Entries submitted
D1 – Entry by: Data Protection Commission
Description of the initiative:
The DPC’s inquiries considered state surveillance by local authorities (regional and municipal authorities) and found widespread deployment of CCTV in public places to prevent littering. Widespread non-compliance with data protection law was discovered, resulting in the DPC exercising corrective powers, including administrative fines, bans on processing, and orders to bring processing into compliance.
The inquiries further found local authorities had an invalid legal basis under the waste management and litter pollution legislation that facilitated CCTV deployment for litter and waste purposes. While this legislation provided local authorities with powers to detect, investigate, and prosecute waste and litter pollution offences, it did not explicitly give the power to deploy or process footage for these purposes, nor did it set out the necessary procedural safeguards for use of these technologies. Consequently, the DPC banned various deployed CCTV cameras.
The DPC made the relevant Government Minister aware of these issues, and worked with the legislature and the Local Government Management Agency (LGMA) to remedy them. The legislative gap was addressed by the Circular Economy and Miscellaneous Provisions Act, 2022, which provided for lawful deployment of recording technology, including CCTV, for the enforcement of litter pollution and waste management legislation subject to statutory codes of practice. The DPC was involved in pre-legislative scrutiny of the Act and worked with the LGMA in 2024 on three codes of practice for local authorities to use CCTV and mobile recording devices to combat waste and litter pollution offences. The DPC played an active role in the scrutiny of these codes and made detailed observations on all three codes.
The DPC has seen a significant improvement in awareness and compliance due to this initiative. It is clear from engagement with local authorities that increased effort is put into DPIAs and compliance documentation. The DPC is also receiving frequent queries from local authorities on implementing the codes of practice. The DPC has regular face-to-face engagement with local authority DPOs in various fora. The new legislation provides a basis for use of CCTV that is clear, precise and foreseeable to data subjects, and protects against the risk of disproportionate surveillance by authorities.
Why the initiative deserves to be recognised by an award?
This initiative deserves to be recognised because it demonstrates how the DPC’s work brings about positive systemic change. It started with identifying the problem and the infringements of data protection law and the necessary exercise of corrective powers, i.e. local authorities using CCTV without a lawful basis, and then resulted in the DPC contributing to solving the problem, through pre-legislative scrutiny of new legislation and practical guidance through the creation of three codes of practice. Through its engagement, the DPC ensured that the new legislation provides a legal basis for local authorities to use CCTV and other recording technologies that protects the fundamental rights to privacy and data protection and that ensures that the use of these technologies is limited to circumstances where they are necessary, proportionate and in the public interest. The DPC’s decisions and engagement with the relevant government Departments have resulted in legislative and behavioural change in a way that facilitates our policy objective. The DPC has gone from a position of awareness raising about data protection compliance in the abstract to building on practical and improved compliance.
D2 – Entry by: Information and Privacy Commissioner of Ontario
Description of the initiative:
Effective since 2024, this new enforcement authority to impose AMPs is intended to give Ontarians confidence that there are effective mechanisms to encourage compliance with PHIPA and deter against threats to their personal health information.
On the day the regulation came into force, the IPC released guidance setting out a comprehensive roadmap of how the IPC intends to exercise these new powers. The guidance explains what we may consider when issuing AMPs, as well as the factors that will inform the amount imposed on a case-by-case basis.
The IPC’s enforcement model for AMPs is adapted from the “just culture approach”, commonly used in the health sector to address medical errors. This approach uses a gradation of responses to foster a culture of learning, continuous improvement and accountability. It emphasizes the value of reporting and learning from errors that occur in complex systems, reserving more severe consequences for recalcitrant behaviours where stronger responses are necessary.
Similar to medical errors, privacy breaches can be the result of honest, one-off mistakes, while others may be due to more repeated or systemic issues. In yet other cases, privacy breaches may result from reckless or negligent behaviour, or even deliberate and maligned intention.
