
News

Current events, updates, and developments in data protection law

152 Posts
12 Topics
Feb 20 Latest

#KeepItOn: authorities must reverse social media shutdown order and restore access in Gabon

We urgently demand the government of Gabon to immediately reverse orders to shut down social media indefinitely in the country. The order is in gross violation of national and international human rights frameworks and must not be allowed to continue. The post #KeepItOn: authorities must reverse social media shutdown order and restore access in Gabon appeared first on Access Now.

Irish watchdog opens EU data probe into Grok sexual AI imagery

The inquiry concerns potential breaches of the bloc’s General Data Protection Regulation

Garante per la protezione dei dati personali (Italy) - 10214411

The Local Territorial Agency for Residential Housing (Azienda territoriale per l’edilizia residenziale) submitted a complaint to the DPA regarding the installation of security cameras by the business “Macelleria La Costata s.r.l.s.”, a local butcher.

Making GDPR compliance easier through new initiatives: a key focus of the EDPB work programme 2026-2027

Brussels, 13 February - The EDPB has recently adopted its work programme for 2026-2027, which is grounded in the four pillars of the EDPB strategy 2024-2027. The work programme is based on the priorities set out in the EDPB strategy and it also takes into account the commitments made in the Helsinki Statement on enhanced clarity, support and engagement aimed at making GDPR compliance easier, strengthening consistency, and boosting cross-regulatory cooperation. Easing compliance is at the top of

Seven Billion Reasons for Facebook to Abandon its Face Recognition Plans

The New York Times reported that Meta is considering adding face recognition technology to its smart glasses. According to an internal Meta document, the company may launch the product “during a dynamic political environment where many civil society groups that we would expect to attack us would have their resources focused on other concerns.” This is a bad idea that Meta should abandon. If adopted and released to the public, it would violate the privacy rights of millions of people and cost the

Discord Voluntarily Pushes Mandatory Age Verification Despite Recent Data Breach

Discord has begun rolling out mandatory age verification and the internet is, understandably, freaking out. At EFF, we’ve been raising the alarm about age verification mandates for years. In December, we launched our Age Verification Resource Hub to push back against laws and platform policies that require users to hand over sensitive personal information just to access basic online services. At the time, age gates were largely enforced in polities where it was mandated by law. Now they’re landi

AEPD (Spain) - PS-00456-2025

The DPA fined a business support company 80,000 euros for transferring personal data from its employees to a third party without the proper legal basis, in violation of Art. 6(1) GDPR. The DPA fined a customer support provider €80,000 for unlawfully transferring its employees’ private phone numbers to its business customer without a valid legal basis. MAJOREL SP SOLUTIONS, S.A. (the controller) entered into an

UODO (Poland) - DKN.5131.4.2025

The DPA fined the Polish national postal operator €232k for a DPO conflict of interest. The DPO concurrently served as a Security Director and company proxy, effectively monitoring their own decisions regarding the means of data processing. The DPA fined the national postal operator €232,000 for appointing a DPO with a conflict of interest. The DPO concurrently served as a Security Director and representative of the controller, effectively monitoring their own decisions regar

AEPD (Spain) - PS-00456-2025

The DPA upheld the complaint and found an infringement of Article 6(1) GDPR. The Authority clarified that the necessity for the performance of a contract must be interpreted strictly and covers only processing that is objectively necessary, not merely useful or convenient.

EDRi welcomes EU preliminary findings on TikTok’s addictive platform design

The European Commission preliminarily found that TikTok was in breach of the Digital Services Act (DSA) due to the addictive design of its platform. EDRi welcomes this decision and urges TikTok to swiftly mitigate the risks to which its users are exposed. The post EDRi welcomes EU preliminary findings on TikTok’s addictive platform design appeared first on European Digital Rights (EDRi).

EFF Statement on ICE and CBP Violence

Dangerously unchecked surveillance and rights violations have been a throughline of the Department of Homeland Security since the agency’s creation in the wake of the September 11th attacks. In particular, Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP) have been responsible for countless civil liberties and digital rights violations since that time. In the past year, however, ICE and CBP have descended into utter lawlessness, repeatedly refusing to exercise or

Search Engines, AI, And The Long Fight Over Fair Use

We're taking part in Copyright Week, a series of actions and discussions supporting key principles that should guide copyright policy. Every day this week, various groups are taking on different elements of copyright law and policy, and addressing what's at stake, and what we need to do to make sure that copyright promotes creativity and innovation. Long before generative AI, copyright holders warned that new technologies for reading and analyzing information would destroy creativity.

