702 changes Data Privacy & Cybersecurity

Favicon for ago.vermont.gov

Baltimore Medical System Data Breach Notice to Consumers

Baltimore Medical System, Inc. filed a security breach notice with the Vermont Attorney General's Office on April 2, 2026, notifying consumers of a data breach involving personal information. The notice was posted to the AG's public Security Breach Notices registry as required under Vermont law. Affected Vermont residents are advised to take protective steps.

Routine Notice Data Privacy
Favicon for ico.org.uk

South Wonston Parish Council, FOI 14, Not upheld

The ICO has upheld South Wonston Parish Council's reliance on section 14(1) of FOIA, finding the complainant's financial information request was vexatious. The decision, dated 1 April 2026, concludes the council was entitled to refuse the request and is not required to take any steps. The complainant may appeal this decision to the First-tier Tribunal within 28 days.

Routine Notice Data Privacy
Favicon for ico.org.uk

University of York FOIA Complaint - Not Upheld

The Information Commissioner's Office issued a Decision Notice finding that the University of York correctly handled a Freedom of Information request for professional emails between four named staff members. The university disclosed responsive information while withholding some third-party personal data under section 40(2) FOIA. The Commissioner determined the university does not hold further information within scope and that the exemption was properly applied. No remedial steps are required.

Routine Notice Data Privacy
Favicon for ico.org.uk

London Borough of Redbridge selective landlord notices, FOI partly upheld

ICO issued Decision Notice IC-464099-P6J1 on 31 March 2026, partially upholding a Freedom of Information complaint against London Borough of Redbridge. The Council had withheld selective landlord licence notice names and contents under FOIA Section 40(2) (personal data), but the ICO determined only some information qualifies for exemption. The Council must now reconsider disclosure of certain withheld details.

Priority review Enforcement Data Privacy
Favicon for ico.org.uk

Crown Estate FOIA Section 40(2) Personal Data Exemption Upheld

The ICO issued a Decision Notice finding that The Crown Estate properly relied on FOIA section 40(2) (personal information) to withhold the name of a staff member occupying premises at East Lodge, Sunninghill Park. The Crown Estate had provided a copy of the lease but refused to identify the staff member, citing sections 40(2), 38(1), 41, and 43(2) of FOIA. The ICO upheld only the section 40(2) exemption, finding it sufficient grounds for withholding the personal data without needing to consider the other exemptions.

Priority review Enforcement Data Privacy
8d ago Austria DSB News
Favicon for www.dsb.gv.at

Austrian Data Protection Authority publishes 2025 Activity Report

The Austrian Data Protection Authority (DSB Austria) published its 2025 Activity Report (Tätigkeitsbericht 2025), renamed from the prior 'Datenschutzbericht' title. The report covers the authority's enforcement activity, complaints handled, investigations concluded, and regulatory decisions issued during 2025. Austrian businesses, public bodies, and data protection officers should review the report to understand DSB Austria's enforcement priorities and emerging compliance expectations.

Routine Notice Data Privacy
Favicon for ico.org.uk

Staffordshire Police FOI Request - Fresh Response Ordered

The ICO upheld a complaint against Staffordshire Police under the Freedom of Information Act 2000. The ICO found that the force failed to conduct adequate searches for information requested by a complainant who sought specific correspondence. The ICO has ordered Staffordshire Police to issue a fresh response following proper searches aimed at identifying all information within scope.

Routine Enforcement Data Privacy
Favicon for ico.org.uk

UK Export Finance EIR Commercial Interests Exemption Decision

The Information Commissioner's Office issued a Decision Notice in case IC-403066-Y4P3 regarding a complaint against UK Export Finance. The complainant requested information about project financing, and UK Export Finance withheld certain information citing regulation 12(5)(a) of the Environmental Information Regulations. The ICO determined that UK Export Finance correctly applied the commercial interests exemption, and no further action is required.

