The EDPB just published its opinion on the UK's adequacy decision and it's pretty critical of the country's post-Brexit direction on data protection. But does the EDPB's opinion matter?

Probably not—directly, at least.

The Commission's draft adequacy decision now goes to a vote at the Comitology Committee and is very unlikely to be voted down, despite the EDPB's reservations.

But the opinion might provide some ammunition in potential future political or legal challenges to the UK's "adequate" status.

Here's a look at some of the long list of UK-related stuff that the EDPB wants the Commission to "monitor", including:

• Extensive new executive powers over data protection regulation

• The controversial Technical Capability Notices (TCNs)

• The UK's new "data protection test" for international data transfers 

What is going on between Clearview AI and the ICO?

Actions against Clearview have been a test of how far digital regulation actually has extraterritorial effect. 

This month, we got an answer on this from the UK’s Upper Tribunal, and it’s an important judgment about the territorial reach of the UK GDPR—at least on paper.

In May 2022, the ICO fined Clearview AI £7.5 million and ordered it to delete the data of UK residents. Clearview appealed. Then, in a quite surprising move in October 2023, the First-tier Tribunal overturned that fine. 

The FTT found that the ICO lacked jurisdiction because Clearview's service was used by foreign law enforcement for their national security and criminal law functions—activities which, the tribunal said, fell outside the material scope of the UK GDPR.

The ICO appealed that decision to the Upper Tribunal, resulting in a win for the regulator. The Upper Tribunal found that the First-tier Tribunal had made a material error of law.

The judgment hinged on two key questions about the UK GDPR's material scope and definition of "behavioural monitoring".

So, the result was a win for the ICO. The appeal was allowed, the First-tier Tribunal's decision is set aside, and the case is sent back to be decided on its merits—but on the clear basis that the ICO does have jurisdiction over Clearview AI.

But of course, the ICO now has to actually get some money out of Clearview, which might present some difficulties.

Discord's recent data breach exposed photo IDs used to verify users' ages. Should we blame the Online Safety Act, the Children's Code, or the UK GDPR? It's complicated. (Please excuse the unsightly cut on my forehead in this one).

While this breach probably just boils down to vendor security, I wanted to consider whether Discord was obliged to collect users' ID documents, and whether it should have been retaining them.

This story does involve some competing obligations under the OSA and the UK GDPR.

I think Discord was required to verify ages—not necessarily via photo ID, but I can see why they landed on that method.

And while it assures users that ID documents are deleted immediately after verification, this appears to only apply to the initial automated age assurance process, not the manual appeal procedure.

But that manual appeal procedure is arguably required under Article 22 UK GDPR, so it's hard to see a way around retaining this data for some period.

This isn't the last time we'll see this sort of data exposed. Resolving the tensions between these requirements means thinking things through very carefully, both in terms of data security and data protection.

Tractor Supply: The first CCPA case about job applicants' privacy (and the largest CPPA settlement yet). Don't forget: Unlike other states, California's privacy law applies to data about employees and job applicants.

Tractor Supply settled for $1.35 million for failing to tell job applicants about their rights (among other, more commonplace violations—GPC, Do Not Sell, the usual stuff).

The company provided a "notice at collection" telling applicants what types of data it collected and why. But the notice neglected to mention Californians' CCPA rights.

Counting applicants and employees as "consumers" is one of several things that makes California's privacy law—if not the strictest—the most complicated to comply with.

I think this is an area that has failed to reach many companies' compliance radars.

Can we expect more HR-related cases from the CPPA?

Or maybe a B2B data case will come next? That can be "personal information" too under the CCPA!

LinkedIn's AI training settings don't affect all users equally. Did you notice that LinkedIn will share UK users' data with Microsoft, but not EEA users? 

In this video, Rob looks at the background, the broader context, and the details.

LinkedIn first floated the idea of training its AI models on users' personal data last summer and has since encountered several bumps in the road.

Complaints were submitted to regulators in Ireland and the UK, and the company responded by putting the project on hold for EEA and UK users in September 2024.

Incidentally, the EDPB published an opinion in December on the use of "legitimate interests" to train AI models. The Board did not rule out that this could be lawful on a case-by-case basis, with safeguards attached, and people's reasonable expectations taken into account.

--

Other social media platforms have met with similar issues.

Meta's AI training saga is too complicated to recount here in full, but suffice to say that the company also paused and has now resumed its policy of relying on "legitimate interests" for this processing.

X faced court action from the Irish DPC and gave an undertaking confirming that it would not use EU users' data in this way.

--

There are some interesting details around how LinkedIn plans to share data with Microsoft:

• UK: Profile data and public content may be shared with Microsoft for model training, unless the user opts out.

• EU/EEA/Switzerland: The data will be used by LinkedIn itself for AI training, but there's no mention of any sharing with Microsoft.

• Canada/Hong Kong: There's a much more expansive approach to sharing data with Microsoft, including for advertising purposes (profile data, feed activity, ad engagement), but there's an opt-out available.

• Other countries (including the US): There's no explicit opt-out. If you don't like it, close your account.

