Category Archives: General Data Protection Regulation (GDPR)

Reset or rollback: Unpacking the EU’s Digital Omnibus Package

by Gareth Kristensen, Prudence Buckland, Jan-Frederik Keustermans, and Hakki Can Yildiz

Left to right: Gareth Kristensen, Prudence Buckland, Jan-Frederik Keustermans, and Hakki Can Yildiz (photos courtesy of Cleary Gottlieb Steen & Hamilton LLP)

Background

On 19 November 2025, the European Commission presented its much-anticipated Digital “Omnibus” package[1] intended to ease the administrative and compliance burden facing European businesses. Executive Vice-President of the Commission Henna Virkkunen stated that “[f]rom factories to start-ups, the digital package is the EU’s answer to calls to reduce burdens on our businesses.”[2] 

Explaining Credit Scores – The ECJ Rules on Automated Credit Assessments

by Katja Langenbucher and Kevin Bauer

Left to right: Katja Langenbucher and Kevin Bauer (photos courtesy of authors)

A little over a year ago, the SCHUFA judgment tightened the requirements for credit scoring under the EU GDPR. On February 27, the Court handed down further instructions on providing scored consumers with “meaningful information about the logic involved” as required by Art. 15(1)(h) of the GDPR.

Navigating GDPR Risks in AI: Insights from the EDPB’s latest Opinion & the UK ICO’s AI Consultation Response

by Dr. Christoph Werkmeister, Giles Pratt, Tristan Lockwood, and Dr. Benjamin Blum

In December 2024, the European Data Protection Board (EDPB) and the UK Information Commissioner’s Office (UK ICO) separately published significant guidance on the application of the GDPR to AI.

The EDPB’s Opinion 28/2024 had been much anticipated and generated significant media coverage, with headlines such as ‘AI developers don’t need permission to scoop up data, EU data watchdogs say’ (Politico). The UK ICO’s response to its year-long consultation on privacy issues in generative AI may have attracted less attention, but it also marked a significant development in how businesses should assess AI from a privacy perspective.

Irish Regulator Fines LinkedIn 310 Million Euros for GDPR Violations

by David Dumont and Tiago Sérgio Cabral

Left to right: David Dumont and Tiago Sérgio Cabral (Photos courtesy of the authors)

On October 24, 2024, the Irish Data Protection Commission (the “DPC”) announced that it had issued a fine of €310 million (approx. $335 million) against LinkedIn Ireland Unlimited Company (“LinkedIn”) for breaches of the EU General Data Protection Regulation (“GDPR”) related to transparency, fairness, and lawfulness in the context of the company’s processing of its users’ personal data for behavioral analysis and targeted advertising. In addition to the fine, the DPC also issued a reprimand and an order to bring processing into compliance.  

CJEU: Competitors Can Sue over Data Protection Violations

by Dr. Detlev Gabel, Erasmus Hoffmann, and Markus Langen

Left to Right: Dr. Detlev Gabel, Erasmus Hoffmann and Markus Langen (photos courtesy of White & Case LLP)

Background

The German Federal Court of Justice (Bundesgerichtshof), tasked with resolving a conflict between two competing pharmacists, sought guidance from the Court of Justice of the European Union (“CJEU”) on interpreting the General Data Protection Regulation (“GDPR”). The defendant’s business sells over-the-counter (“OTC”) medicinal products online. During the ordering process, customers must provide certain information, including their name, delivery address, and details about the relevant OTC product. Invoking German legislation on unfair commercial practices, the claimant, a competitor, asked the German courts to halt this practice of the competing pharmacy, unless there is assurance that customers give prior consent for the processing of their health-related data.

