On 7 May 2026, negotiators from the Council of the European Union, the European Parliament, and the European Commission reached a provisional agreement on the terms of the Digital Omnibus on AI, marking the first set of amendments to the EU AI Act since its adoption in June 2024. The final package of amendments reflects a mix of pragmatic timeline extensions, focused simplification measures, and a small number of substantive policy changes.
Continue Reading EU AI Act Update: Timeline Relief, Targeted Simplification, and New ProhibitionsEuropean Union
EU Sets the Clock on Age Verification: Rollout Urged by End‑2026
Posted in European Union, Minors
The European Commission has set a clear timeline for rolling out age verification across the EU:
- by June 30, 2026, Member States are encouraged to submit implementation plans; and
- by December 31, 2026, at least one EU‑compliant age verification solution should be available in each Member State.
This timeline, set…
Continue Reading EU Sets the Clock on Age Verification: Rollout Urged by End‑2026CNIL Publishes Recommendation on Email Tracking Pixels
By Alix Bertrand & Kristof Van Quathem on
Spain’s Supervisory Authority Issues New Guidance on AI‑Based Voice Transcription
On April 20, 2026, the Spanish Data Protection Agency (AEPD) has published new guidance on how to comply with the GDPR when using AI‑powered voice transcription tools. The guidance builds on earlier AEPD guidance on this topic from January 2026. This blog post sets out the key takeaways of both guidance documents, which are only available in Spanish.
The AEPD’s guidance confirms a risk‑based approach to AI‑powered voice transcription. Organizations using these tools should not treat transcription as a purely technical feature, but as a processing activity that requires continuous governance, clear transparency, and proactive safeguards. Given the widespread and growing use of transcription tools across business functions, this guidance is likely to be relevant well beyond Spain.
Continue Reading Spain’s Supervisory Authority Issues New Guidance on AI‑Based Voice TranscriptionNew EDPB Guidelines on the Use of Personal Data in Scientific Research
Posted in European Union, Health Privacy
On April 15, 2026, the European Data Protection Board (EDPB) published draft Guidelines 1/2026 on the processing of personal data for scientific research purposes (Guidelines). The Guidelines are open for public consultation until 25 June 2026. They aim to clarify how the GDPR applies to academic, public‑sector, and commercial research, including research that relies on AI, large data sets, and the reuse of personal data. The Guidelines do not cover the application of other EU or Member State law regulating scientific research or the processing of genetic, biometric, or health data specifically.
Continue Reading New EDPB Guidelines on the Use of Personal Data in Scientific ResearchCJEU Advocate-General indicates that communications network operators can lawfully be required to remove Chinese components, and that compensation is not required
On 19 March 2026, Advocate-General Capeta issued an opinion in the case of Elisa Eesti AS v Estonian Government Security Committee (C-354/24). This case concerned, among other things, whether a 2022 order from the Estonian Government for Elisa Eesti AS—a 5G network operator—to remove Huawei components from its network for national security reasons was subject to EU law, constituted a lawful restriction on the right to offer an electronic communications network, and amounted to a “deprivation of property” requiring compensation.
AG Capeta concluded that the relevant Estonian regime was within scope of EU law—specifically the European Electronic Communications Code (“EECC”)—even though that regime allowed for the imposition of orders on electronic communications network (“ECN”) providers for national security reasons. She also concluded that the requirement to obtain prior authorization from the Estonian government for use of network equipment constituted a restriction on the freedom to provide an ECN, but that this could be justified on national security grounds if the decision was based on a genuine risk assessment that meets the requirements for proportionality under EU law. She stated that this determination should be left to the referring court. Finally, she concluded that the Estonian Government’s order did not amount to a “deprivation” of property for which compensation would be required, as it was instead a mere “restriction” on the use of property.
Below, we describe these non-binding conclusions in more detail. The Court’s final ruling in this case will have significant implications for the European Commission’s proposed revisions to the EU Cybersecurity Act, which as drafted would—among other things—allow the Commission to require ECN providers to remove and cease using components from designated high-risk jurisdictions in their networks. See our prior blog post on the proposal for a revised Cybersecurity Act here.
…
Continue Reading CJEU Advocate-General indicates that communications network operators can lawfully be required to remove Chinese components, and that compensation is not required
EU Court Defines Limits to the GDPR Right of Access
By Kristof Van Quathem on
Posted in Data Privacy, EU Data Protection, European Union, GDPR, GDPR Rights, Litigation, Uncategorized
On March 19, 2026, the CJEU issued its judgment in the Brillen Rottler case (C‑526/24). The case concerns the GDPR right of access and the conditions for claiming damages. In the underlying facts, an Austrian individual subscribed to Brillen Rottler’s newsletter and, two weeks later, exercised his right of access.
Continue Reading EU Court Defines Limits to the GDPR Right of AccessSpanish Supervisory Authority Issues Detailed Guidance on Agentic AI and GDPR Compliance
In February 2026, the Spanish data protection authority (Agencia Española de Protección de Datos, “AEPD”) published guidance on data protection issues related to the use of AI agents. The guidance follows an earlier, similar analysis by the UK Information Commissioner’s Office, which we discussed in a prior blog…
Continue Reading Spanish Supervisory Authority Issues Detailed Guidance on Agentic AI and GDPR ComplianceFrance’s Highest Administrative Court Upholds CNIL’s Standard On Anonymization
By Alix Bertrand & Kristof Van Quathem on
On February 13, 2026, France’s highest administrative court (“Conseil d’État”) delivered an important decision clarifying the boundary between pseudonymization and anonymization under the GDPR. The ruling confirms that data which remain re‑identifiable in practice—even with some effort—must be treated as personal data under the GDPR by service providers, unless the risk of re‑identification by such providers can genuinely be regarded as insignificant.
Continue Reading France’s Highest Administrative Court Upholds CNIL’s Standard On AnonymizationEDPB Publishes Report on Stakeholder Event on Anonymisation and Pseudonymisation
On February 18, 2026, the European Data Protection Board (“EDPB”) published its Report on Stakeholder Event on Anonymisation and Pseudonymisation of 12 December 2025 (the “Report”). The Report summarises feedback from a remote stakeholder event convened to inform the EDPB’s ongoing work on Guidelines 01/2025 on Pseudonymisation (version for public consultation available here) and forthcoming guidance on anonymisation. The event gathered input from 115 participants spanning industry, NGOs, academia, law firms, and public sector bodies.
The objective of the Report is to capture stakeholder insights on how the General Data Protection Regulation (“GDPR”) applies to anonymisation and pseudonymisation, particularly following the Court of Justice of the European Union’s (“CJEU”) judgment in EDPS v SRB (C‑413/23 P). (See our previous blog post here.)
Continue Reading EDPB Publishes Report on Stakeholder Event on Anonymisation and Pseudonymisation