Search

Opinion 15/2026 on Europrivacy Certification Criteria for European Data Protection Seal

The European Data Protection Board adopted Opinion 15/2026 regarding the Europrivacy certification criteria for approval as a European Data Protection Seal. The opinion assesses whether the criteria meet requirements under Articles 42 and 46 GDPR for use as a transfer mechanism. This certification provides organizations with an approved tool to demonstrate adequate safeguards for international personal data transfers.

Opinion 14/2026 Europrivacy Certification Criteria GDPR Seal Approval

The European Data Protection Board (EDPB) issued Opinion 14/2026 regarding Europrivacy certification criteria under Article 42.5 GDPR. The opinion addresses whether the Europrivacy certification scheme meets requirements for approval as an official European Data Protection Seal. Certification bodies and data controllers operating in EU member states will need to consider this guidance when implementing or obtaining data protection certifications.

Guidelines 1/2026 on Processing Personal Data for Scientific Research Purposes

The European Data Protection Board has opened a public consultation on Guidelines 1/2026 addressing the processing of personal data for scientific research purposes under the GDPR. The guidelines cover topics including legal basis, consent requirements, and data subject rights in research contexts. Comments may be submitted until 25 June 2026, after which submitted responses will be published on the EDPB website.

Europrivacy European Data Protection Seal Approved as Appropriate Safeguard for International Data Transfers

The European Data Protection Board adopted two Article 64 GDPR opinions approving the first certification instruments for international data transfers. The Europrivacy European Data Protection Seal can now be used as an appropriate safeguard for international data transfers under Articles 42 and 46 GDPR. The certification scheme has been extended to include organizations established outside the EEA but subject to GDPR under Article 3(2).

EU Age Verification App Technically Ready, Rollout Soon

The European Commission announced 15 April 2026 that its age verification app is technically ready and will soon be available for citizens. The app is built on the European Digital Identity Wallet framework and aims to provide privacy-preserving, anonymous age verification for online services. Commission President Ursula von der Leyen emphasized the app's open-source, user-friendly design and stated it supports Digital Services Act implementation and broader children's protection goals.

xAI Sues California AG Over AI Training Data Transparency Law

xAI filed a lawsuit against California Attorney General Rob Bonta challenging AB 2013, the state's generative AI training data transparency law that took effect January 1, 2026. The law requires developers of generative AI systems made available to California residents to publicly disclose 12 categories of information about their training datasets, including data sources, size, copyright status, and personal information content. The District Court denied xAI's motion for preliminary injunction, and xAI has appealed to the 9th Circuit.

EU Digital Omnibus Makes Deidentification Statements Inevitable

IAPP published an analysis examining how the proposed EU Digital Omnibus regulation would codify Recital 26's anonymization standard into binding Article 4 definitions. The analysis notes the regulation shifts responsibility to organizations, requiring them to document and demonstrate why they cannot re-identify individuals from deidentified datasets — effectively requiring companies to prove a negative regarding identification capabilities.

Italian DPA Newsletter No. 546: Eni Fined €96k, Remote Exam FAQs, FaceBoarding Non-Compliance

The Italian DPA (Garante) published Newsletter No. 546 covering five items. The Garante fined Eni €96,000 for a GDPR violation. The DPA also issued FAQs on remote proctoring systems for online exams and training courses, clarified employees' right to access personal emails after employment ends, found Milano Linate Airport's FaceBoarding facial recognition system non-compliant with GDPR, and approved the MIM Ministry's AscoltaMi listening service.

Live Nation/Ticketmaster Found Illegal Monopoly by Jury

Colorado AG Phil Weiser announced that a jury found Live Nation and Ticketmaster liable as an illegal monopoly in the live entertainment and ticketing industry. Colorado and other states rejected a settlement reached between the Justice Department and Live Nation and continued the antitrust lawsuit through trial in New York federal court. The jury verdict found Live Nation violated state and federal antitrust laws by monopolizing the market.

