Measures included in the digital package aim to cut red tape through “digital by default” services and applying the “once-only” principle, which will mandate public sector bodies across the EU to reuse citizen and business data instead of requiring it to be provided separately to different agencies.
On 16 September 2025, the European Commission (EC) launched
The EU AI Act is entering into force in stages. While most of its provisions will not apply until August 2026, key requirements for general-purpose AI (GPAI) models took effect much earlier, starting on August 2, 2025.
In anticipation of this earlier milestone, the Code of Practice for General-Purpose AI Models was published on the EU commission’s website on July 10, 2025. It is a voluntary tool, prepared by independent experts in a multi-stakeholder process involving nearly 1000 participants, (general-purpose AI model providers, downstream providers, industry organizations, civil society, rightsholders and other entities, as well as academia and independent experts). The Code represents an initial effort to translate the AI Act’s GPAI-specific obligations into practical measures.
It focuses on three central areas (Transparency, Copyright, and Safety and Security) and offers a framework that developers of GPAI models may rely on to demonstrate responsible practices in line with the EU’s evolving regulatory approach.Continue Reading The EU’s Voluntary GPAI Code: Reflecting on Strategic Choices in an Evolving Regulatory Context
On 21 May 2025, the European Commission published a proposal for a new regulation aimed at simplifying several EU legal instruments, including targeted amendments to the General Data Protection Regulation (GDPR). The announced objective is to ease compliance obligations for small and medium-sized enterprises (SMEs) and extend certain regulatory benefits to small mid-cap companies (SMCs) (a category of businesses that often face comparable regulatory burdens to large corporations but lack equivalent resources). In the field of data protection, the proposal focuses on revising the obligation to maintain records of processing activities under Article 30 GDPR. It suggests raising the employee threshold for this obligation and clarifying that record-keeping would only be required when processing is likely to pose a high risk to individuals’ rights and freedoms.Continue Reading GDPR Relief for SMEs? EDPB and EDPS Weigh in on the EU’s Simplification Plans
The European Commission published its long-awaited Guidelines on Prohibited AI Practices (CGPAIP) on February 4, 2025, two days after the AI Act’s articles on prohibited practices became applicable.
The good news is that in clarifying these prohibited practices (and those excluded from its material scope), the CGPAIP also addresses other more general aspects of the AI Act, which comes to provide much-needed legal certainty to all authorities, providers and deployers of AI systems/models in navigating the regulation.Continue Reading The European Commission’s Guidance on Prohibited AI Practices: Unraveling the AI Act
In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.Continue Reading Privacy World Week in Review
Shortly after the publication of the Artificial Intelligence (AI) Act, the EU Commission published the AI Pact’s draft commitments with a view of anticipating compliance with high-risk requirements for AI developers and deployers.
Publication and timeline for the AI Act
The EU AI Act was published in the Official Journal of the European Union on July 12, 2024, as “Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonized rules on artificial intelligence.” We have presented the main provisions and purposes of the AI Act in our publication here.
The EU AI Act will enter into force across all 27 EU Member States on August 1, 2024, but has variable transition periods depending on the relevant parts of the AI Acts; starting with February 2, 2025, at which point, prohibited AI practices must be withdrawn from the market, and with the enforcement of the majority of its provisions commencing on August 2, 2026.
The call for participation on the AI Pact by the EU commission
In this context, the EU Commission issued a press release on July 22, 2024, promoting the “AI Pact”, seeking the industry’s voluntary commitment to anticipate the AI Act and to start implementing its requirements ahead of the legal deadline. The press release can be found here.
The AI Pact was first launched in November 2023, obtaining responses from over 550 organizations of various sizes, sectors, and countries.
The AI Office has since initiated the development of the AI Pact, which is structured around two pillars:Continue Reading The EU Commission’s Draft AI Pact anticipating compliance with newly published AI Act
When expanding/ directing operations into Europe, foreign organizations often have questions about how to deal with the EU’s ever-expanding regulatory framework. From a data protection perspective, it is often assumed that B2B operations do not trigger the extraterritorial applicability of EU data protection laws (mainly, Regulation (EU) 2016/679 or GDPR) and that it is sufficient to enter into data processing agreements with European data controllers. But is it really that simple?
Some context…
As raised above, one of the most salient elements of the GDPR is that it applies not only to processing operations carried out by controllers and processors established in the European Union, but also to certain processing operations carried out by controllers and processors established outside the Union. This is the case of the processing related to the active offering of goods or services to data subjects in the Union and the monitoring of their behavior, as far as it takes place within the Union (Article 3.2 of the GDPR).Continue Reading A data processing agreement is not always enough.
Op-ed on what we know of the EDPB opinion on Pay or OK
April 17, 2024, 5:15 p.m. (Brussels)
Today, the EDPB plenary had a moment. It discussed an opinion on the Pay or OK models for social media. It was not its role, but it was likely trapped to do, as Art. 64(2) GDPR didn’t consider that national data protection authorities would sometimes use tactics similar to privacy activists to weaponize fundamental rights in a fight that has very little to do with privacy at its core. The discussion is much more about the Internet we want (or not).
“In most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to processing of personal data for behavioral advertising purposes and paying a fee” says the opinion (according to the leak from POLITICO).Continue Reading When the EDPB is Weaponized, It Is Our Privacy That Is at Risk
1. Introduction
The Framework Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law has been concluded by the Council of Europe (CoE) Committee on Artificial Intelligence on March 24, 2024, finally landing a decisive blow with a provisional agreement on the text of a treaty on artificial intelligence and human rights (Treaty).
This Treaty is the first of its kind and aims to establish basic rules to govern AI that safeguard human rights, democratic values and the rule of law among nations. As a CoE treaty, it is open for ratification by countries worldwide. It is worth noting that in this epic battlefield, apart from the CoE members in one corner of the global arena, on the opposite corner, representing various nations like the US, the UK, Canada and Japan, we have the observers, eyeing the proceedings, ready to pounce with their influence. Although lacking voting rights, their mere presence sends shockwaves through the negotiating ring, influencing the very essence of the Treaty.Continue Reading Heavyweight Fight, Did the US or EU KO the AI Treaty?
In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.