• 🧭 2025 W07 Largest GDPR Civil Damages Awarded by the Irish Court
    2025/02/20

    Hi privacy navigators,

    The Irish High Court recently awarded €7,500 in damages for a GDPR breach—reportedly the highest such court-awarded damages in Ireland (and Europe?) to date.

    While administrative fines from data-protection authorities often reach into the millions or even billions, this relatively modest figure highlights a key point: it represents only an individual claim. Where numerous people are similarly affected by a single breach, the potential exposure for organizations could be enormous.


    Find all resources from this episode at: https://conformally.com/privacy-navigator
    Learn more about Conformally at https://conformally.com

    12 min
  • 🧭 2025 W06 UK ICO's Pay or OK Framework - A Tight Balance or A Bad Compromise
    2025/02/12

    Hi privacy navigators,

    The Consent or Pay model is now a reality in the UK, and the ICO has set out a framework for how businesses can implement it while remaining GDPR-compliant.

    At first glance, the approach seems balanced: users get a choice, companies get flexibility, and privacy remains protected—at least in theory.

    But here’s the real question: Is privacy something that can be bought and sold like any other commodity? If so, shouldn’t the market set the price? And if not, doesn’t that make the very concept of “paying for privacy” fundamentally flawed?

    The ICO tries to walk a tightrope between these two positions, but does it succeed? Or are we left with a framework that tries to regulate an uncomfortable reality without fully confronting its implications?


    21 min
  • 2025-W05 DeepSeek: A Quantum Leap in AI, A Dead End in GDPR Compliance
    2025/02/05

    Hi privacy navigators,

    When news first broke that a small Chinese AI startup called DeepSeek managed to build a reasoning model better than OpenAI’s top-tier o1 model—and for an investment of around $6 million—everyone’s jaws dropped.

    How could such an underdog possibly outperform a tech giant that’s burned billions in research and development?

    Not to mention it's free. As you can imagine, it went viral in a matter of days.

    But as we all know, there’s a dark side to these too-good-to-be-true stories. DeepSeek’s sudden stardom raised red flags among privacy regulators across Europe—especially once it became clear that this new AI powerhouse was more than happy to store and process your data on Chinese soil, in a manner that screams “GDPR… what’s that?”

    Let’s dive into this fiasco and see what lessons we, as privacy pros, can learn from DeepSeek’s swift rise and potential meltdown.



    10 min
  • How NGN's illegal practices led to 1.2 Billion in Settlements and 10 Million for Prince Harry
    2025/01/30

    In a settlement that shook the foundations of British media, Prince Harry's five-year battle against News Group Newspapers (NGN) concluded with an unprecedented admission of wrongdoing and a substantial financial settlement. This case exposed decades of systematic privacy violations.

    The Origins: A Pattern of Intrusion
    The story begins in 1996, during Harry's teenage years, when NGN's publications - The Sun and News of the World - embarked on what would later be revealed as a systematic campaign of privacy intrusion. For 15 years, between 1996 and 2011, the publications employed over 100 private investigators who conducted more than 35,000 investigations.

    The Scale of Violations
    Methods of Intrusion:

    • Phone hacking
    • Surveillance operations
    • Misuse of private information
    • Employment of private investigators


    The violations extended beyond Harry himself, reaching into the private life of his late mother, Princess Diana, creating a multi-generational pattern of privacy breaches.

    The Legal Battle
    In 2019, Harry initiated legal proceedings against NGN, presenting evidence of over 200 articles containing illegally obtained information. This case formed part of a broader strategy, alongside successful actions against Mirror Group Newspapers and ongoing litigation with Associated Newspapers.

    The Settlement's Significance
    The January 2025 settlement marked several unprecedented developments:

    • First-ever admission of wrongdoing by The Sun newspaper
    • Full acknowledgment of "unlawful activities" by private investigators
    • Recognition of intrusion into Princess Diana's private life
    • Agreement to pay with legal costs estimated around £10 million
    • Prince Harry was awarded legal costs and £140,000 in damages, which are non-material by their nature


    Corporate Cover-up Allegations
    Perhaps most damaging were the allegations of systematic cover-ups at the corporate level. Harry and co-claimant Tom Watson alleged that NGN:

    • Destroyed 30 million emails and other records
    • Engaged in perjury at the highest levels
    • Orchestrated an extensive conspiracy to conceal wrongdoing


    And Justice For All (1300 cases)
    This case goes far beyond a personal victory for Prince Harry. While he stands as the driving force who exposed these malicious practices and brought them to justice—at least in part—it’s important to remember the broader impact. Over 1,300 claims have now been settled by NGN, with the total cost surpassing £1.2 billion. Harry’s efforts have not only shed light on these wrongdoings but also paved the way for accountability on an unprecedented scale.


    Final Thoughts
    I follow and analyze a lot of privacy news, including countless fines for violations, but this case stands out as monumental. The sheer duration of these illegal activities is staggering—and in many instances, they’re still happening.

    There’s always a delicate balance between free expression and privacy, but in this case, that line wasn’t just crossed—it was obliterated. And, as always, money plays a role. People crave the secrets of celebrities, and wherever there’s an audience, there’s profit, often at any cost.

    But this isn’t a gray area. It’s as black and white as it gets: hacking phones, spying, surveillance—it doesn’t take a legal expert to know this is fundamentally wrong.

    That’s why it’s reassuring to see justice served, even partially, to those affected. This case proves that even against corporate giants, we must continue to defend privacy and uphold the principles that lead to a better, fairer society.


