Data Privacy

NDPC and INEC Form Joint Working Group for Voter Privacy

Dr. Vincent Olatunji, National Commissioner/CEO of the Nigeria Data Protection Commission, inaugurated a joint working group with the Independent National Electoral Commission (INEC) to safeguard the personal data of approximately 94 million registered Nigerian voters. The working group will sensitise stakeholders on data protection responsibilities, ensure responsible data processing by political parties and third-party vendors, and promote the engagement of Data Protection Officers by registered political parties ahead of the 2027 elections. INEC's Deputy Director of Management Information System, Dr Uzunma Aja Nwachukwu, noted that INEC was a beneficiary of NDPC's first data protection training and certification programme.

NDPC Offers Specialized DPO Certification and Privacy Training to Federal Character Commission Staff

The Nigeria Data Protection Commission (NDPC) led by National Commissioner/CEO Dr. Vincent Olatunji offered capacity-building support to the Federal Character Commission (FCC), including Data Protection Officer (DPO) certification training, privacy training programmes, and access to the Virtual Privacy Academy (VPA). The FCC, under Executive Chairman Honourable (Alhaja) Hulayat Motunrayo Omidiran, is recognised as a key data controller and processor given the sensitivity and volume of data it manages. NDPC framed the collaboration as supporting the effective delivery of the Renewed Hope Agenda of President Bola Ahmed Tinubu, GCFR, while enhancing transparency, accountability, and public trust in FCC's activities.

NDPC Kicks Off 2nd Edition of DPO Certification in Abuja and Lagos

The Nigeria Data Protection Commission (NDPC) has commenced the second edition of its Data Protection Officers (DPOs) training and certification programme in Abuja and Lagos. National Commissioner/CEO Dr Vincent Olatunji noted the global scarcity of DPOs and stated the Commission is committed to creating globally competitive human capital to position Nigeria as a hub for privacy experts. Participants in the first edition are now working as DPOs, and current participants will be offered internship opportunities upon completion, with a Faculty for DPOs to be established for ongoing guidance.

Italian DPA Press Releases 2008–2026: Fines, Bans, AI Actions

The Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) publishes an indexed compilation of its press releases from 2008 through February 2026, covering enforcement actions including fines against major technology companies, AI system investigations, and data protection bans. Notable actions include EUR 20 million fine against Clearview AI for biometric data violations, EUR 26.5 million sanction against Enel Energia for aggressive telemarketing, and multiple AI enforcement actions against ChatGPT, DeepSeek, and Meta. The index documents the Garante's regulatory trajectory across two decades of privacy enforcement.

High-Level Debate: From Omnibus to Opportunity - Driving Data Protection and Innovation

The European Data Protection Supervisor (EDPS), the German Federal Commissioner for Data Protection and Freedom of Information (BfDI), and the Bavarian Data Protection Commissioner (BayLfD) are co-organising a high-level debate on 8 June 2026 in Brussels on the European Commission's Omnibus proposals and their implications for the GDPR and the AI Act. The event runs from 18:30 to 20:30 at the Representation of the Free State of Bavaria to the EU, followed by a reception. Representatives from the European Parliament, Council, European Commission, EDPB, EDPS, national and regional DPAs, private sector, academia, and civil society will attend. The debate will address legal certainty, regulatory coherence, preservation of GDPR's protection level, and strengthening fundamental rights, innovation, and competitiveness.

AI Act Practice, Data Governance - EDPS Newsletter 19

EDPS Newsletter Digest Episode 19, dated 26 March 2026, covers three areas: the AI Act moving into practice, new regulatory proposals where fundamental rights are at stake, and moves to strengthen data protection governance inside EU institutions. Speakers Miriam Cakurdova and John McLean discuss these developments shaping data protection in Europe.

EDPB Guidelines on Scientific Research Data Processing Open for Public Consultation Until June 2026

The European Data Protection Board (EDPB) has adopted Guidelines 1/2026 on processing personal data for scientific research purposes, with contributions from Italy's Garante privacy authority. The guidelines clarify that personal data may generally be reused for scientific research even if initially collected for different purposes, provided an adequate legal basis is respected. The consultation runs until 25 June 2026.

