As I was in a meeting when the European Data Protection Board opened registration for its pseudonymisation stakeholder event of 12 December 2025, I missed the short (approx. 1h) registration window and they placed me on a waiting list instead – a pity given my frequent interventions on the EU Court of Justice’s SRB judgment […]
Myth-busting time! This week, the EDPB published its Opinion on AI models & personal data, and then the Italian authority revealed it had fined OpenAI. But unlike what some are suggesting, the Italian decision *predates* the EDPB Opinion by a month. So let’s dispel a few myths surrounding that Opinion: – “Game changer”? The positions […]
Full analysis likely to come in the coming days, but some first thoughts on the EDPB’s “AI models & personal data” Opinion. In essence, the EDPB doesn’t exclude anything entirely but leaves it up to national supervisory authorities to make a call in cases they are handling – and while it doesn’t prohibit relying on […]
Digital Omnibus & GDPR: I like some things & dislike others about the proposal, but want to push back against claims that the “personal data” definition change will weaken protection. Of course some data protection supervisory authorities will say this (non-personal data generally falls outside of their remit), but is there truly weakening of protection […]
NIS2 vs GDPR: fines/injunctions in Belgium to be challenged before different courts? While the Belgian legislator has gradually been entrusting one single, specialised court with highly regulatory cases (essentially regarding telecom rules, financial services rules and data protection rules), it appears for now *not* to have chosen to entrust that same court, the Belgian Market […]
When I pointed out issues with the DMA-GDPR Guidelines & resulting risks for *all* controllers (not just gatekeepers), the EDPB’s Gwendal Le Grand said something to the effect of “Don’t just post about it, submit a response”. So here we go, a copy of the response submitted yesterday to the public consultation by the Commission […]
Privacy-friendly analytics: dismissal of complaint for lack of evidence of processing of personal data. Reasoning of the Belgian DPA’s Inspection Service, quoting SRB and Breyer & confirming our arguments: 1. Insufficient evidence of a GDPR infringement The complainant did not provide concrete evidence demonstrating that his personal data had actually been processed by the provider (or […]
NIS2: Looking forward to giving a 2-day workshop with Chris A. De Vuyst from the Centre for Cybersecurity Belgium (= Belgian cybersecurity authority) next week, further to tremendous preparatory work by Chris and Val�ry Vander Geeten. [Thanks again Val�ry as well as the Data Protection Institute for thinking of me in this respect!] The Network […]
Two victories before the Belgian DPA this week: dismissal of a complaint against a privacy-friendly analytics provider (re ads & content) due to lack of evidence of processing of personal data (Breyer + SRB having an impact), and one decision confirming that where data is shared pre-GDPR, the controller using it post-GDPR is the one […]
Digital Omnibus & ePrivacy: good intentions but bad outcome. While I have praised the Commission’s attempt at GDPR-related pragmatism (though a good idea re special categories of data didn’t make it), I have remained silent on the ePrivacy front. There, the proposal is not good in my view. It would create an alternative to Art. […]
