Berry Picks in IT Law #53

The dilemma I had when I opened up the calendar and realised had I posted this week’s picks tomorrow, it would have been May the 4th. Think of the gifs. Anywho, this week felt a little swamping in terms of regulation, but maybe that’s just the way the regulation pendulum is swinging at the moment.

🤖 Artificial Intelligence

The German government passed a bill introducing AI-supported investigative powers, formally regulating tools such as automated biometric image matching and cross-case data analysis in criminal procedure. Under the proposal, law enforcement could (subject to strict thresholds tied to serious crime) compare images from investigations with publicly available online content and analyse lawfully stored police data across databases using automated systems, including AI. The model remains explicitly assistive: systems may organise and surface data, but decisions must be taken by human investigators. The draft reflects a familiar balancing exercise, addressing inefficiencies in data use while embedding ex ante safeguards to contain the expansion of investigative power.

🪁 Children’s Rights in Cyberspace

Türkiye adopted a new law amending Law No. 5651, introducing a stricter regulatory framework for social media platforms and online gaming services. The reform centres on child protection. Platforms are now prohibited from providing services to users under 15 and must implement age verification measures, while users aged 15–18 must be offered segregated “safe” service environments. At the same time, social network providers face expanded obligations, including parental control tools, measures against deceptive advertising, and accelerated compliance with emergency blocking orders. The law also extends platform regulation into the gaming ecosystem for the first time, formally distinguishing between game developers, distributors and platforms, and assigning targeted obligations such as age rating, local representation, and parental controls. Enforcement follows the now-familiar Turkish escalation model: administrative fines (up to a percentage of global turnover for large platforms), followed by advertising bans and, ultimately, bandwidth throttling.

🔐 Cybersecurity

Germany’s federal cybersecurity authority, the Bundesamt für Sicherheit in der Informationstechnik, introduced new criteria to assess and strengthen digital sovereignty in cloud computing. The framework establishes a non-binding but auditable set of benchmarks enabling organisations to evaluate whether cloud services can be used in a self-determined and risk-appropriate manner. It complements existing security standards and allows both providers and users to assess key factors such as control, localisation, and operational autonomy. While not regulatory in itself, the initiative seeks to render dependency structures more transparent and to support more informed, risk-based decisions in cloud adoption.

🔏 Data Protection & Privacy

The Italian DPA issued guidance reminding hotels that compliance obligations do not quietly extend into data retention. While accommodation providers must identify guests and transmit their data to public authorities, this obligation does not justify retaining copies of identity documents. The increasingly common practice of photographing IDs or collecting them via messaging apps is therefore treated as excessive and risk-inducing. Once the transmission is complete, any copies must be deleted or destroyed, with only proof of reporting retained. In essence, a straightforward application of data minimisation: what the law requires you to process, it does not entitle you to keep.

The UK’s Information Commissioner’s Office issued updated guidance clarifying that charities can now contact supporters without prior consent under a new “soft opt-in” introduced by the Data (Use and Access) Act 2025. Under the change, charities may send emails, texts or social media messages to individuals who have previously shown interest in their work, provided strict safeguards are met. The reform is framed as enabling more effective fundraising and engagement, while maintaining baseline data protection standards. The guidance emphasises that this flexibility is conditional, that organisations must still ensure transparency, offer clear opt-outs, and handle personal data responsibly. A calibrated shift from strict consent towards interest-based engagement within defined limits?

The CNIL approved a sectoral code of conduct for retail, translating GDPR obligations into operational rules for clothing and footwear merchants. The code functions as a practical compliance tool: it specifies how core GDPR principles such as lawful processing, purpose limitation and retention apply in day-to-day retail activities, both online and in-store. Adherence is binding for participants and subject to oversight by an accredited third-party monitoring body. More broadly, the move reflects the growing role of Article 40 GDPR codes as instruments of standardisation, turning abstract legal obligations into sector-specific benchmarks. Congrats on the first code of national scope, then.

🛒 E-Commerce & Digital Consumer

The Commission preliminarily found Meta in breach of the Digital Services Act over its handling of under-13 access to Instagram and Facebook. The issue is not simply that children may be lying about their age, but that Meta’s systems appear too weak to prevent, detect or remove them effectively. The Commission points to self-declared birth dates with little meaningful verification, a reporting tool that is difficult to use, poor follow-up after reports, and an allegedly incomplete risk assessment that downplays evidence of under-13 use across the EU. If confirmed, the findings could lead to fines of up to 6% of Meta’s global annual turnover. Unsurprisingly, age limits in terms and conditions are not enough if the platform architecture quietly lets children walk straight through.

The European Commission’s first review of the Digital Markets Act found that, just two years into application, the framework is already making digital markets more contestable and fair, without requiring legislative revision. The report highlights early, tangible effects: reduced lock-in, increased data portability, greater user control over personal data, and new entry opportunities for business users (including SMEs), alongside improved transparency in online advertising markets. At the same time, enforcement remains work-in-progress, with ongoing non-compliance proceedings and continued reliance on intensive regulatory dialogue with designated gatekeepers. Crucially, the Commission considers the DMA “fit for purpose” in its current form. Rather than amendment, the focus shifts to stricter enforcement, procedural refinement, and forward-looking application, particularly in emerging areas such as AI and cloud services.

👩🏼‍🎨 Intellectual Property

The CJEU ruled that a retirement home does not carry out a “communication to the public” merely by retransmitting satellite TV and radio programmes through its internal cable network to residents’ rooms. The Court treats the residents less like hotel guests and more like people living in their own private sphere, since they reside there permanently rather than temporarily. That matters because the rightholders, when authorising the original broadcast, are understood to have already contemplated reception by viewers in their private or family circles. So, no new public, no separate communication to the public. A useful reminder that not every institutional setting turns private reception into public exploitation.

Well that’s it for this week. Looking forward to the next, bye!

If you have any thoughts or suggestions on how to make this digest more enjoyable, feel free to drop a line. Your feedback is always welcome!

Featured image generated using DALL·E 3.

Sena Kontoğlu Taştan

IT law enthusiast and researcher.
