Data Privacy

AEPD Fines Entity for Failure to Respond to GDPR Right of Access Request

The AEPD issued a resolution in case EXP202520411 finding that a data controller failed to respond to a data subject's exercise of the Right of Access under GDPR Article 15 and LOPDGDD Article 13. Following admission of the complaint on 22 December 2025, the AEPD confirmed the entity did not respond to the original request nor to agency inquiries. The resolution orders the entity to provide the legally required response to the access request.

AEPD Fines Real Estate Company €4M for Failure to Respond to Data Protection Information Request

The AEPD imposed a €4,000,000 administrative fine on SERVICIOS INMOBILIARIOS Y GESTIÓN RCL-MADRID, S.L. (NIF B87801262) for failure to respond to two formal information requests sent by the Subdirección General de Inspección de Datos in connection with a data subject complaint (expediente EXP202315840). The company, notified on January 28 and February 20, 2025, provided no response. The fine is assessed under Article 83.5.e GDPR, which carries a maximum penalty of €20,000,000 or 4% of global annual turnover, whichever is greater. The company did not submit any representations during the procedure.

Hypertherm Data Breach Notice to Consumers

Hypertherm filed a data breach notice with the Vermont Attorney General's Office on March 13, 2026, notifying consumers of unauthorized access to personal information. The notice is available as a 260 KB PDF attachment on the AG's security breach notices page. Vermont's security breach notification law requires entities to notify the AG when state residents' personal information is involved in a breach.

Grayback Forestry Data Breach Notice to Consumers

Grayback Forestry filed a security breach notice with the Vermont Attorney General's Office, posted on March 13, 2026. The notice informs Vermont consumers about a data breach involving the company's systems. Consumers potentially affected by the breach should review the full notice for details on what information was involved and recommended protective steps.

Philadelphia Corporation for Aging Data Breach Notice to Consumers

The Vermont Attorney General's Office posted a security breach notice on March 13, 2026, notifying consumers of a data breach involving Philadelphia Corporation for Aging. The notice references an attached PDF document containing full details of the breach, including affected individuals and types of information involved. Consumers who may have been impacted should review the linked document for specifics and recommended protective actions.

Trinity Health Data Breach Notice to Consumers

Trinity Health filed a data breach notice with the Vermont Attorney General's Office on March 13, 2026, notifying consumers of a security incident involving unauthorized access to personal information. The full details of the breach scope, number of affected individuals, and types of data exposed are contained in the accompanying PDF filed with the state. Healthcare organizations experiencing data breaches must file notices with the Vermont AG under state security breach notification law.

Shambhala USA Data Breach Notice to Consumers

Shambhala USA, operating as Karme Choling, filed a data breach notice with the Vermont Attorney General's Office on March 12, 2026. The notice concerns unauthorized access to consumer personal information, triggering notification obligations under Vermont's data breach and security law. Consumers in Vermont who may have been affected should monitor their accounts and credit for suspicious activity.

Iowa AG 2026 Security Breach Notifications

The Iowa Attorney General's office published its 2026 Security Breach Notification page, listing five organizations that reported security breaches to the state. The breaches were reported between January 6 and February 12, 2026, spanning organizations in management services, healthcare, education, skilled trades, and financial services. Each listed organization links to the original breach notification document filed with the AG's office, which consumers may consult for details on the nature of each incident.

2023 Iowa Security Breach Notifications Listing

The Iowa Attorney General published a comprehensive list of 2023 security breach notifications submitted to the office, covering organizations that experienced data breaches between January and December 2023. Notified entities span multiple sectors including healthcare, financial services, retail, education, and insurance, with organizations such as Community Health Systems Inc., Bank of America N.A., Yum! Brands Inc., Harvard Pilgrim Health Care, and Des Moines Public Schools appearing on the list. Some notifications include supplemental information filed on later dates as breach details evolved.

