Latest changes
GovPing tracks 106 sources for this role across Guidance, Decision, Enforcement, Rule, FAQ, Notice, and Consultation instruments, with 183 changes in the last 7 days out of 4036 total sources.
The Czech DPA fined Avast 351M CZK for GDPR violations, while Italy's Garante imposed €12.5 million in fines on Poste Italiane and Postepay. Ireland's DPC fined University of Limerick €98,000 for data breaches.
Croatian DPA Marks GDPR 10th Anniversary, Participation in Locked Shields 2026
The Croatian Personal Data Protection Agency (AZOP) marks the 10th anniversary of the General Data Protection Regulation (GDPR) and announces the participation of Dr. Matija Kontak in Locked Shields 2026, described as one of the most important, demanding, and largest international cyber exercises. The legal team achieved notable results during the exercise, which tested participants' cyber defence capabilities in a realistic scenario.
AZOP Marks 10th Anniversary of GDPR Adoption
Croatia's Personal Data Protection Agency (AZOP) commemorates the 10th anniversary of the General Data Protection Regulation (GDPR) adoption by the European Union on April 27, 2016, with the regulation entering into application on May 25, 2018. GDPR unified data protection rules across all EU member states and granted citizens greater control over their personal data. AZOP, as Croatia's national supervisory authority, continues to oversee compliance with GDPR within Croatian jurisdiction.
10th Anniversary GDPR Marks European Data Protection Evolution
The European Data Protection Board marks the 10th anniversary of GDPR adoption on April 27, 2016, recalling that GDPR established the first comprehensive data protection framework spanning an entire continent, creating clear rights for individuals and obligations for organisations. The EDPB notes that GDPR gave Data Protection Authorities stronger enforcement powers and expanded their scope from national compliance complaints to handling cross-border cases, while situating GDPR within the broader European digital framework alongside the Digital Services Act, Digital Markets Act, and AI Act.
GPAI Taskforce Meets on Safety and Security Chapter Measures
The Signatory Taskforce for the General-Purpose AI (GPAI) Code of Practice met on March 27 to discuss two topics under the Safety and Security Chapter: aggregate forecasts of risk tiers and harmful manipulation risk scenarios. Providers of GPAI models with systemic risk are required to include in their frameworks estimates of timelines when they reasonably foresee their model will exceed the highest systemic risk tier already reached by any existing models. The AI Office will provide a concrete approach to aggregate forecasting, including standardised forecasting exercises conducted across providers, with cadences discussed ranging from semi-annually to annually. Signatories discussed categorising risk scenarios for harmful manipulation by context of exposure, including GPAI chatbots, third-party applications, agents, or disseminated AI-generated content.
Opinion 12/2026 on Spanish Controller BCRs of Santander Group
The European Data Protection Board adopted Opinion 12/2026 regarding the draft decision of the Spanish Supervisory Authority on the Controller Binding Corporate Rules of the Santander Group. The opinion was issued under Article 64 GDPR consistency mechanism and addresses international transfers of data. The EDPB opinion is non-binding and will inform the Spanish SA's final decision on Santander's BCR application.
Opinion 10/2026 on Dutch Supervisory Authority Draft Decision Regarding Controller Binding Corporate Rules of the SLB Group
The European Data Protection Board issued Opinion 10/2026 regarding the Dutch Supervisory Authority's draft decision on the Controller Binding Corporate Rules of the SLB Group. The opinion was adopted pursuant to Article 64 of the GDPR. SLB Group, a multinational corporation, requires approved BCRs to lawfully transfer personal data from EU operations to countries without an adequacy decision. The EDPB's opinion provides guidance to the Dutch SA on whether the BCR application meets GDPR requirements.
Opinion 11/2026 on Belgian Draft Decision on Controller BCRs for Kuwait Petroleum Group
The European Data Protection Board issued Opinion 11/2026 on the Belgian Supervisory Authority's draft decision regarding Controller Binding Corporate Rules (BCRs) for the Kuwait Petroleum Group. BCRs enable multinational corporate groups to transfer personal data from the EU to countries outside the European Economic Area under internally approved data protection policies. The EDPB's opinion addresses the consistency mechanism under Article 64 GDPR to ensure uniform application of data protection standards across EU supervisory authorities.
