The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) issued recommendations for organizations to review their data retention practices and comply with statutory periods effective from 2025. The HmbBfDI specified that different retention periods may apply depending on data type and industry. Access the recommendations here (in German) →
The French CNIL has announced its priorities for 2025: data collection through mobile apps, the right to erasure, cybersecurity of local authorities and data processed in prison administration. Read more here (in French) →
The European Commission proposed to extend the UK’s adequacy decision for six months, until December 27th, 2025. This will give time to the new UK Data (Use and Access) Bill to complete its legislative motions. The EU Commission will then assess the adequacy of the new bill. Read more here →
The Dutch data protection authority (AP) issued its 2024 annual report. A number of regulatory actions on AI, Big Tech and other areas were taken, including six considerable fines and seven reprimands. Learn more here (in Dutch) →
2) Notable Case Law
The Italian Garante fined Energia Pulita S.r.l. €300,000 for GDPR violations, after receiving more than 80 complaints related to unwanted marketing calls. The Garante found out that Energia Pulita wasn’t collecting consent properly, which led to the extensive spreading of personal data to various controllers. Read the Garante’s decision here (in Italian) →
A statement on the O’Carroll vs Meta case was issued by the UK Information Commissioner’s Office which highlighted that individuals have the right to object to personal data use in direct marketing, as per Articles 21(2) and 21(3) of the UK GDPR. Read the statement here →
3) New and Upcoming Legislation
United Kingdom: On March 17th, 2025, the UK’s Online Safety Act’s illegal content obligations came into effect. The Act requires platforms to remove illegal material and prevent criminal content. Learn more here →
California: Assembly Bill 264 was amended to require businesses to obtain explicit consent from consumers before storing their personal information outside the United States. More details here →
Washington:Senate Bill 5708 and House Bill 1834 set new obligations for businesses providing online services to minors. These include estimating minors’ ages, not collecting or selling their data, configuring high privacy settings by default, and restricting profiling and addictive feeds.
4) Strong Impact Tech
The Swiss Federal Data Protection and Information Commissioner (FDPIC) finalised its preliminary investigation into X/Twitter‘s AI system, Grok. Grok processed data from X users and the investigation focused on the transparency of this processing. The FDPIC concluded that X/Twitter was aligned with the FADP requirements. Read more here →
OpenAI has allegedly violated the GDPR‘s data accuracy principle when ChatGPT generated a false criminal story about a Norwegian user, negatively impacting their private life. noyb has filed a complaint with Norway’s data protection authority, Datatilsynet seeking both a fine and the deletion of the story. More details here →
Other key information from the past weeks
The California Privacy Protection Agency fined American Honda Motor $632,000 for CCPA violations. Read more →
A new analysis of the Swiss privacy company Proton has concluded that Big Tech companies hand over the personal data of millions of their users to US authorities. More details →
The Irish Data Protection Commission has submitted a draft decision on an inquiry into TikTok, focusing on the transfer of EU user data to China. Read more →
