This Report aims to explore how the data protection by design and by default obligation breaks down in practice and whether it is effective, informed by how Data Protection Authorities (DPAs) and Courts enforced Article 25 GDPR since it became applicable. For instance, we analyze whether DPAs and courts find breaches of Article 25 without links to other infringements of the regulation and what provisions enforcers tend to apply together with Article 25 the most, including the general data protection principles and requirements related to data security under Article 32. We are also looking at what controls and behavior of controllers are deemed to be sufficient to comply with Article 25 and, per a contrario, what is not sufficient.
UK owners of smart home devices being asked for swathes of personal data
Smart home devices are collecting more personal data than required for their functioning, potentially sharing it with social media firms […]