Iowa Attorney General 2022 Security Breach Notifications

The Iowa Attorney General's office published a comprehensive list of security breach notifications reported to the office throughout 2022. The listing includes 43 or more entries spanning January through June, each containing a date-reported field and an organization name, with some entries containing multiple supplemental notifications. Reported entities span healthcare, financial services, legal, education, manufacturing, insurance, and retail sectors, including Medical Review Institute of America, TBK Bank, Lakeview Loan Servicing LLC, Midland University, and Aon Corporation PLC among many others.

Iowa Security Breach Notifications - 2025

The Iowa Attorney General's office publishes a chronological list of security breach notifications filed by organizations in 2025, covering incidents reported from January through June 2025. Notified organizations span diverse sectors including dental services (Medusind/Aspen Dental), education (PowerSchool, Lewis Central Community School District), legal services (Wolf Haldenstein, Berman & Rabin, Day Rettig Martin), financial services (Quad City Bank & Trust, Oxford Life Insurance), and healthcare (Hillcrest Convalescent Center, Balance Autism). Some entries include supplemental letters providing additional breach details. Each notification links to a PDF filed with the AG's office containing specifics about the breach and affected individuals.

Iowa Security Breach Notifications 2024

The Iowa Attorney General published its 2024 Security Breach Notifications compilation page, listing over 50 organizations that filed breach notifications with the office throughout 2024. Reported entities include Oak View Group (1-10-2024), Milliman Inc. (1-12-2024), First Financial Security Inc. (1-19-2024), Deli Management Inc. dba Jason's Deli (1-22-2024), Bankers Life and Casualty Company (1-29-2024), Texas Wesleyan University (1-29-2024), GEICO Corporation/Delta Dental of California (1-30-2024), TRISTAR Insurance Group (2-1-2024), Planet Home Lending LLC (2-9-2024), Golden Corral Corporation (2-16-2024), loanDepot.com (2-23-2024), Northwestern Mutual Life Insurance Company (2-29-2024), AT&T Inc. (4-9-2024), JPMorgan Chase Bank N.A. (5-6-2024), and many others through December 2024. The page also links to supplemental information for several entities including Financial Business and Consumer Solutions Inc. (FBCS) with multiple updates through July 2024. For businesses and government agencies that collect or maintain personal information of Iowa residents, this page serves as the official reference for tracking reported data compromises that may affect their operations, customer relationships, or compliance reporting obligations.

EU Officials Discuss Digital Rulebook Simplification and Regulatory Interplay

This IAPP news article covers the European Data Protection Board's 17 March 2026 workshop on regulatory interplay, featuring remarks from Commission Executive Vice-President Henna Virkkunen and European Parliament Committee on Civil Liberties, Justice and Home Affairs Chair Javier Zarzalejos. The workshop examined how EU GDPR interacts with competition themes, the Digital Markets Act, and the Digital Services Act. Virkkunen outlined proposed harmonization of data breach reporting through a single portal under the Digital Omnibus, covering GDPR, NIS2 Directive, DORA, CER Directive, and Cyber Resilience Act. Zarzalejos framed the intersections of targeted advertising and social media harms as representing a structural shift requiring coordinated enforcement across regulatory scopes.

EU AI in Healthcare Market Study and Recommendations

The European Commission has published a comprehensive study on AI in the EU healthcare market, commissioned by DG CONNECT and serving as a priority workstream for the EU AI Office. The study surveyed 300 healthcare providers and 70 digital health vendors, mapped 690 vendors across 45 technologies, and analysed over 46,000 investment records. Key findings include 94% of EU healthcare providers already using or planning to adopt AI, the EU digital health market projected to grow from EUR 11 billion (2023) to EUR 61.2 billion by 2035 (15.1% CAGR), and estimated net cost avoidance of EUR 252 billion from clinical decision support systems and EUR 192 billion from automated medical image analysis over ten years. Policy recommendations focus on boosting frontier technology innovation, SME and scale-up support for cross-border expansion, interoperability and data infrastructure upgrades, and workforce digital training.

