CJEU Rules Pre-Ticked Checkboxes Invalid for Cookie Consent

The European Court of Justice (CJEU) ruled that pre-ticked checkboxes are invalid for obtaining cookie consent. This decision, welcomed by data protection authorities, clarifies that active user behavior is required for valid consent regarding data processing.

Bundestag Strengthens Data Protection Authority

The German Bundestag's Budget Committee has allocated an additional 67 posts to the Federal Commissioner for Data Protection and Freedom of Information (BfDI) for the upcoming year. This funding aims to enhance supervision of security authorities, support new digitalization tasks in the health sector, and improve international cooperation.

BfDI Fines 1&1 Telecom EUR 9.55M and Rapidata EUR 10k under GDPR

Germany's Federal Commissioner for Data Protection and Freedom of Information (BfDI) has fined 1&1 Telecom GmbH EUR 9.55 million for insufficient technical and organizational measures to protect customer data and Rapidata GmbH EUR 10,000 for failing to appoint a data protection officer. These actions underscore the enforcement of GDPR provisions.

EDPB Agrees on GDPR Evaluation and Suggests Cooperation Improvements

The European Data Protection Board (EDPB) has agreed to contribute to the European Commission's evaluation of the GDPR. The EDPB suggests improvements in cooperation between data protection authorities and revisions to standard contractual clauses for data transfers.

ECJ Invalidates Privacy Shield, Impacts International Data Transfers

The European Court of Justice (ECJ) has declared the EU-US Privacy Shield invalid, impacting international data transfers. The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) stated that companies and authorities can no longer rely on the Privacy Shield for data exchange with the USA, requiring special safeguards and adherence to fundamental rights.

France Travail fined €5 million for data security breach

The CNIL has fined FRANCE TRAVAIL (formerly Pôle Emploi) €5 million for failing to implement adequate security measures to protect job seeker data, following a hack in early 2024. The fine addresses inadequate technical and organizational measures, including weak authentication and logging.

CNIL Work Programme 2026-2028 on Data Economy

The CNIL has published its work programme for 2026-2028, focusing on understanding data-related business models and measuring the economic impact of its decisions. The programme aims to deepen expertise in data protection's economic implications and contribute to public debate on the data economy.

CNIL Annual Report: 2025 Fines and Sanctions

The CNIL reported imposing €486.8 million in fines and 83 sanctions in 2025, primarily for violations related to cookies, employee monitoring, and data security. The report details 143 compliance orders and 31 reminders of legal obligations issued during the year.

EDPB Guidelines on Article 48 GDPR

The European Data Protection Board (EDPB) has published final guidelines on Article 48 of the GDPR, concerning the recognition of judgments and decisions of public authorities of third countries. These guidelines clarify the conditions under which such judgments can be relied upon for international data transfers.

EDPB Consultation on DSA and GDPR Interplay Guidelines

The European Data Protection Board (EDPB) has opened a public consultation on its draft Guidelines 3/2025 concerning the interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR). The consultation period is open until October 31, 2025.

EDPB Joint Guidelines on DMA and GDPR Public Consultation

The European Data Protection Board (EDPB) and the European Commission have opened a public consultation on their Joint Guidelines concerning the interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). Interested parties are invited to submit comments by December 4, 2025.

EDPB GDPR Compliance Templates Consultation

The European Data Protection Board (EDPB) has launched a public consultation to gather ideas for developing ready-to-use GDPR compliance templates for organizations. The consultation seeks input on the most useful template types and closes on December 3, 2025.

EDPB Consultation on User Accounts for E-commerce Websites

The European Data Protection Board (EDPB) has launched a public consultation on its Recommendations 2/2025 concerning the legal basis for requiring user accounts on e-commerce websites. The consultation is open for comments until February 12, 2026.

EDPB Public Consultation on Processor Binding Corporate Rules

The European Data Protection Board (EDPB) has launched a public consultation on its Recommendations 1/2026 concerning Processor Binding Corporate Rules. The consultation is open until March 2, 2026, and aims to gather feedback on the application, elements, and principles for these rules under GDPR.

Guidance on Reporting Scams Pretending to be Companies House

Companies House has published guidance on how to report scams that impersonate the agency. The guidance details how to identify and report suspicious phone calls and emails, providing examples of known scam tactics.

Companies House Transition Plan for Economic Crime Act

Companies House has published an outline transition plan for the Economic Crime and Corporate Transparency Act 2023. The plan details the indicative timeline for commencing key provisions, with updates indicating potential postponements for certain measures to prioritize identity verification and stakeholder feedback.

Companies House Identity Verification Legal Requirement

Companies House has issued guidance stating that identity verification for directors and persons with significant control will become a legal requirement from November 18, 2025. This marks the start of a 12-month transition period for companies to comply.

Companies House Fees and Powers Update

Companies House will implement new fee structures effective February 1, 2026, with digital filing fees for incorporation, confirmation statements, and voluntary strike-offs increasing. These changes, alongside new powers granted by the Economic Crime and Corporate Transparency Act, aim to enhance the UK's corporate registers and combat economic crime.

