While the case is likely to be mentioned in upcoming non-material damages claims, its unique circumstances mean defence arguments remain robust.
By Tim Wybitul, Isabelle Brams, Timo Hager, and Thies Schmitte
On 1 October 2025, the General Court of the European Union (GCEU) held the EU liable for non‑material damage caused by the unlawful processing of personal data by an EU body. In OC v. Commission (T ‑384/20 RENV),1 which concerned a press release by the
The CJEU rules that personal data can be pseudonymous in the hands of one party and anonymous in the hands of another.
By Myria Saarinen, Tim Wybitul, Wolf-Tassilo Böhm, Isabelle Brams, Gail Crawford, Fiona M. Maclean, Danielle van der Merwe, and Amy Smyth
The Court of Justice of the European Union (CJEU) has delivered its judgment in case C-413/23 EDPS v. SRB, addressing questions on the scope of personal data regulated by
EU General Court confirms United States ensured an adequate level of protection for EU personal data transfers to the US.
By Ian Felstead, Tim Wybitul, Wolf-Tassilo Böhm, Hayley M. Pizzey, Isabelle Brams, and Clarence Cheong
On 3 September 2025, the EU General Court delivered its judgment in Case T-553/23, Latombe v. Commission. The court dismissed Latombe’s action for annulment of the EU-US Data Privacy Framework (DPF) and upheld the European Commission’s Adequacy Decision (Adequacy
Proposals grant controllers increased flexibility for automated decision-making, provided suitable safeguards are implemented.
By Fiona Maclean, Gail Crawford, Amy Smyth, and Lorenzo Meusburger
On 23 October 2024, the UK government introduced the Data (Use and Access) Bill (the Bill) to Parliament, marking a significant step in the evolution of the country’s data protection landscape. It follows previous reform attempts that lapsed after the July 2024 government change. The proposed legislation aims to reform various aspects of UK data protection law while also addressing broader initiatives related to data access and digital identity. Among its many provisions (138 Clauses, 16 Schedules and 251 pages to be precise), the Bill outlines notable changes in the realm of automated decision-making.
Organisations should expect increased scrutiny and enforcement activity around the role of data protection officers in the coming year.
By Gail E. Crawford, Fiona M. Maclean, Ben Leigh, and Amy Smyth
The European Data Protection Board (EDPB) has announced that its coordinated enforcement action for 2023 will focus on the designation and position of data protection officers (DPOs). Each year, the EDPB’s Coordinated Enforcement Framework (CEF) designates a topic EU data protection authorities (DPAs) should focus on. Although participation for any given year is voluntary, the EDPB has stated that this CEF will involve 26 DPAs across the European Economic Area, including the European Data Protection Supervisor.
By Gail Crawford and Calum Docherty
On October 3, 2017, the Irish High Court announced that it will make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling on the validity of the Standard Contractual Clauses, which allow companies in the European Economic Area (EEA) to transfer personal data outside of the EEA. In doing so, the Irish High Court acknowledged that, “there are well founded grounds for believing that the [Standard Contractual Clauses] are invalid,” but clarified that this was a question of EU law for the CJEU to decide.
What happened in the case?
Maximillian Schrems (an Austrian privacy campaigner who, in 2015, led a case that struck down the EU-US Privacy Shield’s forerunner, Safe Harbor) has a Facebook account. Schrems complained to the Irish Data Protection Commissioner (DPC) that Facebook Ireland Limited (Facebook Ireland) transferred his data to its US-parent, Facebook Inc. (Facebook US) for further processing.
In order to transfer personal data to a third country outside of the EEA, that third country (in this case, the US) should offer guarantees ensuring an adequate level of protection for personal data essentially equivalent to the level of protection ensured within the EEA. The European Commission (EC) has not considered the US to provide this adequate level of protection for personal data, so companies that wish to transfer data must rely on other data transfer mechanisms, including the Standard Contractual Clauses.
By Gail Crawford and Ksenia Koroleva
The Federal Law No. 87-FZ of May 1, 2017, on Amendments to the Federal Law on Information, Information Technologies, and Information Protection (the Law) came into force on July 1, 2017. The Law introduces the definition of an audiovisual service owner and regulates their activities, including imposing ownership restrictions.
The Notion of Audiovisual Service Owners
According to the Law, an audiovisual service owner is an owner of a website, a page of a website, an information system, and/or software (an Audiovisual Service):
The following are not regarded an Audiovisual Service:
By Gail Crawford, Ulrich Wuermeling, Calum Docherty
The General Data Protection Regulation (GDPR or Regulation) will become applicable in one year, as of May 25, 2018. A lot has happened since we set out the key provisions of the Regulation last year. As companies implement compliance programmes in efforts to protect data subjects and avoid hefty enforcement penalties, each EU Member State government has to pass implementation laws. Furthermore, regulators are slowly providing guidance on how to apply and interpret the GDPR.
What is happening in the EU Member States?
The GDPR was drafted to “harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States” (Recital 3). Yet the GDPR itself provides a lot of leeway for Member States in its implementation, including room for derogations from at least 50 articles. This “margin of manoeuvre” (Recital 10) creates a degree of uncertainty for data controllers and data processors, and there are some areas where companies (especially those processing sensitive personal data, where Member States have the most flexibility) will need to wait and respond to what Member State governments are proposing.
Well ahead of the implementation deadline for the European General Data Protection Regulation (GDPR), the German Parliament (Bundestag) passed a new Federal Data Protection Act (Bundesdatenschutzgesetz) on April 27, 2017. The Federal Council (Bundesrat) could confirm the Act before the summer, but may require further amendments. If the Parliament and the Council fail to agree, the legislative process will have to start from the beginning after the German elections in September.
The new Act retains the old title of the Bundesdatenschutzgesetz, but the content has changed completely. The GDPR is directly applicable and, therefore, the Act only complements the GDPR or regulates areas outside the scope of it. Most of the 85 Articles of the new Act deal with the public sector and the implementation of the Law Enforcement Directive. However, it also includes some provisions for the private sector based on opening clauses that either allow or require national implementation. The main German modifications for the private sector are the following:
On January 10, 2017, the European Commission proposed a new ePrivacy Regulation (Proposal). Compared to the internal draft that was leaked in December, the official Proposal has been substantially modified. However, the general approach taken by the European Commission has not changed. The Proposal includes provisions with a broad scope of application covering over-the-top (OTT) services as well as communication between devices and all data stored on a device.
In the internal draft, the European Commission suggested