NY AG Sues Attyx for False Solar Incentive Promises and Hidden Loan Charges

The New York Attorney General filed a civil complaint in New York County Supreme Court against solar installer Attyx LLC, its co-founders Grant Young and Benson Payne, and lending partners Solar Mosaic LLC and WebBank, alleging a scheme to defraud consumers through false advertising of 'free' roof replacements and HVAC systems funded by government incentives, deceptive electronic signature practices, and concealed loan surcharges described as 'kickbacks.' The complaint, brought under New York Executive Law § 63(12) and the federal Truth in Lending Act, 15 U.S.C. § 1601, seeks restitution, injunctive relief, and civil penalties for consumers targeted through social media advertising, in-home sales pitches, and fraudulent financing arrangements. Attyx operated from offices in Syosset, New York and Levi, Utah, and marketed primarily to elderly customers on fixed incomes and low- to middle-income homeowners.

PCPD Publishes AI Storybook for Primary School Students

The PCPD published a Chinese storybook titled "Adventure in the AI Labyrinth" (《AI迷城歷險記》) for primary school students on March 17, 2026, as part of its 30th anniversary celebrations. With support from the Education Bureau, the storybook will be distributed to all primary schools in Hong Kong as teaching and learning materials for information literacy, covering topics including proper AI use, safe social media practices, cyberbullying response, and personal data privacy protection. This publication represents an educational resource initiative rather than a binding regulatory instrument, with no compliance obligations imposed on schools, students, or other parties.

London Borough of Southwark FOI Decision Notice: Partly Upheld

The ICO has partially upheld a Freedom of Information complaint against the London Borough of Southwark. The Commissioner found the Council does not hold information about the merging of Rye Hill Park and Rye Hill Estate, but does hold information showing Rye Hill Park is part of Rye Hill Estate. The Council has also failed to demonstrate it does not hold information within scope of part 2 of the request. The Council must issue fresh responses to both parts of the request within 30 calendar days.

ICO Upholds FOI Complaint Against Epping Forest Council

The ICO has upheld a Freedom of Information (FOI) complaint against Epping Forest Council for failing to respond to a request within the statutory 20-working-day limit. The Council has been ordered to provide a response to the complainant within 30 calendar days.

ICO Orders BBC to Respond to FOI Request Within 30 Days

The Information Commissioner's Office has issued an enforcement decision against the British Broadcasting Corporation for failing to respond to a freedom of information request within the statutory 20 working days prescribed under FOIA. The Commissioner has ordered the BBC to provide a substantive response to the complainant within 30 calendar days of the decision date. This is a binding compliance obligation on a public authority under FOI legislation.

Department for Communities Breached FOIA for Universal Credit Information Requests

The Information Commissioner's Office issued a decision notice finding that the Department for Communities (DfC) breached sections 1, 10, and 17 of the Freedom of Information Act 2000 in responding to three separate requests for information about Universal Credit claimants. DfC initially stated it did not hold the requested information but later confirmed during the investigation that it did hold the information at the time the requests were received, and should have issued a refusal notice under section 12 citing the appropriate cost limit. The ICO found the breaches occurred but has not required any specific remedial steps from DfC as a result of this notice.

ICO Upholds Complaint Against DCMS for Vexatious FOI Request Refusal

The Information Commissioner's Office has upheld a complaint against the Department for Culture, Media & Sport (DCMS) regarding the refusal of seven Freedom of Information Act 2000 requests as vexatious under section 14(1). The ICO found that DCMS failed to demonstrate that complying with the requests would impose a grossly oppressive burden, as assertions of burden were not supported with meaningful evidence or quantification. This decision clarifies the evidentiary standard public authorities must meet when refusing FOI requests on vexatious grounds.

