France’s data protection authority, CNIL, has released new guidance addressing the relationships between data controllers, processors, and joint processing arrangements. The documentation provides clarity on how entities can determine their respective roles when processing personal data. Joint arrangements require formal agreements detailing shared obligations including data subject requests and security management. Learn more here (in French) →
The European Data Protection Board published guidance on cross-border data transfers to foreign government authorities under GDPR Article 48. The framework establishes that foreign court decisions lack automatic recognition within European jurisdictions. Where formal agreements are absent, organizations must evaluate alternative legal grounds on an individual basis. Access it here →
The European Data Protection Board announced dual expert initiatives focusing on artificial intelligence and data protection compliance. One initiative targets legal practitioners with analysis of regulatory frameworks including GDPR and AI Act compliance. The companion initiative addresses technical specialists with guidance on secure AI development and privacy-preserving audit procedures.
Poland’s EU Council leadership proposed a regulatory harmonization initiative to address fragmentation across digital governance frameworks. The proposal targets overlapping requirements and inconsistent terminology across AI, data protection, and cybersecurity domains. Recommendations include establishing unified terminology resources and implementing consolidated reporting mechanisms. Access it here →
2) Notable Case Law
German privacy regulators issued penalties totaling €45 million against telecommunications provider Vodafone GmbH for GDPR compliance failures. The enforcement action addressed inadequate oversight of third-party partnerships and authentication security vulnerabilities. The company has implemented remedial measures including enhanced partner auditing and separation from fraudulent partners. Access the press release here →
Swedish appellate courts upheld financial penalties against streaming platform Spotify, imposing SEK 58 million (approximately €5.2 million) in fines for data subject rights violations. The ruling followed regulatory findings that the platform failed to provide adequate transparency regarding individual rights and data retention policies. The court highlighted the platform’s shortcomings in handling data subject rights and GDPR compliance. Learn more here (in Swedish) →
3) New and Upcoming Legislation
Oregon: Recent legislative developments strengthened consumer privacy protections through amendments to state privacy law. The framework restricts targeted advertising and data sales involving individuals under 16 years of age and establishes location-based privacy protections within 1,750-foot proximity zones. The legislation emphasizes enhanced safeguards for minors and location tracking. Follow the Bill here →
California: New workplace transparency requirements mandate annual reporting of employee surveillance technologies to state labor authorities. The legislation requires detailed disclosures about technology providers, capabilities, and data handling practices. Regulatory authorities must publish submitted reports within 30 days. Access the Bill here →
Nebraska: Child safety legislation established age-appropriate design requirements for major online platforms operating within the state. Services with annual revenues exceeding $25 million must implement protective mechanisms for users under 13. The framework mandates opt-out capabilities for engagement features, taking effect January 1, 2026. Follow the Bill here →
4) Strong Impact Tech
UK cybersecurity authorities published cultural guidance for organizations seeking to strengthen security behaviors across their operations. The framework emphasizes positioning security as a business enabler and promoting psychological safety for incident reporting. Implementation strategies address various organizational contexts with practical scenarios and visual assessment tools. Access it here →
British telecommunications regulator Ofcom outlined its strategic vision for artificial intelligence oversight spanning multiple sectors through 2025-26. The approach encompasses innovation support through technical sandboxes and specialized risk management across telecommunications and broadcasting. The strategy emphasizes balancing technological advancement with consumer protection. Learn more here →
Other key information from the past weeks
Texas lawmakers overwhelmingly passed the Texas Responsible Artificial Intelligence Governance Act (TRAIGA), establishing AI guardrails including discrimination prohibitions and biometric data protections starting January 1, 2026. More details →
Reddit filed lawsuit against Anthropic alleging unauthorized scraping of user-generated content to train Claude AI chatbot without proper licensing agreements. Learn more here →
AI researchers suspect Chinese company DeepSeek may have used Google’s Gemini model outputs to train its latest R1 reasoning model, highlighting ongoing concerns about unauthorized model distillation practices. Learn more →