Opinion 9/2026 on Dutch Draft Decision for Jacobs Douwe Egberts Controller Binding Corporate Rules
The European Data Protection Board adopted Opinion 9/2026 on 27 April 2026 regarding the Dutch Supervisory Authority's draft decision on the Controller Binding Corporate Rules of the Jacobs Douwe Egberts Group. BCRs enable multinational groups to transfer personal data from the EU to countries outside the European Economic Area under standardised internal data protection policies approved by a supervisory authority. The opinion, issued pursuant to Article 64 GDPR, assesses whether the draft decision meets the requirements established in the GDPR and EDPB guidelines for controller BCRs.
Lorenzo Cotino 10th GDPR Anniversary Speech Highlights AI and Rights
AEPD President Lorenzo Cotino delivered the opening address at the '10th Anniversary of the GDPR: A Decade of Challenges' conference on 24 April 2026. Cotino emphasised that the 27 EU member states are stronger when coordinated against those processing personal data at scale, and that data protection is the right most exposed to disruptive technologies. He highlighted AEPD's internal policy on generative AI use and the launch of the AEPD Laboratory as tools for responsible, transparent AI adoption in public administration. EDPB President Anu Talus underscored that the GDPR is not a static instrument but continues to evolve through practice, cooperation, and interpretation.
Site Map for Czech Data Protection Office
The Czech Data Protection Office (Úřad pro ochranu osobních údajů / UOOU) publishes a site map listing its website navigation structure. The map links to sections covering the office's legal position, history, organisational structure, biographies of its chairman Jiří Kaucký and vice-chairmen Petr Jäger and Josef Mička, mandatory public-disclosure information, freedom-of-information request procedures, and prior responses to information requests from 2021. The page serves as a navigation index only; it contains no substantive regulatory content, decisions, guidance, or enforcement actions.
Commissioner Kosseim Opposes Proposed FIPPA Changes in Ontario
Ontario's Information and Privacy Commissioner Patricia Kosseim issued a statement on March 13, 2026, opposing proposed amendments to the province's Freedom of Information and Protection of Privacy Act (FIPPA). The proposed changes would prevent Ontarians from accessing government information held by the Premier, cabinet ministers, elected officials, and political staff, and would significantly reduce oversight of government data integration programs. Commissioner Kosseim characterized the amendments as an attempt to evade public accountability, particularly in light of an ongoing court case concerning call logs from the Premier's personal cellphone.
IPC Criticizes Proposed FIPPA Changes Excluding Top Officials
The Information and Privacy Commissioner of Ontario (IPC) released an updated statement on March 25, 2026, expressing continued concern about proposed amendments to Ontario's Freedom of Information and Protection of Privacy Act (FIPPA). The proposed changes would exclude all government records held by the premier, cabinet ministers, parliamentary assistants, and their political staff from access requests, including retroactively. The IPC argues this would not modernize FIPPA, as existing exemptions already protect personal information and cabinet confidences, while removal would increase cybersecurity risks and diminish public accountability. The IPC urges the government to reconsider the proposal.
Health Data Regulations Expand, Create Compliance Obstacles
This IAPP analysis, published 24 April 2026, surveys four U.S. health data regulations targeting foreign adversary access: the DOJ Preventing Access to Americans' Bulk Sensitive Personal Data rule (effective 8 April 2025, enforceable 6 Oct. 2025), Florida's Electronic Health Records Exchange Act (effective 1 July 2023), the Texas Genomic Act of 2025 (effective 1 Sept. 2025), and Utah's Genetic Information Amendments (effective 1 Jan. 2028). The analysis covers scope and data types, equipment and software restrictions, data storage requirements, enforcement mechanisms including Texas's private right of action (up to USD 5,000/violation) and the DOJ rule's civil penalties up to USD 377,700 and criminal penalties up to USD 1 million and 20 years imprisonment, and certification and compliance reporting requirements.
FISA 702 Reauthorization Stalls in Congress as Stopgap Expires April 30
U.S. House Speaker Mike Johnson's attempts to secure a five-year reauthorization of FISA Section 702 surveillance authorities failed on April 17, 2026, when a coalition of 20 dissenting Republicans joined most Democrats to block the measure. Congress instead passed a 10-day stop-gap measure expiring April 30. Johnson subsequently released updated legislation titled the Foreign Intelligence Accountability Act, proposing a three-year reauthorization with reforms including monthly Civil Liberties Protection Officer reviews of U.S. person queries, attorney-level approval requirements replacing field supervisor approvals, and expanded congressional access to FISA Court proceedings.