ICO Upholds FOI Complaint Against North Tees & Hartlepool NHS Foundation Trust for Delayed Response

The Information Commissioner's Office issued a Decision Notice finding that North Tees and Hartlepool NHS Foundation Trust breached sections 1(1) and 10(1) of the Freedom of Information Act by failing to provide a response within the statutory 20 working day period. The ICO determined on the balance of probabilities that the Trust does not hold any further information within scope of the request, and the complaint about inconsistent information was not upheld. The Commissioner does not require further steps to be taken.

ICO Decision: NHS England FOI Response Time Failure

The ICO has issued a decision notice finding NHS England failed to respond to a Freedom of Information (FOI) request within the statutory 20 working days. The ICO requires NHS England to respond to the complainant within 30 calendar days.

Bedford Borough Council FOI Section 40(2) Not Upheld, Section 17(1)(b) Breach Recorded

The Information Commissioner's Office has issued a decision regarding Bedford Borough Council's handling of a Freedom of Information request for data on individuals housed in private properties. The ICO upheld the council's reliance on section 40(2) of FOIA to withhold the information, finding the exemption was correctly applied. However, the ICO recorded a breach of section 17(1)(b) of FOIA for failing to provide proper notice of the exemption reliance in the council's response. The ICO determined no further steps are required.

ICO Upholds FCDO Refusal on Guantanamo Bay FOIA Request

The Information Commissioner's Office issued a Decision Notice on 11 March 2026 resolving a Freedom of Information complaint against the Foreign, Commonwealth and Development Office. The complainant requested correspondence and internal documents about Guantanamo Bay. The FCDO had refused to confirm or deny whether it held the requested information, citing sections 23(5), 24(2), and 27(4) of FOIA. The ICO found the FCDO entitled to rely on section 27(4) (international relations) to refuse the confirmation, and does not require any remedial steps from the department.

Mid Sussex District Council EIR Request Decision Notice

The Information Commissioner found that Mid Sussex District Council correctly applied Regulations 12(4)(e) and 12(5)(b) to withhold information relating to a poisoning investigation, and that the council does not hold further information within the scope of the request. However, the Commissioner found that the council breached Regulation 5(2) by failing to provide its initial response within 20 working days of receiving the request. No further steps are required of the council.

DfE Withholds Student Finance Cost Projections Under FOIA Section 35(1)(a) — Complaint Not Upheld

The Information Commissioner's Office has issued a decision in case IC-400967-N7L2 finding that the Department for Education (DfE) was entitled to withhold projected cost information relating to an alternative student finance (ASF) system under section 35(1)(a) of the Freedom of Information Act. The exemption covers the formulation or development of government policy. DfE disclosed costs already incurred but withheld forward-looking cost projections including those arising from defaulted and unpaid student loans. The complaint is not upheld and no further steps are required of the public authority.

ICO Upholds Cabinet Office Refusal of Trump-Starmer Golf Course Communication Records

The Information Commissioner's Office has upheld the Cabinet Office's refusal to disclose records concerning communications between Donald Trump and Keir Starmer about an incident at Trump Turnberry golf course in Scotland. The Cabinet Office cited section 27 (international relations) of the Freedom of Information Act as the basis for withholding the information, and the ICO agreed this exemption applies. The Commissioner has determined no further steps are required, closing the complaint.

ICO Decision Notice: NPCC FOI Complaint Not Upheld

The ICO has issued a decision notice finding that the National Police Chiefs' Council (NPCC) does not hold any further information falling within the scope of an FOI request concerning cross-force access. The complaint was not upheld; NPCC provided information for parts 5a and 5b of the request and confirmed it does not hold additional responsive records. No further steps are required of NPCC.

ICO Upholds FOI Complaint Against Barking and Dagenham Council

The Information Commissioner's Office has upheld a Freedom of Information complaint against London Borough of Barking and Dagenham Council, finding that the authority failed to respond to a request within the statutory 20 working day timeframe under FOIA. The ICO has issued a Decision Notice requiring the Council to provide the complainant with a response to their FOI request within 30 calendar days of the decision date. Public authorities receiving similar decisions should treat this as a reminder that missed FOI response deadlines will result in formal enforcement action from the ICO.