The IPC’s enforcement approach under PHIPA was modelled after this “just culture approach” to reflect the plurality of situations that may give rise to privacy breaches. It includes a range of tools to be used in a just and proportionate manner, depending on the severity of the circumstances. The toolbox includes: awareness-raising and education, advice and recommendations, early resolution and mediation, binding orders, AMPs, and in the most serious of cases, referral to the Attorney General for prosecution of offences that may result in significant fines and imprisonment.
The IPC’s guidance explains, in clear language:
- What AMPs are, and what they are intended to achieve
- When AMPs might be issued, using concrete examples
- How the IPC will determine the quantum of AMPs depending on a number of explicit factors
To accompany the guidance document, the IPC also released an animated video to explain and raise awareness of AMPs in the health sector.
Why the initiative deserves to be recognised by an award?
IPC’s AMP guidance was designed to uniquely map onto the “just culture approach” used in the health system to deal with medical errors. By resonating with a regulatory approach already familiar to most health institutions, our intention was to secure early buy-in and understanding. Ultimately, we want to support compliant behaviour in a fair and proportionate manner — not create a chill against reporting breaches for fear of undue punishment.
IPC’s AMP guidance provides health institutions with clear guidance on what they can expect as we implement this new enforcement authority, while at the same time assuring individuals that there is a strong regulatory framework in place to protect their personal health information.
These aims foster trust in digital health, one of the IPC’s key strategic priorities. Our goal is to promote confidence in the digital health care system by guiding custodians to respect the privacy and access rights of Ontarians, and supporting the pioneering use of personal health information for research and analytics to the extent it serves the public good.
Written in accessible language, this document makes it easy for both institutions and the public to discern key takeaways about AMPs and how they will be implemented.
D3 – Entry by: Information Commissioner’s Office (UK) and Office of the Privacy Commissioner (Canada)
Description of the initiative:
In October 2023, 23andMe suffered a data breach that affected almost 7 million of its customers worldwide. Given the scale of the breach, the sensitivity of the personal information involved, and the international service provided by 23andMe, OPC and ICO decided to jointly investigate 23andMe’s privacy practices and compliance with Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018).
The joint investigation featured investigators, legal services, communications teams and executive team members from both agencies and involved collaboration at every level of each partner organisation. Our Offices worked together on all aspects of the investigation, from initial enquiries, to conducting interviews, to analysis of data and report drafting.
– Utilised compatible technology to set up shared workspaces for live time collaboration on documents;
– Investigative processes were mapped out and aligned;
– Legal review conducted to assess the alignment between respective legislative frameworks;
– Information was shared between both Offices, reducing repeated requests to 23andMe for the same information;
– Information already independently supplied to both agencies was examined to identify inconsistencies and irregularities;
– Investigative enquiries were jointly drafted between both organisations;
– Responses were independently examined by both Offices, providing a level of challenge and robustness to the resulting conclusions;
– New elements were incorporated into existing processes from the partner Office (e.g. ICO participating in interviews hosted by OPC and the OPC attending an ICO oral hearing as observers);
– Joint report produced with extensive alignment on findings and presenting a unified response to the incident and our investigation.
Via the above, our Offices were able to demonstrate the compatibility of their investigative approaches and also their respective legislative frameworks. The joint report features almost complete alignment in our findings of contraventions of both UK GDPR and PIPEDA, showing that the standards required by both sets of legislation are compatible and consistent.
Our offices’ approach presented a unified front to 23andMe, demonstrating the seriousness of the incident and our commitment to act together as partner regulators. We proved that multi-national companies can be subject to collaborative investigations from multiple regulators, and showed the value of enforcement cooperation to amplify impact.
Why the initiative deserves to be recognised by an award?
– Both Commissioners were actively involved and committed to effective enforcement cooperation outcomes.
– We used technology to collaborate in real-time, dramatically improving efficiency and timeliness of responses.
– We addressed different legislative frameworks by thorough analysis of the respective requirements and careful enquiry drafting.
– We leveraged expertise across both organisations to streamline analysis and provide robust evidence.
