Data Privacy

University of York FOIA Complaint - Not Upheld by ICO

The Information Commissioner's Office issued a decision notice on 31 March 2026 finding that the University of York correctly handled a Freedom of Information Act request for professional and academic emails between four named individuals from 1 January 2023. The Commissioner determined on the balance of probabilities that the university does not hold any further information within scope, and that section 40(2) of FOIA was correctly applied to withhold third-party personal data. No remedial steps are required.

Austrian Data Protection Authority Publishes 2025 Activity Report

The Datenschutzbehörde Austria (DSB Austria) has published its 2025 Activity Report (Tätigkeitsbericht 2025), formerly titled 'Datenschutzbericht'. The report covers the Austrian Data Protection Authority's activities, enforcement actions, and regulatory work for the year 2025. This is a routine publication providing an annual overview of the DSB's caseload and regulatory priorities under the GDPR framework.

Hackney Council EIR Procedural Breaches Decision

The ICO has issued a decision notice finding that the London Borough of Hackney Council breached the procedural requirements of the Environmental Information Regulations 2004 in handling a request for information about the Future Shoreditch Area Action Plan. While the Council was entitled to rely on regulation 12(4)(b) to refuse the request as manifestly unreasonable, it failed to issue a proper refusal notice under regulation 14(2) and failed to conduct a proper internal review under regulation 11(2).

London Borough of Waltham Forest Upheld for FOIA Section 10 Breach

The ICO has issued a Decision Notice finding that London Borough of Waltham Forest breached section 10 of the Freedom of Information Act 2000 by failing to respond to a complainant's information request within the statutory 20 working day timeframe. The complaint was upheld. The public authority is now required to provide a substantive response to the outstanding request in accordance with its obligations under FOIA.

Staffordshire Police FOI Request Upheld - Fresh Response Ordered

The ICO has upheld a complaint against Staffordshire Police under FOI 1(1), finding that the force failed to conduct adequate searches to locate information falling within the scope of a request for specific correspondence. The Commissioner requires Staffordshire Police to issue the complainant with a fresh response following searches aimed at identifying all information held. The decision was issued on 1 April 2026.

UK Export Finance EIR Commercial Interests Exemption Decision

The Information Commissioner's Office has issued its decision on a complaint against UK Export Finance regarding a request for information about the financing of a specific project. The ICO found that UK Export Finance correctly applied regulation 12(5)(a) of the Environmental Information Regulations 2004, which allows withholding information where disclosure would adversely affect commercial interests. The exemption was upheld and the complaint was not sustained. The ICO does not require UK Export Finance to take any steps as a result of this decision notice.

Met Police NCND FOIA Exemption for Deceased Nazi Sympathiser Upheld

The ICO has issued Decision Notice FOI 23 concerning a request for information about a deceased Nazi sympathiser made to the Metropolitan Police Service (MPS). The MPS applied neither confirm nor deny (NCND) responses citing sections 23(5), 24(2), 30(3), 31(3) and 40(5B)(a)(i) of FOIA. The ICO has upheld the use of section 23(5) (Information supplied by, or relating to, bodies dealing with security matters), finding that the MPS was not obliged to confirm or deny whether the requested information was held.

London Borough of Redbridge - FOIA Decision on Councillor Property Addresses

The ICO issued a decision on 31 March 2026 regarding a Freedom of Information request made to the London Borough of Redbridge. The complainant sought addresses of rental properties owned by Councillor Athwal plus related correspondence. The Council withheld the addresses under section 44(1)(a) (statutory prohibition) and the correspondence under section 40(2) (personal data). The ICO upheld the section 44(1)(a) exemption for the property addresses but found the section 40(2) exemption did not apply to the correspondence, meaning it must be disclosed.

Northamptonshire Police FOI Complaint Upheld in Part — Fresh Response Ordered for Q5

The Information Commissioner has upheld in part a freedom of information complaint against Northamptonshire Police regarding a request for information about the Developed Vetting (DV) of a former senior police officer. The Commissioner determined that Northamptonshire Police was entitled to rely on section 21(1) FOIA to refuse disclosure of information at Q4, as it was reasonably accessible by other means. However, the Commissioner found that the force's response to Q5 was not compliant with section 1(1) of FOIA. Northamptonshire Police is required to issue a fresh response to Q5, either confirming whether recorded information within scope is held and disclosing it, or issuing a refusal notice that complies with section 17 of FOIA.

