Legitimate Interest: Are Common Practices and Social Conventions Still Relevant?
Following the ruling in C-394/23 (“Mousse”), should common practices and social conventions be entirely disregarded when assessing legitimate interest under GDPR? In this article, I briefly explain why I believe such aspects can still be considered. Legitimate interest is arguably the most widely used legal basis to process personal data for commercial purposes. As a […]
Swedish DPA Outlines 2025 Priorities for Supervision and Regulatory Guidance
Following the Swedish DPA’s (IMY) announcement in its 2024 annual report to adopt a more risk-based approach to supervision, IMY has now identified five key areas for 2025. These priorities aim to provide clearer regulatory guidance and strengthen enforcement efforts. These five focus areas include: You can find the full report here (in Swedish only).
New Swedish Camera Surveillance Rules Take Effect on 1 April 2025
As of 1 April 2025, new rules will apply for the Swedish Camera Surveillance Act (2018:1200). The new rules will simplify camera surveillance procedures for businesses and organizations in Sweden. The most significant change is the removal of the requirement to obtain a permit from the Swedish Authority for Privacy Protection (IMY) for camera surveillance […]
Third Draft of the EU Code of Practice for GPAI-models Has Been Released
Today, the third draft of the EU Code of Practice for general-purpose AI models (GPAI models) was released. The code of practice aims to assist providers of GPAI models in aligning with the upcoming obligations in the AI Act. The latest version introduces a streamlined structure, featuring two commitments on transparency and copyright for all […]
EU Updates Model Clauses on AI Procurement to Align with the AI Act
The EU released on 5 March 2025 updated model clauses on AI procurement to align with the AI Act. The model clauses were developed within the Community of Practice on Public Procurement of AI, which is supported by the European Commission. It should be noted however that the model clauses state that they are working […]
Ensuring safety and sustainability: The Commission’s proposed measures for a safe, fair and sustainable E-commerce
In early February, the Commission released its comprehensive strategy to address the challenges arising from the rapid increase in e-commerce imports into the EU directly to consumers. The strategy aims to enhance consumer protection and safety, sustainability and fair competition. The proposed measures include, e.g.,: The strategy can be found here.
The European Health Data Space Regulation Has Been Officially Published
The European Health Data Space (EHDS) Regulation was officially published in the Official Journal of the European Union on 5 March 2025 and will enter into force on 26 March 2025. The regulation enhances individual rights by granting EU citizens immediate access to their electronic health data and enabling seamless cross-border sharing. It also establishes […]
US Data Transfers in the Trump Era – What’s Not Said Can Be Just as Important
Here we go again… Over the past few weeks, changes introduced by the new U.S. administration have had a significant impact—too many to cover in a short post, but I’m sure most of you are aware. One of the effects of these changes is a shift in EU-U.S. relations, and unfortunately, not in a positive […]
EDPB Launches 2025 Coordinated Action on Right to Erasure
The European Data Protection Board (EDPB) has launched its 2025 Coordinated Enforcement Framework (CEF) action, focusing on the enforcement of the right to erasure under Article 17 GDPR. This initiative follows the 2024 action on the right of access and aims to assess how organizations handle requests to delete personal data. The Swedish Authority for […]
EU Report Highlights Potential Legal Conflict Between AI Act and GDPR on Sensitive Personal Data
A new report from the European Parliamentary Research Service (EPRS) warns of a potential legal conflict between the EU AI Act and the GDPR, particularly concerning the use of sensitive personal data to mitigate algorithmic bias. The AI Act, which came into force in August 2024, aims to regulate (amongst other things) high-risk AI systems […]