Hong Kong PCPD Arrests Two for Suspected Doxxing
The Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) arrested two men for suspected doxxing and disclosure of personal data without consent, in contravention of the Personal Data (Privacy) Ordinance. The arrests stem from a monetary dispute where personal data and family photos were posted online.
Privacy Commissioner Warns of Construction Worker Recruitment Fraud
The Hong Kong Privacy Commissioner's Office issued a warning regarding fraudulent recruitment advertisements targeting construction workers. The office received 42 complaints in two weeks involving scams that requested sensitive personal data, including construction site "Three Essentials." The PCPD urges vigilance and provides guidance on safeguarding personal data during job applications.
Privacy Commissioner Reports 2025 Work and Data Security Incidents
The Office of the Privacy Commissioner for Personal Data (PCPD) reported on its 2025 activities, including a 23% increase in complaints and a 21% rise in data breach notifications. The PCPD also intervened in three data security incidents and conducted 435 compliance checks.
AI Security and Cybersecurity Summit for Enterprises Registration Open
The Office of the Privacy Commissioner for Personal Data (PCPD) and HKIRC are co-organising an AI Security and Cybersecurity Summit for Enterprises on March 31, 2026. Registration is now open for organizations to address AI security and cybersecurity risks. The event aims to raise awareness and readiness among businesses, including SMEs.
Global Privacy Authorities Joint Statement on AI-Generated Imagery
The Office of the Privacy Commissioner for Personal Data (PCPD) and 60 other global privacy authorities have issued a joint statement expressing concern over AI-generated imagery and its potential for harm. The statement urges organizations to develop and use AI content generation systems lawfully, with specific measures to protect data subjects, particularly children.
AI Chatbots Provide Biased Voting Advice, Ignoring Local Parties
The Dutch Data Protection Authority (AP) released a study showing AI chatbots rarely recommend local political parties when providing voting advice. The AP warns that this bias makes chatbots unreliable voting aids and calls on providers to implement measures to prevent their systems from being used for voting advice, especially in light of the EU AI Act.
PDPC Steps Up NRIC Misuse Enforcement and Issues New Advisory
The Singapore Personal Data Protection Commission (PDPC) is stepping up enforcement against private organizations misusing NRIC numbers for authentication starting January 1, 2027. New advisories are also being issued to guide organizations on data protection lapses and recommend more secure authentication methods.
Data Breach Decision Highlights Security Lapses
The Singapore Personal Data Protection Commission (PDPC) issued a decision regarding a data breach affecting 665,000 individuals due to system misconfiguration. The case highlights lapses in security practices and emphasizes the need for robust technical and governance measures.
PDPC Publishes Four Undertakings on Ransomware and Unauthorized Access
Singapore's Personal Data Protection Commission (PDPC) has published four undertakings from organizations that experienced ransomware attacks and unauthorized access. These undertakings detail remediation measures to strengthen cybersecurity defenses and data protection practices.
Data Protection Breaches Result in Financial Penalties
Singapore's Personal Data Protection Commission issued financial penalties to four organizations for data protection breaches affecting over 1 million individuals. These breaches stemmed from inadequate security measures, including poor patch management and lack of data protection policies. An additional organization committed to an undertaking following a ransomware attack.
Ransomware Incident Data Breach and Security Lapses
Singapore's Personal Data Protection Commission issued a decision regarding a ransomware incident affecting 39,000 individuals' data due to security lapses. Three separate undertakings were also accepted for similar incidents. The Commission directed the organization to strengthen its security posture and highlighted key takeaways for all organizations to prevent future breaches.
OAIC Highlights Improved Transparency in Government Automated Decision-Making
The Australian Information Commissioner (OAIC) has released a report highlighting opportunities for government agencies to improve transparency in automated decision-making (ADM). The report follows a review of 23 agencies and identifies a significant gap in public disclosure of ADM use, with only 17% of agencies disclosing it.
