European Union

On February 27, 2025, the Court of Justice of the European Union (“CJEU”) issued a significant decision on the right of data subjects to request access to their personal data under Article 15 GDPR, specifically as it relates to automated decision-making and striking an appropriate balance between informing data subjects and protecting trade secrets (Case C‑203/22).Continue Reading CJEU Clarifies GDPR Rights on Automated Decision-Making and Trade Secrets

On February 6, 2025, Advocate General Spielmann released his opinion in the EDPS vs. SRB case (Case C‑413/23 P).  In this case, the European Data Protection Supervisor appealed a decision from the General Court (see our blog post here).

In essence, the case turns on the question of whether

Continue Reading CJEU Advocate General Supports Pragmatic Definition of Personal Data

On January 9, 2025, the Court of Justice of the European Union (“CJEU”) issued a decision on the GDPR’s lawfulness and data minimization principles.

The case arose after a French association (“Mousse”) complained to the French Supervisory Authority (“CNIL”) about the fact that France’s main train company SNCF requires customers to indicate their title and gender identity by ticking either “Sir” or “Madam” when purchasing a train ticket online.  Mousse considered that such a mandatory requirement could not be justified under the “contractual performance” or “legitimate interests” legal bases set out in Article 6 GDPR, and infringed the GDPR’s principles of lawfulness, data minimization and transparency. 

The CNIL dismissed the complaint, and Mousse appealed the CNIL’s decision before the French Administrative Supreme Court (“Conseil d’Etat”), which stayed the proceedings to refer some questions to the CJEU.Continue Reading CJEU Finds Customers’ Title Is Not Necessary Data For The Purchase Of A Train Ticket

On 15 January 2025, the European Commission published an action plan on the cybersecurity of hospitals and healthcare providers (the “Action Plan”). The Action Plan sets out a series of EU-level actions that are intended to better protect the healthcare sector from cyber threats. The publication of the Action Plan follows a number of high-profile incidents in recent years where healthcare providers across the European Union have been the target of cyber attacks.Continue Reading European Commission Publishes Action Plan on Cybersecurity of Hospitals and Healthcare Providers

In the final quarter of 2024, there have been significant developments in the EU cybersecurity legal landscape. Most prominently, the EU institutions adopted the Cyber Resilience Act and mid-October marked the deadline for Member States to transpose the NIS2 Directive into national law. Most Member States failed to meet the NIS2 transposition deadline, which resulted in the European Commission sending a formal notice to 23 Member States, urging them to transpose the Directive. These 23 Member States have been given two months to respond. (For more information on the Cyber Resilience Act and NIS2 Directive, see our blog posts here and here.)Continue Reading Three Recent Developments in the EU Cyber Landscape

In the past few weeks, there have been significant developments relating to the “legitimate interests” legal basis under Article 6(1)(f) of the GDPR:

  • On 4 October 2024, the Court of Justice of the EU (“CJEU”) handed down its judgment in a case relating to the Royal Dutch Lawn
Continue Reading Five key takeaways from recent EU developments on the GDPR’s “legitimate interests” legal basis

On October 3, 2024, the European Commission published a report evaluating the effectiveness of existing EU consumer protection laws in protecting consumers in the digital space.  More specifically, the report assesses the effectiveness of the following three consumer protection laws: (i) the Unfair Commercial Practices Directive (“UCPD”); (ii) the Consumer Rights Directive (“CRD”); and (iii) the Unfair Contract Terms Directive (“UCTD”).  It also identifies and analyses the main provisions in the DSA, DMA, Data Act, and AI Act that are of particular relevance for protecting consumers in the digital environment.  The report is the result of the 2022 public consultation we mentioned in our previous blog post.Continue Reading EU Commission Publishes Report Assessing EU Consumer Laws and Paves Way for New and Stronger EU Consumer Law for the Digital Space

Now that the EU Artificial Intelligence Act (“AI Act”) has entered into force, the EU institutions are turning their attention to the proposal for a directive on adapting non-contractual civil liability rules to artificial intelligence (the so-called “AI Liability Directive”).  Although the EU Parliament and the Council informally agreed on the text of the proposal in December 2023 (see our previous blog posts here and here), the text of the proposal is expected to change based on a complementary impact assessment published by the European Parliamentary Research Service on September 19.Continue Reading The EU Considers Changing the EU AI Liability Directive into a Software Liability Regulation