PUBLICATIONS | 07 May 2025

Digital Governance, Cyber and Privacy | Quarterly Roundup | April 2025

By Katherine Jones, Lana Remedi, Amelia Sakaris, Jessica Yazbek and Sofia Xu

In this edition, you will find our regular roundup of recent digital governance news* and developments in Australia and across the globe.


Welcome to the latest edition of our quarterly Digital Governance, Cyber and Privacy newsletter.

In 2022, Australia had its first cybersecurity prosecution in ASIC v RI Advice.

In March 2025, ASIC filed proceedings against FIIG Securities. ASIC alleges that FIIG failed to take sufficient steps between March 2019 and June 2023, enabling hackers to breach FIIG's network in May 2023 with 385GB of confidential data compromised and 18,000 clients having to be notified. ASIC seeks declarations for breaches of the Corporations Act, a pecuniary penalty and a compliance order involving review of its cybersecurity measures and an independent expert to report on those measures back to ASIC.

ASIC has repeatedly flagged to directors that it expects them to assess and proactively manage the cyber security threats that face an organisation. ASIC indicated in its key issues outlook for 2025 that it had a number of investigations underway in the cyber security space and will provide further information throughout the year on how it is bringing the full force of the law against those who have failed their duties.

Here is your roundup of relevant news from around the world:

Australia

Cyber Security Act Rules

On 30 May 2025, the Ransomware Payment Reporting obligations will come into effect. The Cyber Security Act requires a business entity to make a report within 72 hours of making the ransomware payment (or becoming aware that the ransomware payment has been made). The new Cyber Security (Ransomware Payment Reporting) Rules 2025 list the information required when reporting that a ransom payment has been made. 

Two further sets of Rules authorised pursuant to the Cyber Security Act have also been introduced this quarter - the Security Standards for Smart Devices Rules covering consumer-grade smart devices and the Cyber Incident Review Board Rules.

OAIC accepts Oxfam Australia enforceable undertaking

Oxfam experienced a data breach in January 2021 which resulted in the loss of up to 1.7 million Oxfam records. The enforceable undertaking highlights the need for charities and not-for-profits to remain vigilant and follow responsible privacy practices including not storing certain personal information longer than 7 years, avoiding the use of shared credentials, implementing password security controls and training.

UK

DUA Bill moves closer

The Data (Use and Access) Bill, introduced in Parliament on 24 October 2024, has completed its passage through the House of Lords and will now be debated in the House of Commons. On 10 February 2025, the ICO updated its response to the DUA Bill. A public interest test has been added to the processing of personal data for the purposes of scientific research. The Bill was also amended to include further duties in respect of children's data.

UK Lecturers Trade Union injunction against hackers

In University College Union v Persons Unknown [2025] EWHC 192 (KB), the High Court granted summary judgment and issued a final injunction against a group of unknown threat actors following a ransomware incident. The injunction prohibits the threat actors from publishing, disclosing or using the stolen data, and orders the threat actors to deliver up/delete the information.

EU Cybersecurity Act consultation

On 15 January 2025, the EU adopted a targeted amendment to the EU Cybersecurity Act first proposed in April 2023. The amendment is for the adoption of a certification scheme for managed security services. Following this adoption, the EU has now sought further consultation on further changes to the EU Cybersecurity Act with submissions closing June 2025.

UK judgment on consent required for direct marketing (Sky Betting and gambling data)

In the case of RTM v Bonne Terre Limited and Hestview Limited [2025] EWHC 111 (KB), the UK High Court ruled in favour of an individual who asserted that his gambling history was processed through advertising cookies without consent, which fed a gambling addiction. The Court held that data protection law requires consent to be of "relatively high" quality. The judgment focuses on the lawful basis of consent to process personal data under various pieces of legislation including the UK Data Protection Act 1998, the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Asia

China proposes amendments to Cybersecurity Law

One of the three pillars of China's cybersecurity, the Cybersecurity Law, received proposed amendments in March 2025. The amendments propose penalties and enforcement for data compliance.

China's Data Security Management Regulations came into effect 1 January 2025

The Data Security Management Regulations, introduced in September 2024, became effective on 1 January 2025. The Regulations seek to define what is 'important data' and focus on the cross-border exchange of such information.

Japan's Cyber Response Capability Strengthening Bill 2025

In February 2025, the Japanese Cabinet approved two legislative bills to strengthen coordination and information sharing between the private and public sector regarding cyber incidents.

USA

2025 Annual Threat Assessment of the U.S. Intelligence Community

In March 2025, the US published its intelligence community report which highlighted China, Russia, Iran and North Korea as threats for cyber warfare.

SentinelOne security clearance cancelled

President Trump ordered the cancellation of the security clearance of SentinelOne executives and employees in April 2025.

US Cyber Trust Mark

Akin to a health rating on food, or energy rating on appliances, the cyber mark is intended to demonstrate the security level of your internet enabled device.

Europe

UK Cyber Security and Resilience Bill

In March 2025, the Secretary of State for Science, Innovation and Technology presented to Parliament the proposed Cyber Security and Resilience Bill first mentioned in the King's July 2024 speech. The Bill seeks to align with the NIS2 directive, strengthen supply chain security, and improve reporting with a two-stage reporting structure.

Artificial Intelligence

Google releases report on Adversarial Misuse of Generative AI

Google's threat intelligence group has recently released a report on misuse of its generative AI model (Gemini) by bad actors.

UK Response on Cyber Security of AI

In January 2025, the UK published the response to the Call for Views on 'Cyber Security of AI' which outlined a proposed 'two-part intervention' approach, and 12 principles aimed at enhancing and maintaining cyber security standards for AI technology. 

US Executive Order regarding AI

One of the executive orders made by President Trump in January 2025 was said to be for the removal of barriers to American leadership in AI. The National Conference of State Legislatures keeps a tracker of AI legislation in the US which demonstrates over time any impact of the order.

Japan AI Regulation

The Japanese Cabinet has introduced a bill focused on research and development of AI which calls for cooperation and includes a potential 'name and shame' approach to AI developers who infringe the rights of Japanese citizens. There are no other proposed penalties.

We also extend our congratulations to Special Counsel Lana Remedi, who has been named Cyber Security Professional of the Year in the Professional and Financial Services category at the 2025 Australian Cyber Awards, presented by Cyber Daily. This recognition affirms the growing strength and reputation of our practice in cyber security—a field of increasing significance to both our clients and the broader community.

*Note: for some publications, you may require a current subscription to read the full article.

This is commentary published by Colin Biggers & Paisley for general information purposes only. This should not be relied on as specific advice. You should seek your own legal and other advice for any question, or for any specific situation or proposal, before making any final decision. The content also is subject to change. A person listed may not be admitted as a lawyer in all States and Territories. Colin Biggers & Paisley, Australia 2025
