According to an editorial, NHS patients may be cushioned from the worst impacts of exploitative health data practices, unlike in the US, but they are not immune. It notes that an EU ePrivacy regulation that extends the General Data Protection Regulation (GDPR) to web trackers and profiling is under development, although it has been described as “sitting in the sidings, being mobbed by lobbyists.” Furthermore, the capacity of regulators such as the Information Commissioner’s Office to enforce the rules on privacy is severely constrained by lack of manpower. Penalties for exploitative data practices are typically applied only after incidents have occurred, been spotted, and been reported, and it is likely that the majority slip under the radar. It adds that, on a positive note, this study showed that companies were more likely to declare their data sharing partnerships after the GDPR had come into force, albeit with an eye on the back door, and, more importantly, showed the value of digital forensic research methods for uncovering illicit practices and business relations.