Digital Governance, Cyber and Privacy | Quarterly Roundup | April 2025
By Katherine Jones, Lana Remedi, Amelia Sakaris, Jessica Yazbek and Sofia Xu
In this edition, you will find our regular roundup of recent digital governance news* and developments in Australia and across the globe.
Welcome to the latest edition of our quarterly Digital Governance, Cyber and Privacy newsletter.
In 2022, Australia had its first cybersecurity prosecution in ASIC v RI Advice.
In March 2025, ASIC filed proceedings against FIIG Securities. ASIC alleges that FIIG failed to take sufficient steps between March 2019 and June 2023, enabling hackers to breach FIIG's network in May 2023 with 385GB of confidential data compromised and 18,000 clients having to be notified. ASIC seeks declarations for breaches of the Corporations Act, a pecuniary penalty and a compliance order involving review of its cybersecurity measures and an independent expert to report on those measures back to ASIC.
ASIC has repeatedly flagged to directors that it expects directors to assess and proactively manage the cyber security threats that face an organisation. ASIC indicated in its key issues outlook for 2025 that it had a number of investigations underway in the cyber security space and will provide further information on how ASIC is bringing the full force of the law against those who have failed their duties throughout the year.
Here is your roundup of relevant news from around the world:
Australia
Cyber Security Act Rules
On 30 May 2025, the Ransomware Payment Reporting obligations will come into effect. The Cyber Security Act requires a business entity to make a report within 72 hours of making the ransomware payment (or becoming aware that the ransomware payment has been made). The new Cyber Security (Ransomware Payment Reporting) Rules 2025 list the information required when reporting that a ransom payment has been made.
Two further sets of Rules authorised pursuant to the Cyber Security Act have also been introduced this quarter - the Security Standards for Smart Devices Rules covering consumer-grade smart devices and the Cyber Incident Review Board Rules.
OAIC accepts Oxfam Australia enforceable undertaking
Oxfam experienced a data breach in January 2021 which resulted in the loss of up to 1.7 million Oxfam records. The enforceable undertaking highlights the need for charities and not-for-profits to remain vigilant and follow responsible privacy practices including not storing certain personal information longer than 7 years, avoiding the use of shared credentials, implementing password security controls and training.
UK
The Data (Use and Access) Bill, introduced in Parliament on 24 October 2024, has completed its passage through the House of Lords and will now be debated in the House of Commons. On 10 February 2025, the ICO updated its response to the DUA Bill. A public interest test has been added to the processing of personal data for the purposes of scientific research. The Bill was also amended to include further duties in respect of children's data.
UK Lecturers Trade Union injunction against hackers
In University College Union v Persons Unknown [2025] EWHC 192 (KB), the High Court granted summary judgment and issued a final injunction against a group of unknown threat actors following a ransomware incident. The injunction prohibits the threat actors from publishing, disclosing or using the stolen data, and orders the threat actors to deliver up/delete the information.
EU Cybersecurity Act consultation
On 15 January 2025, the EU adopted a targeted amendment to the EU Cybersecurity Act first proposed in April 2023. The amendment is for the adoption of a certification scheme for managed security services. Following this adoption, the EU has now sought further consultation on further changes to the EU Cybersecurity Act with submissions closing June 2025.
UK judgment on consent required for direct marketing (Sky Betting and gambling data)
In the case of RTM v Bonne Terre Limited and Hestview Limited [2025] EWHC 111 (KB), the UK High Court ruled in favour of an individual who asserted that his gambling history was processed through advertising cookies without consent, which fed a gambling addiction. The Court held that data protection law requires consent to be of "relatively high" quality. The judgment focuses on the lawful basis of consent to process personal data under various pieces of legislation including the UK Data Protection Act 1998, the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
Asia
China proposes amendments to Cybersecurity Law
One of the three pillars of China's cybersecurity, the Cybersecurity Law, received proposed amendments in March 2025. The amendments propose penalties and enforcement for data compliance.
China's Data Security Management Regulations came into effect 1 January 2025
The Data Security Management Regulations, introduced in September 2024, became effective on 1 January 2025. The Regulations seek to define what is 'important data' and focus on the cross-border exchange of such information.
Japan's Cyber Response Capability Strengthening Bill 2025
In February 2025, the Japanese Cabinet approved two legislative bills to strengthen coordination and information sharing between the private and public sector regarding cyber incidents.
USA
2025 Annual Threat Assessment of the U.S. Intelligence Community
In March 2025, the US published its intelligence community report which highlighted China, Russia, Iran and North Korea as threats for cyber warfare.
SentinelOne security clearance cancelled
President Trump ordered the cancellation of the security clearance of SentinelOne executives and employees in April 2025.
Akin to a health rating on food, or energy rating on appliances, the cyber mark is intended to demonstrate the security level of your internet enabled device.
Europe
UK Cyber Security and Resilience Bill
In March 2025, the Secretary of State for Science, Innovation and Technology presented to Parliament the proposed Cyber Security and Resilience Bill first mentioned in the King's July 2024 speech. The Bill seeks to align with the NIS2 directive, strengthen supply chain security, and improve reporting with a two-stage reporting structure.
Artificial Intelligence
Google releases report on Adversarial Misuse of Generative AI
Google's threat intelligence group has recently released a report on misuse of its generative AI model (Gemini) by bad actors.
UK Response on Cyber Security of AI
In January 2025, the UK published the response to the Call for Views on 'Cyber Security of AI' which outlined a proposed 'two-part intervention' approach, and 12 principles aimed at enhancing and maintaining cyber security standards for AI technology.
US Executive Order regarding AI
One of the executive orders made by President Trump in January 2025 was said to be for the removal of barriers to American leadership in AI. The National Conference of State Legislatures keeps a tracker of AI legislation in the US which demonstrates, over time, any impact of the order.
The Japanese Cabinet has introduced a bill focused on research and development of AI which calls for cooperation and includes a potential 'name and shame' approach to AI developers who infringe the rights of Japanese citizens. There are no other proposed penalties.
We also extend our congratulations to Special Counsel Lana Remedi, who has been named Cyber Security Professional of the Year in the Professional and Financial Services category at the 2025 Australian Cyber Awards, presented by Cyber Daily. This recognition affirms the growing strength and reputation of our practice in cyber security—a field of increasing significance to both our clients and the broader community.
*Note: for some publications, you may require a current subscription to read the full article.