An informal discussion is underway for the greater simplification of the GDPR

The Danish EU Presidency is promoting GDPR reform to increase competitiveness by introducing SME-friendly amendments, such as restricting data subject rights in low-risk situations, rationalising DPIAs, and requiring prior mediation procedures before lodging complaints, the eutechloop.com article states. These are in line with the precedent established by the Commission’s simplification plan in May this year, which gives small and mid-cap companies (those with fewer than 750 employees) targeted relief from the GDPR requirement to keep records of processing activities (GDPR Art. 30).
In addition, the proposal introduces definitions of SME and SMC in Art. 4 of the GDPR and extends the scope of GDPR Arts. 40 and 42, which concern codes of conduct and certification, to SMCs.
According to an insideprivacy.com article, the following Danish proposals may make it easier for European organisations to process personal data as they:
- Define a minimum threshold for when data subject rights apply (Art. 12-20 GDPR).
- Clarify when DPIAs are required and consider exemptions or simplifications for SMEs (Art. 35 GDPR).
- Make the data subject’s right to complain to the supervisory authority conditional upon certain criteria (eg, prior engagement with the data controller) (Art. 77 GDPR).
- Exempt data controllers from having to notify certain data breaches to the supervisory authority, such as “uncomplicated and clearly defined” breaches (Art. 33 GDPR), etc.
At the moment, the EU is reevaluating its digital policies. This is partly motivated by Mario Draghi’s report on the bloc’s lapsed productivity and technology use, but also is fueled by the ongoing political pressure from Washington to ease digital regulations to unlock trade.
Provisions of data reform in the UK are already in place
On the 20th of August, a set of provisions of the new Data Use and Access Act 2025 entered into force, establishing provisions on ‘overriding’ and data breach notification, plus reporting and progress requirements in relation to the use of copyright works in the development of AI systems. The Bill applies to all data controllers, processors, and electronic communications service providers handling personal data.
It introduces new sections to the UK Data Protection Act 2018 to prevent relevant enactments passed after the Bill’s commencement from overriding main data protection legislation requirements (eg, it establishes that data subject rights cannot be overridden unless an express contrary provision is made). The Bill also mandates personal data breach notifications to the Information Commissioner within 72 hours of becoming aware of the breach, digitalpolicyalert.org sums up.
In parallel, the Information Commissioner’s Office is consulting on draft changes to how it handles data protection complaints. The Data Use and Access Act places new requirements on organisations to have a complaints process specifically for data protection-related issues, such as providing an electronic complaints form. Organisations must also acknowledge a complaint within 30 days and respond to it ‘without undue delay’.
Another consultation aims to address the new lawful basis of “recognised legitimate interests”. It will provide a presumption of legitimacy to processing activities for certain pre-approved public interest purposes, including activities such as crime prevention, public security, safeguarding, emergency response, and sharing personal data to help other organisations perform their public tasks.
Cybersecurity of digital products in Switzerland

The Swiss Federal Council, meanwhile, decided to strengthen the cyber resilience of digital products. Despite the importance of preventing, or quickly addressing, vulnerabilities in such products, Switzerland currently lacks clear cyber resilience requirements. The new legislation will set out cybersecurity requirements for the development and commercialisation of products with digital components, establish rules for market surveillance of these products, and lay the groundwork for banning the import and sale of insecure devices.
The new legislation will take into account the international context, including the EU’s Cyber Resilience Act, which came into force on 11 December 2024. A corresponding draft bill is to be submitted for consultation by Autumn 2026.
Documentation requirements under DORA
What documentation requirements do companies have to fulfil under DORA? The German Federal Financial Supervisory Authority (BaFin) has published an overview with graphic attachments to help companies navigate these requirements. Companies have had to apply the European Digital Operational Resilience Act’s regulation since 17 January 2025. DORA aims to make the European financial market more secure against cyber risks and incidents affecting information and communication technology (ICT).
More guidance on applying DORA is available from BaFin.
Software updates and patch releases
Most software needs updating after its initial release to address bugs, newly identified vulnerabilities, and revisions to features and functionality. But software patches and other changes can introduce new cybersecurity and privacy risks, and can impair operations if not managed effectively. To support successful, secure software updates and patches, the US National Institute of Standards and Technology (NIST) has finalised modifications to its catalogue of security and privacy safeguards to assist both the developers who create patches and the organisations that receive and implement them in their own systems.
More from supervisory authorities
Public cloud and data protection: ISO/IEC 27018 provides guidance for protecting personally identifiable information (PII) in public cloud services, specifically where the cloud service provider acts as a PII processor. As cloud computing becomes the default mode of service delivery, organisations must ensure that personal data stored and processed in the cloud is properly safeguarded. ISO/IEC 27018 helps cloud providers meet legal, contractual, and ethical obligations regarding PII. It supports compliance across jurisdictions, enhances customer trust, and provides a clear structure for data protection in the cloud.
IT security label: Manufacturers of smart security solutions can now apply for the IT security label from the German Federal Office for Information Security (BSI). The connected home is part of everyday life for many people. This includes smart security technology, such as app-controlled alarm systems, smart motion sensors, mechatronic security devices (smart locks), and networked smoke detectors. In addition to the physical protection of their own four walls, consumers should also consider the cybersecurity of their digital security solutions. The IT security label makes the IT security features of smart security technology transparent for buyers and helps manufacturers highlight their products on the market.
Protecting child data online

