EDPO (European Data Protection Office)

“META Platforms' plan to collect detailed records of United States employees' computer usage for training its artificial intelligence (AI) models is more extensive than initially described and set to capture non-US data in the process, according to internal documentation seen by Reuters. The documents introduce fresh complications for the project — a key component of chief executive officer Mark Zuckerberg's broader plan to transform how the company operates around AI agents — that could draw Meta into a new European privacy fight, said rights groups. The Facebook and Instagram owner told staff last month it was launching the tool to capture how people use computers, including mouse movements, clicks and navigation through dropdown menus to build AI agents that can perform everyday software tasks autonomously. The tool, called Model Capability Initiative (MCI), is pulling in data from more than 200 apps and websites, according to a list Meta shared with staffers.” #Privacy #GDPR #Meta #EUPrivacy Subscribe to EDPO's newsletter here: https://lnkd.in/dwK8sde *This article was not written by EDPO. The opinions and views of the author(s) do not necessarily reflect those of EDPO. https://lnkd.in/eDbpfKQ8

“The European Data Protection Board has just adopted two major opinions that will substantially facilitate international data transfers while enhancing personal data protection. It approved the extension of Europrivacy, the European Data Protection Seal of the EU General Data Protection Regulation, to be used in countries outside the EU or European Economic Area. It also approved a specific version of the Europrivacy criteria to be used as a mechanism for international data transfers under Article 46 of the GDPR.   The first EDPB opinion (14/2026) authorizes the use of the Europrivacy certification outside of Europe. Europrivacy was previously approved to serve as a European Data Protection Seal by companies established in EU and EEA countries under Article 42. This new decision enables companies located in other countries to also request a certification demonstrating the GDPR compliance of their data processing activities.   In its second decision (15/2026), the EDPB approved a specific version of the Europrivacy certification criteria to be used by data importers as a mechanism for international data transfers in accordance with Article 46. The data importer certification must be completed by a binding and enforceable commitment. This marks an important step in the operationalization of certification mechanisms in the context of cross-border data flows. In practice, it will enable companies acting as data importers outside the EEA to demonstrate their effective adequacy for receiving personal data from Europe. It will substantially reduce the risks and due diligence burden for all parties and strengthen legal certainty and trust in international data transfers.” #privacy #GDPR #EU #Europrivacy #EDPB Subscribe to EDPO's newsletter here: https://lnkd.in/dwK8sde *This article was not written by EDPO. The opinions and views of the author(s) do not necessarily represent those of EDPO. https://lnkd.in/eaKA-8wj

“Euro zone banks need to invest more in cybersecurity if they are to get a grip on new AI models that can find flaws in software, the European Central Bank's outgoing Vice President Luis de Guindos said on Wednesday.   New large language models such as Anthropic's Mythos are viewed by cybersecurity experts as posing significant challenges to the banking industry and its legacy technology systems, prompting a series of warnings from regulators and policymakers around the world.   The ECB has been quizzing euro zone banks about their preparedness for weeks, including at a meeting this week, and de Guindos said the sector needed to reach deeper into its pockets to strengthen its defences against cyberattacks powered by AI.   ‘We have to understand much better the potential implications of these new models and to try to put in place the systems and cybersecurity patches that can address that situation,’ de Guindos, whose term runs out at the end of the month, told reporters.   ‘And (we have) to try to start to enhance the awareness of the financial institutions, of the banks, about the need of additional cybersecurity investment, because it's going to be something that is going to be quite structural in the near future.’“ #privacy #GDPR #dataprotection #AI #EU #CyberSecurity #ECB Subscribe to EDPO's newsletter here: https://lnkd.in/dwK8sde *This article was not written by EDPO. The opinions and views of the author(s) do not necessarily represent those of EDPO. https://lnkd.in/eNRuhCdw

"Pope Leo XIV on Monday called for 'disarming' AI in a letter that reads like a direct attack on Silicon Valley tech moguls, who are currently engaged in a years-long race to build more powerful AI models. [...]   The Pope warned about the dangers of AI to education, workers, and families, and criticised Silicon Valley tech moguls for attempting to use AI to place themselves above others in their pursuit of power. The Catholic leader also argued that society should impose strict rules on AI and other tech. [...]   The Pope’s comments appeared largely aligned with the European Union’s push to regulate the sector.   The Pope argued that there should be transparent rules for governing AI and that those rules should be inclusive, ensuring that AI doesn’t make the poor poorer and the rich richer. He also directly endorsed ongoing efforts to limit children’s access to social media platforms, saying that 'far-sighted public policies' are needed to counter the platforms’ immediate interests." #privacy #GDPR #dataprotection #AI #EU   Subscribe to EDPO's newsletter here: https://lnkd.in/dwK8sde   *This article was not written by EDPO. The opinions and views of the author(s) do not necessarily represent those of EDPO. https://lnkd.in/eRfBYs-m

You can’t “enter Europe first” and think about compliance later. That’s not how it works. Because the moment you offer services, you’re already in scope. GDPR. AI Act. DSA. NIS2. Not one framework. An ecosystem. And most companies realise it at the same moment: When a deal is on the table. Or when due diligence starts. They prepare for one requirement… and discover several. And by then, timing is no longer flexible. Because in Europe, compliance doesn’t come after expansion. It’s part of what makes expansion possible in the first place. Sérgio Abreu