CCTV in Workplace Canteen Ruled GDPR Breach
The Information and Data Protection Commissioner found that a controller violated the General Data Protection Regulation by installing CCTV cameras in its workplace canteen, unlawfully capturing employees during their break and rest time. The Commissioner rejected the controller's legitimate interest justification under Article 6(1)(f), determining that the processing was excessive and not necessary or proportionate to ensure workplace safety. The CCTV footage was subsequently used in disciplinary proceedings against the complainant for consuming alcohol during his break. Employers relying on legitimate interest for workplace surveillance should conduct thorough necessity and proportionality assessments, particularly in areas designated for employee rest and breaks, to ensure compliance with GDPR principles of data minimisation and purpose limitation.
ANPD Participates in Brazilian Delegation Europe Mission on Digital Regulation
ANPD Director Iagê Miola participated in a Brazilian delegation mission to Europe from April 20–24, 2026, under the EU Commission's TAIEX program. The mission included visits and meetings with European regulatory institutions covering algorithmic transparency, platform regulation, and digital protection of children and adolescents. The delegation included representatives from multiple Brazilian federal bodies: the Secretary of Digital Policies, the Secretary of Digital Rights, the Attorney General's Office, and the Ministry of Science, Technology and Innovation. The agenda directly supports Brazil's regulatory priorities including the Digital ECA law, AI advancements, and LGPD implementation.
Slovenia Information Commissioner Active at Privacy Symposium Venice 2026
The Slovenia Information Commissioner actively participated in Privacy Symposium Venice 2026 from April 20-24, bringing together over 400 experts from across Europe and beyond at Ca' Foscari University. Information Commissioner Dr. Jelena Virant Burnik spoke on the 'Age Assurance in Practice' panel addressing proportionate and privacy-friendly approaches to age verification for digital services, while Deputy Commissioner Andrej Tomšič presented on privacy-enhancing technologies from data protection authorities. The Commissioner's office also exhibited the EU CERV-funded 'PrivacyPRO' project aimed at educating children, teachers, and parents about data protection rights.
CNPD Active at Privacy Symposium, Venice, Apr 20-24, 2026
The Luxembourg data protection authority (CNPD) announced its active participation in the Privacy Symposium 2026, held in Venice from April 20 to April 24, 2026, under the patronage of the CNPD. The event brings together the international privacy protection community to discuss key challenges shaping digital governance, including GDPR certification and cross-border enforcement, digital governance and regulatory innovation, cybersecurity and emerging threats, and AI governance. CNPD staff will moderate and speak at multiple sessions throughout the week and will host compliance and certification booths.
EDPB DPIA Template Adopted, Consultation Until June 9
The European Data Protection Board (EDPB) has adopted a template document and detailed explainer to assist data controllers and processors in conducting Data Protection Impact Assessments (DPIA) required under GDPR Article 35. The documents are currently available in English via links provided on the EDPB website. A public consultation has been initiated by the EDPB, with comments accepted until June 9, 2026 through the official reply form.
EDPB 1/2026 on Research Data: Comment by June 25
The European Data Protection Board adopted Guidelines 1/2026 on the processing of personal data for scientific research purposes at its latest plenary session on April 24, 2026. The EDPB has opened a public consultation on the guidelines, inviting stakeholder feedback until June 25, 2026. The guidelines are currently available in English via the EDPB website, with a response form accessible through the EDPB's public consultations portal.
DVI Director Participates in Venice Privacy Symposium on Digital Markets Act
The Data State Inspectorate (DVI) director participated in a privacy symposium held in Venice, organized by Venetian institutions. The symposium focused on practical implementation of the Digital Markets Act (DMA). The event represents Latvia's engagement with broader EU regulatory discussions on digital market compliance and privacy standards.
Ukrainian Judges Training in Latvia on Data Protection Practices
Ukrainian judges visited the Latvian Data State Inspectorate on 22-23 April 2026 for a training programme under the European Council project 'Support to Ukraine for the Implementation of Judicial System Standards'. The delegation studied Latvian data protection experience and EU standard implementation across ten topics including data subject rights, lawful bases for processing, DPIA, and international transfers. The visit ran 20-24 April and included sessions with the Constitutional Court, Supreme Court, Ministry of Justice, and DVI.
