UK/EU data protection in financial services round-up – 2025 so far…

Written By

Louise Hutt

Associate
UK

I am an associate in our Privacy and Data Protection Group in London and advise clients in a variety of sectors on UK and EU data protection and marketing rules, particularly in the financial services sector.

Nora Santalu

Associate
UK

I'm an associate in the privacy and data protection team in London. I advise on the GDPR, the EU AI Act as well as ePrivacy rules with a particular focus on the regulation of biometrics and fraud prevention.

Sanjana Sura

Legal Director
UK

I am a Legal Director in our Privacy & Data Protection Group in London with over 11 years' experience in the data protection and privacy space.

It has been a busy first quarter in the data protection world – to help you get up to speed, here is a round-up of some recent notable UK and EU data protection developments focused on financial services.

UK

ICO report on children’s data in financial services

The UK Information Commissioner’s Office (ICO) published a report on children’s data in financial services on 9 April 2025. This is part of the ICO’s ICO25 strategic plan.

The report is based on the views and information provided by 40 organisations via questionnaires and direct engagement. The participants included those who supply current accounts, savings accounts, trust accounts, ISAs and prepaid cards to children or use children’s data for their administration. 

The report sets out good practice findings and highlights areas of improvement (in particular, in relation to governance, transparency and consent).

Joint letter from the FCA and ICO on supporting AI, innovation and growth in financial services

On 10 March 2025, the Financial Conduct Authority (FCA) and the ICO wrote jointly to trade association chairs and CEOs in the UK financial services sector in recognition of the importance of regulatory clarity on the use of AI to support responsible innovation, create benefits for the public and foster economic growth. The letter notes that a recent FCA and Bank of England survey identified data protection and the FCA Consumer Duty as significant regulatory constraints upon AI deployment in the sector, and invites industry leaders to attend a roundtable on 9 May to help the FCA and ICO develop an understanding of the challenges faced by firms in this area and enable them to provide effective guidance.

UK Public Authorities (Fraud, Error and Recovery) Bill 2025

This Bill was introduced to Parliament on 22 January 2025 and includes provisions which give the UK Department for Work and Pensions (DWP) and the UK Public Sector Fraud Authority (PSFA) greater powers to recover losses due to fraud and error. DWP will be able to issue notices to banks and other financial institutions setting out the specific information required. The recipient of a notice will be required to look at their own data sets against specific benefit eligibility indicators outlined in the notice and provide the relevant data to the DWP. The ultimate aim is to verify a claimant’s entitlements to certain benefits and identify incorrect payments. Similar provisions were included in the now-defunct Data Protection and Digital Information Bill (DPDI Bill) last year. 

The ICO has issued a response to the Bill, noting that the Bill mitigates some of the concerns previously raised in relation to the DPDI Bill (including introduction of a requirement to issue a code of practice before any notice is given). The response emphasises that the code of practice should be sufficiently detailed – for example, the code should include details on the approach to ensuring that account holders who are not themselves in receipt of the specified benefits are able to exercise their data protection rights where their personal data is in scope. 

EU

European Data Protection Board guidelines on processing of personal data through blockchain technologies 

In April, the European Data Protection Board (EDPB) published its Guidelines 02/2025 on the processing of personal data through blockchain technologies to provide a framework for organisations considering the use of blockchain technology and outline the key General Data Protection Regulation (GDPR) compliance considerations. These guidelines are open for public consultation until 9 June 2025.

The guidelines provide an overview of the fundamental principles of blockchain technology and cover topics such as the roles and responsibilities of different actors in blockchains, data protection by design and default considerations, data minimisation techniques, the interplay between the technical aspects of blockchain and the Article 5 GDPR principles and data subject rights (particularly transparency, rectification and erasure). The guidelines also provide key aspects to be considered in any data protection impact assessment of blockchain processing. 

Court of Justice of the European Union decision on automated credit assessments

In a recent Court of Justice of the European Union (CJEU) case (C-203/22 Dun & Bradstreet Austria), the court interpreted the information requirement under Article 15(1)(h) GDPR in the context of a data subject access request relating to credit scoring information. Article 15(1)(h) GDPR requires the controller to provide a data subject with “meaningful information about the logic involved” in automated decisions, including profiling, that trigger Article 22 GDPR.

In this case, a service provider refused to provide a product or service to an individual because of the individual’s credit score, having relied on an assessment carried out by automated means by a third-party consumer credit reporting agency. The case concerned the consumer credit reporting company’s response to a data subject access request.

The key findings were:

  • The credit assessment provided by the credit reporting agency was a “decision” even though it wasn’t “made” per se by the service provider. This confirmed the CJEU’s Schufa decision.
  • The wording of Article 15(1)(h) requires the controller “to explain, by means of relevant information and in a concise, transparent, intelligible and easily accessible form, the procedure and principles actually applied in order to use, by automated means, the personal data concerning that person with a view to obtaining a specific result, such as a credit profile”. The disclosure of a complex mathematical formula, such as an algorithm, or the detailed description of all the steps in automated decision-making used to come up with the credit assessment/score would not be sufficient, as it would not constitute a sufficiently concise and intelligible explanation. Rather, the controller must describe the procedure and principles actually applied in such a way that the data subject can understand which of his or her personal data has been used in what way in the automated decision-making at issue and the extent to which a variation in the personal data taken into account would have led to a different result. Where black-box type complex AI algorithms are used in decision-making, controllers may find it difficult to provide such explanations.
  • If a controller considers that the ‘meaningful information’ which it must provide to the individual contains trade secrets and therefore wants to withhold it, it would need to disclose that allegedly protected information/trade secret to the competent supervisory authority or court for evaluation of the rights and interests at issue. It is unclear if the court or the supervisory authorities would have the expertise to assess the merits of the trade secrets or if they would rely on the controllers’ assertions. It is also unclear how the added process would impact the timelines under the GDPR to respond to data subject requests. 
