On September 17, 2025, the German Supervisory Authorities (Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder, DSK) published new guidelines and recommendations addressing the complex requirements for transferring personal data, particularly health data (including health data contained in biomaterials), to countries outside of the European Economic
Italy Adopts Artificial Intelligence Law
On September 23, 2025, the Italian law on artificial intelligence (hereinafter, “Italian AI Law”) was signed into law, after receiving final approval by the Italian Senate on September 17, 2025.
The law consists of varied provisions, including general principles and targeted sectoral rules in certain areas not covered by the EU AI Act. The Italian AI Law will enter into force on October 10, 2025. We provide below an overview of key aspects of the final text of the Italian AI Law. For full detail, please see our previous blogpost here.
European Commission and Brazil Advance Towards Mutual Adequacy Decision
On September 5, 2025, the European Commission announced the launch of the process to adopt an adequacy decision for Brazil under the General Data Protection Regulation (GDPR), involving an assessment of whether Brazil ensures an adequate level of personal data protection comparable to that in the EU. Once adopted, the decision would permit personal data to flow freely between Brazil and the EU without the need for additional safeguards, covering flows from businesses, public authorities, and research projects.
The Brazilian federal government, through the National Data Protection Authority (ANPD), announced that it is simultaneously considering adopting an equivalent adequacy decision to facilitate the uninterrupted flow of data from Brazil to the EU. The parallel initiatives highlight a mutual commitment to aligning privacy and data protection standards across the Atlantic, and take place in a context of closer bilateral relations and increased U.S. scrutiny of Brazilian and European digital policies.
European Parliament Study Recommends Strict Liability Regime for High-Risk AI Systems
On July 24, 2025, the European Parliament (EP) published a study entitled Artificial Intelligence and Civil Liability – A European Perspective. The study considers some of the EU’s existing and proposed liability frameworks, notably the revised Product Liability Directive (PLDr) and the AI Liability Directive (AILD), which was proposed by the European Commission only to be later withdrawn. The study concludes that neither instrument sufficiently addresses the full scope of product liability risks and defects uniquely posed by high-risk AI systems, as that concept is defined by the EU AI Act. Therefore, it calls for the creation of a dedicated strict liability framework, specifically designed to tackle the particular liability risks that these systems are said to give rise to. While it is too early to predict whether other key European stakeholders will support such a framework and bring it to fruition, this development is an important one to monitor closely for those creating or working with high-risk AI systems.
Digital Fairness Act Series — Topic 4: Digital Subscriptions
Digital contracts and subscriptions have significantly increased, with the subscription economy tripling since 2017, according to the European Commission’s Digital Fairness Act Fitness Check. However, the Fitness Check points out that the number of issues with digital subscriptions, such as difficult cancellations, automatic renewals without reminders, and unclear subscription terms, has also increased. The Commission proposes to tackle these issues in its proposed Digital Fairness Act (“DFA”), which recently entered its consultation phase (see our blog post here).
This post briefly highlights certain issues with digital subscriptions identified in the Fitness Check, outlines how these issues are currently regulated in the EU, and considers the Fitness Check’s proposals to address these issues. It is the fourth post in our series on the upcoming DFA – previous posts covered influencer marketing, AI chatbots in consumer interactions, and personalised advertising and pricing.
Italian Garante Adopts Statement on Health Data and AI
On July 30, 2025, the Italian Data Protection Authority (“Garante”) released a statement addressing the risks of using AI to interpret medical data. In this statement, the Garante recognizes the growing trend of individuals uploading medical analyses, X-rays, and other reports onto generative artificial intelligence platforms to obtain interpretations and diagnoses. It warns users of these AI services to carefully evaluate the implications of sharing health-related data with AI providers and relying on automatically generated responses.
European Parliament Committee Recommends Commission to Propose EU Directive on Algorithmic Management
On June 26, 2025, the European Parliament’s Committee on Employment and Social Affairs published a draft report (“Draft Report”) recommending that the Commission initiate the legislative process for an EU Directive on algorithmic management in the workplace. The Draft Report defines algorithmic management as the use of automated systems—including those involving artificial intelligence—to monitor, assess, or make decisions affecting workers and solo self-employed persons.
This Draft Report follows a Commission study published in March 2025 (“Commission Study”), which found that while existing EU legislation, such as the GDPR, addresses some risks to workers from algorithmic management, others remain. The Commission Study also recognizes that the AI Act does not establish specific rights for workers in the context of AI use, which is noted as a concern.
The Draft Report encloses the proposed text for a new Directive on algorithmic management in the workplace (“Proposed Directive”). The Draft Report has not yet been endorsed by the European Parliament.
European Commission Makes New Announcements on the Protection of Minors Under the Digital Services Act
On 14 July 2025, the European Commission published its final guidelines on the protection of minors under the Digital Services Act (“DSA”) (the “Guidelines”). The Guidelines are intended to provide guidance to providers of online platforms that are “accessible to minors” on meeting their obligations to “put in place appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors, on their service” (DSA, Art. 28(1)).
When is a Safety Component of Radio Equipment a High-Risk AI System Under the EU Artificial Intelligence Act?
There is an ongoing debate in Brussels about the circumstances under which AI-based safety components integrated into radio equipment are subject to the requirements for high-risk AI systems of the EU Artificial Intelligence Act 2024/1689 (the “AI Act”). The debate is particularly relevant because, if AI-based safety components are considered high-risk under the AI Act, they will be subject to a comprehensive set of regulatory requirements under the AI Act as of August 2, 2027. These requirements include risk management, data quality measures, transparency towards users, human oversight, as well as obligations relating to accuracy, robustness, and cybersecurity.
The discussion affects devices like smartphones with AI-driven emergency call features, smart home safety systems, smart home appliances and drones using AI for obstacle avoidance and emergency landing. In effect, many, if not all, of the AI-based safety components of internet-connected radio equipment could be subject to the AI Act’s requirements for high-risk AI systems.
Below we briefly outline the framework of the current debate.
European Commission publishes its plan to enable more effective law enforcement access to data
On 24 June 2025, the European Commission published its “roadmap” for ensuring lawful and effective access to data by law enforcement (“Roadmap”). The Roadmap forms a key part of the Commission’s internal security strategy, which was announced in April, and follows on from the November 2024 recommendations of the High-Level Group on Access to Data for Effective Law Enforcement.
Of most immediate relevance to electronic communications service (“ECS”) providers, the Commission intends to propose new data retention requirements, is considering changes to better enable cross-border live interception of communications, and will support the development of tools enabling law enforcement authorities (“LEAs”) to access encrypted data. We describe these proposals, and other elements of the Roadmap, in more detail below.