702 changes Data Privacy & Cybersecurity
ICO Overturns Bristol Council's Freedom of Information Refusal
The UK's Information Commissioner's Office (ICO) has overturned Bristol City Council's refusal to provide information regarding road blocks for the East Bristol Liveable Neighbourhood project. The ICO found the council incorrectly categorised the request as manifestly unreasonable.
ICO Decision Notice: NHS Trust Failed to Respond to FOI Request
The Information Commissioner's Office (ICO) has upheld a Freedom of Information (FOI) request against North East London NHS Foundation Trust. The Trust failed to respond to the request within the statutory 20 working days. The ICO has ordered the Trust to provide a response within 30 calendar days.
ICO Upholds FOI Complaint Against DHSC
The UK Information Commissioner's Office (ICO) has upheld a complaint against the Department of Health & Social Care (DHSC) for failing to complete public interest test considerations within a reasonable time. The DHSC is now required to provide a substantive response to the FOI request within 30 calendar days.
ICO Upholds HM Treasury FOI Refusal on Policy Grounds
The UK's Information Commissioner's Office (ICO) has upheld HM Treasury's refusal to disclose meeting notes and minutes to the Finance and Leasing Association, citing Section 35 of the Freedom of Information Act concerning government policy formulation. The ICO found that HM Treasury was entitled to withhold the information on these grounds.
ICO Decision: Lewisham Council FOI 17 Upheld, 40(2) Not Upheld
The UK's Information Commissioner's Office (ICO) issued a decision regarding a Freedom of Information (FOI) request made to Lewisham Council. The ICO upheld the council's decision to withhold information under FOI section 40(2) but found the council breached section 17 by failing to issue a timely refusal notice.
Bridgend Council FOI Complaint Upheld by ICO
The UK's Information Commissioner's Office (ICO) has upheld a complaint against Bridgend County Borough Council for failing to respond to a Freedom of Information (FOI) request within the statutory 20 working days. The council has been directed to provide a substantive response to the request.
ICO Decision on Kingston Upon Thames FOI Data Protection Complaints
The ICO issued a decision regarding data protection complaints against the Royal Borough of Kingston Upon Thames. While the council was found not to hold the requested information under EIR regulation 12(4)(a), its internal review process did not comply with regulation 11(4). No further steps are required by the Commissioner.
ICO Decision: Oxford City Council correctly withheld expense report data
The UK's Information Commissioner's Office (ICO) issued a decision finding that Oxford City Council correctly withheld expense report data under section 40(2) of the Freedom of Information Act (FOIA). The decision upholds the council's reliance on the third-party personal information exemption.
ICO Decision Notice: Halton Council Mersey Gateway Bridges Information Request
The UK's Information Commissioner's Office (ICO) has upheld a complaint against Halton Council regarding a request for information about the Mersey Gateway bridges. The ICO found the Council failed to conduct a reasonable search for the requested information, violating the Environmental Information Regulations (EIR). The Council must now conduct further searches and issue a new response.
ICO Decision: HMRC FOI Request - Statutory Prohibition Upheld
The UK's Information Commissioner's Office (ICO) has issued a decision regarding a Freedom of Information (FOI) request made to HM Revenue and Customs (HMRC). The ICO upheld HMRC's decision to withhold certain information based on section 44(1) of the FOIA, which concerns statutory prohibitions on disclosure.
ICO Upholds FOI Complaint Against London Borough of Enfield for Delayed Response
The UK's Information Commissioner's Office (ICO) has upheld a Freedom of Information (FOI) complaint against the London Borough of Enfield. The ICO found that the council failed to respond to a complainant's information request within the statutory 20-working-day limit, breaching Section 10 of the Freedom of Information Act.
ICO Decision Notice: Home Office FOI migrant stats upheld
The UK's Information Commissioner's Office (ICO) has upheld a complainant's appeal against the Home Office regarding a Freedom of Information (FOI) request for migrant arrival statistics. The ICO ruled that the Home Office improperly withheld information under the personal data exemption.
