In our January newsletter, you will find the following topics:

DDPA publishes position paper on proposed Digital Omnibus Regulation
On January 13, the Dutch Data Protection Authority (DDPA) published its position paper on the European Commission's (Commission) proposal for a Digital Omnibus. The Commission's proposal aims to streamline European digital laws. However, the DDPA is critical of some of the far-reaching changes to, among other things, the GDPR and the AI Act, which, without further substantiation, pose risks to the protection of personal data and fundamental rights.
The DDPA points out that the Digital Omnibus changes the core concepts of 'personal data' and 'pseudonymization'. These definitions determine the scope of the GDPR, and therefore which data must be processed in accordance with the GDPR. According to the DDPA, the Commission's proposal does not match the interpretation given to these concepts by the Court of Justice of the EU (CJEU). This could mean that the processing of certain (pseudonymized) data is no longer protected by the GDPR, which undermines the high level of protection for personal data.
The DDPA argues that a number of changes undermine transparency and accountability for controllers. For example, the obligation to report data breaches to the supervisory authorities is limited to situations posing a high risk to the data subjects only. According to the DDPA, organizations often underestimate the risk that data breaches pose to data subjects. In the absence of a duty to notify there is no corrective effect of supervision, meaning that data subjects may not be informed about risks of abuse and supervisory authorities may miss important incidents.
Additionally, the explicit inclusion of legitimate interest as a basis for the use of personal data for AI development and training purposes is merely a textual extension according to the DDPA since it is already possible to invoke this basis, provided that a legitimate interest assessment is performed. According to the DDPA, the proposed amendment does not clarify this, but may instead cause confusion.
The DDPA also criticizes the proposals to amend the AI Act. For example, the abolition of a public registration requirement for certain high-risk AI systems in a European database means that these systems will remain outside the view of supervisory authorities. The DDPA also considers the removal of the obligation for organizations to promote AI literacy among their staff to be undesirable. Under the proposal for the Digital Omnibus, this responsibility will lie with the Member States and the Commission. However, according to the DDPA, organizations are best placed to assess which skills are necessary for the safe use of AI. Notably, the obligation to ensure that high‑risk AI systems are used only by adequately trained personnel is retained in the AI Act.
The DDPA emphasizes that there are also positive elements in the proposals, such as European models for DPIAs, data breach notifications, and the harmonization of cookie rules. As the Dutch coordinating supervisory authority for the AI Act, the DDPA is also positive about proposals to strengthen cooperation between supervisory authorities within the AI Act.

EDPB and EDPS publish joint opinion on Digital Omnibus on AI proposal
On January 20, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) published the joint opinion 1/2026 on the Digital Omnibus (the Opinion). The Opinion supports the aim of simplifying European digital legislation, but emphasizes that any amendment to the AI Act must not compromise the protection of fundamental rights, including the right to the protection of personal data.
For example, the supervisory authorities are critical of the proposal to extend the possibility of processing special categories of personal data for bias detection and correction. The proposal would make this exception applicable to all AI systems rather than only to high-risk AI systems. The EDPB and EDPS advise the legislator to limit this use to situations where serious risks exist and advocate for the reinstatement of the 'strict necessity' requirement as included in the current Article 10(5) of the AI Act, in conjunction with Article 9(2)(g) of the GDPR.
Like the DDPA, the European supervisory authorities are also critical of the removal of the registration requirement for certain high-risk AI systems in a European database. According to the supervisory authorities, this obligation promotes transparency, supervision, and public accountability for developers. Its removal would lead to a reduction in traceability, strategic under-registration by organizations, and risks to the protection of fundamental rights. The supervisory authorities also advocate maintaining the obligation for organizations to ensure AI literacy.
Furthermore, the regulators make recommendations on the design of AI testing environments for regulation at the European level. They emphasize that data processing within these testing environments must be supervised by national privacy regulators and that the division of roles between the AI Office, market regulators, and fundamental rights regulators must be more clearly defined. In addition, according to the supervisory authorities, the EDPB should be given a formal advisory role and observer status within the European AI Council.
Finally, the supervisory authorities express concerns about postponing the application of the obligations for high-risk AI systems by up to 16 months. In a rapidly developing AI market, this could have major consequences for the protection of fundamental rights and freedoms, according to the supervisory authorities. They call on the legislator to carefully consider whether the current deadlines for certain obligations, such as transparency requirements, cannot be enforced after all.

