Digital Omnibus Introduced
On 19 November 2025, the European Commission publicly announced the “Digital Omnibus” initiative, which includes proposed amendments to several core concepts of the General Data Protection Regulation (“GDPR”). The package is composed of two draft regulations and sets out potential changes to the definition of personal data, the scope of data-subject rights under the GDPR, and the legal bases for processing personal data in the context of AI development and use in relation to the Artificial Intelligence Act (“AI Act”). The aim of the package, a first step to optimise the application of the digital rulebook, is to make sure that compliance with the rules is cheaper, achieves the same results, and gives small businesses a competitive advantage.
The draft differs in that content will not be considered personal data if its owner cannot be identified. Furthermore, given that pseudonymous data may now be considered personal data by some organisations, some data may be excluded from the GDPR. The draft also clarifies under what conditions personal data, including special category personal data, can be used for the development or operation of artificial intelligence systems.
The package is at the proposal stage and will face rounds of revisions in the legislative process. Current expectations suggest a realistic timeline for adoption would be around mid-2027.
ICO Investigates Tate Over Recruitment Data Breach
A data breach involving Tate Art Galleries exposed the personal information of 111 job applicants, including salaries, home addresses, and referees’ contact details, which were found on an unrelated website. The leaked records appear to originate from a 2023 recruitment process and likely resulted from human or procedural error rather than a cyberattack. The UK Information Commissioner’s Office (“ICO”) reminded organisations that they must report any personal data breach within 72 hours if it poses a risk to individuals’ rights. Tate stated that no breach of its internal systems has been identified, and the investigation is ongoing. The case underscores the need for strong data governance, staff training, and secure handling of applicant data under the UK GDPR.
UK proposal to expand the use of Covid-era data raises doctors’ concerns
The UK government is preparing to sign a direction that would allow patient information collected during the pandemic to be used in wider health research. The draft measure, known as “GP Data for Consented Research,” would permit NHS England to share this dataset with approved research programmes, provided that patient consent is obtained. Doctors’ representatives have raised concerns about whether patients will be properly informed and have warned that repurposing the data could undermine public trust. The Department of Health and Social Care said it is considering these concerns before finalising the direction and maintains that any use of the data will require explicit consent.
The United States has requested that EU member states provide direct access to their national police and immigration databases as a means of identifying individuals who pose security risks. For this purpose, the Commission has proposed a framework that allows member states to negotiate bilateral agreements on such access, linked to the US Visa Waiver Programme. This has been met with concerns in member states regarding the legal basis, timelines, and safeguards related to data protection; however, no objections in principle have been expressed. Deliberations on the proposal are continuing.
Swedish authorities review Miljödata breach after major data leak
The Swedish Data Protection Authority (“IMY”) has initiated investigations following a data breach at IT provider Miljödata, which exposed the personal information of over 1.5 million individuals. Attackers had stolen and later published large volumes of data on the Darknet. Several public bodies whose systems were serviced by Miljödata were affected. IMY is investigating whether Miljödata and the organisations affected have complied with their obligations under the GDPR in respect of security controls and the protection of special categories of personal data, such as children’s and protected identities. At this stage, IMY has not taken any enforcement actions as investigations continue.
Privacy concerns escalate over Flock Safety systems
Flock Safety is a company that offers automated license plate reader cameras used by police and local authorities to track vehicle movements. Two US lawmakers have called for a federal investigation into Flock Safety, citing concerns that the company’s cybersecurity shortcomings and data-handling practices expose Americans to privacy and safety risks.
Civil liberties groups have reported cases of misread license plates leading to wrongful stops and detentions, and some communities across several states have voted to remove Flock cameras due to privacy and accuracy concerns. The company’s systems have also been used in sensitive contexts, including abortion-related and immigration-related investigations. Lawmakers stated that the scale of Flock’s data collection poses significant risks if the technology is misused or a breach occurs.