DAERA Decision on Freedom of Information and Data Protection Complaints
The ICO has issued a decision regarding complaints against the Department of Agriculture, Environment and Rural Affairs (DAERA) concerning freedom of information and data protection. DAERA was found to have breached EIR regulation 11(4) by failing to provide an internal review outcome within 40 working days, but was entitled to withhold certain commercial information.
ICO Decision Notice: DHSC FOI request on NHS data platform exempt
The UK's Information Commissioner's Office (ICO) issued a decision notice regarding a Freedom of Information (FOI) request concerning the NHS Federated Data Platform contract with Palantir Technologies Ltd. The ICO determined that information related to the formulation or development of government policy is exempt from disclosure under FOIA.
MoJ FOI Decision Notice - Information Not Held
The UK Information Commissioner's Office (ICO) issued a decision notice regarding a Freedom of Information (FOI) request made to the Ministry of Justice (MoJ). The ICO determined that the MoJ was entitled to refuse the request on the grounds that the information was not held in recorded form and would require the creation of new information.
UCA FOI Request Decision Notice
The Information Commissioner's Office (ICO) issued a decision notice regarding a Freedom of Information (FOI) request made to the University for the Creative Arts (UCA). The ICO found that UCA breached FOI laws by failing to respond within the statutory timeframe and by not issuing a proper refusal notice. No further steps were required by the ICO.
GDPR Resolution on Right of Access and Sanction
The Spanish Data Protection Agency (AEPD) has issued a resolution regarding a complaint about the right of access under GDPR. The agency found that the respondent failed to provide a legally established response to the data subject's request, leading to the admission of the claim and the initiation of a procedure for infringement.
GDPR Rights Resolution: Access and Suppression Claims
The Spanish Data Protection Agency (AEPD) issued a resolution regarding a complaint about access and suppression rights under GDPR. The resolution addresses a claimant's assertion that the Directorate General of Police failed to fully respond to a request for information on biometric data processing and access.
GDPR Resolution on Data Access Rights for VIMCORSA
The Spanish Data Protection Agency (AEPD) issued a resolution regarding a data access rights complaint against VIMCORSA. The complainant alleged VIMCORSA obstructed their right to access personal data and related repair documentation for a property. The AEPD found that VIMCORSA's response was inadequate and potentially obstructed the complainant's rights under GDPR.
AEPD Resolution: Closure of Employee Biometric Data Tracking Investigation
The Spanish Data Protection Agency (AEPD) has closed an investigation into the Ayuntamiento de Valladolid regarding its use of fingerprint-based employee time tracking. The agency closed the case after the municipality confirmed it had ceased using biometric data for employee time registration on September 2, 2024, following AEPD guidance.
EDPB Opinion on Dutch Authority's BCD Travel BCR
The European Data Protection Board (EDPB) has issued Opinion 7/2026 regarding a draft decision by the Dutch Supervisory Authority concerning the Binding Corporate Rules (BCRs) of BCD Travel Group. This opinion addresses the international transfer of personal data under GDPR.
EDPB Opinion on Dutch Authority's IBM Group BCR Draft Decision
The European Data Protection Board (EDPB) has issued an opinion on a draft decision by the Dutch Data Protection Authority concerning the Binding Corporate Rules (BCRs) of the IBM Group. This opinion addresses the international transfer of data and the adequacy of IBM's BCRs.
IDPC Decision on Incomplete Personal Data Copy Complaint
The Information and Data Protection Commissioner (IDPC) of Malta has initiated an investigation into a complaint alleging that a data controller provided an incomplete copy of personal data to a complainant exercising their right of access under GDPR. The controller has been unresponsive to the Commissioner's requests for information, leading to formal orders invoking investigative powers.
NDPC Urges Sports Betting Operators to Secure User Data
The Nigeria Data Protection Commission (NDPC) has urged sports betting operators to enhance data security measures for the approximately 60 million users on their platforms. The NDPC emphasized compliance with the Nigeria Data Protection Act (NDP Act), 2023, highlighting the importance of protecting customer data and the benefits of compliance for the gaming sector.
NDPC and Trade Ministry Partner to Boost Nigeria's Competitiveness
The Nigeria Data Protection Commission (NDPC) and the Ministry of Industry, Trade and Investment have partnered to enhance Nigeria's global competitiveness through data protection and privacy initiatives. This collaboration aims to build trust, attract foreign direct investment, and ensure compliance with the Nigeria Data Protection Act, 2023.