Newport City Council Entitled to Withhold Homelessness and LGBTQ+ Report Under Section 41 FOIA

The ICO issued a decision notice on 13 March 2026 finding that Newport City Council was entitled to withhold redacted portions of a research report on homelessness and LGBTQ+ people in Gwent. The council cited section 41(1) of the Freedom of Information Act (information provided in confidence) as the basis for the redactions. The ICO's decision is that the exemption was properly applied and the council's handling of the FOI request was lawful. No further action is required of the council.

DFE FOI Decision: Section 40(5B) Personal Information Exemption Upheld

The Information Commissioner's Office has issued a Decision Notice in favour of the Department for Education in IC-405867. The ICO determined that DFE was correct to refuse to confirm or deny holding information about a referral to the Teaching Regulation Agency, citing section 40(5B) (personal information) of FOIA. The Commissioner ruled that confirming or denying the existence of the requested information would itself breach the data protection principles. No further regulatory steps are required from the public authority.

Khalsa Academies Trust Breaches FOIA Sections 1, 10, and 17

The ICO found Khalsa Academies Trust Limited breached sections 1, 10, and 17 of FOIA by failing to issue a valid substantive response to an information request dated 1 August 2022. The Trust refused disclosure on the grounds that the request was 'manifestly unfounded and excessive' — terminology that does not exist within FOIA — and failed to cite any recognised exemptions or provide a valid refusal notice. The Trust also refused to conduct an internal review when requested. Public authorities subject to FOIA obligations should ensure their responses use correct exemption language and provide valid refusal notices where information is withheld.

South Gloucestershire Council FOI Decision: Upheld

The ICO has upheld a complaint against South Gloucestershire Council for failing to respond to a Freedom of Information request within the statutory 20 working day timeframe prescribed by FOIA. The Commissioner has ordered the Council to provide the complainant with a substantive response within 30 calendar days. Public authorities should treat this decision as a reminder that strict adherence to FOIA response deadlines is mandatory and enforceable.

ICO Decision: Wychavon District Council Correctly Withheld Legal Advice Under EIR

The Information Commissioner's Office has issued a decision notice finding that Wychavon District Council was correct to withhold legal advice under Regulation 12(5)(b) of the Environmental Information Regulations 2004, which permits withholding information where disclosure would adversely affect the course of justice. The Commissioner determined that the council properly applied this exception and does not require the council to take any further steps. This decision clarifies the scope of the 'course of justice' exemption under EIR for local government information requests.

Potto Parish Council Ordered to Provide Fresh FOI Response Without Identity Proof

The Information Commissioner's Office has upheld a complaint against Potto Parish Council for improperly refusing a Freedom of Information request for invoice and audit information. The Council had refused to comply unless the complainant provided proof of identity, which the ICO found to be an invalid ground for refusal under FOIA. The Commissioner requires the Council to provide a fresh response within 30 calendar days that confirms or denies whether the requested information is held, and either discloses it or issues a valid refusal notice, without demanding proof of identity. Failure to comply may result in the Commissioner certifying this fact to the High Court for contempt proceedings.

ICO Upholds FOI Complaint Against Waltham Forest Council

The Information Commissioner's Office has upheld a Freedom of Information complaint against the London Borough of Waltham Forest. The council failed to respond to an FOI request within the statutory 20 working days prescribed under FOIA. The ICO has issued a Decision Notice requiring the public authority to provide the complainant with a response to their information request within 30 calendar days.

