After a surge of new digital legislation over the past two years, the European Commission appears to have no intention of easing its pace in reshaping Europe’s regulatory landscape. This includes proposals to reform the GDPR. Regulatory reforms should, however, focus on strengthening enforcement and fixing the structural problems of the GDPR, rather than merely simplifying and deregulating it.
Im vergangenen Monat hat die Kommission einen Reformvorschlag zur DSGVO vorgelegt. Konkret soll Art. 30 DSGVO angepasst werden, der Datenverarbeiter verpflichtet ein sog. „Verarbeitungsverzeichnis“ zu führen. Bisher galt für Unternehmen mit weniger als 250 Beschäftigten eine Ausnahme. Künftig soll diese Grenze auf 750 Mitarbeiter angehobenen werden. Doch der Vorschlag polarisiert.
The Italian Data Protection Authority banned ChatGPT for violating EU data protection law. As training and operating large language models like ChatGPT requires massive amounts of (personal) data, AI's future in Europe, to an extent, hinges upon the GDPR.
The ongoing trilogue negotiations on the GDPR procedural regulation aim to address significant enforcement shortcomings. From strengthening complainants' rights to harmonising Data Protection Authorities' discretion and improving cross-border cooperation, these discussions carry major implications for data protection in Europe. This analysis highlights the urgent need for reforms to ensure effective and fair enforcement.
GDPR provides the rulebook for international transfers of personal data from the EU and serves as the vehicle through which EU data protection law interacts with the wider world. However, the EU seems ambivalent about deciding how far it can expect third countries to adopt data protection standards similar to its own. Moreover, DPAs often fail to scrutinize data transfers to third countries that may lack the rule of law. Finally, the EU lacks a comparative methodology for assessing data protection equivalence in third countries. It is essential for the EU to elevate the public discourse so that the global significance of data transfers is recognized.
Recent investigations by Netzpolitik and the German public service broadcaster Bayerischer Rundfunk into the company Datarade have shed light on a part of the digital economy that has so far operated mainly in the background: data trading. The key players in this sector are data brokers, whose business model is to trade in (non-)personal data. Data trading is a multi-billion-dollar component of the global digital economy and not a new phenomenon. This article outlines the legal implications of data trading in the context of the GDPR, the DSA and the AI Act.
Die Recherchen von Netzpolitik und dem Bayerischen Rundfunk zum Unternehmen Datarade haben einen Teil der Digitalwirtschaft in den Fokus gerückt, der bisher vor allem im Hintergrund operierte: Datenhandel. Zentrale Akteure sind Datenhändler:innen (sog. Data Brokers), deren Geschäftsmodell darin besteht mit (nicht-)/personenbezogenen Daten zu handeln. Ausgehend von dem was über die Praktiken vieler Data Broker bekannt ist, erscheint vieles was heute offenbar gängige Praxis ist schlicht rechtswidrig. Der Beitrag umreißt die rechtlichen Implikationen von Datenhandel im Hinblick auf die DSGVO, den DSA und die KI-VO.
The EU legislator is working on a new Regulation to modify the GDPR. Unfortunately, the reform features deeply troubling elements. It seeks to mainstream a controversial Irish approach to dealing with data protection complaints, namely “amicable settlements” between individuals and digital corporations. Further, and rather problematically, the reform foreshadows the end of the principle of proximity. Gutting – or at least eroding – the proximity principle should ring alarm bells for anyone concerned with effective judicial remedies in the EU.
After Meta introduced this model for its social networking services Facebook and Instagram in November 2023, several national data protection authorities called on the EDPB to clarify the compatibility of this model with the GDPR. Data protection law is to be used as a lever to prohibit media companies or online service providers from offering a service that is more data-minimalist than the traditional business model. Data protection authorities are therefore faced with the question of whether the GDPR should address "social justice" concerns.
Nachdem das Digitalunternehmen Meta ein sog. „Pay-or-Consent“-Modell im November 2023 für seinen sozialen Netzwerkdienst Facebook eingeführt hatte, riefen mehrere staatliche Datenschutzbehörden den EDPB an, um die Vereinbarkeit dieses Modells mit der DSGVO zu klären. In einer grotesken Volte soll das Datenschutzrecht als Hebel dienen, Medienunternehmen oder großen Netzwerkbetreibern das Angebot einer Leistung zu untersagen, die datenminimalistischer ist als das überkommene Geschäftsmodell. Die Datenschutzbehörden stehen damit vor der Frage, ob die Interpretation der DSGVO einen „social justice turn“ vollziehen soll und Anliegen sozialer Gerechtigkeit zum Schutzzweck gemacht werden können.
13. September 2025
Giovanni Capoccia
12. September 2025
Anne Peters
12. September 2025
Anne Peters