PrivacySignal
Enforcement

Conseil d'État upholds Criteo's €40M GDPR fine

noyb (None of Your Business) · · EU · Enforcement

France's highest administrative court has upheld a €40 million GDPR fine against ad-tech company Criteo, originally issued by the French data protection authority CNIL. The ruling confirms CNIL's findings that Criteo could not demonstrate valid user consent for its tracking practices and failed to meet data subject rights obligations.

Why this matters: Criteo's business is built on following people around the web and building profiles of what they look at and buy. The core finding here is simple: the company could not prove it ever had real permission to do that. Consent is not a checkbox buried in a cookie banner. It has to be informed, specific, and genuinely given. This case took nearly seven years from complaint to final ruling, which tells you how slow enforcement can be even when the violation is clear. Ad-tech companies that run the same playbook now have one less place to hide.

Who should care: Lawyers · Privacy officers · Compliance · AI governance · Cybersecurity · General readers · Policy

This summary is AI-assisted and may contain errors. It is an original briefing to help you gauge significance quickly — not a reproduction of the source. Always read the linked original before relying on it. See our methodology.

Related stories

Enforcement
The Guardian — Tech · · International

Revealed: landmark Scottish AI project has no prospect of meeting renewables promise

A Guardian investigation found that a major £8.2bn AI datacentre project in Lanarkshire, Scotland, misrepresented its plans to supply large-scale renewable energy to the site. Both government officials and developers privately acknowledged a significant power provision problem, despite public promises of clean energy delivery.

Who should care: Lawyers · Privacy officers · Compliance · General readers · AI governance · Policy

#enforcement#ai Read original →
Enforcement
Q qz.com · · International

Amazon Ring sued over facial recognition privacy violation

Amazon's Ring has been hit with a lawsuit alleging that its devices used facial recognition technology in ways that violated users' privacy rights. The suit appears to center on the collection or processing of biometric data without adequate notice or consent.

Who should care: Lawyers · Privacy officers · Compliance · Cybersecurity · General readers · Policy

#enforcement#surveillance#privacy Read original →
Enforcement
HIPAA Journal · · US Federal

Employees Drop Class Action Lawsuit Against Stryker Over Hamdala Cyberattack

A consolidated class action filed by employees against medical technology company Stryker, stemming from a cyberattack in March 2026 attributed to the Hamdala threat group, has been voluntarily dismissed. The plaintiffs chose to drop the case rather than having it decided by a court.

Who should care: Lawyers · Privacy officers · Compliance · Healthcare professionals

#enforcement#healthcare Read original →
Enforcement
The Record · · International

Spyware found on phone of European Parliament member probing it

Researchers found that Stelios Kouloglou, a former European Parliament member who sat on the body's committee investigating commercial spyware abuses, was infected with Pegasus spyware twice while he was serving in that role.

Who should care: Lawyers · Privacy officers · Compliance · Cybersecurity

#enforcement#surveillance Read original →
Enforcement
A ABC15 Arizona · · International

Man ‘falsely arrested’ with facial recognition for cold case murder sues Phoenix PD, MCAO

A man is suing the Phoenix Police Department and the Maricopa County Attorney's Office after allegedly being wrongfully arrested for a cold case murder based on a facial recognition match. The lawsuit claims the identification was faulty and led to a wrongful deprivation of his liberty.

Who should care: Lawyers · Privacy officers · Compliance · Cybersecurity · General readers · Policy

#enforcement#surveillance#privacy Read original →
Enforcement
The Record · · International

Supreme Court decision threatens EU-US data transfer agreement

Privacy advocate Max Schrems has notified European officials of his intent to file a legal challenge against the EU-U.S. Data Privacy Framework, the agreement that permits personal data to flow from the European Union to American companies. Schrems, who previously dismantled two predecessor agreements, is citing a recent Supreme Court decision as grounds for the new challenge.

Who should care: Lawyers · Privacy officers · Compliance · AI governance

#enforcement#gdpr Read original →