Epic Games' appeal against ACM fine for unfair commercial practices in Fortnite unfounded
On January 14, the Rotterdam District Court ruled on Epic Games International's (Epic Games) objections against two fines imposed by the Netherlands Authority for Consumers and Markets (ACM) for unfair commercial practices in the game Fortnite.
The proceedings focused on Epic Games' advertising to children and the digital interface of the in-game item shop. Epic Games argued that ACM was using too broad a definition of the term 'child'. Epic Games also argued that there was no direct incitement to purchase or violation of the requirements of professional diligence.
The court does not agree with Epic Games' arguments and considers it plausible that the expressions used, such as "Buy the Battle Pass," "Get it now," and "Grab it," qualify as aggressive commercial practices because they directly encourage children to make purchases. Relevant to this is that the purchase buttons in the digital environment were prominently colored and strikingly designed, that the texts are written in an imperative tone, and that buttons that definitively refuse the purchase are less visible. The court emphasizes that it is irrelevant whether a purchase is actually completed. The decisive factor is the influence that the expressions have on the economic behavior of children.
The court dismissed Epic Games' argument that age differences within the category of minors should be taken into account. Epic Games no longer disputes that Fortnite targets children and particularly attracts this group. According to the law, the average member of the group of children must be considered. The court therefore ruled that a distinction between different categories of minors, as argued by Epic Games, is not relevant.
The court confirmed that the design of the Item Shop violated the requirements of professional diligence. This included a lack of clarity about the availability period of items, the use of countdown timers, and the creation of artificial scarcity. According to the court, the ACM rightly identified these elements as "dark patterns" capable of significantly limiting children's ability to make an informed decision. Here too, the ACM does not have to demonstrate that the limitation actually took place. It is sufficient that the disruption can be considered plausible, according to the court.
The District Court declared the objections unfounded and upheld all measures imposed by the ACM.
Epic Games has been ordered by the ACM to provide clarity about the availability period of items, to discontinue the use of timers, and to apply a minimum visibility period of 48 hours for minors. The court ruled that these measures are appropriate and sufficiently substantiated, given the limited playing time of children and the risks of impulse purchases.

Gelderland District Court rules that software developer's appeal based on exoneration clause is valid
On January 21, 2026, the Gelderland District Court published a ruling in civil proceedings between Primedinners B.V. and Media Artists B.V. The case concerned damage proceedings in which Primedinners requested a declaration that Media Artists could not invoke a contractual exoneration clause.
In the main proceedings, the Arnhem-Leeuwarden Court of Appeal had already ruled that Media Artists had failed imputably in the timely delivery of the agreed software and that Primedinners could legally terminate the agreement. That ruling is final and forms the basis for these proceedings. The central issue in the damage proceedings is whether the contractual exoneration included in Media Artists' general terms and conditions applies.
The court considers that an exoneration clause must remain inapplicable if its application is unacceptable according to standards of reasonableness and fairness. That standard must be applied restrictively, and the court must carefully weigh all relevant circumstances together. In this context, Primedinners argued that Media Artists' exoneration clause is unusual in the IT sector, that Media Artists had a stronger position than Primedinners, that the clause was not specifically negotiated, and that the damage is extensive.
The court did not agree with Primedinners' arguments. Similar exoneration clauses are common in the sector, for example in the general terms and conditions of the trade association NL Digital. In addition, both parties are small businesses and Primedinners had sufficient opportunity to discuss the clause or seek legal assistance. The court ruled that Primedinners was accountable for its failure to take these actions.
The court does not consider the exoneration clause to be unacceptable according to standards of reasonableness and fairness. The nature of the cooperation agreement, Primedinners' dependence on Media Artists, and the amount of the pure financial loss do not detract from Media Artists' reliance on the exoneration clause.

