WhatsApp, metadata and privacy: when the problem is not the content but the context

In the final months of 2025 and early 2026, two independent studies highlighted significant vulnerabilities in WhatsApp’s metadata management. The University of Vienna and SBA Research demonstrated the ability to enumerate 3.5 billion accounts through the contact discovery mechanism, while Tal Be’ery (Zengo) showed how cryptographic key IDs allow inference of operating system, device type, and approximate session age. Meta has begun implementing fixes, but the privacy implications remain significant. This article analyzes the nature of metadata, WhatsApp-specific risks, and presents open source alternatives based on federated protocols such as XMPP and Matrix.

5 January 2026 · 17 min · NicFab

Public Consultation on Joint Guidelines on the Interplay between DMA and GDPR

Public consultation open until 4 December 2025 on guidelines regulating the interplay between the Digital Markets Act and the GDPR

9 October 2025 · 4 min · NicFab

The EU Digital Omnibus: Europe's Bold Move to Simplify Digital Regulation

The European Commission launched today an ambitious initiative that could fundamentally reshape how businesses interact with EU digital regulations. The Digital Omnibus, part of the broader Digital Package on Simplification, represents the most significant attempt yet to address what many consider the growing complexity burden of Europe’s digital regulatory landscape.

The Problem Brussels Finally Acknowledges

After years of stakeholder complaints about regulatory fragmentation and implementation complexity, the Commission has officially recognized what industry has been saying: Europe’s digital rulebook has become unwieldy. The call for evidence document is surprisingly candid about the challenges, noting that “multiple horizontal, and sector-specific rules were adopted, leading to complexity in implementation, fragmentation in their application at the national level and misalignment in the enforcement approaches.” ...

16 September 2025 · 6 min · NicFab

The EU Court of Justice Clarifies the Limits of Pseudonymization: Data Remains Personal for Those Who Hold the Key

The EDPS/SRB Case: When Pseudonymized Opinions Remain Personal Data

The recent Judgment of the Court of Justice of the European Union (First Chamber) of 4 September 2025 in Case C-413/23 P provides essential clarifications on the nature of pseudonymized data and transparency obligations for data controllers, with significant implications for anyone managing data sharing processes with third parties. ...

7 September 2025 · 9 min · NicFab

The EU Sets New Standards for Children's Digital Safety

TODAY (July 14, 2025), the European Commission officially published its comprehensive Guidelines on the Protection of Minors under Article 28 of the Digital Services Act (DSA). This landmark 64-page framework will reshape how platforms protect children across Europe.

Core Framework - The “5Cs” Risk Assessment: The guidelines mandate that platforms assess risks across five categories: Content, Conduct, Contact, Consumer, and Cross-cutting risks, encompassing exposure to harmful content, AI chatbot vulnerabilities, and excessive spending patterns. ...

14 July 2025 · 2 min · NicFab

EDPB-EDPS Joint Opinion 01/2025 on SME Record-Keeping Simplification

🚨 NEW EDPB-EDPS Joint Opinion on SME Record-Keeping Simplification

On 9 July 2025, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) released their Joint Opinion 01/2025 on the proposed regulation to simplify record-keeping obligations for small and medium-sized enterprises (SMEs) and small mid-cap companies (SMCs).

🎯 Key Highlights:
- Extended threshold: The proposal would raise the employee threshold from 250 to 750 employees for record-keeping exemptions under Art. 30(5) GDPR
- Broader scope: SMCs (small mid-cap companies) would also benefit from simplified obligations
- Risk-based approach maintained: High-risk processing activities would still require full compliance regardless of company size
- Administrative burden reduction: Aims to provide greater flexibility for smaller organizations while maintaining data protection standards

💡 EDPB-EDPS Position: The authorities express preliminary support for this targeted simplification initiative, welcoming the risk-based approach that ensures fundamental rights protection remains intact. However, they’ve requested further clarification on the new 750-employee threshold and recommend better alignment with the newly introduced SME/SMC definitions. ...

10 July 2025 · 1 min · NicFab

The European Commission Launches Public Consultations on the Future of EU Data Legislation

Brussels, 9 July 2025 – The European Commission announced today that it has officially launched a set of public consultations aimed at evaluating and shaping the next phase of the European Union’s data legislative framework. The initiative focuses on three cornerstone instruments of the EU data strategy:
- Regulation on the Free Flow of Non-Personal Data
- Open Data Directive (ODD)
- Data Governance Act (DGA)

These legislative acts have been fundamental in enabling data-driven innovation, enhancing the reuse of public sector information, and promoting trust and interoperability in data sharing across Member States. However, as the digital ecosystem evolves rapidly, the Commission is now seeking updated, evidence-based input from stakeholders to assess how these instruments are functioning and where improvements or recalibrations may be needed. ...

9 July 2025 · 3 min · NicFab

Judgment of the Court in Case C-446/21 (Communication of data to the general public)

An online social network such as Facebook cannot use all of the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data.

4 October 2024 · 1 min · NicFab

Judgment of the Court in Case C-21/23 - The online sale of medicines requires the data subject’s consent

The online sale of pharmacy-only medicinal products requires the explicit consent of the customer to the processing of his or her data, even where those medicinal products do not require a prescription.

4 October 2024 · 1 min · NicFab

Judgment of the Court in Case C-548/21 (Attempt to access personal data stored on a mobile telephone)

Access by the police to data contained in a mobile telephone is not necessarily limited to the fight against serious crime.

4 October 2024 · 1 min · NicFab