Privacy Commissioner Statement on Bunnings Facial Recognition Decision
The Australian Privacy Commissioner has issued a statement regarding the Administrative Review Tribunal's decision on Bunnings' use of facial recognition technology. The statement clarifies that while the Tribunal allowed Bunnings to use the technology for specific crime prevention purposes, significant privacy safeguards and notification requirements remain crucial.
Cambridge Analytica Payment Program Registration Deadline
Eligible Australian Facebook users impacted by the Cambridge Analytica matter must register for a payment program by December 31, 2025. The program, established by Meta Platforms as part of an enforceable undertaking with the Australian Information Commissioner, offers payments to over 300,000 affected individuals.
OAIC Statement on Bunnings Facial Recognition Technology Decision
The Australian Information Commissioner (OAIC) issued a statement regarding the Administrative Review Tribunal's decision on Bunnings' use of facial recognition technology (FRT). The Tribunal affirmed findings that Bunnings contravened privacy principles by failing to provide adequate notice and conduct a formal risk assessment for its FRT system.
Hungary Ratifies Council of Europe Convention 108+
Hungary has become the 30th party to ratify the Council of Europe's Convention 108+, an international treaty concerning data protection. This action signifies Hungary's commitment to aligning its data protection laws with international standards.
Hungarian Data Protection Authority Launches Freedom of Information Development Project
The Hungarian National Authority for Data Protection and Freedom of Information has launched a development project funded by an EU grant to enhance the enforcement of freedom of information. The project aims to investigate current practices, identify obstacles, and develop proposals for optimisation.
Publication Obligation for Public Data Registry and Transparency Procedure
Hungary's National Authority for Data Protection and Freedom of Information has issued a notice regarding a new publication obligation for budgetary organs. All budgetary organs, except national security services, must publish financial management data bi-monthly on a new online platform, with potential fines for non-compliance.
NAIH launches AWARE project for GDPR awareness
The National Authority for Data Protection and Freedom of Information (NAIH) has launched the EU-funded AWARE project to increase GDPR awareness among micro and small enterprises, particularly in the beauty and private healthcare sectors. The project will run from 2025 to 2027 and includes research, an information website, webinars, and training.
Hungarian Information Rights System 30th Anniversary Celebration
The Hungarian data protection authority celebrated the 30th anniversary of the country's information rights system with an international conference on September 17, 2025. The event reviewed past achievements, challenges, and future tasks in data protection and freedom of information.
Real Estate Agency Fined 100,000 EUR
The Croatian Personal Data Protection Agency (AZOP) has fined a real estate agency 100,000 EUR for violations related to data protection. The agency also announced a conference on Data Protection in AI Systems.
Real Estate Agency Fined for GDPR Violations
The Croatian Personal Data Protection Agency has fined a real estate agency EUR 100,000.00 for processing personal data in violation of the General Data Protection Regulation (GDPR). The agency acted as a controller in this case.
Real Estate Agency Fined EUR 100,000 for GDPR Violations
The Croatian Personal Data Protection Agency has imposed a EUR 100,000 fine on a real estate agency for processing personal data in violation of the General Data Protection Regulation. This action highlights the agency's commitment to enforcing data protection laws.
Croatian Data Protection Agency Fines Real Estate Agency
The Croatian Personal Data Protection Agency has imposed a EUR 100,000 fine on a real estate agency for processing personal data in violation of the GDPR. The agency acted as a data controller and processed data contrary to the regulation's provisions.
Real Estate Agency Fined EUR 100,000 for GDPR Violations
The Croatian Personal Data Protection Agency has fined a real estate agency EUR 100,000 for violating GDPR provisions. The agency acted as a controller and processed data contrary to the regulation.
Data Protection Authority Joint Database Launched
The Austrian Data Protection Authority and the Parliamentary Committee for Data Protection (PDK) have launched a joint database for their decisions within the legal information system (RIS). This new application, named 'Datenschutz-Aufsichtsbehörden', aims to streamline access to data protection rulings.
