On October 14, 2025, the European Data Protection Board (“EDPB”) announced that its 2026 coordinated enforcement action (“CEA”) will focus on transparency and information obligations — the rules that require organizations to clearly explain how they collect, use, and share personal data — under Articles 12-14 of the General Data Protection Regulation (“GDPR”).Continue Reading EDPB to Focus on Transparency in 2026 Enforcement
EU Law and Regulatory
New German Guidelines on GDPR Requirements for International Transfers of Health Data in Medical Research
On September 17, 2025, the German Supervisory Authorities (Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder, DSK) published new guidelines and recommendations addressing the complex requirements for transferring personal data, particularly health data (including health data contained in biomaterials), to countries outside of the European Economic Area for scientific research purposes under the GDPR. These guidelines may be of particular relevance for pharmaceutical, medical device, and other life sciences companies that conduct clinical research.Continue Reading New German Guidelines on GDPR Requirements for International Transfers of Health Data in Medical Research
Italy Adopts Artificial Intelligence Law
By Dan Cooper & Laura Somaini on
On September 23, 2025, the Italian law on artificial intelligence (hereinafter, “Italian AI Law”) was signed into law, after receiving final approval by the Italian Senate on September 17, 2025.
The law consists of varied provisions, including general principles and targeted sectoral rules in certain areas not covered by the EU AI Act. The Italian AI Law will enter into force on October 10, 2025.
We provide below an overview of key aspects of the final text of the Italian AI Law. For full detail, please see our previous blogpost here.Continue Reading Italy Adopts Artificial Intelligence Law
Reimposition of UN-Mandated Sanctions Against Iran and Additional EU and UK Sanctions
On 29 September 2025, United Nations (“UN”) nuclear-related sanctions against Iran, which were suspended in 2015, were reimposed following action at the UN Security Council by France, Germany, and the United Kingdom. In parallel, the European Union (“EU”) and United Kingdom (“UK”) also reintroduced autonomous sanctions measures against Iran that…
Continue Reading Reimposition of UN-Mandated Sanctions Against Iran and Additional EU and UK SanctionsGermany enacts Standard Contractual Clauses for pharmaceutical clinical trial agreements – Changes for medical device studies also on the horizon
Germany has taken another step to improve the conditions for pharmaceutical research & development in Germany. Now, the Federal Government has adopted the “Standard Contractual Clauses” for pharmaceutical clinical trial agreements. In this blog, we discuss what the new standard clauses cover and how they will affect clinical trials in Germany.Continue Reading Germany enacts Standard Contractual Clauses for pharmaceutical clinical trial agreements – Changes for medical device studies also on the horizon
Commission Collects Feedback to Simplify Rules on Data, Cybersecurity and Artificial Intelligence in Upcoming Digital Omnibus
On September 16, 2025, the European Commission launched a call for evidence to collect feedback and best practices on simplifying several key areas of the EU digital rulebook, ahead of its planned Digital Omnibus package. This initiative targets legislation related to data, cybersecurity, and artificial intelligence, aiming to reduce administrative burdens and compliance costs for businesses while preserving high standards of fairness, security, and privacy online.Continue Reading Commission Collects Feedback to Simplify Rules on Data, Cybersecurity and Artificial Intelligence in Upcoming Digital Omnibus
European Commission and Brazil Advance Towards Mutual Adequacy Decision
Posted in EU Law and Regulatory
On September 5, 2025, the European Commission announced the launch of the process to adopt an adequacy decision with Brazil under the General Data Protection Regulation (GDPR), determining that Brazil ensures an adequate level of personal data protection comparable to that in the EU. Once adopted, the decision would permit personal data to flow freely between Brazil and the EU without the need for additional safeguards, covering flows from businesses, public authorities, and research projects.
The Brazilian federal government, through the National Data Protection Authority (ANPD), announced that it is simultaneously progressing on adopting an equivalent adequacy decision to facilitate the uninterrupted flow of data from Brazil to the EU. The parallel initiatives highlight a mutual commitment to aligning privacy and data protection standards across the Atlantic, and take place in a context of closer bilateral relations and increased U.S. scrutiny of Brazilian and European digital policies.Continue Reading European Commission and Brazil Advance Towards Mutual Adequacy Decision
European Commission adopts technical standards for the decentralized communication system to be used under the forthcoming e-evidence Regulation
By Paul Maynard on
The EU e-evidence Regulation and Directive, which establish a regime for law enforcement authorities (“LEAs”) in one Member State to issue legally-binding demands for data from certain types of providers established in other Member States, will come into effect on 18 August 2026 (our post on the specific requirements of the Regulation and Directive is available here). On 28 July 2025, the European Commission adopted an Implementing Regulation (“IR”) setting out the technical specifications for the decentralized communications system that LEAs and covered service providers must use when, among other things, issuing and responding to European Production Orders (“EPOs”) and European Preservation Orders (“EPrOs”) under the e-evidence Regulation.Continue Reading European Commission adopts technical standards for the decentralized communication system to be used under the forthcoming e-evidence Regulation
EU Court of Justice Clarifies the Concept of Personal Data in the Context of a Transfer of Pseudonymized Data to Third Parties
By Dan Cooper, Kristof Van Quathem & Laura Somaini on
Posted in Data Protection, EU Law and Regulatory
On September 4, 2025, the Court of Justice of the EU (“Court”) handed down its judgment in case EDPS v SRB C-413/23 P, setting aside the General Court of the European Union’s (“General Court”) judgment of April 26, 2023 in case SRB v EDPS T‑557/20. In particular, the Court clarified that whether pseudonymized data can be considered as personal data depends on the specific circumstances of the case, such as whether a third party to whom data is transferred by a data controller can reasonably identify the data subject.
We provide below an overview of the Court’s key findings.Continue Reading EU Court of Justice Clarifies the Concept of Personal Data in the Context of a Transfer of Pseudonymized Data to Third Parties
The European Commission adopts the Clean Industrial Deal State Aid Framework
By Carole Maczkovics & Alessandro Cogoni on
On June 25, 2025, the European Commission adopted the Clean Industrial Deal State Aid Framework (CISAF) to promote the EU’s goals for decarbonization and competitiveness. CISAF makes permanent the relaxed State aid compatibility rules adopted under the Temporary Crisis and Transition Framework (TCTF). It will be in effect from June 25, 2025 until December 31, 2030.Continue Reading The European Commission adopts the Clean Industrial Deal State Aid Framework