Best Practice Guidance 'Facing the Camera' on Police Use of Live Facial Recognition

The UK Surveillance Camera Commissioner has issued best practice guidance titled 'Facing the Camera' for police forces in England and Wales on the lawful deployment of Live Facial Recognition technology. This is the first guidance issued since the Court of Appeal overturned South Wales Police's use of LFR in the Bridges v South Wales Police case. The guidance helps forces understand how to deploy LFR in compliance with current legal requirements while balancing civil liberties.

Fraser Sampson Appointed Biometrics and Surveillance Camera Commissioner

The Home Secretary has appointed Fraser Sampson as the government's new independent Biometrics and Surveillance Camera Commissioner, effective 1 March 2021. This appointment consolidates the previously separate Biometrics Commissioner and Surveillance Camera Commissioner roles into a single position. The Commissioner will promote compliance with the Surveillance Camera Code and rules on police use of DNA profiles and fingerprints under the Protection of Freedoms Act 2012.

DCMS Consultation on Biometric Data and Surveillance Reform

DCMS launched a consultation on reforms to the UK data protection regime. The consultation proposes legislative changes to streamline police collection, use, and retention of biometric data, and suggests merging the Biometrics Commissioner and Surveillance Camera Commissioner functions under the Information Commissioner's Office for simplified oversight.

Surveillance Camera Code of Practice Amendments Laid in Parliament

The Surveillance Camera Commissioner laid an updated Surveillance Camera Code of Practice before Parliament on 16 November 2021 pursuant to Section 31(3) of the Protection of Freedoms Act 2012. Subject to parliamentary approval, the updated code is due to come into effect on 12 January 2022.

Fraser Sampson Raises Concerns on Police Biometrics Oversight

Professor Fraser Sampson, the Independent Commissioner for Biometrics and Surveillance Cameras, submitted a formal response to the Department for Digital, Culture, Media & Sport consultation 'Data: a new direction'. He raised serious concerns about proposals to absorb oversight of police biometric and surveillance camera powers into the Information Commissioner's Office. The consultation questions regarding these transfers appear on page 142 of the 146-page document.

NDG Statement on Patient Data Reflective Practice Safeguards

The National Data Guardian published a position statement on 27 November 2025 clarifying when regulated health and social care professionals in England may access confidential patient information for reflective practice purposes. The statement establishes safeguards and limits for data access, explains the application of Caldicott Principles, and underpins NHS England guidance on using information for reflective practice published the same day.

NDG 2024-25 Work Report, Priorities Through March 2027

The National Data Guardian (NDG) published its 2024-25 annual report covering activities from April 2024 to March 2025. The report accounts for the work of Dr Nicola Byrne and her office in advising on health and social care data use. The NDG also outlines priority work areas through the conclusion of Dr Byrne's term on 31 March 2027.

NDG Briefing on Data Use and Access Bill

The National Data Guardian published a briefing on the Data (Use and Access) Bill as part of their statutory duty to advise on matters affecting health and care data. The document outlines NDG's views on the bill, highlighting provisions they support while identifying areas requiring further consideration. The briefing was shared with the Department of Health and Social Care and Department for Science, Innovation and Technology before being published for transparency and parliamentary support.

Survey Findings on Barriers to Direct Care Information Sharing

The National Data Guardian (NDG) published a survey report on barriers to health and care professionals sharing information to support direct care. Commissioned in late 2019, the online survey aimed to understand perceived obstacles to appropriate information sharing. The report includes four recommendations for educational initiatives to improve direct care information sharing practices.

Co-Designed Communications on Health and Care Data Expectations

The National Data Guardian published research testing whether co-designed communications can help people understand and expect specific uses of their health and care data. Working with NHS Screening Quality Assurance Service and Population Health Management programmes, the research found that well-designed materials can successfully inform people and set accurate expectations about data use, including safeguards. The findings provide practical insights for health and care organisations on communicating transparently about data use to reduce surprise.