DSB Circular on Freedom of Information Act
The Austrian Data Protection Authority (DSB) issued a supplementary circular on December 12, 2025, regarding the Freedom of Information Act. This circular clarifies a previous communication, adjusting a reporting deadline for data submissions.
Data Protection Authorities of Slovakia and Austria Meet
Data protection authorities from Slovakia and Austria met on December 10, 2025, in Bratislava to discuss cooperation and upcoming regulatory changes, including GDPR amendments and new EU digital laws. This meeting follows previous bilateral and regional discussions.
Data Protection Authority 2026 Focus Audits on Processing Security
The Austrian Data Protection Authority (DSB) announced its 2026 focus audits will target processing security under Article 32 GDPR. Procedures against selected controllers and processors are scheduled to begin in March 2026, with a second part announced in June 2026.
Irish and Austrian Data Protection Authorities Meeting
The Austrian Data Protection Authority hosted officials from the Irish Data Protection Commission for a meeting on January 13, 2026. The meeting aimed to discuss matters of mutual interest and further strengthen the close cooperation between the two regulatory bodies, particularly concerning cross-border data protection cases.
Seminar on Privacy Risks from Personal Data Processing
The Hellenic Data Protection Authority and the University of Piraeus are organizing an online seminar on privacy risks associated with personal data processing, particularly concerning Artificial Intelligence. The seminar is part of the byRisk project and is open to the general public.
Hellenic Data Protection Authority Holds Dialogue Day with Research Community
The Hellenic Data Protection Authority (HDPA) successfully held its "1st Dialogue Day with the Research Community" on October 1, 2025. The event focused on strengthening cooperation with academic and research institutions on data protection issues, including AI applications and privacy-friendly digital wallets.
byRisk Project Newsletter 2 Supports SMEs with Data Protection Risks
The Hellenic Data Protection Authority has released the second newsletter for the European byRisk project, which aims to support small and medium-sized enterprises (SMEs) in identifying and analyzing data protection risks. This issue details project progress, including risk categorization and the design of a new risk assessment tool.
Hellenic DPA byRisk Project: Data Protection for SMEs and Public Awareness
The Hellenic Data Protection Authority has launched the byRisk project, co-funded by the European Commission, to support SMEs in data protection risk assessment and raise public awareness. The project aims to develop tools for SMEs and the general public, with pilot operations expected by March 2026 and an international conference planned for October 2026.
Hellenic DPA Information Day 2026 on Data Protection and AI
The Hellenic Data Protection Authority (HDPA) held an Information Day on Data Protection Day 2026, discussing the GDPR, the proposed AI Act, and the HDPA's role. The event highlighted the need for effective implementation of regulations and adequate resources for the HDPA.
Data Protection Basics Training Session
The CNPD of Luxembourg is offering a free 'Data Protection Basics' training session in French on June 16, 2026. The 5-hour session is designed for individuals new to data protection and aims to explain the core principles of the RGPD. Registration is required via email.
Data Protection Basics Training - RGPD Introduction
The CNPD (Luxembourg's data protection authority) is offering a 5-hour introductory training session on data protection basics and the RGPD. The training is aimed at individuals new to data protection and will be held in French on April 14, 2026, in Belval.
CNPD AI Data Protection Training Session
The CNPD is offering a 4-hour in-person training session on Data Protection Basics: Artificial Intelligence. The training aims to help participants understand the challenges of AI concerning data protection and the GDPR, and is scheduled for May 5, 2026.
CNPD Workshop on DAAZ Diploma Ceremony
The CNPD is hosting a workshop and DAAZ diploma ceremony on April 29, 2026, in Luxembourg. The event aims to provide feedback on a previous workshop and recognize participants' achievements in the DAAZ tool.
CNPD AI Data Protection Training Session
The CNPD is offering a 4-hour in-person training session on Data Protection Basics: Artificial Intelligence. The session, held on April 7, 2026, aims to explain the challenges of AI in relation to data protection and the GDPR.
