Dastra Insights: what happened in May?

Leïla Sayssa
June 1, 2026 · 13 minutes read time

Are you tired of generic newsletters that skim over your real challenges? Dastra offers you Dastra Insights, a legal and regulatory watch specially designed for DPOs, in-house counsel, and Privacy and AI professionals.

🎯 Targeted, useful monitoring grounded in the day-to-day reality of data protection and AI.

Here is our selection for May 2026:

[AI-EU] European Commission consultation on AI transparency obligations

Date: 8 May 2026
Source: European Commission

The European Commission has opened a consultation on draft guidelines relating to the transparency obligations provided for under the AI Act. These obligations will apply from 2 August 2026 and concern, in particular, informing individuals when they interact with an AI system, as well as labelling or detecting certain content generated or manipulated by AI.

This topic is directly operational for AI providers and deployers, especially for chatbots, AI assistants, deepfakes, AI-generated publications on matters of public interest, emotion recognition systems, and biometric categorization systems. Lawyers and DPOs should follow the finalization of these guidelines, as they will clarify compliance expectations before the obligations take effect.

The consultation is open until 3 June 2026. The Commission also indicates that a voluntary code of practice on the labelling and marking of AI-generated content is expected in June 2026.

[AI-EU] Political agreement on the AI Omnibus and timetable for high-risk systems

Date: 7 May 2026
Source: European Commission

The European Commission announced a political agreement between the European Parliament and the Council on simplifying certain implementation rules of the AI Act as part of the so-called Digital Omnibus on AI package. The agreement notably changes the application timetable for certain high-risk AI systems.

The rules applicable to high-risk systems in areas such as biometrics, critical infrastructure, education, employment, migration, asylum, or border control would apply from 2 December 2027. For systems embedded in certain products, such as toys or elevators, the deadline would be 2 August 2028.

For compliance teams, the challenge is twofold: avoid treating this delay as a general suspension of the AI Act, and adjust compliance roadmaps according to the categories of systems involved. Obligations already applicable or about to become applicable, notably in relation to prohibited practices, AI literacy, GPAI, and transparency, remain to be addressed separately.

[AI-EU] Commission publishes draft guidelines on classifying high-risk AI systems

Date: 19 May 2026
Source: European Commission - Guidelines for providers and deployers of AI high-risk systems

The European Commission has published draft guidelines to help providers and deployers determine whether an AI system should be classified as a high-risk system under the AI Act. The document clarifies how the classification should be interpreted and includes practical examples covering the main areas concerned.

The guidelines are not legally binding at this stage, but the Commission states that they reflect its interpretation and will guide application of the regulation. They are subject to a targeted consultation open until 23 June 2026, before the final version is adopted.

[AI-EU] Annual report on prohibited practices and high-risk use cases

Date: 22 May 2026
Source: European Commission

The Commission has published a review report on the possible need to amend the list of prohibited AI practices and high-risk use cases under the AI Act. This report is part of the monitoring mechanism provided for by Article 112 of the AI Act.

The Commission notes in particular that the assessment of certain especially harmful practices remains at an early stage, but mentions the political agreement on the AI Omnibus, including a ban on systems generating non-consensual sexually explicit or intimate content, including certain so-called “nudification” applications.

For lawyers and DPOs, this report confirms that the mapping of high-risk AI uses should not be frozen: the AI Act lists are likely to evolve in step with technological risks, especially in relation to biometrics, synthetic content, protection of minors, and infringements of fundamental rights.

[AI] CNIL-PIPC awareness campaign on generative AI and privacy

Date: 27 May 2026
Source: CNIL - Generative AI and privacy

The CNIL and the PIPC, the Korean data protection authority, have published an awareness poster dedicated to the use of generative AI services and the protection of personal data. The initiative is part of their cooperation launched in 2022.

Although the document is broadly aimed at user awareness, it is useful for internal privacy awareness programs, especially in organizations deploying generative AI tools to employees, students, public officials, or young audiences.

For DPOs, the practical value lies in integrating simple messages into internal AI-use policies: do not enter personal or sensitive data into tools the organization does not control, check privacy settings, and raise awareness of the risks linked to the re-use of prompts and of the content provided to the tool.

[AI-UK] The ICO announces its priorities for “safe” AI innovation

Date: 29 May 2026
Source: ICO - Response to government on safe AI-powered innovation

The ICO has published its response to the UK government on safe AI innovation. The regulator announces work for 2026/2027 to strengthen consumer trust and legal certainty for businesses regarding the application of data protection law to AI.

The announced priorities include the development of an AI code of practice, guidance dedicated to agentic AI, and support for consumers in an increasingly personalized AI environment.

For lawyers and DPOs operating in the UK, this announcement signals the ICO’s next doctrinal focus areas. AI projects involving automated decision-making (ADM), biometric data, agentic models, or personalization should be anticipated in DPIAs, AI governance policies, and contract reviews.

[GDPR-Transfers] Europrivacy as a certification usable for transfers

Date: 16 April 2026
Source: EDPB - Opinion 15/2026 Europrivacy certification criteria

The EDPB adopted Opinion 15/2026 on Europrivacy certification criteria, regarding their approval as a European data protection seal that can be used as a tool for transfers under Articles 42 and 46 of the GDPR.

This development is important for organizations looking for international transfer mechanisms other than standard contractual clauses or BCRs. It does not remove the transfer analysis or risk assessment, but it may enrich the compliance toolkit for documenting appropriate safeguards.

DPOs will need to follow the exact practical conditions for using this certification, particularly its interaction with post-Schrems II supplementary measures, importer commitments, and ongoing monitoring requirements.

[Health-FR] EUR 5 million fine against IQVIA

Date: 28 May 2026
Source: CNIL - Health data: a EUR 5 million fine imposed on IQVIA

The CNIL fined IQVIA Operations France EUR 5 million for breaches related to the management of health data warehouses. The decision notably concerns failure to comply with safeguards intended to limit risks for data subjects.

One particularly important point concerns the qualification of the data: IQVIA argued that the data were anonymous, but the restricted committee held that they were only pseudonymous, since re-identification remained possible with reasonable means.

This decision is significant for players in healthcare, research, pharmaceutical studies, and data science. It is a reminder that pseudonymization does not take data outside the scope of the GDPR, and that authorizations or processing frameworks must be respected in practice, not merely in the initial documentation.

[GDPR-FR] CNIL: 2025 annual report, AI priorities, cybersecurity and European cooperation

Date: 18 May 2026
Source: CNIL - Annual report: the CNIL’s 2025 record and key actions

The CNIL has published its 2025 annual report, highlighting a year marked by an increase in complaints, an unprecedented level of fines, a record number of data breach notifications, and the authority’s preparation for its new missions under the AI Act.

The report confirms three major priorities: regulation of artificial intelligence, cybersecurity, and European cooperation. On AI, the CNIL recalls its support work on generative AI, the publication of resources for designers and developers, and its upcoming scaling-up under the AI Act. On cybersecurity, it states that it received 6,167 data breach notifications in 2025, about one incident in two being linked to hacking.

The most operational information is the announcement that in 2026, the CNIL will devote 50% of its inspections and enforcement actions to data security breaches. DPOs should draw a practical consequence: evidence of security measures, vendor management, incident documentation, DPIAs, and cyber/GDPR governance become priority control points.

[GDPR-FR] Douai Court of Appeal: GDPR non-compliance of a website may lead to contract nullity

Date: 7 May 2026
Source: Court of Cassation - CA Douai, 7 May 2026, No. 22/05075

The Douai Court of Appeal declared a website creation and rental contract null and void due to an error concerning the essential qualities of the delivered website. The dispute was between Auffray Paysage, the client, and Axecibles, the provider responsible for creating the website. The Court held that the website collected personal data under conditions that did not comply with the GDPR and cookie regulations.

The decision notes in particular that cookies, including a Google Analytics cookie, were installed automatically despite the absence of valid user choice. The Court also mentions the processing linked to the contact form and the free callback button. It recalls that continuing to browse does not constitute valid consent and that the requirements relating to consent for trackers are not mere recommendations.

The practical significance is major for IT and web contracts: GDPR compliance is not only a matter of administrative sanction by the CNIL. It can also become an essential quality expected of the delivered service, the absence of which affects contract validity. Digital service providers must therefore embed privacy by design compliance in their deliverables, and clients should contractually frame obligations relating to cookies, forms, analytics, security, and compliance documentation.
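The gating logic the judgment points to, as an added example that is not part of the article, the decision, or either party's code: a consent gate that refuses to load an analytics tracker until an explicit, recorded choice exists, treats scrolling or continued browsing as no choice at all, and audits a cookie string for Google Analytics cookies (`_ga` and `_gid`, the real cookie names) set before consent. The storage key, the consent record format, the placeholder script URL and the fake document used to run it offline in Node are assumptions made for the example.

```javascript
// Added example (not from the Dastra article or the Douai decision). A consent
// gate for analytics trackers written so that the two defects the court found,
// a tracker set on page load and "continued browsing" treated as consent,
// cannot happen by construction. `_ga` / `_gid` are the real Google Analytics
// cookie names; the storage key, record format and URL are assumptions.

const CONSENT_KEY = "analytics_consent";   // assumed storage key (localStorage/cookie)
const TRACKER_COOKIES = ["_ga", "_gid"];    // Google Analytics cookie names

// Parse a stored consent record. Only an explicit, recorded choice counts.
// Absence, malformed data, or a record without `explicit: true` maps to
// "unknown", which the gate treats exactly like a refusal.
function consentState(raw) {
  if (typeof raw !== "string" || raw.length === 0) return "unknown";
  try {
    const rec = JSON.parse(raw);
    if (rec && rec.explicit === true && rec.choice === "granted") return "granted";
    if (rec && rec.explicit === true && rec.choice === "denied") return "denied";
  } catch (_) { /* malformed record: fall through to "unknown" */ }
  return "unknown";
}

// The gate: nothing but an explicit grant loads the tracker.
function shouldLoadAnalytics(state) {
  return state === "granted";
}

// Record a user choice. Only choices produced by a deliberate UI action are
// written; the source is stored so an audit can show the consent was not
// inferred from scrolling, navigation or a timeout.
function recordChoice(choice, source) {
  const deliberate = new Set(["banner_accept", "banner_reject", "settings_page"]);
  if (!deliberate.has(source)) {
    throw new Error(`refusing to record consent from non-deliberate source: ${source}`);
  }
  if (choice !== "granted" && choice !== "denied") throw new Error("bad choice");
  return JSON.stringify({ choice, explicit: true, source, ts: new Date().toISOString() });
}

// Split a Cookie header / document.cookie string into cookie names.
function cookieNames(cookieString) {
  return cookieString.split(";").map(c => c.trim().split("=")[0]).filter(Boolean);
}

// Audit check: tracker cookies present while consent is not granted is the
// finding in the judgment. Returns the offending cookie names.
function preConsentTrackers(cookieString, state) {
  if (state === "granted") return [];
  const names = new Set(cookieNames(cookieString));
  return TRACKER_COOKIES.filter(n => names.has(n));
}

// Inject the analytics script only when the gate allows it. `doc` is any
// object exposing createElement and head.appendChild (a real document, or the
// constructed fake below).
function injectAnalytics(doc, state, scriptUrl) {
  if (!shouldLoadAnalytics(state)) return false;
  const s = doc.createElement("script");
  s.src = scriptUrl;
  s.async = true;
  doc.head.appendChild(s);
  return true;
}

// --- Offline demonstration on a constructed fake document ---------------------
function fakeDocument() {
  const scripts = [];
  return {
    scripts,
    head: { appendChild: el => scripts.push(el) },
    createElement: tag => ({ tag }),
  };
}

function demo() {
  const url = "https://example.invalid/analytics.js";   // placeholder, not a real script
  const d1 = fakeDocument();
  // 1. First visit: nothing stored yet; the user scrolls. Nothing may load.
  const loadedOnFirstVisit = injectAnalytics(d1, consentState(null), url);
  // 2. Same visit, after an explicit "accept" click in the banner.
  const stored = recordChoice("granted", "banner_accept");
  const loadedAfterAccept = injectAnalytics(d1, consentState(stored), url);
  // 3. Audit of a constructed cookie string where _ga was set before any choice.
  const offenders = preConsentTrackers("_ga=GA1.2.1; session=abc", consentState(null));
  return { loadedOnFirstVisit, loadedAfterAccept, scriptsLoaded: d1.scripts.length, offenders };
}

console.log(demo());
```

The point of `consentState` returning "unknown" for anything not explicitly recorded is that the default is refusal: a banner that has simply not been answered, a scroll, or a record written by a tracker itself cannot open the gate. `preConsentTrackers` is the check to run against a fresh browser profile before any banner interaction; any non-empty result is the situation the Court described.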

[Health-FR] CNIL: update of reference methodologies MR-001 and MR-003

Date: 26 May 2026
Source: CNIL - Health research: the CNIL updates and expands the scope of reference methodologies 001 and 003; see also the compliance grids MR-001 / MR-003

The CNIL announced the update and expansion of reference methodologies MR-001 and MR-003, which govern certain health data processing activities for research purposes. MR-001 applies to research requiring consent collection, while MR-003 applies to research that does not require such consent for participation.

The changes concern notably the scope, categories of data, recipients, information provided to individuals, security, transfers outside the European Union, and the use of processors. The CNIL also specifies that the new methodologies are supplemented by annexes on security and quality control, as well as annotated versions and compliance checklists.

For controllers, sponsors, CROs, healthcare institutions, and DPOs, the practical impact is very concrete: when a study complies with the applicable reference methodology, it may be conducted on the basis of a compliance undertaking, without prior CNIL authorization. By contrast, non-compliant studies must be documented and, depending on the case, submitted for authorization. Studies or substantial changes implemented from 23 May 2026 onward must be assessed against the new versions.

[Cloud] CNIL clarifies GDPR roles of cloud actors

Date: 28 May 2026
Source: CNIL - What qualifications apply to cloud computing actors?

The CNIL has published guidance on how cloud actors should be qualified under the GDPR: controller, joint controller, or processor. It notably distinguishes between processing linked to the provision of the service, service improvement, security “of” the cloud, and security “in” the cloud.

This clarification is very useful for cloud contracts, risk analyses, processor clauses, compliance documentation, and the management of data subject rights requests. The CNIL stresses that the qualification depends on a concrete analysis of the provider’s degree of control, the purposes pursued, and the essential means of the processing.

For DPOs, the practical point is clear: processing for service improvement or general security carried out by the provider should not automatically be classified as processing by a processor. Depending on the case, it may fall within the provider’s own responsibility.

[Cyber-EU] NIS2: adoption of common incident notification templates

Date: 26 May 2026
Source: European Commission - NIS2 Cooperation Group adopts common templates for incident reporting

The NIS2 Cooperation Group, bringing together Member States, the European Commission and ENISA, has adopted common templates for reporting cybersecurity incidents. The adoption took place during the 39th plenary meeting in Cyprus.

These templates are intended to harmonize notification fields across the European Union and reduce administrative burden for essential and important entities operating in several Member States. The Commission indicates that it plans to adopt these templates by an implementing act, which would make them mandatory for all Member States.

For DPOs and compliance lawyers, the relevance is immediate: a single incident may trigger both a NIS2 notification to the CSIRT or competent authority and, where personal data are involved, a GDPR notification to the data protection authority. Internal incident response procedures must therefore align the NIS2 deadlines under Article 23 (the 24-hour early warning and the 72-hour incident notification) with the 72-hour deadline of Article 33 of the GDPR, ideally from a single incident record so that both notifications draw on the same facts.

[Cyber-UK] The ICO publishes five measures against AI-amplified cyber threats

Date: 14 May 2026
Source: ICO - Five steps to protect your organisation from AI-powered cyber threats

The ICO has published practical recommendations to help organisations address AI-amplified cyber threats, including AI-generated phishing, automated vulnerability discovery, credential compromise, and data poisoning.

The regulator recalls that UK GDPR obligations require appropriate technical and organisational measures to protect personal data. It also emphasises the importance of a DPIA and safeguards where AI tools process high-risk data.

This publication is useful for bridging AI governance and cyber compliance programmes. DPOs should ensure that risks specific to AI systems, including attacks targeting models, training data, or outputs, are integrated into risk assessments and security documentation.