– We leveraged the time difference with efficient handovers and shared responsibilities, enabling 24 hour case coverage.
– Using GPA’s Enforcement Cooperation Handbook, we aligned investigatory processes and timelines to present a unified approach.
– We built capacity and learned new skills, e.g., conducting joint interviews – a novel approach for ICO.
– We were flexible, finding collaborative ways to overcome challenges, e.g., reacting quickly to 23andMe’s bankruptcy by issuing documents ahead of schedule while respecting reporting restrictions.
– We produced innovative final products including a joint authored report.
– We demonstrated compatibility of legislation while supporting independent conclusions of each Office; retaining integrity of processes and compliance with local legislation.
– We avoided duplication of effort and amplified impact, improving both protections for people and the organisation’s compliance, and setting clear global regulatory expectations for wider industry.
– Supporting GPA’s vision to strengthen enforcement capacities, we are sharing lessons learned and advice with other DPAs for future joint investigations.
D4 – Entry by: Instituto de Transparencia, Acceso a la Información Pública, Protección de Datos Personales y Rendición de Cuentas de la Ciudad de México
Description of the initiative:
INFOVERSO is a pioneering digital platform created by INFOCDMX to strengthen dispute resolution processes concerning access to public information and, critically, the protection of personal data. Developed using FrameVR’s metaverse technology, INFOVERSO enables citizens and public authorities to engage in conciliation hearings within an immersive, interactive virtual space that is fully accessible through standard web browsers on computers, smartphones, or VR devices—without requiring downloads, user accounts, or the disclosure of any personal data.
At its core, INFOVERSO is privacy-centric. Participants interact through customizable avatars that preserve anonymity and ensure confidentiality throughout the hearing process. Real-time document sharing and collaborative tools support fair, balanced dialogue while upholding due process and minimizing exposure of sensitive data. These features have already proven successful in the resolution of diverse disputes.
By eliminating physical and technological barriers, INFOVERSO expands procedural accessibility for vulnerable and geographically remote populations. It also serves as an educational space, offering guided virtual tours and materials on the rights to privacy and information, contributing to the broader culture of digital rights.
Uniquely, INFOVERSO was conceived and developed entirely by INFOCDMX’s internal teams, leveraging institutional resources without additional external funding. This demonstrates a cost-efficient, replicable model of public innovation that integrates cutting-edge technology with a strong human rights framework.
Why the initiative deserves to be recognised by an award?
INFOVERSO is an innovative, rights-based solution that advances both access to information and the protection of personal data through inclusive digital transformation. It is one of the first platforms in Latin America to use immersive virtual environments for privacy-sensitive dispute resolution, breaking new ground in how public institutions can guarantee procedural fairness while safeguarding individual anonymity.
Its impact is tangible: faster resolution of cases, increased participation by previously excluded groups, and enhanced trust in public institutions. Most notably, INFOVERSO has successfully facilitated conciliations in cases involving access and privacy rights, demonstrating the platform’s practical value in real-world legal and administrative contexts.
Designed and deployed using internal public resources, INFOVERSO challenges the assumption that innovation requires high-cost infrastructure. Its accessibility, privacy-by-design architecture, and educational features make it a scalable and replicable model for other data protection authorities.
Recognizing INFOVERSO would highlight the essential link between digital innovation and human rights protection. It shows how immersive technology—when ethically applied—can become a powerful tool for transparency, accountability, and the defense of privacy in the digital age.
D5 – Entry by: Israeli Privacy Protection Authority
Description of the initiative:
A criminal investigation conducted by the Israeli PPA against the Mayor of an Israeli City. According to the findings of the PPA’s investigation, the Mayor misused the municipality’s resident database to promote his political campaign for re-election. This was done in various ways and with the assistance of municipal employees and the campaign staff, in a manner that repeatedly violated the privacy of the city’s residents and involved the use of their personal data.