NDPC and NBS Alliance to Secure Nigeria's Socioeconomic Data
The Nigeria Data Protection Commission (NDPC) and the National Bureau of Statistics (NBS) have formed a strategic alliance to secure Nigeria's official socioeconomic data. This collaboration aims to enhance public trust in data handling processes and support the government's economic initiatives.
Cardone Law Data Security Incident Notification
Cardone Law Firm is notifying individuals of a data security incident discovered on August 25, 2025, which may have involved personal information. The firm is offering 24 months of free credit monitoring services to affected individuals.
EDPB Coordinated Enforcement Action on Transparency and Data Subject Rights
The Hellenic Data Protection Authority (HDPA) is participating in the European Data Protection Board's (EDPB) 2026 Coordinated Enforcement Action (CEF) focused on transparency and data subject rights under GDPR. This initiative involves 25 DPAs across Europe assessing controllers' compliance, with findings to be aggregated into a consolidated report.
White House AI Policy Recommendations
The White House has released its policy recommendations for federal AI regulation, emphasizing children's online safety, intellectual property, AI literacy, and preemption of state laws. The recommendations aim to establish a uniform national framework for AI development and use, fostering public trust and innovation.
US Senate Hearing Explores Section 230 Reforms
A US Senate hearing explored potential reforms to Section 230 of the Communications Decency Act, which provides liability protections for online platforms. Lawmakers and experts discussed the law's impact on the digital ecosystem and its applicability to emerging technologies like AI, with a general sentiment favoring amendments over full repeal.
Marquis Software Solutions Data Breach Notice to Consumers
The Vermont Attorney General's Office has published a data breach notice from Marquis Software Solutions to consumers. The notice, dated March 16, 2026, informs consumers about a data security incident affecting their personal information. Specific details regarding the nature of the breach or affected data were not provided in the summary document.
FTC, States Reach $100M Settlement with Walmart Over Deception
The FTC and a bipartisan group of state attorneys general have reached a $100 million multistate settlement with Walmart over allegations of deceiving drivers and customers in its Spark Driver Program. The settlement resolves claims that Walmart misrepresented driver pay and customer tips, with $89 million for consumer restitution and $11 million in penalties to states.
Utah Businesses Guided on Cash Rounding During Penny Shortage
The Utah Division of Consumer Protection has issued guidance to businesses on how to handle cash rounding during a national penny shortage. The guidance recommends a specific rounding methodology for cash-only transactions after taxes are calculated and requires businesses to provide notice of their chosen method.
Mercedes-Benz USA Settles with 50 States for $149.6M Over Emissions Defeat Devices
Utah and 50 other states have reached a $149.6 million settlement with Mercedes-Benz USA and Daimler AG for using illegal emissions defeat devices in over 211,000 diesel vehicles. The settlement addresses deceptive practices related to circumventing emissions standards and misleading consumers about environmental compliance.
Utah AG Secures $7.9M Judgment Against Amazon Store Scammer
The Utah Division of Consumer Protection secured a $7.9 million judgment and permanent ban against Parker J. Wilde for a deceptive Amazon e-commerce store scheme that defrauded over 200 consumers. Wilde is prohibited from participating in money-making schemes and telemarketing in Utah.
Utah Division of Consumer Protection Fines Maintenance Funding Providers
The Utah Division of Consumer Protection has concluded an audit of maintenance funding providers (MFPs), identifying over 600 violations of the Maintenance Funding Practices Act. This has resulted in nearly $100,000 in fines levied against 14 providers for issues including failure to register, improper disclosures, and inappropriate referral practices.
European Data Protection Authorities Focus on Transparency Obligations
European data protection authorities, coordinated by the EDPB, will focus on transparency and information obligations under GDPR for the year 2026. This initiative aims to ensure data controllers provide clear, accessible information to individuals regarding the processing of their personal data.
