ARTICLE
14 July 2025

Two-Minute Recap Of Data Protection Law Matters Around The Globe

Gen Temizer

Contributor

Gen Temizer is a leading independent Turkish law firm located in Istanbul's financial centre. The Firm has an excellent track record of handling cross-border matters for clients and covers the full bandwidth of most complex transactions and litigation with its cross-departmental, multi-disciplinary and diverse team of over 30 lawyers. The Firm is deeply rooted in the local market with over 80 years of combined experience of the name partners while providing the highest global standards of legal services.

Vodafone Penalized for Data Failures

Germany's data protection authority ("BfDI") has imposed a total fine of 45 million euro on Vodafone Germany. 15 million euro of the fine relates to Vodafone's failure to adequately monitor its sales partners, resulting in unauthorized or fraudulent contracts with customers. The remaining 30 million euro concerns insufficient identity verification measures in Vodafone's "MeinVodafone" portal and call center systems, which created risks of unauthorized access to eSIM profiles. BfDI stated that these shortcomings violated General Data Protection Regulation ("GDPR") provisions.

A New Era for Global Data Transfers

On June 2, 2025, the Global Cross-Border Privacy Rules ("CBPR") Forum officially launched CBPR and Privacy Recognition for Processors certifications. These systems are built on the Asia-Pacific Economic Cooperation ("APEC") CBPR framework but have been expanded to include non-APEC jurisdictions. Countries such as Japan, Singapore, Bermuda, and Dubai have already recognized CBPR as a valid mechanism for cross-border data transfers. The certifications allow data controllers and processors to demonstrate compliance with international privacy standards through audits conducted by approved Accountability Agents. By the end of 2025, new requirements concerning sensitive data, children's data, and breach notifications will be introduced. Certifications held under the APEC system will remain valid under this new framework. The certification mechanism aims to offer an alternative to existing GDPR mechanisms such as Standard Contractual Clauses and Binding Corporate Rules.

DNA Data Hack Triggers 2.3M Pounds Fine for 23andMe

The UK Information Commissioner's Office ("ICO") fined 23andMe 2.31 million pounds for failing to safeguard the sensitive personal and genetic data of 155,592 UK users during a 2023 cyberattack. Hackers exploited reused credentials in a credential stuffing attack, gaining access to data such as names, ethnicity, health reports, and family history. The joint UK-Canada investigation found that 23andMe lacked multifactor authentication and had weak monitoring and response measures. The company dismissed early warnings and only acknowledged the breach after stolen data was posted on Reddit. The breach exposed individuals to serious risks, including discrimination and surveillance.

Massive AT&T Data Leak Deal

AT&T has agreed to a 177 million dollar settlement to resolve lawsuits stemming from two separate data breaches it disclosed in 2024. The settlement received preliminary approval from a federal judge in Dallas. One of the breaches involved the unauthorized extraction of call and text records of around 109 million customers from AT&T's environment on the Snowflake cloud platform. The second incident concerned a large batch of older customer data, reportedly involving over 73 million accounts, which surfaced on the dark web. Without admitting any liability, AT&T committed to compensating affected users with up to 2,500 or 5,000 dollars, depending on the breach and proof of loss. After addressing direct claims, the remaining funds will be allocated to customers whose personal information was exposed.

Faster GDPR Action Across Borders in Sight

On 16 June 2025, the European Parliament and the Polish Presidency of the Council of the EU reached a provisional agreement on a long-anticipated regulation to improve cross-border enforcement of the GDPR. The new rules aim to strengthen cooperation between national data protection authorities, introduce procedural clarity, and reduce delays in handling complaints involving multiple countries.

The agreement includes stronger procedural rights for both complainants and companies, such as access to case files and the right to be heard. It also introduces strict deadlines: straightforward cases must be resolved within 12 months, and complex ones within 15 months, with limited room for extensions.

Aflac Faces Cyberattack

Health and life insurance provider Aflac has launched an investigation following a cyberattack on its U.S. systems that may have exposed customers' personal information. The breach was identified on June 12 and is believed to be the work of a sophisticated cybercrime group. Aflac manages sensitive medical, financial, and personal data for over 50 million policyholders in the U.S. and Japan. The company has not disclosed how many customers were affected, but files containing Social Security numbers and health data may have been accessed.

UK Introduces New Data Act

The Data (Use and Access) Act 2025, which received Royal Assent in the UK on 19 June 2025, introduces significant changes to data protection law. The new legislation provides greater flexibility in areas such as research-related data use, automated decision-making, and certain cookie and marketing permissions. It also introduces a new lawful basis called "recognised legitimate interests" and requires organisations to implement formal data protection complaints procedures. Additionally, the ICO has been granted expanded powers, including the ability to compel witness interviews, request technical reports, and issue substantial fines.

The law will be implemented in phases, with most provisions expected to take effect within 2 to 12 months. To support the transition, the ICO has published summaries, guidance materials, and public resources. In the coming months, it will release further guidance, launch consultations, and provide practical tools. The goal is to ensure that data is used responsibly to enhance service delivery, support economic growth, and build public trust.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