According to the indictment filed following the PPA’s investigation (and a parallel police investigation for other felonies), the offenses included the following events, which took place over several years:
- Under the mayor’s direction, personal information and political opinions of city residents were recorded in the municipal database;
- The database, some of which is legally transferred from the Population Authority to the municipality for city management purposes, was passed on to the campaign headquarters in order to broaden the information about voters and assist the mayor in his re-election campaign;
- The mayor’s campaign headquarters contracted with a software company and provided it with the enhanced database of city residents to develop software that would utilize all the information during the municipal elections.
As a result, databases were created that merged information provided to the municipality for managing city affairs with information collected by the campaign headquarters, and this data was repeatedly used in the course of election campaigns.
Following his indictment, which included other felonies as well, a special statutory committee decided on the mayor’s suspension from his office, for one year. The criminal court proceedings are currently still ongoing.
Why the initiative deserves to be recognised by an award?
The Israeli Privacy Protection Authority (PPA) demonstrated independence in enforcement in a landmark case involving the mayor of a northern medium-sized Israeli city. The PPA uncovered that the mayor systematically misused the municipality’s resident database—originally provided by the Population Authority for public service purposes—to promote his political campaign over several elections.
Under the mayor’s direction, personal data about residents were recorded and unlawfully transferred to the campaign staff and a private software company. These enhanced databases were used to target voters, merging official records with campaign materials in clear violation of the Israeli Privacy Protection Law.
Despite the political sensitivity, the PPA conducted an independent and thorough criminal investigation that led to indictments, criminal sanctions, and the mayor’s suspension from office. This case illustrates the PPA’s role as a fearless and impartial enforcer, capable of holding public officials accountable for privacy violations.
This case exemplifies the PPA’s unwavering commitment to upholding data protection law, and reinforcing accountability through effective enforcement. It stands as a powerful model for privacy protection authorities worldwide and is a compelling candidate for recognition by the Global Privacy Assembly.
D6 – Entry by: Office of the Data Protection Commissioner-Kenya
Description of the initiative:
The ODPC has entrenched dispute resolution and enforcement through its Complaints Investigations and Enforcement (CIE) Directorate, which receives and investigates complaints regarding violations of the Data Protection Act. This department is also in charge of conducting investigations, issuing enforcement notices, and imposing administrative fines for noncompliance with the act.
The Office has simplified the process of lodging complaints for data subjects by allowing them to do so through the website https://www.odpc.go.ke/file-lodge-a-complaint/, where they are directed through the information the Office needs. Furthermore, the Office’s implementation of the Artificial Intelligence (AI) chatbot, LindaData, which aims to provide accessible and real-time assistance to individuals and organizations seeking information on data protection regulations, best practices, and compliance guidelines, has made it easier for data subjects to understand how to file complaints.
ODPC receives complaints on a daily basis and has to comply with the statutory timeline of 90 days. As of 31st May, 2025, the Office had received 7,611 complaints and resolved 7,497 complaints. As a result, the following enforcement actions have been taken:
- Issuance of 247 determinations.
- Issuance of 112 enforcement notices.
- Issuance of 19 penalty notices to ensure that data controllers and processors comply with data protection regulations.
- 20 recommendations for prosecution for the offences under the Act.
- Issuance of 134 compensation orders.
Moreover, 52 complaints have been resolved through Alternative dispute resolution that involves negotiation, mediation and conciliation which is facilitated by the Office through its Alternative Dispute Resolution Framework.
ODPC also conducts investigations on its own initiative in cases involving public interest. For instance, ODPC’s proactive investigation in emerging technologies such as Worldcoin, issuance of cessation orders, collaboration with regulatory and advocacy groups, and supervision of the court-ordered data deletion in the Worldcoin case in Republic v Tools for Humanity Corporation (US) & 8 others; Katiba Institute & 4 others (Exparte Applicants); Data Privacy & Governance Society of Kenya (Interested Party) (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR) (Judicial Review) (5 May 2025) (Judgment) highlights its robust enforcement of Kenya’s Data Protection Act.
Why the initiative deserves to be recognised by an award?
