Digital euro preparations
The proposed Digital Euro Regulation is currently being voted on in the European Parliament, and the Eurosystem is preparing for its issuance by 2029. The French and German data protection regulators are working closely together on the privacy implications of the project. Reportedly, the ECB and the national central banks will manage the common infrastructure but will not be able to directly identify the parties to a transaction. Meanwhile, the payment service providers will hold the real identities of users, manage Know Your Customer procedures and administer accounts, allowing them to retain the identity of the parties to the transaction.
Before a payment order is transmitted to the common infrastructure, the user's identity will be replaced by a technical identifier, also known as a pseudonym. From a legal point of view, this configuration will imply joint responsibility for data processing between the ECB and the national central banks for the management of the common infrastructure, while payment service providers will also assume responsibility for the processing of their customers’ personal data.
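As an added illustration (not the ECB's design or any project code), the following Python sketch shows the split described above: a hypothetical payment service provider keeps the identity directory and derives a keyed pseudonym, while a hypothetical central ledger accepts only technical identifiers and rejects anything that looks like a raw identity. The class names, the HMAC derivation, the "psp:hex" identifier convention and the single-PSP simplification are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class PaymentOrder:
    payer: str          # real identity at the PSP, technical identifier downstream
    payee: str
    amount_cents: int

class PaymentServiceProvider:
    """Hypothetical PSP: holds KYC identities and the key that derives pseudonyms."""

    def __init__(self, name, pseudonym_key):
        self.name = name
        self._key = pseudonym_key    # never leaves the PSP
        self._directory = {}         # pseudonym -> real identity, kept PSP-side only

    def pseudonym(self, identity):
        # Keyed derivation: without the PSP key the central infrastructure can neither
        # recompute nor invert the mapping, while the same customer always maps to the
        # same identifier so the PSP can route settlement results back.
        tag = hmac.new(self._key, identity.encode(), hashlib.sha256).hexdigest()[:16]
        pseud = f"{self.name}:{tag}"
        self._directory[pseud] = identity
        return pseud

    def prepare_order(self, order):
        # Constructed simplification: both parties are customers of this PSP.
        return PaymentOrder(self.pseudonym(order.payer),
                            self.pseudonym(order.payee), order.amount_cents)

    def resolve(self, pseud):
        return self._directory.get(pseud)

class CommonInfrastructure:
    """Hypothetical central ledger: settles by pseudonym and rejects raw identities."""

    def __init__(self):
        self.ledger = []

    def settle(self, order, registered_psps):
        for party in (order.payer, order.payee):
            psp, sep, tag = party.partition(":")
            hexlike = len(tag) == 16 and all(c in "0123456789abcdef" for c in tag)
            if not (sep and psp in registered_psps and hexlike):
                return False         # a raw identity must never reach the ledger
        self.ledger.append(order)
        return True
```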
Implementing EU Age Verification

At the end of April, the European Commission adopted a recommendation on the introduction of age verification tools based on anonymous proof-of-age technologies. The document (now available in all 24 EU official languages) stipulates the actions the Commission encourages Member States to take to make sure that all EU citizens have access to robust and privacy-preserving age verification by 31 December 2026.
The Commission will make available a list of age-verification solutions that meet privacy and security standards equivalent to the EU age-verification blueprint and other relevant legislation. Furthermore, a list of trusted providers of proof of age attestations will be set up. These providers can verify the user’s age for the age verification solution via one of the supported onboarding mechanisms, such as eIDs, passports, or ID cards.
EU AI rules streamlined
On 7 May, the EU negotiators reached a provisional agreement on a proposal to simplify certain rules regarding artificial intelligence. The proposal forms part of the so-called ‘Omnibus VII’ legislative package in the EU’s simplification agenda. Among other things, the Commission proposed certain regulatory exemptions for SMEs and small mid-caps (SMCs), and extending the possibility to process sensitive personal data for bias detection and mitigation.
Additionally, for the rules on industrial AI products such as medical devices, toys, machinery and watercraft, a compromise was found on a mechanism for resolving situations in which sectoral law is similar to the AI Act, by limiting the latter’s application. The full list of changes and amendments can be read here.
More official guidance

Electromobility: The German Federal Office for Information Security (BSI) clarifies the security risks of the technological advances that have accelerated the expansion of electromobility. With the rising number of electric vehicles, the need for a comprehensive, high-performance and secure public charging infrastructure is growing. The increasing number of charging points and the multitude of different stakeholders, such as manufacturers, grid operators and charging station operators, increase the exposure to cyber threats. Such threats can lead to mobility restrictions, damage to vehicles or charging infrastructure, and even outages in the overarching power grid.
AI in medical devices guide: The German Federal Data Protection Commissioner, meanwhile, published a roadmap for AI in medical devices. The document (available in German) provides a concise overview of the legal requirements of the EU AI Act and how they relate to the existing provisions of the Medical Device Regulation. However, the roadmap does not replace case-by-case assessment. Providers of AI-based medical devices remain responsible for reviewing and implementing the specific requirements for their respective use cases.
AI and GDPR guide: The Croatian data protection agency’s latest guidance (available in Croatian) is intended for organisations that develop, train, test, integrate or use artificial intelligence systems. It goes through practical issues that arise very quickly in AI projects:
- How the GDPR applies to an AI model or system
- How to determine the roles of suppliers and users of the system
- How to define the purpose and legal basis of processing
- Data protection by design
- How to inform data subjects, and enable the exercise of rights
- When to conduct a DPIA, and
- What security measures should be taken into account
Smart glasses, workplace privacy

Connected glasses, whether prescription spectacles or sunglasses, contain sensors within their frame (microphone and camera) that are connected to the wearer’s mobile phone, often through a mobile app. They allow the wearer to use the phone’s features via voice command. These glasses are also often connected to AI, and some manufacturers are developing glasses that would integrate a screen. In a workplace environment, they allow the recording of audio and video, support AI-generated meeting summaries, store data, and provide communication functions such as sending work emails or making calls. They may also be used for facial recognition for security purposes, and for medical uses that help clinicians document symptoms or conditions. This raises workplace privacy issues, particularly in jurisdictions that require consent for such data processing.
UK Clinical Trials
Patients in the UK will get access to new treatments faster, and still safely, under new clinical trial regulations coming into force on 28 April 2026. The new rules include faster assessment of first-in-human trials, the introduction of notifiable trials, and a fast-track route that allows lower-risk trials under simplified consent requirements. At the same time, sponsors will have to ensure compliance with the highest standards under expanded enforcement rules and offences.
Ransom cases are mounting

The UK Information Commissioner fined South Staffordshire Water Company 963,900 pounds following a serious cyber attack that resulted in the personal information of 633,887 people being extracted and published on the dark web. The attack began with a successful phishing email: the recipient opened an attachment, which enabled the attacker to install malicious software that remained undetected within the organisation’s systems. The findings included:
- Limited controls enabled the attacker to escalate to administrator privileges after gaining an initial foothold.
- Inadequate monitoring and logging, as only 5% of the IT environment was being monitored.
- Use of obsolete, unsupported software, including Windows Server 2003.
- Inadequate vulnerability management, including unpatched critical systems and the absence of regular scans.
Furthermore, the US learning platform Canvas recently became the victim of a major data extortion attack by the ShinyHunters group. The hackers exploited an issue related to Free-for-Teacher accounts. Numerous universities and college campuses in a number of countries are said to be affected. The compromised personal information of millions of students may include names, email addresses, student IDs, and messages sent in Canvas. Instructure, the platform provider, decided to pay the extortionists and received a digital confirmation of data destruction (shred logs).
Fintech privacy fine

The Belgian DPA has imposed a 120,000 euro fine on Isabel SA, a major player in the Belgian FinTech sector, for failing to acknowledge its responsibility for the authentication and identification processing of its TruliUs service. Between 2020 and 2023, Isabel operated this service, which allowed users to authenticate themselves with partners. Isabel collected a very extensive set of personal data, including name, address, national register number, date and place of birth, as well as a photo of the electronic identity card.
The complainant, a user of the service, discovered the extent of this data collection and submitted an access request to Isabel, which did not respond, considering that it was acting only as a processor and not as a data controller. This erroneous classification led to a cascade of breaches: a failure to inform the users of the system in advance, a failure to respond to the complainant’s access requests, and the collection of data exceeding what was necessary for the authentication purpose pursued.
In other news
Ex-employee email fine: Another fine, of 176,000 euros, issued by the Belgian DPA concerns a major technology company that failed to delete the email account of a former employee promptly. The complainant realised, half a year after her departure, that her old professional mailbox was still active. She therefore requested access to it and its subsequent deletion. The company has a legitimate interest in keeping an email account active for a month after a departure, so that the former employee’s contacts can be redirected to the colleague who takes over the files, but not for more than a year, as in this case.
Transferring EU data to Russia: In Finland, Yango (a taxi app) was fined 100 million euros for transferring users’ personal data to Russia. The Yango application processed the personal data of taxi customers and drivers in Finland and Norway. The company responsible for Yango’s processing of personal data in Europe is MLU BV, located in the Netherlands and part of the Russian Yandex Group. The investigation showed that users’ data was transferred to Russia without the adequate safeguards required by the EU GDPR: the company was unable to demonstrate that Russian authorities had been sufficiently prevented from accessing personal data.
Yango’s operations in Finland and Norway ceased in October 2025. However, the Yango applications are still available in app stores in Finland and Norway.
And Finally

India’s techno-legal approach to AI compliance: The Future of Privacy Forum’s recent analysis looks at New Delhi’s role in shaping the AI governance agenda. So far, India allows sectoral regulators such as the Securities and Exchange Board of India and the Royal Bank of India to oversee AI within their respective domains, rather than relying on a single, prescriptive national law. India’s case thus points to a ‘techno-legal’ approach in which governance frameworks are built for specific contexts rather than transplanted from elsewhere.
To pay or not to pay ransoms: The Guardian has investigated whether firms should pay ransomware attackers to regain access to their systems. Although governments across the globe advise against it, and sometimes even criminalise it, many organisations ultimately do pay. Experts note that payments can fund further criminal activity, and there is ultimately no guarantee that paying a ransom or extortion demand will prevent the release of data or end the threats. Conversely, if ransoms are not paid, the attack becomes less effective and potentially less attractive to hacker groups.