Privacy law

Tax authorities’ access to individuals’ banking data: the European Court of Human Rights sets privacy limits in the case of Ferrieri and Bonassisa v. Italy

By Francesco Gelmetti & Andrea Isola on February 4, 2026

The 2026 opened with a notable decision by the European Court of Human Rights (ECtHR) in the case of Ferrieri and Bonassisa v. Italy.

The ECtHR found the violation of Article 8 of the Convention for the Protection…

Agentic AI: the ICO’s early thoughts on the data protection implications

By Marcus Evans (UK) & Rosie Nance on January 12, 2026

The ICO has kicked off 2026 with sharing its early thoughts on the data protection implications of agentic AI in its ICO tech futures: Agentic AI report. The report considers the novel data protection risks presented by agentic AI.

The Healthline Order: Privacy law grows teeth

By Steve Roosa (US), Philip Hodgkins (US) & Susan Ross (US) on July 11, 2025

The proposed $1.55 million CCPA settlement with Healthline is not just the largest of its kind to date – it is, more importantly, it marks a pivotal evolution in how American regulators are approaching consumer privacy enforcement.

The facts are…

AI Armageddon Series

By Steve Roosa (US) on June 30, 2025

The biggest AI privacy problems no one is talking about: Installment 1: The Agent2Agent (“A2A”) Protocol

In the privacy world, everyone is focused on fairness, bias, and data scraping. These issues, however, are not even among the top 3 AI…

CJEU Advocate General clarifies when pseudonymised data falls outside the definition of personal data

By Marcus Evans (UK), Rosie Nance & Alice Knowles on February 10, 2025

On 5 February 2025, the Advocate General of the Court of Justice of the European Union (CJEU) issued its opinion in the case of C 413/23 P European Data Protection Supervisor (EDPS) v Single Resolution Board…

Online Safety Act: Protecting Children from Harmful Content Online – Ofcom’s Guidance on Age Assurance for Part 3 Services

By Farah Mukaddam (UK), Marcus Evans (UK) & Rosie Nance on January 28, 2025

Ofcom has published its guidance for implementing age assurance measures for regulated service providers. User-to-user (U2U) services and search services take note: a decision not to implement highly effective age assurance measures means that your service may be deemed by…

New Horizons in Data Protection: Malaysia’s Personal Data Protection (Amendment) Act 2024

By Wilson Ang, Jeremy Lua & Terence De Silva on January 17, 2025

On 24 December 2024, Malaysia’s Minister of Digital stipulated the dates on which the provisions of the Malaysian Personal Data Protection (Amendment) Act 2024 (Amendment Act) will come into force. The Amendment Act will take effect in three…

Facial recognition and privacy: Updated OAIC guidance

By Lisa Fitzgerald on December 11, 2024

The Office of the Australian Information Commissioner (OAIC) has issued guidance to private sector organisations who are considering using facial recognition technology (FRT) for identification purposes in commercial or retail settings. The guidance follows a determination of the Privacy Commissioner…

TR v Land Hessen – DPA not obliged to fine under the GDPR

By Shan Nanayakkara on December 3, 2024

By Shan Nanayakkara

In TR v Land Hessen (C‑768/21) the European Court of Justice (“ECJ”) found that following a personal data breach, a supervisory authority is under no obligation to exercise its corrective powers, specifically the power to…

Bill C-26: Advancing towards cybersecurity governance in Canada

By John Cassell (CA), Imran Ahmad (CA) & Marisa Kwan on October 30, 2024

Content On September 19, the Senate commenced its second reading of Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, marking a significant step forward in the legislative process since…

Data Protection Report