Norway Proposes Age Verification Law for Children on Social Media
The Norwegian government plans to introduce legislation requiring age verification for children accessing social media platforms, with tech companies responsible for implementing verification measures. Datatilsynet supports protecting children from potential harm but cautions that verification solutions must adequately safeguard privacy, warning that requiring extensive personal data (such as passport photos or biometrics) without proper safeguards could expose users to data misuse. The proposed law would require all social media users to verify their age to access services, which Datatilsynet notes represents an intrusion into privacy for all users, not just children.
Norwegian DPA Response on Immigration Law Audio-Visual Recording Proposal
Datatilsynet has submitted its consultation response to the Ministry of Justice's proposal to introduce routine audio-visual recording of all conversations in immigration proceedings. The DPA raises three principal objections: the proposal lacks adequate necessity and proportionality assessment, applies uniformly without distinguishing between case types, and fails to specify data retention periods. The DPA recommends narrower scoping of recording authority and clearer statutory limits on storage duration.
EDPB Guidelines on Processing Personal Data for Scientific Research Purposes
The European Data Protection Board (EDPB) has published new guidelines on the processing of personal data for scientific research purposes, now open for public consultation until 25 June 2026. The guidelines address six key criteria for defining scientific research, clarify when researchers may rely on 'broad consent', and resolve the previously unsettled question of whether a compatibility assessment is required for further processing of personal data for scientific research purposes. The EDPB has also issued a separate opinion on the EU Digital Omnibus legislative proposal and its implications for scientific research under the GDPR.
CNPD Contributes to Privacy Symposium Venice, Multiple Sessions
The CNPD (Luxembourg) is actively contributing to the Privacy Symposium in Venice from April 20–24, 2026. Sessions cover digital governance, GDPR certification, financial compliance risk, and cybersecurity, with booths on regulatory compliance tools and GDPR certification. Dedicated "meet sessions" are scheduled Tuesday through Thursday from 10:30 to 11:00.
Form Submission Unavailable Until 8 May 2026 Due to New Portal
The Belgian Data Protection Authority (APD) announces that electronic form submissions for information requests, mediation, or complaints are temporarily unavailable from 23 April 2026 until 8 May 2026 due to technical works for a new citizen portal. Old paper-based and electronic forms will be retired and replaced by dynamic digital forms in the new portal. The new citizen portal will become operational on 8 May 2026, at which point all users must submit requests through the updated system.
Sous la loupe: APD Inspection Service Launches Monthly News Series
The Inspection Service of the Belgian Data Protection Authority (APD) announced the launch of "Sous la loupe," a new monthly news series intended to increase transparency about the inspection service's activities, methodology, and strategic priorities. The publications will appear on the last Friday of each month (except July and August) and will cover recurring themes from investigations, procedural elements, audit practices, and general trends observed by inspectors. The inaugural edition, published on 24 April 2026, announced that the next subject will be chatbots.
RIPD Public Consultation on Ibero-American Data Protection Standards Update
The Red Iberoamericana de Protección de Datos (RIPD) is conducting a public consultation until May 1, 2026, on the first version of the Update to Ibero-American Data Protection Standards. The consultation seeks diverse perspectives from academia, scientific and technical communities, civil society, the private sector, and the general public via an online questionnaire. The updated standards aim to advance data protection policies across the region, strengthen data protection institutions, and specifically address safeguarding minors in digital environments through non-intrusive tools.
ANPD Director Discusses Data Transfer, Certifications, Convention 108+ at Privacy Symposium
ANPD Director-President Waldemar Gonçalves represented Brazil at the Privacy Symposium in Venice, Italy, from April 21–23, 2026, participating in panels on regional data protection legislation evolution, international data transfers, certifications and data protection seals, and health data transfers. The event followed the mutual adequacy recognition between Brazil and the European Union in 2026, which expanded legal certainty for international personal data flows between the two jurisdictions. Bilateral meetings were also held with regulators from multiple jurisdictions covering topics including mutual legal assistance, AI regulation alignment, and regulatory convergence.
ANPD Participates in Global Age Assurance Standards Summit 2026
Brazil's ANPD participated in the Global Age Assurance Standards Summit 2026 in Manchester, England (April 14–16), joining regulators from England, Nigeria, and Fiji to discuss age verification mechanisms in digital environments. Coordinator-General Jorge Fontelles presented Brazil's approach under the ECA Digital and LGPD frameworks, emphasizing shared responsibility, platform design, and inclusion in age assurance. The event also featured discussions on Brazil's phased implementation timeline for age verification requirements.