- The ODPC established accessible channels for the public to lodge complaints and has acted on 7,497 complaints, showing responsiveness and building trust in the enforcement mechanism.
- Pioneering Enforcement Actions: The ODPC issued its first penalty notice in December 2022 against Oppo Kenya, imposing the maximum fine of KES 5 million (approximately USD 41,000) for using a data subject’s photo on Instagram without consent, following non-compliance with an enforcement notice. This marked a significant step in demonstrating the ODPC’s commitment to holding entities accountable for data protection violations.
- Diverse and Impactful Penalties: In September 2023, the ODPC issued penalty notices totalling KES 9.375 million to three data controllers, including a school (KES 4.5 million) and a digital credit provider (KES 2.975 million), for breaches such as processing personal data without consent and inadequate notification measures. These actions underscore the ODPC’s ability to tailor penalties to different sectors and violations, reinforcing compliance across industries.
- Setting a Regional Example: ODPC’s actions, including high-profile fines and enforcement notices, set a precedent for other African regulators. Its transparency in publishing decisions and its collaboration with international bodies like the Network for African Data Protection Authorities (NADPA) enhance its regional influence.
D7 – Entry by: Office of the Privacy Commissioner of Canada, Office of the Privacy Commissioner for Personal Data of Hong Kong, China, Information Commissioner’s Office, UK
Description of the initiative:
The Office of the Privacy Commissioner of Canada, with support from the members of the GPEN Committee – the U.S. Federal Trade Commission, the Information Commissioner’s Office of the United Kingdom, the Office of the Privacy Commissioner for Personal Data of Hong Kong, China, and the Privacy Protection Authority of Israel – coordinated and participated in the 2024 GPEN Sweep on deceptive design patterns (DDPs) along with 25 other privacy enforcement authorities from around the world. DDPs are used on websites and mobile apps to influence, manipulate, or coerce users to make decisions that are not in their best interests. They can prevent users from making informed decisions about the collection, use, and disclosure of their personal information, and cause them to give up more privacy than they would like. Because of the relevance of DDPs to both privacy and consumer protection, the Sweep was coordinated for the first time with the International Consumer Protection and Enforcement Network (ICPEN).
OPC Canada was the 2024 “Sweep Coordinator” and developed, in collaboration with participating privacy enforcement authorities, the methodology to help identify DDPs while ensuring the evaluation of apps and websites was conducted according to similar standards. Questions focused on five indicators: (i) Complex and confusing language (ii) Interface interference (iii) Nagging (iv) Obstruction (v) Forced action.
During the process, sweepers reviewed over 1,000 websites and apps aiming to replicate the user experience. On July 9, 2024, the 2024 GPEN Sweep on DDPs Report was released summarizing key observations of the Sweep that found that 97% of websites and apps examined were using DDPs.
In Canada, OPC Canada partnered with two of its provincial counterparts – Alberta and British Columbia – to review some of the platforms that were most popular among children in Canada. On July 9, 2024, OPC Canada released the OPC Sweep Report summarizing key observations that revealed that specific DDPs, such as false hierarchy, confirm shaming, and nagging, occurred significantly more often on children’s websites and apps than on those aimed at the general population.
Following the Sweep, some participating authorities have already followed up or plan to do so with organizations on the issues they have identified through the Sweep. OPC Canada sent letters to a number of organizations to share the results of the Sweep with most having committed to making positive changes to their websites and apps.
Why the initiative deserves to be recognised by an award?
The Sweep was the first cross-regulatory venture of its kind, leading to successful “soft” enforcement actions in some jurisdictions. It is an example of how privacy enforcement authorities can not only cooperate through formal joint or coordinated investigations but can also come together on soft enforcement actions to incite change. It demonstrates that by working together, privacy enforcement authorities can expand their capacity and amplify their impact for the protection of privacy and personal data.
