Privacy Update – Q1 2026

20 April, 2026


Dear Clients and Friends,
This update highlights key privacy and data protection developments across the EU, Israel, and the US. It covers recent court rulings on GDPR enforcement, new Israeli PPA guidelines on consent and cross-border data transfers, and US regulatory action under COPPA.

EU

Austrian Supreme Court Strengthens Access Rights

Following 11 years of litigation, the Austrian Supreme Court ruled on claims that Meta, in response to an access request, did not provide full access to the data subject’s personal data but instead provided only partial access in the form of an exemplary list. The Court held that Meta is required to provide the data subject with full access, including a list of data sources, recipients, and the processing purposes.

Poland’s DPA Fines Poczta Polska SA for Inadequate DPO Independence Safeguards

Poland’s data protection authority (UODO) fined Poczta Polska S.A. for failing to ensure the independence of its Data Protection Officer (DPO). An investigation revealed a clear conflict of interest, as the DPO also held a role in the company directly related to personal data processing. Simply put, the DPO was monitoring their own decisions. UODO also found that the company lacked a documented assessment of the DPO’s overall responsibilities in the company to ensure the DPO had the time and resources available to properly fulfill their DPO duties.

French Court Upholds €40 Million Fine for GDPR Breaches by an Adtech Company

The French Council of State upheld a CNIL fine against Criteo S.A., confirming that ad networks collecting personal data via cookies on partner websites act as controllers. Where Criteo uses such data for its own purposes, it is an independent controller. Criteo must independently demonstrate that valid consent was actually obtained and could not rely purely on contractual obligations requiring partners to obtain consent. The Court also ruled that blocking personalized ads does not satisfy erasure requests; Criteo was required to delete individual identifiers assigned to data subjects, and legitimate interest could not justify any continued processing of such identifiers.

EDPB and EDPS Joint Opinion on Digital Omnibus Proposal May Lead to a Rollback of Proposed GDPR Changes

The EDPB and EDPS recently issued a Joint Opinion on the proposed Digital Omnibus Regulation (aiming to simplify the EU’s digital regulatory framework and amending the GDPR, ePrivacy Directive and the Data Act), supporting certain minor amendments to the GDPR, while opposing changes that narrow the definition of personal data. The Proposal would have limited “personal data” to data that only the holder on its own could use to identify individuals, disregarding whether other recipients could do so. The authorities emphasized that reducing regulatory burdens must not compromise data subjects’ fundamental rights. Euractiv reported in February that the European Council is planning to remove this change in the Digital Omnibus Regulation, possibly due to the Joint Opinion.

Israel

PPA Publishes Practical Guidance on Privacy-Enhancing Technologies for AI Systems

In December 2025, the Israel Privacy Protection Authority (PPA) published a guide on Privacy Enhancing Technologies (PETs) for AI systems. The publication maps privacy risks across training data, user inputs, and system outputs throughout both the development and operational phases of AI systems. It categorizes technical solutions into three main types: data transformation, distributed computation, and encryption-based separation. The guide encourages layering these technologies to allow for flexible, context-specific implementation, and includes illustrative use cases across sectors such as health, finance and official statistics. It also reflects a broader expectation that such measures form part of privacy-by-design in AI systems.

PPA Issues First Responses to Legal Inquiries

Under Amendment 13, stakeholders may send the PPA inquiries to clarify the legal status in a particular case, helping them proactively adhere to the law and potentially reducing the need for enforcement actions. The PPA released its first such preliminary opinions in February. These clarify two questions relating to each entity’s need to appoint a DPO and one relating to the designation of personal data under the data security regulations.

PPA Publishes Final Guidelines on Consent

The PPA published final, binding guidelines on consent, the main legal basis for processing under Israeli law. The guidelines signal a move toward concepts derived from the GDPR, such as differentiating processing that is necessary to perform a contract, recognition of a framework similar to processing for legitimate interests and addressing the withdrawal of consent. Some of the key takeaways include:

Enhanced Standard for Informed Consent

The PPA raises the bar for what constitutes “informed” consent in certain contexts, particularly when there are power imbalances between the parties, accessibility concerns, or where the processing constitutes a new form of technology with which the data subjects are likely unfamiliar. In these cases, the burden of proof may shift to the controller to demonstrate that valid consent was obtained. In any case, where the controller intends to process the personal data for additional purposes beyond those for which they were originally collected, such purposes should be highlighted in the privacy notice.

Reliance on Statutory Defenses

The Protection of Privacy Law, 1981, includes a section defining when an infringement of privacy is permitted (Section 18). The guidelines explain that in order to benefit from such a defense, the infringing party must conduct and document a balancing test between the infringement and the rights of the data subject. The test must show that the infringement outweighs those rights and must include the reasons and legitimate interests of the infringing party that justify the infringement. This reflects a structured approach akin to a legitimate interests analysis.

Consent Withdrawal

Requests to withdraw consent should be seriously considered. Where consent is withdrawn and previous processing cannot be reversed, future processing should be restricted.

PPA Publishes Opinion on Cross-Border Transfers under Regulation 2(4)

The PPA has published an Opinion clarifying its interpretation of Regulation 2(4) of the Privacy Protection Regulations (Transfer of Data to Databases Outside State Borders), 2001. Regulation 2(4) permits transfers of personal data from Israel to a third country where the recipient makes contractual commitments to comply with the requirements of Israeli data protection laws, “with any necessary adaptations”.

The PPA clarifies that “necessary adaptations” is not a subjective standard and cannot be based on the foreign recipient’s own organizational or operational constraints. Any agreement under Regulation 2(4) must include terms reflecting key requirements under Israeli law, including the purpose limitation, rights of access and correction or deletion, and confidentiality obligations. The recipient must undertake to comply with the substantive requirements of the Israeli Privacy Protection Regulations (Data Security), 2017, or maintain ISO/IEC 27001 certification. Where the Israeli database includes personal data originally transferred from the European Economic Area, the recipient must also undertake to comply with the substantive requirements of the Israeli regulations governing such data.

US

Disney Ordered to Pay $10 Million for COPPA Violations

The authorities alleged that certain child-directed videos were not properly labeled “Made for Kids”, enabling the collection of children’s personal information without adequate parental notice and verifiable consent. The order requires Disney to pay a $10 million civil penalty and to maintain ongoing compliance with COPPA’s notice and consent rules. It also obliges Disney to establish a documented program reviewing whether videos posted to YouTube should be designated as child-directed, unless YouTube makes changes to its platform obviating the need for such designations.

New York Legislature Passes Bill Expanding Protections for Sensitive Health Information

The New York Senate passed Senate Bill 1633A and the bill has been delivered to the New York State Assembly for further consideration. The bill seeks to expand protection for sensitive health information. The bill would require health information networks (systems that enable the electronic sharing of patient data across multiple healthcare providers and organizations) to support segmentation of sensitive data and restrict access to authorized parties. Electronic health record systems would be required to support segmentation and functionalities enabling providers to restrict disclosures of certain categories of data and to better control the sharing of such information, including in cross-state contexts where applicable. Healthcare providers would be required to offer mechanisms to allow patients to request restrictions on certain disclosures and, in defined circumstances, to provide notice before responding to specified legal demands.


The above content is a summary provided for informational purposes only and does not constitute legal advice. It should not be relied upon without obtaining further professional legal counsel.