Fighting for algorithmic justice: lessons learned in working closely with affected people

Bits of Freedom shares lessons learned while working on “Amsterdam Top400”, an invasive municipality project which involved the use of predictive policing and led to unwanted interference in the private lives of young people. Together with a coalition of professionals from different backgrounds and affected individuals, they explored the possibility of holding the municipality of Amsterdam accountable for violations of children’s rights, data protection law, and fundamental freedoms. The post Fig

EDRi launches new resource to document abuses and support a full ban on spyware in Europe

Spyware continues to spread across Europe despite years of scandals and undisputable evidence of fundamental rights violations. As the European Commission remains inactive, civil society, journalists and some lawmakers at the European Parliament are stepping up pressure for accountability. In this context, EDRi is launching a document pool to centralise resources that track abuse and support the growing push for a full EU-wide ban of spyware. The post EDRi launches new resource to document abus

💾 The Worst Data Breaches of 2025—And What You Can Do | EFFector 38.1

So many data breaches happen throughout the year that it can be pretty easy to gloss over not just if, but how many different breaches compromised your data. We're diving into these data breaches and more with our latest EFFector newsletter. Since 1990, EFFector has been your guide to understanding the intersection of technology, civil liberties, and the law. This latest issue tracks U.S. Immigration and Customs Enforcement's (ICE) surveillance spending spree, explains how hackers are

OGS Zagreb - Case number Pn-1378/2023-18

Dutch Summary: A court awarded €3,500 to a person whose financial data was accidentally sent by a bank to another customer. The court held that this unlawful disclosure constituted a violation of the person's right to privacy and that there was non-material damage.

CNIL (France) - SAN-2025-015

"Regarding the fairness of the procedure:" Initially, the data protection authority (DPA) rejected this argument based on a violation of Article 6 of the European Convention on Human Rights (ECHR). The DPA pointed out that the right not to be required to prove someone's guilt does not conflict with the sharing of internal reports from the complainant, even under coercive measures. Furthermore, the publicly available reports constitute evidence upon which the DPA can base its reasoning.

OLG Frankfurt am Main - 6 U 81/23

The Court awarded €100 in non-material damages for the storage and processing of cookies without the data subject’s consent. Although the infringement was considered minor, and the data subject suffered no loss of control over his data, the court held that the feeling of being monitored constituted non-material damage.

#KeepItOn: Iran plunged into digital darkness, concealing human rights abuses

join the international community, including the UN’s Independent International Fact-Finding Mission, in calling on Iran to immediately restore internet and mobile communications and in demanding accountability and transparency for the grave human rights violations documented in the country The post #KeepItOn: Iran plunged into digital darkness, concealing human rights abuses appeared first on Access Now.

CNIL (France) - SAN-2025-014

DEEZER (the data controller) has informed the French data protection authority (CNIL) about a data breach that affected 21,574,775 users, of whom 9,849,354 were located in France. DEEZER has identified Mobius Solutions Ltd (the data processor) as the likely source of the data breach. The data protection authority has launched an investigation into the data processor. DEEZER (the data controller) has informed the French data protection authority (CNIL) about a data breach that affected approximately 46,900,000 users worldwide, of whom 21,574,775 were located in France.

Court of Zadar - Case number K-648/2025-2.

A court has sentenced a person to six months of imprisonment, with the sentence suspended, for unauthorized access to and use of the personal data of 334 customers without consent, in violation of Article 6, paragraph 1, of the GDPR, and for unauthorized access to company systems. A court has sentenced a person to six months of imprisonment, with the sentence suspended, for unauthorized access to and use of the personal data of 334 customers without consent, in violation of the national Penal Code and Article 6, paragraph 1, of the GDPR.

Court of Justice of Frankfurt am Main - 6 U 81/23

The court awarded €100 in non-material damages for the storage and processing of cookies without the data subject's consent. Although the infringement was considered minor and the data subject suffered no loss of control over his data, the court held that the feeling of being monitored constituted a form of non-material damage.

Frankfurt am Main Regional Court - Case Number 6 U 81/23.

