Every year at this time I sit down to write a blog article, tying the experiences that I have during the holiday season into the world of data privacy. This year I have struggled to come up with a topic that really spoke to me. But, as I sat down to write my family’s annual […]
data protection
Beyond the Theory: CNIL Sanctions Under the Light of the Digital Omnibus
As the French data protection authority (Commission nationale de l’informatique et des libertés, CNIL) recently imposed two high-amount sanctions, we take this opportunity to try and make a practical application of some rules from the recently published draft of the Digital Omnibus. What Happened? In the span of a week, the CNIL imposed major sanctions […]
EU Data Act: Practical Guidance from the Dutch AP’s Newsletter
The Data Act entered into force on 12 September 2025, and in the Netherlands its national Implementation Act (Dataverordening, Dv) followed on 21 November 2025. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) published a newsletter this week explaining what the Data Act means in practice, particularly for organisations that work with data from connected […]
China’s Revised Cybersecurity Law: Key Changes and Compliance Implications
On 28 October 2025, the Standing Committee of the 14th National People’s Congress adopted the Decision on amending the Cybersecurity Law of People’s Republic of China. The revised Cybersecurity Law (the “Revised Law”) will take effect on 1 January 2026. This is the first substantial update to the Cybersecurity Law (“Original Law”) since its promulgation […]
India’s New Data Protection Framework: What Businesses Need to Know
India has entered a new phase in its privacy journey with the Digital Personal Data Protection Act (DPDPA), 2023 and its recently notified Rules. Together, they establish a comprehensive regulatory system governing digital personal data and operationalize the fundamental right to privacy enshrined in the Constitution of India. The government has chosen a staggered rollout […]
Finally Here: The Digital Omnibus Proposal and Practical Implications for Organisations Through the Lens of GDPR
The European Commission’s Digital Omnibus Package Proposal (the Proposal) represents one of the most comprehensive realignments of the EU’s digital regulatory landscape since the introduction of the GDPR. This comes in addition to the changes the European Commission proposed in May 2025 under Omnibus IV. The long-awaited text, leaked during the previous weekend and now […]
The Italian Data Protection Authority Orders an Immediate Stop to Deepfake App Clothoff
The Italian Data Protection Authority (Garante) has taken urgent action against Clothoff, an AI-powered app capable of generating hyper-realistic “deep nude” images based on pictures of real people. On 3 October the regulator has issued an immediate order blocking the app – developed by a company based in the British Virgin Islands – from processing […]
Whose Consent Is It Anyway? The Promise Behind India’s Consent Manager
This article is part of a series examining the features of India’s Digital Personal Data Protection Act, 2023 that are unique to, or diverge from, the GDPR. India’s Digital Personal Data Protection Act, 2023 (DPDPA) represents a new phase in the country’s data protection landscape. While inspired by global frameworks such as the GDPR, it […]
CNIL Fines Samaritaine €100,000 for Hidden Cameras: A Legal Analysis
On 18 September 2025, the French Data Protection Authority (CNIL) issued Deliberation SAN-2025-008, imposing a €100,000 fine on Samaritaine SAS for clandestinely installing surveillance cameras in employee areas. In August 2023, in response to a rise in stockroom thefts, the company installed five hidden cameras disguised as smoke detectors. The devices also recorded audio. Within […]
Automated Credit Scoring Under Scrutiny in Europe
The CJEU’s SCHUFA judgement (C-634/21) in 2023 clarified that producing and transmitting a credit score can itself amount to an automated decision under Article 22 GDPR where the score is determinative for contract outcomes. This ruling has now translated into concrete enforcement. In 2025, both the Austrian and Hamburg DPAs issued decisions that apply these […]
Bibbidi Bobbidi Boo, Here’s a Fine for You – Disney’s $10M COPPA Case
Sometimes even the strongest magic cannot hide a compliance misstep, as the Federal Trade Commission (FTC) reminded Disney that even their enchantments must follow the rules. On September 2, 2025, a settlement of $10 million was reached between Disney Worldwide Service, Inc. and Disney Entertainment Operations LLC (Disney) and the FTC. Disney is one of […]
AI Meeting Transcripts: Efficiency Tool or Corporate Liability?
AI-powered meeting assistants have rapidly become one of the most adopted categories of workplace technology. These tools join video calls to record, transcribe, and summarize conversations, promising efficiency gains and more reliable documentation. The value proposition is clear: accurate records improve accountability, knowledge-sharing, and business continuity. But as with any technology deployed at scale, the […]
The Data Act entered into force – what you need to know
On 12 September 2025, the Data Act (Regulation (EU) 2023/2854) became applicable in the EU member states. The Data Act creates a framework for fair access to and use of data across the EU and it is aimed at giving users more control over product-generated data and foster the principles of transparency, fairness, and GDPR […]
China‘s Latest Updates on PIPL and Clarifications on Sensitive Personal Information
Different legislative updates were recorded in China in the last couple of months. These concern several topics related to data protection and data security, such as the definition of sensitive personal information, appointment obligations and registration of a Data Protection Officer (DPO), reporting measures in case of data security incidents for financial services and the […]
The Weaponization of Data Protection
As data protection professionals, we see the value of strong individual rights under the GDPR. The right to access, rectify, and erase one’s personal data is foundational to the regulation’s spirit of informational self-determination. But there’s also a negative side to this that is becoming increasingly difficult to ignore: the weaponization of data protection rights […]