All News

June 12, 2026

Swedish Supreme Court Adds Nuance to Previous Ruling on Bulk Requests for Court Judgments and Decisions

The Swedish Supreme Court has clarified that bulk requests for court judgments and decisions must be assessed by data category under Swedish constitutional law and the GDPR.

June 11, 2026

NIS2 and the Swedish Regulation Jungle

Sweden’s NIS2 framework is not contained in one rulebook, making the first compliance task to identify which layer of rules and which authority applies.

June 5, 2026

EU Commission Proposes Tech Sovereignty Package with New Rules for Chips, Cloud Services and AI infrastructure

The European Commission has proposed new rules on semiconductors and cloud services to reduce EU dependence on non-EU technology suppliers.

May 19, 2026

European Commission Publishes Draft Guidelines on High-Risk AI Systems

The long-awaited guidelines on high-risk AI systems under the EU AI Act have now been published in draft form by the European Commission.

May 8, 2026

EU Institutions Reach Preliminary Political Agreement on AI Act Omnibus

The EU institutions have reached a preliminary political agreement on the AI Act Omnibus, introducing key changes to the AI Act’s implementation timeline and compliance framework.

May 5, 2026

Sweden’s updated NIS2 draft regulation on training and security measures: broader flexibility, targeted tightening on supply chain security

MCF has published an updated draft regulation on training and security measures under Sweden’s NIS2 framework. The draft signals more flexibility overall, but tighter expectations in supply chain security.

April 28, 2026

When AI Transcription Is “Necessary” Under GDPR: Insights from IMY’s Latest Sandbox Project

IMY’s latest sandbox report suggests that AI transcription in social services can be GDPR-compliant where it meaningfully improves efficiency and remains tied to an existing legal task, redefining how “necessity” is assessed.

April 20, 2026

EDPB approves Europrivacy certification criteria for use in international data transfers

The EDPB has approved the Europrivacy certification criteria for use in international data transfers under the GDPR, adding a new potential Article 46 transfer tool for certified data importers outside the EEA.

March 30, 2026

ICC Guidance on Responsible AI in Marketing

The International Chamber of Commerce (ICC) has released a guidance on how to apply the ICC Advertising and Marketing Communications Code when using AI in advertising.

March 4, 2026

EU launches ICT Supply Chain Security Toolbox to address cybersecurity risks

The EU has introduced a new toolbox to help Member States address cybersecurity risks in ICT supply chains.

February 25, 2026

IMY Annual Report 2025: Complaint and Supervision Statistics

IMY’s Annual Report 2025 outlines a significant increase in complaints and breach notifications, extended supervisory timelines and renewed discussion on regulatory reform.

February 13, 2026

EDPB–EDPS Joint Opinion on the Digital Omnibus proposal

The EDPB and EDPS have welcomed the Commission’s push to simplify EU digital rules but warned that some proposed changes could weaken data protection and create legal uncertainty.

February 10, 2026

NIS2 Entities Registration in Sweden – Guidance

The registration framework under Sweden’s implementation of the NIS2 Directive is now in place.

February 9, 2026

EU Digital Networks Act: The Commission’s Proposal

On 21 January 2026, the European Commission proposed the Digital Networks Act, a comprehensive reform of EU electronic communications law replacing the EECC with a single Regulation.

February 6, 2026

The European Commission finds TikTok’s design in breach of the Digital Services Act

The European Commission has concluded that TikTok may be violating the Digital Services Act.

February 3, 2026

Swedish DPA: Priorities for 2026

The Swedish DPA has published its supervisory priorities for 2026.

February 2, 2026

EDPB–EDPS Joint Opinion on the Commission’s proposed AI Act amendments

The EDPB and EDPS issued a Joint Opinion on the Commission’s proposed amendments to the AI Act (the Digital Omnibus on AI).

December 15, 2025

New EU Regulation on Cross-Border GDPR Enforcement Procedures

On 12 December 2025, a new EU Regulation was published, setting harmonised procedural rules for the handling of cross-border GDPR enforcement cases by data protection authorities.

December 2, 2025

Technical Descriptions for Important and Critical Products Are Published

The European Commission has adopted Implementing Regulation (EU) 2025/2392, providing the technical descriptions for the categories of important and critical products with digital elements under the CRA.

November 25, 2025

The European Commission Publishes Model Contractual Terms and Standard Сontractual Clauses Under the Data Act

The Commission has released a package of non-binding model contractual terms (MCTs) and standard contractual clauses (SCCs) intended to harmonise how organisations contract for data access, data sharing and data-processing.

