Women in Privacy – Global Privacy Leadership Lunch
Join us in Brussels for our next Women in Privacy – Global Privacy Leadership Lunch.
EU Court of Justice Issues Landmark Judgment on Concept of “Personal Data”
On 4 September 2025, the EU Court of Justice (the “CJEU”) issued a landmark ruling in SRB v. EDPS confirming that pseudonymous data is not automatically personal data in all cases (the “SRB Case”). Instead, the key question is whether the controller can realistically re-identify the individual. This judgment is expected to have a significant impact on instances where effective technical and/or organisational measures prevent re-identification by the controller. Importantly, although the ruling arose under EU Regulation 2019/1725 – i.e., the EU data protection law applicable to EU Institutions (such as the Commission) – the CJEU confirmed that the same interpretation applies under the General Data Protection Regulation (the “GDPR”).
EU Consults on Digital Fairness Act: Big Changes Ahead for Consumer-Facing Platforms
The European Commission (Commission) has launched a public consultation on a proposed new law — the Digital Fairness Act (DFA) — aimed at strengthening consumer protection in digital markets. The goal is to fill perceived regulatory “gaps” left by recent EU digital regulations, including the Digital Services Act (DSA) and Digital Markets Act (DMA).
Financial Entities in the EU: Time to Register Your ICT Third-Party Service Providers under DORA
The European Union’s (“EU”) Digital Operational Resilience Act (“DORA”) became effective on 17 January 2025. Since then, financial entities (such as banks, insurance companies and investment firms) and their ICT third-party service providers operating in the EU have been – directly or indirectly – subject to the new regime. One of the first key DORA compliance deadlines, for financial entities to register their ICT service providers with competent EU Member State authorities, is coming into effect across most of the member states this month.
EU Commission Publishes AI Continent Action Plan and Seeks Input
On April 9, 2025 the European Commission adopted a communication on the so-called AI Continent Action Plan – its strategy to shape the next phase of AI development in Europe, with consultation to follow. The Commission’s declared objective is to transform the EU into a global leader in AI by fostering innovation, ensuring trustworthy AI, and enhancing competitiveness while safeguarding democratic values and cultural diversity. Keep monitoring Data Matters for more on the Commission’s consultation, when available. (more…)
Meeting EU Data, Cybersecurity, and Artificial Intelligence Law Obligations: A Checklist for Swiss Life Sciences Companies
For Swiss companies, the next six months are critical for preparing to meet new Digital Data Law obligations. In this briefing, we outline the key timelines, compliance requirements, and practical steps to align with EU requirements. (more…)
New Pathway of Regulating Artificial Intelligence in Switzerland: Competitive Edge or Challenge?
On February 12, 2025, the Swiss Federal Council unveiled its long-awaited approach to artificial intelligence (AI) regulation. Instead of adopting a comprehensive AI Act like the European Union, Switzerland has opted for a sector-specific framework, integrating AI considerations into existing laws rather than creating a standalone regulatory regime. (more…)
EIOPA Publishes Consultation on Opinion on AI Governance and Risk Management
On February 12, 2025, the European Insurance and Occupational Pensions Authority (“EIOPA”) published a consultation on its draft opinion on artificial intelligence (“AI”) governance and risk management (the “Opinion”).
EU Commission Launches Cybersecurity Action Plan for Hospitals and Healthcare Providers
On January 15, 2025 the EU Commission published an action plan with an aim to support cybersecurity in hospitals and healthcare providers in the EU (the Action Plan). The Action Plan is another response by the EU to the increasing cybersecurity threats facing all industries, including the health sector. The Commission notes that this risk has increased due to, amongst other factors, the increased digitisation of healthcare, which has allowed attack surfaces to grow. It also comes following a number of high-profile incidents which have impacted healthcare providers in the EU. The Action Plan is intended to build on the new EU cybersecurity legislation, such as the NIS Directive 2 (NISD2) and the Cyber Resilience Act, and feed into the full deployment of the European Health Data Space Regulation which was adopted on January 21, 2025. See our blog post here.
Data Privacy and Cybersecurity Outlook for 2025: What Financial Services Firms Need To Know
Last year saw many developments across the worldwide data privacy and cybersecurity landscape, including in the EU/UK, and this momentum shows no sign of slowing in 2025. The EU General Data Protection Regulation (GDPR) enters its seventh year in May 2025. New cybersecurity and operational resilience legislation and related guidance are coming into force to regulate new and challenging technologies, several of which will affect financial services firms.
