Understanding the ICO’s Encryption Guidance under UK GDPR

In her latest blog post, Protiti Basu outlines the new guidance from the UK’s ICO regarding the use of encryption under the UK GDPR.

- When? During transmission, storage or when using portable media, encryption should be routine under the new guidance.
- Which encryption, and how to decide if it is important? Both symmetric and asymmetric encryption are covered, as is the need to decide, for example with a risk assessment, whether encryption should be used. Encryption should be part of a broader defence-in-depth approach to security and become another layer of security.

The ICO has made it clear that encryption is no longer optional but should be routine as a way to protect individuals and build further trust.

Read Protiti’s full analysis here: https://lnkd.in/eWssUDkF
Info
FIRST PRIVACY is a member of the DSN GROUP, a leading provider of services for the management and assessment of corporate data protection. We are dedicated to providing our services internationally, covering markets within and beyond Europe. We are responsible for the data protection of more than 200 companies, among them globally operating companies in different fields, such as Astrazeneca, Cochlear, Shire, ArcelorMittal, AB InBev, Vapiano, Conergy, Nordex, DelMonte, Bureau Veritas and Germanischer Lloyd. As a market leader specialized in data protection and information security, we provide a wide range of expertise and experience and constantly keep pace with the global progress in information technology and IT development. FIRST PRIVACY supports companies in managing their data collection, processing and storage in accordance with national and international legislation and jurisdiction. We advise clients worldwide, focussing on their compliance with all relevant regulations. We help prevent confidentiality breaches and loss of data. Our team consists of experienced lawyers, computer security experts and cryptographers. In collaboration with our clients we develop and advise on best practices, strategies and solutions to ensure full compliance with national regulations. With more than 10 years of experience in data protection and privacy consulting, we know the core areas of corporate data protection. Over this period of time we developed our simple but effective philosophy: "Data protection with a reasonable sense of proportion." We know that data protection and privacy regulations are an important compliance issue, but not your most important business area. So we focus on the core aspects and try to find practical solutions adequate for your business. Imprint & Privacy Policy: https://www.dsn-group.com/privacy-social-media
- Website
- https://www.dsn-group.com/about-us/companies-of-the-group/first-privacy
- Industry
- Legal Services
- Company size
- 11–50 employees
- Headquarters
- Bremen, Bremen
- Type
- Privately held
- Founded
- 2013
- Specialties
- Data Privacy Counseling and Compliance Services, Data Security, International Privacy Law, IT-Security and Penetration-Testing, Health Care Privacy, HR Privacy and Website Compliance Counseling
Locations
- Primary: Konsul-Schmidt-Strasse 88, Bremen, Bremen 28217, DE
- Woerthstrasse 15, Wuerzburg, Bavaria 97072, DE
- Naritaweg 127-137, Amsterdam, Amsterdam 1043BS, NL
Employees of FIRST PRIVACY
-
Michelle Bausenwein
Senior Privacy Counsel at FIRST PRIVACY GmbH
-
Tania Vanessa Eslava Suárez
Privacy Counsel at FIRST PRIVACY GmbH
-
Peter Suhren
Managing Director at FIRST PRIVACY GmbH / Lawyer at datenschutz nord GmbH
-
Marina Anagnostaki
Senior Privacy Counsel / Data Protection Lawyer Member of the EDPB's Support Pool of Experts
Updates
-
Disney’s $10M COPPA Case

In her latest blog post, Michelle Bausenwein analyses the $10M settlement reached on September 2, 2025 between Disney and the US FTC. As a way to comply with the Children’s Online Privacy Protection Act (COPPA), YouTube introduced a setting to label a video or a full channel as “made for kids” or “not made for kids” in order to restrict certain YouTube functions. This would allow a higher level of protection of children’s data. However, even though this was possible through YouTube’s settings, Disney mislabeled many videos according to the FTC, resulting in a lack of protection for children’s data as required by law. This $10M settlement, in a context where both the US and the EU are strengthening their legal arsenal to protect children’s data, shows how critical data protection by design can be.

Read Michelle’s full analysis here: https://lnkd.in/ePW7xqCt
-
The ICO’s Warning Against Unlawful Marketing

In a recent blog post, our colleague Protiti Basu analyses the new sanctions totalling £550,000 imposed by the UK’s ICO on two major companies relying on automated marketing calls. With both sanctions, the ICO clarified the need for consent to direct marketing calls as well as the transparency requirements for companies:

- Consent must be given to each type of call (automated or not); general consent to marketing does not apply, especially to automated calls.
- Companies must state their identities and in particular display clear phone numbers and contact details. Opting out of the call must always be possible.

These two decisions should be both a cautionary tale and an opportunity: compliance with a law is both a duty and the foundation of trust.