EU Commissioner McGrath Discusses Digital Fairness Act, EU Inc. Initiative

EU Commissioner Michael McGrath outlined the Commission's upcoming Digital Fairness Act proposal and EU Inc. initiative at an event in San Francisco, describing efforts to patch gaps in digital consumer protection laws and create a unified corporate legal structure that can be established in 24-48 hours online. McGrath stated the DFA aims to extend DSA-style requirements to companies not currently subject to the Very Large Online Platforms regime, while addressing enforcement gaps for children's data in targeted advertising. The EU-U.S. Data Privacy Framework remains intact despite ongoing trade tensions, with McGrath noting mutual recognition that too much is at stake to allow it to lapse.

Dutch Authorities Call for Complete EU Ban on AI Nudify Apps Without Exceptions

The Dutch Authority for Consumers & Markets, Authority for Online Terrorist and Child Pornographic Material, Autoriteit Persoonsgegevens, Dutch Media Authority, Public Prosecution Service, and police have jointly called for a complete European ban on AI nudify tools without exceptions. Currently, these tools are permitted if the person in the image allegedly gives consent, which authorities say undermines enforcement. Under existing legislation, only individual perpetrators who create and distribute such images can be prosecuted, which authorities describe as an inadequate structural solution to the underlying problem. The Dutch authorities say a ban without exceptions is necessary, though specific details and timelines remain under negotiation at the European level.

Opinion 14/2026 Europrivacy Certification Criteria GDPR Seal Approval

The European Data Protection Board issued Opinion 14/2026 on the Europrivacy certification criteria regarding their approval by the Board as a European Data Protection Seal pursuant to Article 42.5 GDPR. The opinion was published on 16 April 2026 and addresses whether the Europrivacy certification scheme meets the requirements for use as an approved European Data Protection Seal under the GDPR. A related Opinion 15/2026 was also published covering the use of the same criteria as a transfer tool pursuant to Articles 42 and 46 GDPR.

Opinion 15/2026 on Europrivacy Certification Criteria for European Data Protection Seal

The European Data Protection Board issued Opinion 15/2026 on the Europrivacy certification criteria regarding their approval as European Data Protection Seal to be used as a tool for transfers pursuant to Articles 42 and 46 GDPR. The opinion evaluates whether Europrivacy meets the requirements under Article 42(5) GDPR to serve as an approved certification mechanism. EDPB also simultaneously issued Opinion 14/2026 addressing the same certification criteria under Article 42.5 GDPR.

Guidelines 1/2026 on Processing Personal Data for Scientific Research Purposes

The European Data Protection Board has opened a public consultation on Guidelines 1/2026 concerning the processing of personal data for scientific research purposes. The consultation runs from 16 April 2026 to 25 June 2026, during which stakeholders may submit comments on the draft guidelines. The guidelines address legal bases, consent requirements, data subject rights, and controller/processor obligations specifically in the scientific research context, including health research.

Europrivacy Seal Approved as Appropriate Safeguard for International Data Transfers Under GDPR

The European Data Protection Board (EDPB) adopted two Article 64 GDPR opinions at its April 15–16, 2026 plenary session, approving the Europrivacy certification scheme as an appropriate safeguard for international data transfers. The Europrivacy European Data Protection Seal can now be used under GDPR Articles 42 and 46, and the scheme has been extended to cover organizations established outside the EEA but subject to GDPR under Article 3(2). The CNPD submitted the certification criteria as the competent authority overseeing the scheme.