    8 min
  • Navigating the Pseudonymisation Guidelines by the EDPB
    2025/01/23


    14 min
  • 2025-W3 The Austrian DSB Slaps Down Google’s Controllership Denial, CCPA applicable for AI and more
    2025/01/16

    The Austrian DSB Slaps Down Google’s Controllership Denial
    A data subject submitted a Data Subject Access Request (DSAR) directly to Google LLC, demanding access to their personal data under GDPR.

    Google LLC dodged responsibility, passing the request off to Google Ireland Ltd., claiming the latter was the sole controller for EEA and Swiss operations.

    This triggered an investigation by the Austrian DSB, who didn’t buy Google LLC’s claim that they were just a bystander.

    Evidence uncovered showed Google LLC wasn’t just “helping out” — they were the mastermind behind key data processing decisions.



    Why Google LLC Can’t Escape Being a Controller

    Let’s be clear — the DSB saw right through Google LLC’s attempt to paint themselves as a processor. Google LLC sets the tone for product development, infrastructure, and the rules of the game for how personal data is handled globally. That’s textbook controllership.



    DSARs Are a Controller’s Problem, Period.

    Here’s the deal: GDPR Article 4(7) says controllers are responsible for everything—from why data is collected to what’s done with it. And under Articles 12–23, responding to DSARs is non-negotiable. By directing data processing globally, Google LLC effectively made themselves accountable for these requests.



    What nailed Google LLC?

    They control the playbook for EEA processing.

    They design the systems that collect and process personal data.

    Their contracts with Google Ireland Ltd. didn’t effectively hand off responsibilities.

    In short, the DSB ruled: “You can’t be this involved and not call yourself a controller.”



    Signs You’re a Controller (Even If You Deny It):

    You decide what data gets collected and why.

    You build the systems and infrastructure for processing.

    You set the rules — from storage to security to compliance.

    You enforce standards across global operations.

    You call the shots when it comes to how personal data is used, shared, or accessed.



    You can read the full decision in German here.

    Read the whole newsletter here: https://conformally.com/featured_item/w03-2025-pn/


    11 min
  • 2025-W02 Privacy News: German Court Awards €10,000 for Unlawful Disclosure of Data, EDPB Issues Opinion on AI Models, Irish DPC with new Fine against Meta
    2025/01/08

    German Court Awards €10,000 for Unlawful Disclosure of Employee’s Health Data
    A German court ruled that an employee was entitled to €10,000 in damages after the unauthorized sharing of their health data. The employee’s health information, shared via email, was disseminated to nearly 10,000 members of an association.

    The court emphasized that the sharing of sensitive health data constitutes harm in itself under GDPR, even without evidence of additional damages. This aligns with the CJEU’s stance on non-material damages.

    EDPB Issues Opinion 28/2024 on AI Models
    The European Data Protection Board (EDPB) released its Opinion 28/2024, addressing the application of GDPR to artificial intelligence (AI) models. Key points include:

    • Transparency: Organizations must provide clear and accessible information about AI systems.
    • Fairness and Bias: AI models should be tested for and protected against bias to prevent discrimination.
    • Purpose Limitation and Data Minimization: AI systems should use only the data necessary for their specific purpose.
    • Accountability: Organizations must establish clear roles and responsibilities for data controllers and processors.


    If you haven't already, now is a good time for organisations developing AI tools to use these guidelines to review practices around transparency, fairness, and bias mitigation to ensure GDPR compliance.

    Irish DPC Concludes Investigation into Meta’s “View-As” Feature
    The Irish DPC investigated Meta’s "View-As" feature after a security flaw exposed personal data from 50 million users to unauthorized parties. Findings included:

    Lack of Adequate Safeguards: Insufficient measures to protect user data.
    Violation of GDPR Security Principles: Breach of data protection and accountability requirements.


    16 min
  • W50-2024 Data Use and Access Bill Updates, EU AI Factories, Brazil regulating AI
    2024/12/16

    UK Data Use and Access Bill Updates

    The UK government is proposing the Data Use and Access Bill to modernise data protection regulations.

    • The bill seeks to balance data processing benefits with user privacy and has received positive feedback from the Information Commissioner's Office (ICO).
    • It impacts sectors like health and finance, promoting data sharing in research while clarifying consent procedures.
    • The bill addresses the use of automated decision-making technology (ADMT) in AI, granting individuals the right to challenge decisions made by AI systems.
    • The proposed reforms would restructure the ICO, granting it additional enforcement resources and responsibilities related to technology innovation and public safety.
    • The ICO would gain powers to investigate data protection compliance and security incidents, potentially requiring organisations to provide technical reports.
    • The bill emphasises the responsible and careful handling of personal data in the context of AI and data breaches.

    Read more here

    Seven consortia have been selected to establish AI Factories across Europe

    Seven consortia have been selected to establish AI Factories across Europe. The TL;DR:

    • These factories aim to boost AI innovation and will receive €1.5 billion in funding, split equally between the EU and national sources.
    • They will be hosted in research hubs across Europe, including Barcelona, Bologna, Kajaani, Bissen, Linköping, Stuttgart and Athens.
    • The AI factories will provide access to computing power, data, and talent necessary for AI development.
    • Their focus is on developing large language models and specialised vertical AI models for various sectors.
    • The next opportunity for Member States to submit proposals for new AI factories is 1 February 2025.

    Read more here

    Brazil is on its way to regulate AI.

    Here is what you need to know:

    • The Brazilian Senate will vote in two days on a bill to regulate Artificial Intelligence (AI).
    • The bill defines AI systems similarly to the EU AI Act.
    • It outlines rights for people affected by AI, drawing inspiration from GDPR principles.
    • A risk-based approach is adopted, prohibiting certain AI systems deemed to be excessively risky.

    We quite liked Luiza Jarovsky’s take on this, see it here


    15 min