The Saxon Data Protection Authority (SächsDSB) reviewed around 30,000 websites for data protection issues, particularly focusing on the use of Google Analytics. They emphasized that Google Analytics tracks user behavior in detail, making user consent essential under data protection laws. The authority discovered that 2,300 websites, including those of companies, associations, and public bodies, failed to meet these consent requirements. The SächsDSB will demand that these entities correct the violations and delete improperly collected data, with potential formal proceedings if they do not comply. Press release in German →
The Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the UK’s Information Commissioner (ICO) met in Venice and signed a Memorandum of Understanding (MoU) to formalize their cooperation. The MoU outlines the exchange of information between the authorities and confirms their commitment to collaborate on key international data protection issues. Access here →
The European Commission’s Multistakeholder Expert Group released its report on the application of the General Data Protection Regulation (GDPR). The report noted positive developments in compliance, awareness, and the use of rights to access and erasure. However, it also identified issues such as low awareness of other rights, challenges with automated decision-making, data portability, transparency obligations, and GDPR’s alignment with other regulations. Concerns were also raised about the adoption of Standard Contractual Clauses for data transfers and inadequate coordination between data protection authorities in cross-border cases. Read here →
2) Notable Case Law
The Spanish Data Protection Authority (AEPD) fined BANCO BILBAO VIZCAYA ARGENTARIA, SA (BBVA) €200,000, later reduced to €120,000. The fine was based on a complaint that BBVA had incorrectly included the complainant’s personal data in a solvency file without proper prior notice, due to an incorrect address. The AEPD found that BBVA violated the GDPR’s accuracy principle, which mandates that personal data must be accurate and up-to-date. By failing to provide the correct address, BBVA caused significant harm to the complainant, who did not receive the notification. BBVA paid the reduced fine of €120,000 voluntarily, acknowledging its responsibility. The Authority’s Decision can be found here in Spanish →
The Irish Data Protection Commission (DPC) announced that Meta will no longer process EU/EEA user data for “artificial intelligence techniques” following 11 complaints from privacy advocacy group noyb. Although the DPC initially approved Meta’s AI operations in the EU/EEA, recent pressure from other regulators has led to this change. We cover the full story here →
3) New and Upcoming Legislation
US Law Updates:
Vermont: Vermont’s Governor vetoed House Bill 121, which aimed to enhance consumer privacy. The bill included provisions such as the Vermont Data Privacy Act, public outreach and education, an Attorney General study, protection of personal information including data broker security breach provisions, and an age-appropriate design code. The Governor stated that the bill posed unnecessary risks, particularly due to the private right of action provision, which could impact many businesses and non-profits. He also highlighted concerns about the age-appropriate code, citing potential First Amendment violations, similar to issues seen with legislation in California. Press release →
Rhode Island: House Bill 7787, the Rhode Island Data Transparency and Privacy Protection Act, was passed by the State Senate and is now at 50% progression. This bill, paired with Senate Bill 2500, aims to improve data transparency and privacy protection. If approved, it will take effect on January 1, 2026.
4) Strong Impact Tech
LinkedIn has stopped using special category data for targeted advertising. This decision was made after the European Commission requested information to check compliance with the Digital Services Act (DSA) following a complaint from civil society organizations. The complaint alleged that LinkedIn allowed advertisers to target users based on special categories of personal data from users’ participation in LinkedIn Groups. If true, this would violate the DSA’s ban on targeted ads using sensitive personal data. Press release →
The European Commission has requested information from Pornhub, XVideos, and Stripchat regarding illegal content and the protection of minors under the Digital Services Act (DSA). The Commission seeks detailed information on the measures these companies have implemented to assess and mitigate risks related to minors’ online protection and to prevent the spread of illegal content and gender-based violence. Read more here →