General Data Protection Regulation (GDPR)

French law requires that where hosting services providers host certain types of health data, they must first obtain certification as “hébergeurs de données de santé” (“HDS”) which translates as “health data hosting service providers”. The relevant HDS certification framework was updated in 2024. This framework notably incorporates the amendments introduced by the law of 21 May 2024 aimed at securing and regulating the digital space, as well the decree of 24 March 2026, which imposes data sovereignty-related obligations that will take effect in September 2026.

Continue Reading V2.0 Certification of French Health Data Hosting Service Providers (HDS) now Fully Effective

Can a data controller reject a data subject’s first data access request on the basis that it is “excessive”? Until recently, many organisations were cautious and adopted an agnostic view about the intentions behind first access requests. However, the EU Court of Justice (“CJEU”) has clarified in a recent decision that although excessive

In its press release relating to the Court of Justice of the European Union (CJEU) judgment of 10 February 2026 in Case C-97/23 P, the CJEU has confirmed that the action brought by an organization against a Binding Decision of the European Data Protection Board (EDPB) is admissible.

With this decision, the CJEU has clarified that organizations have a right of direct appeal against binding decisions of the EDPB on which a national authority’s decision against them is based.

Continue Reading EDPB Binding Decisions Can Be Challenged Directly by Organizations Before EU Courts

The European Data Protection Board1 (EDPB) and the European Data Protection Supervisor2 (EDPS) adopted on 10 February 2026 a joint opinion (Joint Opinion 2/20263) on the European Commission’s Digital Omnibus initiative (described by the Commission as “a set of technical amendments to a large corpus of digital legislation, selected to bring immediate relief to businesses, public administrations, and citizens alike, and to stimulate competitiveness”).

Although both bodies welcome (and largely endorse) the Commission’s proposals set out in the initiative (subject to certain caveats), the opinion expresses marked unease with the proposed approach to redefining personal data, which would be recalibrated to align with the CJEU’s most recent interpretation of the concept [Case C-413/23 (EDPS v SRB)4].

Continue Reading Towards a Contextual Concept of Personal Data Under the GDPR: the Commission Moves Forward, the EDPB and EDPS Push Back

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Balancing the Scales: How to Use “Legitimate Interest” to Process Personal Data “Fairly”

Court Ruling in China on Personal Data

On October 9, 2024, the European Data Protection Board (EDPB) unveiled its much-anticipated Guidelines on using legitimate interest (Article 6.1(f) of the GDPR) as a lawful basis for processing personal data. These guidelines set out clear criteria for data controllers, and will therefore be most welcome.

For years, legitimate interest has been among the go-to option for organizations, with the idea that it offers more flexibility (as long as you comply with the inherent requirements of its use). High-profile cases, like the Court of Justice of the European Union’s (CJEU) decision in Royal Dutch Tennis Association (KNLTB), acknowledged that commercial interests may qualify as legitimate, but also crystalized the tension on its uses from supervisory authorities and privacy advocates.

Continue Reading Balancing the Scales: How to Use “Legitimate Interest” to Process Personal Data “Fairly”

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Biden Budget Proposal Advances AI Priorities | Privacy World

US Regulators Lift the Curtain on Data Practices With Assessment, Reporting

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

In Narrow Vote California Moves Next Generation Privacy Regs Forward | Privacy World

EDPB Versus Ireland? Does the Opinion on

On February 13, 2024, the European Data Protection Board (EDPB) released its opinion on the notion of the main establishment of a controller in the EU under article 4(16)(a) GDPR and the criteria for the application of the “one-stop shop” mechanism, in particular, regarding the notion of a controller’s “place of central administration” (PoCA) in

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Connecticut Attorney General Report: CTDPA Enforcement Insights & Takeaways | Privacy World

California Attorney General Announces Industry Investigative Sweep into