702 changes Data Privacy & Cybersecurity
Data Protection Commission 2024 Annual Report
The Data Protection Commission (DPC) has published its 2024 Annual Report, detailing €652 million in administrative fines issued, including significant penalties against Meta and LinkedIn. The report also highlights the conclusion of numerous inquiries and breach notifications.
DPC Fines CDETB €125,000 for GDPR Data Breach
The Irish Data Protection Commission (DPC) has fined the City of Dublin Education and Training Board (CDETB) €125,000 for a GDPR data breach. The inquiry found CDETB infringed multiple GDPR articles related to security measures, breach notification to the DPC, and notification to data subjects.
DPC Inquiry into TikTok Data Transfers to China
The Irish Data Protection Commission (DPC) has opened an inquiry into TikTok Technology Limited regarding the transfer of EEA users' personal data to servers in China. This follows TikTok's admission that limited data was stored in China, contrary to previous evidence provided to the DPC.
Data Protection Commission Opens Inquiry into Children's Health Ireland
The Data Protection Commission (DPC) has opened a formal inquiry into Children's Health Ireland (CHI) concerning the security of children's health records at Tallaght University Hospital. The inquiry follows protected disclosures and a breach notification, and will examine CHI's GDPR compliance regarding physical data security.
CJEU Rules Pre-Ticked Checkboxes Invalid for Cookie Consent
The European Court of Justice (CJEU) ruled that pre-ticked checkboxes are invalid for obtaining cookie consent. This decision, welcomed by data protection authorities, clarifies that active user behavior is required for valid consent regarding data processing.
Bundestag Strengthens Data Protection Authority
The German Bundestag's Budget Committee has allocated an additional 67 posts to the Federal Commissioner for Data Protection and Freedom of Information (BfDI) for the upcoming year. This funding aims to enhance supervision of security authorities, support new digitalization tasks in the health sector, and improve international cooperation.
BfDI Fines 1&1 Telecom EUR 9.55M and Rapidata EUR 10k under GDPR
Germany's Federal Commissioner for Data Protection and Freedom of Information (BfDI) has fined 1&1 Telecom GmbH EUR 9.55 million for insufficient technical and organizational measures to protect customer data and Rapidata GmbH EUR 10,000 for failing to appoint a data protection officer. These actions underscore the enforcement of GDPR provisions.
EDPB Agrees on GDPR Evaluation and Suggests Cooperation Improvements
The European Data Protection Board (EDPB) has agreed to contribute to the European Commission's evaluation of the GDPR. The EDPB suggests improvements in cooperation between data protection authorities and revisions to standard contractual clauses for data transfers.
ECJ Invalidates Privacy Shield, Impacts International Data Transfers
The European Court of Justice (ECJ) has declared the EU-US Privacy Shield invalid, impacting international data transfers. The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) stated that companies and authorities can no longer rely on the Privacy Shield for data exchange with the USA, requiring special safeguards and adherence to fundamental rights.
France Travail fined €5 million for data security breach
The CNIL has fined FRANCE TRAVAIL (formerly Pôle Emploi) €5 million for failing to implement adequate security measures to protect job seeker data, following a hack in early 2024. The fine addresses inadequate technical and organizational measures, including weak authentication and logging.
CNIL Work Programme 2026-2028 on Data Economy
The CNIL has published its work programme for 2026-2028, focusing on understanding data-related business models and measuring the economic impact of its decisions. The programme aims to deepen expertise in data protection's economic implications and contribute to public debate on the data economy.
CNIL Annual Report: 2025 Fines and Sanctions
The CNIL reported imposing €486.8 million in fines and 83 sanctions in 2025, primarily for violations related to cookies, employee monitoring, and data security. The report details 143 compliance orders and 31 reminders of legal obligations issued during the year.
EDPB Guidelines on Article 48 GDPR
The European Data Protection Board (EDPB) has published final guidelines on Article 48 of the GDPR, concerning the recognition of judgments and decisions of public authorities of third countries. These guidelines clarify the conditions under which such judgments can be relied upon for international data transfers.
EDPB Consultation on DSA and GDPR Interplay Guidelines
The European Data Protection Board (EDPB) has opened a public consultation on its draft Guidelines 3/2025 concerning the interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR). The consultation period is open until October 31, 2025.
EDPB Joint Guidelines on DMA and GDPR Public Consultation
The European Data Protection Board (EDPB) and the European Commission have opened a public consultation on their Joint Guidelines concerning the interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). Interested parties are invited to submit comments by December 4, 2025.
EDPB GDPR Compliance Templates Consultation
The European Data Protection Board (EDPB) has launched a public consultation to gather ideas for developing ready-to-use GDPR compliance templates for organizations. The consultation seeks input on the most useful template types and closes on December 3, 2025.
EDPB Consultation on User Accounts for E-commerce Websites
The European Data Protection Board (EDPB) has launched a public consultation on its Recommendations 2/2025 concerning the legal basis for requiring user accounts on e-commerce websites. The consultation is open for comments until February 12, 2026.
