Issues with the US data transfers continue to emerge
The privacy advocacy group NOYB and their campaigner Max Schrems are asking the European Commission to begin exiting the EU-US Data Privacy Framework (DPF), given that the US Constitution now prohibits independent oversight on privacy matters. This follows a recent US Supreme Court ruling that US President Donald Trump could fire a key decision-maker from the Federal Trade Commission (FTC), which also oversees consumer privacy. For years, the EU has heavily relied on the independent FTC as the enforcer of EU-US deals on personal data.
NOYB further elaborates that while some companies may not rely directly on the DPF and instead use standard contractual clauses (SCCs) and binding corporate rules (BCRs), they usually also rely on a transfer impact assessment (TIA), which in turn relies on formerly independent US executive bodies such as the PCLOB or the Data Protection Review Court. The Supreme Court decision therefore affects them too, even if they do not rely on the FTC. NOYB will also file a lawsuit, aiming to allow the CJEU to annul the current US data transfers deal. However, such a lawsuit typically takes 2-3 years until a final decision is reached.
Finally, the Commission’s decision on the US adequacy for personal data transfers is formally in force until the Commission decides to repeal it.
Other legal updates

GDPR inconsistencies across the EU survey: The European Data Protection Board has launched a dedicated contact form for stakeholders to report possible inconsistencies in how the GDPR is interpreted across Europe. The new tool enables stakeholders to report alleged divergences between national positions, as well as between national positions and those of the EDPB.
Right to erasure case digest: The EDPB has also published an update to the One-Stop-Shop (OSS) case digest on the right to object and the right to erasure. The document lists the most frequent infringements and gives an overview on which corrective measures have been issued. Since the original digest was finalised in 2022, the regulators have adopted hundreds of new decisions. Cases cover, for example, the latest exercise of the right to object to direct marketing or the wish of individuals to erase their account or online data profile.
The growing number of US state privacy laws: JD Supra reports that, in 2026, four states, Oklahoma, Louisiana, Alabama and Vermont, have passed comprehensive new state privacy laws, bringing the total to 23. Additionally, three others, Virginia, Maryland and Connecticut, have passed significant amendments to their privacy laws, some of which are expected to go into effect shortly. New state legislation places greater emphasis on data protection impact assessment requirements, protections around the sale of data, and disclosures on the use of automated decision-making and LLMs.
UK DUAA right to complain takes effect
New legal requirements on how organisations handle data protection complaints are now in force (from 19 June), marking a significant change for businesses across the UK. Under the Data Use and Access Act 2025, all organisations must now give people a clear way to raise a data protection complaint, acknowledge it within 30 days, investigate appropriately and communicate the outcome. The ICO’s data protection complaints guidance has been designed to support organisations of all sizes.
Official guidance

Tourist accommodations: Following several complaints submitted regarding personal data collection and processing practices by hotel businesses, the Greek Data Protection Authority issued compliance recommendations to tourist accommodations:
- Do not receive or retain photos or copies of identity cards, passports, credit or debit cards, given that there is no specific legislative provision requiring this.
- Ensure that any processing of personal data is based on an appropriate legal basis and that prior assessment of the necessity and proportionality of the measures is applied.
- Provide customers with clear, easily accessible and up-to-date information regarding the processing of their personal data, both through websites and by any other appropriate means.
- Review internal check-in, payment and reservation management procedures, informing staff accordingly, to ensure the application of the principle of data minimisation.
EdTech survey: The UK Information Commissioner explains that because children may not be able to choose or opt out of many digital tools their schools adopt, it is essential that parents and pupils can trust that this technology meets the highest standards of data protection. To that end, the regulator has published the ‘Edtech examined’ report, which details the findings of its 2024 and 2025 review of 28 edtech providers whose products are widely used across primary and secondary schools in the UK. The providers often did not:
- correctly determine their role as a controller or processor for each processing activity in their product
- assess whether reusing children’s information for their own purposes complies with the law, before doing so
- fully map all data flows into, through and out of edtech products, and keep complete records of their processing activities
- set out their retention periods and explain how long they need to keep children’s information, and how they will delete it
- complete Data Protection Impact Assessments when required
- ensure control and oversight of their subprocessors, etc.
Video game industry

The Spanish and Belgian Data Protection Authorities have jointly published Recommendations and Best Practices for Data Protection in Video Games. This is the first coordinated document delivered by European data protection authorities to promote good practices to ensure compliance with the GDPR in the design, development and distribution of video games. It is based on evidence gathered through:
- static analyses (of privacy policies, terms of service, contracts) and
- dynamic analyses (execution in real-world online gaming environments, SDKs, launchers, etc.) of current video games.
It analyses the most common personal data processing activities in video games, identifies the threats and risks involved, and offers recommendations and best practices for each phase of the video game lifecycle and for each stakeholder.
In other news
Tracking pixels need consent: In Australia, the Privacy Commissioner has found that health service providers Medmate and Monash interfered with the privacy of individuals whose sensitive information was collected via third-party tracking pixels. The Commissioner’s decision establishes that the use of tracking pixels to track website visitors to health-related websites, and the subsequent targeting of them with advertising on social media platforms, amounts to a collection of sensitive information for which the website provider must obtain users’ consent (under the Privacy Act 1988).
WordPress sites targeted: The Dutch National Cyber Security Centre found that cybercriminals are exploiting WordPress sites to distribute malware to visitors. Visitors are tricked into downloading and executing a .zip or .js file. This can lead to a malware infection and potentially the theft of the visitor’s login credentials. Subsequently, various forms of malware, such as ransomware, can be installed on the visitor’s device.
Various measures to protect your website against malware (such as enabling multi-factor authentication, notifications for actions that do not occur often, logging of changes and login attempts, keeping plugins and themes up to date, blocking the execution of PHP files in the uploads directory and limiting the number of administrators, etc.) can be found in the original publication.
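As an added illustration of one of the measures listed above (not taken from the NCSC publication), the following nginx fragment denies execution of PHP files placed under WordPress's wp-content/uploads directory, which should only ever serve static media. It assumes a standard WordPress layout served by nginx with PHP-FPM; the socket path is a placeholder.

```nginx
# Added example, not part of the NCSC publication.
# Assumes WordPress at the server root, PHP handled by PHP-FPM.
server {
    listen 80;
    server_name example.invalid;          # placeholder hostname
    root /var/www/wordpress;              # assumed WordPress root
    index index.php;

    # Uploads are user-supplied content: never hand them to PHP.
    # nginx evaluates regex locations in file order and stops at the
    # first match, so this block MUST come before the generic PHP block.
    location ~* ^/wp-content/uploads/.*\.(php|phtml|phar|php[0-9])$ {
        deny all;                         # 403 for any script-like file
    }

    # Optional belt-and-braces: treat everything under uploads as static.
    location ^~ /wp-content/uploads/ {
        try_files $uri =404;
    }

    # Generic PHP handler for the rest of the site.
    location ~ \.php$ {
        try_files $uri =404;              # avoid passing non-existent paths
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Note that the `^~` prefix location for uploads takes precedence over the regex locations once matched, so a dropped webshell under uploads is served as a plain file (or 404) rather than executed; verify with `nginx -t` and a request for a test `.php` file in that directory after reloading.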
Medical data fine: The Lithuanian Data Protection Inspectorate VDAI imposed a 450,000 euro fine on UAB InMedica for personal data security violations. The company suffered a ransomware attack where a third party encrypted data on four systems. These systems processed personal data of patients and employees. The investigation found that access control and authentication were not sufficiently protected:
- Multi-factor authentication was not applied to privileged users connecting via an external network (the Internet),
- Access was not restricted to authorised persons, and
- Passwords did not meet a certain level of complexity.
Passengers with reduced mobility data

Airlines may process the health data of passengers with disabilities or reduced mobility without obtaining their consent when this is necessary to ensure transport safety and assistance during the journey, as required by industry legislation. However, they must ensure compliance with the principles of transparency regarding data processing and limit data retention to the period strictly necessary to achieve these purposes.
This was reiterated by the Italian Data Protection Authority Garante, which, following a passenger’s complaint, fined Emirates airline 180,000 euros. Emirates made the provision of assistance conditional upon completion of a form intended to collect information on the passenger’s health, details of the attending physician, and any accompanying persons. The regulator deemed the processing of health data legitimate; however, the information provided about the processing of the data collected through the form, and the data retention period (7 years), were found inadequate.
Unlawful spam threats case
A Manchester firm was fined 300,000 pounds for bombarding people in debt with over 5.5 million unlawful texts. KRA Consultancy Ltd targeted people with unlawful spam texts, including fake bailiff messages. The company sent 5,575,715 unsolicited direct marketing texts between April 2022 and May 2025, promoting debt solutions to people who had already been turned down for loans.
This led to more than 60,000 complaints being made to the Information Commissioner and the spam reporting service (‘7726’). The evidence revealed how the company deliberately tried to evade detection. It contacted a telecoms provider based in China, seeking assurances that the mass text messages would be “completely untraceable.” KRA also did not attempt to check that the loan decline data was accurate or whether the recipients had consented to receive marketing messages.
And Finally

Extended reality: In Germany, the Federal Commissioner for Data Protection and Freedom of Information has published recommendations on data protection in extended reality applications. The paper explains application examples of extended reality technologies (sometimes referred to as “crossed reality” or “XR”) in the field of gaming or wearables, where neutral or personal data of a user or other uninvolved persons can be collected and processed from various sources (hardware and software).
Reportedly, just twenty minutes in a virtual reality simulation can generate nearly 2 million unique body language recordings.
Neuro data in non-health fields: The Ibero-American Data Protection Network adopted an analysis on the processing of neurodata in contexts such as consumption, advertising or entertainment (in Spanish). The document includes the definition of neurodata processing, the application of enhanced safeguards, the requirement of transparency and explainability, and the unacceptable uses that could require specific legal prohibitions.
The starting point is that all neurodata linked to an identified or identifiable person should be considered personal data. Furthermore, information originating from the brain and nervous system can be unique and highly individualised. Although neurodata is not explicitly recognised as a separate category in all regulatory frameworks, the text indicates that its nature and significant impact justify considering enhanced protection.