United Kingdom
Imgur owner MediaLab fined over children’s privacy failures
- MediaLab, Igmur’s parent company, was fined by the ICO for failing to protect the personal information of children under 13.
- The investigation found Imgur processed children’s data without parental consent, failed to implement age assurance measures, and neglected to perform mandatory data protection impact assessments.
- By failing to verify ages, the platform exposed minors to harmful content, including material related to eating disorders, violence, and hate speech.
- Imgur proactively suspended UK access in September 2025 to avoid further liability, though the ICO maintains that exiting the market does not absolve the company of responsibility for past breaches.
Plans approved for £250m data centre
- Wiltshire Council has approved a £250m high-security data centre at the Spring Park Campus in Corsham, despite over 1,100 formal objections from the local community.
- Residents and campaigners raised significant alarms regarding flooding risks, noise pollution from cooling fans, and the massive scale of the building (18.7m tall and 180m long).
- To mitigate local impact, the council has imposed “robust conditions” covering drainage systems, environmental protections, and site security before construction can begin.
United States
California fines Disney $2.75 million for data privacy violations
- Disney has agreed to pay a $2.75 million penalty to the state of California, the largest ever under the CCPA, to resolve allegations of obstructing consumer opt-out rights.
- An investigation found that Disney’s opt-out process was “disjointed,” requiring users to opt out on every individual device or service rather than applying the choice globally across their entire account.
- Beyond the fine, Disney must implement a simplified, “consumer-friendly” opt-out system and provide progress reports every 60 days to the California AG until all services are fully compliant.
ICE tapping school cameras amid Trump’s immigration crackdown
- Police departments across the US are quietly leveraging school district security cameras to assist Donald Trump’s mass immigration enforcement campaign.
- AI-powered license plate readers (Flock Safety) installed for school safety are being integrated into a national database, allowing police to track travel patterns for immigration-related investigations.
- Multiple law enforcement leaders acknowledged they conducted the searches in the audit logs to help the Department of Homeland Security (DHS)
- Flock Safety has repeatedly stated that it does not provide the DHS with direct access to its cameras and that all data-sharing decisions are made by local customers, including school districts.
Europe
CJEU rules Meta can challenge EDPB’s binding WhatsApp decision
- The CJEU ruled that companies can directly challenge binding decisions made by the European Data Protection Board (EDPB), overturning a previous lower court ruling restricting appeals to national courts.
- The court found that the EDPB’s interventions are of “direct concern” to businesses because they leave national regulators with no discretion, effectively determining the final legal outcome and penalty.
- This decision establishes a pathway for Meta and other major firms to more easily contest billions of euros in pending GDPR fines that were increased or mandated by the EDPB.
- The specific case regarding WhatsApp’s 2021 transparency violations now returns to the EU General Court for a full reassessment of the merits, including whether the €225 million fine was justified.
Dutch Authorities confirm breach exposing employee contact data
- The Dutch Data Protection Authority, the Dutch Council for the Judiciary confirmed their systems were compromised by cyber-attacks that exploited the recently disclosed security flaws in Ivanti Endpoint Manager Mobile (EPMM).
- Unauthorized actors accessed work-related contact information for thousands of employees, including names, business emails, and phone numbers, though no direct compromise of mobile devices was detected.
- The attacks exploited two critical flaws which allowed unauthenticated remote code execution via malformed HTTP requests.
International
Somalia approves regulatory framework to strengthen public data protection
- During an extraordinary meeting chaired by President, the Council of Ministers approved the Regulatory Framework for the Public Data Protection Law by a majority vote.
- This new framework provides the specific legal and technical provisions required to fully implement the Data Protection Act of 2023
- The regulation is a cornerstone of Somalia’s citizen-centred digital agenda, designed to build public trust in new e-government services and secure national data infrastructure.
- Developed by the Ministry of Communications and Technology, the framework empowers the Somali Data Protection Authority (DPA) to manage data-related services and ensure transparent governance of personal information.
For the latest updates on ICE school surveillance, Meta’s GDPR challenge, Disney’s CCPA penalty, Somalia’s new data protection framework, and major data governance developments across the UK, US, Europe and beyond visit our Data Protection News hub.