EU Digital Omnibus Deidentification Requirements Under GDPR Recital 26

This IAPP analysis examines the EU Digital Omnibus proposal's amendment to Article 4(1) GDPR, which would codify the 'relative concept' of personal data into binding law. The proposed change clarifies that information does not become personal for an entity merely because a subsequent recipient has means reasonably likely to identify a person, resolving tension between GDPR and EU Data Act obligations. Authors Noemie Weinbaum, Flora Garcia, and Roy Kamp explain that organizations processing deidentified data will increasingly need to articulate and document why they cannot identify individuals — a shift from theoretical to practical burden of proof. The article frames this as 'not deregulation; it is redistribution of responsibility.'

xAI Sues California AG Rob Bonta to Block AB 2013 Training Data Transparency Law

IAPP analysis examines xAI LLC's pre-enforcement lawsuit challenging California AB 2013, the Generative Artificial Intelligence training data transparency law that took effect 1 January 2026. The complaint asserts First Amendment, Fifth Amendment (takings clause), and 14th Amendment claims. The U.S. District Court for the Central District of California denied xAI's motion for preliminary injunction on 9 April 2026, finding the company had not adequately alleged its datasets constitute trade secrets warranting constitutional protection. xAI has appealed to the 9th Circuit Court of Appeals. A parallel action challenges Colorado's AI Act.

EU Age Verification App Technically Ready, Rollout Soon

European Commission President Ursula von der Leyen announced 15 April 2026 that the EU age verification app is "technically ready" and will be "soon available for citizens to use." The app is built on the European Digital Identity Wallet framework and aims to deliver anonymous, privacy-preserving age verification without revealing any other personal information. Online platforms are being encouraged to integrate the solution, with the Commission stating "there are no more excuses" for non-adoption.

Italian DPA Newsletter No. 546: Eni Fined €96k, Remote Exam FAQs, FaceBoarding Non-Compliance

The Italian Data Protection Authority (Garante) published Newsletter No. 546 on April 15, 2026. The newsletter covers a €96,000 fine against Eni for publishing a summons with personal data of 12 signatories along with Greenpeace Onlus and ReCommon APS without legal basis; clarification that employers must grant access to personal email after employment ends; and a finding of non-compliance against the FaceBoarding facial recognition system at Milano Linate Airport. The DPA also published FAQs on remote proctoring clarifying that universities and training entities can process participant data for remote exams and courses under applicable regulations, but automated behavioral analysis systems are prohibited.

Live Nation Found Illegal Monopoly by Jury in Antitrust Case

A federal jury in New York found Live Nation and Ticketmaster liable for monopolizing the live entertainment industry, marking a significant antitrust enforcement milestone. Colorado Attorney General Phil Weiser and a bipartisan group of state attorneys general pursued the case without the federal government after rejecting a settlement reached between the Justice Department and Live Nation. The verdict establishes that Live Nation violated state and federal antitrust laws, with Weiser committing to continue fighting to break up the monopoly, restore competition, and obtain restitution for concertgoers.

Newsletter 546: Privacy FAQ, Eni Fine 96K, Email Access, FaceBoarding, AscoltaMi

The Garante per la Protezione dei Dati Personali issued Newsletter N. 546 covering five distinct privacy matters: (1) new FAQs on remote exam proctoring clarifying that automated behavioral analysis systems are prohibited; (2) a 96,000 euro fine against Eni for publishing a court citation containing personal data of 12 signatories without a valid legal basis; (3) a ruling permitting employees to access their work emails after termination; (4) a finding that Milano Linate's 'FaceBoarding' facial recognition system is non-compliant with GDPR; and (5) approval of the AscoltaMi service for the MIM education ministry. The newsletter summarises enforcement actions, guidance, and compliance decisions issued by the authority.

California Cybersecurity Audit Rule: Class Action Discovery and Privilege Implications

The California Privacy Protection Agency adopted a cybersecurity audit rule effective 1 January 2026, the first such mandate among state data privacy laws of general applicability. This analysis examines how the rule affects data breach class action litigation, noting that audit reports and supporting materials may be discoverable since CCPA audits and risk assessments are not automatically privileged under California law. Companies subject to the CCPA should anticipate disclosure requirements for cybersecurity audits and supporting documentation, including drafts, internal emails, risk assessments and gap analyses.

