Our top five European data protection developments from January are:
- UK ransomware reporting proposals. The UK Government released a consultation on ransomware related legislative proposals, including possible reporting obligations and payment bans for cyber ransom incidents.
- DeepSeek investigated by Italian DPA over AI chatbot data collection practices. The Italian DPA opened an investigation into DeepSeek for possible GDPR non-compliance associated with its AI chatbot service’s data collection and processing activities. Businesses might consider reviewing their own AI training methodologies to ensure compliance with GDPR rules on the use of personal data, particularly those that rely on web scraping to train their AI systems.
- DORA becomes applicable. The EU Digital Operational Resilience Act became applicable on 17 January 2025 (it entered into force in January 2023). EU regulated financial entities must now, inter alia, contend with onerous ICT incident reporting requirements, with initial notifications of major incidents due on timelines as short as four hours from classification.
- EDPB issues guidelines on pseudonymisation. The EDPB adopted guidelines on pseudonymisation, which clarify the definition of pseudonymised data and how the GDPR applies to it, as well as exploring the advantages of using pseudonymisation. Per the guidelines, businesses may wish to consider using pseudonymisation as a tool that can help mitigate data protection-related risks to data subjects as it gives a higher degree of protection to individuals.
- UK ICO acts on cookie compliance. The UK ICO announced plans to assess the top 1,000 UK websites for compliance with UK data protection laws, with a particular focus on whether companies are providing users meaningful choice on how their personal information is used. At the same time, UK Parliament is considering legislation that would reduce the types of cookies that require user consent under UK law. Given this renewed focus on cookies and consent, businesses may wish to assess whether their cookies policy and practices are compliant.
These developments are covered below.
UK Government publishes consultation on ransomware payments
What happened: The UK Government commenced a consultation on proposals to reduce the threat posed by ransomware attacks to UK organisations and individuals. The consultation outlines three main proposals:
- A targeted ban on ransomware payments for all public sector bodies and critical national infrastructure (which could be extended to all UK entities). The scope of covered entities is yet to be confirmed, although the UK also is exploring a nation-wide ban as an alternative. This would extend the UK government principle that central government departments cannot make ransomware payments. The government is considering whether essential suppliers to these sectors should also be included in the presumptive ban.
- A payment prevention regime for all other ransomware payments. This would require any victim of ransomware (not covered by the proposed ban in Proposal 1) to engage with the authorities and report their intention to make a ransomware payment before making any payment. The National Crime Agency would then support victims to increase the likelihood of them navigating an incident without needing to pay.
- A mandatory incident reporting regime for suspected victims of ransomware. The mandatory reporting requirement would apply regardless of whether the victim intends to pay the ransom. Entities would be required to provide an initial report within 72 hours, including information on whether a ransom demand has been received, if the organisation can recover from existing resilience measures and if the ransomware group is identifiable. A full report would be required within 28 days, covering the access vector, if resilience measures have been implemented and further details on the attack. The government is currently considering whether the reporting obligation should apply to all ransomware incidents, or only where the incident meets certain thresholds, such as the size of the organisation or the ransom value.
What to do: The consultation illustrates a trend towards ransomware reporting frameworks, following the Australian lead with the introduction of mandatory reporting of ransomware payments under the Cyber Security Act 2024. Businesses may wish to monitor developments in this area given the potential legal implications of a nation-wide payment ban and mandatory incident reporting requirements, and may wish to comment on the consultation, which is open until 8 April 2025.
Italian DPA opens investigation into DeepSeek
What happened: The Italian Data Protection Authority, Garante, launched an investigation into Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence (“DeepSeek”), over concerns regarding the personal data collection and processing practices of its AI chatbot.
The Garante’s investigation aims to assess the chatbot’s GDPR compliance, and will focus on the type, source, method, purpose, legal basis and storage of the personal data collected. Additionally, the investigation seeks to determine how personal data—both from registered and non-registered users—was used in training the AI system; a hot topic, following the EDPB’s opinion on the interaction between the GDPR and AI models in December.
DeepSeek was given 20 days to provide the requested information. However, the Garante subsequently ordered the limitation of processing of Italian users’ personal data by DeepSeek after the company declared that it was not subject to the GDPR. Following the Garante’s lead, data protection authorities in Ireland, Belgium and several other European countries have also launched their own investigations into DeepSeek, highlighting the coordinated approach European regulators are taking to safeguard EU residents’ personal data.
What to do: Businesses that develop and use AI models may wish to proactively review their data processing activities to ensure compliance with GDPR, particularly regarding the method, purpose, legal basis, and storage of personal data. In particular, businesses that rely on web scraping to train their AI systems may wish to pay close attention to transparency and data collection best practices to avoid unauthorised use of personal data or copyrighted materials, both of which could lead to regulatory scrutiny and operational restrictions.
DORA becomes applicable to EU financial entities
What happened: On 17 January 2025, the Digital Operational Resilience Act (“DORA”) became applicable. It applies to EU financial entities and critical ICT third-party service providers (together, “Covered Entities”) and aims to strengthen the IT security and operational resilience of the European financial sector.
Generally, DORA imposes broad and onerous requirements on Covered Entities:
- Policies & Procedures: DORA imposes wide-ranging risk management and digital operational resilience testing obligations. Obligations include establishing board oversight of Information and Communications Technology (“ICT”) governance, implementing a comprehensive ICT risk management framework, putting in place and maintaining appropriate ICT systems and tools to identify and mitigate ICT risks, and establishing business continuity policies and disaster recovery plans.
- Incident & Threat Reporting: Covered Entities are also required to classify ICT-related incidents and report “major” ICT-related incidents to the regulator and, depending on the nature of the impact, also to clients or the public. This includes a requirement to establish and implement a management process to monitor, manage, and report incidents.
DORA also requires Covered Entities to assess and classify “cyber threats” against certain criteria. Where a threat is “significant”, Covered Entities must notify potentially affected clients of the threat and of any “appropriate protection measures” those clients may consider taking; they may also voluntarily notify regulators of significant cyber threats where “they deem the threat to be of relevance to the financial system, service users or clients”.
- Third-Party Risk Management: Covered Entities are required to contract only with ICT service providers that comply with appropriate information security standards, and to include specified termination rights in those contracts. Additional requirements include conducting due diligence on prospective ICT service providers and auditing existing providers, assessing and documenting potential ICT risks associated with ICT service providers, and implementing exit strategies for ICT services supporting critical or important functions.
What to do: For a closer look at DORA’s ICT-related incident and cyber threat reporting obligations and how entities can address them within their existing incident response plans, please see our previous post here, alongside a more general overview of DORA’s requirements here. In particular, businesses should be aware of the tight reporting deadlines for major ICT-related incidents, where initial notifications to a business’s national competent authority are due within four hours of classifying an incident as “major” and no later than 24 hours after detecting the incident.
EDPB releases guidelines on the use of pseudonymisation for GDPR compliance
What happened: The EDPB published draft guidelines on pseudonymisation under the GDPR. The guidelines clarify the definition of pseudonymised data and how the GDPR applies to it, as well as exploring the advantages of using pseudonymisation.
Under the GDPR, personal data is any information that can be used to directly or indirectly identify an individual. Unlike anonymised data, which cannot be attributed back to an underlying individual (and therefore falls outside the scope of the GDPR), pseudonymised data cannot be directly attributed to an individual but can be used to indirectly identify them when combined with other information. According to the guidelines, this remains true even where the pseudonymised data and additional information are not in the hands of the same person.
Pseudonymised data therefore is still classified as personal data under the GDPR; however, because individuals can only be identified indirectly, it gives them a higher degree of protection. In particular, it can be used to help fulfil certain data protection obligations, such as the data minimisation and confidentiality requirements, and can potentially assist businesses in fulfilling the GDPR’s lawfulness, fairness, purpose limitation, and accuracy principles. The guidelines also highlight that, where businesses are processing personal data under the legitimate interests lawful basis, using pseudonymised data may help tip the balance in favour of the business’s processing activities given the reduced risks presented by this type of data, provided the other GDPR requirements are met.
What to do: Businesses not already using pseudonymisation may wish to assess the technique and, in particular, whether there are any data processing risks that could be addressed or mitigated through it. Businesses should also be mindful that pseudonymised data is still subject to the GDPR and should be handled accordingly, including by ensuring that the data and the “additional information” needed to re-identify individuals are kept separate and are each subject to adequate security measures.
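The distinction the guidelines draw between pseudonymised data and the “additional information” that reverses it is easiest to see in code. The following is an added illustration written for this post, not code from the EDPB or any regulator, and the records in it are constructed, not real people. It replaces the direct identifier (an email address) with an HMAC-SHA256 token under a secret key, shows that the key holder can re-identify individuals while someone without the key cannot, and contrasts that with an unkeyed hash, which anyone holding a list of candidate addresses can reverse. The function and variable names are illustrative choices.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious individuals): a direct identifier plus attributes.
RECORDS = [
    {"email": "alice@example.com", "city": "Leeds", "spend": 120},
    {"email": "bob@example.com", "city": "Bristol", "spend": 45},
    {"email": "carol@example.com", "city": "Leeds", "spend": 300},
]
CANDIDATES = [r["email"] for r in RECORDS]  # a guess list an attacker might plausibly hold


def new_secret() -> bytes:
    """The 'additional information': a random key held separately from the data set."""
    return secrets.token_bytes(32)


def pseudonymise(records, secret: bytes):
    """Replace the direct identifier with a keyed token; attributes are kept as-is.

    The same email always maps to the same token under the same key, so records can
    still be linked within the data set (and joined with other sets keyed the same way),
    which is exactly why the output is still personal data under the GDPR.
    """
    out = []
    for r in records:
        token = hmac.new(secret, r["email"].encode(), hashlib.sha256).hexdigest()
        out.append({"pid": token, "city": r["city"], "spend": r["spend"]})
    return out


def reidentify(pseudonymised, candidates, secret: bytes):
    """Holder of the secret recomputes tokens for known identities and maps them back.

    Returns {token: email-or-None}; with the wrong key every value is None.
    """
    table = {hmac.new(secret, c.encode(), hashlib.sha256).hexdigest(): c for c in candidates}
    return {row["pid"]: table.get(row["pid"]) for row in pseudonymised}


def unkeyed_hash(email: str) -> str:
    """What pseudonymisation is often (wrongly) reduced to: a plain SHA-256 of the identifier."""
    return hashlib.sha256(email.encode()).hexdigest()


def dictionary_attack(tokens, candidates, hash_fn):
    """Reverse tokens with nothing but a candidate list and the public hash function.

    Succeeds against unkeyed hashes of low-entropy identifiers such as email addresses;
    fails against HMAC tokens because the attacker cannot compute them without the key.
    """
    lookup = {hash_fn(c): c for c in candidates}
    return {t: lookup.get(t) for t in tokens}


if __name__ == "__main__":
    key = new_secret()
    ps = pseudonymise(RECORDS, key)
    print("pseudonymised rows:", ps)
    print("key holder re-identifies:", reidentify(ps, CANDIDATES, key))
    print("without key:", reidentify(ps, CANDIDATES, new_secret()))
    naive = [unkeyed_hash(r["email"]) for r in RECORDS]
    print("unkeyed hash reversed:", dictionary_attack(naive, CANDIDATES, unkeyed_hash))
    print("HMAC tokens vs same attack:", dictionary_attack([r["pid"] for r in ps], CANDIDATES, unkeyed_hash))
```

Two design points follow from the example. First, an unkeyed hash of an identifier with a small guess space (emails, phone numbers, national ID numbers) is not meaningful pseudonymisation, because the “additional information” needed to reverse it is public knowledge plus a candidate list. Second, with a keyed construction the key is the additional information the guidelines refer to, so it should be generated, stored and access-controlled separately from the pseudonymised data set; where the key is destroyed and no other route to the individual exists, the data set moves towards anonymisation, which is a different analysis.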
UK ICO to tackle website cookies non-compliance
What happened: The ICO announced plans to assess the top 1,000 UK websites for compliance with cookie consent requirements, with a particular focus on whether companies are providing users meaningful choice on how their personal information is used online. Under the Privacy and Electronic Communications Regulations (“PECR”), businesses are required to, among other things, obtain consent before deploying non-essential cookies (or other similar tools such as tracking pixels) on a user’s device, with consent defined to the GDPR standard (i.e., freely given, specific, informed and unambiguous). In its announcement, the ICO reported that it had already assessed the compliance of the top 200 UK websites and communicated concerns to 134 of those organisations, illustrating potentially widespread non-compliance with the cookie requirements.
At the same time, UK Parliament is considering a legislative proposal – the Data (Use and Access) Bill – which would, among many other things, reduce the types of cookies that require user consent under UK law. For example, businesses would not need to obtain consent for the sole purpose of carrying out a transmission of a communication over an electronic communications network, or to collect information for statistical purposes to make improvements to the service, provided that users are informed of the purpose for placing these cookies.
To the extent businesses can create UK-specific cookies policies (and do not, for example, apply the same policies across the UK and EEA), these potential changes could simplify the compliance requirements. Nonetheless, the Bill is currently progressing through the legislative process and may be subject to further change before it’s finalised (potentially later this year).
What to do: Cookie compliance continues to be a focus area for the ICO and other European DPAs. Businesses should consider (re)assessing whether their cookies policy and cookies practices are compliant with PECR and the GDPR. In particular, businesses may consider reviewing their cookie banners to ensure that no non-essential cookies are set before the user has given consent that is specific, informed, and freely given, and that refusing is as easy as accepting.
***
The cover art used in this blog post was generated by Dall-E.