Written by Miriam Friedmann, Moshe Lehmann
EU
EU Proposes Reduction of GDPR Record-Keeping Requirements
The European Commission has proposed simplifying GDPR record-keeping obligations as part of its broader regulatory streamlining efforts, aiming to reduce administrative burdens for businesses. The proposal would revise Article 30(5) GDPR, which offers an exemption from keeping a record of processing activities (“ROPA”). The exemption would be extended from organizations with fewer than 250 employees to those with fewer than 750 employees. Article 30(5) also includes exceptions to the exemption, which will also be revised such that only high-risk processing would require such SMEs to maintain a ROPA.
TikTok Fined €530 Million for Unlawful Data Transfers to China
The Irish Data Protection Commission (“DPC”) found that TikTok’s Transfer Impact Assessment failed to recognize that Chinese law does not provide protections essentially equivalent to EU law. Additionally, TikTok’s Privacy Notice was deemed inadequate as it failed to specify the third countries to which personal data was transferred, and did not clarify the nature of processing operations, namely, that the personal data was remotely accessed by personnel in China.
Croatian DPA Issues Fines for DPO Conflicts of Interest and GDPR Compliance Failures
The Croatian Personal Data Protection Agency (“AZOP”) has recently imposed fines in two cases involving conflicts of interest in the appointment of Data Protection Officers (“DPOs”). In one case, AZOP fined a company €12,000 for appointing its procurator (a person granted the rights to conclude contracts and undertake legal actions in the name of the company) as DPO, finding that the procurator’s significant decision-making powers created a conflict of interest. In another case, AZOP fined a business information publisher €40,000 for appointing a director as DPO, as well as for other GDPR violations, stating that the director’s role was found to compromise the DPO’s independence.
Polish Court Limits the Use of Legitimate Interest as a Basis to Process Data for Legal Claims
A Polish Supreme Administrative Court ruled that a data controller cannot rely on legitimate interest regarding legal claims to process personal data unless there are actual legal claims filed against the controller. The case involved a bank that continued processing data after consent was revoked, arguing it might need the data for possible future claims. Both the Polish DPA and the court found this claim insufficient, as the bank could not point to any real legal dispute with the individuals concerned.
German Court Requires Clear “Reject All” Option on Cookie Banners
The Hanover Administrative Court ruled that website operators must provide a clearly visible “Reject All” button on cookie consent banners whenever an “Accept All” option is offered. This decision arose from a case against a media company whose banner design made it difficult for users to refuse cookies and failed to provide clear information about consent and third-party data processing.
US
Several States Advance Age-Appropriate Design and Age Verification Laws
Recent legislative activity in the U.S. reflects a growing trend toward age-appropriate design and stricter age verification requirements for online services and app stores. Vermont has passed its Age-Appropriate Design Code Act, pending the governor’s approval, which will require businesses to implement strong privacy protections for minors, limit data collection, and provide clear privacy tools. Texas has enacted a law mandating age verification and parental consent for app downloads and purchases by minors and is considering further restrictions on social media access for those under 18. In Louisiana, a bill nearing final passage would require both app stores and developers to verify users’ ages and obtain parental consent for minors. Nebraska has also adopted an Age-Appropriate Online Design Code Act aimed at enhancing parental control and limiting targeted engagement of children by tech companies.
National Security Agencies Published Guidance on Securing Data in AI Systems
Leading national security and cybersecurity agencies published guidance outlining essential best practices for protecting data used in AI and machine learning systems. The guidance emphasizes the importance of securing data throughout the AI lifecycle through measures such as data provenance tracking, encryption, digital signatures, secure storage, and robust access controls. The guidance also highlights key risks, including threats from compromised data supply chains, malicious data manipulation, and data drift, and provides practical mitigation strategies to help organizations safeguard sensitive and mission-critical information while maintaining the reliability and integrity of AI-driven outcomes.
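As an added illustration of the provenance-tracking and integrity-checking measures the guidance names (this is example code written for this summary, not code from the agencies' guidance), the block below records a per-file SHA-256 digest and the data source in a manifest, attaches an integrity tag to the manifest at the point of origin, and re-verifies everything before the data is used for training. The dataset contents, the source label and the key are constructed sample values. To stay dependency-free it uses an HMAC-SHA256 keyed tag where a production pipeline would use an asymmetric digital signature; the workflow (tag at source, verify at consumption, reject on any mismatch) is the same.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed sample "dataset": file path -> file contents, standing in for files on disk.
SAMPLE_DATASET = {
    "train/part-0001.csv": b"id,label\n1,benign\n2,malicious\n",
    "train/part-0002.csv": b"id,label\n3,benign\n4,benign\n",
}
# Constructed sample key; in practice this lives in an HSM or secrets manager,
# and an asymmetric signing key would replace it.
SAMPLE_KEY = b"example-provenance-key-not-for-real-use"


def build_manifest(files: dict[str, bytes], source: str) -> dict:
    """Record provenance metadata plus a SHA-256 digest for every file."""
    return {
        "source": source,
        "files": {name: hashlib.sha256(data).hexdigest()
                  for name, data in sorted(files.items())},
    }


def canonical(manifest: dict) -> bytes:
    """Deterministic serialization so the tag does not depend on key order or whitespace."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def tag_manifest(manifest: dict, key: bytes) -> str:
    """Integrity tag over the canonical manifest (HMAC stands in for a signature here)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_dataset(files: dict[str, bytes], manifest: dict, tag: str, key: bytes) -> list[str]:
    """Return a list of findings; an empty list means the dataset matches its provenance record.

    Checks, in order: the manifest itself is authentic, every recorded file is present
    and unmodified, and no file was added that the manifest does not know about.
    """
    findings: list[str] = []
    # A tampered manifest cannot be trusted, so stop here rather than checking files against it.
    if not hmac.compare_digest(tag_manifest(manifest, key), tag):
        findings.append("manifest tag mismatch")
        return findings
    for name, expected in manifest["files"].items():
        if name not in files:
            findings.append(f"missing: {name}")
        elif hashlib.sha256(files[name]).hexdigest() != expected:
            findings.append(f"modified: {name}")
    for name in files:
        if name not in manifest["files"]:
            findings.append(f"unexpected: {name}")
    return findings


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_DATASET, source="vendor-feed-2025-06 (sample)")
    tag = tag_manifest(manifest, SAMPLE_KEY)
    print("clean dataset:", verify_dataset(SAMPLE_DATASET, manifest, tag, SAMPLE_KEY))

    # Simulated supply-chain manipulation: one label flipped in a training shard.
    poisoned = dict(SAMPLE_DATASET)
    poisoned["train/part-0002.csv"] = b"id,label\n3,malicious\n4,benign\n"
    print("poisoned dataset:", verify_dataset(poisoned, manifest, tag, SAMPLE_KEY))
```

The manifest is small enough to store alongside the data and in a separate audit log, so a later drift or integrity investigation can answer both "where did this data come from" and "is it still what we received".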
Texas Legislature Passes New AI Governance Act
On June 2, the Texas legislature passed the Texas Responsible Artificial Intelligence Governance Act, which, if signed by the governor, will take effect January 1, 2026. The Act applies broadly to developers and deployers of AI systems and, in certain cases, requires entities using an AI system to disclose that use to the recipients of their services. The Act also prohibits the development or use of AI systems for harmful or discriminatory purposes and imposes specific obligations on both the private and public sectors. It establishes enforcement powers for the Texas Attorney General, introduces fines for violations, and creates a Texas AI council and a regulatory sandbox to support responsible AI innovation.
Israel
The Privacy Protection Authority (“Authority”) has released draft guidelines to clarify the intersection between privacy laws and artificial intelligence (“AI”) systems. In these guidelines, the Authority clarifies that the Israeli Privacy Protection Law applies to AI systems and underscores the necessity of a legal basis for processing personal data through such systems, including information that the AI systems derive from personal data. The Authority further elaborates on the standards and requirements for obtaining informed consent and asserts that data scraping also requires the data subject’s consent. Additionally, the draft guidelines emphasize the need for robust corporate governance led by senior management. The Authority also addresses the right to amend personal data in the context of AI, expressing its intention to prioritize enforcement of the rights to amend and access personal data. With respect to data security, the Authority notes that most AI-based databases will be classified as requiring medium or high statutory security levels and stresses the significance of adhering to the principle of data minimization.
This publication is provided as a service to our clients and colleagues, with explicit clarification that each specific case requires individual examination and discussion in writing.
The information presented here is of a general nature and is not intended to answer the unique circumstances of any individual or entity. Although we strive to provide accurate and available information, we cannot guarantee the accuracy of the information on the day it is received, nor that the information will continue to be accurate in the future. Do not act on the information presented without appropriate professional advice after a comprehensive and thorough examination of the specific situation.