On September 17, 2025, the German Supervisory Authorities (Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder, DSK) published new guidelines and recommendations addressing the complex requirements for transferring personal data, particularly health data (including health data contained in biomaterials), to countries outside of the European Economic Area for scientific research purposes under the GDPR. These guidelines may be of particular relevance for pharmaceutical, medical device, and other life sciences companies that conduct clinical research.Continue Reading New German Guidelines on GDPR Requirements for International Transfers of Health Data in Medical Research
Commission Collects Feedback to Simplify Rules on Data, Cybersecurity and Artificial Intelligence in Upcoming Digital Omnibus
On September 16, 2025, the European Commission launched a call for evidence to collect feedback and best practices on simplifying several key areas of the EU digital rulebook, ahead of its planned Digital Omnibus package. This initiative targets legislation related to data, cybersecurity, and artificial intelligence, aiming to reduce administrative burdens and compliance costs for businesses while preserving high standards of fairness, security, and privacy online.Continue Reading Commission Collects Feedback to Simplify Rules on Data, Cybersecurity and Artificial Intelligence in Upcoming Digital Omnibus
EU Court of Justice Clarifies the Concept of Personal Data in the Context of a Transfer of Pseudonymized Data to Third Parties
On September 4, 2025, the Court of Justice of the EU (“Court”) handed down its judgment in case EDPS v SRB C-413/23 P, setting aside the General Court of the European Union’s (“General Court”) judgment of April 26, 2023 in case SRB v EDPS T‑557/20. In particular, the Court clarified that whether pseudonymized data can be considered as personal data depends on the specific circumstances of the case, such as whether a third party to whom data is transferred by a data controller can reasonably identify the data subject.
We provide below an overview of the Court’s key findings.Continue Reading EU Court of Justice Clarifies the Concept of Personal Data in the Context of a Transfer of Pseudonymized Data to Third Parties
Italian Garante Adopts Statement on Health Data and AI
On July 30, 2025, the Italian Data Protection Authority (“Garante”) released a statement addressing the risks of using AI to interpret medical data. In this statement, the Garante recognizes the growing trend of individuals uploading medical analyses, X-rays, and other reports onto generative artificial intelligence platforms to obtain interpretations and diagnoses. It warns users of these AI services to carefully evaluate the implications of sharing health-related data with AI providers and relying on automatically generated responses.Continue Reading Italian Garante Adopts Statement on Health Data and AI
Adequacy Decision for the European Patent Organisation
On 15 July 2025, the European Commission adopted an adequacy decision for the European Patent Organisation (EPO). This marks the first time such a decision has been granted to an international organisation. From now on, personal data can be transferred from the EU to the EPO based on this decision, without the need for additional safeguards such as Standard Contractual Clauses (SCCs).Continue Reading Adequacy Decision for the European Patent Organisation
Help Shape the New EU Consumer Protection Law: Join the Public Consultation on the Digital Fairness Act
On July 17, 2025, the European Commission launched a “call for evidence” and public consultation on the Digital Fairness Act (“DFA”), an anticipated new consumer protection law. The Commission seeks feedback on existing EU consumer protection laws and on proposals for how the DFA could address the following two problems with the existing laws, as identified through a “Fitness Check” of EU consumer law published in October 2024:
- Lack of digital fairness for consumers. This particularly affects vulnerable groups such as minors, offering them suboptimal choices that can lead to financial harm, loss of time, negative health impacts, and indirect effects like environmental costs.
- Unclear rules for businesses and market fragmentation. This results in increased business costs, hampers cross-border trade, leads to missed opportunities, and causes unfair competition, particularly from non-EU traders.
The Commission has also emphasized its objective to enhance the EU’s competitiveness, aiming for simplification of consumer protection rules and the removal of barriers within the EU Market. This includes efforts to achieve greater legal certainty regarding unfair commercial practices. The goal is to address enforcement deficiencies, regulatory gaps, and market fragmentation, as some Member States have regulated or are considering new regulation in these areas.Continue Reading Help Shape the New EU Consumer Protection Law: Join the Public Consultation on the Digital Fairness Act
Denmark Proposes GDPR and ePrivacy Directive Revision
On July 4, 2025, a non-paper from the Danish government signaled an intention to propose a targeted revision of the GDPR and the ePrivacy Directive to reduce the compliance burden on companies and ensure their competitiveness. Denmark recently assumed the Presidency of the Council of the European Union and will be in a privileged position to shape EU policymaking for the next six months. Amending the GDPR forms part of the Danish presidency program. During this period, the European Commission is also expected to publish a fitness check on EU digital legislation, along with a digital omnibus package (see our previous blog here).Continue Reading Denmark Proposes GDPR and ePrivacy Directive Revision
Overview of Key CJEU Rulings on EU Consumer Protection Law of June 2025
n June 2025, the Court of Justice of the European Union (CJEU) delivered important rulings clarifying the application of the EU Unfair Contract Terms Directive (UCTD), which protects consumers from unfair standard contract terms that have not been individually negotiated. The UCTD ensures such terms are transparent, clear, and balanced; unfair terms are not binding on consumers and may expose businesses to enforcement actions.
This blog post highlights four significant cases decided in June 2025. These cases involve preliminary references from national courts to the CJEU to clarify whether national laws are aligned with EU law.Continue Reading Overview of Key CJEU Rulings on EU Consumer Protection Law of June 2025
Council and Parliament Agree on Key Reforms to the EU ADR Framework
On June 26, 2025, the Council and the European Parliament reached a provisional agreement on modernizing the EU’s framework for alternative dispute resolution (ADR) in consumer matters.
The current ADR framework—established in Directive 2013/11/EU (ADR Directive)—has not been amended since its adoption in 2013. As noted in our previous blog, the European Commission recognized the need to modernize the system and, on October 17, 2023, proposed a legislative package to (i) amend the ADR Directive, and (ii) repeal the Online Dispute Resolution (ODR) Regulation, which created the European Online Dispute Resolution (ODR) Platform, on the basis that this platform was infrequently used. The ODR repeal regulation was formally adopted on November 19, 2024 and the ODR Platform will be discontinued on July 20, 2025. Since then, the focus has shifted to finalizing a reformed ADR framework.Continue Reading Council and Parliament Agree on Key Reforms to the EU ADR Framework
CNIL Publishes Recommendations on Legitimate Interest as a Legal Basis for AI Training
On June 19, 2025, the French Data Protection Authority (“CNIL”) published two recommendations for AI developers. The first recommendation covers reliance on the GDPR’s legitimate interest legal basis for developing an AI model. It provides examples of legitimate interests that can justify the use of personal data for AI development.
Continue Reading CNIL Publishes Recommendations on Legitimate Interest as a Legal Basis for AI Training