To improve children’s online safety, the European Commission has adopted guidelines for the protection of minors under Art. 28 of the Digital Services Act (DSA). This requires platforms accessible to minors to implement appropriate and proportionate measures to ensure a high level of privacy, security and protection of minors, including:
- Age verification and default settings.
- Interface design that does not encourage prolonged use of the platform by adolescents.
- Limits on the processing of behavioural data and prioritising explicit signals from minors regarding desired content.
- Clear rules regarding harmful content and behaviour, the establishment of coordinated moderation policies, and allowing for the possibility of human review in cases of harmful content.
At the same time, parental controls are best used as a complement to other measures, since their effectiveness varies with different family situations.
Is it permissible to offer a discount for consenting to receive commercial communications?
The Latvian data protection authority states that a small additional benefit (for example, a symbolic discount that the customer can choose to use or not) may be permissible if it does not affect access to the service itself. That is to say, consent must not be a non-negotiable condition for using the service in its essence, for example, purchasing in an online store.
It is important to ensure that the benefits offered, which are associated with consent to the processing of personal data, do not create a feeling of pressure on customers. Namely, the intended amount of benefits should be small enough not to create the feeling in the customer that, by not providing consent to the processing of their data, they will receive a significantly less advantageous offer, thus affecting the person’s right to freely decide on the processing of their data.
The section intended for entering contact information for receiving news must clearly state the purpose of data processing – sending commercial communications, and must also contain a function (most often a tickable box) in which the person clearly expresses his/her wish to receive such communications. Information on the withdrawal of consent and its consequences must also be made easily accessible. In this section, the advantage that the vendor, for example, gives to customers who have shown interest in receiving news should be indicated only as additional information.
GDPR (non) compliance trends
Some advancements in GDPR compliance are detailed in the Icelandic data protection authority’s 2024 report. Notably, the biggest Icelandic insurance firms, which make automated decisions on applications and requests for offers for health and life insurance, largely comply with the data privacy laws. The agency has placed a greater emphasis on protecting children’s privacy, as businesses have started to monitor closely how children behave when playing computer games online. Additionally, a business that handles Icelandic genetic analysis is facing legal challenges, and the public sector was sanctioned for improper handling of minors’ data in education.
In parallel, the Maltese data protection regulator, in its annual report, revealed that the majority of complaints received were about CCTV-related cases, while other major areas of compliance included data subject access requests and their shortcomings (increasingly in cross-border situations), unsolicited direct marketing and disclosure to third parties, data security and information obligation by data controllers, cookie banners and, finally, AI use.
Cancelling membership “not easy”
According to the US FTC’s recent case against the operators of LA Fitness, “not easy” is an understatement for consumers seeking to cancel their LA Fitness memberships or related services. For in-person cancellations, LA Fitness designated only one employee (even though multiple employees can initiate memberships). This has effectively restricted cancellations to whenever that person is available at the gym, often during hours when consumers are typically at work.
The FTC alleges that consumers who try to cancel via mail faced similar challenges. LA Fitness has instructed consumers to print and mail a hard-to-find cancellation form. Although consumers have been able to cancel by mail without the form, LA Fitness doesn’t disclose which details must be included in the cancellation notice. The company also instructs consumers to send cancellation requests via registered or certified mail. Finally, LA Fitness reinforced these unlawful practices by training staff to reject cancellation requests made by email or phone.
In other news