Cabinet Office FOI Complaint Not Upheld - No Information Held

The ICO issued a decision notice on 2 April 2026 finding that the Cabinet Office does not hold information within scope of a Freedom of Information request concerning "smashed gangs". The complainant's FOI 1 complaint was not upheld. The Commissioner does not require further steps to be taken.

ICO Upholds DAERA Refusal of Fish Kill Protocol Request

The ICO has upheld DAERA's refusal to disclose its fish kill protocol under the Environmental Information Regulations, finding the withholding justified under regulation 12(5)(g) (protection of the environment). The ICO also found that DAERA's internal review did not comply with the timeliness requirement under regulation 11(4). No further steps are required of DAERA.

Carmarthenshire Council, EIR 5(2) breach, statutory response failure

Carmarthenshire Council, EIR 5(2) breach, statutory response failure

Cheltenham Borough Council EIR 12(4)(a) Information Not Held Decision

The Information Commissioner has issued a Decision Notice concerning Cheltenham Borough Council's handling of an information request about a potential loan for the Minster Exchange development project. The Commissioner determined that while the council should have processed the request under the Environmental Information Regulations rather than FOIA, the council was entitled to rely on regulation 12(4)(a) on the basis that the requested information is not held.

Cheshire East Council, procurement bids withheld, FOI 43(2) not upheld

Cheshire East Council, procurement bids withheld, FOI 43(2) not upheld

ICO Upholds BBC Decision on Celebrity Traitors Salaries FOIA

A complainant requested salary information for celebrities appearing on the 2025 series of The Celebrity Traitors and details of donations to the winner's nominated charity. The ICO determined that this information, if held by the BBC, would be held for the purposes of 'journalism, art or literature' and falls outside the scope of FOIA. The BBC's decision to refuse disclosure is upheld and no remedial action is required.

Blackburn with Darwen Borough Council FOI Section 17 Breach Upheld

The ICO has upheld in part a Freedom of Information complaint against Blackburn with Darwen Borough Council, finding that the council was entitled to withhold information about a vacant property under section 40(2) of FOIA (third party personal data). However, the council was found to have breached section 17 of FOIA for failing to issue a refusal notice within 20 working days of receiving the original request. The ICO did not require the council to take any further steps.

Department for the Economy - EIR 14 Procedural Breach Finding

The ICO issued a Decision Notice finding that the Department for the Economy's initial refusal notice breached regulation 14(3) of the Environmental Information Regulations (EIR) by failing to specify the exception(s) it sought to apply under regulation 12(5)(e). The underlying exception claim based on commercial interests was not upheld. The ICO determined that no remedial steps are required to be taken by the Department.

London Borough of Brent EIR Complaint Dismissed Over Bobby Moore Bridge

The ICO dismissed a complaint against the London Borough of Brent regarding a request for information about the awarding of an advertising contract concerning the Bobby Moore Bridge. The council had cited regulation 12(4)(e) (internal communications) of the Environmental Information Regulations to withhold the information. The Commissioner determined that the council was entitled to apply this exception and that the balance of public interest favours maintaining it. No further action is required as the complaint was not upheld.

EIR Complaint Against Croydon Council Upheld

The ICO has upheld a complaint against Croydon Council under the Environmental Information Regulations, finding the council failed to respond to an environmental information request within the statutory 20 working day timeframe. The council must now provide a response to the complainant within 30 calendar days.

HMT Labour Together FOIA Request Not Upheld

The ICO Commissioner found that HM Treasury (HMT) does not hold information relating to meetings and correspondence between HMT ministers/officials and Labour Together for the purposes of section 1(1)(a) of FOIA, and therefore the freedom of information request was not upheld. However, HMT breached section 10(1) of FOIA by failing to respond within the statutory 20 working days — the request was made on 7 November 2024 but HMT did not seek clarification until 16 January 2025, which was outside the required timeframe. The Commissioner requires no steps to be taken as a result of the breach.