Insolvency Service Shuts Down UK Business Registration Services

The UK Insolvency Service has shut down three companies that facilitated the registration of over 11,000 UK businesses for overseas clients, primarily from China. These companies operated without proper registration and failed to conduct anti-money laundering checks, creating a false impression of UK presence for their clients.

S-Bank Fined EUR 1.8 Million for GDPR Violations

The European Data Protection Board reports that the Finnish Supervisory Authority has fined S-Bank EUR 1.8 million for GDPR violations related to a data security vulnerability. The bank failed to implement adequate safeguards, leading to a personal data breach affecting a significant proportion of its customers.

EDPB Strengthens Global Data Protection Cooperation

The European Data Protection Board (EDPB) held a meeting with Data Protection Authorities from countries and organizations with an EU adequacy decision to strengthen global data protection cooperation. This follows up on a previous meeting in October 2024 and focuses on sharing information and experiences in international data protection enforcement.

EDPB/EDPS Support AI Act Streamlining with Stronger Safeguards

The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have issued a joint opinion on the EU Commission's proposal to streamline the AI Act. While supporting administrative simplification, they urge stronger safeguards to protect fundamental rights and advise against removing the registration obligation for high-risk AI systems.

EDPB Conference on Cross-Regulatory Cooperation

The European Data Protection Board (EDPB) is hosting a conference on March 17, 2026, in Brussels to discuss cross-regulatory cooperation from a data protection perspective. Registration is open until February 26, 2026.

EDPB/EDPS Joint Opinion on Digital Omnibus Regulation Proposal

The EDPB and EDPS have issued a joint opinion on the Digital Omnibus Regulation proposal, supporting simplification efforts while raising concerns about proposed changes to the GDPR's definition of personal data. They also welcome increased data breach notification thresholds and deadlines.

ICO Decision Notice: Cabinet Office FOI Request Breach

The UK's Information Commissioner's Office (ICO) has issued a decision notice regarding a Freedom of Information (FOI) request made to the Cabinet Office. The ICO upheld a complaint that the Cabinet Office breached FOI rules by failing to respond to a request within the statutory 20-working day period.

ICO Decision Notice: UWE must disclose construction expenditure

The UK's Information Commissioner's Office (ICO) issued a decision notice against the University of the West of England (UWE). UWE is required to disclose construction expenditure information within 30 days, as the ICO found their refusal to be unlawful under the Environmental Information Regulations (EIR).

Frimley Health NHS Trust FOI Request Upheld

The ICO has upheld a Freedom of Information (FOI) request against Frimley Health NHS Foundation Trust for failing to respond within the statutory 20 working days. The Trust is now required to respond to the complainant within 30 calendar days.

ICO Upholds Lambeth Council's Refusal on Information Request

The ICO has upheld Lambeth Council's refusal of one information request under the Environmental Information Regulations (EIR) 11(2) and 5(2). However, the Council breached EIR 5(2) by failing to respond within 20 working days and EIR 11(2) by not completing an internal review.

ICO Upholds Complaint Against Birmingham City Council for Delayed Planning Information

The UK's Information Commissioner's Office (ICO) has upheld a complaint against Birmingham City Council for failing to provide planning information within the statutory 20-working-day timeframe. The ICO found the council in breach of the Environmental Information Regulations (EIR).

ICO Updates UK GDPR International Transfer Guidance

The UK's Information Commissioner's Office (ICO) has updated its guidance on international personal data transfers under UK GDPR. The revised guidance aims to simplify compliance for businesses by introducing a 'three step test' and clarifying complex areas.

ICO Fines Two Companies £225,000 for Nuisance Marketing

The UK's Information Commissioner's Office (ICO) has fined Allay Claims Ltd and ZMLUK Limited a total of £225,000 for sending millions of unsolicited marketing messages. Allay Claims was fined £120,000 for unlawful text messages, and ZMLUK Limited received a £105,000 fine for unlawful marketing emails.

ICO Investigates Grok AI for Non-Consensual Imagery

The UK's Information Commissioner's Office (ICO) has opened a formal investigation into X Internet Unlimited Company and X.AI LLC regarding their Grok AI system. The investigation will assess compliance with data protection laws concerning the potential generation of non-consensual sexual imagery, including of children.

ICO Reprimands GP Surgery for Excessive Medical Data Disclosure

The UK's Information Commissioner's Office (ICO) has reprimanded Staines Health Group for sending 23 years of a terminally ill patient's medical records directly to an insurer, instead of the requested five years to the patient. The ICO cited a lack of written processes and inadequate training as contributing factors.

ICO Fines MediaLab £247,590 for Children's Privacy Failures

The UK's Information Commissioner's Office (ICO) has fined MediaLab, owner of Imgur, £247,590 for unlawfully processing children's personal data. The investigation found MediaLab failed to implement age checks and obtain parental consent, putting children at risk of exposure to harmful content.

