Are you tired of generic newsletters that skim over your real challenges? Dastra offers you Dastra Insights, a legal and regulatory watch specially designed for DPOs, in-house counsel, and Privacy and AI professionals.
🎯 Targeted, useful monitoring grounded in the day-to-day reality of data protection and AI.
Here is our selection for June 2026:
[AI / GDPR / Regulatory Simplification] The Omnibus package moves forward on the AI Act and GDPR documentation obligations
Date: June 2026
Source: European Parliament, European Commission, EDPB / EDPS
The digital simplification Omnibus package remains a key topic to watch for data, AI, and compliance teams. On the AI Act side, the European Parliament has approved simplification measures providing in particular for a delay of certain obligations applicable to high-risk AI systems, while maintaining the AI Act’s risk-based approach. The text also provides for a ban targeting certain “nudifier”-type systems and sexually explicit non-consensual content generated by AI.
On the GDPR side, the Commission has proposed easing certain record-keeping obligations for processing activities, notably for SMEs and certain mid-cap companies, where the processing does not present a high risk to the rights and freedoms of data subjects. The EDPB and the EDPS welcomed the goal of reducing administrative burden, while recalling that simplification must not weaken fundamental rights or the GDPR’s core principles.
For lawyers, DPOs, and compliance teams, the challenge is twofold: closely track the new AI Act compliance timelines, and avoid interpreting the GDPR simplification measures as a general exemption from documentation. Even if the register is formally lightened, organizations will still need to be able to demonstrate compliance, especially for risky processing, sensitive processing, AI-related processing, and arrangements involving monitoring, profiling, or automated decision-making.
[AI Act / Transparency] The Commission publishes the Code of Practice on labelling AI-generated content
Date: 10 June 2026
Source: European Commission
The European Commission has published the final Code of Practice on marking and labelling content generated or manipulated by AI. The code is voluntary, but it is intended to help providers and deployers of generative AI systems prepare for the AI Act’s transparency obligations.
Legal teams should monitor this closely for chatbots, deepfakes, public-interest content, and user interfaces. The code may become a practical reference for documenting labelling choices, internal controls, and product trade-offs.
[AI Act / Governance] The AI Act Advisory Forum holds its first meeting
Date: 22 June 2026
Source: European Commission
The Commission held the first meeting of the AI Act Advisory Forum, the consultative body provided for under Article 67 of the AI Act. Discussions focused on operating rules, standardisation, the Code of Practice on transparency for AI-generated content, and guidance on classifying high-risk AI systems.
The main interest is institutional: the AI Act’s interpretation and implementation ecosystem is taking shape. Affected companies should monitor the forum’s contributions, as they may influence standards, guidance, and compliance expectations.
[GDPR / Connected Mobility] The CNIL publishes its recommendation on location data from connected vehicles
Date: 30 June 2026
Source: CNIL
The CNIL has published its final recommendation on the use of location data from connected vehicles, following a public consultation. The text is aimed at manufacturers, rental companies, fleet managers, telematics providers, and data intermediaries.
The practical impact is significant: the CNIL clarifies in particular when consent is required under ePrivacy, how rights are managed in multi-user vehicles, data minimisation, retention periods, and security measures. Mobility players should review their information flows, legal bases, and mechanisms for disconnecting or deleting onboard data.
[Minors / Emerging Technologies] G7 authorities adopt principles on the protection of minors
Date: 26 June 2026
Source: CNIL
Meeting in Paris on 25 and 26 June at the CNIL’s invitation, the G7 data protection authorities adopted key principles on protecting minors in the face of emerging technologies.
Although these principles do not directly create new obligations, they provide a useful indication of supervisory priorities: digital age assurance, minors’ exposure to online services, protective design by default, appropriate transparency, and provider accountability. For DPOs, this is a sign of international convergence on expectations applicable to services used by children.
[UK GDPR / Complaints] New UK data protection complaints obligation
Date: 23 June 2026
Source: ICO
Impact: High
Source confidence: High, official source
The ICO confirms the entry into force of new requirements under the Data (Use and Access) Act: all organizations processing personal data must provide a clear complaints mechanism, acknowledge receipt within 30 days, investigate appropriately, and communicate the outcome of the complaint.
This is a highly operational update for compliance teams in the UK. Organizations should review their complaints procedures, response scripts, internal traceability, and the interaction with rights requests, access requests, and marketing complaints.
[IoT / Connected Devices] The ICO finalises its expectations for consumer connected products
Date: 11 June 2026
Source: ICO
The ICO publishes its final guidance on consumer IoT products and services. It covers, among others, connected speakers, smart TVs, fitness trackers, connected doorbells, home hubs, and household appliances.
The authority emphasises privacy by design, protective default settings, genuine and revocable consent, information at the right time, DPIAs when data is sensitive or children may use the product, as well as ongoing security. The ICO also announces a focus on smart TVs and targeted advertising, with a clear issue around consent and transparency.
[Data Breaches / GDPR] The EDPB adopts a common data breach notification template
Date: 10 June 2026
Source: EDPB
The EDPB adopts a common template for notifying personal data breaches. The aim is to harmonise the information submitted to supervisory authorities and facilitate application of Article 33 of the GDPR.
This is a directly usable tool for DPOs: it can serve as a benchmark for updating internal incident procedures, information-collection forms, 72-hour notification playbooks, and interactions with security, IT, and legal teams.
[Data Subject Rights / One-Stop-Shop] The EDPB updates its digest on the right to object and the right to erasure
Date: 25 June 2026
Source: EDPB
The EDPB publishes an updated One-Stop-Shop digest on the right to object and the right to erasure. The document is based on cross-border decisions and sets out how authorities assess the internal processes implemented by organisations.
For privacy teams, this is a useful resource to test the robustness of rights-request procedures: requests for account deletion, objection to direct marketing, response times, traceability, remedial measures, and consistency across European subsidiaries.
[AI / Data Governance] The United Arab Emirates announce the creation of a new authority dedicated to AI and data
Date: 14 June 2026
Source: Government of Dubai Media Office
The United Arab Emirates have announced the creation of a new Artificial Intelligence and Data Authority, placed under the authority of the Cabinet and intended to become the sole national body responsible for data, artificial intelligence, and digital government. The authority will bring together functions previously carried out by the Office of Artificial Intelligence, the digital government sector within the Telecommunications and Digital Government Regulatory Authority, as well as the UAE Data Office.
At this stage, the announcement is not accompanied by a new legislative text. It is nevertheless worth noting for lawyers and compliance teams, as the implementing regulations of the Emirati data protection law are still awaited. The creation of an integrated authority covering data, AI, and digital services could therefore signal a further step toward regulatory structuring.
It will also be important to monitor how the UAE chooses to regulate AI. The country already has policies, strategies, and guidelines, but their possible translation into legal obligations will raise classic and sensitive issues: protection of individual rights, data governance, security, transparency, while preserving economic attractiveness and business innovation.