AEPD Resolves ICIRED Credit Services GDPR Rights Violation Case EXP202515306

The AEPD resolved case EXP202515306 filed by claimant A.A.A. against ICIRED Credit Services for failing to properly handle data subject rights under Articles 15-22 GDPR and Article 20 LOPDGDD. The claimant was notified of their inclusion in ICIRED's defaulters' file on June 14, 2025, and immediately exercised access, opposition, erasure, and limitation rights via email, demanding documentation of the alleged debt and cancellation of their data. ICIRED's only response was a reiteration without providing any supporting documentation. The company later attributed its failure to a system error, claimed data was not published due to ongoing suspension, and ultimately published the data after the creditor supplied invoices without directly notifying the data subject of this final action.

Colorado AG Joins Coalition Lawsuit Challenging HUD Fair Housing Funding Cuts

Colorado Attorney General Phil Weiser joined a coalition of 16 attorneys general and the District of Columbia filing a lawsuit against HUD challenging guidance issued in September 2025 threatening to decertify and cut off funding to state and local fair housing enforcement agencies unless they stop enforcing state-level protections against housing discrimination based on sexual orientation, gender identity, language, criminal records, and source of income. The coalition alleges HUD's actions violate the Spending Clause of the U.S. Constitution and the Administrative Procedure Act. Attorney General Weiser stated that if unchallenged, discrimination in housing is almost certain to increase.

OneMain Financial Sued for Hidden Loan Add-Ons

Colorado and 12 other attorneys general filed a multistate lawsuit against OneMain Financial, Inc. on March 16, 2026, alleging the company engaged in deceptive lending by hiding costly add-on products—including Guaranteed Asset Protection (GAP) insurance exceeding the 150% loan-to-value limit under Colorado law—in loan agreements, resulting in consumers paying hundreds of millions of dollars in excess charges. The coalition is seeking full restitution for affected borrowers, disgorgement of profits obtained through unlawful practices, civil penalties, and court orders to halt the alleged practices, remove negative credit reporting tied to add-on products, and halt related collection actions.

Dutch DPA AI Impact Barometer Turns Red, Calls for Accelerated AI Regulation

The Dutch DPA (Autoriteit Persoonsgegevens) has published its sixth Report AI & Algorithms Netherlands, showing four of nine indicators in the AI Impact Barometer are now red, doubling from two in the prior report. The AP warns of significant risks from unsafe and discriminatory algorithms that cannot be adequately enforced due to lagging implementation of AI rules. The AP calls on the new government to accelerate EU AI Act implementation by adopting Dutch implementing legislation, designating supervisory authorities, and securing structural funding for enforcement. High-risk AI systems used in recruitment and selection face August 2026 compliance deadlines under the EU AI Act.

EDPB and EDPS Joint Opinion on European Biotech Act

The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) adopted a Joint Opinion on the European Commission's proposed European Biotech Act. The Opinion supports the Proposal's objective of harmonising clinical trial rules and establishing a single legal basis for processing personal data by sponsors and investigators. However, the bodies call for safeguards to protect sensitive health and genetic data, including clarifying controller roles, limiting the 25-year data retention requirement to trial master files only, and ensuring coherence with the AI Act. The Opinion provides six key recommendations addressing data protection in clinical trials.

EDPB-EDPS Joint Opinion 2/2026 on Digital Omnibus Framework

The European Data Protection Board and European Data Protection Supervisor issued Joint Opinion 2/2026 on the EU Digital Omnibus legislative proposal. The opinion supports simplification and competitiveness objectives in the framework while raising key concerns about specific provisions. The joint opinion addresses topics including GDPR application, e-Privacy rules, AI-related data processing, legal basis requirements, and automated decision-making and profiling. EDPB-EDPS joint opinions provide authoritative regulatory interpretation that influences implementation of EU digital single market rules.

PCPD Alerts on OpenClaw and Agentic AI Privacy Risks

The PCPD issued an alert on 16 March 2026 regarding privacy risks associated with OpenClaw and other agentic AI systems. The regulator noted that agentic AI poses higher privacy risks than ordinary AI chatbots due to its broad access to files, emails, account credentials, and browser contents. The alert recommends organisations adopt minimum access rights, use official versions only, separate runtime environments, exercise caution with plugins and skills, and conduct continuous risk assessments when deploying agentic AI tools.

