My Content
Insights

EU Court of Justice Defines Limits to the GDPR Right of Access

On March 19, 2026, the Court of Justice of the European Union issued its judgment in *Brillen Rottler GmbH & Co. KG v. TC* (Case C-526/24), addressing whether a controller may refuse even a first request for access as “excessive” under Article 12(5) of the GDPR, and whether a data subject can claim compensation under Article 82(1) for infringement ...

EDPB and EDPS Issue Joint Opinions on Cybersecurity and Biotech Proposals

The European Data Protection Board and the European Data Protection Supervisor adopted two significant Joint Opinions in March 2026, addressing major European Commission legislative proposals that intersect with cybersecurity, health data governance, and data protection.

On March 19, the EDPB and EDPS published their Joint Opinion on the proposed Cybersecurity Act 2 (CSA2) and the proposed amendments to the NIS2 ...

Ninth Circuit Clarifies Its Class Action Jurisdiction Over Foreign Companies Operating Online

On March 2, 2026, the U.S. Court of Appeals for the Ninth Circuit issued a significant decision in *Freeman v. 3Commas Technologies OÜ*, reversing a district court’s dismissal of a class action against an Estonian cryptocurrency trading software company for lack of personal jurisdiction in California. The ruling provides important guidance on when foreign technology companies that operate online platforms ...

California State Court Jury Find Meta and Google Liable for Teen Addiction

Back in November 2025, Judge Carolyn B. Kuhl of the Los Angeles Superior Court denied summary judgment motions filed by Meta, Google (YouTube), ByteDance (TikTok), and Snap in the bellwether case K.G.M. v. Meta Platforms et al., allowing claims by a young woman who alleged that social media platforms’ design features caused her depression, anxiety, and compulsive use to ...

France’s High Court Clarifies the Boundary Between Pseudonymization and Anonymization

France’s Conseil d’État—the country’s highest administrative court—rejected challenges by three companies in the Cegedim group to CNIL fines totaling €1.8 million, delivering an important ruling on when pseudonymized health data remains personal data under the GDPR.

The companies operated two databases, fed by data collected from doctors’ practice management software and pharmacy systems. By March 2021, one database held data ...

EU Commission Publishes Draft Guidance on the Cyber Resilience Act and AI Transparency

The European Commission published two significant sets of draft guidelines in March 2026, providing practical compliance guidance for two of the EU’s most consequential recent digital regulations.

On March 3, 2026, the Commission published draft guidelines intended to clarify the application of the EU Cyber Resilience Act (CRA) and opened a public consultation for stakeholder feedback. The CRA, which entered ...

More of My Content
Insights
More Insights