Multi-Agency Regulation on Online Marketing of Financial Products
Eight Chinese regulatory bodies jointly issued the Management Measures for Online Marketing of Financial Products (Announcement No. 9 of 2026), effective September 30, 2026, establishing binding rules for financial institutions and third-party internet platforms engaged in online financial product marketing. The regulation covers all financial product categories including deposits, loans, securities, asset management products, insurance, foreign exchange, and payment services, and imposes content standards, algorithmic marketing restrictions, prohibited conduct, and third-party platform cooperation requirements. Enforcement mechanisms include regulatory warnings, interviews, corrective orders, administrative penalties, and referral to judicial authorities for criminal prosecution.
Financial Product Online Marketing Management Measures Q&A
Eight Chinese regulatory agencies (People's Bank of China, Ministry of Industry and Information Technology, State Administration for Market Regulation, National Financial Regulatory Administration, China Securities Regulatory Commission, National Intellectual Property Administration, Cyberspace Administration of China, and State Administration of Foreign Exchange) jointly issued the Financial Product Online Marketing Management Measures. The regulation prohibits financial institutions and third-party internet platforms from marketing illegal financial activities including virtual currency trading, illegal forex margin trading, and unlicensed offshore financial services to domestic residents. Loan marketing may not use terms such as "低门槛" (low threshold), "秒到账" (funds arrive in seconds), or "低利率" (low interest rate). Payment checkout pages must visually separate payment tools from loan products. Non-licensed entities may not use "金融" (financial) in their app names or trademarks, and unlicensed individuals may not market financial products via livestreaming, short videos, or WeChat public accounts. Third-party platforms must display the actual financial institution's name and redirect users to the financial institution's own platform, not other third-party platforms. The measures take effect 30 September 2026.
EDPB Stakeholder Event on Competition Law and Data Protection, April 23
The European Data Protection Board announced a remote stakeholder event scheduled for April 23, focused on upcoming guidelines addressing the interplay between competition law and data protection. The EDPB will launch a call for expressions of interest to participate, providing stakeholders an opportunity to inform and support the development of these guidelines. The event reflects the EDPB's commitment to stakeholder engagement and cross-regulatory cooperation as outlined in the Helsinki Statement and EDPB Strategy 2024-2027.
AEPD Wins Best Academic Research Contribution Award at 2026 Summit
The AEPD has received the award for 'Best academic and research contribution' at the Age Verification Sector Awards 2026, held as part of the Global Age Assurance Standards Summit 2026 in Manchester. The recognition honours its research article 'Implications of Age Assurance on Privacy and Data Protection: A Systematic Threat Model', which explores the implications of age verification for privacy and data protection, analysing existing solutions and proposing a comprehensive privacy threat model.
Spanish Data Protection Authorities Sign Joint Declaration on GDPR 10th Anniversary
The five Spanish data protection authorities (AEPD, APDCAT, AVPD, CTPDA, and CGPJ) have signed an institutional declaration on 24 April 2026, marking the first joint commitment among Spanish competent authorities in this domain. The declaration strengthens cooperation to address challenges related to digital transformation, the data economy, and emerging technologies, while promoting a privacy culture and regulatory compliance. The authorities also commit to protecting vulnerable groups in digital environments and anticipating risks from emerging technologies.
EU Digital Omnibus Drops Legitimate Interest for AI Training
This IAPP opinion piece analyzes ongoing uncertainty in the EU regarding whether legitimate interest can serve as a legal basis for training artificial intelligence models under the GDPR. The European Commission's proposed Digital Omnibus would codify the EDPB's December 2024 opinion permitting legitimate interest for AI training under certain accountability conditions. However, the Council of the European Union is reportedly considering removing this proposed provision from the final text, contrary to the EDPB and European Data Protection Supervisor's February 2026 joint opinion, which, while agreeing with the premise, opposed the inclusion as unnecessary. Stakeholders across industry and civil society have raised concerns that the amendment could create a loophole enabling large-scale processing of personal data for AI without user consent.
China Consults on Simplified Data Protection Rules for Processors Under 100K Individuals
The Cyberspace Administration of China issued a consultation draft on 3 April 2026 proposing simplified personal information protection measures for small-scale processors handling data of fewer than 100,000 individuals. The consultation, open through 2 May 2026, would allow qualified entities to adopt streamlined privacy notifications, rely on platform-provided compliance support, and face relaxed impact assessment requirements. The same authorities simultaneously launched a special enforcement campaign targeting financial, education, healthcare, and transportation sectors for app-based data violations, with penalties including app-store removal, fines, and criminal liability.