European Commission publishes FAQ on the Data Act
On January 22, the Commission published an updated version of its FAQ on the Data Act. This FAQ is intended as practical guidance for market parties in implementing the Data Regulation.
The FAQ clarifies the application of the most important concepts and obligations under the Data Act, including the rights of users of connected products, the obligations of data controllers, and the relationship to the GDPR. The Commission emphasizes that the FAQ is not binding and does not constitute an extension of legal obligations.
A large part of the FAQ deals with the obligations of data holders when providing data to users and third parties designated by users. In this regard, the Commission clarifies that data must be made directly or indirectly accessible in a "comprehensive, structured, commonly used, and machine-readable format." Data holders must comply with such requests without undue delay, while ensuring that the quality, completeness, and security of the data are maintained.
The FAQ also explains the so-called "safety and security handbrake." This allows data holders to suspend or refuse data provision in order to protect trade secrets or if safety and security standards so require.
In addition, the Commission provides clarifications on the role of users of connected products in cases where there are multiple users, the scope of user rights, application outside the EU, and the possibility of sharing data with third parties. Users must be located within the EU, but they may request the data holder to transmit their data to a third party outside the EU. The data holder is not obliged to comply with such a request.
The FAQ also addresses the overlap with the GDPR, including the need for non-involved users to have an independent legal basis for the processing of personal data.
Finally, the FAQ contains a detailed explanation of other aspects of the Data Act, such as access to data by public authorities, the obligations of cloud and data service providers in the transfer process, and enforcement mechanisms.

EU and Brazil adopt mutual adequacy decisions
On January 26, the Commission and Brazil adopted mutual adequacy decisions allowing the transfer of personal data from the EU to Brazil and vice versa without any additional safeguards.
According to the Commission, the Brazilian Constitution recognizes privacy and data protection as fundamental rights. Additionally, the Lei Geral de Proteção de Dados (LGPD) provides a general legal framework that is largely consistent with the GDPR. The LGPD contains provisions on lawfulness, purpose limitation, data minimization, transparency, and security of personal data. The framework also recognizes rights for data subjects, including access, rectification, erasure, and data portability.
According to the Commission, the ANPD, the supervisory authority for the LGPD, has enforcement powers comparable to those of European supervisory authorities. Brazil therefore offers a level of protection that is "essentially equivalent" to the GDPR.
The mutual recognition of adequacy creates the largest area for free and secure data flows in the world, covering approximately 670 million individuals. The Commission emphasizes that this reduces costs and promotes legal certainty for European companies operating in Brazil and for Brazilian companies entering or wishing to enter the European market.
The Commission will review the adequacy decision after four years. Controllers must continue to comply with the other obligations of the GDPR, including transparency, security, and the conclusion of processing agreements.

Marc Elshof attorney-at-law | partner
T: +31 70 376 06 87 M: +31 6 46 37 61 08 marc.elshof@barentskrans.nl

Lars Groeneveld attorney-at-law | senior associate
T: +31 70 376 06 48 M: +31 6 46 11 04 57 lars.groeneveld@barentskrans.nl

Job Julicher attorney-at-law
T: +31 70 376 08 10 M: +31 6 27 42 99 77 job.julicher@barentskrans.nl

Julius Louter attorney-at-law
T: +31 70 376 06 40 M: +31 6 15 43 37 52 julius.louter@barentskrans.nl

BarentsKrans
The Hague | Amsterdam +31 70 376 06 06 communicatie@barentskrans.nl www.barentskrans.nl