dpas bulletin - FEBRUARY 2026
Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news and developments from around the world.
Can data still be “personal” if only the owner can identify it? Can Meta now take the EU Data Protection Board to court? Are self-declared ages enough for age verification online? What happens when a privacy watchdog itself gets hacked? What goes wrong when AI misidentifies someone in policing?
Read about all this and more in our latest DPAS Data Protection Bulletin.
Court of Appeal extends scope of personal data
The ongoing DSG Retail case has thrown up some interesting clarification on the definition of personal data in regards to a personal data breach. For some context: In 2017, DSG Retail suffered a cyber attack that exposed millions of customers’ personal and payment card details. The Information Commissioner’s Office (ICO) investigated and fined DSG for failing to implement adequate security measures. DSG appealed the fine to the First-tier Tribunal, and the dispute eventually reached the Upper Tribunal, which ruled in DSG’s favour.
However, at the next stage in the Court of Appeal it was found that data remains personal data if the controller can still identify individuals from it, even if the hacker who steals it cannot. This means companies cannot argue that weaker security was acceptable just because the stolen data might have been incomplete. Such as if the malicious actors took the pseudonymised data without the requisite means to make it usable.
Read more about this here.
Meta deemed able to challenge €225 million GDPR fine
Continuing in the courts, the Court of Justice of the European Union (CJEU) ruled that Meta (via WhatsApp Ireland) can directly challenge a binding decision of the European Data Protection Board (EDPB) in the EU courts. This is significant as this was something previously rejected by the EU General Court.
WhatsApp had brought an action against the EDPB’s binding decision that found it breached the EU GDPR and led to a €225 million regulatory fine, but the General Court dismissed the case as inadmissible on the grounds that the EDPB’s decision was not an act it could challenge directly. The CJEU disagreed, holding that the EDPB’s binding decision does produce direct legal effects and alters WhatsApp’s legal position, and therefore Meta is entitled to pursue its challenge in EU courts. The case was sent back to the General Court to be considered on the substantive merits.
Read more about this here.
ICO fines Reddit £14.47 million
Keeping my tenuous links alive, we will stay on the fine train as Reddit recently pulled into the ICO’s action station. The ICO released an enforcement notice after their investigation found Reddit to be “using children’s personal data unlawfully”. This comes after Reddit insisted on its self-declaration system, where users declare their age when making their account.
Back in December, the ICO released its children’s privacy progress update which included a renewed focus on the use of self-declaration as a tool for age verification. In their investigation, the ICO found that Reddit both failed to apply robust age assurance mechanisms and did not carry out an appropriate data protection impact assessment before January 2025.
Read more about this here.
Global AI summit slams EU regulation
February saw the return of the annual global AI summit. Unsurprisingly, at an event attended by lobbyists and national officials from states such as the US, the EU’s approach to regulating AI came under fire. The senior policy adviser for the White House labelled the attitude in the EU’s approach as “doomerism”.
Not to be outdone by our neighbours across the pond, the CEO of Open UK also raised her concerns that the AI Act was too soon. In her view, the EU shouldn’t have attempted to regulate something that they do not yet fully understand. Some have maintained support for the EU’s stance and argue it is a necessity. Like many things in this area, the answer as to whether AI regulation is a good thing appears to be: it depends.
Read more about this here.
Data protection and privacy authorities band together
The AI summit was not the only group to make noise this week, nor were the ICO the only authority putting children at the forefront of their action. That’s right, this one’s a two-for. In a public declaration of their stance, parties of the Global Privacy Assembly’s International Enforcement Cooperation Working Group published a joint statement on AI-generated imagery. While the GPA’s IEWG might not be the most glamorous acronym, it is an impressive feat to have 61 data protection authorities included as signatories.
The united stance of these authorities sets out their approach to companies that develop AI systems which create realistic images or videos of identifiable people without their consent. They stress that such tools must follow existing data protection laws, include strong safeguards especially to protect children, and provide ways for people to have harmful content removed. While the debate over AI regulation rages on, it is reassuring to see that authorities can find common ground to prevent the technology’s more damaging uses.
Read more about this here.
Dutch data protection authority faces security incident
One signatory of the statement, the Dutch Data Protection Authority, has suffered a security breach resulting in unauthorised access to their employee data. Ivanti Endpoint Manager Mobile, the system used by the Dutch body, has been a system targeted by malicious actors over February. In January, the Ivanti released advisories for vulnerabilities that would allow executables to be activated remotely.
The breach exposed work-related personal information of the Dutch Data Protection Authority’s employees, including their names, business email addresses, and phone numbers, though the full scope of accessed systems is still under investigation. Ivanti have since worked with the Netherlands National Cyber Security Centre to develop an RPM detection script. Which leaves me with the burning question: would a supervisory authority issue itself a reprimand? A regulatory ouroboros if you would.
Read more about this here.
Met police piloting facial recognition ID checks
We haven’t had anything sufficiently Orwellian in the bulletin for a month or two, so avid readers may be keen to read that the Metropolitan police are at it again. Sadiq Khan announced that 100 officers will be equipped with an automated facial scanning technology deployed on smartphones for a trial of six months.
The advantage of the device is that it will avoid unnecessary trips to the police station, so claims Khan. If there is no match, the biometric data they take of you will be deleted immediately. A reassurance, I’m sure, to our next story…
Read more about this here.
Police arrest wrong Asian man in facial recognition fiasco
A software engineer in Southampton was taken from his home and held for 10 hours after facial scanning software confused him for a suspect who had committed a burglary in a town he had never visited. Rather than accept that the software had quite obviously got it wrong, the man was taken into custody.
The engineer’s mugshot was held on the police database from a wrongful arrest in 2021, prompting the error in late January 2026. Those of you with a particularly good memory may recall the warning from the Surveillance Commissioner back in 2024, who raised concerns about the police holding on to biometric data after no further action was taken following an arrest. Which suggests that although the Met police will delete your data if they do not find a match, they will hold on to your biometric data for far longer than is necessary if you have ever been taken into custody. Even if you were not charged.
Read more about this here.
GET IN TOUCH WITH US!
If you need any support in ensuring your organisation is complying with the relevant legislation, or require training in the areas of data protection and information security, get in contact with us.
Either call us on 0203 3013384, email us at info@dataprivacyadvisory.com, or fill out our contact form. Our dedicated team will get back to you as soon as possible.
