DPO Newsletter: Global Data Protection & Privacy News (issue #146)

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

🇩🇪 Germany – BfDI Updates GDPR and BDSG Guidance Brochure
The Federal Commissioner for Data Protection updated comprehensive guidance (in German) covering GDPR-BDSG relationships, lawful processing bases, data protection principles, DPO requirements, and data subject rights with practical implementation examples.

🇱🇺 Luxembourg – CNPD Publishes AI Literacy Guidance Under EU AI Act
The authority provided a framework for Article 4 AI literacy requirements, emphasizing tailored employee training based on experience levels, risk assessment for AI-affected individuals, and development of appropriate oversight mechanisms.

🇳🇴 Norway – NSM Releases National Cyber Incident Response Framework
The National Security Authority established a collaborative approach between businesses and National Cyber Security Center (in Norwegian), requiring compliance with ICT security principles, third-party supplier reviews, and systematic incident handling processes.

🇨🇦 Canada – OPC Launches Children’s Privacy Code Consultation
Privacy Commissioner initiated stakeholder consultation to clarify PIPEDA obligations for children’s data until August 19, 2025. The consultation covers privacy by default and privacy rights, transparency requirements and deceptive practice avoidance.

2) Notable Case Law

🇺🇸 USA – FTC Fines Companies $145 Million for Telemarketing Violations
Assurance IQ fined $100 million and MediaAlpha $45 million for deceptive healthcare plan marketing. In addition, MediaAlpha also carried out unauthorized robocalls to Do Not Call Registry numbers, and misled consumers about coverage benefits.

3) New and Upcoming Legislation

🇬🇷 Greece – ADAE Issues Electronic Communications Privacy Regulations
Decision 304/2025 requires providers to establish security policies, conduct risk assessments, implement incident reporting procedures to ADAE, and maintain employee training and encryption standards for network protection (in Greek).

🇺🇸 USA (Federal) – Senate Introduces Trustworthy AI Validation Act
Legislation mandates NIST Director develop voluntary AI assurance guidelines within one year, addressing harm mitigation, consumer privacy, governance controls, and dataset quality with biennial reviews.

4) Strong Impact Tech

🇺🇸 USA – State Attorneys General Challenge Instagram Location-Sharing Feature
Multiple AGs expressed concerns about Meta’s Instagram location feature risks to vulnerable populations, recommending minor access restrictions, adult user risk alerts, and simplified disable controls for enhanced safety.

🇬🇧 United Kingdom – Law Commission Examines AI Legal Personality Framework
Discussion paper explores AI autonomy, adaptiveness, and potential legal personality grants, emphasizing need for legal evolution amid rapid AI advancement while considering implications of non-personality scenarios.

Other key information from the past weeks

🇫🇷🇳🇱 France/Netherlands – Air France and KLM Third-Party Data Breach
Forbes reported that a breach in a third-party customer support tool exposed passenger names, contact details, and loyalty numbers, linked to a phishing campaign targeting Salesforce platforms. Authorities have been notified.

🇨🇭 Switzerland – PostFinance Voice Recognition Violation
The Swiss Federal Data Protection and Information Commissioner (FDPIC)  ruled against PostFinance AG for unlawful biometric voice recognition collection in violation of proportionality principles. The bank used opt-out rather than express consent and was ordered to obtain proper consent and delete existing voiceprints. However, it has appealed the FDPIC’s decision to the Federal Administrative Court.

🇺🇸 USA – GameStop Settles Facebook Data Sharing Case for $4.5 Million
Settlement covers unauthorized customer data sharing via Facebook tracking pixels between August 2020-April 2025 without proper consent. Claims deadline was August 15, 2025.