On May 26, 2026, the Spanish Data Protection Agency (“AEPD”) published details of its decision to fine Amadeus IT Group, S.A. (“Amadeus”), a Madrid-headquartered technology provider for the global travel and tourism industry, EUR 18 million in connection with GDPR violations involving Amadeus’s Global Distribution System (“GDS”). Amadeus voluntarily paid the fine, less a 20% reduction, on May 29, 2025, thereby terminating the proceedings without admitting liability. The fine, one of the largest the AEPD has imposed, highlights the enforcement risks associated with repurposing personal data such as passenger data without appropriate transparency or a valid legal basis under the GDPR.
Continue Reading Amadeus IT Group Receives GDPR FineGDPR
Spanish Supervisory Authority Issues Detailed Guidance on Agentic AI and GDPR Compliance
In February 2026, the Spanish data protection authority (Agencia Española de Protección de Datos, “AEPD”) published guidance on data protection issues related to the use of AI agents. The guidance follows an earlier, similar analysis by the UK Information Commissioner’s Office, which we discussed in a prior blog…
Continue Reading Spanish Supervisory Authority Issues Detailed Guidance on Agentic AI and GDPR ComplianceFrance’s Highest Administrative Court Upholds CNIL’s Standard On Anonymization
On February 13, 2026, France’s highest administrative court (“Conseil d’État”) delivered an important decision clarifying the boundary between pseudonymization and anonymization under the GDPR. The ruling confirms that data which remain re‑identifiable in practice—even with some effort—must be treated as personal data under the GDPR by service providers, unless the risk of re‑identification by such providers can genuinely be regarded as insignificant.
Continue Reading France’s Highest Administrative Court Upholds CNIL’s Standard On AnonymizationGerman Government Proposes GDPR Reform to Shift Responsibility to Manufacturers
On December 4, 2025, the German Federal Government published its Federal Modernization Agenda, setting out a series of suggested amendments to the GDPR and the Federal Data Protection Act (Bundesdatenschutzgesetz). Among the key measures, Germany seeks to shift certain responsibilities from users to manufacturers and providers of standard IT products—following the model of the Cyber Resilience Act (CRA) and the AI Act—so that organizations can deploy standard solutions more easily and in compliance with the law.
The German Data Protection Conference (Datenschutzkonferenz, DSK)—the body of federal and state data protection authorities—has adopted a resolution strongly supporting this approach. The resolution builds on recommendations the DSK first made in its 2019 evaluation of the GDPR.
Continue Reading German Government Proposes GDPR Reform to Shift Responsibility to ManufacturersFrench CNIL Imposes €1M GDPR Fine on Israeli Ad Tech Firm
On December 11, 2025, the CNIL fined an Israeli company €1 million for failing to comply with its GDPR obligations after providing personalized advertising services to an EU music-streaming platform. The service helped the platform to personalize and optimize marketing campaigns to promote its streaming services.
The CNIL held that the GDPR applied to the non-EU processor under Article 3(2), on the basis that it had monitored the behavior of EU users by creating audience segments based on demographics and listening habits, on behalf of the controller.
Continue Reading French CNIL Imposes €1M GDPR Fine on Israeli Ad Tech FirmEU Biotech Act Suggests Clarifying Data Protection Rules For Clinical Trials
On December 16, 2025, the EU Commission unveiled its proposal for the Biotech Act. The proposal, which is only the first part of a bigger initiative for regulating biotechnologies, focuses primarily on the health sector. The Commission took the opportunity to broadly revise the Clinical Trial Regulation (“CTR”) – see our blog post here. In particular, it sought to better align the CTR requirements with those of the General Data Protection Regulation (“GDPR”). This blog post provides an overview of those revisions relating to the processing of personal data during clinical trials.
Continue Reading EU Biotech Act Suggests Clarifying Data Protection Rules For Clinical TrialsEDPB to Focus on Transparency in 2026 Enforcement
On October 14, 2025, the European Data Protection Board (“EDPB”) announced that its 2026 coordinated enforcement action (“CEA”) will focus on transparency and information obligations — the rules that require organizations to clearly explain how they collect, use, and share personal data — under Articles 12-14 of the General Data Protection Regulation (“GDPR”).
Continue Reading EDPB to Focus on Transparency in 2026 EnforcementDenmark Proposes GDPR and ePrivacy Directive Revision
On July 4, 2025, a non-paper from the Danish government signaled an intention to propose a targeted revision of the GDPR and the ePrivacy Directive to reduce the compliance burden on companies and ensure their competitiveness. Denmark recently assumed the Presidency of the Council of the European Union and will be in a privileged position to shape EU policymaking for the next six months. Amending the GDPR forms part of the Danish presidency program. During this period, the European Commission is also expected to publish a fitness check on EU digital legislation, along with a digital omnibus package (see our previous blog here).
Continue Reading Denmark Proposes GDPR and ePrivacy Directive RevisionDigital Fairness Act Series — Topic 3: Personalized Advertising and Pricing
Personalized advertising and pricing are increasingly common online practices, and prompt discussions about fairness and consumer rights in the EU. This post examines how these practices are regulated under EU consumer protection law, and what we anticipate from the forthcoming Digital Fairness Act (DFA). We also consider how data protection rules—such as the GDPR—interact with consumer protection laws.
This is the third post in our series on the DFA—a draft EU law currently being prepared by the European Commission and expected to be published in mid-2026. Previous posts covered influencer marketing and AI chatbots in consumer interactions.
Continue Reading Digital Fairness Act Series — Topic 3: Personalized Advertising and PricingEuropean Commission Confirms Plans to Simplify GDPR
On March 13, 2025, the Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, Michael McGrath, confirmed that the Commission is considering simplifying the GDPR with a view to reducing the burden on smaller businesses. This statement aligns with the Commission’s broader goal of simplifying the EU digital framework.
Continue Reading European Commission Confirms Plans to Simplify GDPR