DPO Newsletter: Global Data Protection & Privacy News (issue #154)

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

🇪🇺 European Union – EDPB Publishes 2025 Annual Report
The EDPB’s 2025 Annual Report says national DPAs issued a record €1.15 billion in fines last year. It also highlights the Helsinki Statement and the Board’s first joint DMA/GDPR guidance.

🇫🇷 France – CNIL Publishes HR Data Retention Guide
France’s CNIL published a practical guide (in French) on how long employers should keep HR data, covering recruitment, payroll, workplace accidents, disciplinary files, and more. It’s a useful reference for DPOs and HR teams working under French law.

🇬🇧 United Kingdom – ICO Opens Consultation on Automated Decision-Making Guidance
The ICO launched a consultation on updated guidance on automated decision-making and profiling, with feedback open until 29 May 2026. The draft matters for employers and any business using AI or algorithmic decision tools.

2) Notable Case Law

🇪🇺 European Union – CJEU Says a First GDPR Access Request Can Still Be Abusive
The CJEU ruled (PDF) that even a first access request can be refused if it is abusive and made mainly to build a damages claim, not to check whether data is being processed lawfully. The ruling also confirms that unjustified refusals can themselves create compensation risk.

🇮🇹 Italy – Garante Fines Intesa Sanpaolo €31.8 Million
Italy’s Garante fined Intesa Sanpaolo after finding that a single employee repeatedly accessed thousands of customers’ banking data over more than two years, while internal systems failed to detect it. The authority also criticized the bank’s late and incomplete breach notification in its decision (in Italian).

🇺🇸 United States – FTC Settles with OkCupid and Match Over Secret Data Sharing
The FTC announced a settlement with OkCupid and Match after finding that user photos, location data, and other personal data were shared with a third party despite privacy promises. The companies are now barred from misrepresenting their data-sharing practices.

3) New and Upcoming Legislation

🇪🇺 European Union – AI Act Omnibus Enters Negotiation Phase
The European Parliament adopted its position on the Digital Omnibus on AI, opening the way for interinstitutional negotiations. One key proposal is replacing the fixed August 2026 deadline for high-risk AI obligations with a standards-readiness trigger.

🇺🇸 United States – Oklahoma Enacts a Comprehensive State Privacy Law
Oklahoma signed SB 546 into law, becoming the 20th U.S. state to enact a comprehensive privacy law. It grants consumers rights to access, correct, delete, and opt out of certain processing, with enforcement led by the Attorney General.

4) Strong Impact Tech

🇪🇺 European Union – NOYB Signals More Collective Actions After Cyber Incidents
At the IAPP Global Summit, Max Schrems said in an IAPP discussion that NOYB’s new qualified-entity status could be used to bring collective actions, with cyber incidents and data breaches likely to be an early focus.

🇨🇭 Switzerland – Swiss Finance Minister Files Complaint Over Grok Output
Swiss Finance Minister Karin Keller-Sutter filed a criminal complaint after Grok generated abusive content about her, asking prosecutors to assess potential liability in the new report.

Other key information from the past weeks

🇪🇺🇺🇸 EU-U.S. Data Privacy Framework – Adoption Continues, but Legal Uncertainty Remains
At the IAPP Global Summit, speakers noted in an IAPP update that more companies are joining the DPF, while many larger businesses continue using SCCs in parallel as a safeguard.

🇪🇺 European Union – EDPB Launches 2026 Transparency Enforcement Action
The EDPB launched its 2026 coordinated enforcement action on GDPR transparency and information obligations, with 25 DPAs set to contact organizations across sectors and consolidate findings into a final report.

About us

iubenda

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com