On 2 December 2025, the Court of Justice of the European Union (CJEU) ruled that operators of online marketplaces can be held legally responsible for how personal data is handled on their platforms — even when the data is...more
12/26/2025
/ Court of Justice of the European Union (CJEU) ,
Data Controller ,
Data Protection ,
E-Commerce ,
EU ,
General Data Protection Regulation (GDPR) ,
Online Marketplace ,
Online Platforms ,
Personal Data ,
Retail Market ,
Sensitive Personal Information ,
Third-Party Service Provider
The German Data Protection Conference (DSK) issued guidance on transfers of personal data to countries outside of the European Economic Area — so-called “third countries” — in the context of medical research. The guidance...more
Advocate General Medina issued a well‑reasoned opinion in Joined Cases C‑258/23 to C‑260/23 before the Court of Justice of the EU (CJEU) that may allow national competition authorities to seize business emails during dawn...more
11/12/2025
/ Antitrust Investigations ,
Bring Your Own Device (BYOD) ,
Competition Authorities ,
Corporate Counsel ,
Court of Justice of the European Union (CJEU) ,
Data Protection ,
Dawn Raids ,
Email ,
EU ,
General Data Protection Regulation (GDPR) ,
Information Governance ,
Privileged Communication
The EU’s landmark Data Act took effect on Sept. 12, 2025, reshaping how customer data can be accessed, shared and monetized across the European digital economy. Orrick partners Christian Schröder and Julia Apostle join RegFi...more
The Italian Law No. 132/2025 on rules applicable to AI systems and models (‘Italian AI Law’) took effect October 10, 2025. It aims to integrate and implement the broader European AI regulatory framework (EU AI Act) by...more
10/16/2025
/ Artificial Intelligence ,
Clinical Trials ,
Cybersecurity ,
Data Protection ,
EU ,
Healthcare ,
Intellectual Property Protection ,
Italy ,
New Legislation ,
Popular ,
Regulatory Requirements ,
Research and Development
This Essential Guide is part of Orrick’s Cybersecurity & Privacy Compass Series. The Cybersecurity & Privacy Compass is your global guide to the evolving cybersecurity and privacy regulatory landscape.
...more
10/13/2025
/ Cloud Computing ,
Cybersecurity ,
Data Privacy ,
Data Protection ,
EU ,
European Commission ,
General Data Protection Regulation (GDPR) ,
Information Technology ,
Internet of Things ,
New Legislation ,
Regulatory Requirements ,
SaaS
In its judgment of 5 June 2025 (8 AZR 117/24, available in German only), the Federal Labor Court (BAG) ruled on claims for damages related to a recruitment procedure. This decision followed an earlier ruling by the Düsseldorf...more
10/9/2025
/ Background Checks ,
Data Privacy ,
Data Protection ,
Employee Privacy Rights ,
Employer Liability Issues ,
Employment Litigation ,
General Data Protection Regulation (GDPR) ,
Germany ,
Hiring & Firing ,
Job Applicants ,
Labor Reform ,
Popular ,
Privacy Laws ,
Regulatory Reform ,
Regulatory Requirements
The compliance challenge: Companies operating globally face a complex maze of emerging AI regulations. Our panel provided practical guidance for those navigating these fast-moving and divergent legal regimes....more
10/6/2025
/ AI Act ,
Artificial Intelligence ,
Compliance Management Systems ,
Cross-Border Transactions ,
Data Protection Impact Assessments (DPIAs) ,
General Data Protection Regulation (GDPR) ,
Innovative Technology ,
International Regulatory Standards ,
Machine Learning ,
New Regulations ,
Popular ,
Regulatory Requirements ,
Risk Management
In this guide, we answer key questions about the European Data Act, which became applicable on 12 September, including what the Data Act covers, who is impacted and what businesses should do to comply....more
9/12/2025
/ Cloud Computing ,
Cloud Service Providers (CSPs) ,
Connected Items ,
Critical Infrastructure Sectors ,
Cybersecurity ,
Data Management ,
Data Privacy ,
Data Protection ,
Data-Sharing ,
EU ,
Information Technology ,
Internet of Things ,
Regulatory Requirements ,
SaaS
Christian Schröder, leader of Orrick’s European Cyber, Privacy & Data Innovation practice, joins RegFi co-hosts Jerry Buckley and Caroline Stapleton to break down the EU Artificial Intelligence Act. The conversation explores...more
7/17/2025
/ Algorithms ,
Artificial Intelligence ,
Compliance ,
Data Privacy ,
Data Protection ,
EU ,
New Legislation ,
Regulatory Requirements ,
Risk Management ,
Technology ,
Technology Sector
On June 28, 2025 the Accessibility Improvement Act (Barrierefreiheitsstärkungsgesetz ("BFSG")), Germany's implementing act of the European Accessibility Act ("EAA"), will come into force, imposing a whole range of new...more
On May 8, 2025, the Federal Labor Court Bundesarbeitsgericht (“BAG”) issued a significant ruling concerning an employee’s claims for damages due to unlawful data transfers within a corporate group. The BAG ruled that works...more
While the authorities’ publications on AI have recently tended to be in the area of data protection (such as the EDPB, which we covered here and here), the European Commission has recently published its first set of [draft]...more
The European Data Protection Board's (EDPB) Opinion 28/2024 provides valuable insights into the intersection of artificial intelligence and data protection, particularly in the context of compliance with the EU General Data...more
About the Orrick Legal Ninja Series – OLNS In substantially all of the major world markets, we have dedicated technology lawyers who support young German technology companies on their growth trajectory through all stages. As...more
Over 3,000 privacy professionals from around the world gathered in Brussels recently for the 13th International Association of Privacy Professionals’ Europe Data Protection Congress 2024. The conference focused on the...more
The European Union (EU) has reached a significant milestone by finalizing the Artificial Intelligence Act (AI Act), establishing the world's first comprehensive AI law. This article outlines the history, structure,...more
This update is part of our EU AI Act Series. Learn more about the EU AI Act here. Developers and users of AI systems subject to the EU AI Act must adopt AI literacy measures by 2 February 2025. The Act requires them “to...more
A court in Hamburg, Germany, has decided a copyright infringement case in a way that sheds light on how European courts may apply the text and data mining (TDM) exemption to AI model developers. The exemption is contained in...more
This update is part of our EU AI Act Series. Learn more about the EU AI Act here. The EU AI Act imposes obligations on providers, importers, distributors and deployers of AI systems and General-Purpose AI Models (GPAIMs). ...more
This Essential Guide to the European Data Act is part of Orrick's Cybersecurity & Privacy Compass Series. The Cybersecurity & Privacy Compass is your global guide to the evolving cybersecurity and privacy regulatory...more
The European Network and Information Security 2 Directive aims to mitigate threats to network and information systems and ensure the continuity of services in the event of cybersecurity incidents. Member States must pass...more
The Court of Justice of the European Union (CJEU) has made a landmark decision (7 March 2024, C-604/22) on the intricacies of adtech, personal data, and joint control against the background of the General Data Protection...more
In this Essential Guide, part of Orrick’s Cybersecurity & Privacy Compass Series, we offer insights into the Cyberspace Administration of China's (CAC) new rules and requirements for cross-border data transfers.
The...more
This overview is part of a wider series of articles on the AI Act. For recommended steps to take in the first six months, our latest update is available here. The European AI Act has a broad material and territorial scope of...more