DROP Audits Preliminary Comment Period - Data Broker Regulations

The California Privacy Protection Agency (CPPA) is conducting preliminary rulemaking activities to explore regulations clarifying audit requirements for data brokers processing deletion requests under CalPrivacy. The agency is accepting preliminary written comments from April 7, 2026 until 5:00 p.m. PT on May 7, 2026. This is pre-rulemaking activity—preliminary comments do not reflect any decisions regarding future formal rulemaking, and if regulations are proposed, a separate formal APA comment period will follow.

Buenos Aires Decree 97/26 Promotes AI in Public Sector

Marval, O'Farrell & Mairal analyzed Ciudad Autónoma de Buenos Aires Decree 97/26, which establishes a general mandate for all government departments to actively promote AI implementation in both internal management and citizen-facing services. The decree identifies priority areas including economic activity authorizations, building permits and notices, traffic violation processing, and citizen service channels. The Secretaría de Innovación y Transformación Digital is designated as the coordinating authority for AI implementation across the city government.

CFM Resolution 2.454/2026 AI Governance Standards for Brazilian Medicine

Brazil's Federal Council of Medicine (CFM) published Resolution CFM No. 2.454/2026 establishing governance, audit, and monitoring standards for AI systems used in medicine. The resolution requires preliminary risk classification (low, medium, high, or unacceptable), mandates documentation of AI use in clinical records, prohibits AI from independently communicating diagnoses or therapeutic decisions without human mediation, and obliges institutions to establish internal AI governance commissions. The regulation intersects with Brazil's LGPD by treating health data as sensitive throughout the AI lifecycle and by requiring privacy-by-design and by-default controls.

Chile LPDP Reshapes M&A Privacy Due Diligence, Compliance Deadline December 2026

This IAPP analysis examines how Chile's Ley 21.719 on Personal Data Protection (LPDP), effective December 1, 2026, will fundamentally reshape privacy practices in mergers and acquisitions. The law introduces fines up to 20,000 UTM (approximately USD 1.6 million) and establishes the Agencia de Protección de Datos Personales with investigative and corrective powers. Organizations conducting M&A in Chile must now incorporate a formal privacy checkpoint in due diligence, verify legal bases for data processing and consent mechanisms, and establish compliant cross-border transfer protocols using Chilean Standard Contractual Clauses approved in December 2025.

CNPD Attends IAPP Global Summit 2026 Washington DC

The CNPD participated in the IAPP Global Summit 2026 held in Washington, DC from March 30 to April 2, 2026. CNPD President Tine A. Larsen represented the Luxembourg data protection authority at the event, which gathered 42 data protection authority representatives, U.S. privacy officials, federal representatives, Congressional members, and FTC commissioners. Discussions addressed data protection priorities, the U.S. legislative agenda, and international cooperation prospects.

Vodafone Spain Appeal of €200k Data Fine Dismissed

The AEPD has dismissed Vodafone Spain's recurso de reposición (administrative appeal) against a €200,000 GDPR fine originally imposed under Expediente EXP202308705. The fine was for violating Article 6.1 GDPR (lawfulness of processing) due to Vodafone's failure to verify customer identity before processing a request to modify the claimant's email address, which enabled a third party to fraudulently obtain a duplicate SIM card for the claimant's phone line. The AEPD rejected all of Vodafone's appeal arguments, including that security measures need not be absolute and that the company acted with due diligence, affirming the penalty for inadequate SIM issuance controls.

GDPR Appeal Dismissed as Late - Administrative Procedure

The AEPD Presidency dismissed a recurso de reposición (administrative appeal) filed by A.A.A. against resolution EXP202407584 of 24 January 2026, finding it time-barred by one day under Article 124 of the LPACAP. The one-month filing deadline ran from notification on 26 January 2026, expiring on 26 February 2026; the appeal was not filed until 27 February 2026. The dismissal is final in the administrative lane, and the appellant may file a contentious-administrative claim before the Audiencia Nacional within two months of notification.

ARTURO ACOSTA S.L. v. AEPD - Right to Erasure Appeal Dismissed

The AEPD dismissed the recurso de reposición filed by ARTURO ACOSTA, S.L. against the agency's prior resolution upholding a data subject's right-to-erasure claim. The company had argued devices were returned factory-reset with no accessible personal data and that Article 17 GDPR compliance was technically impossible. The AEPD rejected this, holding that regardless of the technical state of devices, the data controller remained obligated under Article 12.3 GDPR to respond formally and in writing within the legal timeframe. The technical certificate submitted by the company was found insufficient as it only described device state, not the required formal response to the data subject. This decision reinforces that GDPR erasure obligations cannot be satisfied by tacit or presumed compliance.

