Privacy In Focus | March

March 31, 2025

by Olena Nechyporuk

We bring you a round-up of articles and updates in the data sphere.

Monday, 31st of March 2025

Less ChatGPT Restrictions: a New Era?

Now that the Trump administration is in power, several tech giants are attempting to distance themselves from their previous 'safe' guidelines in favour of 'trusting user creativity'. ChatGPT has now launched native image generation. Although so far this has resulted only in a flood of Studio Ghibli-style memes, the ramifications are huge. Where will the data for image generation be taken from? ChatGPT can now create images of public figures like Donald Trump and Elon Musk - how does this fit in with privacy principles? Joanne Jang, who leads model behavior at OpenAI, says that with the new approaches to ChatGPT, the company is trying to 'find ways to responsibly increase user freedom.' The following quote summarises their current approach:

“Ships are safest in the harbor; the safest model is the one that refuses everything. But that’s not what ships or models are for.”

Let's watch this space. We hope ChatGPT takes on privacy in a responsible and safe way.

Read more

---

The ICO Fine that could have been Avoided

When the Information Commissioner fined Advanced Computer Software Group £3.07m for security failings last month, it marked the culmination of a two-year investigation into one of the NHS's most disruptive cyber incidents. The ransomware attack exposed the personal information of nearly 80,000 people, as well as leaving healthcare staff unable to access patient records. Most alarming was the theft of data revealing how to enter the homes of 890 vulnerable individuals receiving care.

The attack's entry point could hardly have been more basic: Advanced's health and care systems were breached through a customer account that lacked multi-factor authentication. The investigation revealed a long list of security shortcomings – inadequate vulnerability scanning, poor patch management, and inconsistent deployment of basic protections – any one of which, had it been addressed, might have prevented the breach.

Could the penalty have been even higher? The ICO certainly thought so, announcing a provisional intention to fine Advanced £6.09m back in August. The company's swift engagement with the National Cyber Security Centre, National Crime Agency and NHS following the attack helped halve that figure. Now, Advanced has agreed to a voluntary settlement, paying the reduced penalty without appeal – a quiet end to a case that exposed just how vulnerable our healthcare data infrastructure remains due to insufficient data protection compliance. The question is whether other NHS suppliers are taking note. Privacy is important - and robust security is the gateway to good privacy.

Read more

---

The Ongoing 23andMe Investigation…

Genetic testing firm 23andMe has filed for Chapter 11 bankruptcy. The looming £4.59m fine from British regulators may have hastened its collapse. The Information Commissioner's Office revealed yesterday it had issued provisional findings earlier this month against the company following a devastating data breach first reported in October 2023.

"Genetic information is among the most sensitive personal data a person can entrust to a company," says Stephen Bonner, ICO Deputy Commissioner, and we agree. The ICO's joint investigation with Canada's Privacy Commissioner found serious privacy shortcomings in how 23andMe protected its customers' most intimate biological data.

The ICO insists the UK's data protection laws still apply regardless of 23andMe's financial troubles, and says it's "monitoring the situation closely." But for the millions who sent their DNA samples to the company over the years, the bankruptcy raises troubling questions about who might eventually control access to the genetic information that makes them who they are. "The protections of UK GDPR continue to apply" – regardless of who emerges as the new owner.

We will continue to monitor this case with interest.

Read more

---

CJEU Clarifies Data Correction Procedures for LGBTQ People

The CJEU has ruled that proof of gender surgery is not required for the rectification of data relating to gender identity.

In 2014, VP, an Iranian national, obtained refugee status in Hungary. According to their medical certificates, although that person was born female, their gender identity was male. That person was nevertheless registered as female in the asylum register, which is kept by the Hungarian asylum authority and contains identification data.

In 2022, VP requested, inter alia, that the asylum authority rectify the entry in respect of their gender in that register, on the basis of Article 16 of the General Data Protection Regulation (GDPR). That request was rejected on the ground that VP had not proved that they had undergone gender reassignment surgery, and VP brought an action against that rejection before the Budapest High Court (Hungary).

The CJEU has ruled that for the purposes of exercising their right to rectification, a person may be required to provide relevant and sufficient evidence that could reasonably be required in order to establish that the data is inaccurate. However, a Member State may not, under any circumstances, make the exercise of the right to rectification conditional upon the production of evidence of gender reassignment surgery.

A requirement to produce evidence of gender reassignment surgery undermines, in particular, the essence of the right to the integrity of the person and the right to respect for private life, referred to in Articles 3 and 7 of the Charter of Fundamental Rights of the European Union.

Read more

---

ICO Outlines Plans for Driving Economic Growth

Today, the Information Commissioner John Edwards met with Chancellor of the Exchequer Rachel Reeves to discuss the ICO's commitments for the next year, aimed at driving economic growth.

The ICO has plans to:

• Publish a free data essentials training programme for small businesses, helping them save at least £9.1m over three years.

• Pilot an experimentation regime for data essentials training, to enable businesses to trial innovative new data-driven solutions under rigorous oversight.

• Introduce a statutory code of practice for private and public sector businesses developing or deploying AI, allowing them to unleash the possibilities of the technology while safeguarding the public’s privacy, and strengthening the UK’s position as a global AI leader.

• Cut red tape for businesses by paving the way for privacy-friendly online advertising and driving investment in unintrusive advertising models.

• Publish new guidance on international transfers of data (underpinning around 40% of UK exports and 20% of imports), making it easier for UK businesses to access new markets and partners.

Read more

---

Is Your Children's Data Safe?

Children are increasingly being exposed to Internet feeds, whether that be a simple Google search or a TikTok video. While it can be helpful to receive personal recommendations, this can come with a trade-off.

From the moment a child opens a website or an app, large amounts of information are collected to potentially determine the content that will be shown. There is always an inherent risk that the content may be inappropriate for some children to see. This is why companies should be very transparent about how they use personal information to recommend content.

For this reason, the ICO has announced that it has launched three investigations looking into how TikTok, Reddit and Imgur protect the privacy of their child users in the UK. We look forward to the results of these investigations.

It is imperative that children engaging with online content are able to do so in a safe and lawful way.

Read more

---

EDPB to Focus on the 'Right to Erasure' as Part of CEF 2025

As part of the Coordinated Enforcement Framework (CEF), Data Protection Authorities (DPAs) across Europe focus on one aspect of the GDPR every year to streamline enforcement and cooperation. The CEF creates a structure for DPAs to work together, coordinate or facilitate enforcement actions on a pre-defined topic and with an agreed-upon methodology.

Today, the EDPB has announced that the right to erasure, or the “right to be forgotten” (Art. 17 GDPR), will be the focus in 2025. It is, by far, the most commonly exercised GDPR right, and the right about which DPAs receive the most complaints from individuals.

Throughout 2025, the European DPAs will:

- contact a number of controllers from different sectors across Europe, either by opening new formal investigations or by carrying out fact-finding exercises;

- check how controllers handle and respond to the requests for erasure that they receive and, in particular, how they apply the conditions and exceptions for the exercise of this right;

- stay in close contact to share and discuss their findings throughout the year. The results of these national actions will be aggregated and analysed together to generate deeper insight into the topic.

Read more