< ciso brief />

All news with #gdpr tag

56 articles

Most CISOs Would Consider Paying Ransoms to Recover

🔒 A new report from Absolute Security finds that 58% of CISOs would realistically consider paying a ransom to restore systems after a ransomware attack. US respondents were likelier to consider payment (63%) than UK peers (47%), with legal guidance, GDPR and doubts over recovery cited as reasons. Operational downtime was viewed as the most damaging impact. The report warns organizations to invest in resilience, infrastructure and governance to reduce reliance on ransom payments.

NOYB Sues LinkedIn Over Paywalled 'Who Viewed' Data

⚖️ NOYB has filed a complaint in an Austrian court arguing that LinkedIn’s paywalled "Who’s Viewed Your Profile" feature violates GDPR Article 15 by denying EU users free access to profile-visitor data. The group says LinkedIn refuses Data Subject Access Requests (DSARs) from non-paying users while providing the same information to Premium subscribers. LinkedIn rejects the claim, saying it discloses the information via its Privacy Policy and that users can control visibility settings. NOYB seeks regulatory enforcement and potential fines to stop what it calls illegal monetization of access rights.

Ten Years of GDPR: Achievements, Gaps, and Next Steps

🔒 Ten years after the EU adopted the General Data Protection Regulation (GDPR), experts say it fundamentally reshaped corporate privacy culture but left important gaps. Analysts credit the GDPR with embedding privacy into daily operations, raising standards, and creating accountability by forcing organizations to know and document their processing. Yet enforcement inconsistencies, international transfer disputes, widespread consent fatigue and the rise of generative AI expose legal and practical tensions that require clarification and coordination with newer digital rules.

Amazon Quick launches in AWS Frankfurt (eu-central-1)

🇩🇪 Amazon Quick is now available in the AWS Europe (Frankfurt) region (eu-central-1). This launch lets customers in Germany use Amazon Quick capabilities—AI-powered chat, Research, Spaces, Flows, and QuickSight dashboards—with data stored and processed locally within the Frankfurt region. The expansion includes in-region inference via EU-CRIS, ensuring inference traffic stays inside European AWS Regions. Regulated industries such as financial services, healthcare, and the public sector can meet GDPR and local data sovereignty requirements.

Police Scotland fined £66,000 for sharing phone data

⚖️ Police Scotland was fined £66,000 and reprimanded after an Information Commissioner’s Office (ICO) investigation found the force extracted and then mistakenly shared the full contents of a female detective’s phone with the officer she accused of rape. The disclosed material reportedly included intimate photos, medical records and contact details. The ICO said the force failed to limit data sharing, implement appropriate organisational and technical measures, and notify the regulator within the required 72‑hour timeframe.

EU Adviser: Banks Must Immediately Refund Phishing Victims

⚖️ Advocate General Athanasios Rantos advised that, under PSD2, banks must immediately refund customers for unauthorised transactions resulting from phishing unless the bank has reasonable grounds to suspect the customer committed fraud and communicates those grounds in writing to the competent national authority. Banks may later seek reimbursement if they can prove the customer acted intentionally or with gross negligence. This opinion is advisory, not a final CJEU ruling.

GCHQ Seeks CISO for Under 130,000 GBP Amid Skills Shortage

🔐 A recent job posting from GCHQ for a Chief Information Security Officer has drawn industry attention for offering a maximum salary of £130,000 (roughly €150k–€155k) despite demanding executive-level responsibilities. The role requires deep expertise in securing cloud environments, emerging technologies and compliance with frameworks such as NIST, ISO 27001, GDPR and GovS 007. Desired certifications include CISSP, CISM or CCISO. Observers note the posting highlights the gap between public sector compensation and market rates amid a global cybersecurity skills shortage.

Samsung to Stop Collecting Texans' TV Viewing Data Without Consent

🔒 Samsung and the State of Texas have settled a dispute over allegations that its smart TVs used Automated Content Recognition (ACR) to collect viewing data without users' express consent. Under the agreement, Samsung must halt collection or processing of ACR viewing data from Texas consumers unless they give clear, affirmative consent, and it will update TVs with clearer privacy disclosures and consent screens. Texas AG Ken Paxton said the settlement compels clear, conspicuous notices; Samsung maintains it did not spy on consumers but agreed to strengthen privacy notices.

GCHQ CISO Role Offers Surprisingly Low Salary for Nation

⚠️ A recent GCHQ job advertisement seeks a chief information security officer described as one of the most influential cyber security leadership roles in the UK, yet it offers a maximum salary of £130,000 (about $175,000). The role asks for expertise securing cloud environments and emerging technologies, and knowledge of frameworks such as NIST, ISO 27001, GDPR and GovS 007. Professional certifications like CISSP, CISM or CCISO are flagged as highly desirable. The compensation and absence of industry-style incentives have prompted criticism amid a global shortage of security talent.