Through panel engagements at global privacy events such as the 46th GPA in Jersey, APPA 62 Forum and the 2025 IAPP Global Summit, this initiative has raised awareness of this important issue for individuals to be aware of DDPs, so that they can better protect their privacy and personal information online. Ensuring that privacy is respected and protected by design will create a safer online environment for everyone, especially children, and increase individuals’ trust in the global digital environment.
The Sweep also led to engagement with the industry. For instance, OPC Canada followed up with Canadian organizations to share the issues identified through the Sweep. This approach resulted in most organizations being contacted committing to making a positive change to their websites and apps.
D8 – Entry by: Albanian Information and Data Protection Commissioner
Description of the initiative:
The Cooperation Agreement between the Republic of Albania and Eurojust was ratified by Law no. 113/2018.
IDP has a specific role in the implementation and enforcement of this Agreement, as defined in Article 19 thereof. Specifically, this article designates the IDP as the competent authority responsible for monitoring the actual implementation of the Agreement, as well as developments in the field of data protection and data security.
Reporting is carried out annually to the Data Protection Officer of Eurojust. In accordance with Article 19 of the Agreement, the IDP is expected to benefit from best practices in the context of reporting to Eurojust. As the authority responsible for oversight in the field of personal data protection, IDP bears the obligation to engage in regular exchanges of views with Eurojust.
In fulfillment of this obligation, in September 2023, representatives of the General Directorate for the Protection of Personal Data in the IDP conducted a study visit to The Hague, in cooperation with representatives from Eurojust and the Dutch Data Protection Authority. The Liaison Prosecutor of the Republic of Albania to Eurojust also participated in this meeting.
The objective of the study visit was to provide appropriate technical assistance and expertise to the Albanian delegation for the creation and development of a structured methodology for monitoring, reporting, and enforcing compliance with the Agreement with Eurojust, particularly regarding the implementation of personal data protection legislation.
Subsequently, the IDP conducted a monitoring process at the General Prosecutor’s Office, the Prosecutor’s Offices of General Jurisdiction, and the Special Structure Against Corruption and Organized Crime (SPAK), focusing on the processing of personal data, the exchange of operational information, the assessment of compliance with data protection obligations, and the identification of preventive measures to address shortcomings, in line with the obligations of the Agreement with Eurojust.
Upon completion of this monitoring process, in July 2024, the IDP prepared the Annual Monitoring Report addressed to Eurojust, titled: “On the Cooperation Agreement between the Republic of Albania and Eurojust regarding the implementation of obligations related to the protection of personal data”.
This report was prepared in the framework of implementing the Agreement with Eurojust, reflecting the current situation regarding the protection and security of personal data, the measures taken, and the strategies applied in support of data protection legislation. Its aim is to ensure the security, protection, and privacy of data processed by the prosecution system during the international transfer of operational data and the exchange of information with Eurojust.
In addition, the IDP drafted five monitoring reports addressed to various prosecutor’s offices. These reports outlined the relevant conclusions and recommendations regarding the adoption of concrete measures in compliance with the Law on Personal Data Protection and its secondary legislation, with the purpose of improving the functioning of the prosecution system within the framework of the Agreement with Eurojust.
It is important to emphasize that this report was drafted for the first time by the IDP and submitted to Eurojust, positioning Albania as the first country among the Western Balkans and Eastern Partnership regions to carry out such reporting within the framework of cooperation with Eurojust.
Why the initiative deserves to be recognised by an award?
This initiative serves as a strategic approach to promote the enforcement of personal data protection legislation and to familiarize with best practices identified during the process by the IDP. Its aim is to ensure that a field as sensitive as the competent authorities remains vigilant in safeguarding the protection and security of personal data, particularly sensitive criminal data processed during the activities of the prosecution system.
Furthermore, the Annual Monitoring Report has been well received and positively evaluated by Eurojust, ranking Albania as the third country among non-EU third countries in terms of the highest number of cooperations with Eurojust in 2024.
This successfully carried out initiative by the IDP also serves as a best practice, due to its structured approach and the training of staff regarding specific obligations within the framework of cooperation between countries and international organizations.
