Online tracking is part of digital life, but businesses are increasingly recognizing that it can harm people when it isn't done responsibly, Stephen Almond, U.K. Information Commissioner's Office regulatory risk executive director, blogged Thursday. The ICO has been "taking decisive action, supporting organisations to make changes" to ensure they can navigate online tracking responsibly while safeguarding people's personal information.
Meta's latest pay-or-consent policy in the EU may be breaching consumer and data protection law as well as the Digital Markets Act, the European Consumer Organisation (BEUC) said Thursday. It contacted the relevant EU enforcement authorities about its concerns.
CNIL, the French regulator, will pay "particular attention" in coming months to whether software development kit (SDK) providers are complying with the GDPR, it announced Tuesday (according to an informal translation). SDK providers play a central role in the operation of mobile apps. Popular SDKs include audience measurement and advertising monetization, the CNIL document said. When the regulator published recommendations earlier on integrating SDKs and implementing controls to ensure GDPR compliance, it notified SDK suppliers that it would start checking compliance this spring.
The Council of the EU Tuesday approved rules aimed at improving cross-border access to EU health data. The European Health Data Space (EHDS) regulation will give people better access to and control over their personal electronic health data while allowing certain data to be reused for research and innovation for patients' benefit, the Council said.
Data controllers need more awareness of European Data Protection Board (EDPB) guidelines on data subjects' right of access to their personal data, the board said Monday in a report.
The European Data Protection Board (EDPB) Friday clarified the use of pseudonymized data for EU General Data Protection Regulation compliance. Comments on the guidelines are due Feb. 28.
Austrian privacy advocacy group Noyb Thursday sued TikTok, AliExpress, Shein, Temu, WeChat and Xiaomi under the General Data Protection Regulation for unlawfully transferring Europeans' personal data to China. Noyb said four of the companies conceded sending the data to China, and two acknowledged sending it to undisclosed third countries. EU law is clear, the group said: Data transfers are allowed only if the destination country doesn't undermine data protection: "Given that China is an authoritarian surveillance state, companies can't realistically shield EU users' data from access by the Chinese Authorities." The emergence of Chinese apps opens a front for EU data protection law, Noyb said.
Norwegian privacy watchdog Datatilsynet said Thursday it's carrying out a major audit of municipal schools to ensure that they're protecting the privacy and data security of their students during rapid digitization, according to an unofficial translation. Unfortunately, it said, the reality today is that municipalities have too little expertise and resources to safeguard school children's privacy, and that many lack an overview of what personal data is processed in the learning tools used in teaching. The audit will provide practical guidance, it said.
The European Parliament Civil Liberties Committee Thursday named Bruno Gencarelli as European data protection supervisor (EDPS) for 2025-2030. Gencarelli, currently European Commission head of international data flows and protections, beat three other candidates in a secret ballot, including current EDPS Wojciech Wiewiorowski. Once the European Parliament president and political party heads confirm the vote, Parliament and the European Council will make the appointment. The EDPS supervises how EU institutions and bodies process personal data to ensure compliance with privacy law, and advises them on personal data processing and related policies and legislation. The office's role has been expanded to cover such things as EU bodies' compliance with the AI Act.
French privacy regulator CNIL Thursday unveiled a 2025-2028 strategic plan focused on AI, minors' rights, cybersecurity, and mobile apps and digital identity, according to an unofficial translation.