Last week at CPDP Brussels, the conversations were exactly where EDPO lives: at the intersection of regulation and real-world implementation.   Across panels and workshops, we explored how organisations can navigate evolving frameworks such as the GDPR, the AI Act, the Data Act, and other digital regulations in practice.   CPDP reminded us why we do what we do. Helping organisations to navigate and translate their representative obligations into clear, practical, and manageable operations.   Here’s a little video sneak peek of the moments that made the week so valuable: reconnecting with regulators, academics, professionals, and fellow experts, and bringing back insights we can turn into action for the organisations we work with. #CPDP2026 #Privacy #DataProtection #EUCompliance #AIAct #DataAct #DigitalRegulation #EDPO

“On 24 May 2026, we mark ten years since the General Data Protection Regulation (GDPR) entered into force. This landmark law gave Europeans real control over their personal data for the first time, and changed life online forever.  […] Before the GDPR, the rules protecting your personal data varied widely from one EU country to another, and your rights were often unclear. The GDPR changed that.  Across the EU, you now have the right to know what data is collected about you, why it is collected, and who it is shared with. You can request access to your data, ask for it to be corrected or deleted, and withdraw your consent at any time.  […] The GDPR does not stand alone. Over the past decade, the EU has built a broad set of digital rules to protect people online:  - The Digital Services Act holds large online platforms accountable for harmful content - The Digital Markets Act tackles unfair practices by the biggest tech gatekeepers - The AI Act ensures that AI systems used in Europe respect your rights and safety […] Together, these efforts reflect a simple message: in the EU, the online world serves people, not the other way around.” #Privacy #GDPR #EC #DigitalRules Subscribe to EDPO's newsletter here: https://lnkd.in/dwK8sde *This article was not written by EDPO. The opinions and views of the author(s) do not necessarily reflect those of EDPO. https://lnkd.in/dyxyNku7

“Why now?” Because regulation only becomes real when enforcement starts. Monaco’s data protection law was published in 2024. It entered into force in December 2025. For a while, it stays on paper. And then something shifts. Questions start coming in. Authorities become more active. And compliance moves from theory… to practice. That’s when priorities change. Because just like under the GDPR, the consequences are not symbolic. Failure to appoint a representative - when required - can lead to fines of up to: €5 million or 2% of global turnover. And at that point, it’s no longer about understanding the law. It’s about being ready for it. Baudouin de Meulemeester Snyers

EDPO had the opportunity to attend the insightful Computers, Privacy and Data Protection 2026 in Brussels this week, and it was fascinating to see the many discussions on, amongst other topics, the #Omnibus, the future of digital regulation, the #AIAct, the #DSA, and digital sovereignty in Europe.🇪🇺 Across the different panels and workshops we attended, this stood out to us: ·      One of the strongest represented themes throughout the conference was the Omnibus. As many of us are aware of, the Digital Omnibus sparks significant debate. While simplification and legal certainty were presented as necessary to support innovation and reduce compliance burdens, many speakers questioned where the line sits between simplification and deregulation, especially when fundamental rights protections are at stake. ·      Another topic which deserved much attention was digital sovereignty. Multiple speakers stressed that EU digital sovereignty is not only about regulation, but about infrastructure, resilience and the ability to make autonomous technological choices. Several discussions highlighted that the EU’s challenge is not simply to compete with the US, but to build credible alternatives aligned with European values and fundamental rights, while avoiding dependencies on external infrastructures and private actors. ·      Across multiple panels, enforcement of the many legal frameworks in the digital package emerged as one of the core issues. A recurring point was that fragmented and/or unclear enforcement weakens both trust and innovation, predictability, and consistence. This has the consequency that it creates confusion whilst navigating diverging interpretations across Member States, which in turn can hamper legal certainty, innovation and trust. ·      Discussions on operating systems and AI interoperability raised broader questions about the balance between openness, security and user protection. Some speakers warned that interoperability obligations without sufficient safeguards could create new privacy and security risks, especially in AI ecosystems. ·      Several discussions emphasised that enforcement and simplification should not be seen as opposites. Stronger coordination between regulators, harmonized guidance and clearer rules were repeatedly presented as essential to making Europe’s digital rulebook workable in practice. ·      An overall conclusion amongst all of these topics is the idea that Europe’s digital future will depend not only on legislation, but on whether Europe can still build and shape its own infrastructures, institutions and technological ecosystems in line with democratic values. Overall, CPDP 2026 showed just how complex the current European digital landscape has become but the drive to excell, clarify, and reposition the EU even stronger. The main narrative is therefore not mainly focusing on only regulating technology, but increasingly about defining what kind of digital future Europe wants to build.

“Back in 2023, the European Union adopted a package of measures with a directive and a regulation pertaining to cross-border access to electronic evidence. Said otherwise: the EU e-Evidence regulation will apply in three months — beginning 18 Aug. According to the European Commission, more than half of all criminal investigations include a cross-border request to access electronic evidence such as texts, emails or messaging apps. Electronic evidence is needed in more than 80% of criminal investigations, according to the Commission. The number of requests introduced by law enforcement authorities to access e-evidence increased by 70% between 2013 and 2016. The need for harmonization of rules across Europe was definitely there; so was facilitating international exchange among trusted partners — a conversation that ran in parallel, including with the U.S. Yet despite the sense of importance and urgency, this process has been a decade in the making, dating back to 2015 when the Commission started to review issues related to cross-border access to e-evidence.” #DataProtection #EDPO #EU #EuropeanCommission #eEvidencePackage Subscribe to EDPO's newsletter here: https://lnkd.in/dwK8sde *This article was not written by EDPO. The opinions and views of the author(s) do not necessarily represent those of EDPO. https://lnkd.in/eKbabTrn