EU & UK
- The EDPB issued Statement 2/2025 following the CJEU’s judgement on the PNR Directive, upholding its validity but requiring limitations to protect personal data rights.
- The CJEU ruled that under GDPR Article 16, national authorities must rectify personal data in public registers if it’s inaccurate, including gender information.
- Datatilsynet fined Telenor NOK 4 mil. for deficiencies in DPO scheme and internal controls.
- The Hellenic DPA fined the National Bank of Greece EUR 220,000 for GDPR violations, specifically for not responding promptly to data access requests.
- EDPB published Opinion 2/2025 on draft decision of IMY regarding controller BCRs.
- The Spanish Data Protection Authority (AEPD) fined Iberia Cards EUR 16,000 for processing a complainant’s data without a valid legal basis, in violation of GDPR Article 6.1.
AMERICAS
- The California Privacy Protection Agency fined Honda USD 632,000 for CCPA violations, including excessive data collection, request denials, and improper data sharing.
- New York’s AG filed a lawsuit against National General and Allstate Insurance Co. for failing to protect New Yorkers’ personal information from cyberattacks.
- Saturn Technologies was ordered to pay USD 650,000 in penalties and strengthen privacy for young users as they failed age verification for school kids for providing services.
- California’s AG initiated an investigation into the location data industry for potential violations of the California Consumer Privacy Act (CCPA).