Fairness Innovation Challenge: Up to £400,000 for AI Bias Solutions

The UK Department for Science, Innovation and Technology, through the Centre for Data Ethics and Innovation, has launched the Fairness Innovation Challenge offering up to £400,000 in government investment to UK companies. The competition will fund up to three solutions with individual awards of up to £130,000 each, focusing on innovative approaches to tackle bias and discrimination in AI systems, with initial focus on healthcare and other real-world use cases. Submissions close on 13 December 2024.

Ethics, Transparency and Accountability Framework for Automated Decision-Making

The UK Centre for Data Ethics and Innovation, alongside the Department for Science, Innovation and Technology, Cabinet Office, and Office for Artificial Intelligence, published a 7-point Ethics, Transparency and Accountability Framework for Automated Decision-Making. The framework provides guidance for public sector organisations on using automated or algorithmic decision-making systems safely, sustainably and ethically. An accompanying Risk Potential Assessment Form helps teams evaluate possible risks of automated or algorithmic decisions.

International Survey of Public Opinion on AI Safety

The Centre for Data Ethics and Innovation commissioned Deltapoll to conduct international research on public opinion towards AI safety ahead of the UK's AI Safety Summit 2023. Respondents from nine countries expressed widespread support for AI safety testing, with 76% agreement in the UK and Singapore, and 62% in the UK supporting government-backed AI safety institutes.

CDEI Rebranded as Responsible Technology Adoption Unit

The UK Centre for Data Ethics and Innovation (CDEI) has been renamed the Responsible Technology Adoption Unit (RTA). The name change reflects the directorate's evolving role in supporting responsible AI adoption across public and private sectors under the Department for Science, Innovation and Technology.

Public Attitudes to Data and AI: Tracker Survey Wave 3

The CDEI and Department for Science, Innovation and Technology published Wave 3 of the Public Attitudes Tracker Survey, monitoring how UK public attitudes towards data and AI vary over time. The survey includes an infographic of key findings and weighted data tables. No compliance obligations or regulatory requirements are created by this publication.

Newsletter N. 546: Eni Fine 96K Euro, FAQ, Email Access, FaceBoarding

Garante per la protezione dei dati personali published Newsletter No. 546 covering multiple decisions. The authority fined Eni 96,000 euros for GDPR violations related to workplace email access and data protection practices. The newsletter also addresses employee email access after employment termination, the FaceBoarding biometric system at Milano Linate airport being non-compliant with GDPR, and approval of the AscoltaMi service for the Ministry of Education and Merit (MIM).

California Cybersecurity Audit Rule: Class Action Discovery and Privilege Implications

The California Privacy Protection Agency's cybersecurity audit rule took effect Jan. 1, 2026, requiring covered businesses to conduct annual audits covering 18 technical and organizational components and submit written certification to the agency. The rule, the first of its kind among state data privacy laws of general applicability, may generate substantial compliance efforts and create discoverable evidence in data breach class action litigation.

David Evans Enterprises Data Breach Notice to Consumers

The Vermont Attorney General's Office posted a data breach notice regarding David Evans Enterprises, Inc. on April 10, 2026. The notice informs Vermont consumers about a security incident involving unauthorized access to personal information. Affected consumers should review the full notice for specific details about the breach and recommended protective measures.

SDI Management LLC Data Breach Notice to Consumers

The Vermont Attorney General posted a data breach notification from SDI Management LLC on April 9, 2026. The notice alerts consumers that their personal information may have been compromised in a security incident. Affected consumers should review the full notice for information about the breach and recommended protective steps.

Buena Vista Management Services Data Breach Notice to Consumers

The Vermont Attorney General's Office published a data breach notice from Buena Vista Management Services, LLC on April 10, 2026, informing consumers of a security incident involving unauthorized access to personal information. The notice advises affected Vermont consumers of the breach and provides information regarding the nature of the incident. This notification fulfills the company's obligations under Vermont's data breach notification law.

