The Swedish Government submits draft Cyber Security Act (implementation of NIS2) to the Council on Legislation
On 12 June 2025, the Swedish Government decided on a legislative council referral with proposals for a new Cyber Security Act (the “Act“) and other legislative amendments. The package implements Directive (EU) 2022/2555 (NIS 2). The referral shows a number of amendments in the proposal for the new Cyber Security Act compared to the proposal […]
The Swedish Consumer Agency Commissioned to Focus on Influencer Marketing
The Swedish Consumer Agency (Sw. Konsumentverket) has been commissioned by the Swedish government to strengthen its efforts related to influencer marketing, with particular emphasis on safeguarding children and young people. As part of this mandate, the Agency shall, inter alia, report both on its supervision of marketing activities carried out by influencers, and on how the […]
Commission Publishes Fourth Omnibus Proposal: Includes changes to record-keeping obligations under GDPR
The European Commission has today (21 May 2025) published its Fourth Omnibus Proposal, introducing targeted amendments, including changes to maintaining a Record of Processing Activities (ROPA) under Article 30 GDPR. These proposed changes align closely with the EDPB-EDPS joint letter of 8 May 2025 and confirm the Commission’s intent to change obligations relating to ROPA. […]
New EUIPO study on how GenAI is challenging copyright law
A new EUIPO-commissioned study examines how Generative AI is reshaping the copyright landscape, raising new challenges around how to protect intellectual property while supporting continued innovation. The report highlights the growing importance of licensing high-quality content for AI training and establishing clear mechanisms for rights reservation. While no universal solution currently exists, two main approaches […]
European Commission clarifies AI literacy obligations under Article 4 of the AI Act
Last week, the European Commission updated its AI literacy FAQ providing important clarifications on the AI literacy obligations set out in Article 4 of the AI Act. The AI literacy obligations require providers and deployers of AI systems to take measures to ensure that relevant staff possess a sufficient level of AI competence. The FAQ […]
Opinion: EU Letter Hints at Potential Major Shift in GDPR Record-Keeping Obligations
The European Commission is preparing a proposal to simplify GDPR record-keeping obligations, specifically those related to the Record of Processing Activities (ROPA). This was recently hinted at in a joint letter from the EDPB and EDPS dated 8 May 2025. While the proposal has not yet been published and nothing is final, the letter provides […]
EDPB Supports Six-Month Extension of UK Data Adequacy Decisions Until December 2025
The European Data Protection Board (EDPB) has approved a six month extension of the EU’s data adequacy decisions for the United Kingdom. These decisions, which allow personal data to be transferred from the EU to the UK, were due to expire on 27 June 2025. They will now remain valid until 27 December 2025. The […]
EU Set to Approve First-Ever GDPR Adequacy Decision for an International Organisation
In a landmark move for international data transfers, the European Data Protection Board (EDPB) has endorsed the European Commission’s draft adequacy decision recognising the European Patent Organisation (EPO) as offering an adequate level of personal data protection. This is the first time such a decision concerns an international organisation rather than a country or territory. […]
Swedish DPA Issues First Decisions on Cookie Banners Under the GDPR
The Swedish Authority for Privacy Protection (IMY) has, for the first time, issued decisions specifically concerning cookie banners under the GDPR. The three cases examine how organisations inform users about and obtain consent for cookies that involve the processing of personal data, including for purposes such as profiling and targeted advertising. IMY found that none […]
Swedish DPA Sends Questionnaire to 20 Organisations About the Right to Erasure
The Swedish Authority for Privacy Protection (IMY) is sending a questionnaire to 20 large organizations in both the public and private sectors to examine how they handle personal data deletion requests. This is part of a Europe-wide initiative led by the European Data Protection Board, involving 32 data protection supervisory authorities. IMY has deliberately selected […]