EDPB Public Consultation on Processor Binding Corporate Rules
The European Data Protection Board (EDPB) has launched a public consultation on its Recommendations 1/2026 concerning Processor Binding Corporate Rules. The consultation is open until March 2, 2026, and aims to gather feedback on the application, elements, and principles for these rules under GDPR.
S-Bank Fined EUR 1.8 Million for GDPR Violations
The European Data Protection Board reports that the Finnish Supervisory Authority has fined S-Bank EUR 1.8 million for GDPR violations related to a data security vulnerability. The bank failed to implement adequate safeguards, leading to a personal data breach affecting a significant proportion of its customers.
EDPB Strengthens Global Data Protection Cooperation
The European Data Protection Board (EDPB) held a meeting with Data Protection Authorities from countries and organizations with an EU adequacy decision to strengthen global data protection cooperation. This follows up on a previous meeting in October 2024 and focuses on sharing information and experiences in international data protection enforcement.
EDPB/EDPS Support AI Act Streamlining with Stronger Safeguards
The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have issued a joint opinion on the EU Commission's proposal to streamline the AI Act. While supporting administrative simplification, they urge stronger safeguards to protect fundamental rights and advise against removing the registration obligation for high-risk AI systems.
EDPB Conference on Cross-Regulatory Cooperation
The European Data Protection Board (EDPB) is hosting a conference on March 17, 2026, in Brussels to discuss cross-regulatory cooperation from a data protection perspective. Registration is open until February 26, 2026.
EDPB/EDPS Joint Opinion on Digital Omnibus Regulation Proposal
The EDPB and EDPS have issued a joint opinion on the Digital Omnibus Regulation proposal, supporting simplification efforts while raising concerns about proposed changes to the GDPR's definition of personal data. They also welcome increased data breach notification thresholds and deadlines.
ICO Decision Notice: Cabinet Office FOI Request Breach
The UK's Information Commissioner's Office (ICO) has issued a decision notice regarding a Freedom of Information (FOI) request made to the Cabinet Office. The ICO upheld a complaint that the Cabinet Office breached FOI rules by failing to respond to a request within the statutory 20-working-day period.
ICO Decision Notice: UWE must disclose construction expenditure
The UK's Information Commissioner's Office (ICO) issued a decision notice against the University of the West of England (UWE). UWE is required to disclose construction expenditure information within 30 days, as the ICO found their refusal to be unlawful under the Environmental Information Regulations (EIR).
Frimley Health NHS Trust FOI Request Upheld
The ICO has upheld a Freedom of Information (FOI) request against Frimley Health NHS Foundation Trust for failing to respond within the statutory 20 working days. The Trust is now required to respond to the complainant within 30 calendar days.
ICO Upholds Lambeth Council's Refusal on Information Request
The ICO has upheld Lambeth Council's refusal of one information request under the Environmental Information Regulations (EIR) 11(2) and 5(2). However, the Council breached EIR 5(2) by failing to respond within 20 working days and EIR 11(2) by not completing an internal review.
ICO Upholds Complaint Against Birmingham City Council for Delayed Planning Information
The UK's Information Commissioner's Office (ICO) has upheld a complaint against Birmingham City Council for failing to provide planning information within the statutory 20-working-day timeframe. The ICO found the council in breach of the Environmental Information Regulations (EIR).
ICO Updates UK GDPR International Transfer Guidance
The UK's Information Commissioner's Office (ICO) has updated its guidance on international personal data transfers under UK GDPR. The revised guidance aims to simplify compliance for businesses by introducing a 'three step test' and clarifying complex areas.
ICO Fines Two Companies £225,000 for Nuisance Marketing
The UK's Information Commissioner's Office (ICO) has fined Allay Claims Ltd and ZMLUK Limited a total of £225,000 for sending millions of unsolicited marketing messages. Allay Claims was fined £120,000 for unlawful text messages, and ZMLUK Limited received a £105,000 fine for unlawful marketing emails.
ICO Investigates Grok AI for Non-Consensual Imagery
The UK's Information Commissioner's Office (ICO) has opened a formal investigation into X Internet Unlimited Company and X.AI LLC regarding their Grok AI system. The investigation will assess compliance with data protection laws concerning the potential generation of non-consensual sexual imagery, including of children.
ICO Reprimands GP Surgery for Excessive Medical Data Disclosure
The UK's Information Commissioner's Office (ICO) has reprimanded Staines Health Group for sending 23 years of a terminally ill patient's medical records directly to an insurer, instead of the requested five years to the patient. The ICO cited a lack of written processes and inadequate training as contributing factors.
ICO Fines MediaLab £247,590 for Children's Privacy Failures
The UK's Information Commissioner's Office (ICO) has fined MediaLab, owner of Imgur, £247,590 for unlawfully processing children's personal data. The investigation found MediaLab failed to implement age checks and obtain parental consent, putting children at risk of exposure to harmful content.
FTC Warns Data Brokers on PADFAA Compliance
The FTC has warned 13 data brokers about their obligations under the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA). The letters remind companies that selling sensitive personal data to foreign adversaries is prohibited and violations could result in civil penalties of up to $53,088 per violation.