November 25, 2025

ESAs Publish First List of Critical ICT Third-Party Providers Under DORA

The European Supervisory Authorities (the ESAs) have published the first list of critical ICT third-party providers (CTPPs) designated under the Digital Operational Resilience Act (DORA).

November 20, 2025

The Digital Omnibus: Targeted Amendments to the EU Digital Rulebook

The Commission has released a regulatory package to reduce administrative burdens and streamline the EU’s fragmented digital rules.

October 30, 2025

EDPB Publishes Opinion on European Commission's Proposal to Extend UK Adequacy Decision for Data Transfers to December 2031

The Commission proposes to extend the UK’s GDPR adequacy until December 2031, with the EDPB broadly supportive while urging close monitoring of UK legal changes, ahead of the Commission’s formal adoption.

October 24, 2025

Swedish Accessibility Act – First Market Surveillance and Supervision by PTS

Following the entry into force of the Swedish Act on the Accessibility of Certain Products and Services in June, the Swedish Post and Telecom Authority (Sw. PTS) has initiated its first round of market surveillance and superv

October 16, 2025

Swedish Government Submits Bill on New Cybersecurity Act to Implement NIS 2

The Swedish Government has published the bill to implement the NIS 2 directive (2022/2555) into Swedish law. The proposal includes amongst other things the introduction of a new law, the Swedish Cybersecurity Act.

October 8, 2025

Sweden Proposes National AI Legislation to Supplement the EU AI Act

Sweden’s long-awaited AI inquiry (SOU 2025:101) proposes a new national AI law and ordinance to supplement the EU AI Act, designating the Swedish Post and Telecom Authority (PTS) as the lead supervisory authority.

October 1, 2025

Prohibitory injunction request under GDPR is clarified by the EU court

In Case C-655/23, the EU court held that the GDPR does not itself grant a right to preventive injunctions, though Member States may allow them, and such relief cannot reduce compensation for non-material damages.

September 29, 2025

Digital Omnibus: Simplifying the EU’s Digital Rulebook

The European Commission introduces digital simplification agenda for the next years.

September 26, 2025

Proposed Amendments to the Swedish Gambling Act to Address Unlicensed Gambling

A new Swedish government inquiry has proposed significant amendments to the Gambling Act (Sw. spellagen (2018:1138)) in order to combat unlicensed gambling more effectively.

September 19, 2025

Product safety in focus – EU joint market surveillance initiative

The Swedish Consumer Agency (Sw. Konsumentverket) has found that only 17% of tested children’s activity toys comply with EU standards.

September 16, 2025

New Government Inquiry May Broaden Swedish Employers’ Right to Background Checks, But Legislative Reform Will Likely Take Years

Swedish employers face increasing legal uncertainty over background checks, as recent case law and strict GDPR rules leave them with very limited and often ineffective tools to screen candidates or employees.

September 15, 2025

European Commission Publishes Updated FAQ (v. 1.3) on the Data Act

The latest version of the Commission’s FAQ provides important clarifications for impacted businesses.

September 4, 2025

No Revolution in Sight: EU Court Upholds Narrow Interpretation on Pseudonymised Data

The CJEU held that pseudonymised data falls outside EU data protection law only where re-identification is not reasonably likely, such as when it is unlawful or practically impossible.

September 3, 2025

EU–U.S. Data Privacy Framework Survives Its First Major Test in Ruling by the EU General Court

The EU General Court’s decision to uphold the EU-U.S. Data Privacy Framework ensures that transatlantic data transfers remain legally viable under GDPR – for now.

August 28, 2025

The Swedish Consumer Agency Calls For a Ban on Telemarketing

The Swedish Consumer Agency calls for stricter telemarketing rules or a ban, citing rising complaints, aggressive sales, unintended contracts, and risks to elderly and foreign-background consumers.

July 30, 2025

European Commission Publishes Training Data Summary Template for Providers of GPAI Models

The AI Act requires GPAI model providers to disclose training data using a standardized EU template to ensure transparency.

July 18, 2025

Commission Approves Draft Guidelines Clarifying Obligations for General-Purpose AI Models

The Guidelines clarify key obligations under Chapter V of the AI Act for general-purpose AI models, pending formal adoption by the European Commission.

July 17, 2025

The AI Office receives the final Draft of General-Purpose AI Code of Practice

Regulation 2024/1689 (AI Act) will impose new requirements on general-purpose AI from 2 August 2025. To support compliance, the AI Office has facilitated drawing-up of the General-Purpose AI Code of Practice.

July 3, 2025

Two Regulatory Technical Standards (RTS) for the DORA have been published

The Commission has recently adopted two additional Regulatory Technical Standards (RTS) in the form of Delegated Regulations, thus completing the process of adopting all eight RTS.