GDPR Article 15 Subject Access Request Complaint Assessment

The Information and Data Protection Commissioner assessed a GDPR Article 77 complaint where a complainant alleged a controller failed to provide complete personal data in response to a Subject Access Request under Article 15. The controller responded on June 1, 2025 with only partial records, omitting internal/external correspondence, employment-related third-party communications, salary progression records, and Industrial Tribunal-related data. The Commissioner determined the investigation scope shall not extend to a 2019 access request due to the complainant's nearly six-year delay in lodging the complaint, which materially impaired the ability to conduct a fair investigation. Following the controller's initial response, additional searches were conducted and further records were retrieved.

Baron Property Services Settles Colorado AG Investigation Over Renters Insurance Overcharges and Criminal Background Screening

Colorado Attorney General Phil Weiser announced a settlement with property management company Baron Property Services, LLC, resolving allegations that the company violated the Colorado Consumer Protection Act by improperly charging tenants for renters insurance and violated the Rental Application Fairness Act by treating pending or unresolved criminal charges as convictions. Under the settlement, Baron will pay approximately $7,300 in restitution to 368 tenants who were improperly charged for insurance when they had individual renters insurance, and $67,635 to the state.

California Higher CCPA Fines, Age Assurance Enforcement Ramp-up

CalPrivacy Deputy Director Michael Macko indicated at the IAPP Global Summit 2026 that CCPA fines may increase, noting fines could become 'a cost of doing business if they're not higher.' The agency levied its first CCPA fine in March 2025 and reached five CCPA settlements totaling less than USD4 million; data broker registration fines brought five-figure penalties. The California AG's office separately signaled an upcoming rulemaking on age assurance under the Protecting Our Kids from Social Media Addiction Act (SB 976), with age verification provisions taking effect January 1, 2027. Connecticut's AG has an active probe into a major AI chatbot's CTDPA compliance, and Delaware and Indiana gained enforcement authority under their comprehensive privacy laws effective January 1.

OAIC Draft Children's Online Privacy Code for Online Services

The Office of the Australian Information Commissioner released an exposure draft of the Children's Online Privacy Code on April 2, 2026, opening a 60-day public consultation. The draft introduces new obligations requiring organizations to consider children's interests before collecting, using, or disclosing their personal information, obtain consent for targeted advertising, and provide deletion rights. Novel protections include requirements to notify children when a parent has provided consent on their behalf and when parents or other users are tracking their geolocation. The code applies to online services where children face highest privacy risks including apps, games, streaming services, and educational tools. The code is slated to become law in December 2026, complementing the social media minimum age obligation that took effect in December 2025.

Mass Disclosure of Personal Data and Privacy Lessons from Slovakia and the EU

This IAPP analysis article examines how courts in Slovakia and at the EU level have consistently ruled against broad, indiscriminate personal data disclosures, striking down measures including Slovakia's NGO donor disclosure law, provisions of the Fifth Anti-Money Laundering Directive allowing unrestricted public access to UBO registries, and the EU Data Retention Directive. The article analyzes five CJEU decisions spanning 2014-2022 to illustrate the proportionality principle: any broad collection, processing or publication of personal data must be justified and proportionate to its purpose, with adequate safeguards for affected individuals. Key takeaway for governments and organizations: simply invoking public interest is insufficient, and blanket measures treating all individuals equally without distinction are unlikely to withstand judicial scrutiny.

45-Year-Old Male Arrested for Suspected Doxxing Under PDPO Section 64(3A)

PCPD arrested a 45-year-old Chinese male in the New Territories on 2 April 2026 for suspected doxxing of a female friend, allegedly disclosing her personal data—including her Chinese name, HKID number, residential address, and photo—on seven occasions across social media and flyers between December 2025 and January 2026 without her consent. The arrested person was granted bail and PCPD will continue its investigation into the case. PCPD warns that doxxing is a serious offence carrying a maximum penalty of HK$1,000,000 fine and five years' imprisonment.

