Environmental information regulation

Access to information is a critical component of a modern democracy. Ensuring that individuals, communities, businesses and other organisations have the opportunity to request and receive public documents is essential for effective participation in public life and it helps to make government and governance more efficient, open and transparent. The right to receive and impart information subject to appropriate exceptions is found in the Article 10 right under the European Convention on Human Rights and Fundamental Freedoms 1950: Freedom of Expression.

The right of access to environmental information is a key international norm found for instance, in Principle 10 of the Rio Declaration on Environment and Development 1992 which provides that:

‘Environmental issues are best handled with the participation of all concerned citizens, at the relevant level. At the national level, each individual shall have appropriate access to information concerning the environment that is held by public authorities, including information on hazardous materials and activities in their communities, and the opportunity to participate in decision-making processes. States shall facilitate and encourage public awareness and participation by making information widely available. Effective access to judicial and administrative proceedings, including

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest Information Law News

Finnish SA fines S-Bank €1.8m for mobile banking authentication vulnerability

The Finnish Supervisory Authority (SA) has fined S-Bank EUR 1.8m and issued a reprimand for breaches of the EU General Data Protection Regulation (EU) 2016/679 (EU GDPR) after investigating a personal data breach reported in August 2022. The breach occurred when a new login function introduced in April 2022 contained a software flaw allowing customers to access others’ online banking accounts using strong authentication, leaving the vulnerability exploitable for more than three months and affecting a significant number of users. The SA found that S-Bank had failed to implement adequate safeguards, properly test the software, or respond appropriately to customer reports of login anomalies, violating Articles 5(1)(f), 25(1), 32(1), and 32(2) of the EU GDPR. The penalty reflected the seriousness of the breach, the protection of individuals’ rights, a prior reprimand, and consideration of a related EUR 7.67m fine imposed by the Finnish Financial Supervisory Authority in May 2025 for negligence in managing operational risks.

Direct email marketing and ‘sale’ under ePrivacy Directive (Inteligo Media)

EU Law analysis: The Court of Justice has clarified that offering a free user account may under certain conditions amount to a ‘sale’ of a service under Article 13(2) of the ePrivacy Directive, permitting companies to send direct marketing emails to such users under the so-called soft opt-in exception. The court held that indirect economic benefit, rather than direct payment, suffices for establishing a commercial relationship. Further, the court, in line with the Advocate General, found that Article 13(2) of the ePrivacy Directive is exhaustive, meaning that organisations meeting the soft opt-in criteria do not require a separate EU GDPR justification to send marketing emails. The decision is significant for practitioners advising on direct marketing compliance and demonstrates the precedence of ePrivacy rules over the EU GDPR where sector-specific provisions exist. Companies using freemium or similar models now have greater legal certainty, but must still ensure all conditions of the soft opt-in are rigorously met. Written by Wiebke Reuter, salary partner at Taylor Wessing, and Susan Hillert, associate at Taylor Wessing.

Information Law weekly highlights—20 November 2025

Welcome to this week’s edition of the Information Law weekly highlights a hand-picked summary of news analysis, updates and new content related to laws governing the use and dissemination of information and personal data. Each week these highlights focus on developments in key topics such as data protection, ePrivacy, cybersecurity, breach of confidence, misuse of private information, and defamation.

EDPS issues guidance to help EU bodies manage AI-related data protection risks

The European Data Protection Supervisor (EDPS) has published guidance to assist EU institutions, bodies, offices and agencies in identifying and mitigating data protection risks linked to artificial intelligence (AI) systems under Regulation (EU) 2018/1725. The Guidance for Risk Management of Artificial Intelligence systems outlines a framework aligned with ISO 31000:2018 for assessing and treating risks throughout the AI lifecycle. It emphasises technical mitigation of risks to fairness, accuracy, data minimisation, security and data subject rights, offering detailed measures to prevent bias, ensure interpretability and protect personal data. The document complements existing EDPS orientations on generative AI and data protection impact assessments, aiming to foster accountability and lawful AI deployment by EU controllers.

View Information Law by content type :

News