OIG Audit: Medicaid Agencies Made $207M in Unallowable Payments for Deceased Enrollees

The HHS OIG has released an audit report finding that Medicaid agencies made an estimated $207.5 million in unallowable capitation payments to managed care organizations on behalf of deceased enrollees between July 2021 and June 2022. The report recommends CMS provide agencies with data to recover payments and explore OBBB Act implementation.

Maine Medicaid Autism Services Improper Payments

The HHS OIG has issued a report finding that Maine made at least $45.6 million in improper fee-for-service Medicaid payments for autism services provided to children. The audit identified that all sampled claims were improper or potentially improper, leading to recommendations for refunds and improved provider guidance.

HHS OIG: ACF Can Improve Homeless Youth Services Compliance

The HHS Office of Inspector General (OIG) issued a report finding that the Administration for Children and Families (ACF) can improve services to homeless youth by strengthening grant recipients' compliance with Transitional Living Program (TLP) requirements. The audit found significant documentation gaps in service provision for a large percentage of youth served by TLP grants.

HHS OIG: Hospital Cybersecurity Controls Need Improvement

The HHS Office of Inspector General (OIG) issued a report finding that a large southeastern hospital needs to improve its cybersecurity controls, particularly for web applications. The OIG made four recommendations to enhance defenses against cyberattacks, which the hospital has concurred with.

Philadelphia K-12 Schools COVID-19 Testing Program Audit

The HHS Office of Inspector General found that Philadelphia did not consistently monitor its COVID-19 screening testing program for K-12 schools, leading to $257,620 in unallowable costs and overpayments. The OIG recommended Philadelphia update its procedures for oversight and compliance.

OSHA Cites Horizon Biofuels for Safety Violations After Fatal Explosion

The U.S. Department of Labor's OSHA has cited Horizon Biofuels Inc. for willful and serious safety violations following a fatal explosion at their Fremont, NE facility. The company faces proposed penalties of $147,542 for issues including combustible dust, ignition source protection, and lack of fall protection.

NY Contractor Settles $600k Penalty for Safety Violations

A New York roofing contractor, DME Construction Associates Inc., has settled with the U.S. Department of Labor for $600,000 following a fatal fall in 2021. The settlement resolves willful safety violations, including failure to provide fall protection, and requires enhanced safety measures.

Labor Department Launches Compliance Assistance Tools

The U.S. Department of Labor's Wage and Hour Division has launched new compliance assistance tools, including a webpage, video series, and industry toolkits. These resources aim to help employers understand federal labor laws and promote proactive compliance.

OSHA Cites Construction Firm for Trench Safety Violations

The Occupational Safety and Health Administration (OSHA) has cited CB&A Construction LLC for willful trench safety violations following an investigation into a trench collapse. The agency proposed $170,145 in penalties.

DOL Guidance on Longshore and Harbor Workers' Compensation Act Security Deposits

The U.S. Department of Labor has published new guidance to provide enhanced and transparent criteria for calculating securitization requirements for insurers writing policies under the Longshore and Harbor Workers' Compensation Act. This guidance aims to lower costs for vital industries while ensuring worker safety.

DOJ Audit Report: OCEDTF Drug Control Funding FY 2025

The Department of Justice's Office of the Inspector General has released an audit report reviewing the Organized Crime Drug Enforcement Task Forces' accounting of drug control funding for Fiscal Year 2025. The report, number 26-018, was posted on February 5, 2026.

Department of Labor Rescinds ERISA Advisory Opinion 2023-01A on Citigroup Program

The Department of Labor has rescinded Advisory Opinion 2023-01A concerning Citigroup's Action for Racial Equity Asset Manager Program. The Department now states the program is unlawful under civil rights laws, not ERISA, and requires Citigroup to immediately cease all illegal activity.

DOJ OIG Audits Office of Justice Programs Drug Funding

The DOJ Office of the Inspector General has released an audit report reviewing the Office of Justice Programs' accounting of drug control funding for Fiscal Year 2025. The report, number 26-019, was posted on February 5, 2026.

ERISA Advisory Opinion on California Firefighters Disability Plan

The Department of Labor's Employee Benefits Security Administration (EBSA) issued Advisory Opinion 2025-02A regarding the California Association of Professional Firefighters (CAPF) Long Term Disability Plan and the National Peace Officers and Fire Fighters Benefit Association (NPFBA) Long Term Care Plan. The opinion addresses whether these plans qualify as employee welfare benefit plans under ERISA.

DOJ Audit Report: DEA Drug Control Funding FY2025

The Department of Justice's Office of the Inspector General has released an audit report reviewing the Drug Enforcement Administration's accounting of drug control funding for Fiscal Year 2025. The report, number 26-017, was posted on February 5, 2026.

Morgan Stanley Compensation Plan Not Subject to ERISA

The Department of Labor issued Advisory Opinion 2025-03A, determining that Morgan Stanley's deferred incentive compensation programs are not considered employee pension benefit plans under ERISA. This guidance clarifies the applicability of ERISA to specific compensation structures for financial advisors.