The court awarded €100 in non-pecuniary damages for the storage and processing of cookies without the consent of the individual. While the violation was considered minor, and the individual did not suffer a loss of control over their data, the court ruled that the feeling of being monitored constituted a form of non-pecuniary damage.

CNIL (France) - SAN-2025-014

DEEZER (the controller) notified the French DPA (CNIL) of a data breach affecting 21,574,775 users, out of which 9,849,354 users were located in France. The controller identified Mobius Solutions Ltd (the processor) as the likely source of the data breach. The DPA launched an investigation into the processor. DEEZER (the controller) notified the French DPA (CNIL) of a data breach affecting approximately 46,900,000 users worldwide, out of which 21,574,775 users located i

CNIL (France) - SAN-2025-015

"On the fairness of the procedure:" At first, the data protection authority (DPA) rejected the argument based on a violation of Article 6 of the European Convention on Human Rights (ECHR). The DPA pointed out that the right not to be burdened with proving someone's guilt is not incompatible with sharing the complainant's internal reports, even under coercive measures. Moreover, the disclosed reports constitute evidence on which the DPA can base its reasoning.

Court of Appeal of Braunschweig - Case Number: 2 U 71/24

The court has awarded €100 in non-pecuniary damages following a large-scale data breach that affected a social network. While the damage was considered minor, the court ruled that the unauthorized linking and public dissemination of the individual's phone number with other profile data resulted in a loss of control over personal data, which in itself constituted non-pecuniary damage worthy of compensation.

CNIL (France) - SAN-2025-014

The DPA fined a processor €1 million for failing to delete the personal data of users, processing it for purposes contrary to contract stipulations and for failing to keep a record of its processing activities. Finally, the DPA found t

CNIL (France) - SAN-2025-015

On the fairness of the procedure: At first, the DPA rejected the argument based on a violation of Article 6 ECHR. The DPA pointed out that the right not to incriminate oneself is not incompatible with the sharing of the complainant’s internal reports, even under coercive measures. What’s more, the disclosed reports are evidence on which the DPA can base its argument.

OGS Zagreb - Case number Pn-1378/2023-18.

Summary: A court has awarded €3,500 to a person whose financial data was accidentally sent to another customer by a bank. The court ruled that this unauthorized disclosure constituted a violation of the person's right to privacy and that non-pecuniary damages were involved.

OGS Zagreb - Pn-1378/2023-18

A court awarded €3,500 to a data subject after a bank mistakenly sent her financial data to another client, finding that the disclosure unlawfully violated her right to privacy and caused non-material harm.

USR - Us I-755/2025-8

The latter further claimed during the lawsuit against AZOP's decision that the authority had incorrectly and incompletely established the facts, misapplied substantive law, and breached procedural rules. He emphasized that the published personal data was unrelated to transparency in public administration, that he was neither a public figure nor a political actor, and that any public interest ended once he left office on 31 March 2023. He invoked his right to erasure under [[Articl

CNIL (France) - SAN-2025-015

On November 2nd and November 10th, 2022, individuals who used the portal informed the responsible party that they had accessed files related to other individuals. On November 22nd, 2022, the responsible party reported the data breach to the Data Protection Authority (AP). The data breach was caused by a configuration error.

CNIL (France) - SAN-2025-015

The DPA imposed a €1,700,000 fine under Article 32 GDPR on a processor that had incorrectly configured software that processed files relating to persons with disabilities, leading to a massive data breach. A software co

BVwG - W291 2298748-1

A data subject wished to be addressed in a gender-neutral way and claimed they were misgendered by two companies (the data controllers) in profile settings, tickets, and train announcements. They initially sent a tweet to one of the involved controllers asking whether gender-neutral options would be available

CNIL (France) - SAN-2025-015

The data protection authority (DPA) has imposed a fine of €1,700,000 on a data processor that had incorrectly configured a software program. This program processed files related to people with disabilities, which resulted in a large-scale data breach. A software company...

CNIL (France) - SAN-2025-014

DEEZER (the controller) notified the French DPA (CNIL) of a data breach affecting 21,574,775 users, out of which 9,849,354 users were located in France. The controller identified Mobius Solutions Ltd (the processor) as the likely source of the data breach. The DPA launched an investigation into the processor.

CNIL (France) - SAN-2025-014

First, the data protection authority (DPA) found that the data processor should have deleted the users' data at the end of the agreement with the data controller. The DPA considered the failure to do so a violation of Article 28(3)(g) of the GDPR. The failure to do so, even if the data was retained due to unauthorized collaboration, ...