Yau Yat Chuen Club Data Breach Investigation Report
The PCPD published an investigation report into a ransomware attack on Yau Yat Chuen Garden City Club Limited, finding that outdated remote access software with a known security vulnerability, absent user authentication, and outdated antivirus and firewall software enabled the threat actor to access and encrypt personal data stored on a server. A total of 9,045 data subjects were affected, including 1,553 active members, 1,723 supplementary card holders, 1,313 former members, and 4,456 former supplementary card holders, with exposed data including full names, Hong Kong Identity Card numbers and/or passport numbers, dates of birth, email addresses, contact numbers and addresses. The Privacy Commissioner found the Club contravened DPP 4(1) and DPP 2(2) of the PDPO and served an Enforcement Notice directing remedial measures.
CCTV Camera Installation in Malta Apartment Block Found Unlawful Under GDPR Article 6(1)
The Information and Data Protection Commissioner (IDPC) in Malta issued a decision on a GDPR complaint (CDP_COMP_245_2025) filed on 8 May 2025, finding that the installation of three CCTV cameras by a condominium controller in a residential apartment block constituted unlawful processing of personal data. The controller installed cameras pointing toward the street, front common entrance, and back common entrance without establishing a lawful basis under Article 6(1) of Regulation (EU) 2016/679. During the investigation, the controller failed to provide image grabs from the cameras despite multiple requests from the Commissioner and could not demonstrate that all condominium residents had consented to or authorised the installation.
UODO Requests Polish Law Enforcement Directive Amendments
The President of Poland's Personal Data Protection Office (UODO) has formally requested that the Minister of the Interior and Administration and the Minister of Justice initiate legislative work to fully implement the EU Law Enforcement Directive (Directive (EU) 2016/680) into Polish law. The request identifies critical gaps including: incomplete coverage of personal data processing for criminal justice purposes; absence of fundamental data subject rights in criminal procedure legislation (right to information, access, rectification, erasure, restriction of processing, and the right to lodge complaints); inadequate supervision mechanisms for courts and the Public Prosecutor's Office that fail to meet the Directive's requirement for independent oversight; and the lack of sanctioning instruments for the UODO President despite Article 57 requiring effective, proportionate, and dissuasive penalties.
Deputy President Komornicki Discusses AI Data at Banking Forum
On April 14, 2026, Deputy President Konrad Komornicki of the Personal Data Protection Office participated in a panel at the Banking & Insurance Forum, discussing 'AI-ready data in banks: how to build coherent and secure data ecosystems?' The forum brings together representatives from banking and insurance sectors, regulators, and financial market experts. Discussion topics included building trust in data processing, data sharing principles, ensuring data quality in AI environments, and data as a component of critical infrastructure.
Poland UODO News Page with Recent Announcements
The Polish Personal Data Protection Office (UODO) publishes a news and events listing featuring approximately 50 recent announcements spanning January–April 2026. Items cover court decisions (including Supreme Administrative Court rulings on fines against Santander Bank Polska and Radio Szczecin), GDPR enforcement actions, legislative amendments to the Act implementing the Law Enforcement Directive, conferences on AI and personal data protection, data retention standards, public procurement data protection, and training activities for doctors and court officials.
Navia Data Breach Notification Affects 319,208 Washington Residents
Navia Benefit Solutions, Inc. discovered suspicious activity on January 23, 2026, and determined that an unauthorized actor accessed and potentially acquired certain information between December 22, 2025, and January 15, 2026. The potentially affected data includes name, date of birth, Social Security number, phone number, email address, and health plan information (limited to HRA, FSA, and COBRA participation). On or about March 18, 2026, Navia began providing written notice to 319,208 Washington residents, offering 12 months of complimentary identity monitoring through Kroll. Federal law enforcement was notified, and notifications were sent to HHS pursuant to HIPAA.
