702 changes Data Privacy & Cybersecurity
Age Assurance Technologies and Privacy Obligations Guidance
The OAIC published guidance on age assurance technologies clarifying expectations for entities conducting age checks online. The guidance emphasizes necessity and proportionality, data minimization, transparency, and strong vendor controls. The publication supports compliance with the Social Media Minimum Age scheme and eSafety Age-Restricted Material Codes requirements.
Children's Online Privacy Code Exposure Draft
The Office of the Australian Information Commissioner (OAIC) has published an exposure draft of the Children's Online Privacy Code for public consultation. The draft code introduces new obligations requiring agencies and organisations to consider children's best interests before collecting, using, or disclosing personal information, including requirements for targeted advertising consent and data deletion rights. The 60-day consultation opens March 31, 2026, with the Code expected to take effect in December 2026.
MOD Withheld Intelligence Services Bill File, Exemption Upheld
The Information Commissioner's Office issued a Decision Notice on 26 March 2026 in case IC-393615-M4Q4, upholding the Ministry of Defence's refusal to disclose file DEFE 68/1153 (Intelligence Services Bill) under section 23(1) FOIA. The complainant's challenge was not upheld, and the security bodies exemption was sustained.
Cabinet Office FOIA case, section 36(2)(c) exemption upheld
The Information Commissioner's Office issued a Decision Notice in case IC-373252-Y7J5, finding that the Cabinet Office correctly relied on section 36(2)(c) of the Freedom of Information Act 2000 to withhold information about email addresses directly accessed by or assigned to the Cabinet Secretary. The ICO upheld the exemption citing prejudice to the effective conduct of public affairs. This decision provides guidance on the application of this exemption in FOIA requests involving senior government officials.
FCDO mining FOI cost limit defence upheld
The ICO issued Decision Notice IC-407227-D6N2 upholding the Foreign, Commonwealth & Development Office's refusal of mining-related Freedom of Information requests. The FCDO successfully relied on section 12(2) FOIA (cost limit) and regulation 12(4)(b) EIR (manifestly unreasonable) to refuse the requests. The complaint was not upheld.
Home Office FOIA exemption upheld, late response breach
The Information Commissioner's Office issued a Decision Notice finding that the Home Office correctly withheld information about Palestinian Action under section 35(1)(a) FOIA (formulation or development of government policy), with the public interest favoring the exemption. The ICO also found the Home Office breached section 10 FOIA by failing to respond within 20 working days. No remedial steps required.
DHSC Ambulance Review FOIA Decision - Legal Privilege and Personal Data
The Information Commissioner's Office issued Decision Notice IC-407317-D5F4 regarding a Freedom of Information complaint against the Department of Health and Social Care (DHSC). The ICO found that DHSC properly withheld information under section 40(1) FOIA (personal data exemption) and had communicated all non-exempt information it holds. The legal professional privilege claim under section 42(1) was not upheld, but the information remains exempt under section 40(1). No further steps are required from DHSC.
MOD withheld Falkland invasion file, FOI not upheld
Lambeth Council Ordered to Respond to EIR Request
The ICO issued a decision notice finding that the London Borough of Lambeth failed to respond to an Environmental Information Regulations (EIR) request within the required 20 working days. The ICO ordered the council to provide a response to the complainant within 30 calendar days. This is a binding compliance order under EIR 5(2).
GLA FOI complaint upheld, must respond in 30 days
The Information Commissioner's Office issued a Decision Notice upholding a Freedom of Information Act complaint against the Greater London Authority. The GLA failed to respond to an FOI request within the statutory 20 working day timeframe. The ICO ordered the GLA to provide a complete response to the complainant within 30 calendar days or face further enforcement action.
Public Services Ombudsman for Wales - FOIA Information Request Breach
The ICO issued a decision notice finding that the Public Services Ombudsman for Wales (PSOW) breached section 10(1) of FOIA by failing to acknowledge it held information requested by a complainant. The ICO determined that PSOW did hold the information for FOIA purposes, contradicting PSOW's position. No further action or penalties were required of PSOW.
