This Report aims to explore how the data protection by design and by default obligation breaks down in practice and whether it is effective, informed by how Data Protection Authorities (DPAs) and Courts enforced Article 25 GDPR since it became applicable. For instance, we analyze whether DPAs and courts find breaches of Article 25 without links to other infringements of the regulation and what provisions enforcers tend to apply together with Article 25 the most, including the general data protection principles and requirements related to data security under Article 32. We are also looking at what controls and behavior of controllers are deemed to be sufficient to comply with Article 25 and, per a contrario, what is not sufficient.
Norway DPA publishes statement on X’s use of data for AI training
X has resumed processing EU/EEA users' posts for AI training, requiring users to opt out to protect their personal data.