June 18, 2025

Swedish DPA: Systematic Alcohol Tests May Qualify as Health Data

The Swedish DPA (IMY) has issued two decisions concerning the routine use of alcohol breath tests conducted on vessel captains operating within the public transportation system in Stockholm.

June 18, 2025

The Swedish Government submits draft Cyber Security Act (implementation of NIS2) to the Council on Legislation

On 12 June 2025, the Swedish Government decided on a legislative council referral with proposals for a new Cyber Security Act and other legislative amendments.

June 10, 2025

The Swedish Consumer Agency Commissioned to Focus on Influencer Marketing

The Swedish Consumer Agency (Sw. Konsumentverket) has been commissioned by the Swedish government to strengthen its efforts related to influencer marketing, with particular emphasis on safeguarding children and young people.

May 21, 2025

Commission Publishes Fourth Omnibus Proposal: Includes changes to record-keeping obligations under GDPR

The European Commission today (21 May 2025) published its Fourth Omnibus Proposal, introducing changes to ROPA obligations under Article 30.

May 21, 2025

New EUIPO study on how GenAI is challenging copyright law

A new EUIPO-commissioned study examines how Generative AI is reshaping the copyright landscape, raising new challenges around how to protect intellectual property while supporting continued innovation.

May 13, 2025

European Commission clarifies AI literacy obligations under Article 4 of the AI Act

Last week, the European Commission updated its AI literacy FAQ providing important clarifications on the AI literacy obligations set out in Article 4 of the AI Act.

May 8, 2025

Opinion: EU Letter Hints at Potential Major Shift in GDPR Record-Keeping Obligations

The European Commission is preparing a proposal to simplify GDPR record-keeping obligations, specifically those related to the Record of Processing Activities (ROPA).

May 7, 2025

EDPB Supports Six-Month Extension of UK Data Adequacy Decisions Until December 2025

The European Data Protection Board (EDPB) has approved a six month extension of the EU’s data adequacy decisions for the United Kingdom.

May 7, 2025

EU Set to Approve First-Ever GDPR Adequacy Decision for an International Organisation

The European Data Protection Board has endorsed the EU’s first-ever draft adequacy decision for an international organisation, recognising the European Patent Organisation as offering adequate data protection.

April 30, 2025

Swedish DPA Issues First Decisions on Cookie Banners Under the GDPR

The Swedish Authority for Privacy Protection (IMY) has, for the first time, issued decisions concerning cookie banners under the GDPR.

April 29, 2025

Swedish DPA Sends Questionnaire to 20 Organisations About the Right to Erasure

The Swedish Authority for Privacy Protection (IMY) is sending a questionnaire to 20 large organizations in both the public and private sectors to examine how they handle personal data deletion requests.

April 29, 2025

The Swedish Consumer Agency initiates audits against over 50 influencers and advertisers

According to the agency, many influencers fail to clearly label promotional content, thereby violating marketing laws and placing young audiences—who are particularly vulnerable to subtle advertising—at risk.

April 23, 2025

Sanctions imposed on Apple and Meta for breaches of the Digital Markets Act

The European Commission has fined Apple and Meta €500 million and €200 million respectively for breaches of the Digital Markets Act.

April 16, 2025

Proposal for implementation of Directive 2023/2673 into Swedish law

The Swedish government has published a Swedish Government Official Report (SOU 2025:34) outlining proposals for how Directive 2023/2673 should be implemented into Swedish law.

April 14, 2025

EDPB Publishes Draft Guidelines on Blockchains

The EDPB has published its draft Guidelines 02/2025 on the processing of personal data through blockchain technologies.

April 11, 2025

European Commission plans to launch AI Act support tools to simplify compliance with the AI Act

The European Commission has launched an AI Continent Action Plan to simplify compliance and help organisations navigating within the new AI Act.

April 11, 2025

European Commission publishes living repository to highlight AI literacy efforts across organisations

The European Artificial Intelligence Office has launched a living repository showcasing how AI Pact organisations are promoting learning and knowledge-sharing around AI literacy, as required by Article 4 of the AI Act.

April 3, 2025

European Commission adopts Decision (EU) 2025/628 laying down internal rules for its data processing activities under the enforcement of the DSA

On 31 March 2025, the European Commission adopted internal rules for processing personal data under the Digital Services Act (Regulation (EU) 2022/2065) for supervision, investigation, enforcement, and monitoring purposes.