TruView BSI, LLC Data Breach Notice to Consumers

TruView BSI, LLC submitted a data breach notification to the Vermont Attorney General's Office on April 8, 2026. The notice advises Vermont consumers who may be affected by the breach to review the attached PDF for details on the incident and recommended next steps.

Adrian Jules LTD Data Breach Notice to Consumers

Adrian Jules LTD filed a data breach notice with the Vermont Attorney General's Office on April 8, 2026. The notice informs consumers about a security incident involving unauthorized access to personal information. The company is providing details about the breach and recommended actions for affected individuals.

Legend Senior Living Data Breach Notice to Vermont Consumers

Legend Senior Living, LLC filed a data breach notice with the Vermont Attorney General's Office on April 10, 2026, informing Vermont consumers of a security incident involving personal information. The notice, published on the AG's Security Breach Notices page, provides affected consumers with details about the breach and recommended protective measures. No specific breach date, type of data compromised, or number of affected individuals was stated in the source document.

OneDigital Investment Advisors data breach notice posted 8th Apr

OneDigital Investment Advisors data breach notice posted 8th Apr

Nicholas H. Safford & Co., Inc. Data Breach Notice to Consumers

The Vermont Attorney General posted a data breach notice from Nicholas H. Safford & Co., Inc. informing consumers of a security incident involving personal information. The company published the notice as required under Vermont's security breach notification law. Consumers are advised to review the full notice for details on the compromised data and recommended protective actions.

EDPB DPIA Template Public Consultation

The European Data Protection Board (EDPB) has opened a public consultation on its Data Protection Impact Assessment (DPIA) Template, running from 14 April 2026 until 9 June 2026. The template aims to provide a harmonized approach for DPIAs across EU member states. After the consultation closes, DPAs will begin adopting this template as their unique or 'meta-template'.

Contractor Sentenced to 10 Years for $1.4M Home Remodeling Fraud

A Denver District Court judge sentenced Avi Schwalb to 10 years in the Colorado Department of Corrections for a home remodeling contractor fraud scheme that stole over $1.4 million from homeowners. In February 2026, a jury found Schwalb guilty on all 47 felony charges including theft, money laundering, and violating Colorado's organized crime law. The investigation covered work conducted from July 2021 to December 2024.

EDPB Adopts DPIA Template for Harmonised EU Compliance

The European Data Protection Board has adopted a template for Data Protection Impact Assessments (DPIA) to help organisations structure, harmonise and evidence their DPIA reporting processes under the GDPR. The template, which is not mandatory for organisations to use, includes predefined fields and a supporting explainer document with concise explanations. The template is subject to public consultation until 9 June 2026, after which EU Data Protection Authorities will adopt it either as their sole standard or as a 'meta-template' for national alignment.

Metropolitan Police NCND FOI 40 Complaint Not Upheld

The Information Commissioner's Office has issued a Decision Notice in case IC-469364-Q5L0 concerning a Freedom of Information complaint against the Metropolitan Police Service. The complainant requested information about whether a named individual worked for the MPS. The MPS responded using 'neither confirm nor deny' (NCND) under section 40(5B)(a)(i) of FOIA. The ICO determined that the MPS was entitled to apply the NCND exemption and the complaint was not upheld.

Kent County Council FOIA 10 Upheld

The ICO issued a decision notice finding Kent County Council in breach of FOIA for failing to respond to a freedom of information request within the statutory 20 working day timeframe. The council must now provide a substantive response to the original request within 30 calendar days of the decision.

Birmingham City Council FOI 12 Upheld

The ICO has upheld a complaint against Birmingham City Council regarding a Freedom of Information Act request. The Council cited section 12 (appropriate limit) to refuse providing information about invoices paid from April 2019. The ICO determined the Council is not entitled to rely on section 12. The Council must now issue a fresh response to the request without relying on section 12(1) of FOIA.