YouTube settlement: Google and YouTube have agreed to pay $30 million to settle a long-running class action alleging they unlawfully collected data from children under 13 to serve targeted ads without parental consent. The Google class action settlement, filed in a California federal court, proposes a fund to compensate an estimated 35-45 million children who watched YouTube videos between July 2013 and April 2020.
“Pay or Okay” illegal: According to the Noyb privacy advocacy organisation, the Austrian Federal Administrative Court upheld a previous ruling by the country’s data protection authority that the Austrian daily DerStandard had breached the GDPR by launching “Pay or Okay”. According to the court’s rulings, users must be allowed to object to, or give selected permission for, each processing purpose. DerStandard was the first news website in Austria to implement a “Pay or Okay” policy: customers were forced to consent or pay for a monthly subscription, rather than having a free choice to accept or reject online tracking by hundreds of third parties.
Non-cooperation with the authority: The Swiss FDPIC has filed a criminal complaint against Add Conti GmbH for failure to cooperate in an investigation. Following several complaints from affected individuals, the FDPIC opened an investigation on 4 June. The FDPIC requested that the company answer a list of questions within 30 days. The FDPIC expressly reminded Add Conti GmbH of its obligation to cooperate in the proceedings and of the fact that deliberate refusal to cooperate is punishable by a fine of up to CHF 250,000. Although the letter was delivered, the FDPIC received no response.
Add Conti was collecting personal data of persons residing in Germany without their knowledge and making it available to German companies for advertising purposes. In addition, the company was not responding to requests for information and deletion.
Major cyberattack on Swedish municipalities
On 23 August, a cyberattack on Miljödata disrupted services in around 200 municipalities, several major private businesses, universities and colleges, with concerns over stolen sensitive data, news outlets report. The Swedish data protection regulator confirmed that it has already received around 200 reports of cyber incidents. Managers and HR use the affected systems to handle medical certificates, rehabilitation matters, and the reporting and management of work-related injuries. The attacker has encrypted personal data, preventing businesses from accessing it, but the reporting parties do not know how the data has otherwise been affected. In many cases, this concerns information about employees, such as health and union membership.
‘Personalisation’ in AI systems

The Future of Privacy Forum explains the subject of ‘Personalisation’, which refers to features of AI systems that adapt to an individual user’s preferences, behaviour, history, or context. Personalisation techniques can include long-term memory knowledge bases, short-term conversation history, user and system prompts, settings, and fine-tuning the model after training.
For example, an AI instructor may be able to track a student’s progress on certain subjects, recall their learning interests and level, and modify explanations as necessary. According to some scholars, an AI system must have a complete understanding of its user, including their present emotional state, to be useful in even more sensitive or private situations, such as mental health.
A user’s personal information, including prejudices and stereotypes, may be reflected in some of the data they provide to the chatbot or in what the algorithm deduces from their interactions. Last but not least, an AI system (such as the newest AI agents by Google, Meta, Anthropic, Microsoft and OpenAI) that has received or observed user data may be more likely to share that information with third parties, without the user’s consent, in an effort to complete a task.
In case you missed it
Face photo morphs: America’s NIST issues guidelines to help organisations detect face photo morphs and deter identity fraud. Face morphing software, which combines photos of different people into a single image, is being used to commit identity fraud. Morph detection software, which has grown more effective in recent years, can help flag questionable photos. However, the most effective defence against the use of morphs in identity fraud is to prevent morphs from getting into operational systems and workflows in the first place.
Single-image detection, in the best cases, can detect morphs as often as 100% of the time (at a false detection rate of 1%) if the detector has been trained on examples from the software that generated the morph. However, accuracy can degrade to well below 40% on morphs generated with software unfamiliar to the detector. Differential detectors are more consistent in their abilities, with accuracy in the best cases ranging from 72% to 90% across morphs created using both open-source and closed-source morphing software, but they require an additional genuine photo for comparison.