GDPR Compliance Archives - TechGDPR
https://techgdpr.com/blog/tag/gdpr-compliance/

Data protection digest 4-18 April 2026: questions rising over new EU age verification app & unjust automated parking fines
https://techgdpr.com/blog/data-protection-digest-21042026-questions-rising-over-new-eu-age-verification-app-unjust-automated-parking-fines/
Tue, 21 Apr 2026

EU age verification app

The European Commission has announced that a new age verification app designed to protect children online is ‘technically ready’ and will soon be available for citizens to use. The app will allow users to prove their age when accessing online platforms, helping protect children from harmful or inappropriate content. It can be set up with a passport or ID card.


Reportedly, the app is ‘completely anonymous’, works on any device, and is fully open source. Cyber and privacy experts, however, immediately examined the source code on the GitHub software platform and reported several issues with the app’s design, including low cybersecurity standards and the possibility of bypassing the app’s biometric authentication features.

Unjustified parking fines through automated means

The deployment of scanning vehicles to check parked cars has resulted in an estimated 500,000 unjustified fines. This is evident from a new thematic study by the Dutch Data Protection Authority AP. Municipalities carry out an estimated 250 to 375 million scans yearly, resulting in 3 to 5 million parking fines per year. According to calculations, more than 10 per cent of these are unjustified. People who object to the fine are successful in 40 to 62 per cent of cases.

A scanning vehicle only takes a snapshot, and the algorithms in the monitoring system do not see the circumstances. As a result, a scanning vehicle cannot, for example, determine that someone is loading or unloading. In such a situation, an exception may apply. The disabled parking permit, which is not registered to the license plate by default and is placed behind the windshield, is also not ‘seen’ by the scanning vehicle. If payment has not been made, the systems are unforgiving, and a fine follows automatically. 

Other legal updates

Alabama comprehensive privacy law: The Alabama Personal Data Protection Act (APDPA) was enacted on April 16. It has one of the lowest applicability thresholds in the US, covering businesses that:

  • handle personal data of more than 25,000 consumers (excluding data processed solely for completing a payment transaction), or 
  • derive more than 25% of gross revenue from selling personal data. 

From 1 May 2027, it will empower a consumer to confirm whether a controller is processing any of the consumer’s personal data, correct inaccuracies, delete it, obtain a copy, and opt out of the processing of their data. Controllers will be required to respond to consumer requests within 45 days, with a possible 45-day extension, and to provide a secure and reliable method for consumers to exercise their rights, as an analysis from vitallaw.com sums up.

Scientific research in the EU: The EDPB has, in the meantime, adopted Guidelines on the processing of personal data for scientific research purposes. Many areas of scientific research rely on the processing of individuals’ personal data. In the guidelines, the EU data protection regulator provides clarifications on the:

  • concept of ‘scientific research’  
  • further processing for scientific research purposes  
  • reliance on “broad consent” where the purposes of research are not fully known 
  • rights of individuals to erasure and objection when their personal data are processed for scientific purposes 
  • qualifications of data controller, joint controllers or processors.

The guidelines will be subject to public consultation until 25 June. 

DPIA template

The EDPB has also adopted a template for Data Protection Impact Assessments (DPIA). The template will help organisations structure, harmonise and substantiate their DPIA reporting processes. The template is complemented by an explainer document providing concise explanations for completing this template effectively, by breaking down key concepts in a simple language and addressing possible questions and knowledge gaps controllers might have.

Controllers can conduct their risk analysis and management processes as they prefer, using the DPIA methodology of their choice. A DPIA is a process required in situations where the processing is likely to result in a high risk; it describes how personal data will be processed, assesses whether the processing is necessary and appropriate, and identifies and reduces risks to individuals’ rights and freedoms.

Frontier AI systems


According to the Guardian, British banks will be given access in the next week to Anthropic’s latest AI tool, which is highly skilled at cybersecurity and hacking tasks and was deemed too dangerous to be released to the public. Advances in the capabilities of the Claude Mythos model have come with concerns about hackers using such tools to figure out passwords or crack encryption meant to keep data safe.

Anthropic, which has so far limited the release of the new model to a small clutch of primarily US businesses, including Amazon, Apple and Microsoft, said it would expand that to UK financial institutions. UK regulators are due to raise the issue of Mythos’s risks with bank bosses and government officials in the coming weeks. 

According to the presented results, Mythos can detect vulnerabilities faster and link them into complete exploits and attack chains. This can strengthen defences, but can also accelerate digital attacks. Defenders can deploy AI to detect vulnerabilities earlier and remedy them faster, but attackers with access to similar models will scale up investigation, identification, and exploitation as well. To that end, the Dutch National Cyber Security Centre suggests practical steps to adopt:

  • Explicitly incorporate AI developments into your security measures, particularly patch management; delaying action by days or weeks no longer fits the current threat landscape.
  • Anticipate attacks that occur faster, more automatically, and in larger numbers, for example, in the detection of anomalous behaviour in networks.
  • Maintain solid basic security and supplement it with appropriate additional measures, as attackers already use AI to improve and automate existing techniques.  

More official guidance

Secure database configurations: The German Federal Office for Information Security (BSI) has published a collection of secure configurations for database systems. It provides recommendations for optimally configuring encryption, authentication, authorisation, and other security-relevant aspects. It serves as a template for securely operating the database management systems MariaDB, MongoDB, and Weaviate. The repository is continuously being developed and will be expanded to include support for other database management systems.

Healthcare institutions’ data security audit: The Lithuanian State Data Protection Inspectorate VDAI carried out 10 scheduled audits of the security measures of healthcare institutions. Security checks related to access control, backup management, and event log management were assessed. As a result, several areas for improvement were identified:

  • Only 11% of institutions use multi-factor authentication (MFA).
  • Only 56% of institutions centrally store and encrypt log entries.
  • 67% of institutions have implemented automated alerts for suspicious events.
  • 78% of institutions have a log entry management policy and review it regularly.
  • 78% of institutions document backup and recovery procedures.

Pixel tracking: The French data protection authority CNIL has published the final version of its recommendations on tracking pixels in emails (in French). The tracking pixel is an alternative tracking method to cookies, usually implemented in the form of a tiny image (1 pixel by 1 pixel). Loading this image, whose address contains a user ID, tracks a user when they visit a page or read an email. This technique is used for personalising communication according to the interests of users, measuring the audience, improving the proper reception of emails, etc.

The recommendation specifies the cases in which consent will be required for the use of tracking pixels in emails and those which are exempt. It also specifies the procedures for withdrawing consent.  

In other news

Data breaches on the rise: The Estonian data protection agency provides an analysis of the data breach notifications it received in Q1 2026. One of the most insidious threats in today’s cyber landscape is data-stealing malware (e.g. RedLine, Vidar). It is often downloaded onto personal devices unintentionally, through illegal software, malicious ads, or fraudulent links generated using artificial intelligence. Data thieves don’t just limit themselves to passwords: they also steal session cookies, which allow attackers to bypass even multi-factor authentication by “hijacking” the active logged-in session.

If employees use personal devices to check work emails or access SaaS platforms like Slack or Salesforce, a single infected home computer can compromise the entire corporate network.

Illegal GPS tracking: The Slovenian Information Commissioner found that one of the providers of public utilities was continuously and indiscriminately collecting location data of employees, obtained through GPS transmitters installed in company vehicles, without clearly defining the purpose of the data processing. Employees were not properly informed about the scope and purpose of such tracking. Besides, the objectives could be achieved with less intrusive measures (e.g. manual entries, use of vehicle odometer data).

Employee computer monitoring: In a similar inspection procedure, a Slovenian regulator found that another employer’s covert surveillance (via Spyrix Employee Monitoring software) was carried out without a legal basis, without informing employees, and to an extent that exceeded the permissible limits of interference with privacy in the workplace, as it targeted the content of employees’ communication via private e-mail and completely private conversations. The regulator imposed a fine of 71,474 euros for the violations found.


Amazon multimillion fine annulled

The Administrative Court of Luxembourg has annulled a 746 million euro GDPR fine imposed on Amazon, citing procedural failings by the national regulator. Judges ruled that authorities did not properly assess the company’s level of fault before setting the penalty, the DigWatch news platform reports. The sanction was issued in 2021 by the national data protection commission over Amazon’s targeted ad system and appealed in March 2025. While the violations were upheld, the court found the regulator had failed to determine whether the conduct was intentional or negligent.

Other enforcement decisions

Access to an employee’s email after the end of employment: An employee can access messages on their company email account and documents stored on their computer after the end of their employment. Any restrictions must be justified by specific and proven reasons, such as protecting company secrets. This is what Italy’s ‘Garante’ established when it upheld the complaint of a former employee of an insurance company who had requested a copy of his company email messages and documents saved on his computer.

The company had accessed the former employee’s email and, after examining the contents, provided only the messages deemed “strictly personal,” excluding those related to work. According to the regulator, the right of access applies to all personal data, including communications exchanged through an individualised company account. Therefore, it is unlawful to pre-select the content to be provided, or to limit or obscure it based on the distinction between personal and professional contexts. For the violations identified, a fine of 50,000 euros was imposed.

Face recognition at the airport: Garante also declared the processing of biometric data of passengers at Milan Linate Airport using the facial recognition system “FaceBoarding” to be unlawful. The system was used to allow passengers to access the security-restricted area and board at the gate after registering at special kiosks or via an app and subsequently associating their face with their identification document and boarding pass. The system requires that the acquired biometric data be stored entirely centrally on the servers, preventing passengers from exercising exclusive control over their data.

And Finally


AI awareness: While almost half of internet users in Germany feel capable of recognising AI-generated content, in reality hardly anyone looks closely: only a minority have ever searched for inconsistencies in the image or checked the source (28% and 19%, respectively). Knowledge about potential fraud scenarios is also limited. Only 38 per cent believe it possible that cybercriminals could, for example, manipulate an AI program into transmitting sensitive data. Similarly, only 40 per cent consider it conceivable that criminals could insert invisible instructions for AI systems into documents.

In fact, both scenarios are technically possible.

Police data reach: US police have access to a wide range of databases that they can use to look up and misuse information about people. This can result in humiliating and bad decisions, sometimes causing long-term damage to people’s lives. In-depth research by Rights & Security International and Privacy International reveals the impact of this and argues for more effective limits on what kinds of personal information police can view, when, and why. The US is not alone in this trend. The UK and the EU are also expanding law enforcement’s data-access powers, introducing facial-recognition surveillance and proposing scanning of private messages, PI summarises.

Data protection digest 3 April 2026: abusive access request, human resources management & patient data in the cloud
https://techgdpr.com/blog/data-protection-digest-06042026-abusive-access-request-human-resources-management-patient-data-in-the-cloud/
Tue, 07 Apr 2026

Abusive data access request

The EU Court of Justice ruled that even a first personal data access request may be deemed abusive under the GDPR if it is made solely to generate compensation claims, allowing controllers to refuse such requests. An individual residing in Austria subscribed to the newsletter of a family-run optician company in Germany by entering his personal data in the registration form available on the company’s website. 

Thirteen days later, he sent a request for access under Article 15 of the GDPR. The company refused the request, considering it to be abusive. According to various reports and blog articles, the individual systematically subscribes to newsletters of various companies before submitting an access request and then a compensation claim. The individual maintained that his access request was legitimate and claimed compensation of at least 1,000 euros.


Main developments

Protecting children online: On 3 April, the Regulation on the Extension of Derogation from the ePrivacy Directive for the purpose of identifying Child Sexual Abuse Material (CSAM) online expired, digitalpolicyalert.org reports. The extension concerns an exemption from data protection regulations, which grants hundreds of providers offering number-independent interpersonal communication services, such as messaging services, the authority to use technologies for processing personal and other data to identify, report, and remove instances of online child sexual abuse on their platforms. In addition, providers must ensure that information regarding reports of detected online child sexual abuse submitted to authorities and the Commission is accessible in a structured format.

‘Legitimate interests’ analysis: The EDPB has published a One-Stop-Shop case digest on the legal basis of “legitimate interest”. It provides useful examples of how regulators analyse controllers’ reliance on this legal basis in specific contexts, providing positive and negative compliance examples. In particular, it explains and summarises how regulators apply the three-step test to assess whether a controller can lawfully rely on legitimate interests. Relevant cases before the CJEU and national courts are also mentioned. 

Back up!


On World Backup Day, 31 March, the German Federal Office for Information Security (BSI) called on consumers to back up important data. Data backup is not a complicated process: most operating systems guide users through the process. Nonetheless, only one-fifth of internet users regularly create backups. Backups can be performed in the cloud or on a physical storage medium, such as an external hard drive.

Those who opt for a physical storage medium should keep it in a different location than, for example, the source computer for the data being backed up.  

Human resources management

The CNIL has published a reference framework (in French) to help data controllers identify retention periods for their personnel management activities. This document is particularly useful for data protection officers and GDPR referents, but also for staff working in human resources departments or in the information systems department. The framework is organised by processing activity and includes:

  • recruitment;
  • administrative management of personnel;
  • compensation management;
  • the security of goods and people;
  • the management of professional vehicles;
  • listening to and recording telephone conversations in the workplace;
  • the management of collective labour relations;
  • the management of occupational accidents;
  • the management of litigation and pre-litigation;
  • the management of whistleblowing.

More official guidance

Cookies user guide: The Swiss regulator, FDPIC, has published a factsheet on the use of cookies (in English) that explains how users can retain control over their own data and minimise the digital footprint they leave behind while browsing. Although cookies and similar technologies can enhance the online browsing experience, for example, by saving the contents of a shopping basket or certain preferences, they can also enable third parties to track users’ online activities. 

AI red lines: The Future of Privacy Forum continues its series of publications on Red Lines under the EU AI Act. This time, it pays attention to the prohibition on biometric categorisation for “certain sensitive characteristics” to deduce or infer race, political opinions, trade union membership, religious or philosophical beliefs, etc. The risks associated with biometric categorisation also reflect broader concerns under EU data protection legislation, as sensitive characteristics may themselves constitute special categories of personal data under the GDPR. 

Previous analysis by FPF also looked at prohibition and emotion recognition in the workplace and educational institutions.

Health data in the cloud: More and more organisations are using cloud solutions for processing health data. The Dutch data protection authority AP has therefore published an updated and broadened version of its practice guide on patient data in the cloud. The practice guide now focuses not only on patient data within the treatment relationship, but on health data in a broader sense.

In other news

Police biometric data: A police authority may, in a criminal investigation, collect biometric data only where the collection is strictly necessary. The Maltese data protection agency looked at a recent ruling by the CJEU, which stated that the gathering of identification data may not be required systematically and that clear reasons must be given for it, failing which the criminal penalty laid down for refusing to consent to that gathering will be invalid.

In a related case, a person was detained in Paris for organising a demonstration without prior notice and for disobedience. While he was in police custody, he refused to consent to the gathering of identification data (fingerprints and photo). That refusal resulted in his being charged, even though he was acquitted of the offence forming the basis of the envisaged gathering of identification data. 

Credit information checks should be free of charge: The Finnish data protection ombudsman considers that the regular practice of the credit information company Dun & Bradstreet, in which a person has only been able to check their own credit information once a year free of charge, is not in accordance with data protection legislation. Customers had been regularly charged a fee if they had requested information more than once within a year. The company also had shortcomings in responding to requests for personal data.

According to the law, a fee can only be charged in situations where the request is manifestly unfounded or unreasonable, for example, if the same information is requested repeatedly. 


More enforcement decisions

OkCupid data sharing: In the US, the Federal Trade Commission is taking action against OkCupid and its affiliate Match Group Americas over allegations that it deceived users of its dating app by sharing their personal information, including photos and location information, with an unrelated third party, contrary to OkCupid’s privacy promises. OkCupid provided the third party with access to nearly three million OkCupid user photos as well as location and other information without placing any formal or contractual restrictions on how the information could be used.

The FTC also alleged that, since September 2014, Match and OkCupid took extensive steps to conceal their wrongdoing, including by trying to obstruct the FTC’s investigation.

Unauthorised access to banking information: The Italian data protection authority Garante has fined Intesa Sanpaolo 31.8 million euros for serious shortcomings in personal data security. The investigation found that an employee accessed, without justification, the banking information of 3,573 customers, making over 6,600 inquiries between February 21, 2022, and April 24, 2024. These unauthorised accesses were not detected by internal control systems, highlighting significant weaknesses in the monitoring and prevention mechanisms. 

And Finally


Wearables: The Swiss FDPIC has published practical advice on smartwatches and fitness trackers, which monitor your physical activity and bodily functions and are now widely used. Smart glasses, which make it easy to take and share photos and videos, are also gaining in popularity. As all these body-worn devices pose a particular threat to privacy, users should exercise particular caution when using them.

Before making their choice, buyers should check how the manufacturer has configured it and whether the product allows for privacy-friendly settings, where collected data is stored, and whether the processing of such data is comprehensible overall.

Fraudulent websites: Reportedly, phishing remains one of the largest forms of online crime. To better protect internet users against this, several Dutch public and private parties have jointly tested a new approach. The so-called Anti Phishing Shield demonstrates that the approach works: since the start of the pilot in July 2025, over two million attempts to visit phishing and fraudulent websites have been blocked among a group of over 200,000 users. Internet providers can easily connect to the tool and use it to protect their customers, and users must give their prior explicit consent via a so-called ‘opt-in’.

Read the original publication to see how the Anti Phishing Shield works.

Is an IP address considered personal data?
https://techgdpr.com/blog/is-an-ip-address-considered-personal-data/
Tue, 24 Mar 2026

The concept of personal data lies at the heart of the General Data Protection Regulation (GDPR), shaping the scope of its protections and obligations. Among the most debated examples of such identifiers are IP addresses. While often perceived as neutral technical data, regulatory authorities and courts within the European Union have clarified that IP addresses can constitute personal data when they enable identification, directly or indirectly. Understanding why IP addresses fall within the GDPR’s scope requires examining legal interpretation, regulatory guidance, and practical realities of online data processing.

What qualifies as personal data?

Article 4.1 of the GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

The EDPB explicitly identifies IP addresses as personal data because of their ability to identify individual data subjects. If an IP address is successfully anonymised, then under the GDPR it is no longer considered personal data.

The French Data Protection Authority (CNIL) ruled on a case dealing with the transfer of personal data to a company outside the EU. In the decision, the CNIL wrote:

“It should be noted that online identifiers, such as IP addresses or information stored in cookies can commonly be used to identify a user, particularly when combined with other similar types of information. This is illustrated by Recital 30 GDPR, according to which the assignment of online identifiers such as IP addresses and cookie identifiers to natural persons or their devices may “leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.” In the particular case where the controller would claim to not have the ability to identify the user through the use (alone or combined with other data points) of such identifiers, he would be expected to disclose the specific means deployed to ensure the anonymity of the collected identifiers. Without such details, they cannot be considered anonymous.”

What is an IP address?

An IP address is a numeric label that identifies a device attached to the Internet and determines how that device sends and receives information over it. The two main formats are IPv4 and IPv6. Originally, IPv4 was the sole way of identifying devices, but it does not provide as many unique addresses as are needed in the modern age.

IPv4 addresses take the form xxx.xxx.xxx.xxx, where each group is a decimal number. IPv6 addresses are written in hexadecimal (e.g. 2001:db8::ff00:42:8329), so each digit can be 0-9 or A-F. Static IP addresses are constant, while dynamic IP addresses can change over time. IP addresses can be used to single out devices and to locate them.

The GDPR perspective on IP addresses 

The GDPR explicitly includes “online identifiers” (e.g., IP addresses) as personal data when they can identify a person. Even if the controller doesn’t hold the identifying data itself, if there are means reasonably likely to be used (e.g., legal processes to get ISP logs) to link an IP to a person, then it qualifies as personal data. This logic comes from the CJEU case Breyer (C-582/14). The CJEU relied on Recital 26 of the GDPR, which states that “to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.”

IP addresses can be personal data if the controller has legal means to obtain, via an ISP, the additional information needed to identify someone. This follows from the objective possibility of identifying a data subject: under the GDPR the question is not whether identification is probable or has actually happened, but whether it is objectively possible. Given an IP address, it is possible to identify an individual. EDPB decisions affirm that online identifiers like IP addresses are often treated as personal data because they can be combined with other information to profile or identify a data subject.

Personal data vs PII 

Personal data, in the context of the GDPR, covers a much wider range of information than personally identifiable information (PII), commonly used in North America. In other words, while all PII is considered personal data, not all personal data is PII. For more information about PII vs personal data, read our blog post on the matter. 

Device IDs, IP addresses and cookies are considered personal data under the GDPR. Under the definition of PII, however, they are not PII, because on their own they cannot be used to identify or trace a person.

PII includes any information that can be used to re-identify anonymous data. Information that is anonymous and cannot be used to trace the identity of an individual is non-PII. Device IDs, cookies and IP addresses are not considered PII in most of the United States, but some states, like California, do classify this data as PII. California classifies aliases and account names as personal information as well.

Controllers must treat IP addresses as personal data

For organizations, this means IP addresses cannot be treated as neutral technical data. Controllers must:

  • Identify a lawful basis for processing (e.g. consent, legitimate interest, contract performance).
  • Provide transparency in privacy notices, clearly explaining why IP addresses are collected, who receives them (e.g., third-party providers), and how long they are retained.
  • Apply data minimisation and storage limitation, ensuring IP data is only collected when necessary and retained for no longer than required.

In practice, this is highly relevant when embedding third-party services such as Google Fonts or analytics tools. Whenever a website loads resources from Google servers, the user’s IP address is transmitted to Google by default. Even when using Google Analytics with IP anonymisation enabled, the IP address is initially collected before truncation. The anonymisation feature represents a commitment by Google not to further process the full IP address, but technically, the IP is still transmitted during the request phase. From a strict GDPR perspective, this transmission itself constitutes processing.

ePrivacy Directive 

IP address collection via cookies or similar tracking technologies also engages the ePrivacy Directive. Where IP processing is linked to tracking or storing information on a user’s device, prior consent is generally required unless the processing is “strictly necessary” for providing the requested service. This creates a dual compliance requirement: organizations must assess both a GDPR lawful basis and ePrivacy consent obligations.

Anonymisation, pseudonymisation & risks

Pseudonymisation can reduce risks and demonstrate accountability, but it does not remove GDPR applicability. Organisations must still implement appropriate technical and organisational safeguards. To pseudonymise an IP address, the address has to be obscured. This is often done by truncation:

  • For IPv4 addresses, the last segment is replaced with a zero or removed.
    • Example: 123.456.789.123 → 123.456.789.0
  • For IPv6 addresses, a similar approach is applied, truncating the last portion of the address.

Guidance from the European Data Protection Board makes clear that true anonymisation must be irreversible. Simple IP truncation or masking is typically considered pseudonymisation, not anonymisation, because re-identification may still be possible, especially when the truncated address is combined with other data points. Truncation reduces identifiability, but in most cases it constitutes pseudonymisation, meaning GDPR obligations still apply. Simply put: IP truncation is a risk-reduction measure, not true anonymisation under GDPR standards, unless re-identification is demonstrably impossible.

Real-world examples

  • Analytics and server logs: IP addresses used for traffic analysis remain personal data.
  • Security and abuse detection: Legitimate interest may apply, but retention must be limited.
  • Advertising and profiling: IP-based tracking combined with cookies generally requires prior consent and careful transparency measures.

Conclusion 

Under the GDPR, personal data encompasses far more than obvious identifiers such as names or identification numbers. It includes any information that can reasonably be linked to an individual. IP addresses, whether static or dynamic, fall within this definition when identification is objectively possible, even if it is indirect or requires additional data from third parties. Reach out to TechGDPR for any help with understanding the nuances of data protection legislative requirements.

Data protection digest 3-18 Mar 2026: Proposed EU Biotech Act strengthens clinical trial participants’ rights
https://techgdpr.com/blog/data-protection-digest-20032026-proposed-eu-biotech-act-strengthens-clinical-trial-participants-rights/
Fri, 20 Mar 2026 09:16:26 +0000

EU Biotech Act

The EDPB and EDPS adopted a Joint Opinion on the European Commission’s Proposal for a European Biotech Act. It aims to strengthen Europe’s biotechnology and biomanufacturing sectors, including streamlining the regulatory framework and updating the rules for clinical trials (in the form of proposed amendments to the Clinical Trials Regulation). The privacy regulators welcome the aim to establish a single legal basis for the processing of personal data by sponsors and investigators in the context of clinical studies. The opinion provides several recommendations to ensure that the proposed simplifications do not lower the level of protection for clinical trial participants:

  • Clarifying the controller roles of the actors involved in funding and conducting clinical trials, jointly and severally
  • Limiting data retention for various personal data collected throughout the clinical trial (except master files storage requirements)
  • Further processing for other clinical trials and scientific research
  • Coherence with the AI Act
  • Appropriate technical and organisational measures (the use of pseudonymisation)
  • Regulatory sandboxes

Main developments 

Transparency enforcement action: On 18 March, the EDPB launched its Coordinated Enforcement Framework (CEF) action for 2026. Following a year-long coordinated action on the right to erasure in 2025, the CEF’s focus this year will shift to compliance with the obligations of transparency and information under the GDPR. The GDPR ensures that individuals are informed when their data is being processed (under Art. 12, 13 and 14). This right to be informed is a core element of transparency and ensures that individuals have more control over their data. Participating authorities will soon contact controllers from different sectors across Europe.

European Blockchain sandbox: The European Commission has published the results of the third edition of the ‘European Blockchain Sandbox’, an initiative in which European data protection agencies participate along with other authorities. Following the publication of the selected projects, which cover all EU/EEA regions and represent a wide range of sectors and issues, and once the stage of confidential regulatory dialogues is completed, a report of good practices will follow, as in the first two editions.

Other legal updates

Data Brokers EU study: The Belgian data protection agency and the EDPB commissioned a study to gain greater insights into the ecosystem of data brokerage. In particular, several types of data brokers and providers were identified: personal data brokers, AI platforms integrating personal data, business data brokers, data pools and cleanrooms, data marketplaces, self-generated data providers, data brokers with user control, and aggregated data providers with re-identification risk.

The study shows that the data broker and provider market in Belgium is highly diverse, with varying levels of risk associated with the use of personal data. More than 40 data brokers and providers active in Belgium were identified in the study.

Big Tech compliance with the EU DMA: The gatekeepers designated in 2023, Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft, have submitted reports on their updated compliance measures under the Digital Markets Act (DMA), outlining the changes they have implemented and the measures they have taken during the past year. The gatekeepers also submitted to the Commission updated, independently audited reports on consumer profiling techniques. The public versions of the updated compliance reports will shortly be published.

US privacy laws development: DLA Piper publishes a list of recently introduced comprehensive privacy bills, state by state (Alabama, Arizona, Iowa, Illinois and more). They reflect a continued trend toward expanding individual privacy rights and creating new compliance obligations for businesses that collect and process personal data, including consent requirements, data minimisation, data brokers, child data, geolocation, biometrics and other types of sensitive data.

More from supervisory authorities

Age assurance guide: The Australian Information Commissioner (OAIC) has published new guidance on age assurance technologies to assist entities in ensuring Australians’ privacy is protected when they encounter age checks online. Three months on from the commencement of the Social Media Minimum Age (SMMA) scheme, the OAIC has observed significant growth in age checks taking place in Australia to allow people access to other online services. The guidance calls on entities to: 

  • establish whether age checks are needed and take a privacy-by-design approach
  • undertake due diligence to ensure the security of the entity’s age assurance ecosystem
  • assess risk and choose age-assurance methods that are proportionate and data minimising
  • ensure clear consent requests are used for the collection of sensitive information (such as biometric templates) or for secondary use or disclosure
  • be transparent in privacy notices and ensure meaningful support is available to individuals, through simple and easy to access complaints processes

IT security in the health sector: The IT security of software products in the healthcare sector has room for improvement. This is a recent conclusion reached by Germany’s Federal Office for Information Security (BSI) after testing the standard configurations of various healthcare software products. As part of the project, four exemplary practice management systems (PMS) were examined for vulnerabilities using penetration tests. The results included a lack of encryption for data transmission and the use of outdated, and therefore insecure, encryption algorithms.

AI systems monitoring criteria

AI outputs are typically non-deterministic, meaning the AI may exhibit a range of behaviours under the same input conditions. To that end, America’s NIST publishes a much needed analysis of post-deployment AI system monitoring aimed at improving their reliability. The study introduces six monitoring categories to support a more organised discussion:

  • Functionality: Does the system continue to work as intended? 
  • Operational: Does the system maintain consistent service across its infrastructure? 
  • Human Factors: Is the system transparent to humans and of high quality?
  • Security: Is the system secure against attacks and misuse? 
  • Compliance: Does the system adhere to relevant regulations and directives? 
  • Large-Scale Impacts: Does the system promote human flourishing?

Web filtering proxy

The French privacy regulator CNIL promotes cybersecurity solutions that comply with the GDPR, both in their use and in their design. To this end, it publishes a recommendation to support users and providers of filtering web proxies – a device or service used to secure internet access by filtering web content for security and compliance reasons. Web filters can help meet the data security obligation (Art. 32 of GDPR). However, they are themselves based on data processing that must also be ensured to comply with the GDPR. CNIL recommendations aim in particular to inform data controllers:

  • on compliance with the principles of the GDPR in the use of a web filtering proxy, including the determination of a legal basis, the minimisation of the data collected, the retention periods and the respect of the exercise of rights by the data subjects;
  • on the points of attention relating to the use of HTTPS decryption and the implementation of a list of exceptions;
  • on the deployment modalities;
  • on the security of the access filtering and logging solution.

In other news

Account deletion and purchase history: The Privacy Commissioner of Canada has issued its findings in an investigation into complaints against Loblaw Companies (the biggest Canadian food retailer) related to the PC Optimum Loyalty Program. Several complainants alleged that Loblaw did not delete their PC Optimum accounts after they requested it, and/or that it had not responded to inquiries about their deletion requests.

The investigation found that, while Loblaw had mechanisms in place for customers to request an account deletion or to raise privacy concerns, it took an unreasonable amount of time to address the requests, and also failed to respond to some privacy-related inquiries. The investigation also found that Loblaw retained PC Optimum members’ purchase history after their account had been deleted, and that the removal of personal identifiers such as names and email addresses was an insufficient measure to have in place.

Age assurance technology fine: The Spanish AEPD fined Yoti 950,000 euros following an investigation into its role as an intermediary in identity and age-verification processes. The fine includes 500,000 euros for processing special category biometric data without a valid exemption under Article 9 of the GDPR, 200,000 euros for obtaining consent for research and analytics through pre-ticked boxes in breach of Article 7, and 250,000 euros for retaining data, including biometric and geolocation information, for longer than necessary in violation of the storage limitation principle under Article 5(1). 

The AEPD required Yoti to demonstrate within six months that its processing of biometric data, consent mechanisms, and data retention practices comply with the GDPR, digitalpolicyalert.org reports.

More enforcement decisions

Amazon Italy ban: The Italian Data Protection Authority Garante ordered Amazon Italia Logistica to immediately stop processing the personal data of more than 1,800 employees at its Passo Corese (RI) site. The ban concerns workers’ sensitive information, which Amazon systematically collected and stored throughout their employment and retained for up to ten years after they left the company, using an internal platform linked to the attendance tracking system and accessible to numerous managers.

The information was recorded on the platform following interviews conducted when employees returned from periods of absence. It included details about medical conditions such as Crohn’s disease, herniated discs, and pacemaker implants, as well as participation in strikes and trade union activities. In some cases, notes referred to alleged misuse of leave. Personal and family matters were also documented, including references to a terminally ill parent, a sibling with brain cancer and marital separations, according to the Maltese data protection agency analysis.

Intesa Sanpaolo fine: Garante also fined Intesa Sanpaolo 17.628 million euros for unlawful personal data processing. Intesa Sanpaolo had profiled approximately 2.4 million customers identified as “predominantly digital customers” through automated processing of personal data, including age, use of digital channels, absence of investment products, and financial balances below 100,000 euros. This profiling lacked a valid legal basis. The regulator determined that informed consent under Article 6(1) of the GDPR was the only applicable legal basis, and that such consent had not been obtained, digitalpolicyalert.org sums up. 

Foreign service providers and the choice of jurisdiction

A DLA Piper analysis looks at a case in California demonstrating the expanding reach of personal jurisdiction over foreign companies operating online platforms. It relates to an appellate court’s decision to reverse a district court’s dismissal of a class action against an Estonian software company for lack of personal jurisdiction. The plaintiffs brought a class action in the Northern District of California against 3Commas Technologies, an Estonian private limited company that provides software services for cryptocurrency trading, based on an alleged data breach. 

In the above case, the foreign company collected IP addresses, billing addresses, and location data that could reveal users as California residents, contacted them, and interacted with them for cryptocurrency trades. The appeal court also decided that including specific references to California privacy rights can be construed as evidence of intentionally targeting California consumers. Finally, the choice of law and forum selection clauses in vendor contracts may be used as evidence, too.

And Finally

Data altruism: The French CNIL also publishes FAQs on Recognised Data Altruism Organizations in the EU. The Data Governance Regulation (DGA) creates an EU-recognised Data Altruism Organisation (DAO) status. These altruistic organisations voluntarily share data for general interest and non-profit purposes. In particular, Article 18 of the DGA sets out the various general conditions for registration:

  • conducts altruistic data activities
  • be a legal person pursuing objectives of general interest under national law
  • operates on a not-for-profit basis and is legally independent of any entity operating for profit
  • conducts its data altruism activities through a structure that is functionally separate from its other activities
  • complies with a set of common European rules, known as the ‘compendium of rules’, in a transparent, secure and interoperable manner 

AI agents and data security: A Krebs on Security blog post looks at AI-based assistants, autonomous programs that have access to the user’s computer, files and online services and can automate virtually any task. Their popularity is growing in particular among developers and IT workers. These powerful new tools are rapidly shifting the security priorities for organisations, while blurring the lines between data and code, and between trusted co-worker and insider threat. The article explains various vulnerabilities for users, including the case where exposing a misconfigured AI agent web interface to the Internet allows external parties to read the bot’s complete configuration file, including every credential, from API keys and bot tokens to signing keys. Another experiment showed how easy it is to carry out a successful supply chain attack through a public repository of downloadable “skills” that allow AI agents to integrate with and control other applications.

Data protection digest 18 Feb – 2 Mar 2026: ‘Conditional Consent’ for meaningful user control over cookie preferences
https://techgdpr.com/blog/data-protection-digest-04032026-conditional-consent-for-meaningful-user-control-over-cookie-preferences/
Wed, 04 Mar 2026 10:03:33 +0000

Conditional consent vs cookie fatigue

On 10 February, the EDPB and EDPS, in a joint opinion, strongly welcomed the regulatory solution to address cookie fatigue and the proliferation of consent banners. This follows the European Commission’s proposal to switch to automated, machine-readable indications of data subjects’ choices under the Digital Omnibus package. The EU regulators welcome that, pursuant to the proposed Article 88b of the GDPR, harmonisation standards will be developed.

Such standards should cover the communication of data subjects’ choices, from browsers to websites, from mobile phone applications to web services, and ensure that all involved actors use the same automated machine-readable indications and are not simply repackaging consent in a new technical format. 

Anticipating the need of data controllers and browser providers in the near future to be able to accept and enable automated signals, TechGDPR publishes Conditional Consent, an open concept paper proposing what automated signalling should look like for meaningful user control, based on three dimensions:

  • Cookie purpose
  • Website category
  • Third-party processing

The concept paper contains the main principles, legal basis and exceptions, technical specifications, along with a comparison with existing tools, and a proposed implementation solution, all available at conditionalconsent.com.

Main developments 

Prohibited AI practices: A Future of Privacy Forum analysis draws “red lines” under prohibited practices in the new EU AI Act. They concern harmful manipulation and deception, social scoring, individual risk assessment, untargeted scraping of facial images, emotion recognition, biometric categorisation, and real-time remote biometric identification for law enforcement. Prohibited AI practices are regulated by Article 5 of the AI Act, which became applicable in February 2025. In addition, starting on 2 August 2025, this provision also became enforceable.

AI-generated images: The EDPB has signed a Joint Statement on AI-Generated Imagery and the Protection of Privacy. The statement, coordinated by the Global Privacy Assembly, represents the united position of 61 authorities across the world. The statement addresses serious concerns about AI systems that generate realistic images and videos depicting identifiable individuals without their knowledge or consent. The co-signatories are especially concerned about potential harm to children and other vulnerable groups, such as cyber-bullying and/or exploitation. Fundamental principles should guide all organisations developing and using AI content generation systems, including:

  • Implement robust safeguards to prevent the misuse of personal information.
  • Ensure meaningful transparency about AI system capabilities, safeguards, acceptable uses and the consequences of misuse. 
  • Provide effective and accessible mechanisms for individuals to request the removal of harmful content involving personal information and respond rapidly to such requests. 
  • Address specific risks to children through implementing enhanced safeguards and providing clear, age-appropriate information to children, parents, guardians and educators.

Digital Omnibus legal study

The European Parliament published a study identifying interlinks and possible overlaps between different legal acts in the field of digital legislation. It analyses the European Commission’s Digital Omnibus package proposals published on 19 November 2025, distinguishing administrative simplification from more substantive recalibration of safeguards across data, privacy, cybersecurity and AI areas. The study highlights key areas of controversy (legal certainty, enforcement capacity, and impacts on rights) and sets out areas for consideration for parliamentary scrutiny, including:

  • Debate over the definition of personal data in the GDPR
  • Integrating ePrivacy into GDPR (cookie fatigue)
  • Concerns about restricting data access rights
  • Data Act consolidation
  • Centralised incident notification submission SEP
  • AI timelines, burden reduction and centralisation.

Ransomware statistics

In 2025, 65 ransomware incidents were reported to the police in the Netherlands. Incident response companies responded to 40 incidents. Access is usually gained through exploiting vulnerabilities and account takeovers. In a ransomware attack, computer systems and data are locked using malicious software; hard drives, databases, backups, USB drives and cloud data can all be affected. The victim is then blackmailed: the attacker offers the unlock code in exchange for payment.

Reporting the incident is crucial if you, as a business or individual, have been a victim of ransomware. Even if the criminals have already been paid, filing a report provides the police with vital information. A report can contain missing information that police can use to unlock the system. It also helps them identify suspects. 

More from supervisory authorities

GDPR survey in Germany: The North Rhine-Westphalia data protection commissioner has used a recent survey by the business association Bitkom as an opportunity to reject discussions about the complete or partial centralisation of data protection supervision.

The survey of 603 companies clearly shows that businesses in the state primarily view data protection laws as too complicated. 85 % of the companies surveyed in Germany want more understandable data protection regulations. 79 % are calling for a reform of the GDPR, and 69 % demand better coordination with other regulations. 

Just 33 % believe that decision-making processes would be faster within a federal agency, while 44 % are concerned about losing proximity to their local supervisory authority and thus a direct contact person (which implies the need for additional staff to handle a sharply increasing number of complaints and consultation services). 

Session replay tools: The French data protection regulator CNIL is launching a public consultation on its draft recommendation concerning session replay tools that allow the monitoring and analysis of users’ online behaviour. The objective is to support the actors who design these tools and those who use them in their compliance. Session replay tools are used to reconstruct the complete browsing path of an Internet user on a website or a mobile app. They can, for example, be used to detect and fix bugs or optimise the structure or ergonomics of a website or mobile application. 

More official guidance

GDPR certification criteria: The North Rhine-Westphalia data protection commissioner also approved a nationwide catalogue (available in English and German) of criteria for IT solutions. Companies that meet these criteria will receive a certificate confirming their compliance with European data protection law, which they can then use for advertising purposes. The catalogue was developed by TÜV Nord Group. This is the third such approval issued by the NRW regulator.

Specifically, it addresses so-called information processing services – online banking, accounting, and AI systems, as well as search engines. The certification process, conducted by a specialised certification body, typically involves a detailed audit of the processing operations within the respective company. This audit verifies the technical and organisational measures in place, as well as compliance with the principles of the GDPR. 

Health screening campaigns via phone are possible: In Italy, the data protection authority Garante has approved the use of telephone numbers for screening, provided that adequate safeguards are respected. Healthcare companies may use adult patients’ telephone numbers, provided during previous healthcare services, to promote participation in screening campaigns required by national or regional regulations, even if the information request did not expressly state this purpose at the time the data was collected.

Specifically, healthcare companies will be required to update their privacy information, specifying that the most recent contact details collected for treatment purposes, subject to verification of their accuracy, may be used exclusively for the promotion of public prevention programmes and not for other purposes (for example, scientific research or administrative activities).

In other news

Employee data access rights: The LewisSilkin legal blog analyses a recent decision from the French Court of Appeal, which confirmed that employees cannot rely on their right of access to obtain copies of entire work email correspondence or business files, merely because their name or email address appears in them. Where the material contains no substantive personal data beyond identifying information, the right of access does not extend to wholesale document disclosure.

Furthermore, the right of access cannot be seen as a litigation discovery mechanism (e.g., employee dismissal as it appears in the above case). The court decision also reflects the ICO guidance on the Right of Access.  

Reddit fine: In the UK, Reddit was fined 14.47 million pounds for children’s privacy failures. The Information Commissioner’s investigation found that Reddit did not apply any robust age assurance mechanism. The company did not have a lawful basis for processing the personal information of children under the age of 13. It also failed to carry out a data protection impact assessment to assess and mitigate risks to children before 2025. In the past year, Reddit introduced age assurance measures that include age verification to access mature content and asked users to declare their age when opening an account. The commissioner once again informed Reddit that relying on self-declaration presents risks to children, as it is easy to bypass. 

Samsung consent case: The Texas Attorney General reached an agreement with Samsung Electronics America, concerning the collection of Automated Content Recognition (ACR) viewing data from Texas consumers through Samsung smart televisions. Under the agreement, Samsung must cease collecting or processing ACR viewing data without obtaining Texas consumers’ express consent and must update its smart televisions to implement clear and conspicuous disclosures and consent screens, digitalpolicyalert.org reports.

More enforcement decisions

Ransomware attack followed by privacy fine: In Spain, the data protection agency AEPD fined Sprinter Megacentros del Deporte (a sporting goods retailer) 2.6 million euros for a data breach, DataGuidance reports. A ransomware attack encrypted systems and exfiltrated data, affecting 6.3 million individuals. Notification of the data breach to data subjects was also not delivered ‘without undue delay’ and lacked specific mitigation information.

Biometric data fine: The Italian Garante has fined eCampus University 50,000 euros for unlawfully processing the biometric data of numerous participants in its online courses. The investigations revealed the lack of a suitable legal basis to justify the use of biometric systems, especially given the availability of less invasive tools.

It also emerged that the University had not conducted a data protection impact assessment before implementing the system. The violations affected a very high number of participants, over 450 students for each lesson.

Data processing agreement fine: The Polish data protection authority UODO has fined DPD Polska more than 2.75 million euros after finding serious failures in how the courier company structured its relationships with external carriers, according to an analysis by grcreport.com. These carriers participated in loading and unloading parcels and had access to address labels containing personal data. In some cases, shipments were transported in vehicles not owned by DPD Polska and for which it had no other legal basis. Despite this third-party access, the company did not conclude personal data processing agreements with the carriers.

GDPR does not prevent authorities from being notified of social fraud

The Danish data protection regulator, Datatilsynet, explains that the GDPR does not contain a general prohibition on disclosing information to public authorities. On the contrary, the rules allow data to be disclosed when there is a lawful basis for processing. This may be if the disclosure is necessary to comply with a legal obligation. The question of whether, for example, an insurance company may or must disclose information on possible fraud to a public authority, therefore, depends on the specific legal basis in national legislation, including rules on confidentiality and sector-specific regulations. 

And Finally


AI models and GDPR audit tool: The French CNIL, together with other actors in the digital data domain (the ANSSI, the PEReN and Inria), is launching a call for expressions of interest to test an audit tool called PANAME, which makes it possible to assess the confidentiality of AI models and their compliance with the GDPR. The project aims to develop a tool to audit the privacy of AI models; it will take the form of a library for performing data extraction and/or re-identification tests on AI models.

For more than a decade, research has shown that it is possible to extract data that was included in the training dataset, including personal data, from an AI model. This extraction can be carried out via:

  • statistical techniques at the model level, given full or partial access to the model, or
  • in the case of generative AI, direct querying of the model by instruction (prompt).

AI geolocation: Privacy International explains that one of the most concerning capabilities of the newest AI systems is inferring geographic location from images. Vision‑Language Models (VLMs) can now determine where in the world a given photo was taken with striking speed and accuracy. Most people are unaware that widely accessible AI tools can identify the location of their personal photos, even when Global Positioning System (GPS) metadata has been removed. Inferring location from images without GPS data may support beneficial activities, such as robotics development or investigative journalism, but such capabilities are not free of privacy risk.

The post Data protection digest 18 Feb – 2 Mar 2026: ‘Conditional Consent’ for meaningful user control over cookie preferences appeared first on TechGDPR.

Data protection digest 3-17 Feb 2026: When using anonymisation for deletion, controllers have differing degrees of success – EDPB
https://techgdpr.com/blog/data-protection-digest-19022026-when-using-anonymisation-for-deletion-controllers-have-differing-degrees-of-success/ (Thu, 19 Feb 2026 09:54:35 +0000)

The post Data protection digest 3-17 Feb 2026: When using anonymisation for deletion, controllers have differing degrees of success – EDPB appeared first on TechGDPR.

Data deletion requests

Throughout 2025, 32 supervisory authorities across the EU/EEA launched coordinated investigations into controllers’ compliance with the right to erasure under the GDPR. Now, the EDPB has published a report of the findings. As the right to deletion is not absolute, some controllers face difficulties in assessing and applying the conditions for exercising this right, including in conducting the balancing tests between the right to erasure and other rights and freedoms. Many regulators raised concerns regarding controllers not having:

  • an internal procedure or practice in place to handle erasure requests, or having an incomplete or irregularly reviewed procedure;
  • specific procedures and measures to handle erasure requests in the context of back-ups;
  • staff training;
  • information provided to data subjects;
  • legal certainty on the exceptions to deny erasure requests; and
  • data retention periods, etc.

Multiple regulators found that controllers relying on anonymisation for deletion have varying degrees of success in correctly implementing it. In some cases, they only apply basic pseudonymisation or partial masking, although such a process would not fulfil the requirements of the GDPR regarding deletion.
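As an added illustration that is not part of the EDPB report or of this digest, the following Python contrasts the two shortcuts the regulators criticise, hashing an identifier and partially masking it, with a generalisation step that actually breaks the link to the individual. It also includes the check a controller could run on its own output: whether a reference list of still-known addresses re-identifies the "deleted" records, and how many records share each remaining combination of attributes (the k of k-anonymity). The customer records and the reference list are constructed sample values, and the 10-year age band / two-digit postcode generalisation is an assumed choice, not one prescribed by the report.

```python
import hashlib
from collections import Counter

# Constructed sample customer records (not real people).
RECORDS = [
    {"email": "alice@example.com", "age": 34, "postcode": "10115"},
    {"email": "bob@example.com", "age": 37, "postcode": "10117"},
    {"email": "carol@example.net", "age": 52, "postcode": "80331"},
    {"email": "dave@example.net", "age": 58, "postcode": "80333"},
]

# Constructed reference list: addresses the controller (or anyone holding an
# old export) still knows. A plain hash offers no protection against such a list.
KNOWN_EMAILS = ["alice@example.com", "bob@example.com", "zoe@example.org"]


def pseudonymise_hash(record):
    """Shortcut 1: replace the email with its SHA-256 digest.
    Same input -> same digest, so the record stays linkable (pseudonymous)."""
    out = dict(record)
    out["email"] = hashlib.sha256(record["email"].encode()).hexdigest()
    return out


def partial_mask(record):
    """Shortcut 2: keep the first character and the domain, mask the rest.
    The visible remainder still points at one person."""
    local, domain = record["email"].split("@", 1)
    out = dict(record)
    out["email"] = local[0] + "***@" + domain
    return out


def recover_from_reference(hashed_records, known_emails):
    """Re-identification check: recompute digests for the reference list and
    count how many 'deleted' records are matched back to a known address."""
    lookup = {hashlib.sha256(e.encode()).hexdigest(): e for e in known_emails}
    return sum(1 for r in hashed_records if r["email"] in lookup)


def anonymise(record):
    """Drop the direct identifier and generalise the quasi-identifiers
    (assumed choice: age -> 10-year band, postcode -> first two digits)."""
    return {
        "age_band": f"{record['age'] // 10 * 10}s",
        "region": record["postcode"][:2],
    }


def min_group_size(records, keys):
    """k of k-anonymity: the smallest number of records sharing one
    combination of the given attributes. k == 1 means someone is singled out."""
    groups = Counter(tuple(r[k] for k in keys) for r in records)
    return min(groups.values())


if __name__ == "__main__":
    hashed = [pseudonymise_hash(r) for r in RECORDS]
    masked = [partial_mask(r) for r in RECORDS]
    anon = [anonymise(r) for r in RECORDS]
    print("hashed records recovered via reference list:",
          recover_from_reference(hashed, KNOWN_EMAILS))
    print("smallest group, masked (email):", min_group_size(masked, ["email"]))
    print("smallest group, hashed (age, postcode):",
          min_group_size(hashed, ["age", "postcode"]))
    print("smallest group, anonymised (age_band, region):",
          min_group_size(anon, ["age_band", "region"]))
```

On the sample data the hashed records are recovered from the reference list, and both shortcuts leave every record in a group of one, which is exactly the "singled out" state the deletion obligation is meant to end; only the generalised output reaches a group size above one. On real data the controller would have to consider all remaining attributes jointly and pick a k appropriate to the risk, which is the assessment the report describes controllers handling with varying success.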


Interestingly, the majority of the polled controllers (out of 764) had not received a single request for erasure in the last two years. While controllers were often chosen because they were in particular situations (processing sensitive data, processing a very large amount of data, etc.), about 70% of controllers still received fewer than 10 requests per year. Also, it appears that certain profiles are less likely to exercise their rights (e.g., applicants in public services, citizens toward public services, contractors, or job applicants/employees) while others seem less hesitant to do so (e.g., potential customers).

Main developments 

Digital omnibus and GDPR simplification: The EDPB and EDPS issued a long-awaited statement on simplification of the digital legislative framework in the EU. Among many things, they advised against the proposed changes to the definition of personal data. The changes go far beyond a targeted modification of the GDPR, a ‘technical amendment’ or a mere codification of CJEU jurisprudence.

Defining what is no longer personal data directly affects and narrows the scope of application of EU data protection legislation and should not be addressed in an implementing act, say the regulators. The full opinion in the context of GDPR, AI Act, and ePrivacy Directive can be read here.

UK data reform: Meanwhile, in the UK, on 5 February, the main provisions of the Data Use and Access Act 2025 came into force, amending the UK GDPR and the Data Protection Act 2018. These include: a new ‘recognised legitimate interests’ legal basis for data controllers, cookie consent exemptions, data reuse permissions, the use of automated decision-making, more relaxed international transfers of personal data, and in some cases limits on data subject access requests, etc.

Age-appropriate code design


On February 5, South Carolina signed Age-Appropriate Code Design into law, after it was previously adopted by California, Maryland, Nebraska, and Vermont. According to JD Supra analysis, covered online services must exercise “reasonable care” in the use of a minor’s personal data and the design and operation of the covered online service. This includes features that:

  • decrease minors’ time and activity on the service to prevent compulsive usage, severe psychological harm, and privacy intrusions;
  • opt minors out of “personalisation recommendation systems” by default;
  • set personal data settings to the highest level of protection by default; and
  • collect, use, share, or retain the minimum amount of a minor’s personal data “necessary” to provide the specific elements of the covered online service, etc.

More from supervisory authorities

DPO role: Under EU law, all EU institutions, bodies, offices and agencies (EUIs) are required to appoint a data protection officer (DPO). To strengthen the effectiveness and independence of this function, the EDPS has adopted two key documents clarifying the role and protection of DPOs within EUIs: 

They provide practical and up-to-date guidance on the designation of DPOs, their institutional positioning, the guarantees of independence attached to the function, and the responsibilities entrusted to them. 

Cybersecurity exercise: ENISA offers a methodology providing an end-to-end theoretical framework for planning, running and evaluating cybersecurity exercises. It ensures the right profiles and stakeholders are involved at the right time, and provides theoretical material based on lessons identified, industry best practices and cybersecurity expertise. Download the guide and the supporting toolkit templates here.

Games age limitation: The French government, on 4 February, adopted a decree on the experimentation of games with monetisable digital objects. It requires, among other controls, that the opening of a player account be refused for any minor, or until the identity and age of the applicant have been verified. It requires the enterprise offering a game to document the arrangements used for verification, to carry out regular checks, and to be able to demonstrate the effectiveness and compliance of those arrangements to the National Gaming Authority.

How to deal with data protection complaints


The updated UK ICO guidance reminds organisations what they need to do to meet the new requirements for people to open a data protection complaints process, as set out in the new Data Use and Access Act, although these requirements are not in force until 19 June 2026. At a glance, the law says organisations must:

  • Give people a way of making data protection complaints;
  • Acknowledge receipt of complaints within 30 days of receiving them;
  • Without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep people informed;
  • Without undue delay, tell people the outcome of their complaints.

Read practical advice on each of these points in the original publication.

In other news

CNIL sanctions statistics: Cookies, employee surveillance and data security were the main subjects of the penalties imposed by the French data protection authority CNIL in 2025, the cumulative amount of which totalled 486,839,500 euros. Also, insufficient security of personal data, lack of cooperation with the CNIL and non-respect for the rights of individuals were the three main reasons for sanctions under the recently introduced simplified procedures. Numerous formal notices have targeted websites that allowed the deposit of cookies and other trackers without respecting the consent of individuals, either by not allowing them to refuse the deposit in a simple way, or by not taking into account the withdrawal of users’ consent.

In addition, the regulator often sanctioned the non-compliance with the obligations of the subcontractors concerning the data entrusted to them, in particular: 

  • implementing appropriate technical and organisational measures to ensure an adequate level of security;
  • only processing data on the instructions of the data controller;
  • deleting the data at the end of their contractual relationship with the data controller.

OpenClaw AI: The Dutch data protection authority AP warns against the use of OpenClaw, an AI agent tool that has become popular since last year. The platform provides users with an AI assistant to install, which can perform tasks autonomously. For that, the user has to give full access to their computer and programs, including email, files and online services. The platform can also be vulnerable to hidden commands in websites, emails and chat messages. That can lead to taking over accounts, reading personal data and stealing access codes.


More enforcement decisions

Amazon Italy investigation: On 9 February, the Italian data protection authority Garante and the National Labour Inspectorate announced an investigation into Amazon regarding the processing of workers’ personal data and the use of video surveillance systems. The investigation will examine the company’s logistics hubs, with a particular focus on the distribution centres in Passo Corese and Castel San Giovanni, to determine the extent to which monitoring practices comply with the legal requirements stipulated within the Workers’ Statute, digitalpolicyalert.org reports. 

Dutch municipalities fined: The Dutch data protection authority AP fined 10 municipalities 250,000 euros for processing sensitive information without consent, according to DataGuidance. Violations included processing data on religious beliefs, family relationships, political views, and criminal or terrorism-related information. The municipalities processed this sensitive information (from an external research bureau, amid national counter-radicalisation efforts) without valid consent.

Swiss cookie redress case: Digitec Galaxus informed the Swiss privacy regulator FDPIC that it had implemented its formal recommendation that customers be given the option to object to the processing of their personal data for marketing purposes. Following criticism over excessive data processing, users can now disable personalisation with one click (one-click opt-out), whereby the corresponding cookies are automatically disabled. To that end, the registration form now explicitly mentions personalisation and the right to object, and the privacy policy has been updated accordingly.

And Finally

Data brokers warning in the US: The Federal Trade Commission sent letters to 13 data brokers warning them of their responsibility to comply with the Protecting Americans’ Data from Foreign Adversaries Act of 2024. It prohibits data brokers from selling, releasing, disclosing, or providing access to personally identifiable sensitive data about Americans to any foreign adversary, which includes North Korea, China, Russia, and Iran, or any entity controlled by those countries.

The law defines personally identifiable sensitive data to include health, financial, genetic, biometric, geolocation, and sexual behaviour information, etc.

Does the GDPR apply to my US company?
https://techgdpr.com/blog/does-the-gdpr-apply-to-my-us-company/ (Tue, 10 Feb 2026 09:35:09 +0000)

The post Does the GDPR apply to my US company? appeared first on TechGDPR.

Introduction

The usual assumption of most US businesses is, “the GDPR is an EU regulation, hence it does not impact my organisation.” This belief most often results in unnecessary risk. The US equivalent of this misconception would be a company registered in Texas thinking its services don’t fall under the scope of the CCPA.

The GDPR has extraterritorial effect: it can apply to, and more often than not does affect, organisations which are outside the European Union.

Note that since Brexit, the UK has retained the GDPR provisions but adapted them to its own body of law; this is known as the UK GDPR, which adds a small additional level of complexity for transfers of data outside the UK. For the sake of simplicity, the term GDPR in this article also covers the UK GDPR.

What is the GDPR and why it has global reach

GDPR is the short name for the EU’s (and, as noted above, the UK’s) General Data Protection Regulation. It shields the personal data of individuals who are within the European Union, provides rights to those individuals (the data subjects) and lays out obligations for the organisations handling that data. Its territorial scope is such that it may apply to organisations outside of the EU if certain conditions are fulfilled.

A US company may be subject to the GDPR if it is:

  1. Providing goods or services to data subjects in the European Union (EEA and UK)

This trigger is independent of payment or contractual terms. A business will be deemed to be targeting or envisaging an EU audience if it engages in any of the following activities:

  • Sending physical goods or providing access to digital services into a member state of the EU/EEA/UK;
  • Taking payments in a European currency such as euros;
  • Running campaigns that market to email recipients in the EU/EEA/UK; and
  • Providing a website or service in a language that is widely spoken across the EU/EEA/UK.

  2. Tracking the behavior of users in the European Union

This trigger is extremely applicable to digital-first companies today. If your business is tracking or profiling users in the European Union, the GDPR will most likely apply. This includes practices like:

  • Tracking European Union website and app users with analytics tools;
  • Placing cookies or other tracking tags on the devices of users in the European Union which triggers additional requirements from the ePrivacy Directive and other local laws; and
  • Running targeted advertisement campaigns against users within the European Union on the basis of their online behavior.

Article 3 of the GDPR expressly sets out these conditions. These are detailed in additional guidance by the European Data Protection Board (Guidelines 05/2021). Registration of an organization outside of the EU does not necessarily remove a business from scope.

What constitutes personal data under the GDPR?

The GDPR defines personal data as any information relating to an identified or identifiable natural person. This definition is deliberately broad, encompassing a wider range of data than the concept of “personally identifiable information” (PII) used in other jurisdictions. It is critical for any organisation to understand what information falls under this comprehensive definition in order to determine its compliance obligations.

Personal data includes, but is not limited to:

  • Direct identifiers: A person’s name, email address, physical address, or telephone number.
  • Online identifiers: An individual’s Internet Protocol (IP) address, browser cookies, and device identifiers (IP/MAC address, IMEIs, …).
  • Pseudonyms: User IDs, vehicle identification numbers (VINs), randomly chosen usernames, hashes…
  • Metadata in context: Timestamps, for example.
  • Special categories of data: Biometric data, such as fingerprints or facial recognition information. Sensitive data is addressed in Art. 9 of the GDPR; see also our blog article detailing the differences between PII and personal data.
  • Other information: Video or photo recordings, and an individual’s location data.
  • IoT data: Data associated with a device purchaser, owner, user, maintenance person, etc…

If your organization collects any of this information from individuals in the European Union, it is processing personal data and must assess its compliance obligations under the GDPR.

What if my business doesn’t comply?

Non-compliance with the GDPR can result in massive financial and reputational losses. Supervisory authorities can impose fines of up to twenty million euros or four percent of an organization’s annual global turnover, whichever is the greater. The GDPR has a highly structured framework of administrative fines, which are applied in two tiers:

  • Tier 1: Up to €10 million, or 2% of the company’s total annual worldwide turnover in the preceding financial year, whichever is the greater.
  • Tier 2: Up to €20 million, or 4% of the company’s total annual worldwide turnover in the preceding financial year, whichever is the greater.

Enforcement is also a legitimate concern for U.S. companies. For example, Clearview AI, a U.S.-based firm, was the subject of enforcement action and fines by multiple EU data protection authorities for processing EU individuals’ personal data without a sufficient legal basis.

Along with fines, organizations can anticipate loss of customer trust, damage to their reputation, and legal restrictions on their data processing activities. Enforcement action against household names demonstrates that regulators are willing to act against organizations outside the European Union when the GDPR applies. 

A simple checklist for your U.S. company

To allow you to consider at a glance whether the GDPR applies to your business, ask yourself the following questions:

  • Does your company’s website, app, or service deliver goods or services to individuals in the European Union?
  • Do you use instruments that monitor the online behavior of individuals in the European Union?
  • Does your company process the personal data of any of your staff members working in the European Union?
  • Do you use any vendor tool to carry out any of that data processing for you?

If you answered yes to any of these queries, then it is highly likely your company is subject to the GDPR.

Real-life examples of when the GDPR applies

  • An online store in the United States accepting payment in euros and shipping goods to customers in the European Union;
  • A company processing payroll for a remote employee working in the European Union;
  • A marketing company running targeted campaigns aimed at audiences within the European Union.

Conversely, a strictly internal website with no European customer targeting and only incidental EU visits generally will not be subject to the GDPR.

Special Case: United States companies with EU-Based employees

The processing of employees’ personal data in the European Union triggers GDPR obligations. Examples are maintaining personal records, processing sensitive information, and monitoring work performance. Paying an employee in the European Union without additional data processing might not necessarily trigger full GDPR compliance requirements. That being the case, HR processes need to be carefully reviewed. Please see our blog article on how the GDPR affects HR data for non-EU companies for further information.

Your next steps toward compliance

If your business is subject to the GDPR, it is essential to be proactive about compliance.

  • Carry out a data mapping exercise: This leads to Records of Processing Activities, the details of which are outlined in Art. 30 of the GDPR. Record all personal data your organization gathers and processes, the reason for the processing, and where the data is stored;
  • Determine a lawful basis for all your data processing activities: This provides a documented and valid legal rationale for collecting and using personal data. It could be, e.g., user consent, contractual necessity with the person, a legitimate interest of your organization, or an EU legal obligation;
  • Draft accessible privacy notices: Provide an intelligible and accessible privacy notice describing data collection, purposes, storage, and data sharing practices;
  • Respect the rights of data subjects: Enable individuals to exercise their rights under the GDPR. These rights include access, rectification, erasure, restriction, and objection;
  • Appoint a Data Protection Officer (DPO): Appoint a DPO where required. This could be due to processing vast volumes of sensitive personal data or conducting systematic monitoring of individuals;
  • Consider an EU Representative: If your business is established outside of the European Union, you may need to have a representative within one of the member states under Article 27; and/or
  • Seek expert advice: The GDPR is complex. For complete compliance, it would be ideal to obtain a professional GDPR compliance audit.

Conclusion

Whether the GDPR affects an American business is not a matter of the business’s physical presence, but of whether it has a connection with individuals in the European Union. If your business offers goods or services to EU residents or monitors their activities, then it is very likely the GDPR will affect you. The penalty for failure to comply can be extremely high, both financially and with regard to one’s reputation.

It is suggested that all U.S. businesses conduct an internal examination of data processing operations. If unsure, securing a professional GDPR compliance assessment can guarantee a clear and secure path forward.

Data protection digest 19 Jan – 2 Feb 2026: New PETs guide, Digital identities ecosystem & employees’ surveillance fine
https://techgdpr.com/blog/data-protection-digest-04022026-new-pets-guide-digital-identities-ecosystem-employees-surveillance-fine/ (Wed, 04 Feb 2026 10:59:44 +0000)

The post Data protection digest 19 Jan – 2 Feb 2026: New PETs guide, Digital identities ecosystem & employees’ surveillance fine appeared first on TechGDPR.

Privacy Enhancing Technologies (PETs)

The Israeli data protection authority published a technical guide to Privacy Enhancing Technologies, available in English. PETs are a diverse family of methods, processes, and digital tools that are appropriate for different stages in the information life cycle:

  • Data collection and preparation for use: Obfuscating personal data and reducing its level of detail by removing identifiers, altering data values, or masking exact figures.
  • Data use and processing: Reducing exposure of personal data during processing, and in some cases, enabling data use without the need for viewing it during processing.
  • Control over data use: Defining rules and permissions for access to personal data and displaying data relating to the identity of the person accessing the data, the type of data, and the time of access. 

Main developments 

Brazil adequacy decision: On 28 January, the European Commission recognised that Brazil ensures an adequate level of protection for personal data under the EU GDPR. The adopted decision confirms that Brazil provides comparable levels of data protection, allowing the free transfer of personal data between the two jurisdictions without additional authorisations or safeguards. The Commission also recognises the independence of the Brazilian Data Protection Authority (ANPD) and the safeguards governing public authorities’ access to personal data for law enforcement and national security purposes.


Data Privacy Framework: The EDPB has published a new version of the EU-US Data Privacy Framework FAQ for European individuals. “European individuals” means any natural person, regardless of their nationality, whose personal data has been transferred to a US company under this framework. It applies to any type of personal data processed for commercial or health purposes, and to human resources data collected in the context of employment, as long as the recipient company in the US is self-certified under the DPF.

If you believe that a company in the US has violated its obligations or your rights under the EU-U.S. Data Privacy Framework, several redress avenues are available.

Digital omnibus: The EDPB and EDPS also adopted a joint opinion on simplification of the implementation of harmonised rules on AI. Among other things, the EDPB and the EDPS recommend maintaining the standard of strict necessity currently applying to the processing of special categories of personal data for bias detection and correction in relation to high-risk AI systems. They also support the creation of EU-level AI regulatory sandboxes to promote innovation and help SMEs, as well as AI literacy obligations for system providers and deployers. The full opinion can be read here.

HIPAA Notice

In the US, if your company provides health benefits or qualifies as a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), it is important to update your Notice of Privacy Practices (NPP) by 16 February to remain compliant. The notice must include new and more restrictive requirements related to protected health information (PHI), in particular on the disclosure of patients’ substance use disorder records. Follow-up steps may include assessing related policies, training, materials, and business associate agreements (BAAs) for consistency.

You can also read the latest epic.org report on the health data privacy crisis in the US here.

More from supervisory authorities

M&A: Before a planned company sale, large amounts of data are often processed as part of a due diligence review. This can include personal data, particularly of employees, customers, and suppliers. The Liechtenstein Data Protection Authority has compiled information (in German) regarding which data protection regulations must be observed. This information does not replace an individual assessment and is not exhaustive. 

Camera surveillance in public transport: The Dutch data protection authority states that permanent camera surveillance at employees’ designated workstations is not permitted. Cameras may only be used when strictly necessary, for example, for safety during incidents, and not for systematic monitoring or evaluation of employees. For the data controller, this includes technical adjustments to cameras, adapting internal protocols, and providing clear instructions to employees.

AI tools safe usage: The Spanish AEPD has published the main principles of safe, responsible, and conscious use of AI. Among the recommendations, the privacy regulator advises against sharing personal data with AI – full name, address, telephone number, ID/NIE, images of people, or sensitive or delicate information – medical, financial or contractual details, geolocation. In the workplace, the agency emphasises the importance of following the information and security policies of each organisation and, in particular, of not including information that reveals confidential data of the entity, its staff or clients.

Digital identities ecosystem

Verifiable Digital Credentials (VDCs) can represent a wide range of data, from a driver’s license to a diploma to proof of age, explains America’s NIST. However, their interoperability requires a common set of standards and protocols for issuing, using, and verifying VDCs. As VDCs gain traction for both in-person and online identity verification, two key standards are helping to define this space:

See their comparison in the original publication.

In parallel, the German Federal Office for Information Security (BSI) has issued the updated Technical Guideline for Biometric Authentication Systems (in German), which can be used for significantly more use cases of facial and fingerprint recognition through smartphones or access control systems. 

Cookie policy

The Latvian data protection authority reminds us of the essentials of a cookie policy, which provides the user with clear information about how their data is processed when using cookies. A document published on any website must explain in a user-friendly way: a) what cookies the website uses; b) for what purpose they are used; c) who their recipients are.

The multi-layered approach ensures that the most important information about the use of cookies on the website is provided in concentrated form (in the cookie pop-up notification or banner), including an indication of where more detailed information can be found (the cookie policy). Cookie policies are often confused with privacy policies (cookie information is merely included briefly among what is described in the privacy policy). However, to ensure transparency, the information should be provided to users separately, in two documents or at least in clearly separated “blocks” of information.

Shopping cart reminder e-mail

According to the Saxony data protection commissioner, retailers often send a reminder email pointing out an incomplete purchase process. Despite regular complaints received about such communication, there are no data protection concerns regarding a one-time shopping cart status update via email. The automatically generated messages must be distinguished from unsolicited advertising and are considered technical support.

Given the customer’s expectations and the recipient’s perspective, it is at least realistic to expect a technically triggered status update during the contract negotiation phase, in accordance with Art. 6 of the GDPR. At the same time, the data processing behind such reminder emails is subject to information requirements and must be appropriately indicated in the notices pursuant to Art. 13 of the GDPR.

In other news

PETs

Excel file disclosure: The Romanian regulator ANSPDCP imposed fines totalling 15,000 euros against Continental Automotive Products SRL for breaches of the GDPR principles of data minimisation, accountability, and the security of processing. The investigation followed the controller submitting a personal data breach notification concerning the repeated internal distribution of an Excel file containing a consolidated list of employees, including medical data from medical certificates relating to numerous employees and former employees over a period of time. 

GM driver data ban: America’s Federal Trade Commission finalised an order against General Motors and its OnStar subsidiary after the automaker secretly collected and sold detailed driving data from millions of vehicles without consumer consent. The final order approved by the Commission imposes a five-year ban on GM disclosing consumers’ geolocation and driver behaviour data to consumer reporting agencies. And for the entire 20-year life of the order, GM will be required to:

  • obtain affirmative express consent from consumers before collecting, using, or sharing connected vehicle data, with some exceptions, such as for providing location data to emergency first responders;
  • create a way for all US consumers to request a copy of their data and seek its deletion;
  • give consumers the ability to disable the collection of precise geolocation data from their vehicles if their vehicle has the necessary technology; and
  • provide a way for consumers to opt out of the collection of geolocation and driver behaviour data, with some limited exceptions.


Chromebook case

The Danish data protection authority decided in the Chromebook case regarding 51 municipalities’ use of Google’s products for teaching in primary schools. The regulator issues serious criticism and warns the municipalities about their setup of the programs in question and about the use of sub-processors outside the EU. In addition, it states that as a data controller, municipalities cannot legally use products that contain unclear processing constructs. Finally, they must have access to the necessary resources to ensure lawful processing of personal data, including in situations where the contractual basis for the product changes.

Microsoft 365 Education

The Austrian data protection authority upheld a complaint filed by a pupil, represented by the European Centre for Digital Rights (NOYB), against Microsoft regarding the use of tracking cookies in Microsoft 365 Education. The decision relates to the installation and use of non-essential cookies on the device of a minor using Microsoft 365 Education at an Austrian school. The authority also found that no valid consent had been obtained, digitalpolicyalert.org reports.

More enforcement decisions

Employees’ geolocation: The Italian regulator Garante fined a company in the agricultural seed selection and production sector 120,000 euros for unlawfully processing the personal data of five employees. As part of a multinational group, at the direction of its Swiss parent company, it installed a device on its company vehicles that unlawfully collected data on employees’ business and private travel (time, mileage, fuel consumption, and driving style) for the purpose of assigning a monthly score. The collected data was retained for 13 months and used to evaluate employee driving behaviour and to implement any corrective measures. 

Access to a fired worker’s email: Garante also ruled that the content of emails, contact information, and any attachments fall within the definition of correspondence and are therefore protected by the right to confidentiality. In the related case, the regulator fined a company 40,000 euros for violating the confidentiality of a CEO’s email account after his employment ended. After receiving a disciplinary letter that resulted in dismissal, he asked the company to disable the email account, forward any messages received in the meantime to his personal email address, and activate an automatic reply. However, this request remained unanswered.

France Travail: The French CNIL, meanwhile, fined France Travail 5 million euros for failing to ensure the security of the data of job seekers. In 2024, attackers managed to break into the agency’s information system. They used social engineering techniques to usurp the accounts of CAP EMPLOI advisors, responsible for people with disabilities. The attackers accessed the data of all registered people, or those who have been registered over the past 20 years. However, the attackers did not gain access to the complete files of job seekers, which may include health data. 

And finally

Change your password: According to the German BSI, a blanket password change is no longer an effective security measure. Frequent password changes often lead consumers to use weak, easily predictable passwords. Password managers help to keep track of passwords. However, even a complex password does not offer 100% protection. Instead, BSI recommends activating two-factor authentication (2FA).

Australia child accounts ban: According to the Guardian, Snapchat banned or disabled the accounts of around 415,000 Australian users who were detected as being under the age of 16. This was done to comply with the new under-16s social media prohibition. In December, Snapchat was one of ten platforms that needed to restrict people under the age of 16 (4.7 million accounts) from using its services. However, other allegations have surfaced after the prohibition went into place, with some claiming that Snapchat’s facial age verification was easily overcome by teens.

Data protection digest 4-18 Jan 2026: Legitimate Interests Assessment, AWS Europe Sovereign Cloud, Google settlement over child data
https://techgdpr.com/blog/data-protection-digest-22012026-legitimate-interests-aws-europe-sovereign-cloud-google-settlement-over-child-data/ (22 Jan 2026)
Legitimate Interests Assessment (LIA)

The Hamburg Data Protection Commissioner provided a comprehensive questionnaire for determining the legitimate interests legal basis for processing. It helps those responsible to examine and document precisely what their interest in data processing is and whether the rights and interests of the data subject are adequately considered. It guides users step-by-step through the most important checkpoints:

  • Determination: What objectives are pursued with the data processing, and are these legally permissible?
  • Necessity: Is the processing necessary, and is only the required personal data collected?
  • Balancing: Are the rights and interests of the individuals concerned sufficiently considered and protected?
  • Documentation and compliance: Are the audit procedures recorded and regularly updated?

You can download the LIA questionnaire in German or the LIA questionnaire in English.


EDPB updates

The European Data Protection Board welcomes comments on the recommendations on the elements and principles to be found in Processor Binding Corporate Rules (BCR-P). Comments should be sent by 2 March. BCRs are a tool for providing appropriate safeguards for transfers of personal data by a group of undertakings engaged in a joint economic activity to third countries that do not provide an adequate level of protection pursuant to the GDPR. The recommendations clarify when BCR-P can be used, namely only for intra-group transfers between processors, when the controller is not part of the group. Read more about the scope of BCR-P and its interplay with data processing agreements here.

Other developments

Legitimate Interests

AWS Europe Sovereign Cloud: The German Federal Office for Information Security BSI has announced its support for the US cloud provider Amazon Web Services in the design of security and sovereignty features for its new European Sovereign Cloud (ESC): an independent cloud infrastructure located entirely within the EU, whose operation will be technically and organisationally independent from the global AWS instance.

Later this year, the BSI will publish general sovereignty criteria for cloud computing solutions based on the new framework. It will serve as a basis for assessing the degree of autonomy of cloud solutions and can also be used in procurement processes. 

HIPAA Security Rule: In the US, for HIPAA-covered entities and business associates, the HIPAA Security Rule requires ensuring the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the regulated entity creates, receives, maintains, or transmits. To that end, the US Department of Health and Human Services has published the latest recommendations on System Hardening and Protecting ePHI. The measures include: 

  • patching known vulnerabilities
  • removing or disabling unneeded software and services
  • enabling and configuring security measures that sometimes intersect with some of the technical safeguard standards and implementation specifications of the HIPAA Security Rule, such as access controls, encryption, audit controls, and authentication.

GDPR certifications and codes of conduct

France’s CNIL maps the deployment of GDPR compliance tools across Europe. Two maps list the certifications and codes of conduct approved by national supervisory authorities or by the European Data Protection Board since the entry into force of the GDPR. These instruments may operate at either the national or European level. Certification (Art. 42 of the GDPR) makes it possible to demonstrate that a product, service, or data processing activity meets the data protection criteria set out in an approved certification scheme. A code of conduct (Art. 40 of the GDPR) translates the Regulation’s obligations into concrete, sector-specific rules and becomes binding on its members.

UK international transfers

The UK Information Commissioner published updated guidance on international transfers of personal data, making it quicker for businesses to understand and comply with the transfer rules under the UK GDPR. It sets out a clear ‘three-step test’ for organisations to use to identify whether they are making restricted transfers. New content also provides clarity on areas where organisations have questions, such as roles and responsibilities, reflecting the complexity of multi-layered transfer scenarios.

Multi-device consent

The French regulator also published its recommendations (in French) on the collection of cross-device consent. For instance, when a user accesses a website or a mobile app, they express their choices about the use of cookies or other trackers on a device connected to their account. These choices are then automatically applied to all devices connected to that account. This includes, but is not limited to, their phone, tablet, computer or connected TV, as well as the browser or app they are using. Thus, users must be well-informed of this login system.

More from supervisory authorities

Remote job interviews: According to the Latvian regulator DVI, an employer may collect the content of a remote job interview using AI tools if an appropriate legal basis can be applied. Such data processing may be carried out based on the candidate’s consent or the legitimate interests of the company. Consent must be freely given, specific, unambiguous and informed. If the processing is carried out based on legitimate interests, a balancing test of the interests of both parties must be carried out before such processing is initiated.

Regardless of the chosen legal basis, the data controller is obliged to inform the candidate before the interview about the planned data processing during the interview, including the use of AI tools, the purposes of processing, the data retention period and the candidate’s rights. The candidate has the right to object, and such objections must be taken into account; in the event of potential harm, the processing must be stopped.

Cybersecurity guide: The Australian Cyber Security Centre published guidance with a checklist on managing cybersecurity risks of artificial intelligence for small businesses when adopting cloud-based AI technologies. Reportedly, more small businesses are using AI through applications, websites and enterprise systems hosted in the public cloud like OpenAI’s ChatGPT, Google Gemini, Anthropic’s Claude, and Microsoft Copilot. Before adopting AI tools, small businesses should understand the related risks and ways to mitigate them, including: 

  • data leaks and privacy breaches
  • reliability and manipulation of AI outputs
  • supply chain vulnerabilities.

Data subject rights in the event of a bankruptcy

The Norwegian data protection authority has imposed a fine on Timegrip AS. The case concerns a retail chain that went bankrupt, and the employees needed to document the hours they had worked. The company Timegrip had been the data processor for the retail chain until the bankruptcy, and stored this data. However, they would not provide the data to either the bankruptcy estate or the employees themselves. 

Timegrip argued that the company did not have the right to provide the complainant with a copy because a data processor can only process personal data on the basis of an instruction from the controller. Since the controller retail chain had gone bankrupt, Timegrip claimed that no one could give them such an instruction. At the same time, Timegrip refused access requests from 80 different individuals, despite the company being aware that they were in a vulnerable situation and dependent on the timesheets to document their salary claims. 

In addition, it was Timegrip that made decisions about essential aspects of the processing, such as what the data could be used for, the storage period and who could have access to the personal data. In other words, it was clear that it was Timegrip that exercised the real control over the personal data.


Google multimillion-dollar settlement over child data

In the US, a federal judge granted final approval for a 30 million dollar class action settlement against Google, after six years of litigation with parents claiming the tech giant violated children’s privacy by collecting data while they watched YouTube videos. Although Google doesn’t charge for access to YouTube, the company does use it as a revenue source. It collaborates with advertisers and the owners of popular YouTube channels to advertise on specific videos, with Google and the channel owners splitting the payments received from advertisers.

In other news 

Free mobile fine: The French CNIL issued two sanctions against the companies FREE MOBILE and FREE, imposing fines of 27 and 15 million euros, respectively, over the inadequacy of the measures taken to ensure the security of their subscribers’ data. In October 2024, an attacker managed to infiltrate the companies’ information systems and access personal data concerning 24 million subscriber contracts, including IBANs, when the people were customers of both companies. 

The investigation has shown that the authentication procedure for connecting to the VPN of both companies, used in particular for the remote work of the company’s employees, was not sufficiently robust. In addition, the measures deployed by the companies in order to detect abnormal behaviour on their information system were ineffective.

Major university data breach: In Australia, a cyberattack compromised the personal information of students from all Victorian government schools. An unauthorised external third party accessed a database containing information about current and past school student accounts, including student names, school-issued email addresses, and encrypted passwords. In the opinion of the Australian legal expert from Moores, who analysed the breach, certain factors tend to correlate with such incidents. These include:

  • adoption of new CRMs and platforms (including leaving administrator access open, and having incorrect privacy settings, which make online forms publicly searchable);
  • keeping old information which is no longer required;
  • a spike in emails sent to incorrect recipients on Fridays and in the lead-up to school holidays;
  • spreadsheets sent via email (instead of SharePoint, for example).

Business email compromise

Business Email Compromise (BEC) is currently one of the fastest-growing forms of digital fraud, according to the Dutch National Cybersecurity Centre. In BEC, criminals pose as trusted individuals within an organisation, often a director or manager, but also a colleague, supplier, or customer.

The criminals’ goals can vary, such as changing account numbers, obtaining login credentials, stealing sensitive information, or using compromised accounts for new phishing campaigns. The power of BEC lies not in its technical complexity but in exploiting the principles of social influence. BEC fraudsters cleverly utilise subtle social pressure, for example, by capitalising on scarcity by creating a sense of urgency, exploiting reciprocity by first building trust or asking for small favours, or relying on an authority figure. 

And finally 

AI prompting guide: IAB Europe has published its AI Prompting Guide. It provides practical, reusable techniques that can be applied immediately, including managing risks such as hallucinations, sensitive data exposure, bias, and prompt injection. Some of these risks can be mitigated through careful prompting, review, and user judgement, while others require more structural safeguards such as validation, monitoring, and clear boundaries around how models are used.

For instance, sensitive data exposure occurs when confidential, personal, or proprietary information is included in prompts or generated in outputs inappropriately. This can involve personal data, commercial secrets, or information subject to legal or contractual restrictions. The mitigation strategy would include: 

  • removing or anonymising sensitive information before including it in prompts 
  • limiting the amount of context shared to what is strictly necessary for the task 
  • following organisational guidance on approved tools and data handling, and 
  • applying access controls where models are integrated into workflows. 

For sensitive use cases, ensure outputs are reviewed before being stored, shared, or acted upon.

Data protection digest 3 Jan 2026: Improvements are being made to GDPR enforcement, US consumer privacy, and emerging “Shadow AI” concerns
https://techgdpr.com/blog/data-protection-digest-03012026-improvements-are-being-made-to-gdpr-enforcement-us-consumer-privacy-and-emerging-shadow-ai/ (7 Jan 2026)
GDPR enforcement simplified

A new regulation came into force on 1 January, supplementing the GDPR. It speeds up the work of data protection authorities in enforcement cases that involve multiple countries in the EU/EEA. The regulation provides, among other things, for time limits, stages of investigation, the exchange of information between authorities, and the rights of the parties concerned. In future, data protection authorities will have to issue a resolution proposal on a cross-border case as a rule within 12-15 months. In the most complex cases, the deadline can be extended by 12 months. The regulation will apply from April 2027. 


UK Adequacy decision

The European Commission adopted two new adequacy decisions for the UK – one under the GDPR and the other under the Law Enforcement Directive – valid until 27 December 2031. In accordance with the new decisions, transfers of personal data from the EU to the UK can continue to take place without any specific framework. Following Brexit, the Commission adopted two adequacy decisions vis-à-vis the UK in 2021. Sunset clauses had been introduced in each of the decisions. The decisions expired in mid-2025, but had been extended until the end of the year. The EDPS has since issued an opinion on these decisions.

More legal updates

US consumer privacy updates: In Kentucky, as well as Indiana, Rhode Island and several other states, GDPR-enhanced legislation related to consumer data privacy took effect on January 1. In Kentucky, in particular, the new legislation establishes the rights to confirm whether data is being processed, to correct any inaccuracies, to delete personal data provided by the consumer, to obtain a copy of the consumer’s data, and to opt out of targeted advertising, the sale of data, or profiling of the consumer along with requirements for entities that control and process their data.

Similarly, in January, new regulations became effective in California regarding a risk-assessment framework for certain high-risk data processing activities, as well as transparency and notice requirements, disclosure of sensitive personal information, data breach reporting, consumer rights requests, and data collection and deletion by data brokers.

AI use by banks

The Hungarian data protection regulator issued a report on the processing of personal data by AI systems used by banks in Hungary (available in English). Some good practices indicated by the report include:

  • AI recognition of images, voices and texts must be reliable, without compromising data security. Principles of data minimisation and storage limitation must be observed.
  • The quality of the data used for AI training is important, as well as identifying whether or not the training data needs to be linked to a specific natural person. In many cases, pseudonymisation or anonymisation can be used to mitigate privacy risks before training.
  • The use of ‘Shadow AI’ is becoming a new phenomenon. It covers all cases where, in an organisation, users use AI systems in an unregulated, non-transparent, uncoordinated manner from the point of view of the organisation, either for work or for some personal use, using the organisation’s IT infrastructure. 
  • In their operations, certain banks under review also use analytical models to analyse and predict creditworthiness and product affinity, the precise classification of which may raise questions. They often operate on a statistical basis, but may also have an AI-based component, and it is necessary to apply the appropriate safeguards. 

More from supervisory authorities

EU Data Act: The French privacy regulator CNIL explained how the EU Data Act is going to reform the EU digital economy, gradually implemented through 2026-2027. The Act sets fair rules on the access and use of personal or non-personal data generated by connected objects. It allows anyone who owns or uses connected products to access the data generated by this object. It also facilitates their sharing with other actors, in particular by prohibiting unfair contractual clauses.

The implementation of this regulation must be done in conjunction with the GDPR. In particular, it provides that in the event of a contradiction between the two texts, it is the GDPR that prevails when personal data is concerned.

Similarly, the Digital Governance Act should be taken into account, which has set up new trusted intermediaries to encourage voluntary data sharing.

Bodycam use: At the end of December, the CJEU ruled in a case regarding a data controller’s obligation to provide information when collecting personal data via a body-worn camera worn by ticket inspectors on public transport. The collection of personal data by means of body-worn cameras constitutes collection directly from the data subject. The information obligation (Article 13 of the GDPR) must therefore be respected at the time of collection. The information obligation can operate at several levels, where the most important information is, for example, stated on a warning sign, while the remaining information can be provided in another appropriate (and easily accessible) way.


Disney US settlement

On 31 December, a federal judge required Disney to pay 10 million dollars to settle FTC allegations that the company allowed personal data to be collected from children who viewed child-directed videos on YouTube without notifying parents or obtaining their consent as required by the Children’s Online Privacy Protection Rule (COPPA Rule). The complaint alleged that Disney violated the COPPA Rule by failing to properly label some videos that it uploaded to YouTube as “Made for Kids”.

The complaint alleged that by mislabeling these videos, Disney allowed for the collection, through YouTube, of personal data from children under 13 who viewed child-directed videos and used that data for targeted advertising to children.

More enforcement decisions

TikTok investigations: According to vitallaw.com, the Spanish and Norwegian data protection authorities have issued warnings to TikTok users regarding the company’s transfer of personal data to China, where national laws could require that data be shared with Chinese authorities. TikTok already faces EU fines over violations of the GDPR and was ordered to stop transferring personal data to China. 

So far, TikTok has been granted an interim injunction that allows the company to continue transferring personal data to China until the case is resolved. As a result, regulators are warning users to read the online platform’s notifications and privacy policies, check their privacy settings and think about what they share in the app. It is also recommended that businesses consider whether to continue using TikTok and conduct risk assessments.

PCRM software fine: Finally, the French CNIL has fined Nexpublica 1,700,000 euros for failing to provide sufficient security measures for a tool for managing the relationship with users in the field of social action. Nexpublica (formerly Inetum Software) specialises in the design of computer systems and PCRM software used in particular by homes for disabled people.

At the end of 2022, Nexpublica customers made data breach notifications with the CNIL, because users of the portal had access to documents concerning third parties. The CNIL then carried out inspections of the company, which revealed the inadequacy of the technical and organisational measures. It is considered that the vulnerabilities found:

  • were mostly the result of a lack of knowledge of the state of the art and basic security principles;
  • were known and identified by the company through several audit reports.

Despite this, the flaws were only patched after the data breaches.
