GDPR

On December 4, 2025, the German Federal Government published its Federal Modernization Agenda, setting out a series of suggested amendments to the GDPR and the Federal Data Protection Act (Bundesdatenschutzgesetz). Among the key measures, Germany seeks to shift certain responsibilities from users to manufacturers and providers of standard IT products—following the model of the Cyber Resilience Act (CRA) and the AI Act—so that organizations can deploy standard solutions more easily and in compliance with the law.

The German Data Protection Conference (Datenschutzkonferenz, DSK)—the body of federal and state data protection authorities—has adopted a resolution strongly supporting this approach. The resolution builds on recommendations the DSK first made in its 2019 evaluation of the GDPR.Continue Reading German Government Proposes GDPR Reform to Shift Responsibility to Manufacturers

On December 16, 2025, the EU Commission unveiled its proposal for the Biotech Act.  The proposal, which is only the first part of a bigger initiative for regulating biotechnologies, focuses primarily on the health sector.  The Commission took the opportunity to broadly revise the Clinical Trial Regulation (“CTR”) – see our blog post here.  In particular, it sought to better align the CTR requirements with those of the General Data Protection Regulation (“GDPR”).  This blog post provides an overview of those revisions relating to the processing of personal data during clinical trials.Continue Reading EU Biotech Act Suggests Clarifying Data Protection Rules For Clinical Trials

On December 2, 2025, the Court of Justice of the European Union (“CJEU”) issued a decision clarifying the obligations of online marketplace operators with regard to content posted on their platform, where such content includes personal data.  This blogpost provides an overview of the decision and its key takeaways.Continue Reading CJEU Clarifies Responsibilities Of Online Marketplace Operators

On 19 November 2025, the European Commission (“Commission”) officially presented its Digital Omnibus Package (see here and here). The initiative represents a comprehensive update to the EU’s digital regulatory landscape, which the Commission frames as a competitiveness and simplification initiative aimed at reducing administrative burdens and enhancing legal certainty for businesses. Although the final text is likely to evolve during negotiations with the European Parliament and the Council of the EU (“Council”), the package, if adopted in its present form, would introduce significant changes to data protection obligations, cookie rules, cybersecurity regulations and the EU AI Act.

The Digital Omnibus Package consists of two proposed regulations: a “Digital Omnibus” that would amend, amongst other legislation, the General Data Protection Regulation (GDPR), ePrivacy Directive, NIS2 Directive and Data Act, and a “Digital Omnibus on AI” that would amend the EU AI Act. We outline below key proposals from the Digital Omnibus that have particular significance for organizations operating in the EU.

A summary of amendments affecting the Data Act and the key proposals in the Digital Omnibus on AI will be addressed in subsequent blog posts.Continue Reading European Commission Proposes Revisions to GDPR and Other Digital Rules Under Digital Omnibus Package

Over the past few months, there have been several notable developments in the cross-border data frameworks of the U.S., EU, UK, Brazil, and several Asia Pacific (“APAC”) countries. These developments reflect evolving regulatory approaches to international data flows, trade agreements, and national security priorities—each with certain nuances and particularities that multinational companies need to understand and be prepared to navigate. 

This blog post provides a brief summary of these developments and key takeaways for companies transferring personal data to or from these jurisdictions. Continue Reading Roundup of Cross-Border Data Transfer Developments

On September 4, 2025, the Court of Justice of the EU (“Court”) handed down its judgment in case EDPS v SRB C-413/23 P, setting aside the General Court of the European Union’s (“General Court”) judgment of April 26, 2023 in case SRB v EDPS T‑557/20.  In particular, the Court clarified that whether pseudonymized data can be considered as personal data depends on the specific circumstances of the case, such as whether a third party to whom data is transferred by a data controller can reasonably identify the data subject.

We provide below an overview of the Court’s key findings.Continue Reading EU Court of Justice Clarifies the Concept of Personal Data in the Context of a Transfer of Pseudonymized Data to Third Parties

This blog was prepared in collaboration with, and was originally published by, the UK BioIndustry Association, here. We are grateful to the UK BioIndustry Association for collaborating on this blog, and for the opportunity to post it here.

What are the UK’s plans to reform data protection law?

After an extended period of legislative back and forth, the Data (Use and Access) Bill has now received Royal Assent, becoming the Data (Use and Access) Act (we will therefore refer to it as the “Act” in this blog). The Act addresses various matters related to the use of data, and will to an extent distinguish the UK’s approach to data protection from that set out in the EU’s General Data Protection Regulation (“GDPR”). The European Commission will, therefore, assess whether these changes warrant stripping the UK of its adequacy status for data transfers, with a decision due by 27 December 2025. While the Commission is unlikely to withdraw its finding of adequacy, it is possible that a challenge to this finding could be brought before the Court of Justice of the EU, which could reach a different conclusion.

In summary, the Act is not a complete overhaul of data protection law in the UK; instead, it is more a package of targeted amendments. Of the changes most relevant to biotechs, the most significant is the more permissive regime for the use of personal data for scientific research – although, companies must still meet a number of requirements to fall within scope. More significant changes may take place in the future, as key parts of the Act enable the UK Government to pass secondary legislation in areas that may be relevant to biotechs.Continue Reading The UK’s new Data Legislation – What does it mean for the Life Science sector?

On April 29, 2025, the Italian data protection authority (“Garante”) launched a public consultation to collect feedback from stakeholders about the so-called “Pay or Ok” model. 

“Pay or Ok” refers to the concept of making access to a website’s content or service conditional on the website visitor performing one of

Continue Reading Italian Garante Launches Public Consultation on the Implementation of “Pay or Ok” Models

On March 13, 2025, the Court of Justice of the EU (“CJEU”) ruled that the right of rectification (in Article 16 GDPR) requires a national authority to correct a person’s gender identity, where it is shown to be inaccurate (Case C‑247/23 [Deldits]).  The authority, however, may require that person to provide relevant and sufficient evidence to establish that the information concerning their gender is inaccurate, but may not go so far as to require proof of gender reassignment surgery.Continue Reading CJEU Rules on Right of Rectification of Gender Identity