DPO Newsletter: Global Data Protection & Privacy News (issue #153)

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

🇮🇹 Italy – AgID Publishes Accessibility Guidelines Under the European Accessibility Act
Italy’s Agency for Digital Italy adopted new guidelines to help businesses meet accessibility requirements for digital services (Italian, PDF) under the EAA. Read the AgID news article (Italian).

🇪🇺 European Union – Parliament Advances AI Omnibus Under Digital Omnibus Package
MEPs reached a preliminary agreement on AI Act amendments, extending high-risk compliance deadlines to 2027–2028, introducing a ban on non-consensual deepfakes, and strengthening AI Office oversight powers.

🇬🇧 United Kingdom – ICO and Ofcom Push Platforms for Stronger Age Checks
The ICO and Ofcom called on major platforms to improve age verification, warning that children under minimum-age thresholds cannot be lawfully processed as regular users. Read the ICO press release.

2) Notable Case Law

🇫🇷 France – Court Upholds Criteo’s €40 Million GDPR Fine
France’s highest administrative court confirmed CNIL’s fine against Criteo over consent, transparency, and erasure violations affecting millions of users. Read the Conseil d’État’s decision.

🇮🇹 Italy – Garante Fines Intesa Sanpaolo €17.6 Million Over Unlawful Profiling
Italy’s privacy authority fined the bank for profiling 2.4 million customers during a restructuring and shifting them to a digital subsidiary without a valid legal basis. Read the Garante press release (Italian).​​​

🇪🇸 Spain – AEPD Fines Yoti €950,000 Over Biometric Age Verification
Spain’s data protection authority sanctioned Yoti for unlawful biometric processing, invalid consent collection, and excessive retention of personal data. Read the AEPD Resolution (Spanish, PDF)

3) New and Upcoming Legislation

🇺🇸 United States – California’s CalPrivacy Opens Consultation on Privacy Rights and Opt-Out Signals
California’s privacy agency launched consultations on reducing friction in privacy rights requests and improving opt-out preference signals, with comments open until 6 April 2026. Read the CalPrivacy notice on reducing friction.

4) Strong Impact Tech

🇺🇸 United States – Anthropic Sues Pentagon Over AI Military Use Restrictions
Anthropic challenged a Pentagon designation that followed its refusal to allow certain military uses of Claude, including mass surveillance and autonomous weapons without human oversight. Read the Anthropic’s civil compliant here (PDF)

🇪🇺 European Union – X Submits Blue Check Compliance Plan After DSA Fine
X submitted proposed changes to its verification system following the European Commission’s enforcement action under the DSA.

Other key information from the past weeks

🇪🇺 European Union – EDPB Publishes First Data Brokers Market Study
The EDPB mapped over 40 data broker actors, highlighting re-identification risks and offering a framework for regulators to better assess third-party data ecosystems. Read more here.

🇺🇸 United States – OpenAI Tests Ads in ChatGPT, Raising Privacy Concerns
OpenAI began testing ads in ChatGPT, potentially personalised based on user interactions, prompting concerns about influence in highly sensitive contexts. Read more here.