Data Privacy

Dartford Borough Council Ordered to Reply to EIR Request

The ICO has issued a Decision Notice finding Dartford Borough Council in breach of Regulation 5(2) of the Environmental Information Regulations 2004. The council failed to respond to a freedom of information request within the statutory 20 working day timeframe. The Commissioner has ordered the council to provide a substantive response to the complainant within 30 calendar days, failing which further enforcement action may follow.

ICO Finds Manchester City Council FOIA Breach for Inadequate Disclosure and Searches

The Information Commissioner's Office has issued a Decision Notice finding Manchester City Council in breach of the Freedom of Information Act 2000 (FOIA). The Commissioner determined that the Council failed to disclose information within scope of a request regarding the cancellation and rescheduling of the Voices of Resilience event, constituting a breach of section 1(1)(b). Additionally, the Council was found to have not conducted adequate searches for the requested information. The Council is required to conduct fresh searches and disclose the email sent to ticket holders contained in document 'Email 2'.

London Borough of Islington FOI Request Not Upheld

A complainant requested information regarding works for a named street over a certain period from London Borough of Islington. The council disclosed documents it stated met the scope of the request. The ICO Commissioner determined that, on the balance of probabilities, the council provided all relevant information it held within scope of the request. No further action is required as the complaint was not upheld.

ICO Orders NHS Trust to Respond to FOI Request

The UK's Information Commissioner's Office (ICO) has ordered the South London & Maudsley NHS Foundation Trust to respond to a Freedom of Information (FOI) request. The Trust failed to respond within the statutory 20 working days.

ICO Requires South London & Maudsley NHS Foundation Trust to Provide Substantive FOI Response

The ICO issued a Decision Notice finding South London & Maudsley NHS Foundation Trust breached FOIA by failing to respond to a freedom of information request within the statutory 20 working days. The Trust must now provide the complainant with a substantive response within 30 calendar days. This is the second consecutive ICO decision notice referencing FOI non-compliance by a public authority within the same week of publication.

ICO Upholds FOI Complaint Against NHS Trust

The UK's Information Commissioner's Office (ICO) has upheld a Freedom of Information (FOI) complaint against South London & Maudsley NHS Foundation Trust for a delayed response. The Trust is now required to provide a substantive response to the complainant within 30 calendar days.

ICO Upholds FOI Complaint Against NHS Trust

The ICO has upheld a Freedom of Information (FOI) complaint against South London & Maudsley NHS Foundation Trust for a delayed response. The Trust is required to provide a substantive response to the complainant within 30 calendar days.

ICO Upholds FOI Complaint Against Pentraeth Council

The ICO has upheld a Freedom of Information complaint against Pentraeth Council for failing to respond to a request within the statutory 20 working days. The Council has been ordered to respond to the complainant within 30 calendar days.

ICO Upholds FOI Complaint Against NHS Trust

The ICO has upheld a Freedom of Information (FOI) complaint against South London & Maudsley NHS Foundation Trust for a delayed response. The Trust is required to provide a substantive response to the complainant within 30 calendar days.

Italian DPA Sanctions Stup, Municipalities for GDPR Violations

The Italian Data Protection Authority (Garante) issued multiple enforcement actions on March 9, 2026. In the primary case, Garante sanctioned Stup (Aldilapp distributor), the municipalities of Ancona and Velletri, and cemetery operators for GDPR violations arising from a digital cemetery application that automatically created 'digital profiles' of deceased persons using municipal databases, enabling public dedications, virtual candles, and commercial services without adequate legal basis. Fines ranged from €2,000 to €6,000. In a second case, the Municipality of Mazara del Vallo was fined €4,000 for using an unapproved video surveillance system to detect traffic violations without informing affected individuals or conducting a required data protection impact assessment. Additionally, Garante joined 60 global data protection authorities in a joint declaration expressing concern over AI-generated intimate imagery of real persons without consent.

DSA Transparency Reports Bring Harmonised Standards for Content Moderation Practices

The first round of harmonised transparency reports under the Digital Services Act was published last week by providers of intermediary services. The reports use a new machine-readable template standardised by the EU Commission's Implementing Regulation on Transparency Reporting, adopted in July 2025, which replaced the previously varying reporting formats across platforms. The harmonised template enables researchers, journalists, and citizens to compare content moderation decisions across platforms in areas including cyber violence, protection of minors, and scams and frauds, and aligns categories with the DSA Transparency Database for consistency checks at scale.