Olympique Marseille Confirms Cyberattack After Data Leak

⚠️ Olympique de Marseille says it was the target of an attempted cyberattack after a threat actor claimed to have breached some servers and leaked a sample of allegedly stolen information. The actor claims the database includes details on about 400,000 individuals and more than 2,050 Drupal CMS accounts, including staff, contributors, and moderators. The club reports its technical teams and specialized providers quickly contained the situation, that operations continue normally, and that no banking details or passwords have been compromised; it has reported the incident to the CNIL and filed a complaint.

UK Data Watchdog Reorganises to Board-Led Agency Structure

🔒 A forthcoming overhaul to the UK GDPR will convert the Information Commissioner's Office from a single-commissioner model into a board-run government agency, with Paul Arnold appointed as the first CEO of the new structure. The changes, to be enacted through the Data (Use and Access) Act 2025, aim to improve continuity, broaden expertise and manage a growing workload. The reform also grants the ICO new investigatory and compulsory powers and expands duties affecting businesses, while Data Essentials training will be scaled up.

ICO fines Reddit £14.47m over inadequate age checks

🔒 The UK Information Commissioner's Office (ICO) has fined Reddit £14.47m for failing to implement robust age verification and for not conducting a required data protection impact assessment (DPIA) before January 2025. The regulator found that children under 13 had personal data processed without a lawful basis and were potentially exposed to inappropriate content. Reddit maintains it avoids collecting identity data to protect privacy, while experts warn heavy-handed identity checks could introduce new privacy and security risks.

UK fines Reddit £14.47M for unlawfully using children's data

🔒 The UK Information Commissioner's Office has fined Reddit £14.47 million for collecting and processing the personal information of children under 13 without adequate safeguards. The ICO found Reddit lacked a meaningful age-verification system until July 2025 and judged the measures introduced then could be easily bypassed. Reddit said it will appeal and disputes the regulator's assessment.

Ireland launches GDPR probe into X's Grok for sexual images

🔎 Ireland's Data Protection Commission has opened a formal probe into X over the use of its Grok AI to generate non‑consensual sexual images of real people, including children. The inquiry will assess whether X Internet Unlimited Company complied with core GDPR duties such as lawful processing, data protection by design, and required impact assessments. The DPC said it has been engaging with XIUC since media reports emerged and has commenced a large‑scale inquiry. As X's EU lead regulator, the DPC's findings could trigger cross‑border enforcement and significant penalties.

Eurail Data Breach: Stolen Traveler Records Sold on Dark Web

🔒 Eurail B.V. confirmed that customer data stolen in a breach earlier this year is now being offered for sale on the dark web, and a sample dataset was published on Telegram. The company says it is still determining which specific records and how many customers are affected, but reported compromised fields may include full names, passport and ID numbers, IBANs, health details, and contact information. GDPR-required notifications have been filed and non-EU authorities will be informed. Customers are urged to change reused passwords, monitor bank accounts closely, and contact privacyhelp@eurail.com for support and FAQs.

France Travail Fined €5m After 2024 Breach Exposed 43M

🔒 France Travail has been fined €5 million by the CNIL after a March 2024 cyber-attack that potentially exposed personal data for an estimated 43 million jobseekers. The regulator found failures including weak authentication for Cap Emploi advisors, insufficient logging and monitoring, and overly broad access permissions, breaching Article 32 of the GDPR. France Travail must provide evidence of corrective measures on a strict timeline or face a €5,000 daily fine.

France fines employment agency €5 million over breach

📢 France Travail was fined €5 million by CNIL after a 2024 breach exposed personal data for up to 43 million job seekers. CNIL said attackers used social engineering to hijack CAP EMPLOI advisers' accounts, exposing names, birth dates, national insurance numbers, addresses, emails and phone numbers. The watchdog ordered documented corrective measures and warned of €5,000 daily penalties if the agency fails to comply.

GDPR Violation Reports Surge to Highest Daily Rate

📈 A new DLA Piper report finds that notifications of GDPR violations across the EU averaged 443 reports per day in 2025, a 22% increase over 2024. The firm cautions that the dataset does not definitively explain the rise but highlights likely drivers such as geopolitical tensions, new attacker technologies, and expanded mandatory reporting laws. Annual fines remained near €1.2 billion while cumulative penalties total about €7.1 billion since 2018.

AI Agents Are Rewriting Compliance Controls—CISOs Must Act

🛡️ AI agents are being embedded into regulated workflows and are forcing a rethink of controls designed for human actors, including SOX, GDPR, PCI DSS, and HIPAA. Because agents act, adapt, and drift, controls that once relied on predictable human behavior can silently fail, collapsing segregation of duties and exposing sensitive data. CISOs should treat agents as non-human identities with least‑privilege access, strong credential management, continuous monitoring, and robust logging and change governance to keep regulated workflows auditable and defensible.

Over 160,000 Companies Notify Regulators of GDPR Breaches

📈 The number of organisations reporting GDPR breaches rose 22% in 2025 to a daily average of 443, according to DLA Piper, making this the first year since 2018 that notifications topped 400. Germany, the Netherlands and Poland recorded the most reports, and analysts pointed to geopolitical unrest and emerging AI-enabled threats as contributors. Annual GDPR fines remained stable at €1.2bn, with Ireland issuing the largest share, including a €530m penalty for TikTok over international data transfers.