aimed at protecting children's privacy rights. In response to the ICO's campaign, platforms including X, Sendit, BeReal, Dailymotion and Viber have implemented stronger privacy measures to safeguard children's data.
Along with the announcement of the investigations into TikTok, Reddit and Imgur, the ICO provided a progress report on its Children's Code strategy, including an overview of the results of its enforcement activity and a table showing the compliance of 34 social media and video sharing platforms against key metrics. It is also worth noting that the new Data (Use and Access) Bill contains new requirements in relation to the offering of information society services to children.
In a sign of the increasingly cross-regulatory nature of enforcement, the ICO will be coordinating its work on children's data with Ofcom (which enforces the Online Safety Act), particularly in relation to age assurance. Ofcom's significant online safety enforcement powers include the ability to levy large fines and, in serious cases, restrict services or access to the offending platform. Coupled with the serious potential sanctions under data protection law, the risks are heightened for platforms that fail to comply with the law in this area.
(ICO's Website)
(ICO's Children's Code strategy progress update - March 2025)
CJEU - Maximum data protection fine for a subsidiary is calculated on the total annual worldwide turnover of its group
In a judgment delivered in February 2025 (ILVA A/S, Case C-383/23), the Court of Justice of the European Union held that the maximum data protection fine available against a subsidiary is calculated by reference to the total annual worldwide turnover of the group to which it belongs, but that the fine actually imposed must be determined by reference to additional factors.
The case concerned a request for a preliminary ruling from the High Court of Western Denmark in respect of Articles 83(4) to (6) of GDPR. It related to a fine levied on a furniture retail chain for breaches of GDPR (specifically retention of former customer data) and whether or not the fine should be calculated based on the turnover of the furniture company's group or just of the company in breach. The court also addressed the meaning of "undertaking" (used in the relevant fining calculation provisions of GDPR (Article 83)).
The Court found that "undertaking" carries its competition law meaning under the Treaty on the Functioning of the European Union (TFEU), i.e. "an economic unit", covering "any entity engaged in an economic activity, irrespective of the legal status of that entity and the way in which it is financed". The maximum fine should therefore be assessed as a percentage of the total annual worldwide turnover of the group (i.e. the "undertaking") in the preceding financial year.
The Court however drew a distinction between the basis for calculating the maximum fine and the assessment of the fine actually to be imposed in each case. Fines must be "effective, proportionate and dissuasive". The "actual or material economic capacity" of the entity in breach must be considered in assessing whether a fine is proportionate, which includes taking into account whether that entity is part of a wider undertaking/group. Other factors relevant to the level of the fine are the nature, gravity and duration of the infringement, the number of data subjects affected and the extent of the damage they suffered. Authorities should also take account of whether the infringement was negligent or intentional, the steps taken by the controller or processor to mitigate the damage, the degree of responsibility of the controller or processor and the categories of personal data affected. In this way the fine imposed will reflect the circumstances of the case and achieve its intended purpose of being "effective, proportionate and dissuasive".
It is worth noting that the ICO's fining guidance (March 2024) takes the same view of "undertaking" as the Court: "Where a controller or processor forms part of an undertaking, for example where a controller is a subsidiary of a parent company, the Commissioner will calculate the maximum fine based on the turnover of the undertaking as a whole". The ICO refers to Recital 150 UK GDPR, which states that "Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes". The guidance goes on to state that "While Articles 101 and 102 TFEU and EDPB decisions no longer apply to the UK following the UK's exit from the European Union, the concept of an 'undertaking' is well established in UK competition law through UK and retained EU case law."
Although companies may take some comfort from the reasoning of the court in relation to calibrating fines based on the context/particular circumstances of the breach, the case highlights the importance of ensuring data protection law compliance across groups of companies and the potentially severe financial repercussions that can ensue if things go wrong.
(Judgment)
(ICO Fining Guidance)
ICO issues first fine against data processor for security failings
Advanced Computer Software, now trading as OneAdvanced (Advanced), has become the first data processor to be fined by the UK Information Commissioner's Office (ICO) for security failings, following a serious ransomware incident in August 2022. The fine, provisionally set at £6.09 million in the ICO's notice of intent, was reduced to £3.07 million after the company made representations and agreed not to appeal. This is a significant development under the UK GDPR and the Data Protection Act 2018: it demonstrates the ICO's readiness to hold processors directly accountable, particularly where security deficiencies are substantial and prolonged.
Advanced provided software and services to NHS organisations, which included processing special category data concerning health under Article 9 UK GDPR, as well as the data of children and vulnerable individuals. The ICO found that the company had failed to implement appropriate technical and organisational measures, as required by Article 32(1) UK GDPR, to ensure a level of security appropriate to the risk. In particular, it had not applied critical security updates, had not followed National Cyber Security Centre (NCSC) guidance, and had taken no action despite being aware of the relevant vulnerabilities as early as 2021. The breach in 2022 resulted in the personal data of around 80,000 data subjects being accessed and disrupted services across the healthcare sector, which is classified as critical national infrastructure. The ICO concluded that Advanced had the resources and capability to prevent the incident but failed to do so over a four-year period.
The monetary penalty was issued under sections 149 and 155 of the Data Protection Act 2018, which empower the ICO to impose fines on a controller or processor that fails to comply with its obligations under Articles 25 to 39 of the UK GDPR. The Commissioner found a high degree of culpability, particularly in light of Advanced's role as a processor for public bodies and the sensitive nature of the data involved. The case is a clear warning that processors are not beyond the reach of enforcement and must meet their own security obligations under the UK GDPR, especially when supporting public services that depend on the secure handling of special category data.
(ICO Fine)
RPC's Data Download Event: Insights from the ICO
At RPC's Data Download event on 27 February 2025, RPC's specialist data teams explored current and future challenges and risks in the field of data protection, including compliance, handling cyber incidents and data disputes. We were joined by Padi Dolatshahi, Principal Lawyer at the Information Commissioner's Office (ICO), who discussed the ICO's role in enforcing data protection law in the UK, particularly in relation to personal data breaches.
In her address, Padi urged companies to engage proactively with the ICO when breaches occur and provided recent statistics on reported cyber incidents, the speed of reporting and the categories of incident. The presentation also outlined how the ICO engages with organisations following a data breach and how it assesses the sufficiency of their security measures and their compliance with the UK GDPR. Padi also gave an overview of the ICO's data protection fining guidance and of upcoming regulatory changes, including the Cyber Security and Resilience Bill.
A copy of her slides can be found here.
The ICO's remarks and the other sessions at Data Download underscored the need for organisations to remain proactive, transparent and compliant in their data governance practices in order to navigate the evolving regulatory environment effectively.
Other important developments
EDPB launches its 2025 Coordinated Enforcement on the Right to Erasure, with 30 data protection authorities across Europe participating in an assessment of how controllers handle erasure requests under the GDPR.
In a meeting with the British Retail Consortium which RPC attended, the Department for Science, Innovation and Technology indicated that the DUA Bill is expected to be passed in May, with most of its data protection provisions coming into force six months after that. The European Commission has postponed its review of the UK's adequacy decisions from June to December to allow time to take account of the DUA Bill.
The ICO has finalised its guidance on anonymisation and pseudonymisation. Separately, the ICO has published: (i) its 2025 Tech Horizons Report highlighting the most impactful technologies for the next few years; and (ii) a package of measures to support the UK government's growth agenda.
In our March episode of The Work Couch, Jon Bartley and Helen Yost joined host Ellie Gelder in a two-part series which delves into data protection compliance in the employment context. Listen here.
Stay connected and subscribe to our latest insights and views
Subscribe Here