Welcome to the Final Edition of the Stephenson Harwood Data Protection Update for 2025
As November unfolds, so too do significant developments in the world of data protection and cyber security. In this final update of 2025, we dive into a plethora of updates and legislative changes, shining a light on areas ranging from Europe’s regulatory advancements to India’s groundbreaking digital privacy law.
Data Regulation
The “Digital Omnibus”: Key Changes to EU GDPR and AI Regulation
On November 19, 2025, the European Commission unveiled its long-anticipated Digital Omnibus Regulation. This initiative aims to reform EU data, AI, and cyber legislation, promoting innovation while upholding high compliance standards. The proposed amendments will affect various legal frameworks, including the GDPR and the ePrivacy Directive.
While the specifics of these reforms will be hashed out in trilogue negotiations among EU institutions, organizations should start preparing for these imminent changes. Key amendments to keep an eye on have been summarized comprehensively here.
Further DUAA Provisions Come Into Force
Significant provisions under the Data (Use and Access) Act 2025 (DUAA) have been activated, particularly those relating to law enforcement processing and digital verification services. As we approach the second phase of implementation, organizations are advised to monitor developments closely.
Notably, sections 89 and 90 of the DUAA, which address joint processing of personal data for law enforcement and intelligence purposes, came into effect on November 17, 2025. With further updates expected in January 2026, companies should stay tuned for regulatory changes affecting their operations. Our DUAA implementation tracker offers further insights into these developments here.
India Finalizes Its First Digital Privacy Law
As of November 13, 2025, India has officially enacted the Digital Personal Data Protection Rules 2025, operationalizing the Digital Personal Data Protection Act of 2023. This comprehensive statute establishes principles and compliance requirements for handling digital personal data within the country.
The phased implementation of the Act over the next year and a half allows organizations a crucial transition period. Key features revolve around duties of "Consent Managers" who oversee personal data consents, mandatory security standards, and stricter data breach reporting procedures. This landmark legislation serves as a significant step forward in ensuring robust data privacy measures in India.
Cyber Security
UK Government Introduces Long-Awaited Cyber Security Legislation
On November 12, 2025, the UK government introduced the Cyber Security and Resilience (Network and Information Systems) Bill into Parliament. This proposed legislation is a response to the increasing threats posed by cyber attacks, which impacted over 600,000 UK businesses last year.
The Bill not only expands the scope of existing NIS Regulations but also enhances regulatory powers and accountability, including mandatory incident reporting and penalties for breaches. This legislative initiative aims to fortify the UK’s essential services and digital infrastructure, ensuring resilience against cyber threats.
China Tightens Cyber Security Measures
Recent developments in China have led to heightened compliance risks for businesses operating within its jurisdiction. Effective January 1, 2026, the Revised Cybersecurity Law introduces tougher penalties and broader enforcement powers, requiring companies to adapt quickly to new obligations.
Additionally, the Measures for the Administration of National Cybersecurity Incident Reporting, which took effect on November 1, 2025, establish stringent requirements for incident reporting, emphasizing the necessity for timely disclosures and proactive compliance strategies.
Enforcement and Civil Litigation
ECJ Rules on ePrivacy Directive Supremacy
On November 13, 2025, the European Court of Justice ruled that the ePrivacy Directive takes precedence over the GDPR for direct marketing purposes. This notable ruling allows businesses to use email addresses for direct marketing under certain conditions without additional GDPR lawfulness obligations, providing clarity on indirect marketing strategies.
This ruling provides a vital insight for companies leveraging free or freemium models, confirming their ability to use the "soft opt-in" exemption under ePrivacy rules without the need for extra consent from users, provided they offer an opt-out option.
FCA Prosecutes Employee for Data Breach
A groundbreaking case highlighted the pressing issue of insider data theft when Mr. Coleman, a former Virgin Media O2 employee, was convicted of unlawfully selling confidential customer data. His actions enabled significant fraud against multiple investors and had severe ramifications for data protection.
Despite the significant implications, Mr. Coleman received a relatively minor financial penalty. This serves as a critical reminder of the evolving legal landscape around data protection enforcement, showcasing the FCA’s commitment to tackling misuse of personal data and financial crime.
In this busy month of significant regulatory developments and enforcement actions, it becomes apparent that both data protection and cyber security will continue to be crucial elements for organizations across jurisdictions. From preparing for new regulations to ensuring compliance with existing laws, businesses must stay informed and agile in the face of evolving legal landscapes.