Data Protection Authority Fines iHUNT TECHNOLOGY for Privacy Violations
The National Supervisory Authority for Personal Data Processing in Romania has fined S.C. iHUNT TECHNOLOGY IMPORT-EXPORT SA 20,000 lei for violating data protection laws regarding cookie consent. The investigation found that the company stored non-essential cookies without user consent.
National Supervisory Authority Fines Lenjeria Magică SRL for Data Processing Violation
The National Supervisory Authority for Personal Data Processing in Romania has fined Lenjeria Magică SRL 15,000 lei for violating data processing laws related to website cookies. The company stored non-essential cookies without explicit user consent, breaching provisions of Law no. 506/2004 and Regulation (EU) 2016/679.
GDPR Sanction for Ordinul Asistenților Medicali Neamț
The National Supervisory Authority for Personal Data Processing in Romania sanctioned Ordinul Asistenților Medicali Generaliști, Moașelor și Asistenților Medicali din România – Filiala Neamț for GDPR violations. The entity received a fine of 2,000 euros and two reprimands for issues related to video surveillance and data subject information.
CJEU Judgment: Online Marketplace Operator as Data Controller
The Court of Justice of the European Union ruled in Case C-492/23 that an online marketplace operator is a data controller under GDPR. The operator must identify and verify sensitive data in advertisements before publication and obtain explicit consent.
GDPR Sanction for Roumasport S.R.L.
The National Supervisory Authority for Personal Data Processing in Romania has sanctioned Roumasport S.R.L. with a fine of 10,000 euros for violating GDPR provisions related to data security. The investigation followed a personal data security breach due to unauthorized access following cyberattacks.
Italian Privacy Authority Fines Intesa Sanpaolo €17.6 Million
The Italian Privacy Authority has fined Intesa Sanpaolo €17.6 million for unlawfully processing the data of approximately 2.4 million customers. The fine stems from the transfer of customer data to its wholly-owned subsidiary, Isybank, as part of a corporate operation.
Garante Privacy Fines Acea Energia €2 Million for Unauthorized Contracts
The Italian Garante privacy has fined Acea Energia spa €2 million for significant violations of personal data protection laws. The company was found to have used inaccurate customer data to activate over 1,200 unsolicited energy contracts through door-to-door agents.
Italian DPA Newsletter: Aldilapp Fine, Camera Rules, Delegation Platform, AI Concerns
The Italian Data Protection Authority (Garante) issued a newsletter on March 9, 2026, detailing several key actions. It includes a fine against Aldilapp for digital cemetery services, new rules for non-compliant cameras, approval for a delegation management platform, and global data protection authorities' concerns about AI-generated intimate content.
Garante Monitors 'Family in Woods' Case, Recalls Child Protection
The Italian Data Protection Authority (Garante) is monitoring the "family in woods" case and has issued a press release reminding media outlets of their obligations regarding child protection and data privacy. The Garante urges caution in disseminating information that could identify minors.
Garante Privacy Orders Amazon to Stop Worker Surveillance
The Italian Data Protection Authority (Garante privacy) has ordered Amazon Italia Logistica to immediately stop its worker surveillance system. The authority found that Amazon collected sensitive information on employees, including health conditions, union activities, and personal/family life, violating data protection regulations.
PIPEDA Investigation into Google Search Compliance
The Office of the Privacy Commissioner of Canada (OPC) has concluded its investigation into Google's search engine compliance with PIPEDA. The investigation found that Google's accuracy obligations do not extend to the underlying content of linked articles, but it must ensure personal information in search results is accurate.
Loblaw PC Optimum Data Retention Investigated Under PIPEDA
The Office of the Privacy Commissioner of Canada has concluded an investigation into Loblaw Companies Ltd.'s retention of PC Optimum loyalty program member data. The findings highlight the importance of ensuring anonymized data cannot be re-identified and that personal information is destroyed or anonymized when no longer necessary.