EU Workshop on Digital Services Act with Enlargement Countries

DG CONNECT and DG ENEST hosted a two-day TAIEX workshop on 12 and 13 March 2026 in Brussels with representatives from Albania, Bosnia and Herzegovina, Kosovo, Moldova, Montenegro, North Macedonia, Serbia, and Ukraine to discuss the Digital Services Act and support the EU accession process in platform regulation. The workshop was joined by EU Digital Services Coordinators, civil society, and TAIEX experts. A first workshop on this topic was held in June 2024.

NJ Scrap Tire Act Privacy Concerns

IAPP published an opinion article analyzing the regulatory conflict created by New Jersey Assembly Bill A5851 (Scrap Tire Act), which requires licensed haulers to use GPS-enabled electronic manifest systems to track scrap tire transfers. The article warns that compliance with this environmental tracking mandate may expose haulers to criminal liability under New Jersey A3950 (2022), which prohibits employers from using vehicle tracking devices without prior written notice—a fourth-degree crime punishable by up to 18 months imprisonment, $10,000 fines, and a permanent criminal record. The Scrap Tire Act carries civil penalties of $7,500 (first offense), $10,000 (second), and $25,000 (third/subsequent). The article proposes privacy-enhancing technology solutions including differential privacy, AI-based PII redaction, and NIST AI Risk Management Framework governance mapping.

Two Men Arrested for Doxxing Over Real Estate Investment Dispute

PCPD arrested two men aged 48 and 20 in Hong Kong's New Territories and Kowloon respectively for suspected doxxing under section 64(3A) of the Personal Data (Privacy) Ordinance. The arrests stem from a monetary dispute over a jointly purchased village house investment, where the accused posted flyers outside the victim's real estate agency disclosing his personal data including Chinese name and family photos, with negative comments accusing him of failing to repay a debt. Both individuals have been granted bail as the PCPD continues its investigation.

AI Chatbots Provide Biased Voting Advice, Ignoring Local Parties

The AP (Autoriteit Persoonsgegevens, Dutch DPA) published study findings on March 12, 2026, showing that AI chatbots rarely recommend local political parties (<1% of cases) despite these parties receiving over 30% of votes in Dutch municipal elections. Testing five chatbots (ChatGPT, Claude, Gemini, Grok, Mistral) found they provided voting advice in 93% of cases despite being unsuitable for this purpose. The AP calls on AI chatbot providers to implement safeguards against systems being used for voting advice, noting that under the EU AI Act, AI systems aiming to influence voting behavior are classified as high-risk systems subject to strict rules.

$50M Cambridge Analytica Payment Program Registration Deadline 31 December

Meta Platforms has established a $50 million payment program under an enforceable undertaking accepted by Australia's Information Commissioner in December 2024, resolving 7 years of investigation and litigation related to the Cambridge Analytica matter. More than 300,000 eligible Australian Facebook users have until 31 December 2025 to register under the program, which is being administered by KPMG as an independent administrator at www.facebookpaymentprogram.com.au. The OAIC does not administer the scheme, and any residual funds not exhausted will be paid into the Commonwealth's Consolidated Revenue Fund.

OAIC Statement on Administrative Review Tribunal's Bunnings Facial Recognition Decision

The Administrative Review Tribunal affirmed Privacy Commissioner findings that Bunnings Group Limited contravened Australian Privacy Principles (APP) 1 and 5 regarding facial recognition technology use, specifically finding failures in notice and risk assessment. The Tribunal departed from the Commissioner on APP 3.3, determining Bunnings could rely on exemptions for combatting retail crime and protecting staff and customers from violence, abuse and intimidation. OAIC welcomed the decision as reaffirming privacy protections for emerging technologies, including that even momentary collection of personal information by advanced digital tools constitutes a collection under the Privacy Act.