FCDO fails FOI response deadline, ICO upholds complaint

FCDO fails FOI response deadline, ICO upholds complaint

Crown Prosecution Service Withholds Text Messages, FOI Appeal Not Upheld

The Information Commissioner's Office has issued a Decision Notice in case IC-419334-F5H6 dated 7 April 2026. The Crown Prosecution Service withheld copies of text messages considered as evidence in criminal proceedings, citing FOIA section 30(1)(c) (criminal proceedings) and section 40(2) (personal information). The ICO determined that CPS correctly relied on section 30(1)(c) to withhold the requested information. No further steps are required of the CPS.

FCDO FOI Complaint Upheld, Response Required

The ICO has upheld a Freedom of Information complaint against the Foreign, Commonwealth and Development Office (FCDO). The public authority failed to respond to an FOI request within the statutory 20 working day period required under FOIA. The Commissioner requires FCDO to provide the complainant with a response within 30 calendar days of this decision notice.

University of Bradford FOI 10 Upheld, 30-Day Response Required

The ICO has upheld a Freedom of Information complaint against the University of Bradford. The public authority failed to respond to the complainant's FOI request within the statutory 20 working days under FOIA. The ICO requires the university to provide a substantive response to the request within 30 calendar days.

Newham Council Stratford One Complaint Details Withheld Under EIR

The Information Commissioner's Office has issued a decision notice regarding a complaint against the London Borough of Newham concerning requests for information about Stratford One student accommodation complaints. The Council relied on regulation 12(5)(b) of the Environmental Information Regulations (EIR) — adverse effect on the course of justice — to withhold the information. The ICO determined that the Council correctly applied this exemption and no further compliance steps are required.

Brighton & Hove City Council Breaches FOIA on Drive Request

The ICO has issued a Decision Notice finding that Brighton & Hove City Council breached FOIA requirements when handling an information request about a drive at a specific address. The council processed the request under FOIA section 21 (information accessible by other means) when it should have been handled under the Environmental Information Regulations (EIR). The ICO upheld complaints under EIR regulation 5(1) and regulation 14(1). The council is required to reconsider the request under the EIR and issue a fresh response to the complainant.

Castle Point Borough Council - FOI Complaint Partly Upheld

The ICO issued a Decision Notice concerning Castle Point Borough Council's handling of a Freedom of Information request. For part 1 of the request (emails between named individuals), the ICO found the council does not hold the requested information. For part 2 (email chains), the ICO determined the council is entitled to withhold personal data under section 40 for Email Chain 1 and part of Email Chain 2, but must disclose remaining information in Email Chain 2 since no exemption was cited.

Northumbria Police Operation Eustace FOI Complaint Not Upheld

The Information Commissioner's Office issued a Decision Notice regarding a Freedom of Information complaint against Northumbria Police concerning Operation Eustace. The ICO determined that on the balance of probabilities, Northumbria Police does not hold information within the scope of the request. The Commissioner does not require Northumbria Police to take any steps.

RCVS VCMS FOI Complaint Not Upheld - Info Not Held

The Information Commissioner's Office issued a decision notice regarding a Freedom of Information complaint against the Royal College of Veterinary Surgeons (RCVS). The complainant requested information about complaints handled by the Veterinary Client Mediation Service (VCMS). The ICO determined that on the balance of probabilities, RCVS does not hold the requested information. The complaint was not upheld and no further steps are required.

Apple Collects Street Images in Luxembourg April 8 - May 7, 2026

The CNPD informs the public that Apple will collect street-level imagery in Luxembourg from April 8 to May 7, 2026, for its Apple Maps service. Apple will automatically blur faces and license plates on published images. Individuals with questions about image processing or who wish to request additional blur may contact Apple directly.