--

As a LinkedIn user, you have until 3 November to opt out. If you opted out the last time LinkedIn tried this, check your settings.

As a data protection professional, you now have another interesting test case about whether "legitimate interests" will stand up for large-scale AI training.

The ICO has yet MORE draft guidance, this time on the UK's upcoming changes to the law on cookies (etc). At the same time, it's running a "call for views" about whether it should enforce that law in certain contexts.

The updated cookies guidance includes a new chapter on the consent exceptions provided by the Data Use and Access Act (DUAA).

We also get new material reflecting the ICO's view that a "Reject" option should be accessible on the first layer of your cookie banner.

There's also guidance on cookie walls and freely-given consent that does not sit easily with the ICO's position vis-a-vis "consent or pay".

An individual has been criminally prosecuted for "ignoring" or having "blocked, erased, or concealed" a subject access request. A rare (perhaps unprecedented) case, but Rob wonders if this behaviour is more common than we might think.

This care home director was prosecuted under Section 173 of the Data Protection Act 2018, which makes it a criminal offence to "alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure" following an access request.

He reportedly attempted various unsuccessful defences, ranging from claiming the care home was merely a "building" and not a controller, to stating that the care home's ICO registration had lapsed.

—

Subject access requests can be very stressful.

It can be very painful for people to realise that they must disclose uncomfortable or potentially compromising information they would much rather keep private.

Not to mention the huge request backlogs that many organisations have accumulated, which can invite corner-cutting.

—

This sounds like a particularly bad case, and we might not expect a flurry of prosecutions under Section 174 DPA 2018—but we can reasonably call this one a "learning opportunity".

Please do get in touch if you need additional support with data subject rights management: [email protected]

All over EU and UK law, we see a requirement to report certain stuff "without undue delay", often coupled with a hard deadline period (e.g., within 72 hours). A CJEU case from last month explored what these dual obligations mean in practice.

IL v Veracash (Case C‑665/23, 1 August 2025) concerned the old Payment Services Directive (PSD). 

The PSD requires cardholders (consumers) to notify payment services provider about suspected fraudulent transactions "without undue delay" upon becoming aware of the transaction and within no more than 13 months.

The complainant notified the provider within two months: Easily beating the "hard" 13 month deadline. But he was refused a refund for allegedly failing to meet the "without undue delay" requirement.

The case explores how these deadlines work and has broader implications.

For example, we see "without undue delay" provisions in the following laws:

GDPR Article 33 (1)

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority…”

AI Act Article 26 (5)

“Where deployers have reason to consider that the use of the high-risk AI system in accordance with the instructions may result in that AI system presenting a risk within the meaning of Article 79(1), they shall, without undue delay, inform the provider or distributor and the relevant market surveillance authority, and shall suspend the use of that system.”

Cyber Resilience Act Article 14 (2) (a)

“(The manufacturer shall submit) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it…”

Can you think of any others?

More draft ICO guidance! This time, about one of the Data (Use and Access) Act's most important concepts: "Recognised legitimate interests". 

The "recognised legitimate interests" are data processing activities that, frankly, the government would like you to do more of.

Unlike regular old legitimate interests, you won't need to conduct a "balancing test" before processing personal data for these purposes: So long as the processing is "necessary", you can just go right ahead and do it.

So far we have five "recognised legitimate interests":

• Public task disclosure request

• National security, public security and defence

• Emergencies

• Crime

• Safeguarding

Some of these, namely "emergencies" and "safeguarding", are defined quite tightly.

Others are not. There's no definition of terms like "national security", "defence", or "crime", so expect to see controllers relying on these conditions in a broad range of circumstances.

As always, please get in touch if you need any help preparing for these provisions to take effect. 

In advance of new obligations under the Data (Use and Access) Act, the ICO has published some draft guidance on handling data subject complaints. This episode breaks down some of the ICO's expectations in this area.

As always, the ICO sets out three tiers: 

• "Must": Legal duties, for example, under UK GDPR or DPA 2018. 

• "Should": Good practice stuff that you should do unless there's a good reason not to.

• "Could": Optional steps to help you comply. 

According to the ICO, core obligations include: 

• Giving people a way to complain directly to your organisation

• Acknowledging complaints within 30 days (NOT one month, as with data subject rights) 

• Investigating the complaint and responding without undue delay

• If the complaint was raised on the data subject's behalf, checking that the person has the authority to act for them.

• Keeping records about the complaint while respecting data minimisation. 

The "shoulds" include publishing a clear complaints procedure, training staff to recognise complaints, and ensuring cover during absences. 

Special considerations apply for children, such as using child-friendly language and handling safeguarding concerns (if relevant). 

The ICO has long told data subjects that they must approach organisations first before coming to the regulator. This remains ICO policy only, as neither the UK GDPR nor DPA 2018 requires the data subject to do this.

But the DUAA will codify this practice, and will give controllers new statutory duties around complaint handling.

I would suggest reviewing your complaints with these new obligations in mind. 

Although—for whatever reason—it does not mention the DUAA at all, the ICO's draft guidance is probably a good place to start.

The guidance is open for comments until 19 October.

As always, feel free to get in touch if you need help implementing any of this.