EU

EDPB Binding Decisions Can Be Challenged Directly by Organizations Before EU Courts

By Stéphanie Faber, David Naylor, Robert Lister & Georgie Hayes on March 13, 2026

Posted in Appeals, Court of Justice of the EU (CJEU), Data Privacy, EU, European Data Protection Board, General Data Protection Regulation (GDPR), Litigation

In its press release relating to the Court of Justice of the European Union (CJEU) judgment of 10 February 2026 in Case C-97/23 P, the CJEU has confirmed that the action brought by an organization against a Binding Decision of the European Data Protection Board (EDPB) is admissible.

With this decision, the CJEU has clarified that organizations have a right of direct appeal against binding decisions of the EDPB on which a national authority’s decision against them is based.

Rewriting EU Telecom Rules: Inside the New Digital Networks Act

By Francesco Liberatore on January 29, 2026

Posted in EU Commission, Technology, Telecommunications

The European Commission has unveiled its long‑awaited proposal for the EU Digital Networks Act (DNA), a sweeping regulation poised to reshape Europe’s telecoms and digital infrastructure landscape for decades to come. From accelerating the fiber transition to introducing an EU‑wide satellite authorization regime and simplifying market access through a single passport, the proposal signals a…

India Issues 2025 AI Governance Guidelines: How It Compares to Other Global AI Acts

By Bindu Janardhanan, Scott Warren & Tanvi Mehta Krensel on December 22, 2025

Posted in Artificial Intelligence, Asia, EU, India, US

In 2025, India’s approach on AI has shifted significantly from, “Will AI change the way business is done?” to “What is the best way to adopt it to enable business expansion?” Guided by the principles of People, Planet, and Progress, “Safe and trusted AI for all” has become the motto governing India’s approach to AI. The evolving digital infrastructure, specific sector-driven regulation, techno-legal philosophy, strength of the powerful Global South, and a strong inclusion narrative are cornerstones to India’s AI journey.

Cooperation, Commitments and the Digital Services Act: A Tale of Two Platforms

By Bartolomé Martín, Annette Demmel & Alan Friel on December 11, 2025

Posted in Digital Services Act, EU, EU Commission

The Digital Services Act (DSA) has now moved from abstract framework to concrete enforcement. Two recent cases involving very large online platforms show how the same law, applied to similar types of conduct, can produce dramatically different outcomes. The difference lies less in the substance of the infringements and more in how each platform chose to respond once the EU Commission intervened.

EU Data Act in Full Effect

By Francesco Liberatore, Gorka Navea & Bartolomé Martín on December 10, 2025

Posted in Data Privacy, EU

The EU Data Act, which entered into full effect on 12 September 2025, is one of the cornerstones of the EU’s digital strategy, yet it places considerable compliance challenges for companies falling within its scope. Francesco Liberatore, Gorka Navea and Bartolomé Martín provide an overview of the act, its key practical compliance challenges and…

EU Seeks Feedback on Proposed Digital Package To Simplify and Modernise Regulations

By Stéphanie Faber, David Naylor & Simon Sepesi on September 19, 2025

Posted in Artificial Intelligence, EU

Measures included in the digital package aim to cut red tape through “digital by default” services and applying the “once-only” principle, which will mandate public sector bodies across the EU to reuse citizen and business data instead of requiring it to be provided separately to different agencies.

On 16 September 2025, the European Commission (EC) launched a call for evidence to collect research and information on best practices for its upcoming digital package. This is a new round of feedback and follows earlier consultations on data regulation, cybersecurity rules, and the implementation of the Artificial Intelligence Act (AI Act).

The EU’s Voluntary GPAI Code: Reflecting on Strategic Choices in an Evolving Regulatory Context

By Bartolomé Martín & Stéphanie Faber on August 5, 2025

Posted in Artificial Intelligence, Artificial Intelligence Act (AI Act), EU, European Commission (EC)

The EU AI Act is entering into force in stages. While most of its provisions will not apply until August 2026, key requirements for general-purpose AI (GPAI) models took effect much earlier, starting on August 2, 2025.

In anticipation of this earlier milestone, the Code of Practice for General-Purpose AI Models was published on the EU commission’s website on July 10, 2025. It is a voluntary tool, prepared by independent experts in a multi-stakeholder process involving nearly 1000 participants, (general-purpose AI model providers, downstream providers, industry organizations, civil society, rightsholders and other entities, as well as academia and independent experts). The Code represents an initial effort to translate the AI Act’s GPAI-specific obligations into practical measures.

It focuses on three central areas (Transparency, Copyright, and Safety and Security) and offers a framework that developers of GPAI models may rely on to demonstrate responsible practices in line with the EU’s evolving regulatory approach.

GDPR Relief for SMEs? EDPB and EDPS Weigh in on the EU’s Simplification Plans

By Bartolomé Martín & Stéphanie Faber on July 23, 2025

Posted in Compliance, Data Privacy, EU

On 21 May 2025, the European Commission published a proposal for a new regulation aimed at simplifying several EU legal instruments, including targeted amendments to the General Data Protection Regulation (GDPR). The announced objective is to ease compliance obligations for small and medium-sized enterprises (SMEs) and extend certain regulatory benefits to small mid-cap companies (SMCs) (a category of businesses that often face comparable regulatory burdens to large corporations but lack equivalent resources). In the field of data protection, the proposal focuses on revising the obligation to maintain records of processing activities under Article 30 GDPR. It suggests raising the employee threshold for this obligation and clarifying that record-keeping would only be required when processing is likely to pose a high risk to individuals’ rights and freedoms.

The European Commission’s Guidance on Prohibited AI Practices: Unraveling the AI Act

By Bartolomé Martín on May 7, 2025

Posted in Artificial Intelligence, Artificial Intelligence Act (AI Act), Compliance, EU, European Commission (EC), European Data Protection Board, GDPR

The European Commission published its long-awaited Guidelines on Prohibited AI Practices (CGPAIP) on February 4, 2025, two days after the AI Act’s articles on prohibited practices became applicable.

The good news is that in clarifying these prohibited practices (and those excluded from its material scope), the CGPAIP also addresses other more general aspects of the AI Act, which comes to provide much-needed legal certainty to all authorities, providers and deployers of AI systems/models in navigating the regulation.

Privacy World Week in Review

By Kristin Bryan on August 12, 2024

Posted in "ANPD" Autoridade Nacional de Proteção de Dados (Brazilian Data Protection Agency), "LGPD" Lei Geral de Proteção de Dados Pessoais (Brazilian General Data Protection Law), Artificial Intelligence, Artificial Intelligence Act (AIA), Asia Pacific, Association of Southeast Asian Nations (ASEAN), Biometric Information Privacy Act (BIPA), Brazil, Compliance, DPO, EU, European Commission (EC), France, French National Commission on Informatics and Liberty (CNIL), Personal Data Protection Act (PDPA), US

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Privacy World

EU