EDPB Rules of Procedure for Informal Panel of EU DPAs
The European Data Protection Board (EDPB) has published its Rules of Procedure for the informal panel of EU Data Protection Authorities (DPAs) concerning the EU-US Data Privacy Framework. This guidance outlines the operational framework for the DPAs in their oversight of the framework.
EDPB Opinion on Dutch SA's draft decision on ABB Group rules
The European Data Protection Board (EDPB) has issued Opinion 4/2026 regarding a draft decision by the Dutch Supervisory Authority concerning ABB Group's Binding Corporate Rules (BCRs). This opinion addresses the international transfer of data and the adequacy of ABB's proposed rules.
EDPB Opinion on Dutch Authority's Draft Decision for FrieslandCampina
The European Data Protection Board (EDPB) has issued Opinion 3/2026 regarding a draft decision by the Dutch Data Protection Authority concerning FrieslandCampina's Binding Corporate Rules (BCRs). This opinion addresses international data transfers and compliance with GDPR.
EDPB Opinion on Dutch Supervisory Authority's AkzoNobel Group Decision
The European Data Protection Board (EDPB) has adopted an opinion regarding a decision by the Dutch Supervisory Authority concerning AkzoNobel Group's Binding Corporate Rules (BCRs). This opinion addresses international data transfers and compliance with GDPR.
EDPB Opinion on Heineken Group BCR Draft Decision
The European Data Protection Board (EDPB) has issued Opinion 1/2026 regarding a draft decision by the Dutch Supervisory Authority concerning Heineken Group's Binding Corporate Rules (BCRs). This opinion addresses the international transfer of data under GDPR.
ICO Guidance on Subject Access Requests
The UK Information Commissioner's Office (ICO) has published guidance on subject access requests (SARs) under GDPR. The guidance is aimed at large businesses in the public, private, and third sectors, with resources also available for small businesses.
ICO Guidance on Individual Rights and GDPR
The UK's Information Commissioner's Office (ICO) has updated its guidance on individual rights under GDPR. This update is in anticipation of the Data (Use and Access) Act 2025 and indicates that further changes may occur. The guidance is primarily aimed at large businesses.
ICO Guidance on Lawful Basis for Personal Data Processing
The UK's Information Commissioner's Office (ICO) has updated its guidance on the lawful basis for processing personal data. This guidance is under review due to upcoming legislation, the Data (Use and Access) Act 2025, and may be subject to change.
UK GDPR: Controllers and Processors Definitions and Responsibilities
The UK's Information Commissioner's Office (ICO) has updated its guidance on definitions and responsibilities for data controllers and processors under UK GDPR. This update is in anticipation of the Data (Use and Access) Act 2025 and is suitable for large businesses, with resources also available for small businesses.
ICO Guidance on UK GDPR International Data Transfers
The UK's Information Commissioner's Office (ICO) has published updated guidance on international transfers of personal data under UK GDPR. The guidance consolidates information on adequacy regulations, appropriate safeguards, transfer risk assessments, and exceptions for restricted transfers.
FTC Sending $22.8 Million to Consumers for Deceptive Real Estate Schemes
The FTC is returning nearly $23 million to 1,659 consumers who were defrauded by deceptive real estate schemes, specifically Sanctuary Belize and Kanantik. This second distribution includes checks averaging $16,462 for Sanctuary Belize investors and $6,346.39 for Kanantik investors.
FTC Settlement with Express Scripts to Lower Drug Costs
The FTC has secured a settlement with Express Scripts, Inc. (ESI), a major pharmacy benefit manager, requiring significant changes to its business practices. These changes are projected to lower drug costs for patients by up to $7 billion over 10 years and increase revenue for community pharmacies.
FTC ANPRM on Rental Housing Fees Submitted to OMB
The FTC has submitted a draft Advance Notice of Proposed Rulemaking (ANPRM) concerning fees in the rental housing market to the Office of Management and Budget (OMB) for review. This action signals the agency's intent to potentially create new rules to address deceptive or unfair fees charged to renters.
FTC Draft Rulemaking on Negative Option Plans Submitted for Review
The FTC has submitted a draft Advance Notice of Proposed Rulemaking (ANPRM) concerning its Negative Option Rule to the Office of Management and Budget (OMB) for review. This action indicates the agency is considering potential revisions or new regulations related to negative option plans, which are common in subscription services.
FTC Warns 42 Law Firms on Anticompetitive DEI Hiring Practices
The FTC has issued warning letters to 42 law firms regarding potentially anticompetitive employment practices related to Diversity, Equity, and Inclusion (DEI) hiring. The firms, which participated in the Mansfield Certification program, are cautioned that coordinating on candidate pools or sharing pay information may violate antitrust laws.
ICO Enforcement Actions
The UK's Information Commissioner's Office (ICO) has published a list of its enforcement actions, including monetary penalties, prosecutions, and reprimands. This page serves as a central repository for these actions across various sectors.