University of Exeter FOI Section 32(1) Court Records Exemption Decision
The ICO issued a Decision Notice finding that the University of Exeter cannot withhold information related to a First-tier Tribunal appeal under section 32(1) FOIA (court records exemption). The exemption claim was not upheld. The Commissioner does not require further steps from Exeter.
Intesa Sanpaolo fined €31.8M for unauthorized access to 3,500+ clients' banking data
The Italian Data Protection Authority (Garante Privacy) imposed a €31.8 million fine on Intesa Sanpaolo S.p.A. for serious data security deficiencies. The bank failed to implement adequate technical and organizational measures to protect personal data, resulting in unauthorized access to banking information of over 3,500 clients for more than two years.
Breach Notification Letter - Rockland Trust
The Massachusetts Division of Insurance has issued a breach notification letter concerning Rockland Trust, dated March 1, 2026. This document appears to be part of a series of notifications related to data breaches affecting entities within the state.
Brock Built Homes Data Incident Notice
The Massachusetts Executive Office of Health and Human Services has issued a notice regarding a data incident affecting Brock Built Homes. The incident, which occurred between October 17-20, 2025, may have exposed personal information including Social Security numbers and financial details. Brock Built Homes is offering 12 months of free credit monitoring services.
Summit Insurance Data Breach Notification
Summit Insurance Services, Inc. is notifying affected individuals in Massachusetts about a data security incident that occurred between September 18, 2024, and December 2, 2024. The company is offering complimentary credit monitoring and fraud assistance services to mitigate potential harm.
Breach Notification Letter - Rockland Trust
The Massachusetts Attorney General's Office has issued a breach notification letter concerning Rockland Trust, dated March 1, 2026. The document details a security incident involving a mysterious handwritten manuscript and a missing page, potentially related to a powerful artifact and a curse.
Data Breach Notification from Empowerment Schools, CHCP
Empowerment Schools - Healthcare Ltd and Texas Medical Careers, Limited (CHCP) are notifying individuals of a data breach discovered on August 21, 2025. An unauthorized third party accessed certain files between August 16-20, 2025, potentially exposing personal information. CHCP is offering free credit monitoring and identity theft insurance.
Breach Notification Letter - Rockland Trust
This document is a breach notification letter from Rockland Trust, dated March 1, 2026. It informs recipients about a data security incident involving a mysterious manuscript and a missing page, detailing the investigation and clues found. The letter is part of Massachusetts' breach notification requirements.
Ailco Equipment Finance Group Data Privacy Incident Notification
Ailco Equipment Finance Group is notifying affected individuals in Massachusetts about a data privacy incident experienced by its service provider, Kaaj Technologies Inc. The incident may have impacted full names and other personal information. Affected individuals are offered complimentary identity protection services.
Coastal Carolina Health Care Data Security Incident Notification
Coastal Carolina Health Care, PA is notifying Massachusetts residents of a data security incident affecting personal and protected health information. The notice provides details on the incident and resources for affected individuals, including instructions for credit monitoring and identity theft protection services, as required by Massachusetts law.
LanguageLine Solutions Data Breach Notification
LanguageLine Solutions is notifying affected individuals in Massachusetts about a data breach impacting the Interpreter Intelligence platform. The incident, which occurred around December 29, 2025, may have exposed personal information. The company is offering complimentary credit monitoring and identity protection services.
City of Washington Court House Data Breach Notification
The Massachusetts Office of the Attorney General has issued a data breach notification for the City of Washington Court House. The notice provides guidance to affected residents on steps to protect themselves, including information on credit freezes, identity theft reporting, and resources from the FTC and state agencies.