Court of Audit Issues Positive Opinion for Slovenia Information Commissioner
The Slovenian Court of Audit (Računsko sodišče) issued a positive opinion for the Information Commissioner (Informacijski pooblaščenec) regarding the correctness of operations for 2024. The audit assessed compliance with regulations and proper use of public funds, specifically examining salary determination, calculation, and payment as well as procurement of goods, materials, services, and fixed assets. No response report was required as the Information Commissioner had already addressed minor irregularities identified during the audit process.
eSafety and OAIC Sign MOU on Privacy and Online Safety Cooperation
The eSafety Commissioner and the Office of the Australian Information Commissioner (OAIC) have signed a Memorandum of Understanding (MOU) formalising inter-agency cooperation on matters where privacy and online safety intersect. The agreement establishes communication pathways for coordinated regulatory responses, including age assurance requirements and Social Media Minimum Age compliance obligations under Australia's Online Safety Act. Online platforms and social media services subject to age restrictions should expect aligned regulatory scrutiny from both authorities as collaboration intensifies.
Italian Privacy Authority Calls Out Media for Publishing Names in Milan Escort Investigation
The Garante per la protezione dei dati personali (Italian Data Protection Authority) issued a press release on 23 April 2026 calling on media outlets and websites to comply with privacy regulations in reporting on a Milan luxury escort investigation. The authority specifically reminded journalists not to publish names of individuals involved in the case who were not under investigation, invoking the principle of essentiality of information (principio di essenzialità dell'informazione). The Garante emphasized that personal data must be limited to what is strictly necessary for understanding the facts of the case.
EDPB Adopts Scientific Research GDPR Guidelines, Anonymisation, Europrivacy Certification
The EDPB adopted Guidelines 1/2026 on processing personal data for scientific research purposes during its April 16 plenary session, providing a six-factor test to determine what qualifies as scientific research under GDPR. The Board also created a sprint team to finalise anonymisation guidelines by summer 2026 and issued two Europrivacy certification opinions, including the first certification recognised as a tool for international data transfers under Articles 42 and 46 GDPR. The scientific research guidelines are open for public consultation until June 25, 2026.
SECURE Data Act Would Establish Federal Privacy Law
On April 22, 2026, U.S. House Energy and Commerce Committee Vice Chairman John Joyce, R-Pa., introduced the SECURE Data Act (HR 8413), the first major attempt in the 119th Congress to establish comprehensive federal consumer privacy rules. The bill would preempt state consumer privacy laws, data broker registries, and possibly some sectoral state laws through a strong preemption regime. If enacted, the bill would grant consumers rights to access, correct and delete personal data, obtain portable copies, and opt out of sales, targeted advertising and profiling. The bill would treat personal data of teens under age 16 as sensitive data requiring parental opt-in consent, expanding COPPA by three years. Enforcement would fall to the FTC and state attorneys general, with no private right of action.
SECURE Data Act: Republicans Propose Federal Privacy Law Preempting State Laws
House Committee on Energy and Commerce Republicans introduced the discussion draft SECURE Data Act on April 22, 2026, proposing a federal comprehensive privacy standard that would preempt state laws including the CCPA and CPRA. The bill omits a private right of action and requirements for data protection impact assessments, data protection officers, or universal opt-out mechanisms. Key new provisions include an FTC-managed data broker registration, a Department of Commerce safe harbor program, and classification of children's data alongside health and geolocation as sensitive data. The bill was introduced jointly with a companion GLBA reform measure.
166 changes in last 7 days
106 official sources tracked
Frequently asked questions
What does this feed cover?
Enforcement actions, guidance updates, and rulemaking across state privacy laws (CCPA, CPRA, CPA, VCDPA, and more), FTC privacy actions, CPPA rulemaking, HHS OCR HIPAA enforcement, and international data protection authorities.
Who is this for?
Privacy officers, DPOs, and legal teams tracking the fast-moving patchwork of US state privacy laws and federal enforcement actions.
How often is this updated?
GovPing checks source pages multiple times daily.
Which state privacy laws are covered?
We track enforcement and rulemaking for CCPA/CPRA (California), CPA (Colorado), VCDPA (Virginia), CTDPA (Connecticut), and all other enacted state privacy statutes.
How is this different from OneTrust or TrustArc?
OneTrust and TrustArc are privacy GRC platforms with regulatory intelligence as one module. GovPing is a free feed of the source pages - state AG enforcement, FTC actions, CPPA rulemaking, HIPAA enforcement - where new privacy actions are first published. Brief-driven, with attention-level ratings on every change.
Is GovPing free?
Yes. GovPing is free, and always will be. We believe government regulatory data should be accessible to everyone. For custom monitoring of pages we don't cover yet, Changeflow starts at $99/mo.