Routine Notice Data Privacy
Favicon for ico.org.uk

Hackney Council EIR Procedural Breaches Decision

The ICO issued a Decision Notice against London Borough of Hackney Council finding breaches of the Environmental Information Regulations. The Council failed to issue proper refusal notices under regulation 14(2) and failed to conduct internal reviews under regulation 11(2) when handling a request about the Future Shoreditch Area Action Plan. While the Council's reliance on regulation 12(4)(b) to refuse the request was upheld as valid, procedural failures constitute regulatory breaches.

Priority review Enforcement Environmental Protection
Favicon for ico.org.uk

Cheltenham Borough Council - Information Not Held (EIR 12(4)(a))

The ICO issued a Decision Notice finding that Cheltenham Borough Council did not act incorrectly in refusing an Environmental Information Regulations request for details about a potential loan for the Minster Exchange development project. The Commissioner determined that on the balance of probabilities, the requested information is not held by the council, allowing it to rely on regulation 12(4)(a) to refuse the request.

Routine Notice Data Privacy
Favicon for ico.org.uk

London Borough of Redbridge - Councillor Property FOIA Decision

The ICO issued a Decision Notice regarding a Freedom of Information complaint against the London Borough of Redbridge. The ICO upheld the council's refusal to disclose addresses of rental properties owned by a former councillor under section 44(1)(a) (statutory prohibition). However, the ICO determined the council incorrectly withheld related correspondence under section 40(2) (personal data), meaning that material must now be disclosed.

Routine Notice Data Privacy
Favicon for ico.org.uk

Carmarthenshire Council, EIR 5(2) breach, statutory response failure

Routine Notice
Favicon for ico.org.uk

London Borough of Waltham Forest - FOIA Section 10 Breach

The ICO upheld a complaint against London Borough of Waltham Forest for failing to respond to a Freedom of Information request within the statutory 20-working-day timeframe, in breach of section 10 of FOIA. The authority must now provide a substantive response to the request and comply with its statutory obligations.

Priority review Enforcement Data Privacy
Favicon for ico.org.uk

Northamptonshire Police FOI Complaint Upheld - Fresh Response Ordered

The ICO issued a Decision Notice finding Northamptonshire Police partially non-compliant with Freedom of Information Act obligations. The police must issue a fresh response to Q5 of the complainant's request regarding Developed Vetting information, either confirming/denying whether information is held and disclosing it or issuing a compliant refusal notice under section 17. The ICO dismissed the challenge regarding Q4 where section 21 exemption was correctly applied.

Routine Enforcement Data Privacy
Favicon for ico.org.uk

Met Police NCND Deceased Nazi, Security Exemption Upheld

The ICO issued a Decision Notice upholding the Metropolitan Police Service's refusal to confirm or deny holding information about a deceased Nazi sympathiser under FOIA section 23(5) (security bodies). The ICO found the MPS correctly applied the neither-confirm-nor-deny response, protecting sensitive national security and law enforcement information from disclosure.

Priority review Enforcement Data Privacy
Favicon for ico.org.uk

Cabinet Office FOI Complaint Not Upheld - No Information Held

The Information Commissioner's Office investigated a Freedom of Information complaint against the Cabinet Office regarding a request for information about 'smashed gangs'. The Cabinet Office stated it did not hold information within scope of the request. The ICO upheld this position, finding no further steps required as the Cabinet Office's response complied with its obligations.

Routine Notice Data Privacy
Favicon for ico.org.uk

DAERA Fish Kill Protocol Withheld - Internal Review Timeliness Breach

The ICO issued a decision finding that DAERA was entitled to withhold a fish kill protocol under EIR 12(5)(g) (environmental protection) and EIR 13 (personal data). However, the ICO found that DAERA breached EIR 11(4) by not completing its internal review within the required timeframe. No further steps were required.

Routine Enforcement Data Privacy
Favicon for ico.org.uk

Department for the Economy - EIR 14 Procedural Breach Finding

The ICO issued a Decision Notice finding that the Department for the Economy breached regulation 14(3) of the Environmental Information Regulations by failing to specify the exception(s) applied in its initial refusal notice. The Department was entitled to withhold commercial interests information under EIR 12(5)(e). No remedial steps are required.

