This Week in Privacy: Mar 9-15, 2026
A major European court decision this week overturned one of the largest privacy fines in history, while data breaches continued to plague organizations across sectors, from healthcare to gaming. The week saw 19 separate breach incidents alongside significant policy shifts from tech giants.
Top Stories
Amazon Wins Reversal of Record GDPR Fine
In a landmark decision that could reshape European privacy enforcement, a Luxembourg court overturned a €746 million GDPR fine against Amazon on March 13. The court annulled the ruling entirely and sent the case back to Luxembourg's data protection regulator for reassessment. This fine had been one of the largest privacy penalties ever imposed, and its reversal raises questions about how European regulators calculate and justify massive GDPR penalties. The decision doesn't mean Amazon is off the hook entirely, but the company has won a significant victory in its ongoing battle with European privacy authorities.
Turkish Restaurant Chain Exposes 1.2 Million Users in Major Breach
The Baydöner data breach exposed records tied to over 1.2 million email addresses after hackers published stolen data on a public forum. The compromised information included names, phone numbers, cities of residence, and plaintext passwords. That last detail is particularly concerning: passwords stored in plaintext, rather than as salted hashes, can be used as-is, which makes account takeovers trivial. A smaller subset of records also contained Turkish national ID numbers and dates of birth. While the company stated payment data wasn't affected, the plaintext password storage reveals troubling security practices at the restaurant chain.
Instagram Drops End-to-End Encryption for Direct Messages
Meta announced it will discontinue end-to-end encryption for Instagram direct messages after May 8, 2026, citing extremely low adoption rates. The feature was never enabled by default and was only available on an opt-in basis in some regions. While Meta positions this as removing an unused feature, the decision moves Instagram in the opposite direction from industry trends toward stronger privacy protections. Users who value private conversations may need to migrate to other platforms like WhatsApp, which maintains default encryption.
Microsoft Discloses AI-Generated Marketing Calls
Microsoft updated its privacy policy to explicitly inform users that marketing phone calls may use auto-dialers and artificial or prerecorded voices generated by artificial intelligence. The disclosure represents a new level of transparency about how AI is being used to contact consumers, though it may concern users who prefer human interaction or worry about increasingly sophisticated automated outreach.
In Brief
- Telus Digital confirmed a security breach after hackers claimed to have stolen nearly 1 petabyte of data over multiple months.
- An incident responder was accused by the DOJ of providing information to the BlackCat ransomware gang during negotiations.
- Divine Skins, a League of Legends customization service, lost data from 105,814 accounts after an attacker deleted their database.
- Lotte Card was fined $6.5 million by Korea's privacy regulator after 450,000 social registration numbers leaked.
- Bell Ambulance disclosed a breach affecting nearly 238,000 individuals from an incident that occurred in February 2025.
- England Hockey is investigating after appearing on the AiLock ransomware gang's leak site.
- A foreign hacker compromised FBI files related to the Jeffrey Epstein investigation during a 2023 breach of the New York Field Office.
- Quittr, a porn addiction app, leaked intimate data about hundreds of thousands of users and then lied about its security failures.
- Police Scotland was fined £66,000 for excessive collection and unlawful disclosure of mobile phone data.
- Iranian hackers targeted Stryker, a major U.S. medical device provider with 56,000 employees.
- Ericsson blamed a vendor whose employee fell for a voice-phishing scam, exposing data from over 15,000 people.
- Operation Synergia III took down 45,000 malicious servers and resulted in 94 arrests across 72 countries.
- Adobe agreed to pay $75 million to settle allegations it made subscription cancellations deliberately difficult.
The Big Picture
This week illustrates a troubling imbalance in privacy enforcement and protection. While Europe's largest privacy fine gets overturned, organizations continue to leak sensitive data at an alarming pace, with 19 separate breaches reported in just seven days. The incidents span every sector and reveal fundamental security failures, from plaintext password storage to employees falling for phishing scams. Meanwhile, tech companies are moving in opposite directions on encryption, with Instagram removing privacy features as AI-generated marketing calls become normalized. The gap between privacy regulations and actual data protection continues to widen.