In the last three years, very high fines have been issued by the French data protection authority (Commission Nationale de l’Informatique et des Libertés or CNIL) to big companies for non-compliance in the area of cookies and tracking devices. Some examples are: the 35 million euros sanction imposed by the CNIL against Amazon in 2020 […]
English Posts
AI Meeting Transcripts: Efficiency Tool or Corporate Liability?
AI-powered meeting assistants have rapidly become one of the most adopted categories of workplace technology. These tools join video calls to record, transcribe, and summarize conversations, promising efficiency gains and more reliable documentation. The value proposition is clear: accurate records improve accountability, knowledge-sharing, and business continuity. But as with any technology deployed at scale, the […]
BSI White Paper on Bias in Artificial Intelligence
On July 24, 2025, the German Federal Office for Information Security (BSI), through authors Dr. Jonas Ditz und Elmar Lichtmeß, published an interesting white paper “Bias in Artifical Intelligence” (currently only available in German) that provides developers, providers, and operators of AI systems with an introduction to the issue of bias. What does the term […]
The Data Act entered into force – what you need to know
On 12 September 2025, the Data Act (Regulation (EU) 2023/2854) became applicable in the EU member states. The Data Act creates a framework for fair access to and use of data across the EU and it is aimed at giving users more control over product-generated data and foster the principles of transparency, fairness, and GDPR […]
Pseudonymised Data: Not Always Personal According to The Latest CJEU Judgement
On 4 September 2025, the Court of Justice of the European Union (CJEU) handed down its judgment in EDPS v Single Resolution Board (C-413/23 P). The ruling addresses a fundamental question in EU data protection law: when pseudonymised information qualifies as personal data, and for whom. This decision provides important clarification on the scope of […]
China‘s Latest Updates on PIPL and Clarifications on Sensitive Personal Information
Different legislative updates were recorded in China in the last couple of months. These concern several topics related to data protection and data security, such as the definition of sensitive personal information, appointment obligations and registration of a Data Protection Officer (DPO), reporting measures in case of data security incidents for financial services and the […]
The Weaponization of Data Protection
As data protection professionals, we see the value of strong individual rights under the GDPR. The right to access, rectify, and erase one’s personal data is foundational to the regulation’s spirit of informational self-determination. But there’s also a negative side to this that is becoming increasingly difficult to ignore: the weaponization of data protection rights […]
AI Literacy: What You Really Need to Know
Artificial intelligence (AI) is no longer a specialised technology reserved for a handful of tech companies. It now powers, at least tangentially, the tools, platforms, and processes of almost every business. AI’s presence in the workplace is now routine. Organisations must ensure their employees know how to use AI responsibly, both as a compliance requirement […]
Classifying ChatGPT under the AI Act: A Practical Walkthrough
This blog post explores two topics currently attracting significant attention in practice: ChatGPT and the AI Act. Using a practical example, we will show how ChatGPT can be classified under the Act. Our scenario: A company wants to provide its employees with ChatGPT and has chosen the paid ChatGPT Team licence. In this post, we […]
UK Data (Use and Access) Act 2025: Key Changes for Privacy Compliance
On 19 June 2025, the Data (Use and Access) Act 2025 (DUAA) received Royal Assent, becoming law in the UK and marking a significant development in the country’s data protection framework. The first provisions will take effect on 20 August 2025 under the Commencement No. 1 Regulations, with others phased in through mid‑2026; some changes (most […]
EU AI Act Obligations for General-Purpose AI Models Take Effect
The European Union has reached a new milestone in regulating Artificial Intelligence, one year after the EU AI Act was enacted. From 2 August 2025, provisions of the AI Act governing general-purpose AI (GPAI) models are in force. These rules apply to GPAI models, i.e. models that can be adapted for many tasks, from content […]
Belgian Companies: Are You Overlooking the Data Protection Officer Requirement?
In our previous article, we explained what Belgium’s new Private Investigations Law (WPO) means for companies and when the law applies. As we highlighted, the law’s scope extends well beyond professional detective firms. In fact, many common workplace actions now fall within the WPO. The term “private investigation activities” is defined broadly. It includes any […]
Enforcement Trends in DSR Handling: Key Lessons from Recent EU Decisions
Over recent months, data protection authorities have issued rulings that expose common failings in the handling of data subject rights requests (DSRs). While these were isolated complaints, the supervisory authorities found that the organisations involved lacked internal procedures, failed to provide legally reasoned responses, and could not demonstrate accountability when challenged. These rulings confirm that […]
Belgium’s new Private Investigations Law: what it means for employers and employee privacy
In December 2024, Belgium introduced a significant update to its legislation on private investigations: the Wet tot regeling van de private opsporing (WPO). At first glance, this might seem relevant only to private detectives, but the law’s scope is much broader. In fact, it affects how companies conduct internal investigations and manage workplace incidents. If […]
AI Regulation in the US: A Question of Federal Preemption or State Autonomy?
In the realm of data protection, the United States has long been a patchwork of sector-specific laws and state-led initiatives. Despite repeated federal attempts, the United States still lacks a comprehensive data privacy framework. To fill the void left by the inaction of the federal government, the individual states started to act. Currently, there are […]