CNIL Closes Order Against KASPR Following GDPR Compliance

The CNIL restricted committee closed its enforcement order against KASPR on March 4, 2026, after the company demonstrated full compliance with corrective measures issued in December 2024. KASPR, which had been fined €240,000 for GDPR violations involving unauthorized collection of LinkedIn user data from profiles with limited visibility settings, chose to delete its entire database and cease all LinkedIn data collection rather than implement granular remediation. The company also removed automatic data retention renewal mechanisms and now provides information in all EU official languages. The CNIL decided not to liquidate the €10,000-per-day penalty that would have applied for non-compliance, concluding the enforcement proceeding.

AEPD Archives Case Against Orange Spain Over Unauthorized Portability

The AEPD archived proceedings against Orange Spain after the company admitted that a customer's fixed telephone line was ported to a competitor without authorization due to a clerical error. The porting was reversed on 27 February 2024, services were restored, and Orange Spain demonstrated that the incident was covered by pre-existing technical procedures. Citing the CJEU's C-768/2021 ruling, the AEPD declined to exercise corrective powers under Article 58 GDPR, finding the breach had been remedied and conformity with the GDPR was restored.

AEPD Fines ORNITOLÓGICA DE ANDALUCÍA FOA €900 for Undisclosed Mass Email Data Breach

The AEPD issued Resolution EXP202316565 finding ORNITOLÓGICA DE ANDALUCÍA FOA liable for violating Article 5.1.f) of the GDPR by sending a mass email to at least 25 recipients that disclosed a blocked party's full name, surname, and national ID number (DNI). The federation failed to respond to the complaint notification, did not contest the findings, and voluntarily paid the reduced fine of €900 (down from the proposed €1,500 after applying a 40% reduction for voluntary payment and recognition of responsibility). The resolution also orders the entity to adopt within three months measures ensuring the confidentiality of personal data in compliance with Article 5.1.f) of the GDPR.

Judge Rejects All Reddit Claims Against Dutch DPA Investigation Ruling

The District Court in The Hague on March 5, 2026 rejected all claims in summary proceedings initiated by Reddit against the Autoriteit Persoonsgegevens (Dutch DPA). Reddit sought rulings on whether the AP had received legally privileged information during its investigation into Reddit's data processing practices, and sought preservation of all AP-held information. The judge dismissed all requests. The AP is continuing its investigation, launched in 2025, into whether Reddit unlawfully shared or sold personal data of Dutch users to algorithm developers for training purposes. Reddit's European office is located in the Netherlands.

California Privacy Agency Fines Ford $375,703 for Opt-Out Process Friction

The California Privacy Protection Agency Board issued a decision requiring Ford Motor Company to pay a $375,703 fine and change its practices following a settlement reached by CalPrivacy's Enforcement Division. Ford was found to have violated the CCPA by requiring consumers to verify their email address before processing opt-out requests, adding unnecessary friction that discouraged consumers from exercising their privacy rights. The decision establishes that creating barriers in the opt-out process constitutes a violation of the California Consumer Privacy Act.

PlayOn Sports Fined $1.10M for Privacy Violations

The California Privacy Protection Agency Board issued a decision requiring PlayOn Sports to pay a $1.10 million fine and change its business practices following a settlement with CalPrivacy's Enforcement Division. The enforcement action addresses the company's use of tracking technologies to collect personal information and deliver targeted advertisements to ticketholders, including students at approximately 1,400 California schools, without providing lawful opt-out options. The Board found that PlayOn Sports forced users to click "agree" to tracking before accessing tickets or viewing websites, directing them to external opt-out mechanisms instead of providing its own compliant method.

EDPB Conference on Cross-Regulatory Cooperation in EU Data Protection

The European Data Protection Board announced its upcoming conference "Cross-regulatory interplay and cooperation in the EU: a data protection perspective" scheduled for 17 March 2026 from 9.15 to 15.30. The event will provide a high-level overview of the EDPB's work in the EU's cross-regulatory landscape, examining how regulatory frameworks interact and how cooperation between authorities is ensured. Registration is now closed, but the event will be livestreamed on the EDPB website.