PDPC Decision on Institute of Mental Health Data Consent
The Singapore Personal Data Protection Commission (PDPC) amended a previous decision concerning the Institute of Mental Health (IMH). The amendment clarifies the factual background regarding IMH's use of patient data for research study recruitment, specifically addressing implied consent and the visibility of a notification to patients.
Goldheart Jewelry Data Breach Decision
Singapore's Personal Data Protection Commission has issued a decision against Goldheart Jewelry Pte. Ltd. for a data breach affecting 41,379 individuals. The breach resulted from insufficient security measures, including a failure to implement adequate patch management and access controls, leading to unauthorized access and disclosure of personal data.
PDPC Decision on Data Protection and Accountability
Singapore's Personal Data Protection Commission (PDPC) issued a decision against Air Sino-Euro Associates Travel Pte. Ltd. for failing to protect customer data, resulting in unauthorized access and disclosure. The organization also failed to appoint a data protection officer and implement internal policies.
Marina Bay Sands Data Breach Penalty Decision
Singapore's Personal Data Protection Commission has issued a decision against Marina Bay Sands Pte. Ltd. for a data breach affecting approximately 665,495 members. The breach resulted from insufficient security arrangements and a failure to mitigate risks of human error, leading to unauthorized access and disclosure of personal data. A financial penalty has been imposed.
PDPC Decision on Data Protection Breach by People Central Pte. Ltd.
Singapore's Personal Data Protection Commission (PDPC) issued a decision against People Central Pte. Ltd. for breaching data protection obligations. The company experienced unauthorized access to and deletion of client employee data due to insufficient security arrangements, including SQL injection vulnerabilities and weak access controls. The decision was handled under an expedited procedure because the organization admitted the facts and the breach.
EU Regulators Focus on Cross-Regulatory Cooperation for Digital Laws
The European Data Protection Board (EDPB) is increasing focus on cross-regulatory cooperation for EU digital laws, including the GDPR, AI Act, and Digital Markets Act. The EDPB is developing joint guidance with the European Commission on these interactions and on data protection and competition, aiming for consistent interpretation and enforcement.
Senator Blackburn Proposes AI Framework for Child Safety and Copyright
U.S. Senator Marsha Blackburn has introduced a discussion draft for a federal AI policy framework focusing on children's online safety and copyright protection. The proposal aims to establish national standards, incorporating elements from the Kids Online Safety Act and the NO FAKES Act, and includes provisions for a private right of action for child harms.
China PIPL Compliance Audit Guidance and Enforcement Trends
China's Personal Information Protection Law (PIPL) requires organizations to audit personal information processing for compliance. Recent regulatory developments, particularly concerning minors' data, indicate an increasing expectation for audits to be repeatable, verifiable, and evidence-backed, with a focus on demonstrating consistent implementation and technical reality.
EDPB-EDPS Joint Opinion on Cybersecurity Act 2 and NIS 2 Directive Amendments
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have issued a joint opinion on proposed amendments to the Cybersecurity Act 2 and the NIS 2 Directive. This opinion provides recommendations on the legislative proposals concerning cybersecurity certification and network and information security.
EDPB Report on Anonymisation and Pseudonymisation Stakeholder Event
The European Data Protection Board (EDPB) has published a report detailing discussions from a stakeholder event on anonymisation and pseudonymisation techniques. The report summarizes key takeaways and perspectives shared during the event.
GDPR Rights Procedure Resolution - Spanish DPA
The Spanish Data Protection Agency (AEPD) issued a resolution regarding a data subject's right to erasure request against UPTA-CLM. The agency found issues with the contact information provided by the organization, including a non-functional data protection officer email address.
EDPB Announces 2026 GDPR Transparency Measure
The European Data Protection Board (EDPB) announced its 2026 Coordinated Enforcement Framework (CEF) measure, focusing on transparency and information obligations under the GDPR. The Austrian Data Protection Authority will participate in this coordinated action.
EDPB Launches Coordinated GDPR Enforcement on Transparency
The European Data Protection Board (EDPB) has launched a coordinated enforcement action for 2026 focusing on compliance with GDPR transparency and information obligations. Twenty-five Data Protection Authorities across Europe will participate, assessing controllers' adherence to Articles 12, 13, and 14 of the GDPR.