From AI-driven privacy risks to government surveillance measures and major enforcement actions, catch all the stories in our privacy roundup.
GDPR authorities accused of ‘inactivity’ despite record fines
Despite imposing over €1 billion in fines last year, GDPR enforcement continues to face criticism. Privacy advocacy group noyb argues that many violations still go unpunished, with only 1.3% of cases resulting in financial penalties. noyb claims that national data protection authorities are failing to act decisively, weakening the effectiveness of the landmark regulation.
EU Commission clarifies AI practices banned under the AI Act
Following the official implementation of the EU AI Act’s prohibition on certain AI practices, the European Commission has issued guidelines detailing which technologies are now illegal. These include manipulative AI, social scoring systems, and real-time biometric surveillance in public spaces. The guidelines aim to help member states enforce the law consistently while ensuring companies comply with the new regulations.
Meta’s ad-free subscription service may violate EU privacy laws
Meta’s revised paid subscription model, which allows users to opt out of ads in exchange for a monthly fee, is under scrutiny from European regulators. The European Consumer Organisation (BEUC) argues that this model does not provide a fair choice, as it forces users to pay to protect their privacy. Consumer advocates warn this approach may breach EU data and competition laws, risking legal action.
Apple drops end-to-end cloud encryption for UK users
Apple will disable its Advanced Data Protection (ADP) encryption for UK users after the government reportedly demanded backdoor access to iCloud data. The feature, which provides end-to-end encryption for files, photos, and notes, is no longer available to new UK users and will be phased out for existing ones.
Thomson Reuters settles $27.5 million lawsuit over data privacy violations
Thomson Reuters Corp. has agreed to pay $27.5 million to settle allegations that it collected and sold Californians’ personal information without their knowledge or consent. The lawsuit accused the company’s CLEAR platform of scraping sensitive data and making it available for commercial purposes, violating the California Consumer Privacy Act (CCPA).
Chinese AI company DeepSeek exposes over 1 million chat records
Security researchers discovered that Chinese AI startup DeepSeek left two large databases publicly accessible, exposing over a million user chat logs, API keys, and backend operational data. The breach raises serious concerns about AI companies’ handling of sensitive user data, especially as generative AI tools become more widely adopted.
California privacy regulator to fine data broker for major breach
The California Privacy Protection Agency (CPPA) is pursuing a $46,000 fine against National Public Data, a Florida-based data broker, for failing to register in the state. This action comes after a significant breach involving the exposure of Social Security numbers, highlighting the importance of regulatory compliance in data brokerage activities.
Luxembourg issues privacy warning on DeepSeek AI tool
Luxembourg’s National Commission for Data Protection (CNPD) has warned that DeepSeek AI poses serious privacy risks for European users. The regulator noted that the tool was not designed with European data protection laws in mind and lacks transparency about how user data is processed. The CNPD advises users against entering sensitive or personally identifiable information into the platform.
Canada's privacy watchdog investigates X's data practices
The Office of the Privacy Commissioner of Canada has launched an investigation into X, formerly known as Twitter, to assess whether the platform’s use of Canadians’ personal data for training artificial intelligence models complies with federal privacy laws. This inquiry follows a formal complaint received by the commission.
Trump's removal of privacy board members risks EU-US data transfers
US President Donald Trump removed three Democratic members from the Privacy and Civil Liberties Oversight Board, raising concerns about the future of the EU-US Data Transfer Framework. This agreement, established after years of negotiations, allows businesses to transfer personal data between the two regions. Privacy watchdogs, including Max Schrems and noyb, warn the removals could undermine the framework and spark legal battles over data flows.