Read Protiti’s full analysis here: https://lnkd.in/eSPCKaHT
-
🇨🇳 China Issues Measures on Personal Information Compliance Audits

In her latest blog post, Han Zhang outlines the new Administrative Measures on Compliance Audits for Personal Information Protection as passed by the Cyberspace Administration of China and what they imply for enterprises:

- Two types of audits: periodic audits, compulsory for all personal information processors, and regulatory audits, which are triggered by regulators.
- Most enterprises have no fixed timetables. Above a threshold of 10 million individuals’ data, a mandatory timetable applies.
- Audits can be conducted internally or externally. However, large companies or major internet platforms may be required to conduct external audits.

Read Han’s full analysis here: https://lnkd.in/esd9bgKy
-
Fantastic to see our colleague Dr. Jur. Verónica Miño Vásquez representing FIRST PRIVACY at the 3rd European Health Data Protection Conference (EHDPC) in Paris. 🎉🎉
This was the wonderful view that the attendees of the 3rd EHDPC enjoyed this morning in Paris. I had a wonderful day as I presented a panel with Erik Boucher from the CNIL, Tania Palmariellodiviney (MSc) from Privacy Simplified and Yvan Malgorn, retired Colonel from the Gendarmerie. I’m thankful to my panelists for your engaging presentations and extremely informative and interesting contributions! I thoroughly enjoyed chairing this panel and will make sure to keep in touch with you and count on your expertise in the future! Thank you to all the attendees for your questions, comments and contributions; the 3rd EHDPC was indeed fantastic!
-
Cookies keep costing companies dearly in France. Over the past few years, the CNIL has issued some of Europe’s highest fines for unlawful use of cookies and trackers. The latest wave came in September: Google (€325M) and Shein (€150M), both sanctioned for practices that undermined valid consent and ignored users’ choices. As our colleague Francesca Romana Di Costanzo highlights in her new blog post, these cases reinforce three points:

- ePrivacy rules apply independently from GDPR’s one-stop-shop.
- Consent must be free, specific, and easy to refuse.
- Dark patterns around cookie banners will not be tolerated.

In France, cutting corners on cookies can cost hundreds of millions.

👉 Read Francesca’s full analysis here: https://lnkd.in/etMYEZzK
-
The EU Data Act is here! As explained by Francesca Romana Di Costanzo in her latest post, the Data Act (Regulation (EU) 2023/2854) reshapes the rules for access to and use of data generated by connected products and services.

🔑 What it means for organisations:

- Users must get easy, free, and quick access to product data.
- Transparency: tell users what data is generated before contracts are signed.
- Cloud switching: no lock-in, easy provider change.
- Contracts & interoperability: clear licence terms and usable data across systems.

⚖️ The Data Act works alongside the GDPR: whenever personal data is involved, GDPR applies.

📌 Companies should already be preparing: update systems, adapt contracts, and set up processes for data access and portability.

Read the full analysis by Francesca here: https://lnkd.in/drxR-_fh
-
⚖️ When is pseudonymised data still personal? In her latest blog post, our colleague Giulia Provini analyses the recent CJEU judgment in EDPS v Single Resolution Board (C-413/23 P), which directly addresses this question. On 4 September 2025, the Court clarified that the classification of pseudonymised data depends on who holds it and what they can realistically do with it:

- For controllers: pseudonymised data remains personal if they retain the re-identification key. GDPR obligations apply in full.
- For recipients: if they lack the key and cannot reasonably re-identify individuals by other means, the same dataset may not count as personal data.
- Actor-specific assessment: identifiability is not absolute but contextual. The same data can be personal in one party’s hands and non-personal in another’s.

The CJEU rejected a “one-size-fits-all” approach and reinforced a proportionate, case-by-case analysis. For organisations, this means pseudonymisation is never a shortcut to GDPR exemption. Each processing context must be evaluated carefully, with DPO or privacy counsel involvement.

Read Giulia’s full analysis here: https://lnkd.in/eJ3hdzAU
-
Supervisory authorities are raising the bar on data subject rights (DSR) handling. In a recent blog post, Giulia Provini highlights EU enforcement cases where organisations failed on basics: misconfigured inboxes, unclear procedures, poor communication, or a lack of escalation to the DPO. The lesson is that even a single mishandled request can trigger enforcement if the process is not lawfully and transparently managed.

Key takeaways from these rulings:

- DSR workflows must be structured and monitored.
- Every delay, refusal, or outcome must be documented and legally reasoned.
- Requests must be acknowledged, tracked, and communicated within deadlines.
- DPO involvement is essential where legal uncertainty exists.
- Intake channels need regular testing to ensure accessibility.

The right of access is central to the GDPR, and regulators are treating it accordingly.

Read Giulia’s full analysis here: https://lnkd.in/dBnZBama