Joint Taskforce on Motor Finance Claims

The FCA, SRA, ICO, and ASA have launched a joint taskforce to address poor handling of motor finance claims by claims management companies (CMCs) and law firms. The ICO has stated it will take action against unlawful unsolicited direct marketing practices causing harm to the public, working alongside taskforce partners to pool expertise and regulatory powers. The ICO encourages members of the public to report nuisance calls and texts through its complaints process.

European Complaint Handling Workshop on GDPR Cooperation

The CNPD hosted a three-day European workshop in Luxembourg from March 25–27, 2026, bringing together representatives of the European Data Protection Board (EDPB) and 24 national data protection authorities. The workshop, titled 'Practical issues concerning complaint handling: establishment of shared best practices,' addressed common operational challenges in data protection complaint management and explored solutions drawn from field experience. Participants focused on information sharing and harmonising complaint-handling procedures across EU data protection authorities to strengthen consistent application of the GDPR.

Guide on Recording Workplace Meetings Legally

The CNPD has published new thematic guidance clarifying the legal framework for audio recording of workplace meetings in the private sector. The guidance addresses GDPR compliance requirements, including employee consent and legitimate interest considerations, and responds to frequently asked questions from private-sector actors. This dossier applies exclusively to enterprises, associations, and private organisations; it does not cover public-sector entities such as communes or the Chamber of Deputies.

CNPD Sponsors EschTechWeek 2026 AI Event in Esch-sur-Alzette

The CNPD participated as an official sponsor of EschTechWeek 2026, held from March 23 to 28, 2026 in Esch-sur-Alzette, Luxembourg. The event, focused on artificial intelligence, brought together institutions, experts, businesses, and citizens around digital innovation and its societal implications. CNPD staff contributed to three activities: a Tech Supreme Court Junior ethical AI moot court, a TN'Teens workshop titled 'Le mythe de Prométhée à l'ère de ChatGPT', and a Bus Tour stop at the Twist building in Belval.

HKIRC and PCPD Co-organise AI Security Summit for Enterprises, Over 620 Attend

The Hong Kong Internet Registration Corporation Limited (HKIRC) and the Office of the Privacy Commissioner for Personal Data (PCPD) co-organised the 'AI Security and Cybersecurity Summit for Enterprises' on 31 March 2026, with the Digital Policy Office as strategic partner. The Summit covered two thematic areas—Cybersecurity and Artificial Intelligence (AI) Security—and attracted over 620 corporate representatives from diverse sectors, including small and medium-sized enterprises, to enhance organisational awareness of cybersecurity and AI security risks. The PCPD announced it would launch a 'Data Security' Package in Q2 2026 with free quotas for professional workshops.

PCPD Publishes eHealth Privacy Guidance for Healthcare Professionals

The Office of the Privacy Commissioner for Personal Data (PCPD) published an information leaflet titled 'Points to Note for Healthcare Providers and Healthcare Professionals' on 31 March 2026, providing practical guidance on compliance with the Personal Data (Privacy) Ordinance (PDPO) when handling patient data through Hong Kong's Electronic Health System (eHealth System). The leaflet covers requirements for data collection and use, data accuracy, data security, direct marketing restrictions, transparency obligations, and data access/correction request handling. It includes an action list to assist healthcare providers in reviewing whether adequate measures have been adopted to safeguard personal data privacy.

Proposed FOIA and Privacy Act Regulations

The Office of the National Cyber Director (ONCD) published a notice of proposed rulemaking establishing its first Freedom of Information Act (FOIA) and Privacy Act regulations. These regulations will govern ONCD's procedures for processing public records requests and handling personal data under the Privacy Act. Public comments are accepted until May 15, 2026.

GDPR Appeal Inadmitted — Complainant Lacks Standing

The AEPD Presidency issued a resolution on 12 February 2026 inadmitting a recurso de reposición filed by A.A.A. in case EXP202500572 against CONSEJERÍA DE EDUCACIÓN DE LA JUNTA DE CASTILLA Y LEÓN. The inadmission rests on Article 62.5 of the LPACAP and Article 116(b) LPACAP: filing a complaint or denuncia under GDPR Article 77.2 does not confer standing to challenge the AEPD's decision to close the proceedings, because complainants have neither a subjective right nor a legitimate interest in the sanctioning of the reported party. The Supreme Court decisions cited (26 November 2002 and 6 October 2009) establish that punitive power belongs solely to the Administration, not to private complainants.

