EU Data Protection

On March 25, 2026, the UK’s Office of Communications (“Ofcom”) and the Information Commissioner’s Office (“ICO”) published a joint statement setting out their common expectations for age assurance on online services (“Joint Statement”). The Joint Statement is aimed at services likely to be accessed by children that fall within the scope of the Online Safety Act 2023 (“OSA”) and UK data protection legislation, and is designed to help providers comply with both their online safety and data protection obligations when deploying age assurance.

The Joint Statement arrives alongside a broader push from both regulators—including Ofcom’s recent call to action directed at major tech firms, an open letter from the ICO urging platforms to strengthen their age checks, and several enforcement actions by both regulators.

Continue Reading Ofcom and ICO Issue Joint Statement on Age Assurance

On March 19, 2026, the CJEU issued its judgment in the Brillen Rottler case (C‑526/24).  The case concerns the GDPR right of access and the conditions for claiming damages.  In the underlying facts, an Austrian individual subscribed to Brillen Rottler’s newsletter and, two weeks later, exercised his right of access.

Continue Reading EU Court Defines Limits to the GDPR Right of Access

On February 13, 2026, France’s highest administrative court (“Conseil d’État”) delivered an important decision clarifying the boundary between pseudonymization and anonymization under the GDPR. The ruling confirms that data which remain re‑identifiable in practice—even with some effort—must be treated as personal data under the GDPR by service providers, unless the risk of re‑identification by such providers can genuinely be regarded as insignificant.

Continue Reading France’s Highest Administrative Court Upholds CNIL’s Standard On Anonymization

On February 11, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) (jointly, the Authorities) issued a Joint Opinion on the European Commission’s proposed Digital Omnibus Regulation (Digital Omnibus). This follows their Joint Opinion of January 20, 2026 on the Digital Omnibus on AI.

The Digital Omnibus, as with the other “omnibuses” released by the Commission, aims to streamline several EU laws, reduce administrative burdens for covered entities, and enhance competitiveness in the EU. Once adopted, it should reshape how organizations handle personal data generally, including in relation to AI development, scientific research, and incident reporting. The Authorities welcome efforts to simplify and to promote consistent interpretations of key concepts found in the GDPR, the ePrivacy Directive, the NIS2 Directive, and the remaining Data Acquis. At the same time, they caution that this initiative launched by the Commission must not weaken fundamental rights protections, including data protection.

Below is an overview of the Authorities’ positions. It covers only the key amendments discussed in our previous blog post on the Digital Omnibus.

Continue Reading EU Regulators Issue Opinion on Revisions of GDPR and Other Data Laws

On 15 January 2026, the Belgian High Court delivered a judgment in proceedings initiated by the Belgian Supervisory Authority, in which it challenged the scope of judicial review exercised by the Market Court over its enforcement decisions. The authority was unsuccessful on both grounds of appeal.

Continue Reading Belgian High Court Confirms Full Judicial Review of Supervisory Authority Decisions

As 2026 gets underway, the European Union enters a pivotal year for data protection, AI governance, and cybersecurity regulation, among other matters. EU institutions and national authorities are expected to progress a number of significant digital‑policy files, roll‑out new cyber‑resilience obligations, and make transparency in the privacy space a top priority. Below is an overview of the key developments to monitor.

Continue Reading What to Watch in 2026: Key EU Privacy & Cybersecurity Developments

On December 16, 2025, the EU Commission unveiled its proposal for the Biotech Act.  The proposal, which is only the first part of a bigger initiative for regulating biotechnologies, focuses primarily on the health sector.  The Commission took the opportunity to broadly revise the Clinical Trial Regulation (“CTR”) – see our blog post here.  In particular, it sought to better align the CTR requirements with those of the General Data Protection Regulation (“GDPR”).  This blog post provides an overview of those revisions relating to the processing of personal data during clinical trials.

Continue Reading EU Biotech Act Suggests Clarifying Data Protection Rules For Clinical Trials

On December 2, 2025, the Court of Justice of the European Union (“CJEU”) issued a decision clarifying the obligations of online marketplace operators with regard to content posted on their platform, where such content includes personal data.  This blogpost provides an overview of the decision and its key takeaways.

Continue Reading CJEU Clarifies Responsibilities Of Online Marketplace Operators

On 19 November 2025, the European Commission (“Commission”) officially presented its Digital Omnibus Package (see here and here). The initiative represents a comprehensive update to the EU’s digital regulatory landscape, which the Commission frames as a competitiveness and simplification initiative aimed at reducing administrative burdens and enhancing legal certainty for businesses. Although the final text is likely to evolve during negotiations with the European Parliament and the Council of the EU (“Council”), the package, if adopted in its present form, would introduce significant changes to data protection obligations, cookie rules, cybersecurity regulations and the EU AI Act.

The Digital Omnibus Package consists of two proposed regulations: a “Digital Omnibus” that would amend, amongst other legislation, the General Data Protection Regulation (GDPR), ePrivacy Directive, NIS2 Directive and Data Act, and a “Digital Omnibus on AI” that would amend the EU AI Act. We outline below key proposals from the Digital Omnibus that have particular significance for organizations operating in the EU.

A summary of amendments affecting the Data Act and the key proposals in the Digital Omnibus on AI will be addressed in subsequent blog posts.

Continue Reading European Commission Proposes Revisions to GDPR and Other Digital Rules Under Digital Omnibus Package

Over the past few months, there have been several notable developments in the cross-border data frameworks of the U.S., EU, UK, Brazil, and several Asia Pacific (“APAC”) countries. These developments reflect evolving regulatory approaches to international data flows, trade agreements, and national security priorities—each with certain nuances and particularities that multinational companies need to understand and be prepared to navigate. 

This blog post provides a brief summary of these developments and key takeaways for companies transferring personal data to or from these jurisdictions. 

Continue Reading Roundup of Cross-Border Data Transfer Developments