On June 12, 2026, the European Commission (“Commission”) launched its public consultation on guidelines (“Guidelines”) that will significantly shape the implementation of the EU’s Corporate Sustainability Due Diligence Directive (“CSDDD;” more details about the CSDDD available here). The consultation, presented in the form of a detailed questionnaire, is open

Continue Reading European Commission Seeks Public Input on CSDDD Guidelines: What to Watch

On May 26, 2026, the Spanish Data Protection Agency (“AEPD”) published details of its decision to fine Amadeus IT Group, S.A. (“Amadeus”), a Madrid-headquartered technology provider for the global travel and tourism industry, EUR 18 million in connection with GDPR violations involving Amadeus’s Global Distribution System (“GDS”). Amadeus voluntarily paid the fine, less a 20% reduction, on May 29, 2025, thereby terminating the proceedings without admitting liability. The fine, one of the largest the AEPD has imposed, highlights the enforcement risks associated with repurposing personal data such as passenger data without appropriate transparency or a valid legal basis under the GDPR.

Continue Reading Amadeus IT Group Receives GDPR Fine

The UK Government today announced that it intends to ban social media platforms from offering services to children under 16, alongside wider restrictions on certain online functionalities that the Government has identified as harmful to children.

The announcement follows the conclusion of the Department for Science, Innovation and Technology’s (“DSIT”) consultation, “Growing up in the online world,” which received more than 116,000 responses (we originally wrote about that consultation here). The Government intends to bring the first regulations to Parliament before the end of the year using powers created by the Children’s Wellbeing and Schools Act 2026 (“CWSA”), with protections expected to come into force in Spring 2027. Today’s announcement is the latest in a series of significant developments reshaping the UK’s online safety framework. We summarize some of these latest developments below.

Continue Reading Online Safety in the UK: Social Media Ban for Under 16s and Other Recent Developments

A federal court recently addressed whether plaintiffs alleging misleading commercial email practices in violation of Washington’s Commercial Electronic Mail Act (“CEMA”) have Article III standing to pursue claims. The ruling suggests that alleged violations of CEMA, standing alone, could constitute a concrete injury for Article III standing, where the asserted harm aligns with the statute’s purpose.

Continue Reading Washington Anti-Spam Law Decision Addresses Article III Standing in CEMA Cases

On 3 June 2026, the European Commission (“Commission“) published its proposal for a Regulation establishing a framework of measures for strengthening Europe’s cloud and AI ecosystem—the Cloud and AI Development Act (“CADA Proposal“). The CADA Proposal sits at the heart of the Commission’s broader Tech Sovereignty Package (which we describe at a high level here), and aims to address what the Commission perceives as two critical vulnerabilities in the EU’s digital landscape: a structural deficit in data centre capacity and a dependence on a limited number of non-EU cloud computing service providers.

Continue Reading The EU Cloud and AI Development Act in Depth

On 20 May 2026, Brazil adopted Presidential Decree No. 12,976, establishing a comprehensive framework to address violence against women online. Adopted alongside a parallel decree (No. 12,975) reforming intermediary liability, it reflects a more assertive approach to regulating online harms, including those driven or amplified by AI. Together, these measures will require companies to reassess internal processes to ensure rapid content removal and more proactive monitoring, including for AI‑enabled services.

Continue Reading Brazil Steps Up Regulation of Violence Against Women in the Digital Environment

On 30 April 2026, the Court of Justice of the EU (the “Court”) delivered its judgment in Case C‑133/24 CD Tondela and Others (“Tondela”). The case arose from a preliminary ruling request submitted by a Portuguese court concerning a no-poach agreement entered into by Portuguese professional football clubs during the COVID-19 pandemic.

This is the first opportunity for the Court to examine a no-poach agreement in the sports industry in depth, and it comes at a time when labour-market restrictions feature high on EU competition authorities’ enforcement agenda (please see here for our coverage of key developments in this area). The judgment integrates the growing body of sports judgments, after Superleague, Royal Antwerp, ISU and FIFA, testing how EU competition law should factor in the specific features of sport.

The Court’s position is primarily driven by its assessment of the agreement’s context. The Court, in line with the Opinion of Advocate General (“AG”) Emiliou, confirms that no-poach agreements may amount to serious violations of Article 101 TFEU – that is, restrictions “by object”. But it recognises that the sports industry exhibits specificities that, in certain circumstances, such as the COVID-19 pandemic here, may place no-poach agreements outside the scope of Article 101 TFEU altogether, or at least require a detailed analysis of their effects.

Continue Reading Tondela (Case C‑133/24): No-Poach Agreements in Sport: Context Always Matters

On June 4, 2026, the Equal Employment Opportunity Commission (“EEOC”) approved its National Enforcement Plan (“NEP”) for FY2025 – FY2029, rescinding and replacing the agency’s FY2024 – FY2028 Strategic Enforcement Plan (“SEP”) before that plan’s scheduled endpoint. The NEP identifies and focuses the agency’s attention and resources on specific substantive categories of enforcement priorities including (1) “remedying DEI-related race and sex discrimination”; (2) “protecting American workers from anti-American national origin discrimination”; (3) “defending women’s rights to single-sex spaces at work and workers’ rights to express the binary nature of sex”; and (4) “protecting workers’ religious liberty rights to receive religious accommodations and be free from religious discrimination, harassment, and related retaliation,” among others.

Continue Reading EEOC’s New National Enforcement Plan Signals Shift Toward Intentional Discrimination and DEI Enforcement

On 19 May 2026, the European Commission published its long-awaited draft, non-binding guidelines on the classification of high-risk AI systems (“HRAIs”) under the EU AI Act (the “Guidelines”). Across three documents—covering general principles, high-risk classification in the context of regulated products (Annex I), and high-risk use cases (Annex III)—the Commission sets out its approach to one of the AI Act’s central questions: when does an AI system fall within the high-risk regime (and, just as importantly, when does it not)?

Continue Reading EU AI Act Update: The European Commission Publishes Draft Guidelines on HRAIs

On May 29, 2026, the Governor of Louisiana signed into law SB 386, the Louisiana Data Privacy Act (“LDPA”). Louisiana joins Alabama and Oklahoma as the third state to enact a comprehensive privacy law this year. The law will take effect on January 1, 2027.

Continue Reading Louisiana Enacts Comprehensive Privacy Law