Data Protection & Cybersecurity Archives | GamingTechLaw by Giulio Coraggio

When Can a GDPR Access Request Be Rejected? The CJEU Draws a Clear Line

With its judgment in Brillen Rottler (C-526/24), the Court of Justice of the European Union (CJEU) has now clarified that, under specific circumstances, a data controller is entitled to refuse an access request — even if it is the first one submitted by the data subject.

Mar 2026

Are Advertising Cookie Identifiers Personal Data? A French Court Decision Raises Questions for AdTech and AI Training

A recent decision advertising cookie identifiers of the French Conseil d’État has reignited a fundamental debate in EU data protection law: when do online identifiers qualify as personal data under the GDPR?

Mar 2026

EU Cyber Resilience Act: Commission Publishes Draft Guidance to Support Companies on Compliance

The European Commission has just published for feedback its long-awaited draft guidance to assist companies in applying the Cyber Resilience Act (CRA), a landmark EU regulation aiming to strengthen cybersecurity across the digital product landscape.

Feb 2026

EDPB Binding Decisions Challengeable Under GDPR: Why This ECJ Ruling Changes the Digital Omnibus Debate

EDPB binding decisions are challengeable under the GDPR: with its judgment of 10 February 2026 in Case C-97/23 P, the Court of Justice of the European Union confirmed that binding decisions adopted by the European Data Protection Board under Article 65 GDPR can be directly challenged before the EU Courts under Article 263 TFEU.

Feb 2026

The Definition of Personal Data Will Remain Unchanged: Impact on AI Training Under the Digital Omnibus

The definition of personal data remains unchanged under the Digital Omnibus. What this means for AI training and legitimate interest under GDPR.

Feb 2026

EDPB and EDPS Joint Opinion on the Digital Omnibus: Support for Simplification, Resistance to Redefining Personal Data

The EDPB and EDPS joint opinion on the Digital Omnibus supports the European Commission’s goal of simplifying EU digital rules and strengthening competitiveness.

Dec 2025

AI Training Based on Legitimate Interest: Is the Digital Omnibus Proposal Enough?

The European Commission’s latest Digital Omnibus package introduces a significant and much-debated idea: allowing AI training based on legitimate interest, under Article 6(1)(f) GDPR, accompanied by a new Article 88c. The proposal formalises something many expected — that training AI systems or AI models on personal data may rely on legitimate interest as a legal basis.

Dec 2025

Digital Omnibus and Incident Reporting: Why the New EU System May Create New Challenges

The European Commission’s plan with the Digital Omnibus package on incident reporting, which introduces a single-entry point for notifying incidents across GDPR, NIS2, DORA, eIDAS and other EU regimes, aims to simplify compliance but may instead create new operational complexity.

Nov 2025

The EU’s Digital Package on Simplification: Streamlining GDPR, AI and Data Rules

The Digital Package on Simplification, proposed by the European Commission, updates key EU laws — including the GDPR, the AI Act, the Data Act, the NIS2 Directive, and the ePrivacy Directive — to modernize and simplify the entire European digital regulatory framework.

Nov 2025

EU Commission to codify legitimate interest as legal basis for AI training: a turning point for GDPR and innovation

The European Commission’s proposal to codify legitimate interest as a legal basis for AI training marks the most significant reform to the GDPR since its adoption. By explicitly recognizing legitimate interest as legal basis for AI training, the Commission aims to reconcile data protection with the realities of modern artificial intelligence.