GDPR

On February 13, 2026, France’s highest administrative court (“Conseil d’État”) delivered an important decision clarifying the boundary between pseudonymization and anonymization under the GDPR. The ruling confirms that data which remain re‑identifiable in practice—even with some effort—must be treated as personal data under the GDPR by service providers, unless the risk of re‑identification by such providers can genuinely be regarded as insignificant.Continue Reading France’s Highest Administrative Court Upholds CNIL’s Standard On Anonymization

On February 19, 2026, the UK Court of Appeal handed down its decision in DSG Retail Limited v The Information Commissioner [2026] EWCA Civ 140. The Court ruled that a controller’s data security duty applies to all personal data for which it acts as controller – irrespective of whether the information would constitute personal data in the hands of a third party (in this case, an attacker). Note that the case is concerned with events before the GDPR came into force, so the legal context is provided by UK Data Protection Act 1998 (“DPA 1998”), although the Court did take into account more recent jurisprudence, including CJEU case law.

The case adds useful colour to ongoing debates surrounding the definition of “personal data.” The Court of Appeal confirmed that a controller’s duty to implement appropriate measures to protect personal data applies to data that is “personal” from the perspective of the controller —even if a third-party attacker could not identify individuals from the exfiltrated dataset. This dovetails with the SRB v EDPS’s clarification that whether data is “personal” can depend on the context, while a controller’s obligations (such as transparency) must be assessed from the controller’s perspective at the relevant time (which, for the transparency principle, is at the time of collection of the data). (For more information on SRB v EDPS, see our prior post here.)Continue Reading UK Court of Appeal Rules on the Concept of Personal Data in the Context of Data Security

On February 18, 2026, the European Data Protection Board (“EDPB”) published its Report on Stakeholder Event on Anonymisation and Pseudonymisation of 12 December 2025 (the Report). The Report summarises feedback from a remote stakeholder event convened to inform the EDPB’s ongoing work on Guidelines 01/2025 on Pseudonymisation (version for public consultation available here) and forthcoming guidance on anonymisation. The event gathered input from 115 participants spanning industry, NGOs, academia, law firms, and public sector bodies.

The objective of the Report is to capture stakeholder insights on how the General Data Protection Regulation (“GDPR”) applies to anonymisation and pseudonymisation, particularly following the Court of Justice of the European Union’s (“CJEU”) judgment in EDPS v SRB (C‑413/23 P). (See our previous blog post here.)Continue Reading EDPB Publishes Report on Stakeholder Event on Anonymisation and Pseudonymisation

On 15 January 2026, the Belgian High Court delivered a judgment in proceedings initiated by the Belgian Supervisory Authority, in which it challenged the scope of judicial review exercised by the Market Court over its enforcement decisions. The authority was unsuccessful on both grounds of appeal.Continue Reading Belgian High Court Confirms Full Judicial Review of Supervisory Authority Decisions

On December 4, 2025, the German Federal Government published its Federal Modernization Agenda, setting out a series of suggested amendments to the GDPR and the Federal Data Protection Act (Bundesdatenschutzgesetz). Among the key measures, Germany seeks to shift certain responsibilities from users to manufacturers and providers of standard IT products—following the model of the Cyber Resilience Act (CRA) and the AI Act—so that organizations can deploy standard solutions more easily and in compliance with the law.

The German Data Protection Conference (Datenschutzkonferenz, DSK)—the body of federal and state data protection authorities—has adopted a resolution strongly supporting this approach. The resolution builds on recommendations the DSK first made in its 2019 evaluation of the GDPR.Continue Reading German Government Proposes GDPR Reform to Shift Responsibility to Manufacturers

On December 16, 2025, the EU Commission unveiled its proposal for the Biotech Act.  The proposal, which is only the first part of a bigger initiative for regulating biotechnologies, focuses primarily on the health sector.  The Commission took the opportunity to broadly revise the Clinical Trial Regulation (“CTR”) – see our blog post here.  In particular, it sought to better align the CTR requirements with those of the General Data Protection Regulation (“GDPR”).  This blog post provides an overview of those revisions relating to the processing of personal data during clinical trials.Continue Reading EU Biotech Act Suggests Clarifying Data Protection Rules For Clinical Trials

On December 2, 2025, the Court of Justice of the European Union (“CJEU”) issued a decision clarifying the obligations of online marketplace operators with regard to content posted on their platform, where such content includes personal data.  This blogpost provides an overview of the decision and its key takeaways.Continue Reading CJEU Clarifies Responsibilities Of Online Marketplace Operators

On 19 November 2025, the European Commission (“Commission”) officially presented its Digital Omnibus Package (see here and here). The initiative represents a comprehensive update to the EU’s digital regulatory landscape, which the Commission frames as a competitiveness and simplification initiative aimed at reducing administrative burdens and enhancing legal certainty for businesses. Although the final text is likely to evolve during negotiations with the European Parliament and the Council of the EU (“Council”), the package, if adopted in its present form, would introduce significant changes to data protection obligations, cookie rules, cybersecurity regulations and the EU AI Act.

The Digital Omnibus Package consists of two proposed regulations: a “Digital Omnibus” that would amend, amongst other legislation, the General Data Protection Regulation (GDPR), ePrivacy Directive, NIS2 Directive and Data Act, and a “Digital Omnibus on AI” that would amend the EU AI Act. We outline below key proposals from the Digital Omnibus that have particular significance for organizations operating in the EU.

A summary of amendments affecting the Data Act and the key proposals in the Digital Omnibus on AI will be addressed in subsequent blog posts.Continue Reading European Commission Proposes Revisions to GDPR and Other Digital Rules Under Digital Omnibus Package

Over the past few months, there have been several notable developments in the cross-border data frameworks of the U.S., EU, UK, Brazil, and several Asia Pacific (“APAC”) countries. These developments reflect evolving regulatory approaches to international data flows, trade agreements, and national security priorities—each with certain nuances and particularities that multinational companies need to understand and be prepared to navigate. 

This blog post provides a brief summary of these developments and key takeaways for companies transferring personal data to or from these jurisdictions. Continue Reading Roundup of Cross-Border Data Transfer Developments

On September 4, 2025, the Court of Justice of the EU (“Court”) handed down its judgment in case EDPS v SRB C-413/23 P, setting aside the General Court of the European Union’s (“General Court”) judgment of April 26, 2023 in case SRB v EDPS T‑557/20.  In particular, the Court clarified that whether pseudonymized data can be considered as personal data depends on the specific circumstances of the case, such as whether a third party to whom data is transferred by a data controller can reasonably identify the data subject.

We provide below an overview of the Court’s key findings.Continue Reading EU Court of Justice Clarifies the Concept of Personal Data in the Context of a Transfer of Pseudonymized Data to Third Parties