On December 2, 2025, the Court of Justice of the European Union (“CJEU”) issued a decision clarifying the obligations of online marketplace operators with regard to content posted on their platform, where such content includes personal data. This blogpost provides an overview of the decision and its key takeaways.
Continue Reading CJEU Clarifies Responsibilities Of Online Marketplace OperatorsGDPR
European Commission Proposes Revisions to GDPR and Other Digital Rules Under Digital Omnibus Package
On 19 November 2025, the European Commission (“Commission”) officially presented its Digital Omnibus Package (see here and here). The initiative represents a comprehensive update to the EU’s digital regulatory landscape, which the Commission frames as a competitiveness and simplification initiative aimed at reducing administrative burdens and enhancing legal certainty for businesses. Although the final text is likely to evolve during negotiations with the European Parliament and the Council of the EU (“Council”), the package, if adopted in its present form, would introduce significant changes to data protection obligations, cookie rules, cybersecurity regulations and the EU AI Act.
The Digital Omnibus Package consists of two proposed regulations: a “Digital Omnibus” that would amend, amongst other legislation, the General Data Protection Regulation (GDPR), ePrivacy Directive, NIS2 Directive and Data Act, and a “Digital Omnibus on AI” that would amend the EU AI Act. We outline below key proposals from the Digital Omnibus that have particular significance for organizations operating in the EU.
A summary of amendments affecting the Data Act and the key proposals in the Digital Omnibus on AI will be addressed in subsequent blog posts.
Continue Reading European Commission Proposes Revisions to GDPR and Other Digital Rules Under Digital Omnibus PackageRoundup of Cross-Border Data Transfer Developments
Over the past few months, there have been several notable developments in the cross-border data frameworks of the U.S., EU, UK, Brazil, and several Asia Pacific (“APAC”) countries. These developments reflect evolving regulatory approaches to international data flows, trade agreements, and national security priorities—each with certain nuances and particularities that multinational companies need to understand and be prepared to navigate.
This blog post provides a brief summary of these developments and key takeaways for companies transferring personal data to or from these jurisdictions.
Continue Reading Roundup of Cross-Border Data Transfer DevelopmentsEU Court of Justice Clarifies the Concept of Personal Data in the Context of a Transfer of Pseudonymized Data to Third Parties
By Dan Cooper, Kristof Van Quathem & Laura Somaini on
Posted in EU Data Protection, GDPR
On September 4, 2025, the Court of Justice of the EU (“Court”) handed down its judgment in case EDPS v SRB C-413/23 P, setting aside the General Court of the European Union’s (“General Court”) judgment of April 26, 2023 in case SRB v EDPS T‑557/20. In particular, the Court clarified that whether pseudonymized data can be considered as personal data depends on the specific circumstances of the case, such as whether a third party to whom data is transferred by a data controller can reasonably identify the data subject.
We provide below an overview of the Court’s key findings.
Continue Reading EU Court of Justice Clarifies the Concept of Personal Data in the Context of a Transfer of Pseudonymized Data to Third PartiesThe UK’s new Data Legislation – What does it mean for the Life Science sector?
By Fredericka Argent, Paul Maynard & Tomos Griffiths on
This blog was prepared in collaboration with, and was originally published by, the UK BioIndustry Association, here. We are grateful to the UK BioIndustry Association for collaborating on this blog, and for the opportunity to post it here.
What are the UK’s plans to reform data protection law?
After an extended period of legislative back and forth, the Data (Use and Access) Bill has now received Royal Assent, becoming the Data (Use and Access) Act (we will therefore refer to it as the “Act” in this blog). The Act addresses various matters related to the use of data, and will to an extent distinguish the UK’s approach to data protection from that set out in the EU’s General Data Protection Regulation (“GDPR”). The European Commission will, therefore, assess whether these changes warrant stripping the UK of its adequacy status for data transfers, with a decision due by 27 December 2025. While the Commission is unlikely to withdraw its finding of adequacy, it is possible that a challenge to this finding could be brought before the Court of Justice of the EU, which could reach a different conclusion.
In summary, the Act is not a complete overhaul of data protection law in the UK; instead, it is more a package of targeted amendments. Of the changes most relevant to biotechs, the most significant is the more permissive regime for the use of personal data for scientific research – although, companies must still meet a number of requirements to fall within scope. More significant changes may take place in the future, as key parts of the Act enable the UK Government to pass secondary legislation in areas that may be relevant to biotechs.
Continue Reading The UK’s new Data Legislation – What does it mean for the Life Science sector?Italian Garante Launches Public Consultation on the Implementation of “Pay or Ok” Models
By Kristof Van Quathem & Laura Somaini on
On April 29, 2025, the Italian data protection authority (“Garante”) launched a public consultation to collect feedback from stakeholders about the so-called “Pay or Ok” model.
“Pay or Ok” refers to the concept of making access to a website’s content or service conditional on the website visitor performing one of…
Continue Reading Italian Garante Launches Public Consultation on the Implementation of “Pay or Ok” ModelsGerman SA Checks Whether Online Retailers Allow Consumers to Make Purchases Without Creating an Account
Posted in European Union, GDPR
In January 2025, the German Supervisory Authority of Hamburg (“HSA”) examined the practices of online retailers based in Hamburg as to whether they allowed consumers to make purchases without creating a user account. This was mentioned in a press release issued by the HSA regarding a ruling by the Hamburg Higher Regional Court confirming a HSA’s decision that online retailers may, in certain circumstances, require consumers to create a user account. This, in turn, follows the guidance published by the German supervisory authorities (“German SAs”) in 2022 (in German), which stated that online retailers generally may not require consumers to create a user account in order to make a purchase.
Continue Reading German SA Checks Whether Online Retailers Allow Consumers to Make Purchases Without Creating an AccountCJEU Rules on Right of Rectification of Gender Identity
Posted in GDPR Rights
On March 13, 2025, the Court of Justice of the EU (“CJEU”) ruled that the right of rectification (in Article 16 GDPR) requires a national authority to correct a person’s gender identity, where it is shown to be inaccurate (Case C‑247/23 [Deldits]). The authority, however, may require that person to provide relevant and sufficient evidence to establish that the information concerning their gender is inaccurate, but may not go so far as to require proof of gender reassignment surgery.
Continue Reading CJEU Rules on Right of Rectification of Gender IdentityWatchdog to Investigate Mobile Payment Provider Over Its Use of Purchase History for Targeted Advertising
On March 18, 2025, the Norwegian Consumer Council asked the Norwegian Supervisory Authority to investigate a payment app provider for using consumers’ purchase history for targeted advertising.
Continue Reading Watchdog to Investigate Mobile Payment Provider Over Its Use of Purchase History for Targeted AdvertisingBelgian High Court Decides on Abuse of Law in relation to the GDPR Right to File a Complaint
By Kristof Van Quathem on
Posted in European Union, GDPR
On January 10, 2025, the Belgian High Court (Hof van Cassatie) upheld the decision of the Market Court in a case that pitched the GDPR right to file a complaint against the general legal principle in Belgian law that prohibits the abuse of law.
Continue Reading Belgian High Court Decides on Abuse of Law in relation to the GDPR Right to File a Complaint