European Commission

On May 13, 2025, the European Commission issued its draft Guidelines on the protection of minors online under the DSA (“the Guidelines”).  The Guidelines aim to support providers of online platforms that are “accessible to minors” with meeting their obligation to ensure “a high level of privacy, safety, and security” for minors under Article 28(1) of the Digital Services Act (“DSA”).

Below we provide an overview of the Guidelines and key takeaways.Continue Reading European Commission Publishes Draft Guidelines on the Protection of Minors under the DSA

The European Commission (“Commission”) is working on a new EU consumer protection law called the Digital Fairness Act (“DFA”) to better protect consumers in the digital space.  The DFA is expected to regulate, among other things, influencer marketing. 

With EU consumer protection watchdogs starting to bring cases against companies whose products or services are promoted by influencers (see for example here), the DFA’s provisions may apply not only to influencers, but also to companies that deploy or use influencers, to ensure that advertising practices are fair and transparent.  This blog post explores two key issues that the European Commission is expected to prioritize in its approach to influencer marketing.  It also provides a brief overview of the French legal framework in this area, which some expect to serve as a model for the EU’s forthcoming rules in this area.Continue Reading Digital Fairness Act Series – Topic 1: Influencer Marketing

On March 13, 2025, the Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, Michael McGrath, confirmed that the Commission is considering simplifying the GDPR with a view to reducing the burden on smaller businesses.  This statement aligns with the Commission’s broader goal of simplifying the EU digital framework.Continue Reading European Commission Confirms Plans to Simplify GDPR

On October 3, 2024, the European Commission published a report evaluating the effectiveness of existing EU consumer protection laws in protecting consumers in the digital space.  More specifically, the report assesses the effectiveness of the following three consumer protection laws: (i) the Unfair Commercial Practices Directive (“UCPD”); (ii) the Consumer Rights Directive (“CRD”); and (iii) the Unfair Contract Terms Directive (“UCTD”).  It also identifies and analyses the main provisions in the DSA, DMA, Data Act, and AI Act that are of particular relevance for protecting consumers in the digital environment.  The report is the result of the 2022 public consultation we mentioned in our previous blog post.Continue Reading EU Commission Publishes Report Assessing EU Consumer Laws and Paves Way for New and Stronger EU Consumer Law for the Digital Space

On September 12, 2024, the European Commission announced that it will launch a public consultation on additional standard contractual clauses for international transfers of personal data to non-EU controllers and processors that are subject to the EU GDPR extra-territorially (“Additional SCCs”), something that has been promised by the European Commission as far back as 2022.  The public consultation is planned for the last quarter of 2024.Continue Reading EU Commission Announces New SCCs for International Transfers to Non-EU Controllers and Processors Subject to the GDPR

On 12 July 2024, EU lawmakers published the EU Artificial Intelligence Act (“AI Act”), a first-of-its-kind regulation aiming to harmonise rules on AI models and systems across the EU. The AI Act prohibits certain AI practices, and sets out regulations on “high-risk” AI systems, certain AI systems that pose transparency risks, and general-purpose AI (GPAI) models.Continue Reading EU Artificial Intelligence Act Published

Last month, the European Commission published a draft Implementing Regulation (“IR”) under the EU’s revised Network and Information Systems Directive (“NIS2”). The draft IR applies to entities in the digital infrastructure sector, ICT service management and digital service providers (e.g., cloud computing providers, online marketplaces, and online social networks). It sets out further detail on (i) the specific cybersecurity risk-management measures those entities must implement; and (ii) when an incident affecting those entities is considered to be “significant”. Once finalized, it will apply from October 18, 2024.

Many companies may be taken aback by the granular nature of some of the technical measures listed and the criteria to determine if an incident is significant and reportable – especially coming so close to the October deadline for Member States to start applying their national transpositions of NIS2.

The IR is open for feedback via the Commission’s Have Your Say portal until July 25.Continue Reading NIS2: Commission Publishes Long-Awaited Draft Implementing Regulation On Technical And Methodological Requirements And Significant Incidents

On April 4, 2023, the European Commission announced that the EU and Japan had successfully completed the first periodic review of the Japan-EU mutual adequacy arrangement, adopted in 2019.  The mutual adequacy recognition – whereby Japan and the EU each have recognized the other’s data protection regime as adequate to protect personal data – complements the regions’ other bilateral partnerships, such as the EU-Japan Economic Partnership Agreement, the Strategic Partnership Agreement, and the recently launched EU-Japan Digital Partnership (see our previous blogpost here).

The review process led to the adoption of two reports by the Commission and the Personal Information Protection Commission of Japan (“PPC”), each discussing the functioning of their respective adequacy decisions.  According to the Commission’s report, the convergence between the EU and Japan’s data protection frameworks has further increased in recent years, and the mutual adequacy arrangement appears to be functioning well.  We provide below a brief overview of the Commission’s main findings.Continue Reading European Commission Announces Conclusion of First Review of Japan-EU Adequacy Arrangement

On April 18, 2023, the European Commission published its proposal for an EU Cyber Solidarity Act (“CSA”).  It aims to strengthen incident detection, situational awareness, and response capabilities, and to ensure that entities providing services critical for day-to-day life can access expert support to manage their cyber risk and respond to incidents.  Specifically, the CSA aims to promote information sharing about cyber incidents and vulnerabilities, to help improve the cyber resilience of critical entities, and to create an EU-wide resource for incident management.

The CSA adds another layer to the increasingly crowded landscape of EU cybersecurity laws.  The proposed law would interact with the revised Network and Information Security Directive (“NIS2”) and certifications issued under the Cybersecurity Act. Private companies in specific sectors will also have to consider potential overlap with the forthcoming Cyber Resilience Act and the financial services-focused Digital Operation Resilience Act.

Below, we set out three striking features of the CSA that are likely to be of particular relevance to private companies.Continue Reading Three Interesting Features of the Proposed EU Cyber Solidarity Act

On February 20, 2023, the European Commission launched an initiative to further specify procedural aspects relating to the enforcement of the GDPR (“ procedural initiative”). The aim of the procedural initiative is to clarify the administrative procedure that applies in cross-border investigations and enforcement under the GDPR. These rules are expected to clarify and complement the existing rules on cooperation and dispute resolution under GDPR Articles 60 and 65.

This procedural initiative was announced in the Commission’s work program for 2023, and the text of the proposal is not yet available. The European Commission is expecting to publish a draft regulation on procedural rules relating to the enforcement of the GDPR in Q2 2023.Continue Reading European Commission Plans to Improve Cooperation Between Supervisory Authorities in Cross-Border GDPR Cases