CNIL (France) - SAN-2025-014

The data protection authority fined a company €1 million for failing to delete users' personal data, processing that data for purposes contrary to the contractual agreements, and failing to keep a record of processing activities. The data protection authority fined a subcontractor €1 million for the same infringements: failing to delete users' personal data, processing that data for purposes contrary to the contractual agreements, and failing to keep a record of processing activities. DE

ICO’s consultation on discounts for early settlement ends on 23 January

The ICO has issued a consultation to seek organisations’ views on the processes the ICO follows when it suspects a breach of the UK GDPR or the Data Protection Act 2018

CNIL (France) - SAN-2025-014

The DPA fined a company €1 million for failing to delete the personal data of users, processing it for purposes contrary to contract stipulations and for failing to keep a record of its processing activities. The DPA fined a subcontractor €1 million for failing to delete the personal data of users, processing it for purposes contrary to contract stipulations and for failing to keep a record of its processing activities. DE

BVwG - W291 2298748-1

A person requested to be addressed in a gender-neutral manner and stated that two companies (the responsible parties) were using an incorrect gender in their profile settings, on tickets, and in train announcements. Initially, the person sent a message via Twitter to one of the responsible parties, asking if there were any gender-neutral options available.

CNIL (France) - SAN-2025-014

Firstly, the DPA found that the processor should have deleted the users' data at the end of the contractual relationship with the controller. Failing to do so, the DPA found a violation of Article 28(3)(g) GDPR. Failing to do so, even if the data were retained as a result of an unauthorised co

CNIL (France) - SAN-2025-014

The data protection authority has fined a company €1 million for failing to delete user personal data, processing this data for purposes that conflict with contractual agreements, and not maintaining a register of processing activities. The data protection authority has also fined a subcontractor €1 million for the same violations: failing to delete user personal data, processing this data for purposes that conflict with contractual agreements, and not maintaining a register of processing activities.

CNIL (France) - SAN-2025-015

On 2 November and 10 November 2022, data subjects using the portal reported to the controller that they had access to files relating to other data subjects. On 22 November 2022, the controller notified the data breach to the DPA. The breach was found to be due to a conf

CNIL (France) - SAN-2025-014

DEEZER (the data controller) has informed the French data protection authority (CNIL) about a data breach affecting 21,574,775 users, of whom 9,849,354 are located in France. DEEZER (the data controller) has identified that Mobius Solutions Ltd (the data processor) is likely the source of the data breach. The data protection authority has launched an investigation into the data processor.

CNIL (France) - SAN-2025-014

First, the data protection authority (DPA) found that the processor should have deleted the users' data at the end of the agreement with the controller. The DPA considered the failure to do so a violation of Article 28(3)(g) of the GDPR. The failure to do so, even if the data was retained as a result of an unauthorised collaboration, ...

BVwG - W291 2298748-1

A data subject wished to be addressed in a gender-neutral way and stated that two companies (the controllers) used an incorrect gender in their profile settings, on tickets, and in train announcements. The data subject initially sent a message via Twitter to one of the controllers involved, asking whether gender-neutral options would be available.

DSB (Austria) - 2025-0.276.820

The DSB held that the controller violated Article 58(2)(d) GDPR, which grants supervisory authorities the power to issue binding instructions to data controllers to ensure compliance with the GDPR. The violation arose from the controller’s failure to implement the binding instruction requiring modification of the website cookie banner to allow users to refuse consent as easily as giving it.

USR - Reference number I-755/2025-8

Finally, the court reiterated that consent was not required, because Article 6 of the GDPR provides alternative legal grounds for processing data. Since Article 6(1)(f) was satisfied, the absence of consent was irrelevant. The court held that AZOP had applied the law correctly and that the interference with the data subject's privacy was proportionate, and therefore upheld the decision. The court dismissed the data subject's claim and the associated costs.

VDAI (Lithuania) - Decision No. 3R-1700

The DPA held that a gambling operator lawfully transferred data to a processor for sending invitations to sporting events, but found that the controller breached transparency obligations by not informing the data subject about the categories of data recipients. The DPA held that the operator of a gambling site lawfully transferred data to a processor for sending invitations to sporting events since the engagement of a processor does not require a separate legal basis. However, the cour