GDPR

In February 2026, the Spanish data protection authority (Agencia Española de Protección de Datos, “AEPD”) published guidance on data protection issues related to the use of AI agents. The guidance follows an earlier, similar analysis by the UK Information Commissioner’s Office, which we discussed in a prior blog

Continue Reading Spanish Supervisory Authority Issues Detailed Guidance on Agentic AI and GDPR Compliance

On February 13, 2026, France’s highest administrative court (“Conseil d’État”) delivered an important decision clarifying the boundary between pseudonymization and anonymization under the GDPR. The ruling confirms that data which remain re‑identifiable in practice—even with some effort—must be treated as personal data under the GDPR by service providers, unless the risk of re‑identification by such providers can genuinely be regarded as insignificant.

Continue Reading France’s Highest Administrative Court Upholds CNIL’s Standard On Anonymization

On December 4, 2025, the German Federal Government published its Federal Modernization Agenda, setting out a series of suggested amendments to the GDPR and the Federal Data Protection Act (Bundesdatenschutzgesetz). Among the key measures, Germany seeks to shift certain responsibilities from users to manufacturers and providers of standard IT products—following the model of the Cyber Resilience Act (CRA) and the AI Act—so that organizations can deploy standard solutions more easily and in compliance with the law.

The German Data Protection Conference (Datenschutzkonferenz, DSK)—the body of federal and state data protection authorities—has adopted a resolution strongly supporting this approach. The resolution builds on recommendations the DSK first made in its 2019 evaluation of the GDPR.

Continue Reading German Government Proposes GDPR Reform to Shift Responsibility to Manufacturers

On December 11, 2025, the CNIL fined an Israeli company €1 million for failing to comply with its GDPR obligations after providing personalized advertising services to an EU music-streaming platform. The service helped the platform to personalize and optimize marketing campaigns to promote its streaming services.

The CNIL held that the GDPR applied to the non-EU processor under Article 3(2), on the basis that it had monitored the behavior of EU users by creating audience segments based on demographics and listening habits, on behalf of the controller.

Continue Reading French CNIL Imposes €1M GDPR Fine on Israeli Ad Tech Firm

On December 16, 2025, the EU Commission unveiled its proposal for the Biotech Act.  The proposal, which is only the first part of a bigger initiative for regulating biotechnologies, focuses primarily on the health sector.  The Commission took the opportunity to broadly revise the Clinical Trial Regulation (“CTR”) – see our blog post here.  In particular, it sought to better align the CTR requirements with those of the General Data Protection Regulation (“GDPR”).  This blog post provides an overview of those revisions relating to the processing of personal data during clinical trials.

Continue Reading EU Biotech Act Suggests Clarifying Data Protection Rules For Clinical Trials

On October 14, 2025, the European Data Protection Board (“EDPB”) announced that its 2026 coordinated enforcement action (“CEA”) will focus on transparency and information obligations — the rules that require organizations to clearly explain how they collect, use, and share personal data — under Articles 12-14 of the General Data Protection Regulation (“GDPR”).

Continue Reading EDPB to Focus on Transparency in 2026 Enforcement

On July 4, 2025, a non-paper from the Danish government signaled an intention to propose a targeted revision of the GDPR and the ePrivacy Directive to reduce the compliance burden on companies and ensure their competitiveness.  Denmark recently assumed the Presidency of the Council of the European Union and will be in a privileged position to shape EU policymaking for the next six months.  Amending the GDPR forms part of the Danish presidency program.  During this period, the European Commission is also expected to publish a fitness check on EU digital legislation, along with a digital omnibus package (see our previous blog here).

Continue Reading Denmark Proposes GDPR and ePrivacy Directive Revision

Personalized advertising and pricing are increasingly common online practices, and prompt discussions about fairness and consumer rights in the EU.  This post examines how these practices are regulated under EU consumer protection law, and what we anticipate from the forthcoming Digital Fairness Act (DFA).  We also consider how data protection rules—such as the GDPR—interact with consumer protection laws.

This is the third post in our series on the DFA—a draft EU law currently being prepared by the European Commission and expected to be published in mid-2026.  Previous posts covered influencer marketing and AI chatbots in consumer interactions.

Continue Reading Digital Fairness Act Series — Topic 3: Personalized Advertising and Pricing

On March 13, 2025, the Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, Michael McGrath, confirmed that the Commission is considering simplifying the GDPR with a view to reducing the burden on smaller businesses.  This statement aligns with the Commission’s broader goal of simplifying the EU digital framework.

Continue Reading European Commission Confirms Plans to Simplify GDPR

On September 12, 2024, the European Commission announced that it will launch a public consultation on additional standard contractual clauses for international transfers of personal data to non-EU controllers and processors that are subject to the EU GDPR extra-territorially (“Additional SCCs”), something that has been promised by the European Commission as far back as 2022.  The public consultation is planned for the last quarter of 2024.

Continue Reading EU Commission Announces New SCCs for International Transfers to Non-EU Controllers and Processors Subject to the GDPR