The courts at both the first and second instance determined that the ordering process involves processing of health data, which is prohibited under the GDPR in the absence of explicit customer consent or other justification. The courts found this practice to be in breach of the GDPR, and thus unfair and unlawful under the German Unfair Competition Act. The German Federal Court of Justice sought clarification on whether the GDPR allows national legislation to permit competitors to initiate legal action against a person allegedly violating the GDPR. Furthermore, it inquired if the information provided during the ordering process qualifies as health data under the GDPR, even though the relevant OTC products do not require a prescription.

In its judgement of October 4, 2024, the CJEU provided clarity on these issues.

Dutch Data Protection Authority Imposes a Fine of 290 Million Euros on Uber

by Sarah Pearce and Ashley Webber

Left to right: Sarah Pearce and Ashley Webber (Photos courtesy of Hunton Andrews Kurth LLP)

On August 26, 2024, the Dutch Data Protection Authority (the “Dutch DPA”), as lead supervisory authority, announced that it had imposed a fine of 290 million euros ($324 million) on Uber.  The fine related to violations of the international transfer requirements under the EU General Data Protection Regulation (the “GDPR”). 

The Dutch DPA launched an investigation into Uber following complaints from more than 170 French Uber drivers to the French human rights interest group the Ligue des droits de l’Homme, which subsequently submitted a complaint to the French Data Protection Authority (the “CNIL”).  The CNIL then forwarded the complaints to the Dutch DPA as lead supervisory authority for Uber.

The EU AI Act is Officially Passed – What We Know and What’s Still Unclear

by Avi Gesser, Matt Kelly, Robert Maddox, and Martha Hirst

From left to right: Avi Gesser, Matt Kelly, Robert Maddox, and Martha Hirst. (Photos courtesy of Debevoise & Plimpton LLP)

The EU AI Act (the “Act”) has made it through the EU’s legislative process and has passed into law; it will come into effect on 1 August 2024. Most of the substantive requirements will come into force two years later, from 1 August 2026, with the main exception being “Prohibited” AI systems, which will be banned from 1 February 2025.

Despite initial expectations of a sweeping and all-encompassing regulation, the final version of the Act reveals a narrower scope than some initially anticipated.

CNIL Publishes New Guidelines on the Development of AI Systems

by David Dumont and Tiago Sérgio Cabral

David Dumont and Tiago Sérgio Cabral (photos courtesy of Hunton Andrews Kurth LLP)

On June 7, 2024, following a public consultation, the French Data Protection Authority (the “CNIL”) published the final version of its guidelines addressing the development of AI systems from a data protection perspective (the “Guidelines”). Read our blog on the pre-public consultation version of these Guidelines.

In the Guidelines, the CNIL states that, in its view, the successful development of AI systems can be reconciled with the challenges of protecting privacy.

Limited-Risk AI—A Deep Dive Into Article 50 of the European Union’s AI Act

by Martin Braun, Anne Vallery, and Itsiq Benizri

Left to right: Martin Braun, Anne Vallery and Itsiq Benizri (photos courtesy of the authors)

This blog post focuses on the transparency requirements associated with certain limited-risk artificial intelligence (AI) systems under Article 50 of the European Union’s AI Act.

As explained in our previous blog post, the AI Act’s overall risk-based approach means that, depending on the level of risk, different requirements apply. In total, there are four levels of risk: (1) unacceptable risk, in which case AI systems are prohibited (see our blog post on prohibited AI practices for more details); (2) high risk, in which case AI systems are subject to extensive requirements, including regarding transparency; (3) limited risk, which triggers only transparency requirements; and (4) minimal risk, which does not trigger any obligations.

EDPB Issues Opinion on Pay-Or-Consent Models

by Olivia Lee and Ashley Webber

From left to right: Olivia Lee and Ashley Webber (Photos courtesy of Hunton Andrews Kurth LLP)

On April 17, 2024, the European Data Protection Board (“EDPB”) adopted its non-binding Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms (the “Opinion”), stating that such models generally are not compliant with the EU General Data Protection Regulation (“GDPR”), though their use should be considered on a case-by-case basis.
