Data Protection News Update 02 March 2026

IGS
March 2, 2026

United Kingdom

Reddit fined £14 million for children’s data protection failures

The Information Commissioner’s Office (ICO) in charging the £14 million fine, has concluded that Reddit used the personal information of children “unlawfully” and did not employ adequate measures to check the age of its UK users.
Reddit commonly relies on Persona, that checks selfies or ID photos when users try to access age‑restricted content, however the users are still able to create an account without any form of age verification to access pages of the site considered inappropriate for children.
The ICO also found that although Reddit’s terms of service restricted the children under 13 from using the platform, it did not specify any age assurance mechanisms until July 2025.
The ICO recently also fined MediaLab, an image hosting site Imgur, almost £250,000 for failing to protect children’s data. This follows despite the site having blocked all UK users since September 2025 after the introduction of the Online Safety Act.

Medical student at Princess Elizabeth hospital charged with data protection offences

A medical student in Gurnsey’s Princess Elizabeth Hospital has been accused of illegally accessing the personal data of 46 hospital patients.
The student, Rebecca Elliot, has been charged with eight offences allegedly conducted over a period of six years, from October 2019 to October 2025.
During these six years, it has been argued that she accessed the personal data “knowingly or recklessly, without the consent of the data controller.”
Following the active investigation, she has been suspended from her role at the hospital.

United States

The Trump administration has ordered US diplomats to “fight” Data Sovereignty laws

In an internal State Department cable, it was found that US diplomats have been ordered to actively oppose foreign laws that restrict how American tech companies handle citizens’ data abroad.
Data Sovereignty has become especially popular in Europe, with regulators restricting how data is stored and transferred, stemming from concerns over US trade, privacy and surveillance policies.
The State Department cable included talking points on the promotion of the Global Cross-Border Privacy Rules Forum, a multinational initiative launched in 2022 by the United States, Mexico, Canada, Australia, and Japan, supporting free flow of data whilst ensuring privacy protection.
This cable highlights a shift in US strategy which previously revolved around engaging Europe diplomatically, however, it has now evolved into pressuring foreign governments to reform data privacy regulations that could hinder U.S. businesses.

Europe

EU’s GDPR reforms may be rejected by multiple national governments

National governments of the EU aim to reject reforms to the EU GDPR proposed by the European Commission.
The EU Commission presented its ‘digital omnibus’ plans in November 2025, as part of a measure to reduce red tape caused by data and AI laws that seeks to boost AI technology in Europe.
This revision to the GDPR seeks to include the recent SRB v EDPS ruling, which found that in some cases “pseudonymised” data, where a person’s details are obscured so they cannot be easily identified, may be outside the scope of the GDPR.
EU countries will consider the proposed text on February 27, 2026, in a meeting of diplomats focused on the EU’s simplification efforts.

X (formerly Twitter) appeals the EU’s €120 million fine on the platform

In December 2025, the EU imposed a €120 million fine on X, for breach of important transparency and user protection rules under the Digital Services Act (DSA)- marking the first formal penalty under the Act.
The EU commission argued that the fine stems from “the deceptive design of its ‘blue checkmark’, the lack of transparency of its advertising repository, and the failure to provide access to public data for researchers,”
In its appeal, X argues that the fines resulted from “grave procedural errors” and “tortured interpretation of obligations under the DSA”.
The Commission in January 2026 has also launched a new investigation into X’s AI assistant, Grok, evaluating if it complies with the DSA. The UK’s ICO also began a formal investigation into X over Grok’s image manipulation functionality involving the use of personal data.

International

WhatsApp’s privacy policy faces a challenge in India

WhatsApp’s 2021 privacy policy has been legally challenged in India’s Supreme Court, over the privacy, data control and the business model of Meta.
This case marks a step towards regulation of dominant online platforms in India.
WhatsApp, a few days ago, told the Supreme Court it would comply with the order requiring it to give Indian users greater control over how their data is shared with its parent company, Meta, by 16 March 2026.
This order comes from the recent ‘take it or leave it’ approach adopted by WhatsApp, which required users to share data with Meta companies to keep using the app.

For the latest updates on the Reddit children’s data protection failures, the Princess Elizabeth Hospital data access charges, the Trump administration’s pushback against data sovereignty laws, the EU’s proposed GDPR reforms, visit our Data Protection News hub.

Data Protection News Update 07 April 2026

ICO fines pendant alarm company £100,000 for unlawful marketing calls NHS staff refuse to work on Palantir’s £330 deal platform over ethical concerns United States

Data Protection News Update 30 March 2026

MPs urge the UK Government to reconsider giving Palantir access to the Financial Conduct Authority (FCA) data ICO and Ofcom align on age assurance rules

Data Protection News Update 23 March 2026

Reform UK may breach data laws with free energy bills competition UK Investigates Leak of Information from Meeting about U.S. Base Request United States US

What Does The GDPR Accountability Principle Ensure?

Out of the seven data protection principles within the General Data Protection Regulation (GDPR), the accountability principle stands out as one of the broadest and