First FOIA and Privacy Act Regulations

The Office of the National Cyber Director (ONCD) has released its first proposed Freedom of Information Act (FOIA) and Privacy Act regulations for public comment. The regulations establish ONCD's procedures for processing FOIA requests and managing Privacy Act records. Comments on the proposed rule are due May 15, 2026.

CNPD and Luxembourg AI Factory Host RE.M.I. AI Plenary Session

On March 17, 2026 at Belval, Luxembourg's CNPD and Luxembourg AI Factory co-hosted the second RE.M.I. (Regulation Meets Innovation) plenary session, bringing together researchers, regulators, businesses, and innovation-support organisations. The SnT presented deepfake detection research, ALIA outlined AI Act transparency obligations, and POST Telecom shared a road-safety AI use case. REMI working groups reported progress on pre-trained model selection, note-taking assistants, and email sorting tools, while discussions covered Luxembourg's AI testing landscape, compliance evaluation, responsible AI, and cybersecurity. The session closed with LuxInnovation and CNPD reflections on key takeaways and next steps.

EDPB 2026 Coordinated Enforcement Action on GDPR Transparency Obligations

The EDPB has launched its 2026 Coordinated Enforcement Framework (CEF) action, focusing on compliance with transparency and information obligations under Articles 12, 13, and 14 of the GDPR. Twenty-five Data Protection Authorities across Europe will participate, conducting enforcement actions or fact-finding exercises to assess controller compliance. Participating DPAs will share findings in the second half of 2026, culminating in a consolidated report submitted to the EDPB for adoption, enabling targeted follow-ups at both national and EU levels.

Children's Online Privacy Code Exposure Draft

The OAIC has published an exposure draft of the Children's Online Privacy Code, establishing new rules requiring agencies and organisations to consider the best interests of children before collecting, using, or disclosing their personal information online. The draft Code introduces consent requirements for targeted advertising directed at children, a right for children to request deletion of their personal information, age-appropriate privacy notices, and notification when parents consent on behalf of children or when geolocation is being tracked. The consultation opens 31 March 2026 and closes 5 June 2026, with the Code intended to be registered by 10 December 2026.

Age Assurance Technologies and Privacy Obligations Guidance

The OAIC has published guidance on age assurance technologies to assist entities in protecting Australians' privacy when implementing online age checks, issued three months after the Social Media Minimum Age scheme commenced. The guidance outlines five core expectations: entities must establish whether age checks are necessary, conduct security due diligence, choose proportionate and data-minimising methods, obtain consent for sensitive information collection, and maintain transparent privacy notices with accessible complaints processes. Failure to meet these obligations may constitute an interference with privacy and trigger compliance or enforcement action under the Privacy Act.

2025 Global Privacy Sweep Finds Rising Privacy Risks for Children Online

The OAIC participated in a Global Privacy Enforcement Network sweep involving 27 authorities examining nearly 900 websites and apps used by children. The sweep found that 71% of platforms lacked child-specific protective controls, 72% of age assurance measures could be circumvented, and data collection increased compared to 2015. The OAIC is developing a Children's Online Privacy Code under the Privacy and Other Legislation Amendment Act 2024, with an Exposure Draft scheduled for a 60-day public consultation beginning 31 March 2026.

DHSC Ambulance Review FOIA Decision - Legal Privilege and Personal Data

The Information Commissioner's Office has issued a decision notice concerning a Freedom of Information Act complaint against the Department of Health and Social Care regarding its handling of a request for information about the appointment of NHS England to lead the North East Ambulance Service review. The ICO found that DHSC communicated all non-exempt information it holds, that section 42(1) legal professional privilege was not properly engaged, but that section 40(1) personal data exemption was correctly applied. The ICO also found no breach of section 16(1) advice and assistance obligations.

Secretary of State for Defence - Intelligence Services Bill File Withheld, Exemption Upheld

The Information Commissioner's Office issued a decision notice dated 26 March 2026 regarding a freedom of information complaint against the Ministry of Defence. The complainant requested a copy of file DEFE 68/1153: Intelligence Services Bill, which the MOD withheld under section 23(1) of FOIA (security bodies exemption). The ICO upheld the MOD's exemption decision, finding that the requested file is exempt from disclosure under section 23(1) of FOIA. This decision concludes the ICO's review of the complaint without requiring any additional disclosure.