Editorial
This month’s issue of the Zeitfresser Privacy Newsletter arrives at a time when the privacy landscape is anything but static. Across Europe and beyond, regulators, courts, and legislators are reshaping the boundaries of what responsible data use looks like in an age of accelerating technological change.
Several key developments illustrate this trend. The European Data Protection Board continues to refine its role as both an enforcer and a guide, weighing in on contentious issues like “Consent or Pay” models, blockchain compliance, and AI model training — all with implications that reach far beyond legal theory. While its 2024 Annual Report offers insights into these evolving priorities, it also underscores the EDPB’s growing emphasis on practical guidance and coordinated enforcement.
Meanwhile, enforcement actions are making waves. The Irish DPC’s €530 million fine against TikTok for unlawful data transfers to China stands as a stark reminder of the global stakes in data governance. Similarly, the European Commission’s use of the Digital Markets Act to penalize Meta and Apple signals a new phase of digital regulation — one that moves beyond privacy to tackle structural market power and platform accountability.
Nationally, we’re seeing strong divergence. Germany’s plan to centralize data protection oversight raises serious questions about accessibility, effectiveness, and democratic control. The Spanish and Hamburg authorities, in contrast, focus on enabling responsible innovation, publishing new guidance on synthetic data and the intersection of the Data Act with GDPR obligations.
And across the Atlantic, the U.S. appears to be pivoting in the opposite direction. The FTC’s signals toward a lighter-touch, risk-based enforcement model — especially regarding AI — highlight the growing regulatory gap between jurisdictions. This may again cast doubt on the stability of transatlantic data transfer mechanisms.
The legal sphere is also active. Recent European Court of Justice rulings clarify the extent of GDPR protections for corporate representatives and hint at a more expansive interpretation of marketing practices under the ePrivacy Directive. Together, these decisions suggest a tighter regulatory environment for businesses operating across sectors.
From synthetic data and blockchain to AI governance and transatlantic data flows, the developments covered in this issue show that while the challenges are complex, they also open the door to more transparent, accountable, and innovation-friendly approaches to data protection across borders.