April 2, 2025

Swedish DPA Initiates Audits on Providers of Online Criminal Offence Databases Following Supreme Court Ruling

The Swedish Authority for Privacy Protection (IMY) has announced that it has initiated audits against two providers of searchable databases on criminal offences.

March 26, 2025

Swedish Ruling Clarifies the Applicability of Swedish Law in Cross-Border Marketing

The Swedish Patent and Market Court of Appeal recently issued a ruling regarding the possibility to intervene against marketing on a website operated by an EU-based company in Sweden.

March 21, 2025

Sanctions imposed on Telenor ASA

Datatilsynet has issued an order and imposed an administrative fine of 350,000 EUR on Telenor ASA for inadequate compliance with the GDPR’s requirements regarding data protection officers.

March 17, 2025

Legitimate Interest: Are Common Practices and Social Conventions Still Relevant?

Following the ruling in C-394/23 (“Mousse”), should common practices and social conventions be entirely disregarded when assessing legitimate interest under GDPR?

March 14, 2025

Swedish DPA Outlines 2025 Priorities for Supervision and Regulatory Guidance

Following the Swedish DPA’s (IMY) announcement in its 2024 annual report to adopt a more risk-based approach to supervision, IMY has now identified five key areas for 2025.

March 12, 2025

New Swedish Camera Surveillance Rules Take Effect on 1 April 2025

As of 1 April 2025, new rules will apply for the Swedish Camera Surveillance Act (2018:1200). The new rules will simplify camera surveillance procedures for businesses and organizations in Sweden.

March 11, 2025

Third Draft of the EU Code of Practice for GPAI-models Has Been Released

Today, the third draft of the EU Code of Practice for general-purpose AI models (GPAI models) was released. The code of practice aims to assist providers of GPAI models in aligning with the upcoming obligations in the AI Act.

March 11, 2025

EU Updates Model Clauses on AI Procurement to Align with the AI Act

The EU released on 5 March 2025 updated model clauses on AI procurement to align with the AI Act.

March 10, 2025

Ensuring safety and sustainability: The Commission’s proposed measures for consumer safety and sustainable E-commerce

March 10, 2025

The European Health Data Space Regulation Has Been Officially Published

The European Health Data Space (EHDS) Regulation was officially published in the Official Journal of the European Union on 5 March 2025 and will enter into force on 26 March 2025.

March 5, 2025

US Data Transfers in the Trump Era – What’s Not Said Can Be Just as Important

Here we go again… Over the past few weeks, changes introduced by the new U.S. administration have had a significant impact—among others for data transfers to the U.S

March 5, 2025

EDPB Launches 2025 Coordinated Action on Right to Erasure

The European Data Protection Board (EDPB) has launched its 2025 Coordinated Enforcement Framework (CEF) action, focusing on the enforcement of the right to erasure under Article 17 GDPR.

February 28, 2025

EU Report Highlights Potential Legal Conflict Between AI Act and GDPR on Sensitive Personal Data

A new report from the European Parliamentary Research Service (EPRS) warns of a potential legal conflict between the EU AI Act and the GDPR, particularly concerning the use of sensitive personal data to mitigate algorithmic

February 27, 2025

European Commission Is Planning To Propose the Digital Fairness Act  

Following the Digital Fairness Fitness Check report on 3 October 2024, the European Commission plans to propose a Digital Fairness Act aimed at addressing key consumer protection issues in the online environment.

February 25, 2025

Swedish Supreme Court's Landmark Decision on Public Disclosure of Criminal Judgments

The Swedish Supreme Court has issued two significant decisions on the public disclosure of criminal judgments, emphasizing the precedence of the GDPR over Sweden’s constitutional laws relating to public access to information.

February 21, 2025

Swedish DPA Publishes Annual Report for 2024

The Swedish Authority for Privacy Protection (IMY) has published their annual report for 2024.

February 20, 2025

EU Commission Publishes Updated FAQ on the Data Act

On 3 February 2025, the EU Commission published the latest version of Frequently Asked Questions (FAQ) on the Data Act (Regulation (EU) 2023/2854).

February 18, 2025

Swedish Guidelines on Data Protection Impact Assessments

The Swedish Authority for Privacy Protection (IMY) has provided guidance on conducting Data Protection Impact Assessments (DPIAs) for organizations processing personal data under the GDPR. The goal is to simplify the DPIA pro

February 17, 2025

CJEU Clarifies ‘Total Worldwide Annual Turnover’ For GDPR Fine Calculations

The Court of Justice of the European Union (CJEU) has in case C-383/23 clarified how ‘total worldwide annual turnover’ should be interpreted when calculating the maximum administrative fine under Article 83(4) and (6) GDPR.

