The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have published their Joint Opinion (the Joint Opinion) on the European Commission’s Digital Omnibus Proposal (the Proposal). Following our earlier analysis (Part 1) of the Proposal itself, this article examines how key elements of the reform are viewed by these supervisory bodies. […]
Internationaler Datenschutz
Internationaler_Datenschutz
Reading Between the Lines of the Italian DPA’s 2026 Inspection Plan
With its Resolution of 30 December 2025, the Italian Data Protection Authority (Garante per la protezione dei dati personali) published its inspection plan for the period January to July 2026. The plan sets out the Authority’s inspection focus for the first semester of the year and provides for at least 40 targeted inspections across the […]
EuGH-Urteil zu Datenschutzhinweisen bei Bodycams
Mit dem Urteil vom 18.12.2025 (C-422/24) hat der Europäische Gerichtshof (EuGH) eine Entscheidung zu Datenschutzhinweisen bei einer am Körper getragenen Kamera (Bodycam) getroffen. Dabei musste der EuGH im Rahmen eines Vorabentscheidungsersuchens gemäß Art. 267 des Vertrags über die Arbeitsweise der Europäischen Union (AEUV) die Frage beantworten, ob Art. 13 oder Art. 14 DSGVO anwendbar ist, […]
U.S. Data Privacy Developments in 2025 – A Year in Review
Every year at this time I sit down to write a blog article, tying the experiences that I have during the holiday season into the world of data privacy. This year I have struggled to come up with a topic that really spoke to me. But, as I sat down to write my family’s annual […]
China’s 2025 Personal Information Protection Campaign – App Enforcement Takeaways
As 2025 comes to a close, China’s personal information protection enforcement continues to demonstrate sustained intensity and increasing sophistication. Regulatory activity over the past year confirms that personal data protection compliance has become a long-term supervisory priority, characterized by frequent enforcement actions, expanding coverage, and closer scrutiny of actual implementation. In March 2025, the Cyberspace […]
Beyond the Theory: CNIL Sanctions Under the Light of the Digital Omnibus
As the French data protection authority (Commission nationale de l’informatique et des libertés, CNIL) recently imposed two high-amount sanctions, we take this opportunity to try and make a practical application of some rules from the recently published draft of the Digital Omnibus. What Happened? In the span of a week, the CNIL imposed major sanctions […]
EU Data Act: Practical Guidance from the Dutch AP’s Newsletter
The Data Act entered into force on 12 September 2025, and in the Netherlands its national Implementation Act (Dataverordening, Dv) followed on 21 November 2025. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) published a newsletter this week explaining what the Data Act means in practice, particularly for organisations that work with data from connected […]
China’s Revised Cybersecurity Law: Key Changes and Compliance Implications
On 28 October 2025, the Standing Committee of the 14th National People’s Congress adopted the Decision on amending the Cybersecurity Law of People’s Republic of China. The revised Cybersecurity Law (the “Revised Law”) will take effect on 1 January 2026. This is the first substantial update to the Cybersecurity Law (“Original Law”) since its promulgation […]
India’s New Data Protection Framework: What Businesses Need to Know
India has entered a new phase in its privacy journey with the Digital Personal Data Protection Act (DPDPA), 2023 and its recently notified Rules. Together, they establish a comprehensive regulatory system governing digital personal data and operationalize the fundamental right to privacy enshrined in the Constitution of India. The government has chosen a staggered rollout […]
The Italian Data Protection Authority Orders an Immediate Stop to Deepfake App Clothoff
The Italian Data Protection Authority (Garante) has taken urgent action against Clothoff, an AI-powered app capable of generating hyper-realistic “deep nude” images based on pictures of real people. On 3 October the regulator has issued an immediate order blocking the app – developed by a company based in the British Virgin Islands – from processing […]
Whose Consent Is It Anyway? The Promise Behind India’s Consent Manager
This article is part of a series examining the features of India’s Digital Personal Data Protection Act, 2023 that are unique to, or diverge from, the GDPR. India’s Digital Personal Data Protection Act, 2023 (DPDPA) represents a new phase in the country’s data protection landscape. While inspired by global frameworks such as the GDPR, it […]
CNIL Fines Samaritaine €100,000 for Hidden Cameras: A Legal Analysis
On 18 September 2025, the French Data Protection Authority (CNIL) issued Deliberation SAN-2025-008, imposing a €100,000 fine on Samaritaine SAS for clandestinely installing surveillance cameras in employee areas. In August 2023, in response to a rise in stockroom thefts, the company installed five hidden cameras disguised as smoke detectors. The devices also recorded audio. Within […]
Automated Credit Scoring Under Scrutiny in Europe
The CJEU’s SCHUFA judgement (C-634/21) in 2023 clarified that producing and transmitting a credit score can itself amount to an automated decision under Article 22 GDPR where the score is determinative for contract outcomes. This ruling has now translated into concrete enforcement. In 2025, both the Austrian and Hamburg DPAs issued decisions that apply these […]
Datenschutzkonferenz veröffentlicht Anwendungshinweise zu Datenübermittlungen für medizinische Forschung in Drittländer
Die internationale Zusammenarbeit in der medizinischen Forschung gewinnt zunehmend an Bedeutung, bringt jedoch besondere datenschutzrechtliche Herausforderungen mit sich und stellt Forschende sowie Forschungseinrichtungen auf die Probe. Sobald dabei personenbezogene Daten verarbeitet oder übermittelt werden, müssen die datenschutzrechtlichen Anforderungen beachtet werden. Besonders bei Datenübermittlungen in sogenannte Drittländer ist sicherzustellen, dass das in der EU gewährte Datenschutzniveau […]
Understanding the ICO’s Encryption Guidance under UK GDPR
The United Kingdom’s Information Commissioner’s Office (ICO) has released detailed guidance on the use of encryption under the UK GDPR. This guidance is a part of the ICO’s wider information-security programme and is designed to help organisations use encryption effectively to safeguard personal information. This article outlines the key points of the ICO’s guidance on […]