Routine Enforcement Data Privacy
Favicon for ico.org.uk

Brent EIR Complaint Dismissed Over Bobby Moore Bridge

The Information Commissioner's Office dismissed a complaint against London Borough of Brent regarding an Environmental Information Regulations request. The complainant sought information about the awarding of an advertising contract concerning the Bobby Moore Bridge. The ICO found that the council was entitled to withhold the information under regulation 12(4)(e) (internal communications exception) and that the public interest favoured maintaining the exception. No further action is required from the council.

Routine Notice Data Privacy
Favicon for ico.org.uk

EIR Complaint Against Croydon Council Upheld

ICO has upheld a complaint under the Environmental Information Regulations against London Borough of Croydon. The Council failed to respond to an information request within the statutory 20 working day period. The ICO requires the Council to provide a response to the complainant within 30 calendar days of the decision.

Priority review Enforcement Government Administration
Favicon for ico.org.uk

FOI complaint - Council breached section 17

The ICO issued a Decision Notice against Blackburn with Darwen Borough Council finding a breach of FOIA section 17 for failing to issue a timely refusal notice within 20 working days. The council was entitled to withhold information under section 40(2) but failed proper procedure. No further steps required.

Priority review Enforcement Data Privacy
Favicon for ico.org.uk

BBC FOI Request for Celebrity Salaries Not Upheld

The Information Commissioner's Office issued a decision notice finding in favour of the BBC regarding a Freedom of Information Act request for celebrity salaries from the 2025 series of The Celebrity Traitors. The ICO determined that any salary information held by the BBC would be exempt from disclosure as it was held for journalism, art, or literature purposes. The ICO upheld the BBC's position and requires no remedial action.

Routine Enforcement Data Privacy
Favicon for ico.org.uk

HMT Labour Together FOIA Request Not Upheld

The ICO issued a decision notice finding that HM Treasury (HMT) did not violate FOIA by stating it does not hold information about meetings between HMT officials and Labour Together. However, the ICO found that HMT breached section 10(1) of FOIA by failing to respond to the request within the statutory 20 working days, as clarification was not sought until 16 January 2025 for a request made on 7 November 2024. The ICO requires no remedial steps to be taken.

Priority review Enforcement Data Privacy
Favicon for ico.org.uk

Cheshire East Council, procurement bids withheld, FOI 43(2) not upheld

Routine Notice
Favicon for cppa.ca.gov

DROP Audits Preliminary Comment Period - Data Broker Regulations

The California Privacy Protection Agency (CPPA) announced preliminary rulemaking activities regarding Delete Request and Opt-out Platform (DROP) audits for data brokers under CalPrivacy. The agency is accepting preliminary written comments through May 7, 2026 at 5:00 PM PT to inform potential future regulations. Comments received are public records and may be included in future rulemaking packages.

Priority review Consultation Data Privacy
8d ago IAPP Privacy News
Favicon for iapp.org

Buenos Aires Decree 97/26 Promotes AI in Public Sector

Marval, O'Farrell & Mairal analyzed Buenos Aires Decree 97/26, which promotes AI adoption across the public sector of the Ciudad Autónoma de Buenos Aires. The decree positions AI as a strategic tool for administrative efficiency, public service delivery, and digital transformation, citing existing implementations in education including teacher training programs and student access initiatives.

Routine Notice Artificial Intelligence
8d ago IAPP Privacy News
Favicon for iapp.org

CFM Resolution 2.454/2026 AI Governance Standards for Brazilian Medicine

CFM 2.454/2026 establishes AI governance for Brazil healthcare

Routine Notice Healthcare
8d ago IAPP Privacy News
Favicon for iapp.org

Chile's LPDP Impacts Mergers and Acquisitions Analysis

Deloitte Legal analyzed Chile's Ley 21.719 on Personal Data Protection (LPDP), effective Dec. 1, 2026, and its implications for M&A transactions. The LPDP introduces maximum fines of 20,000 UTM (approximately USD 1.6 million) and establishes the Personal Data Protection Agency with investigative and corrective powers. The analysis draws parallels to GDPR's structural impact on European capital markets, noting that inadequate data handling in target companies can reduce acquisition prices by hundreds of millions of dollars.

