Iubenda logo
Start generating

Documentation

Table of Contents

DPO Newsletter: Global Data Protection & Privacy News (issue #139)

DPO Newsletter: Global Data Protection & Privacy News

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

  • The Italian Garante published FAQs on accessing personal data in medical records. In particular, the Garante stated that healthcare facilities must provide data subjects with a copy of their data, and the first copy should be free of charge. Access the FAQs here (in Italian) →
  • The Danish Data Protection Authority, Datatilsynet, has published a press release including its supervisory focus areas for 2025. These areas include, among other things, children’s data, the regulation of digital tracking via shopping apps, and the use of AI and generative AI in healthcare. Access the full list here (in Danish) →
  • Ireland’s Data Protection Commission (DPC) welcomed the European Data Protection Board’s opinion on the use of personal data in AI development and deployment. The DPC asked for this guidance in September 2024 to ensure consistent rules across the EU. Read the press release here →
  • The New Jersey Division of Consumer Affairs Cyber Fraud Unit released FAQs on the New Jersey Data Privacy Law (NJDPL), concerning key definitions and scope of the law. The law affects businesses and controllers targeting New Jersey residents. Learn more here →

2) Notable Case Law

  • The Italian Garante fined Illumia S.p.A. €678,900 for GDPR violations. The company was making unsolicited telemarketing calls, lacked a proper legal basis for the calls, and did not ensure compliance with the law. Read about the decision here (in Italian) →
  • The Court of Justice of the European Union (CJEU) ruled that access requests under GDPR cannot be deemed ‘excessive’ solely based on their number. The case involved an Austrian individual whose complaints were limited by the Austrian Data Protection Authority to two per month. This decision was overturned, and the CJEU clarified that authorities must prove abusive intent to label requests as excessive and may only impose fees or refuse requests if disproportionate. Access the ruling here →

3) New and Upcoming Legislation

  • New Hampshire: House Bill 195, introduced on January 8, 2025, proposes amendments to the New Hampshire Privacy Act by clarifying the definition of ‘personal information’ and setting conditions for its disclosure. It requires explicit, informed consent for most disclosures but allows exceptions for emergencies, criminal activity, or legal obligations. Access here →
  • Texas: Senate Bill 726, introduced on January 1, 2025, requires smart device operators in Texas to inform users about personal data collection. Text of the bill →
  • Virginia: Senate Bill 769 amends §59.1-578 of the Code of Virginia, requiring privacy notices with opt-out options for cookies and consumer consent for non-essential cookies. Read more here →
  • Washington: House Bill 1170 requires entities with generative AI systems used by over 1 million people in Washington to offer free AI detection tools, user feedback systems, and AI-generated content disclosures. It also prohibits collecting personal data through the detection tool, except under specific conditions. Access here →

4) Strong Impact Tech

  • The Texas Attorney General has filed a lawsuit against TikTok for violations of the Deceptive Trade Practices Act. The lawsuit accuses TikTok of false advertising and for marketing its apps as safe for minors, not disclosing the nature of the content and its addictiveness. Read more here →
  • Apple has agreed to pay $95 million to settle a 5-year-long lawsuit. Allegedly, the voice assistant Siri recorded private conversations that were shared with third parties and used for targeted ads. Learn more →

Other key information from the past weeks

  • The Dutch Data Protection Authority fined Coolblue B.V. €40,000 for GDPR violations related to improper cookie consent practices. Learn more →
  • France’s Law No. 2024-449 transposes the European Digital Services Act and Digital Markets Act into national law. Access here (in French) →
  • The French CNIL fined the telecommunications operator ORANGE 50 million euros for showing advertising to users of its email service without their consent. Read more →

đź‘Ť Enjoyed this issue? Share it on LinkedIn and subscribe for weekly updates

About us

iubenda

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com