Vodafone Romania Faces Penalties under GDPR For Customer Data Leaks Through WhatsApp and Improper Email Practices
Vodafone Romania was fined EUR 15,000 for GDPR violations, including unauthorised data sharing via WhatsApp and email. The investigation revealed failures in implementing proper safeguards to prevent employee and third-party access to sensitive customer information.
Vodafone Romania Penalised for GDPR Breach in Telecom Services
The Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) has imposed a fine of RON 74,526 (EUR 15,000) on Vodafone Romania for breaches of Articles 32(4) and 32(1)(b) of the General Data Protection Regulation (GDPR).
The ruling, issued on 20 January 2025, highlighted failures in safeguarding customer data, including personal details such as names, personal identification numbers, and addresses.
ANSPDCP’s investigation revealed troubling practices that exposed sensitive customer data. Among the key issues were the sharing of invoice photos containing personal data with unauthorised third parties, failure to use blind carbon copy (BCC) when sending emails, and sharing screenshots of application interfaces via WhatsApp.
These actions led to the unauthorised processing of personal data by employees and third parties.
Vodafone’s failure to implement proper technical and organisational measures raised red flags with regulators, ultimately resulting in this penalty.
ANSPDCP’s investigation uncovered a series of missteps by Vodafone Romania that directly violated GDPR provisions.
Article 32 requires organisations to ensure the security of personal data through appropriate technical and organisational safeguards. Vodafone’s shortcomings were particularly concerning in the telecommunications sector, where data protection is paramount.
One key issue was the sharing of invoice photos containing sensitive customer data with third parties. This unauthorised disclosure not only breached confidentiality but also highlighted vulnerabilities in Vodafone’s data-sharing protocols. Such lapses are unacceptable in industries where consumer trust relies heavily on secure handling of personal information.
Additionally, the investigation found that Vodafone employees used email communication without applying BCC, resulting in personal data being inadvertently exposed to unintended recipients.
This practice, although seemingly minor, can have major privacy implications. The use of screenshots from internal application interfaces, shared through WhatsApp, further exemplified the company’s lack of strict controls over data processing.
Accountability and the Need for Stronger Safeguards
The fine imposed on Vodafone Romania sends a strong signal about the consequences of failing to protect customer data. At the heart of the matter lies Article 32(4) of the GDPR, which specifically mandates that entities using data processors must ensure these processors comply with security measures.
Vodafone’s apparent inability to enforce this requirement exposed systemic gaps in their data protection framework.