On 12 September 2025, the Data Act (Regulation (EU) 2023/2854) became applicable in the EU member states. The Data Act creates a framework for fair access to and use of data across the EU, and it is aimed at giving users more control over product-generated data and fostering the principles of transparency, fairness, and GDPR […]
Pseudonymised Data: Not Always Personal According to The Latest CJEU Judgement
On 4 September 2025, the Court of Justice of the European Union (CJEU) handed down its judgment in EDPS v Single Resolution Board (C-413/23 P). The ruling addresses a fundamental question in EU data protection law: when pseudonymised information qualifies as personal data, and for whom. This decision provides important clarification on the scope of […]
China’s Latest Updates on PIPL and Clarifications on Sensitive Personal Information
Several legislative updates were recorded in China over the last couple of months. These concern several topics related to data protection and data security, such as the definition of sensitive personal information, appointment obligations and registration of a Data Protection Officer (DPO), reporting measures in case of data security incidents for financial services and the […]
The Weaponization of Data Protection
As data protection professionals, we see the value of strong individual rights under the GDPR. The right to access, rectify, and erase one’s personal data is foundational to the regulation’s spirit of informational self-determination. But there’s also a negative side to this that is becoming increasingly difficult to ignore: the weaponization of data protection rights […]
AI Literacy: What You Really Need to Know
Artificial intelligence (AI) is no longer a specialised technology reserved for a handful of tech companies. It now powers, at least tangentially, the tools, platforms, and processes of almost every business. AI’s presence in the workplace is now routine. Organisations must ensure their employees know how to use AI responsibly, both as a compliance requirement […]
UK Data (Use and Access) Act 2025: Key Changes for Privacy Compliance
On 19 June 2025, the Data (Use and Access) Act 2025 (DUAA) received Royal Assent, becoming law in the UK and marking a significant development in the country’s data protection framework. The first provisions will take effect on 20 August 2025 under the Commencement No. 1 Regulations, with others phased in through mid‑2026; some changes (most […]
EU AI Act Obligations for General-Purpose AI Models Take Effect
The European Union has reached a new milestone in regulating Artificial Intelligence, one year after the EU AI Act was enacted. From 2 August 2025, provisions of the AI Act governing general-purpose AI (GPAI) models are in force. These rules apply to GPAI models, i.e. models that can be adapted for many tasks, from content […]
Belgian Companies: Are You Overlooking the Data Protection Officer Requirement?
In our previous article, we explained what Belgium’s new Private Investigations Law (WPO) means for companies and when the law applies. As we highlighted, the law’s scope extends well beyond professional detective firms. In fact, many common workplace actions now fall within the WPO. The term “private investigation activities” is defined broadly. It includes any […]
Enforcement Trends in DSR Handling: Key Lessons from Recent EU Decisions
Over recent months, data protection authorities have issued rulings that expose common failings in the handling of data subject rights requests (DSRs). While these were isolated complaints, the supervisory authorities found that the organisations involved lacked internal procedures, failed to provide legally reasoned responses, and could not demonstrate accountability when challenged. These rulings confirm that […]
Belgium’s new Private Investigations Law: what it means for employers and employee privacy
In December 2024, Belgium introduced a significant update to its legislation on private investigations: the Wet tot regeling van de private opsporing (WPO). At first glance, this might seem relevant only to private detectives, but the law’s scope is much broader. In fact, it affects how companies conduct internal investigations and manage workplace incidents. If […]
AI Regulation in the US: A Question of Federal Preemption or State Autonomy?
In the realm of data protection, the United States has long been a patchwork of sector-specific laws and state-led initiatives. Despite repeated federal attempts, the United States still lacks a comprehensive data privacy framework. To fill the void left by the inaction of the federal government, the individual states started to act. Currently, there are […]
Preventable Data Breaches: Compliance Takeaways from Recent ICO Cases
Over the past few months, the UK Information Commissioner’s Office (ICO) has issued a series of enforcement actions that underscore a recurring regulatory concern: data breaches that, in the ICO’s view, were not merely accidental but the result of organisations failing to implement even basic data protection safeguards—violations of their accountability obligations under the UK […]
TikTok receives fine of 530 million euros from Irish DPC
In September 2021 an investigation was started by the Irish Data Protection Commission (DPC), as Lead Supervisory Authority, to verify TikTok’s compliance with GDPR obligations in terms of: verification of age requirements for users under 13 or 18 years of age and lawfulness of the personal data transfers to the People’s Republic of China (China). […]
Belgian DPA Clarifies Company Liability for GDPR Breaches by Rogue Employees
Are companies always responsible if their employees cause a data breach under the General Data Protection Regulation (GDPR)? According to a recent decision by the Belgian Data Protection Authority (DPA), the answer appears to be yes, or at least in most cases. The Case: In this case, a manager at a hospital accessed an employee’s […]
ECJ Judgement on “Credit Scoring” – Scope of the Right of Access and Illegality of Section 4 (6) of the DSG under EU Law
The recent ruling of the European Court of Justice (ECJ) of 27 February 2025 (C-203/22 – Dun & Bradstreet Austria GmbH) clarifies that data subjects have a comprehensive right to information pursuant to Art. 15 para. 1 lit. h GDPR, in particular with regard to automated decision-making in connection with creditworthiness scoring procedures. In this […]