Joint Investigation of TikTok by Canadian Privacy Commissioners
Canadian privacy commissioners have concluded a joint investigation into TikTok's collection, use, and disclosure of personal information, particularly concerning children. The findings address appropriate purposes for data handling and the validity of user consent for ad targeting and content personalization.
Staples Canada ULC Investigated for Privacy Practices on Resold Devices
The Office of the Privacy Commissioner of Canada investigated Staples Canada ULC regarding its Openbox program for resold electronic devices. The investigation found deficiencies in data wiping procedures and employee training, leading to recommendations for Staples to improve its practices within nine months.
EU Cooperation on Artificial Intelligence at India Summit
The European Union, represented by Executive Vice-President Henna Virkkunen, will attend the AI Impact Summit 2026 in New Delhi to strengthen cooperation with India on AI governance and innovation. The visit aims to advance the EU's approach to AI, emphasizing trust, innovation, and international collaboration.
Draft Code of Practice on AI Content Marking Published
The European Commission has published a second draft Code of Practice on AI content marking, intended to help providers and deployers meet AI Act requirements. This revised draft aims to streamline processes, reduce compliance burdens, and incorporate feedback from various stakeholders.
New Delhi Declaration on AI Endorsed by 92 Countries
92 countries and international organizations endorsed the New Delhi Declaration on AI Impact at the AI Impact Summit 2026. The declaration outlines a shared global vision for collaborative, trusted, and resilient AI, structured around seven pillars of action and supported by voluntary global initiatives.
EU Endorses AI Declaration and Launches Legal Gateway Office
The European Union has endorsed the Leaders' Declaration at the AI Impact Summit in India and launched the European Legal Gateway Office to connect EU companies with India's ICT talent. The initiative also aims to strengthen global AI governance and promote AI innovation.
EU Commission Launches €75 Million EURO-3C Project for Telco-Edge-Cloud
The European Commission has announced the EURO-3C project, a €75 million initiative to build a federated Telco-Edge-Cloud infrastructure. This project aims to enhance Europe's digital service capabilities and reduce reliance on third-country providers.
CPPA Seeks Comments on Reducing Privacy Rights Friction
The California Privacy Protection Agency (CPPA) is seeking preliminary comments on potential regulatory changes to reduce friction in how consumers exercise their privacy rights. The comment period is open from March 6, 2026, until April 6, 2026.
Accessible Deletion Mechanism for Data Brokers
The California Privacy Protection Agency has finalized regulations establishing an Accessible Deletion Mechanism (DROP) for data brokers, effective January 1, 2026. This system allows consumers to request the deletion of their personal information from registered data brokers through a single request to the agency.
California Adopts CCPA Regulations on Risk Assessments and Cybersecurity
The California Privacy Protection Agency has adopted final regulations updating the CCPA. These regulations implement requirements for risk assessments, annual cybersecurity audits, and consumers' rights regarding automated decision-making technology, effective January 1, 2026.
Data Broker Registration Fee Regulations
The California Privacy Protection Agency (CPPA) is now responsible for the state's data broker registry, effective January 1, 2024. Data brokers must pay an annual registration fee, which the CPPA may adjust. Final regulations for the fee structure have been published for 2024, 2025, and 2026 registrations.
CPPA Seeks Comments on Opt-out Preference Signals Rulemaking
The California Privacy Protection Agency (CPPA) is seeking preliminary public comments on potential rulemaking regarding Opt-out Preference Signals (OOPS). The agency is gathering information to explore whether regulatory changes are necessary to reduce friction in exercising privacy rights. Comments are due by April 6, 2026.
MMG Fusion Settles HIPAA Violations for $10,000
The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a resolution agreement with MMG Fusion, LLC, a business associate handling protected health information (PHI). MMG Fusion will pay $10,000 to settle alleged violations of HIPAA's Privacy, Security, and Breach Notification Rules following a data breach that exposed patient information.
HHS - Syracuse ASC Pays $250,000 for HIPAA Violations
The U.S. Department of Health and Human Services (HHS) has reached a resolution agreement with Syracuse ASC, L.L.C. for violations of HIPAA Rules. Syracuse ASC will pay $250,000 and comply with a Corrective Action Plan to address failures in risk analysis and timely breach notifications.