February 14, 2025

Investigation of Shein Illustrating the Importance of Adhering to EU Consumer Law When Targeting EU Markets

Last week, the European Commission announced that an investigation had been initiated into the Chinese e-commerce fashion company Shein within the Consumer Protection Cooperation Network. This highlights the principle that co

AI Liability Directive Proposal Withdrawn

On February 12, 2025, the European Commission announced that it would no longer proceed with the proposed Artificial Intelligence Liability Directive (AILD). Originally introduced in 2022, the AILD aimed to establish uniform

February 12, 2025

EU Commission Withdraws e-Privacy Regulation proposal

On 11 February 2025, the European Commission officially withdrew its proposal for a new E-Privacy Regulation, concluding years of debate over new rules on electronic communications privacy. Originally introduced in 2017, the

February 9, 2025

New Privacy Guidelines on Generative AI from European Data Protection Authorities

In recent weeks, several European data protection authorities have published new guidance outlining key data protection considerations for the use of generative AI. These guidelines address compliance challenges related to bo

February 4, 2025

Commission publishes Guidelines on prohibited AI practices under article 5 of the AI Act

At last—only two days after the prohibitions under the AI Act came into force—the European Commission has published and approved its much-anticipated first guidance.

February 4, 2025

Re-Launch of the new and improved tracker

Snellman is excited to (re)launch our Digital Compliance Tracker! The new and improved Snellman Digital Compliance Tracker is re-launched today!

January 30, 2025

Cyber Solidarity Act enters into force

The Cyber Solidarity Act will enter into force on 4 February 2025.

December 10, 2024

Cyber Resilience Act enters into force

On 10 December 2024 the Cyber Resilience Act entered into force.

January 23, 2025

EDPB publishes reports on bias and data subjects’ rights in the AI context

The EDPB has today published two reports on how to understand and assess bias and implementation of data subjects’ right in the AI context by clarifying methods and tools usable.

January 22, 2025

Council adopts new regulation establishing the European Health Data Space

The Council has adopted a new regulation, establishing the European Health Data Space (EHDS), for the exchange and access to health data at the EU level.

January 20, 2025

The right of withdrawal from distance contracts concluded by means of an online interface

New rules on the right of withdrawal from distance contracts concluded by means of an online interface.

January 20, 2025

Code of conduct on countering illegal hate speech online +

The Commission and the European Board for Digital Services welcomes revised “Code of conduct on countering illegal hate speech online +”.

November 14, 2024

The Commission publishes Q&A on General-Purpose AI Models

The Commission has published a Q&A for General-Purpose AI Models (GPAIM) in the AI Act.

January 15, 2025

EDPS publishes Digital Clearinghouse 2.0

Today, the European Data Protection Supervisor (EDPS) introduced its concept note on the Digital Clearinghouse 2.0.

January 14, 2025

Recent ECJ Judgement on the Price Indication Directive – Announced Price Reductions Must be Calculated on the Lowest Price in the Last 30 Days

On 26 of December 2024, the European Court of Justice (“ECJ”) delivered its judgement in case C-330/23 (Aldi Süd) on the interpretation of article 6a of the Price Indication Directive.

January 14, 2025

EDBP publishes opinion on data protection in the context of AI models

On 17 December 2024, the EDPB published opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models.

October 28, 2024

EDPB guidelines on the technical scope of the ePrivacy directive

On 7 October 2024 the EDPB adopted new guidelines regarding the technical scope of article 5(3) of the ePrivacy directive.

October 28, 2024

X is not a core platform service under the Digital Markets Act

On 16 October 2024, the Commission announced that the online social networking service of X is not a core platform service under the Digital Markets Act (DMA). According to the press release, X did not quality as a gatekee…

October 28, 2024

Harmonised standards for the AI Act

On 24 October 2024 the European Commission published a brief addressing the upcoming harmonised standards for the AI Act. The harmonised standards are intended to define concrete approaches that can be adopted to meet the …

October 25, 2024

The Data Act

The European market has seen a sharp increase in connected devices in recent years. The use of connected objects, also called the Internet of Things, generates an increasing amount of data. On 11 January 2024 the EU Data A…

October 25, 2024

The AI Act

On 1 August 2024, the EU regulation 2024/1689 laying down harmonised rules on artificial intelligence (the AI Act) entered into force, with provisions that will become applicable gradually over the following 6 to 36 months…

October 18, 2024

The Digital Operational Resilience Act (DORA)

On 16 January 2023, the Digital Operational Resilience Act (DORA) entered into force. The EU regulation will apply as of 17 January 2025, with the overall objective to strengthen IT security within the financial sector, in…