We’ve compiled the latest in Data Protection and Privacy news for your convenience below.
1) Newly Published Documentation
πͺπΊ European Union β EDPB Adopts Common Data Breach Notification Template
The EDPB published a draft common template for GDPR breach notifications and opened a public consultation until 5 August 2026. The initiative aims to harmonize breach reporting across EU supervisory authorities and simplify compliance for organizations handling incidents across multiple jurisdictions.
π«π· France β CNIL Publishes Updated Electronic Marketing Guidance
France’s CNIL released updated guidance on commercial emails, SMS campaigns, unsubscribe requirements, and consent rules. The guidance clarifies when prior consent is required and when organizations may rely on soft opt-in exemptions.
πͺπΊ European Union β Commission Proposes Cloud and AI Development Act
The European Commission published its proposal for the Cloud and AI Development Act (CADA), introducing a four-tier sovereignty framework for cloud services used by public authorities. The proposal could significantly affect cloud procurement, hosting decisions, and vendor due diligence across Europe.
2) Notable Case Law
π³π± Netherlands β Dutch AP Fines Yango Over Data Transfers to Russia
The Dutch Data Protection Authority fined Yango operator MLU B.V. β¬100 million for unlawfully transferring EU users’ personal data to Russia. The authority found that contractual safeguards did not adequately mitigate access risks from Russian authorities in its decision.
πͺπΊ European Union β CJEU Tightens Rules on Retaining HR Investigation Records
The CJEU ruled that employers may not indefinitely retain disciplinary investigation records where no wrongdoing was established. The decision reinforces GDPR storage limitation requirements and strengthens employees’ ability to request deletion of outdated records.
π°π· South Korea β South Korea Issues Record Fine Against Coupang
South Korea’s Personal Information Protection Commission imposed a record $409 million fine on e-commerce giant Coupang following a breach affecting more than 33 million customers. The authority cited failures in access controls, authentication management, and breach notification procedures according to a Reuters report.
3) New and Upcoming Legislation
πͺπΊ European Union β AI Omnibus Confirms New High-Risk AI Deadlines
The European Parliament approved the AI Omnibus package, confirming that standalone high-risk AI systems will face compliance obligations from December 2027, while embedded AI systems will follow in August 2028. The measure also introduces a new ban on AI-generated non-consensual intimate content.
π¬π§ United Kingdom β UK Complaints Process Requirement Takes Effect on 19 June
UK organizations must have a formal internal data protection complaints process in place by 19 June 2026 under the Data (Use and Access) Act 2025. Individuals will be required to raise complaints directly with organizations before escalating them to the ICO. Read the ICO guidance.
4) Strong Impact Tech
πͺπΊ European Union β EU Orders Meta to Restore WhatsApp Access for Rival AI Chatbots
The European Commission issued interim antitrust measures requiring Meta to restore WhatsApp Business API access for competing AI assistants, including OpenAI and Anthropic. The decision highlights growing regulatory scrutiny of AI platform gatekeeping, according to a BBC report.
π Global β Anthropic Suspends New AI Models Following Export Controls
Anthropic suspended access to its newly launched Fable 5 and Mythos 5 models after a U.S. export control directive restricted access by foreign nationals. The company said it is working with authorities to restore availability, according to a Reuters report.
Other key information from the past weeks
πΈπ¬ Singapore β Singapore Consults on Personal Data Rules for Generative AI
Singapore’s PDPC launched a public consultation on draft guidance covering the use of personal data in generative AI systems. The proposal suggests organizations may need AI-specific notices rather than relying solely on general privacy notices.
πͺπΊ π§π· EUβBrazil β EU and Brazil Expand Cooperation on Protecting Minors Online
As part of the EUβBrazil Digital Partnership, the European Commission and Brazil’s ANPD signed a cooperation arrangement focused on protecting minors online. The initiative signals growing international coordination around children’s privacy and online safety. Read the announcement.
π Enjoyed this issue? Share it on LinkedIn and subscribe for weekly updates
Latest issues
About us
Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.