Cetera Financial Group Data Breach Notification
Cetera Financial Group has issued a data breach notification letter to affected individuals in Massachusetts following an email event. The company is offering complimentary 24-month credit monitoring services to mitigate potential identity theft risks. The notification is mandated by Massachusetts law.
Kaaj Technologies Data Breach Notification
Kaaj Technologies Inc. is notifying Massachusetts residents of a data breach impacting personal information, including full name and [Extra1]. The company is offering complimentary 24-month identity protection services through Experian IdentityWorks and identity restoration support.
CW Advisors Data Breach Notification
CW Advisors, LLC is notifying affected individuals in Massachusetts about a data security incident that compromised their names and Social Security numbers. The company is offering two years of complimentary credit monitoring and identity theft protection services to mitigate potential harm.
Dubroff, Easley & Lovell LLP Security Incident Notification
Dubroff, Easley & Lovell, LLP is notifying affected individuals of a data security incident that occurred between September 2, 2025, and September 22, 2025. The law firm determined on March 3, 2026, that personal data may have been acquired by an unauthorized party. The firm is offering complimentary identity monitoring services.
Liberty Bankers Life Ins Co Data Breach Notification
The Massachusetts Attorney General's Office has issued a breach notification letter concerning Liberty Bankers Life Insurance Company. The notice details a data security incident that occurred on November 4, 2025, where unauthorized access to network files may have exposed consumer information, including personal identifiers. The company is offering identity monitoring services.
STRATeBEN Inc. Data Breach Notification
STRATeBEN Inc., an employee benefits consulting firm, has issued a data breach notification to individuals whose name, Social Security number, and date of birth were compromised. The company is offering 24 months of complimentary identity monitoring services through Kroll to affected individuals.
MXB Battery Operations LP Data Breach Notification
MXB Battery Operations LP is notifying affected individuals in Massachusetts of a data breach that occurred on March 26, 2026. The breach may have exposed personal information, including names. The company is offering complimentary credit monitoring services to mitigate potential harm.
Deschutes Public Library Data Security Incident Notice
The Massachusetts Attorney General's office has issued a data security incident notice for the Deschutes Public Library. The notice informs consumers about a breach involving personal information and outlines their rights under Massachusetts law, including steps for credit monitoring and placing security freezes.
Data Protection Commission Approves Binding Corporate Rules for Intec Billing Ireland
The Irish Data Protection Commission (DPC) has approved the Binding Corporate Rules (BCRs) for processor Intec Billing Ireland Limited, on behalf of the CSG group. This decision provides a framework for the group's international data transfers, ensuring compliance with GDPR requirements.
Shopify Controller Binding Corporate Rules Approved
The Irish Data Protection Commission, in conjunction with the EDPB, has approved Shopify International Limited's Binding Corporate Rules (BCRs) for controllers. This decision provides a framework for Shopify to transfer personal data to third countries while ensuring an essentially equivalent level of protection as required by the GDPR.
Shopify International Limited Processor Binding Corporate Rules Approved
The Irish Data Protection Commission (DPC) has approved the Binding Corporate Rules (BCRs) for Shopify International Limited as a data processor. This decision provides a framework for Shopify's international data transfers, ensuring compliance with GDPR standards.
University Hospitals Birmingham NHS Trust Enforcement Action
The UK's Information Commissioner's Office (ICO) has issued an enforcement notice against University Hospitals Birmingham NHS Foundation Trust. The notice details breaches of data protection law, requiring the Trust to take specific actions to rectify the issues.
Queen Elizabeth Hospital NHS Trust Enforcement Action
The UK's Information Commissioner's Office (ICO) has taken enforcement action against Queen Elizabeth Hospital King's Lynn NHS Foundation Trust. This action involves an enforcement notice, indicating a significant regulatory finding related to data protection practices within the Trust.
Oklahoma Enacts Comprehensive State Privacy Law
Oklahoma has enacted Enrolled Senate Bill No. 546, the 21st state-level comprehensive privacy law, which will take effect on January 1, 2027. The law grants consumers specific privacy rights and imposes obligations on businesses regarding data processing, security, and disclosures, enforced by the Attorney General.