Routine Notice Data Privacy
Favicon for cnpd.public.lu

CNPD Attends IAPP Global Summit 2026 Washington DC

The Luxembourg data protection authority (CNPD) announced its participation in the IAPP Global Summit 2026 held in Washington, DC from March 30 to April 2, 2026. CNPD President Tine A. Larsen represented Luxembourg at the gathering, which convened 42 data protection authorities, US privacy officials, federal representatives, Congressional members, and FTC commissioners. The summit addressed data protection priorities, the US legislative agenda, and international cooperation frameworks.

Routine Notice Data Privacy
Favicon for www.aepd.es

ARTURO ACOSTA S.L. v. AEPD - Right to Erasure Enforcement Appeal Dismissed

The AEPD dismissed the appeal filed by ARTURO ACOSTA S.L. (NIF: B38094249) against enforcement resolution EXP202512014 (PD/00238/2025), which had upheld a data subject's GDPR erasure complaint. The company argued it could not suppress data because returned devices were factory-restored, but the AEPD upheld the original ruling based on the company's failure to timely respond to the erasure request and lack of documented proof of compliance. The DPA rejected claims of bad faith by the claimant and proportionality violations by the company.

Priority review Enforcement Data Privacy
Favicon for www.aepd.es

GDPR Appeal Dismissed as Late - Administrative Procedure

The Spanish Data Protection Agency (AEPD) issued Resolution EXP202407584 dismissing a recurso de reposición (administrative appeal) as extemporaneous. The appellant filed the appeal on February 27, 2026, exceeding the one-month deadline from the January 26, 2026 notification of the original resolution. The AEPD found no grounds to admit the late-filed appeal under Article 116.d of the LPACAP.

Routine Enforcement Data Privacy
Favicon for www.aepd.es

Vodafone Spain €200k GDPR Fine Appeal Dismissed

AEPD dismissed Vodafone Spain's appeal against a €200,000 GDPR fine originally issued on 10 January 2026 for violations of Article 6.1 of the GDPR. The enforcement action arose from Vodafone's processing of a SIM card duplicate request without adequate identity verification, allowing a third party to obtain the claimant's SIM card by first modifying the account email. The DPA upheld the fine, finding Vodafone failed to follow its own security policies requiring verification calls or requests from linked phone lines.

Urgent Enforcement Data Privacy
Favicon for idpc.org.mt

GDPR Article 15 Subject Access Request Complaint Assessment

The IDPC assessed a complaint under Article 77 GDPR regarding alleged failures by a controller to respond completely to two subject access requests made in August 2019 and May 2025. The complainant alleged the controller omitted key categories of personal data including employment-related correspondence, salary progression records, and Industrial Tribunal-related data. The Commissioner found the 2019 allegations inadmissible due to an approximately six-year delay between the access request and the complaint filing, which materially impaired the ability to investigate the matter with certainty.

Priority review Enforcement Data Privacy
Favicon for coag.gov

Baron Property Services Settlement for Renters Insurance and Criminal Record Violations

The Colorado Attorney General reached a settlement with Baron Property Services, LLC requiring the company to pay $75,000 total for violations of the Colorado Consumer Protection Act and Rental Application Fairness Act. The settlement includes $7,300 in restitution to 368 tenants improperly charged duplicate renters insurance fees and $67,635 in civil penalties. Baron has also agreed to comply with both statutes going forward and refrain from misrepresenting renters insurance requirements or improperly using criminal records in rental decisions.