OneDigital Investment Advisors data breach notice posted 8th Apr

OneDigital Investment Advisors data breach notice posted 8th Apr

Legend Senior Living Data Breach Notice to Vermont Consumers

Legend Senior Living, LLC filed a data breach notice with the Vermont Attorney General's Office notifying Vermont consumers of a security incident involving personal information. The notice was posted on April 10, 2026, and references an attached PDF containing specific details about the breach scope, data types affected, and recommended consumer steps. Organizations handling senior living, healthcare, or sensitive consumer data should monitor for similar breach notifications and review their own incident response procedures.

Buena Vista Management Services Data Breach Notice to Consumers

Buena Vista Management Services, LLC filed a data breach notice with the Vermont Attorney General on April 10, 2026, notifying consumers of a security incident involving personal information. The 315.16 KB notice PDF is available on the AG's security breach notices portal and contains details about the nature of the breach and affected individuals.

Data Breach Notice to Vermont Consumers

Adrian Jules LTD filed a security breach notice with the Vermont Attorney General notifying Vermont consumers of a data breach involving unauthorized access to consumer personal information. The notice was published on the Vermont AG's Security Breach Notices portal on April 8, 20226 (date format per source). Affected Vermont residents are advised to review the full notice for details on the compromised data types and recommended protective actions.

David Evans Enterprises Data Breach Notice to Consumers

David Evans Enterprises, Inc. filed a data breach notice with the Vermont Attorney General's Office on April 10, 2026, notifying consumers of a security incident involving their personal information. The company posted the official data breach notice as a PDF document on the AG's security breach notices portal. Consumers who may have been affected by this incident should review the full notice for details on the nature of the breach and any protective measures available.

Nicholas H. Safford & Co., Inc. Data Breach Notice to Consumers

The Vermont Attorney General's Office has published a data breach notice from Nicholas H. Safford & Co., Inc. alerting consumers to a security incident that may have exposed personal information. The notice was filed with the AG's office and made publicly available on April 10, 2026. Affected consumers should refer to the full notice for details on the nature of the breach and recommended protective steps.

TruView BSI, LLC Data Breach Notice to Consumers

The Vermont Attorney General's Office published a data breach notice from TruView BSI, LLC alerting consumers to a security incident involving personal information. The notice, dated April 8, 2026, is available as a PDF on the AG's security breach notices page. The document provides details on the nature of the breach, the types of information affected, and steps consumers may take to protect themselves.

SDI Management LLC Data Breach Notice to Consumers

SDI Management LLC filed a data breach notice with the Vermont Attorney General's Office on April 9, 2026. The notice concerns unauthorized access or acquisition of personal information affecting consumers. The document is available as a PDF on the AG's security breach notices portal.

EDPB DPIA Template Public Consultation

The European Data Protection Board (EDPB) has opened a public consultation on its draft Data Protection Impact Assessment (DPIA) Template. The consultation runs from 14 April 2026 to 9 June 2026, during which organisations are encouraged to use the template and provide feedback. After finalisation, data protection authorities across the EU will adopt this template as their unique template or as a meta-template with which national specific templates will be compatible.

Contractor Sentenced to 10 Years for $1.4M Home Remodeling Fraud

A Denver District Court judge sentenced Avi Schwalb to 10 years in the Colorado Department of Corrections for carrying out a home remodeling contractor fraud scheme and stealing over $1.4 million from homeowners. In February 2026, a jury found Schwalb guilty on all 47 felony charges of theft, money laundering, and violating the state's organized crime law. Schwalb and his business partners were accused of soliciting home remodeling contracts, collecting customer deposits, and then failing to complete any work on the projects.

EDPB Adopts DPIA Template for Harmonised EU Compliance

The European Data Protection Board (EDPB) has adopted a standardised template for Data Protection Impact Assessments (DPIA), designed to help organisations structure, harmonise and evidence their DPIA reporting processes under the GDPR. The template includes an explainer document that breaks down key concepts in plain language to address knowledge gaps. The template is voluntary but offers predefined fields that prompt complete and structured responses, reducing errors and saving time. A public consultation runs until 9 June 2026, after which Data Protection Authorities across EU member states will adopt the template either as their sole standard or as a meta-template for national alignment.

