On February 13, 2026, France’s highest administrative court (“Conseil d’État”) delivered an important decision clarifying the boundary between pseudonymization and anonymization under the GDPR. The ruling confirms that data which remain re‑identifiable in practice—even with some effort—must be treated as personal data under the GDPR by service providers, unless the risk of re‑identification by such providers can genuinely be regarded as insignificant.Continue Reading France’s Highest Administrative Court Upholds CNIL’s Standard On Anonymization
EU Data Protection
EU Regulators Issue Opinion on Revisions of GDPR and Other Data Laws
Posted in EU Data Protection, European Union
On February 11, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) (jointly, the Authorities) issued a Joint Opinion on the European Commission’s proposed Digital Omnibus Regulation (Digital Omnibus). This follows their Joint Opinion of January 20, 2026 on the Digital Omnibus on AI.
The Digital Omnibus, as with the other “omnibuses” released by the Commission, aims to streamline several EU laws, reduce administrative burdens for covered entities, and enhance competitiveness in the EU. Once adopted, it should reshape how organizations handle personal data generally, including in relation to AI development, scientific research, and incident reporting. The Authorities welcome efforts to simplify and to promote consistent interpretations of key concepts found in the GDPR, the ePrivacy Directive, the NIS2 Directive, and the remaining Data Acquis. At the same time, they caution that this initiative launched by the Commission must not weaken fundamental rights protections, including data protection.
Below is an overview of the Authorities’ positions. It covers only the key amendments discussed in our previous blog post on the Digital Omnibus.Continue Reading EU Regulators Issue Opinion on Revisions of GDPR and Other Data Laws
Belgian High Court Confirms Full Judicial Review of Supervisory Authority Decisions
On 15 January 2026, the Belgian High Court delivered a judgment in proceedings initiated by the Belgian Supervisory Authority, in which it challenged the scope of judicial review exercised by the Market Court over its enforcement decisions. The authority was unsuccessful on both grounds of appeal.Continue Reading Belgian High Court Confirms Full Judicial Review of Supervisory Authority Decisions
What to Watch in 2026: Key EU Privacy & Cybersecurity Developments
As 2026 gets underway, the European Union enters a pivotal year for data protection, AI governance, and cybersecurity regulation, among other matters. EU institutions and national authorities are expected to progress a number of significant digital‑policy files, roll‑out new cyber‑resilience obligations, and make transparency in the privacy space a top priority. Below is an overview of the key developments to monitor.Continue Reading What to Watch in 2026: Key EU Privacy & Cybersecurity Developments
EU Biotech Act Suggests Clarifying Data Protection Rules For Clinical Trials
By Dan Cooper, Kristof Van Quathem & Alix Bertrand on
On December 16, 2025, the EU Commission unveiled its proposal for the Biotech Act. The proposal, which is only the first part of a bigger initiative for regulating biotechnologies, focuses primarily on the health sector. The Commission took the opportunity to broadly revise the Clinical Trial Regulation (“CTR”) – see our blog post here. In particular, it sought to better align the CTR requirements with those of the General Data Protection Regulation (“GDPR”). This blog post provides an overview of those revisions relating to the processing of personal data during clinical trials.Continue Reading EU Biotech Act Suggests Clarifying Data Protection Rules For Clinical Trials
CJEU Clarifies Responsibilities Of Online Marketplace Operators
By Dan Cooper, Kristof Van Quathem & Alix Bertrand on
On December 2, 2025, the Court of Justice of the European Union (“CJEU”) issued a decision clarifying the obligations of online marketplace operators with regard to content posted on their platform, where such content includes personal data. This blogpost provides an overview of the decision and its key takeaways.Continue Reading CJEU Clarifies Responsibilities Of Online Marketplace Operators
European Commission Proposes Revisions to GDPR and Other Digital Rules Under Digital Omnibus Package
On 19 November 2025, the European Commission (“Commission”) officially presented its Digital Omnibus Package (see here and here). The initiative represents a comprehensive update to the EU’s digital regulatory landscape, which the Commission frames as a competitiveness and simplification initiative aimed at reducing administrative burdens and enhancing legal certainty for businesses. Although the final text is likely to evolve during negotiations with the European Parliament and the Council of the EU (“Council”), the package, if adopted in its present form, would introduce significant changes to data protection obligations, cookie rules, cybersecurity regulations and the EU AI Act.
The Digital Omnibus Package consists of two proposed regulations: a “Digital Omnibus” that would amend, amongst other legislation, the General Data Protection Regulation (GDPR), ePrivacy Directive, NIS2 Directive and Data Act, and a “Digital Omnibus on AI” that would amend the EU AI Act. We outline below key proposals from the Digital Omnibus that have particular significance for organizations operating in the EU.
A summary of amendments affecting the Data Act and the key proposals in the Digital Omnibus on AI will be addressed in subsequent blog posts.Continue Reading European Commission Proposes Revisions to GDPR and Other Digital Rules Under Digital Omnibus Package
Roundup of Cross-Border Data Transfer Developments
Over the past few months, there have been several notable developments in the cross-border data frameworks of the U.S., EU, UK, Brazil, and several Asia Pacific (“APAC”) countries. These developments reflect evolving regulatory approaches to international data flows, trade agreements, and national security priorities—each with certain nuances and particularities that multinational companies need to understand and be prepared to navigate.
This blog post provides a brief summary of these developments and key takeaways for companies transferring personal data to or from these jurisdictions. Continue Reading Roundup of Cross-Border Data Transfer Developments
EDPB to Focus on Transparency in 2026 Enforcement
Posted in EU Data Protection
On October 14, 2025, the European Data Protection Board (“EDPB”) announced that its 2026 coordinated enforcement action (“CEA”) will focus on transparency and information obligations — the rules that require organizations to clearly explain how they collect, use, and share personal data — under Articles 12-14 of the General Data Protection Regulation (“GDPR”).Continue Reading EDPB to Focus on Transparency in 2026 Enforcement
Commission Collects Feedback to Simplify Rules on Data, Cybersecurity and Artificial Intelligence in Upcoming Digital Omnibus
On September 16, 2025, the European Commission launched a call for evidence to collect feedback and best practices on simplifying several key areas of the EU digital rulebook, ahead of its planned Digital Omnibus package. This initiative targets legislation related to data, cybersecurity, and artificial intelligence, aiming to reduce administrative burdens and compliance costs for businesses while preserving high standards of fairness, security, and privacy online.Continue Reading Commission Collects Feedback to Simplify Rules on Data, Cybersecurity and Artificial Intelligence in Upcoming Digital Omnibus