Urgent Enforcement Consumer Protection
13d ago IAPP Privacy News
Favicon for iapp.org

California Higher CCPA Fines Age Assurance Enforcement Ramp-up

California Privacy Protection Agency and state attorneys general indicated increased enforcement activity at IAPP Global Summit 2026. CalPrivacy is considering higher CCPA fines following $4 million in total settlements from five cases. The California AG's office is preparing rulemaking on age verification requirements under the Protecting Our Kids from Social Media Addiction Act. Enforcement priorities include data minimization and purpose limitation principles.

Priority review Notice Data Privacy
13d ago IAPP Privacy News
Favicon for iapp.org

Draft Children's Online Privacy Code for Online Services

Australia's OAIC released an exposure draft of the Children's Online Privacy Code, proposing new obligations for online services to protect children's data. The code requires consent before targeted advertising using children's data, grants children rights to request data deletion, and mandates notifications when parents consent on behalf of children or when geolocation is being tracked. Public consultation runs for 60 days, with the code set to become law in December 2026.

Priority review Consultation Data Privacy
13d ago IAPP Privacy News
Favicon for iapp.org

Mass Disclosure of Personal Data and Privacy Lessons from Slovakia and the EU

IAPP published an analysis examining EU court decisions on data disclosure requirements. The analysis covers Slovakia's Constitutional Court striking down an NGO donor disclosure law, CJEU rulings invalidating public access to Ultimate Beneficial Owner registries (C-37/20, C-601/20), and annulment of the Data Retention Directive (C-293/12, C-594/12). The piece emphasizes that blanket transparency obligations must be proportionate to privacy rights.

Routine Notice Data Privacy
Favicon for www.pcpd.org.hk

Doxxing Arrest Under PDPO Section 64(3A)

The Office of the Privacy Commissioner for Personal Data (PCPD) arrested a 45-year-old male in Hong Kong's New Territories for suspected doxxing of a female friend under section 64(3A) of the Personal Data (Privacy) Ordinance (PDPO). The suspect allegedly disclosed personal data including the victim's name, Hong Kong Identity Card number, residential address, mobile phone number, and photo without consent. Maximum penalties under section 64(3C) include a fine of HK$1,000,000 and imprisonment for five years.

Routine Enforcement Data Privacy
15d ago ICO News & Blogs
Favicon for ico.org.uk

Joint Taskforce on Motor Finance Claims

The ICO, FCA, SRA, and ASA have formed a joint taskforce to address poor handling of motor finance claims by claims management companies (CMCs) and law firms. The ICO specifically commits to enforcing consent requirements for unsolicited direct marketing under PECR. This is a coordinated regulatory response to harmful practices in the motor finance claims sector.

Priority review Notice Consumer Protection
16d ago Luxembourg CNPD News
Favicon for cnpd.public.lu

European Complaint Handling Workshop on GDPR Cooperation

CNPD Luxembourg hosted a 3-day European workshop (March 25-27, 2026) on data protection complaint handling, bringing together representatives from the EDPB and 24 EU data protection authorities. The workshop focused on harmonizing complaint handling procedures under the GDPR through shared best practices.

Routine Notice Data Privacy
16d ago Luxembourg CNPD News
Favicon for cnpd.public.lu

Guide on Recording Workplace Meetings Legally

CNPD Luxembourg published thematic guidance clarifying the legality of audio recording workplace meetings in the private sector. The guide addresses frequently asked questions about using recordings to facilitate minute-taking and ensure accurate transcription of discussions. This guidance applies to companies, associations, and private organizations but explicitly excludes public sector entities.

Routine Guidance Data Privacy
16d ago Luxembourg CNPD News
Favicon for cnpd.public.lu

CNPD Sponsors EschTechWeek 2026 AI Event in Esch-sur-Alzette

The Luxembourg Commission nationale pour la protection des données (CNPD) sponsored EschTechWeek 2026, held March 23-28, 2026 in Esch-sur-Alzette. As an official sponsor, the CNPD participated in activities including a mock Tech Supreme Court on AI ethics, a youth workshop on AI risks and promises, and a facility tour highlighting its data protection mission. The event focused on responsible AI development and digital trust.