Brighton & Hove City Council Breaches FOIA/EIR on Drive Request

The ICO upheld a complaint against Brighton & Hove City Council for handling a request for information about the construction of a drive at a specific address under the wrong legal framework. The council disclosed some information but withheld other information under section 21 of the FOIA (information accessible by other means). The ICO found the request should have been considered under the Environmental Information Regulations (EIR), not the FOIA, and that the council breached regulation 5(1) and regulation 14(1) of the EIR by applying the wrong framework. The ICO requires the council to reconsider the request under the EIR and issue a fresh response, disclosing any environmental information unless valid exceptions apply.

RCVS VCMS FOI Complaint Not Upheld - Info Not Held

The ICO issued a Decision Notice dated 8 April 2026 concerning a Freedom of Information complaint against the Royal College of Veterinary Surgeons (RCVS) regarding the Veterinary Client Mediation Service (VCMS). The ICO determined, on the balance of probabilities, that RCVS does not hold the requested information about VCMS complaints. The complaint is not upheld and no further steps are required from RCVS as a result of this notice. This Decision Notice is a formal binding determination under the ICO's FOIA regulatory authority.

Newham Council Stratford One Complaint Details Withheld Under EIR

The ICO has determined that London Borough of Newham correctly relied on regulation 12(5)(b) of the Environmental Information Regulations (EIR) to withhold information relating to complaints about student accommodation known as Stratford One in East London. The Commissioner found that disclosing the information would have an adverse effect on the course of justice. No compliance steps are required of the Council.

Northumbria Police Operation Eustace FOI Complaint Not Upheld

The Information Commissioner's Office investigated a Freedom of Information complaint against Northumbria Police concerning a request for information relating to Operation Eustace. The Commissioner determined on the balance of probabilities that Northumbria Police does not hold information within the scope of the request. As the complaint was not upheld, the Commissioner does not require Northumbria Police to take any steps to provide the requested information.

FCDO fails FOI response deadline, ICO upholds complaint

FCDO fails FOI response deadline, ICO upholds complaint

Crown Prosecution Service Withholds Text Messages, FOI Appeal Not Upheld

The ICO has issued a Decision Notice finding that the Crown Prosecution Service correctly relied on section 30(1)(c) of the Freedom of Information Act to withhold copies of text messages it considered as evidence in connection with particular criminal allegations. The complainant's appeal was not upheld, and the Commissioner does not require the CPS to take any further steps.

FCDO FOI Complaint Upheld, Response Required

The Information Commissioner's Office has upheld a Freedom of Information complaint against the Foreign, Commonwealth and Development Office (FCDO) for failing to respond to a request within the statutory 20 working days prescribed by FOIA. The ICO Decision Notice, dated 7 April 2026, requires the FCDO to provide the complainant with a substantive response to the outstanding request within 30 calendar days of the notice. The complaint is classified under FOI 10 and the FCDO, as a central government authority, is now subject to a binding enforcement requirement to cure the procedural breach.

University of Bradford FOI 10 Upheld, 30-Day Response Required

The ICO has upheld a Freedom of Information complaint against the University of Bradford. The public authority failed to respond to the complainant's FOI request within the statutory 20 working days under FOIA. The ICO requires the university to provide a substantive response to the request within 30 calendar days.

Birmingham City Council FOI 12 Upheld

The Information Commissioner upheld a complaint against Birmingham City Council regarding a Freedom of Information Act request for invoice records from 1 April 2019. The Council initially provided partial information but later attempted to rely on section 12 (appropriate limit) of FOIA to refuse the full request, claiming compliance would exceed cost limits. The Commissioner found the Council is not entitled to rely on section 12 and requires the Council to issue a fresh response that does not rely on that exemption. This decision clarifies that public authorities cannot use the cost exemption without demonstrating genuine effort to locate and provide accessible information.

