The FILED 2025 Midyear Report
From DOGE to DeepSeek, Agentic AI to 23andMe – the biggest news of the year so far.
Hi there,
Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.
This month:
- Why the Qantas hack should send chills around corporate Australia
- What’s next for the evolution of AI regulation?
- The trial between Meta shareholders and current and former company leaders kicks off
But first, we just ticked over the midway point of the year. What’s happened so far?
If you only read one thing:
2025 in privacy, security, and AI
We’re somehow halfway through 2025, and if you’re like us, you've forgotten everything that has happened. Let’s look back at five of the most important themes of the year.
1. The rise and fall of DOGE
Is there an acronym we heard more often in 2025 than DOGE? And is there a quasi-governmental agency that has had a bigger impact on the US government? Elon Musk’s Department of Government Efficiency, created by Executive Order at the beginning of US President Donald Trump’s second term, oversaw a sharp program of job cuts and program closures; an enormous level of disruption to the federal sector.
There were also lawsuits filed over its access to government (citizen) data, as well as its own transparency. Last month, the US Supreme Court allowed DOGE to access Social Security data and reports suggest DOGE may be seeking to create a centralized government database, raising concerns about how this information could be used.
After stepping away from the agency in May, Musk feuded in June with the US President over the latter’s “Big, Beautiful Bill”. Recently, Trump suggested the agency could be turned against its former leader. Meanwhile, reports suggest DOGE 2.0 has become a quieter, more subtle force.
2. China enters the AI race
As 2025 began, Chinese firm DeepSeek made quite a fuss when its R1 “reasoning” model showed performance comparable to ChatGPT and Gemini models but was apparently built for a fraction of the cost (though this was disputed). The announcement spooked the market, with U.S. chipmakers like Nvidia suffering massive market losses. In the months since, despite the US and other countries banning DeepSeek on government devices, tech giants like Amazon Web Services, Microsoft and Google continue to offer the model to customers, global banking giants HSBC and Standard Chartered launched internal testing of the model, and Saudi Aramco recently installed the bot in its main data center.
But aside from the technology, China is also quietly building a case for itself as a global AI regulator-in-waiting, with a steady series of laws enacted, as well as public comments published in the state organ China Daily that the US and China must work together to address some of the potential problems. It is encountering little resistance from the US, as the West pursues “innovation-friendly” regulation.
3. Western regulatory “simplification” and a move towards business-friendly law
Western governments have spent the year increasingly focused on “simplifying” privacy and AI laws and encouraging growth.
The Trump White House has issued new policies on federal agency AI use and procurement, but significant legislative action remains stalled. The aforementioned Big, Beautiful Bill briefly contained a 10-year moratorium on regulation of AI technology, but at the 11th hour, senators voted to remove the provision. The overall tone remains business-friendly, with a light-touch approach favoring innovation.
Across the Atlantic, the European Union is pursuing a strategy of simplifying the GDPR, a move that privacy advocates fear could result in weakened protections. This proposed simplification aims to reduce compliance burdens, particularly for small and medium-sized businesses, and increase EU competitiveness in the AI race. This represents a significant shift in the EU's narrative and tone on tech regulation, moving away from its traditional focus on fundamental rights protection.
And what of AI regulation? February saw the first measures of the European AI Act take effect, but since then industry leaders have pushed the European Commission to enact a pause on implementing the next stage, targeting makers of General-Purpose AI. But on July 4, a spokesperson for the bloc confirmed there would be no pause, and the law would go into effect next month as planned, following up last week with the (voluntary) General-Purpose AI Code of Practice. Don’t count the EU out yet, then.
4. AI goes “agentic”, which may disrupt it all
And what of all this AI innovation? In 2025, agentic AI – autonomous systems capable of executing complex tasks with minimal human intervention – transitioned from concept to widespread application across various industries. Rather than a better chatbot, AI agents are able to obtain up-to-date information, optimize workflows and autonomously plan and execute subtasks to achieve complex goals.
This is a fascinating and exciting time to be in technology, with employees who harness the technology able to achieve far more effective outcomes. Many businesses, though, are struggling to adjust their strategy and processes, battling issues like “shadow AI”, a topic we discussed a lot on the FILED podcast this year.
One thing is for sure; these models are becoming more embedded into our working and personal lives. Businesses that prioritize governance – with a focus on data at the core – will be those best positioned to benefit from this transformation.
5. 23andMe’s busy year
Finally, the trajectory of 23andMe in 2025 – data breach, class-action lawsuit, fine, bankruptcy, rebirth – underscores the importance of robust data governance and privacy practices, especially for companies handling sensitive genomic information.
Between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe’s platform, exploiting reused login credentials stolen from previous unrelated data breaches.
As a result, multiple class-action lawsuits were filed against 23andMe, alleging negligence. In September 2024, the company agreed to a $30 million settlement to resolve these lawsuits, offering compensation to affected users.
The financial strain from the breach and these subsequent legal actions contributed to 23andMe filing for Chapter 11 bankruptcy in March. Customers with data held by the company were (rightly!) concerned about what may happen to their data next.
The question of who would acquire the company out of bankruptcy was unsettled until June, when co-founder Anne Wojcicki eventually won a bidding war to acquire the company for £305m via her nonprofit, though the sale is pending court approval.
One of the first jobs for Wojcicki will be paying a £2.31 million fine to the UK's Information Commissioner's Office (ICO), for failing to implement appropriate security measures to protect user data.
🕵️ Privacy & governance
To watch this week: the trial between Meta shareholders and current and former company leaders - including CEO Mark Zuckerberg, Sheryl Sandberg, Marc Andreessen and Peter Thiel - over the Cambridge Analytica scandal in 2018 over privacy of Facebook data. Shareholders want Zuckerberg and the other defendants to reimburse the company for more than $8 billion in FTC fines and other costs paid by Meta over the scandal.
🔐 Security
🔓Breaches
Louis Vuitton has said the data of some UK customers has been stolen, as it became the latest retailer targeted by cyber hackers. This is the third breach of French retailer LVMH’s systems in the last three months.
🧑⚖️Legal cases & breach fallout
Google Gemini for Workspace can be tricked into generating email summaries that appear legitimate but include malicious instructions or warnings that direct users to phishing sites.
The Qantas hack should send chills around corporate Australia: if it can happen to them, it can happen to anyone.
As ransomware operators now see Linux as fertile ground for disruption and financial gain, CISOs can no longer afford to treat Linux environments as inherently secure or low risk.
🤖 AI governance
Artificial Intelligence Appreciation Day offers a reminder that AI governance is vital (RecordPoint CTO Josh Mason is quoted in this one!)
OK, so there was no moratorium on AI regulation in Donald Trump's Big Beautiful Bill. What does that mean for businesses concerned about adopting AI in a safe, compliant way?
The latest from RecordPoint
📖 Read
Juliet Hart has had a front seat to the rapid changes in the industry, both from a vendor and in-house perspective. She shares a snapshot of the lessons she's collected along the way, and explains how unlocking next-gen innovation starts with great records management.
How and why you need to shift left on finops (feat. commentary from RecordPoint CTO Josh Mason)
🎧 Listen
In this mid-season episode of FILED, Kris Brown and Anthony Woodward sit down with John Maloney, a barrister, Melbourne Law School lecturer, and co-host of the podcast Don't Praise the Machine, to discuss some of 2025’s biggest stories and what we can expect for the second half of the year.
RecordPoint CEO Anthony Woodward joined Alan Shimel at Techstrong.tv for a discussion about how organizations can navigate the complex world of data privacy, compliance, and innovation in the digital age.