The ODPA’s monthly round-up of data-related developments from around the world.
7 January: The UK information watchdog issued a statement in response to serious concerns raised about content produced by Grok AI and hasn’t ruled out taking further action: A statement in response to Grok AI on X | ICO
7 January: IAPP, an international not-for-profit organisation for privacy, AI governance and digital responsibility, has provided a summary of California’s privacy trends and legislation for the previous year. California 2025 legislative wrap-up: More privacy and first-of-its kind AI laws adopted | IAPP
9 January: The UK government says Elon Musk's platform X limiting Grok AI image edits to paid users is "insulting" to victims of misogyny and sexual violence. Downing Street said the move "simply turns an AI feature that allows the creation of unlawful images into a premium service". Limiting Grok AI image edits to paid users 'insulting' to victims, says No 10 - BBC News
9 January: Forbes discusses the disconnect between agentic AI aspirations and reality: Beyond Secure: Reimagining Data Protection For Agentic AI
12 January: The UK Information Commissioner’s Office shares its early thoughts on the data protection implications of agentic AI in its ICO tech futures: Agentic AI report. The report considers the novel data protection risks presented by agentic AI. It also considers how adoption could impact the risks and the effect that will have on the ICO’s work and priorities: Agentic AI: the ICO’s early thoughts on the data protection implications | Data Protection Report
12 January: Ireland’s Data Protection Commission is owed more than €4 billion in fines that have not been collected or are subject to legal challenge. The DPC hit companies – including firms in Big Tech – with more than €530 million in fines last year. However, just €125,000 of that has been collected so far, according to data released under FOI laws: Data Protection Commission owed more than €4 billion in fines – The Irish Times
14 January: A case seeking to provide clarity on EU General Data Protection Regulation requirements governing when pseudonymized data is to be considered personal information has concluded without locking in a firm definition under the law. SRB pseudonymization case withdrawn from EU General Court | IAPP
14 January: UK newspaper the Independent published an interview with a mother who has accused Google of “asserting authority” over its teenage users by contacting them and outlining the steps they can take to update their account so that they “get access to more Google apps and services” once they turn 13: Google accused of ‘grooming’ 13-year-old by telling them to ditch parental controls on their birthday | The Independent
16 January: Guernsey’s government is set to discuss an update to the island’s sexual offences legislation which will address the creation of ‘deepfake’ images in March. Laws to tackle deepfakes are set to be debated soon
20 January: UK based privacy information service PL&B reports that the government has launched a consultation to seek views on whether under 16s should be banned from accessing social media: PL&B News – UK Government consults on social media ban for under 16s
21 January: The European Commission says that TikTok has agreed to provide advertising repositories (central locations) in which data is stored and managed to ensure full transparency around ads on its services, as required by the Digital Services Act (DSA): PL&B News - TikTok makes ad transparency commitments to comply with EU DSA
26 January: The European Commission has launched an investigation, external into Elon Musk's X over concerns its AI tool Grok was used to create sexualised images of real people. It follows a similar announcement in January from the UK watchdog Ofcom: EU investigates Elon Musk's X over Grok AI sexual deepfakes - BBC News
28 January: On Data Protection Day 2026, authorities from around the world issued updates on key privacy issues. Here’s what Canada’s OPC had to say: Statement by Privacy Commissioner of Canada to mark Data Privacy Week - Office of the Privacy Commissioner of Canada
29 January: The EU and Brazil adopted, on 27 January, mutual adequacy decisions which confirm that their levels of data protection are comparable. This recognition allows for personal data to flow freely between the EU and Brazil: EU and Brazil agree a mutual adequacy decision
31 January: Jersey’s Information Commissioner publishes its three-year strategic plan with a focus on swift enforcement: Jersey Information Commissioner outlines three-year plan and signals swift enforcement - Channel Eye