Castle Point Borough Council FOI Complaint Partly Upheld

The ICO has issued a Decision Notice in respect of a Freedom of Information Act complaint against Castle Point Borough Council. The council had initially refused parts of a three-part FOI request for emails between named individuals, agendas, and meeting minutes, citing sections 40 (third party personal information) and 41 (information provided in confidence) of FOIA. The investigation found that the council does not hold information within scope of part 1 of the request, and is entitled to withhold Email Chain 1 entirely under section 40, and part of Email Chain 2 under section 40. However, the council must disclose the remaining information in Email Chain 2 as no exemption was cited for it.

Kent County Council FOIA 10 Upheld

The ICO issued a decision notice finding Kent County Council in breach of FOIA for failing to respond to a freedom of information request within the statutory 20 working day timeframe. The council must now provide a substantive response to the original request within 30 calendar days of the decision.

Met Police NCND FOI 40 Complaint Not Upheld

The ICO has issued a Decision Notice in case IC-469364-Q5L0, finding that the Metropolitan Police Service was entitled to neither confirm nor deny (NCND) whether a named individual worked for them. The MPS cited section 40(5B)(a)(i) of the Freedom of Information Act as its basis for the NCND response. The Commissioner determined that the MPS's position was lawful and no remedial steps are required.

Apple to Collect Street Images in Luxembourg April 8 – May 7, 2026

Apple will collect street-level imagery across Luxembourg for its Apple Maps service from April 8 through May 7, 2026, using dedicated vehicles. The Luxembourg data protection authority (CNPD) has published this notice to inform the public of the data collection activity. Apple commits that no identifiable faces or license plates will appear on published 360-degree imagery, and individuals may contact Apple directly to request additional blurring of specific images.

Black Country Healthcare NHS Foundation Trust FOI Complaint Upheld

The Information Commissioner has upheld a Freedom of Information complaint against Black Country Healthcare NHS Foundation Trust (BCHFT). The Trust failed to respond to a request for information regarding African Caribbean Community Initiative, who provide mental health services, within the statutory 20 working days required under FOIA. The Commissioner requires the Trust to provide the complainant with a full response to the information request within 30 calendar days.

Police FOI complaint: 10(1) upheld, 12(1) not upheld

Police FOI complaint: 10(1) upheld, 12(1) not upheld

London Borough of Southwark Upheld for FOIA Response Failure

The ICO has upheld a complaint against London Borough of Southwark for failing to respond to a Freedom of Information request within the statutory 20 working day timeframe. The Commissioner has ordered the authority to provide a substantive response to the complainant within 30 calendar days in compliance with its FOIA obligations.

Royal Borough of Greenwich - FOIA Request Non-Compliance Upheld

The ICO has upheld a complaint against the Royal Borough of Greenwich for failing to respond to a Freedom of Information Act request within the statutory 20 working day timeframe. The Commissioner has ordered the public authority to provide a substantive response to the complainant within 30 calendar days of the decision.

ICO Upholds Middleton Cheney Parish Council FOI Cost Limit Refusal

The Information Commissioner's Office issued a Decision Notice on 9 April 2026 concerning a complaint against Middleton Cheney Parish Council. The Council had refused an information request relating to the Middleton Cheney Playing Fields Association, citing section 12(1) (cost limit) of FOIA. The ICO found that the Council was entitled to refuse to comply with the request under section 12(1) and that the Council complied with its section 16 obligations to offer advice and assistance. The Commissioner does not require the Council to take any steps.

Queen Elizabeth Hospital King's Lynn NHS Foundation Trust - FOI Breach Decision

The ICO has upheld a complaint against The Queen Elizabeth Hospital King's Lynn NHS Foundation Trust, finding that the public authority breached section 10 of the Freedom of Information Act 2000 (FOIA) by failing to respond to an information request within the statutory 20 working day timeframe. The Commissioner determined that the Trust must now provide a substantive response to the original request for information concerning failure to pay suppliers on time and liabilities for late payment compensation and/or interest. The decision applies to NHS Foundation Trusts as public authorities subject to FOIA.