This Week in Privacy: Apr 6-12, 2026
The most significant privacy development this week wasn't a single breach or policy change, but rather a structural shift affecting hundreds of millions of users: Instagram's sweeping privacy policy overhaul that moved the platform's data controller from Ireland to the United States. Meanwhile, healthcare systems, law firms, and government agencies continued to fall victim to ransomware attacks, and a federal government attempt to unmask an anonymous critic raised serious First Amendment concerns.
Top Stories
Instagram Moves Data Control to the U.S., Removes Transparency Provisions
Instagram fundamentally restructured its privacy framework this week by shifting its data controller from Meta Platforms Ireland Limited to Meta Platforms, Inc. The change means Instagram users worldwide may now fall under U.S. jurisdiction rather than the EU's stricter GDPR regime. The revised policy also removed key transparency provisions, including detailed explanations about joint data processing arrangements with Facebook Page admins and specific EU-focused legal basis information. New language emphasizes Meta's use of cross-product data, cookie-based activity tracking, and inferred interests for ad personalization, while eliminating previous references to user controls over how partner data is used. The policy even removed age and gender as required fields for account creation and deleted mentions of specific cookie settings controls that users previously had access to.
Federal Subpoena Targets Anonymous Reddit User Who Criticized ICE
U.S. Immigration and Customs Enforcement issued a grand jury subpoena demanding Reddit hand over the name, address, and phone number of a user who allegedly criticized the agency online. The April 12 subpoena from federal prosecutors in Washington, D.C. came after an earlier attempt through a California court failed. Reddit's attorneys called the action a "disturbing escalation" and argued the user's posts and anonymity are protected by the First Amendment, though the company hasn't publicly stated whether it will challenge the order. The case raises fundamental questions about anonymous speech rights and government power to identify critics.
Healthcare Ransomware Attack Forces Hospital Offline, Disrupts Patient Care
Brockton Hospital in Massachusetts was hit by ransomware on April 7, forcing the facility to divert ambulances, cancel chemotherapy appointments, and shift to paper-based operations expected to last two weeks. The Anubis ransomware group encrypted hospital systems despite claiming they were careful to avoid harming patient care. The encryption continues to prevent patients from filling new prescriptions, demonstrating how ransomware directly impacts healthcare delivery. Federal and state officials are assisting with the investigation.
European Privacy Law Creates Legal Gray Zone for Child Safety Scanning
A temporary EU law permitting tech platforms to scan for child sexual abuse material expired April 3, and the European Parliament blocked its extension over privacy concerns. This created a legal gap where automated scanning is now illegal under EU privacy law, even though companies remain obligated to remove such content under separate regulations. Google, Meta, Snap, and Microsoft jointly called the decision an "irresponsible failure" and announced they would continue voluntary scanning despite the regulatory uncertainty, setting up a potential legal confrontation.
In Brief
- Google agreed to pay $135 million to settle claims that Android devices transmitted cellular data without consent from November 2017 onward, covering approximately 100 million U.S. users.
- Rockstar Games confirmed a third-party breach after hackers issued a ransom demand with an April 14 deadline, though the company says operations and players are unaffected.
- Jones Day law firm suffered a phishing attack exposing files for 10 clients, with the Silent Ransom Group demanding $13 million and leaking data to the dark web.
- Hackers allegedly stole 7.7 terabytes of LAPD data, including officer personnel files and unredacted criminal complaints, through a third-party system used by the LA City Attorney's Office.
- Dutch healthcare software vendor ChipSoft was hit by ransomware, though most of the 80% of Dutch hospitals using its patient record software maintained portal access.
- South Korea fined Lotte Card $3.38 million and suspended new enrollments for four months following a breach affecting nearly 3 million customers, in which registration numbers were stored in plain text.
- Christie's was fined $194,000 by South Korean authorities after an employee granted a malicious actor access that exposed data for 620 members.
- French email provider Alinto left 40 million email records exposed in an unsecured Elasticsearch database accessible to anyone on the internet.
- Lakeview Loan Servicing agreed to a $26 million settlement related to a 2021 breach potentially affecting 5.8 million mortgage customers.
- Oklahoma became the 21st state to enact comprehensive consumer privacy legislation, with protections taking effect January 1, 2027.
- A Guardian investigation revealed that child sex traffickers used Facebook and Instagram to buy and sell children through private messaging, leading to Meta losing a multimillion-dollar legal case in March 2026.
The Big Picture
This week revealed a troubling pattern: institutions entrusted with our most sensitive information continue to treat data security as an afterthought. When a Korean credit card company stores social security numbers in plain text, when law firms fall for basic phishing attacks, and when healthcare providers can't keep ransomware out of their systems, we're seeing systemic failures, not isolated incidents. At the same time, Instagram's quiet jurisdictional shift and the government's pursuit of an anonymous critic show how privacy protections can erode through both corporate restructuring and official pressure. The European Parliament's decision on child safety scanning illustrates the genuine tension between privacy and other social goods, but most of this week's events simply demonstrate that organizations collecting vast amounts of personal data still aren't securing it properly. Until the consequences of poor data stewardship exceed the cost of prevention, expect more of the same.