It is worth emphasizing that the study visit of IDP to Eurojust in The Hague, which also included the Liaison Prosecutor of the Republic of Albania, provided the Albanian delegation the necessary technical expertise for the creation and development of a structured methodology related to monitoring and reporting on the Agreement with Eurojust, particularly regarding the implementation of personal data protection legislation.
In September 2024, the Data Protection Academy in Brussels, a project established by the European Commission, the Regional Cooperation Council (RCC), EDPS, DG JUST, SIGMA, ReSPA, and GIZ, recognized the Annual Monitoring Report of the IDP, as a positive model of inter-institutional cooperation and as one of the best practices reflecting the work carried out by the Republic of Albania.
D9 – Entry by: Office of the Australian Information Commissioner (OAIC)
Description of the initiative:
The Australian Information Commissioner agreed to a $50 million payment program as part of an enforceable undertaking (EU) received from Meta Platforms, Inc. (Meta) to settle civil penalty proceedings. The payment scheme will be open to eligible Australian Facebook users impacted by the Cambridge Analytica matter.
The Commissioner alleged that the personal information of some Australian Facebook users was disclosed to the This is Your Digital Life app in breach of the Privacy Act 1988 (Cth). The information was exposed to the risk of disclosure to Cambridge Analytica and other third parties, and risked being used for political profiling purposes.
The agreement followed a court-ordered mediation, which had been ongoing since February 2024, as part of the Federal Court civil penalty proceeding the Commissioner commenced in March 2020.
The EU requires Meta to set up a payment scheme, which will be run by an independent third-party administrator. The scheme will be open to individuals who:
- held a Facebook Account between 2 November 2013 and 17 December 2015;
- were present in Australia for more than 30 days during that period; and
- either installed the This is Your Digital Life app or were Facebook friends with an individual who installed the app.
The payment scheme will be structured into two tiers of payments. The first will permit individuals to apply for a base payment if they believe they experienced generalised concern or embarrassment because of the matter. The second category will provide for specific payment, likely to be higher than the base payment, to those who can demonstrate they have suffered loss or damage. The third-party administrator will also establish a timely internal review avenue for individuals in relation to the payment scheme.
Any residual funds not exhausted in the payment scheme will be paid into the Commonwealth’s Consolidated Revenue Fund. Meta also paid a contribution to the Commissioner’s legal costs.
Why the initiative deserves to be recognised by an award?
The payment scheme demonstrates that all entities operating in Australia must be transparent and accountable in the way they handle personal information, in accordance with their obligations under Australian privacy law, and give users reasonable choice and control about how their personal information is used. Australians need assurance that whenever they provide their personal information to an organisation, they are protected by the Privacy Act wherever that information goes.
The settlement represents the largest ever payment dedicated to addressing concerns about the privacy of individuals in Australia and represents a substantive resolution of privacy concerns raised by the Cambridge Analytica matter.
We remain committed to applying our powers under the Privacy Act to achieve proportionate outcomes to ensure that Australians’ privacy is protected, particularly with respect to technologies that have a high privacy impact. This groundbreaking outcome reflects the significant concerns of the Australian community.
D10 – Entry by: California Privacy Protection Agency
Description of the initiative:
The CPPA’s investigative sweep of data broker registration doubled down on the agency’s efforts to hold data brokers accountable for privacy violations.
California law requires data brokers to register with the CPPA and pay a fee annually. Registration is important because it brings transparency to the data broker industry. In addition, because California is an opt-out jurisdiction, the registry identifies data brokers and gives consumers a way to assert their privacy rights.
Registration is even more important because starting in 2026, the CPPA will be launching an online portal where consumers can submit a single request to delete their non-exempt personal information held by all data brokers. This one-stop system means that consumers will not have to contact each data broker individually to assert their deletion rights.