Routine Notice Data Privacy
Favicon for www.pcpd.org.hk

AI Security and Cybersecurity Summit for Enterprises

The Privacy Commissioner for Personal Data Hong Kong and HKIRC co-hosted an AI Security and Cybersecurity Summit on March 31, 2026, attracting over 620 corporate representatives. Government officials delivered opening remarks on Hong Kong's AI development strategy and governance framework, including the Ethical Artificial Intelligence Framework and Generative AI Technical Guideline.

Routine Notice Data Privacy
Favicon for www.pcpd.org.hk

Information Leaflet on eHealth Patient Data Privacy for Healthcare Professionals

The Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong published an information leaflet to assist healthcare providers and professionals in complying with the Personal Data (Privacy) Ordinance (PDPO) when handling patient data through the eHealth System. The leaflet covers requirements for data collection, accuracy, security, direct marketing prohibitions, and data access requests, with practical guidance and recommended good practices.

Routine Guidance Data Privacy
Favicon for www.regulations.gov

Proposed FOIA and Privacy Act Regulations

The Office of the National Cyber Director (ONCD) published a notice of proposed rulemaking establishing its first Freedom of Information Act (FOIA) and Privacy Act regulations. These regulations will govern ONCD's procedures for processing public records requests and handling personal data under the Privacy Act. Public comments are accepted until May 15, 2026.

Routine Consultation Data Privacy
Favicon for www.aepd.es

GDPR Appeal Inadmitted - Complainant Lacks Standing

The AEPD issued Resolution EXP202500572 declaring a recurso de reposición inadmissible because the appellant, as a mere complainant under Article 77.2 GDPR, lacked the legal standing to appeal. The decision cites Supreme Court precedent establishing that complainants have neither subjective rights nor legitimate interests in obtaining sanctions against those they denounce.

Routine Enforcement Data Privacy
Favicon for www.federalregister.gov

First FOIA and Privacy Act Regulations

The Office of the National Cyber Director (ONCD) has released its first proposed Freedom of Information Act (FOIA) and Privacy Act regulations for public comment. The regulations establish ONCD's procedures for processing FOIA requests and managing Privacy Act records. Comments on the proposed rule are due May 15, 2026.

Routine Consultation Data Privacy
16d ago Luxembourg CNPD News
Favicon for cnpd.public.lu

CNPD and Luxembourg AI Factory Host RE.M.I. AI Session

The CNPD and Luxembourg AI Factory co-hosted a RE.M.I. (Regulation Meets Innovation) plenary session at Belval on March 17, 2026, bringing together researchers, regulators, businesses, and innovation support organizations. The event featured presentations on deepfake detection, AI Act transparency obligations, and concrete AI applications in road safety, along with updates from working groups developing tools for model selection, note-taking, and email sorting.

Routine Notice Artificial Intelligence
Favicon for www.cnil.fr

EDPB Coordinated Enforcement Framework 2026 Transparency Action

The European Data Protection Board (EDPB) launched its 2026 Coordinated Enforcement Framework (CEF) action, focusing on compliance with GDPR transparency and information obligations under Articles 12, 13, and 14. Twenty-five Data Protection Authorities (DPAs) across Europe will conduct enforcement actions and fact-finding exercises targeting data controllers from various sectors throughout 2026, with findings to be consolidated in an EDPB report and followed by targeted enforcement at national and EU levels.

Priority review Enforcement Data Privacy
17d ago OAIC Media Centre
Favicon for www.oaic.gov.au

Global Privacy Sweep Finds Rising Privacy Risks for Children Online

The OAIC published results from the 2025 Global Privacy Enforcement Network sweep, examining 900 websites and apps used by children. The sweep found 59% require email collection, 71% lack child-tailored privacy controls, and 36% lack accessible account deletion. Compared to a 2015 baseline, data collection practices have increased, raising privacy risks for child users.

Routine Notice Data Privacy