Oklahoma Enacts Comprehensive Consumer Data Privacy Law
Oklahoma has enacted Senate Bill 546, establishing its comprehensive consumer data privacy law, making it the 21st state with such legislation. The law applies to businesses meeting specific data processing thresholds and grants consumers rights similar to those in other state privacy laws.
Brazil-EU Data Transfer Adequacy Decision
Brazil's ANPD and the European Commission have recognized mutual adequacy for personal data transfers, simplifying mechanisms under their respective data protection laws. While this eases contractual friction, underlying processing compliance remains critical for entities transferring data between the EU and Brazil.
New Laws Restrict AI for Minors, Add Privacy Rights
Washington state has enacted a new law, effective January 1, 2027, that imposes restrictions on the use of AI for minors and introduces new privacy rights. The law defines 'companion chatbots' broadly and may impact companies using conversational AI for customer engagement, requiring compliance with governance mechanisms and design elements and potentially exposing them to private rights of action.
Insurance Broker Indicted for Fraud and Theft
The Colorado Attorney General's Office announced the indictment of George Gonzalez, an insurance broker, on 23 felony counts for allegedly diverting over $100,000 in insurance premium payments. The indictment includes charges of insurance fraud and theft, affecting multiple insurance companies and their customers.
EU Digital Omnibus, CSAM detection, AI Act, ICO guidance updates
The IAPP Privacy News reports on developments in the EU Digital Omnibus on AI, with interinstitutional negotiations underway and a potential June vote. Discussions on the data counterpart, the Digital Omnibus, are ongoing, facing criticism regarding cybersecurity incident reporting. The temporary derogation for voluntary CSAM detection will not be extended, creating a potential legal vacuum.
US State Data Breach Notification Laws Resource Updated
The IAPP has updated its resource chart detailing US state data breach notification laws. The update highlights variations in definitions of personal information and coverage, noting that while all states have such laws, they often define 'personal information' more narrowly than comprehensive privacy laws and primarily focus on data relevant to identity theft and financial fraud.
India's DPDPA Faces Legal Challenges and AI Risks
India's Digital Personal Data Protection Act (DPDPA) is facing legal challenges, including petitions to the Supreme Court and Kerala High Court concerning fundamental rights, data breach compensation, and state exemptions. The government also outlined legal safeguards for AI risks, referencing existing acts and new guidelines.
Schubert Organization Inc. Data Breach Notice to Consumers
The Vermont Attorney General's Office has published a data breach notice from The Schubert Organization Inc. to consumers. The notice, dated March 20, 2026, details a security incident affecting consumer data.
Health Management Systems America Data Breach Notice
The Vermont Attorney General's Office has issued a data breach notice regarding Health Management Systems of America. The notice informs consumers about a data breach that may have compromised their personal information, requiring specific actions to protect themselves.
Summit Insurance Services Data Breach Notice to Consumers
The Vermont Attorney General's Office has published a data breach notice from Summit Insurance Services to consumers. The notice, dated March 26, 2026, details a security incident affecting consumer data.
UFCW Local 342 Data Breach Notice to Consumers
The Vermont Attorney General's Office has published a data breach notice for UFCW Local 342, informing consumers about a security incident. The notice provides a link to a PDF document detailing the breach and its implications for affected individuals.
Cetera Financial Group Data Breach Notice to Consumers
The Vermont Attorney General's Office has published a data breach notice for Cetera Financial Group. The notice informs consumers about a data security incident that may have affected their personal information. Specific details regarding the breach and affected data were not provided in the summary notice.
Navia Data Breach Notice to Consumers
The Vermont Attorney General's Office has published a data breach notice from Navia for consumers, dated March 23, 2026. This notice informs consumers about a data security incident affecting their personal information.