Deer Oaks HIPAA Resolution Agreement and Corrective Action Plan
The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has entered into a Resolution Agreement and Corrective Action Plan with Deer Oaks, a covered entity under HIPAA. The agreement resolves allegations of impermissible disclosure of protected health information (PHI) and a subsequent data breach, requiring Deer Oaks to pay a resolution amount and implement corrective actions.
HHS Settles HIPAA Breach Case with BST CPAs for $175,000
The U.S. Department of Health and Human Services (HHS) has settled a HIPAA breach case with BST & Co. CPAs, LLP for $175,000. The settlement resolves allegations that BST failed to conduct a risk analysis following a ransomware attack that impacted the protected health information of 170,000 individuals.
Comstar, LLC HIPAA Resolution Agreement and Corrective Action Plan
The US Department of Health and Human Services (HHS) has entered into a resolution agreement with Comstar, LLC, a business associate under HIPAA. Comstar will pay $75,000 and comply with a corrective action plan to resolve alleged violations of HIPAA's Privacy, Security, and Breach Notification Rules following a ransomware attack affecting 585,621 individuals.
South Korea Overhauls PIPA with 10% Turnover Fines and CEO Accountability
South Korea has significantly amended its Personal Information Protection Act (PIPA), introducing fines up to 10% of total turnover and assigning direct supervisory liability to CEOs. These changes, effective September 11, 2026, aim to strengthen deterrence and promote proactive data protection investment.
Maine Privacy Bill Advances, Oregon AI Chatbot Bill Clears Legislature
Maine's legislature has advanced a comprehensive privacy bill, the Maine Online Data Privacy Act, through both chambers. Oregon's Senate Bill 1546, an AI chatbot safety bill, has also cleared its state legislature and is heading to the governor. Both bills represent significant state-level regulatory developments.
US House Committee Advances KIDS Act and Other Online Safety Bills
The U.S. House Committee on Energy and Commerce advanced the KIDS Act, Sammy's Law, and the App Store Accountability Act to a full House vote. These bills aim to enhance children's online safety by addressing issues like dangerous content, age verification, and app store policies.
EU AI Act Omnibus: New Compliance Deadlines and Deepfake Ban
Members of the European Parliament have reached a preliminary agreement on amendments to the EU AI Act, including extended compliance deadlines for high-risk systems and a ban on non-consensual deepfakes. The agreement aims to provide legal certainty and allow more time for technical standards and guidance development.
AI Training Compliance Guidance Post-SRB Ruling
This guidance analyzes the impact of the EU Court of Justice's Single Resolution Board ruling on AI training compliance for engineers. It outlines two pathways for compliance, emphasizing engineering choices in defining identifiability and data protection.
GDPR Rights Procedure Resolution Against CaixaBank Payments
The Spanish Data Protection Agency (AEPD) has issued a resolution regarding a GDPR rights procedure against CaixaBank Payments & Consumer. The case involves a consumer's complaint about inclusion in a debt collection file without proper notification or justification of debt assignment.
AEPD Resolution on GDPR Rights Procedure
The Spanish Data Protection Agency (AEPD) has issued a resolution regarding a GDPR rights procedure. The resolution addresses a complaint where a data subject exercised their right of access, and the data controller failed to provide a legally established response within the stipulated timeframe. The AEPD admitted the claim for processing.
EDPB Letter to EC on US Entry Privacy Implications
The European Data Protection Board (EDPB) has sent a letter to the European Commission expressing concerns regarding the privacy implications of recent US legislative developments affecting entry conditions for EEA citizens. The letter highlights potential risks to data protection and fundamental rights.
EDPB-EDPS Opinion on Biotech Act Privacy Implications
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have issued a joint opinion on the privacy implications of the proposed European Biotech Act. The opinion provides guidance on the GDPR compliance aspects of the proposed legislation.