In October 2024, the CPPA’s Enforcement Division announced an investigative sweep of data broker compliance with the registration requirement. The CPPA promptly brought more than a half dozen enforcement actions against data brokers, including the following:
- Securing a settlement agreement requiring data broker Background Alert — which promoted its ability to dig up “scary” amounts of information about people — to shut down or pay a steep fine.
- Bringing an enforcement action against National Public Data, Inc., a Florida-based data broker responsible for a data breach that exposed the personal information of millions of people.
- Securing settlements requiring data brokers Key Marketing Advantage LLC, Infillion, The Data Group LLC, Growbots, Inc., and UpLead LLC to pay fines and abide by injunctive terms after failing to register with the CPPA.
Why the initiative deserves to be recognised by an award?
Data brokers present unique threats to privacy. By design, data brokers traffic in consumers’ personal information—including highly personal information that reveals sensitive details about our lives and identities. California is preparing to launch a new system in 2026, called the Delete Request Opt Out Platform (“DROP”), that will allow consumers to ask all registered data brokers to delete their personal information. Deletion is one of the most important rights available under California’s cutting-edge privacy law.
The DROP system depends on having a full and complete registry of data brokers. The CPPA’s investigative sweep against data brokers represents a significant effort to ensure that data brokers are properly registered, thus allowing more consumers to use the DROP system starting next year. The CPPA’s subsequent enforcement actions against more than a half dozen data brokers show that the agency is prepared to hold them accountable.
These enforcement actions matter because data brokers will soon face higher penalties. Starting in 2026, data brokers will be subject to a $200 fine for each deletion request for each day the data broker fails to delete the information. The penalty amount will add up quickly for those that fail to comply with the requests to delete.
D11 – Entry by: National Privacy Commission
Description of the initiative:
With the exponential rise in data privacy complaints in the Philippines – largely due to the fast-paced digitalization of various services – the National Privacy Commission (NPC) recognizes the urgent need to improve public awareness of and access to its alternative dispute resolution mechanism, specifically, mediation.
While mediation offers a swift and cost-effective way to settle privacy disputes, it remains unfamiliar and intimidating to many, particularly ordinary citizens who may lack legal knowledge or access to legal support.
To address this, the NPC launched the Mediation Infographic Initiative, a public information campaign designed as a comic strip – a format deeply rooted in Filipino culture and storytelling. Known locally as “komiks”, comic strips have long served as an accessible and entertaining way to convey serious messages to the public or confront issues through real-life scenarios. In this way, cultural familiarity is leveraged to present mediation in a relatable, realistic and engaging format.
Using local language (Filipino), conversational tone, and culturally resonant illustrations, the comic strip demystifies the NPC’s mediation procedure—from filing a complaint to participating in a mediation conference—through the story of everyday characters navigating real-world data privacy concerns.
Widely distributed through the NPC website and social media platforms, and soon in print, the comic strip ensures accessibility across all communities. Through this, the Commission hopes to build a more inclusive and engaged ecosystem where every Filipino is empowered to protect their personal data.
Why the initiative deserves to be recognised by an award?
The NPC’s Mediation Infographic Initiative deserves recognition for its culturally grounded, inclusive approach. It serves as a tool to promote an effective and efficient way of settling data privacy disputes and an avenue for parties to complaints to have a platform to discuss matters affecting their data privacy rights.
Oftentimes, matters like dispute resolution and enforcement are viewed as something restrictive, intimidating and distant from the everyday lives of ordinary people. It gives the impression that the public, without legal counsel or assistance, cannot successfully defend or assert their rights. With the Mediation Infographic Initiative, data subjects realize that they can take an active role in resolving their dispute and achieving justice without the concomitant legal expenses usually attributed to case resolution.
Most importantly, this Initiative shifts the perception of enforcement from punishment to partnership. It brings clarity to a crucial redress mechanism through relatable visuals and understandable language. By using komiks, the Initiative is able to break down the most complex concepts and legal procedures. It is truly impactful in a country where digital literacy and access to legal support vary widely. This Initiative deserves recognition for defying barriers that hinder immediate redress to privacy concerns of the Filipino people.