Privacy Newsletter May 2026

A. Editorial

Welcome to the May 2026 edition of my data protection newsletter. If there is a single thread connecting this month’s regulatory updates, court decisions, and technological developments, it is that compliance has decisively moved out of the back office and directly into the user interface. Regulators and courts are no longer satisfied with theoretical frameworks or hidden privacy policies; they are scrutinizing exactly how data practices play out in the real world.

This shift is most evident in the current regulatory push for heightened transparency and user autonomy. With the European Data Protection Board launching its Coordinated Enforcement Framework on transparency obligations and standardizing Data Protection Impact Assessments, the expectations for clear, actionable documentation are higher than ever. Simultaneously, authorities are cracking down on the “front-end” of privacy. Ireland’s formal proceedings regarding deceptive dark patterns, the French Data Protection Authority’s strict new rules on email tracking pixels, and advocacy group noyb’s challenge against corporate privacy paywalls all prove that how organizations present choices is just as critical as the legal foundations behind them.

Beyond the interface, operational realities are being severely tested in both artificial intelligence and corporate governance. As authorities lay out practical, lifecycle-wide blueprints for GDPR-compliant AI development, massive copyright lawsuits over AI training data underscore the immense risks of poor data provenance. Meanwhile, the courts are drawing essential boundaries for privacy professionals. While the European Court of Justice has provided a welcome, pragmatic shield against abusive and weaponized data access requests, national rulings penalizing unlawful intra-group data sharing remind us that foundational privacy principles remain strictly enforced, regardless of corporate structure. I hope you find the insights in this month’s edition both valuable and actionable.

B. Supervisory Authorities

1. EDPB: Publishes One-Stop-Shop Case Digest on Legitimate Interest

In April 2026, the European Data Protection Board (EDPB) published a “One-Stop-Shop Case Digest” focusing on the legal basis of legitimate interest under Article 6(1)(f) GDPR. The digest compiles and analyzes key cross-border enforcement cases handled under the One-Stop-Shop (OSS) mechanism, providing insight into how supervisory authorities across the EU assess and apply the legitimate interest test in practice.

From a legal standpoint, the digest reinforces the established three-step assessment: (i) the existence of a legitimate interest, (ii) the necessity of the processing, and (iii) the balancing of interests between the controller and the data subject. By drawing on real enforcement cases, the EDPB illustrates how these criteria are interpreted in concrete scenarios, including online advertising, fraud prevention, and platform-based data processing. A recurring theme is the strict scrutiny applied to the balancing test, with particular emphasis on the reasonable expectations of data subjects and the need for effective safeguards where processing may have significant impact. The case digest also takes into account the EDPB Guidelines 1/2024 on Processing of Personal Data Based on Article 6(1)(f) GDPR and illustrates how parts of these Guidelines apply in practice.

Importantly, the digest highlights a trend toward a more restrictive interpretation of legitimate interest in high-risk or large-scale processing contexts. Supervisory authorities frequently challenge controllers where alternative, less intrusive means are available or where transparency and user control mechanisms are insufficient. The EDPB also underscores that documentation of the assessment — including the rationale behind the balancing exercise — is a key element of accountability and may be decisive in enforcement proceedings.

For companies, the digest serves as a valuable practical benchmark for structuring and defending legitimate interest assessments. It provides concrete examples of both compliant and non-compliant approaches, enabling organizations to refine their internal methodologies. In particular, businesses relying on legitimate interest for digital business models, analytics, or AI-related processing should revisit their assessments, ensure robust documentation, and implement appropriate safeguards aligned with supervisory expectations.

The case digest can be found here.

2. EDPB: Publishes 2025 Annual Report

In April 2026, the European Data Protection Board (EDPB) published its Annual Report for 2025, providing a comprehensive overview of its activities, priorities, and key developments in EU data protection. The report highlights the EDPB’s central role in ensuring the consistent application of the GDPR, particularly in an increasingly complex regulatory environment shaped by AI, digital platforms, and overlapping EU legislation.

From a legal perspective, the report underscores the growing importance of the EDPB’s consistency and cooperation mechanisms, particularly under Articles 63 and 64 GDPR. In 2025, the Board continued to issue opinions and guidance on fundamental topics such as AI-related data processing, cross-border enforcement, and the interplay between GDPR and other EU digital laws. A notable focus was placed on aligning data protection with emerging frameworks such as the AI Act and the Digital Services Act, reinforcing the GDPR as a cornerstone of the broader EU digital regulatory architecture.

The report also emphasizes the increasing operationalization of enforcement tools, including the One-Stop-Shop mechanism and coordinated actions such as the Coordinated Enforcement Framework (CEF). These instruments aim to reduce fragmentation across Member States and enhance the effectiveness of supervisory activities. At the same time, the EDPB highlights ongoing challenges, including the need for sufficient resources at national authority level and the growing complexity of large-scale, cross-border data processing cases.

For companies, the report provides valuable insight into regulatory priorities and enforcement trends. It signals continued scrutiny in areas such as AI, transparency, international data transfers, and digital business models relying on large-scale data processing. Organizations should closely monitor EDPB guidance and enforcement patterns, as they increasingly shape the practical interpretation of GDPR requirements across the EU. The report also confirms that compliance expectations are becoming more integrated across different regulatory regimes, requiring a more holistic governance approach.

The report can be found here.

3. EDPB: New Template for Data Protection Impact Assessments Published

In April 2026, the European Data Protection Board (EDPB) released a new standardized template for conducting Data Protection Impact Assessments (DPIAs). The template is part of the EDPB’s broader initiative to enhance clarity, support, and stakeholder engagement, as outlined in the Helsinki Statement on enhanced clarity, support and engagement from June 2025. It is intended to support controllers in systematically assessing high-risk processing activities under Article 35 GDPR and to promote a more harmonized approach across the EU. By providing a structured format, the EDPB aims to facilitate both the documentation and the practical execution of DPIAs, particularly in complex processing scenarios such as AI deployments or large-scale data analytics. The template is supported by an additional document provided by the EDPB, which explains its usage and gives more context to the template itself.

From a legal perspective, the template reflects the EDPB’s continued effort to operationalize the accountability principle under Article 5(2) GDPR. It guides organizations through the key elements of a DPIA, including a detailed description of the processing operations, an assessment of necessity and proportionality, a structured risk analysis for data subjects, and the identification of appropriate mitigation measures. Notably, the template emphasizes a risk-based approach and encourages controllers to clearly document their balancing decisions, thereby strengthening the evidentiary value of DPIAs in potential supervisory proceedings.

For companies, the practical relevance lies in the increasing scrutiny of DPIAs by supervisory authorities. The availability of an EDPB-backed template sets a de facto benchmark for what regulators may consider “adequate” documentation. Organizations should therefore review their existing DPIA processes against this structure, particularly for high-risk use cases such as AI systems, profiling activities, or large-scale customer data processing. Aligning internal templates with the EDPB model can reduce compliance risks and improve defensibility in audits or investigations.

The template can be found here.

4. EDPB: Launch of Coordinated Enforcement Framework (CEF) 2026 on Transparency Obligations

In March 2026, the European Data Protection Board (EDPB) officially launched its Coordinated Enforcement Framework (CEF) 2026, focusing on transparency and information obligations under Articles 12, 13, and 14 GDPR. The initiative brings together national supervisory authorities across the EU to conduct coordinated investigations into how organizations inform individuals about the processing of their personal data. The CEF is rooted in the EDPB Strategy 2024–2027, which identifies coordinated enforcement as a key instrument to ensure consistent application of the GDPR across Member States.

From a legal standpoint, the initiative underscores the central role of transparency as a cornerstone of the GDPR. Controllers are required to provide clear, accessible, and comprehensive information about their processing activities, including purposes, legal bases, recipients, retention periods, and data sources. The coordinated action will assess whether organizations meet these requirements in practice, particularly in complex environments such as digital platforms, AI-driven services, and multi-layered data processing ecosystems. The EDPB aims to identify systemic shortcomings and develop a more harmonized interpretation of transparency obligations across jurisdictions.

For companies, the practical implications are significant. The coordinated nature of the enforcement action increases the likelihood of sector-wide scrutiny and reduces the risk of divergent national interpretations. Organizations should proactively review their privacy notices, layered information concepts, and internal data mapping to ensure that all required disclosures are complete, consistent, and easily understandable. Particular attention should be paid to indirect data collection scenarios, third-country transfers, and AI-related processing, where transparency requirements are often insufficiently implemented in practice.

We will keep you informed once we know which national authorities will participate, as this will narrow the scope of this year’s CEF.

5. CNIL: Publishes Recommendations for GDPR-Compliant AI System Development

In April 2026, the French Data Protection Authority (CNIL) published comprehensive recommendations on how to ensure compliance with the GDPR throughout the development lifecycle of artificial intelligence systems. The guidance is part of CNIL’s broader effort to provide practical, innovation-friendly frameworks for AI deployment, addressing increasing regulatory scrutiny around the use of personal data in AI training and operation.

From a legal perspective, the recommendations emphasize that GDPR obligations apply across all phases of AI system development — from data collection and model training to deployment and ongoing use. CNIL reiterates core principles such as purpose limitation, data minimization, and transparency, and highlights the need for a clearly defined legal basis when personal data is used. Particular attention is given to the training phase, where large and often heterogeneous datasets are involved. Controllers are required to carefully assess whether personal data is necessary and to implement safeguards such as anonymization, pseudonymization, or data filtering where possible. The guidance also stresses the importance of conducting Data Protection Impact Assessments (DPIAs) for high-risk AI applications and embedding privacy-by-design measures into system architecture.

For organizations, the practical implications are substantial. The CNIL recommendations provide a structured blueprint for integrating data protection into AI governance frameworks and product development processes. Companies should ensure that data sourcing practices are documented, risks are systematically assessed, and mitigation measures are implemented and continuously reviewed. In particular, organizations deploying generative AI or large language models should reassess their training data strategies and transparency mechanisms. The guidance signals that supervisory authorities expect not only formal compliance but demonstrable, operationalized data protection throughout the AI lifecycle.

The recommendations are complemented by a checklist supporting the required measures. This checklist can be found here.

6. CNIL: Publishes Guidance on the Use of Tracking Pixels in Emails

In April 2026, the French Data Protection Authority (CNIL) issued new guidance on the use of tracking pixels in emails, addressing a widespread but often opaque practice in digital marketing and communication. Tracking pixels — typically invisible images embedded in emails — enable senders to collect information such as whether an email has been opened, the time of access, and, in some cases, the recipient’s device or location. CNIL’s publication aims to clarify the applicable legal framework under the GDPR and the ePrivacy rules.

From a legal standpoint, CNIL qualifies tracking pixels as technologies that access or store information on a user’s terminal device, thereby falling within the scope of Article 5(3) of the ePrivacy Directive (as implemented in national law) in conjunction with the GDPR. As a result, their use generally requires prior consent from the recipient, unless a strict exemption applies. CNIL emphasizes that users must be clearly and comprehensively informed about the presence and purpose of such tracking mechanisms, including the type of data collected and how it will be used. The authority also highlights that relying on legitimate interest as a legal basis will, in most cases, not be sufficient to justify the deployment of tracking pixels without consent.

For organizations, the practical implications are immediate and far-reaching, particularly in marketing, CRM, and newsletter operations. Companies should reassess their email tracking practices to ensure that valid consent mechanisms are in place before deploying tracking pixels. This includes reviewing consent collection flows, updating privacy notices, and ensuring that tracking functionalities can be effectively disabled where consent is not granted. The guidance also signals increased enforcement risk in this area, especially given the broader European trend of scrutinizing tracking technologies beyond traditional cookies.
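As an added illustration of the consent requirement discussed above (example code written for this newsletter, not from CNIL or any vendor): a Python routine that flags tracking pixels in an outgoing newsletter and strips them unless the recipient’s recorded consent is affirmative, so that a missing or negative consent record defaults to no tracking. The HTML, the tracking hostnames and the consent table are constructed for the example.

```python
"""Consent-gated handling of e-mail tracking pixels (constructed example)."""
import re
from dataclasses import dataclass

# Matches each <img ...> tag; attributes are parsed separately below.
IMG_TAG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
# name="value", name='value' or name=value
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

# Constructed sample newsletter: one legitimate banner image and two tracking
# pixels (a 1x1 open-tracker and a CSS-hidden beacon) on a hypothetical host.
SAMPLE_HTML = """<html><body>
<h1>May newsletter</h1>
<img src="https://newsletter.example/images/banner.png" width="600" height="120" alt="Banner">
<p>Hello!</p>
<img src="https://track.example/open?rid=12345" width="1" height="1" alt="">
<img src="https://track.example/beacon.gif" style="display:none; width:1px; height:1px">
</body></html>"""

# Constructed consent register: only an explicit True counts as consent.
CONSENT = {"alice@example.org": True, "bob@example.org": False}


@dataclass
class PixelFinding:
    src: str
    reason: str
    tag: str


def _attrs(tag: str) -> dict:
    """Return the tag's attributes as a lower-cased name -> value dict."""
    out = {}
    for m in ATTR_RE.finditer(tag):
        out[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return out


def _is_tiny(value: str) -> bool:
    """True for width/height attributes of 0 or 1 (with or without 'px')."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return v in ("0", "1")


def _style_hidden(style: str) -> bool:
    """True if an inline style hides the image or shrinks it to <= 1px."""
    s = re.sub(r"\s+", "", style.lower())
    if "display:none" in s or "visibility:hidden" in s:
        return True
    w = re.search(r"width:(\d+)px", s)
    h = re.search(r"height:(\d+)px", s)
    return bool(w and h and int(w.group(1)) <= 1 and int(h.group(1)) <= 1)


def _classify(tag: str):
    """Return a reason string if the img tag looks like a tracking pixel."""
    a = _attrs(tag)
    if "width" in a and "height" in a and _is_tiny(a["width"]) and _is_tiny(a["height"]):
        return "1x1 dimensions"
    if _style_hidden(a.get("style", "")):
        return "hidden via inline style"
    return None


def find_tracking_pixels(html: str) -> list:
    """Audit helper: list every img tag classified as a tracking pixel."""
    findings = []
    for m in IMG_TAG_RE.finditer(html):
        reason = _classify(m.group(0))
        if reason:
            findings.append(PixelFinding(_attrs(m.group(0)).get("src", ""), reason, m.group(0)))
    return findings


def strip_tracking_pixels(html: str) -> str:
    """Remove every img tag classified as a tracking pixel; keep real images."""
    return IMG_TAG_RE.sub(lambda m: "" if _classify(m.group(0)) else m.group(0), html)


def render_for_recipient(html: str, recipient: str, consent: dict) -> str:
    """Return the HTML to send: pixels survive only on an explicit opt-in."""
    if consent.get(recipient) is True:
        return html
    return strip_tracking_pixels(html)
```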

Note: Most references made in this article are only available in French.

7. GPDP: €5.9 Million Fine Against BancoPosta and Postepay Apps

In April 2026, the Italian Data Protection Authority (Garante per la protezione dei dati personali – GPDP) imposed a fine of €5,877,000 on Poste Italiane S.p.A. in connection with the operation of its “BancoPosta” and “Postepay” mobile applications. The decision follows an investigation into several data protection infringements affecting millions of users of the widely used financial service apps.

From a legal perspective, the authority identified multiple violations of the GDPR, particularly in relation to transparency obligations, data security, and the lawful processing of personal data. The GPDP found that users were not adequately informed about certain data processing activities carried out via the apps, including the use of tracking and profiling mechanisms. In addition, the authority highlighted shortcomings in the implementation of appropriate technical and organizational measures under Article 32 GDPR, pointing to vulnerabilities that exposed user data to potential unauthorized access. The decision also addressed deficiencies in the legal basis for specific processing operations, particularly where user consent was either not properly obtained or not sufficiently documented.

For organizations, the case underscores the heightened regulatory focus on mobile applications in the financial sector, where large-scale processing of sensitive and behavioral data is common. Supervisory authorities are increasingly scrutinizing not only external-facing transparency measures but also backend processing logic and security configurations. Companies operating digital platforms — especially apps with integrated analytics, profiling, or tracking functionalities — should ensure that their privacy notices fully reflect actual processing activities and that consent mechanisms are robust and auditable. Equally important is the continuous review of technical safeguards to align with the “state of the art” requirement under the GDPR.

The decision can be found here.

Note: Most references made in this article are only available in Italian.

D. Court Decisions

1. ECJ: Limits to the Exercise of the Right of Access Under Article 15 GDPR

In March 2026, the European Court of Justice (ECJ) clarified the limits of the right of access under Article 15 GDPR, addressing the increasingly relevant question of whether and under what circumstances such requests may constitute an abuse of rights. The case arose from a situation in which a data subject exercised the right of access not primarily to verify the lawfulness of data processing, but for purposes unrelated to data protection — in particular, to obtain information for use in legal disputes.

The Court confirmed that the right of access is a fundamental element of the GDPR, enabling individuals to understand and verify how their personal data is processed. However, it also emphasized that this right is not unlimited. In line with general principles of EU law, the ECJ held that the exercise of data subject rights may be restricted in cases of manifest abuse. Such abuse may occur where a request is made exclusively for purposes unrelated to data protection, or where it is clearly excessive in light of its context and objective. At the same time, the Court set a high threshold for invoking abuse, stressing that controllers must carefully assess each request on a case-by-case basis and cannot refuse access lightly.

From a practical perspective, the ruling provides important guidance for handling increasingly strategic or litigation-driven access requests. While companies cannot reject requests solely because they may serve parallel legal purposes, the decision opens the door for limiting clearly abusive or repetitive requests. Organizations should ensure that internal procedures for handling Article 15 requests include a documented assessment of potential abuse, while maintaining a cautious approach given the strict standards set by the Court. The judgment thus strikes a balance between protecting data subject rights and preventing their instrumentalization beyond the GDPR’s intended scope.

The decision can be found here.

2. LAG Rheinland-Pfalz: Damages Awarded for Unlawful Intra-Group Data Sharing

In March 2026, the Higher Labour Court of Rhineland-Palatinate (LAG Rheinland-Pfalz) ruled on the entitlement to damages under Article 82 GDPR in a case involving unauthorized intra-group data transfers. The decision concerned the disclosure of employee data within a corporate group without a valid legal basis, highlighting once again that intra-group data sharing is not exempt from GDPR requirements.

From a legal perspective, the court emphasized that transfers of personal data between affiliated companies must independently comply with the GDPR, regardless of corporate structures. In the case at hand, the employer had shared employee-related information with another group entity without sufficient legal justification. The LAG found that this constituted a violation of the GDPR, as no appropriate legal basis — such as consent, contractual necessity, or legitimate interest properly balanced against the employee’s rights — could be established. Importantly, the court confirmed that such violations can give rise to compensable non-material damages, even where the harm primarily consists in the loss of control over personal data.

For companies, the ruling reinforces a key compliance principle: intra-group data transfers must be treated as regular data disclosures under the GDPR and require the same level of legal scrutiny and documentation as transfers to third parties. In particular, organizations should ensure that group-wide data sharing arrangements are clearly documented, supported by a valid legal basis, and reflected in internal policies and privacy notices. The decision also illustrates the growing willingness of courts to award damages for GDPR violations in employment contexts, thereby increasing litigation risks for insufficiently governed internal data flows.

The decision can be found here.

Note: Most references made in this article are only available in German.

3. Austrian Federal Administrative Court: Street Addresses Alone Do Not Constitute Personal Data

In its decision of 12 February 2026, the Austrian Federal Administrative Court (Bundesverwaltungsgericht – BVwG) clarified that the mere display of a street address on public signage does not automatically qualify as the processing of personal data under the GDPR. The case concerned a complaint by a resident who argued that the installation of a public transport sign bearing his residential address violated his right to data protection.

From a legal perspective, the court focused on the definition of “personal data” under Article 4(1) GDPR and the prerequisite of an identifiable natural person. It held that a standalone address — without any additional identifying elements such as a name or other contextual information — does not, as a rule, allow for the identification of a specific individual. Consequently, the court found that no processing of personal data had taken place in this case. The possibility that a person could be identified through additional external sources (e.g. land registers or population databases) was deemed insufficient to establish a direct or indirect personal reference in the specific context.

The ruling is particularly relevant as it draws a clear line between location-based information and personal data, reinforcing that not every reference to a physical address triggers GDPR applicability. Only where an address is combined with further identifying information or used in a context that enables attribution to a specific individual will it typically qualify as personal data.

For organizations, the decision provides helpful guidance when assessing borderline cases involving location data, signage, or publicly accessible information. While it confirms that not all address-related information falls within the scope of the GDPR, companies should remain cautious: the assessment is highly context-dependent, and the threshold for identifiability may be met more easily where additional data points are available or combined. Proper data classification and context-specific analysis therefore remain essential.

The decision can be found here.

Note: Most references made in this article are only available in German.

4. ECJ Advocate General: Supervisory Authorities May Qualify as Controllers in Complaint Procedures

In April 2026, the Advocate General at the European Court of Justice (ECJ) delivered an Opinion in Case C-205/25, addressing the role of data protection authorities in complaint proceedings under Article 77 GDPR. The case centers on whether a supervisory authority, when handling complaints, can itself be considered a “controller” within the meaning of Article 4(7) GDPR and is therefore subject to data subject rights such as the right of access under Article 15 GDPR.

From a legal perspective, the Advocate General takes the view that supervisory authorities may indeed act as controllers when they process personal data in the context of complaint procedures. While authorities operate under a public mandate, they still determine the purposes and means of processing in such proceedings — for example when collecting, evaluating, and storing information submitted by complainants and other parties. As a consequence, the Opinion suggests that data protection authorities are not exempt from GDPR obligations in this context and must, in principle, comply with transparency requirements and grant access rights to data subjects, unless specific limitations under Union or Member State law apply.

This interpretation reinforces the principle that GDPR obligations are function-based rather than entity-based. Even public authorities tasked with enforcing data protection law may themselves fall within its scope when engaging in data processing activities. At the same time, the Advocate General acknowledges that practical limitations may arise, particularly where disclosure could interfere with ongoing investigations or the rights of third parties, requiring a careful balancing of interests.

For organizations, the Opinion is noteworthy beyond the specific case, as it underlines a broader regulatory trend: supervisory authorities are increasingly held to the same accountability standards they enforce. While the final ECJ judgment is still pending, the Opinion suggests a potential expansion of procedural rights vis-à-vis regulators. Companies involved in complaint proceedings may therefore gain additional avenues to request access to information held by supervisory authorities, although such rights will likely remain subject to procedural safeguards and restrictions.

The Opinion can be found here.

E. National & International Developments

1. Microsoft Defender: Critical Zero-Day Vulnerabilities Actively Exploited

In April 2026, multiple critical zero-day vulnerabilities affecting Microsoft Defender and core Windows security mechanisms were disclosed and are already being actively exploited in the wild. The vulnerabilities, tracked under identifiers such as CVE-2026-33825, enable attackers to bypass or disable built-in security protections, thereby compromising the integrity of Windows systems. Security researchers have linked the exploits — referred to as “RedSun,” “UnDefend,” and “BlueHammer” — to targeted attacks against enterprise environments.

From a technical and legal perspective, the incidents highlight the fragility of relying solely on standard endpoint protection solutions for safeguarding personal data. The vulnerabilities allow attackers to evade detection mechanisms, disable security features, and potentially gain unauthorized access to systems processing personal data. This directly impacts the obligation under Article 32 GDPR to implement “appropriate technical and organizational measures” reflecting the state of the art. Once such vulnerabilities are publicly known and actively exploited, organizations may be required to reassess whether their existing security posture remains adequate.

The situation also raises questions regarding incident response and breach notification obligations. Where exploitation leads to unauthorized access to personal data, companies may face reporting obligations under Articles 33 and 34 GDPR within strict timelines. Given that zero-day vulnerabilities can remain undetected for extended periods, organizations must ensure that monitoring, logging, and detection capabilities are sufficiently robust to identify potential compromise scenarios.

For companies, the practical implications are immediate. Security teams should verify patch availability and apply updates without delay, implement compensating controls where patches are not yet available, and reassess endpoint protection strategies beyond a single-vendor approach. In parallel, data protection teams should evaluate whether such vulnerabilities could trigger risk assessments or reporting obligations. The case underscores that “state of the art” security is a dynamic benchmark — and failure to react promptly to known critical vulnerabilities may expose organizations not only to cyber risks but also to regulatory scrutiny.

2. German Bundesrat Issues Comprehensive Statement on the “Digital Omnibus”

In March 2026, the German Bundesrat published a detailed statement on the European Commission’s proposed “Digital Omnibus” package, which aims to simplify and streamline key elements of EU digital regulation, including aspects of the GDPR. The statement reflects the position of the German federal states and provides extensive feedback on proposed reforms, particularly regarding data protection obligations and administrative burdens for companies.

From a legal perspective, the Bundesrat broadly supports efforts to reduce complexity and improve the practical applicability of the GDPR, especially for small and medium-sized enterprises. At the same time, it emphasizes that simplification must not come at the expense of the fundamental rights of data subjects. The statement calls for a more risk-based approach to compliance obligations, advocating for clearer distinctions between low-risk and high-risk data processing activities. It also addresses specific areas such as record-keeping requirements, documentation duties, and the interpretation of legal bases, suggesting that these should be adapted to better reflect operational realities without weakening core GDPR principles.

In addition, the Bundesrat highlights the need for greater legal certainty and harmonization across Member States. Diverging interpretations by national supervisory authorities are identified as a key challenge for businesses operating cross-border. The statement therefore advocates for stronger coordination mechanisms and clearer guidance at EU level. It also touches on the interaction between the GDPR and newer digital regulations, underlining the importance of a coherent regulatory framework that avoids duplication and conflicting obligations.

For companies, the Bundesrat’s position signals a potential shift toward more pragmatic and risk-oriented data protection requirements in the medium term. However, it also confirms that fundamental compliance standards — particularly transparency, accountability, and data subject rights — will remain non-negotiable. Organizations should closely monitor the further development of the Digital Omnibus initiative, as it may lead to targeted adjustments of existing obligations while simultaneously increasing expectations for structured, risk-based compliance frameworks.

The statement can be found here.

Note: Most references made in this article are only available in German.

3. noyb Files Lawsuit Against Hamburg Data Protection Authority Over PimEyes Case

In April 2026, the privacy advocacy organization noyb (None of Your Business) filed a lawsuit against the Hamburg Data Protection Authority (HmbBfDI), challenging its handling of a complaint concerning the facial recognition service “PimEyes.” The case centers on the authority’s decision not to take enforcement action despite allegations that the service unlawfully processes biometric data by scraping images from the internet and enabling identification of individuals.

From a legal perspective, the dispute raises fundamental questions about the obligations of supervisory authorities under Article 77 GDPR. Noyb argues that the Hamburg DPA failed to properly investigate and enforce GDPR provisions, particularly those relating to the processing of biometric data under Article 9 GDPR. According to noyb, PimEyes’ business model — which allows users to upload images and identify individuals across the web — constitutes high-risk processing of sensitive personal data without a valid legal basis. By declining to take action, the authority is alleged to have violated its duty to ensure effective enforcement and protection of data subject rights.

The case also touches on procedural rights and accountability of supervisory authorities. Under the GDPR, individuals not only have the right to lodge complaints but also to expect that these complaints are handled diligently and effectively. The lawsuit seeks judicial clarification on the extent to which DPAs must pursue enforcement actions and how far their discretion extends when deciding whether to act on complaints.

For companies, the case is less about immediate compliance obligations and more about the evolving enforcement landscape. It highlights increasing pressure on supervisory authorities to take decisive action in high-profile and high-risk cases, particularly involving AI and biometric technologies. At the same time, it signals that enforcement gaps may themselves become subject to legal scrutiny. Organizations operating in sensitive areas such as facial recognition should therefore not rely on perceived regulatory inaction but ensure robust compliance, as both regulators and courts are likely to intensify their focus on such technologies.

Further information on the complaints procedure can be found here.

4. noyb: “LinkedIn locks GDPR rights behind a paywall”

In April 2026, privacy advocacy group noyb raised allegations against LinkedIn, claiming that the platform effectively restricts the exercise of GDPR rights by placing certain functionalities behind a paid subscription model. According to the complaint, users are required to upgrade to premium services in order to access features that are relevant for exercising their data protection rights, such as enhanced visibility into profile views or interactions.

From a legal standpoint, the allegations touch on core GDPR principles, particularly the requirement that data subject rights — including access, transparency, and control over personal data — must be provided free of charge under Article 12(5) GDPR. While companies may offer additional value-added services on a paid basis, they must not condition the exercise of fundamental rights on payment. Noyb argues that LinkedIn’s design may blur this line by embedding data-relevant functionalities into its premium offering, potentially undermining the effectiveness of users’ rights.

The case also fits into the broader regulatory debate around “pay or okay” models and platform design practices. Supervisory authorities and courts across Europe have increasingly scrutinized whether digital services create structural barriers — including financial or interface-related — that discourage or limit the exercise of data protection rights. If confirmed, such practices could be considered a violation of both transparency and fairness principles under Article 5 GDPR.

For companies, the issue highlights an often overlooked compliance risk: the indirect restriction of data subject rights through product design. Organizations should ensure that all GDPR rights can be exercised easily, transparently, and free of charge, independent of any premium features or business models. In particular, companies offering tiered services or subscription models should carefully assess whether any functionalities relevant to data access, control, or transparency are inadvertently restricted to paying users.

The complaint can be found here (German).

In April 2026, several major U.S. publishing companies filed a copyright lawsuit against Meta, alleging that the company unlawfully used protected literary works to train its artificial intelligence models. The case adds to a growing number of legal disputes worldwide concerning the use of copyrighted material in the development of generative AI systems.

From a legal perspective, the lawsuit focuses on whether the large-scale use of copyrighted texts for AI training constitutes a permissible use — such as “fair use” under U.S. law — or an infringement of intellectual property rights. The publishers argue that Meta systematically incorporated protected works into its training datasets without authorization, thereby exploiting their content for commercial purposes. Meta, like other AI developers, is expected to rely on defenses based on transformative use and the technical nature of model training, where content is not reproduced in a traditional sense but used to generate statistical patterns.

While the case is rooted in U.S. copyright law, it has broader implications for data protection and AI governance in Europe. The use of large datasets — potentially including personal data embedded in texts — intersects with GDPR requirements, particularly regarding lawful data sources, purpose limitation, and transparency. The outcome of such litigation may therefore indirectly influence how AI training practices are assessed under European data protection frameworks.

For companies, the case highlights a key compliance risk in AI development: the origin and legality of training data. Organizations deploying or developing AI systems should ensure that datasets are lawfully sourced, that intellectual property rights are respected, and that contractual safeguards with AI providers clearly address liability for potential infringements. As litigation in this area intensifies, both copyright and data protection considerations are likely to become central elements of AI governance strategies.

6. German Federal Data Protection Commissioner: Government Data Retention Plans Deemed Unlawful

In May 2026, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) sharply criticized the federal government’s renewed plans to introduce data retention obligations, concluding that the proposed framework would likely be unlawful under European law. The initiative seeks to reintroduce the storage of telecommunications traffic and location data for law enforcement purposes and is part of a broader policy push to expand surveillance capabilities.

From a legal perspective, the BfDI’s assessment builds on established case law of the European Court of Justice (ECJ), which has repeatedly ruled that indiscriminate or blanket data retention constitutes a disproportionate interference with fundamental rights under the EU Charter. The authority emphasized that any permissible regime must be strictly targeted, limited to specific threats, and accompanied by strong safeguards. The current plans, however, are seen as amounting to generalized and preventive data collection, thereby failing to meet the requirements of necessity and proportionality. In parallel, data protection authorities have also raised concerns about related legislative initiatives — such as so-called “chat control” proposals — warning against the risk of broad, suspicionless mass surveillance.

The debate highlights the continuing tension between security policy objectives and fundamental rights protection. While policymakers argue that expanded data retention is necessary to combat serious crime and terrorism, supervisory authorities stress that such measures must remain the exception and cannot undermine the core principles of privacy and data protection.

For companies, particularly in the telecommunications and digital services sectors, the situation creates ongoing legal uncertainty. Organizations may face regulatory pressure to implement retention measures that could later be invalidated by courts. Companies should therefore approach such requirements with caution, ensuring that any data storage practices remain aligned with GDPR principles — especially purpose limitation, data minimization, and proportionality — and are adaptable to potential legal changes.

Note: Most references made in this article are only available in German.

7. Ireland: Media Regulator Launches DSA Proceedings Against Meta Over Dark Patterns

In April 2026, Ireland’s media regulator, Coimisiún na Meán, initiated formal proceedings under the Digital Services Act (DSA) against Meta Platforms in relation to Facebook and Instagram. The investigations focus on the alleged use of so-called “dark patterns” — user interface designs that manipulate or nudge users into making decisions that may not be in their best interest, particularly regarding privacy and consent choices.

From a legal perspective, the proceedings are based on the DSA’s provisions requiring online platforms to design their interfaces in a transparent, fair, and non-deceptive manner. Dark patterns that undermine user autonomy — for example by making it easier to accept tracking than to reject it, or by obscuring privacy settings — are explicitly restricted under the DSA framework. Although the case is not directly grounded in the GDPR, it closely intersects with data protection principles, especially those relating to consent (Article 7 GDPR) and fairness and transparency (Article 5 GDPR). The outcome may therefore further clarify how UX design practices are evaluated across both regulatory regimes.

The investigations will assess whether Meta’s platforms provide users with genuine and informed choices or whether interface design systematically steers users toward more data-intensive options. This reflects a broader European enforcement trend targeting not only the legal basis for data processing but also the design of digital environments in which user decisions are made.

For companies, the case highlights the growing regulatory convergence between data protection law and platform regulation. Compliance is no longer limited to backend processing and legal documentation but increasingly extends to frontend design and user experience. Organizations should therefore review their consent flows, privacy dashboards, and interface designs to ensure that choices are presented in a neutral, balanced, and easily accessible manner. Failure to do so may trigger enforcement under both the GDPR and the DSA.
