Irish DPC Opens Inquiry into SHEIN Ireland
Ireland's Data Protection Commission opened a formal inquiry into Infinite Styles Services Co. Ltd. (SHEIN Ireland) under section 110 of the Data Protection Act 2018. The investigation will examine the fast-fashion platform's data processing practices affecting EU/EEA users.
DPC latest newsDPC Publishes Decision on Permanent TSB Data Breaches
The Irish DPC published its final decision following an inquiry into personal data breaches at Permanent TSB, originally reported in May 2022. The decision addresses the bank's handling of data breach notifications and its technical and organisational measures.
DPC announcementCriteo €40M Fine Upheld by French Court
France's Conseil d'État — the country's highest administrative court — upheld the CNIL's €40 million fine against Criteo, Europe's largest ad-tech tracking company. The case was originally brought by NOYB and Privacy International over violations related to online tracking and advertising without valid consent.
NOYB coverageEDPB Launches CEF 2026 on Transparency Obligations
The European Data Protection Board launched Coordinated Enforcement Framework (CEF) 2026, an action focused on transparency and information obligations under GDPR. National authorities will run aligned checks to assess how clearly organisations explain data processing to individuals.
EDPB announcementIrish DPC Opens Inquiry into X over Grok AI Images
Ireland's DPC announced a section 110 inquiry into X Internet Unlimited Company over Grok AI's alleged generation of non-consensual intimate and sexualised images of real people, including children. The investigation examines compliance with GDPR Articles 5, 6, 25, and 35 regarding EU/EEA data subjects.
DPC press releaseGoogle Fined €325 Million by CNIL for Gmail Spam
France's CNIL fined Google €325 million for sending unsolicited promotional emails to Gmail users without valid consent. The decision found that Google used its dominant position in email to push advertising content in ways that violated GDPR consent requirements. The case was brought by NOYB.
NOYB announcementTikTok Fined €530 Million for Data Transfers to China
Ireland's DPC fined TikTok €530 million for transferring European users' personal data to China without adequate safeguards. The investigation found that TikTok failed to verify and guarantee that EEA user data accessed remotely by staff in China received protection essentially equivalent to EU standards. TikTok was also found to have stored some EU data on Chinese servers contrary to earlier representations.
DPC press releasesLinkedIn Fined €310 Million by Irish DPC
Ireland's Data Protection Commission fined LinkedIn €310 million for unlawfully processing personal data for targeted advertising. The decision found that LinkedIn relied on invalid legal bases — including legitimate interests and consent — for behavioural analysis across its European user base. LinkedIn was ordered to bring its processing into compliance.
DPC decisionUber Fined €290 Million by Dutch DPA for US Data Transfers
The Dutch Autoriteit Persoonsgegevens fined Uber €290 million for transferring European drivers' personal data to the United States without adequate safeguards. The case parallels Meta's €1.2B fine for similar violations and reinforces the principle that US data transfers require robust supplementary measures post-Schrems II.
Dutch DPA (AP)X (Twitter) Fined €550 Million by Irish DPC
Ireland's DPC concluded its investigation into X Corp (formerly Twitter), issuing a fine of €550 million for unlawful processing of personal data for advertising purposes through the MoPub ad network. The investigation examined whether X processed special categories of personal data — including inferred political opinions and sexual orientation — for advertising without a valid legal basis.
DPC press releasesEU AI Act Enters Into Force
The EU Artificial Intelligence Act entered into force on 1 August 2024, creating the world's first comprehensive AI regulatory framework. It introduces obligations that interact directly with GDPR, particularly for AI systems processing personal data. Providers of high-risk AI systems must comply with data governance, transparency, and human oversight requirements. Full application begins August 2026.
Official text of the AI ActMeta Fined €1.2 Billion — Record GDPR Penalty
The Irish DPC issued a €1.2 billion fine against Meta Platforms Ireland for transferring personal data to the United States without adequate safeguards following the Schrems II ruling. Meta was ordered to suspend future data transfers and bring existing transfers into compliance within five months. Meta appealed the decision but the fine stands as the largest in GDPR history.
DPC announcementEU–US Data Privacy Framework Adopted
The European Commission adopted the EU–US Data Privacy Framework adequacy decision, providing a legal basis for transatlantic personal data flows to certified US companies. The framework succeeded the invalidated Privacy Shield and introduced a new Data Protection Review Court as a redress mechanism for EU individuals. Privacy advocacy group NOYB has already signalled plans to challenge it.
Commission adequacy decisionEDPB Establishes ChatGPT Task Force
Following Italy's Garante temporarily banning ChatGPT over GDPR concerns in March 2023, the European Data Protection Board established a dedicated task force to coordinate enforcement and develop a consistent EU-wide approach to large language models. The task force examined legal bases for training data, data subject rights, and accuracy obligations under GDPR.
EDPB task force newsMeta (Instagram) Fined €405M for Children's Data
Ireland's DPC fined Meta €405 million for Instagram's failure to protect children's data — including defaulting minor accounts (aged 13–17) to public visibility and displaying phone numbers and email addresses publicly. The decision was one of the first major enforcement actions focused specifically on children's data protection, reinforcing GDPR Article 8 obligations.
DPC press releaseMeta (Facebook) Fined €265M for Data Scraping
The Irish DPC fined Meta €265 million after a massive dataset of 533 million Facebook user records — scraped via the contact import feature — appeared on hacking forums in 2021. The investigation focused on Facebook's failure to implement adequate technical and organisational measures to prevent the large-scale scraping of personal data.
DPC press releaseNew Standard Contractual Clauses Published
The European Commission published modernised Standard Contractual Clauses for international data transfers, replacing the outdated 2001/2004 versions. The new SCCs feature a modular structure covering controller-to-controller, controller-to-processor, and processor-to-processor transfers, and for the first time incorporate requirements for Transfer Impact Assessments to assess third country laws.
Commission SCCs page