In this week's roundup, I'm gathering some of the most important and interesting data, technology & digital law news from the past week.
Legal and regulatory developments
A) New laws, regulatory proposals, enforcement actions
The Data Act became applicable as of September 12, 2025. The European Parliamentary Research Service (EPRS) published a brief overview of the main provisions of the Data Act. (The European Commission has also updated its FAQ about the Data Act.) (In the meantime, doubts arise as to the readiness of national competent authorities to enforce the Data Act.)
Why does this matter? “The Data Act aims to create value from data generated by connected products and services, by introducing data-sharing obligations. The principles enshrined in the Act have received general approval, but concerns have been expressed about the clarity of certain definitions, the sharing of commercially sensitive data and its regulatory complexity.”
The European Commission published a guidance on vehicle data, accompanying the Data Act.
Why does this matter? “This guidance on vehicle data provides tailored advice to automotive stakeholders on how to implement Chapter II of the Data Act. It aims to explain the key obligations of the Data Act as they relate to vehicle data as defined in paragraph 19 of this guidance, focusing on the data that fall within the scope of Chapter II of the Data Act and on the applicable access rules. This guidance only concerns the automotive sector. This includes original equipment manufacturers (OEMs), suppliers, aftermarket service providers and insurance providers. Its content cannot therefore be automatically extrapolated to other industries or to the public sector.”
Italy became the first EU Member State to pass comprehensive AI law that align with the AI Act.
Why does this matter? “The law introduces cross-sector rules covering healthcare, work, public administration, justice, education and sport, requiring traceability and human oversight of AI decisions. It also limits AI access for under-14s to parental consent. […] The government designated the Agency for Digital Italy and the National Cybersecurity Agency as national authorities on AI development, while watchdogs including the Bank of Italy and market regulator Consob retain their powers. New criminal provisions target unlawful dissemination of AI-generated content, such as deepfakes, punishable by between one to five years in prison if it causes harm. […] On copyright, works created with AI assistance are protected if they result from intellectual effort […]. In healthcare, AI can assist diagnosis and care under conditions, with doctors retaining final decision-making and patients' maintaining the right to be informed. For workplaces, the law requires employers to inform workers when AI is being deployed.”
The Federal Ministry for Digital Affairs (Germany) has launched the state and association consultation on the draft bill for the implementation of the AI Act, (“AI Market Surveillance and Innovation Promotion Act”; KI-MIG).
Why does this matter? “The draft bill names the competent authorities in Germany, regulates their tasks and the interaction of the affected areas. It also contains measures to promote AI innovation and regulations for the fine procedure.”
The European Commission has opened a call for evidence to collect research and best practices on how to simplify its legislation in the upcoming Digital Omnibus, especially when it comes to data, cybersecurity and artificial intelligence (AI). The feedback period of the call for evidence is open until 14 October 2025.
Why does this matter? “The digital package will announce the Commission’s digital simplification agenda for the next years and propose a digital omnibus with a first set of measures to bring immediate relief to businesses. As underpinned by three public consultations, immediate measures are considered in particular for the data acquis, rules on cookies and other tracking technologies, cybersecurity incident reporting, and targeted adjustments to the Artificial intelligence Act to ensure the optimal application of the rules.”
Mario Draghi, the author of the report prepared for the European Commission on EU competitiveness, has urged “radical” cuts to the GDPR and called for a pause on implementing parts of the AI Act in order to foster regional AI development. (You can find Draghi report on EU competitiveness here.)
Why does this matter? “[…] he warned that Europe needs `new speed, scale and intensity` in the face of growing competition from China and the US, particularly in key tech sectors such as artificial intelligence. His speech pressed the Commission to deliver `results within months and not years.` […] The Commission must tackle obstacles to accessing data, he said, accusing the GDPR of creating high levels of legal uncertainty for AI developers. […] He also turned his fire on the AI Act itself, calling for the next stage of implementation to be “paused until we better understand the drawbacks” – a reference to the Act’s provisions that apply to “high risk” uses of AI in areas like critical infrastructure.”
President of Brazil signed a bill containing new children's online safety rules and empowering Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD), as an autonomous agency.
Why does this matter? The changes concerning the status of the ANPD may also be relevant for the adoption of an adequacy decision for Brazil.
B) Guidelines, opinions & more
The European Data Protection Board (EDPB) has adopted guidelines on the interplay between the Digital Services Act (DSA) and the GDPR.
Why does this matter? “Several provisions included in the DSA entail the processing of personal data by intermediary service providers. The EDPB guidelines contribute to the consistent application of the DSA and of the GDPR, insofar as some provisions of the DSA concern the processing of personal data by intermediary service providers and include references to GDPR concepts and definitions. […] The EDPB guidelines help to understand how the GDPR should be applied in the context of DSA obligations. The EDPB also provides practical guidance relating to the cross-regulatory cooperation between authorities to coordinate enforcement which will provide more legal certainty for intermediary service providers and ultimately to protect the rights and freedoms of individuals.”
The EU Commission and the Personal Information Protection Commission of the Republic of Korea published a joint statement on the entry into force of the South Korean adequacy decision on the EU.
Why does this matter? The PIPC’s decision recognises the European Union’s personal data protection framework as equivalent. “Together with the 2021 European Commission’s adequacy decision on the Republic of Korea, this establishes a comprehensive area of free and safe personal data flows between the two jurisdictions. […] This innovative mutual adequacy arrangement covers both the private and public sectors. […] This arrangement will complement and enhance the benefits of the EU-Korea Free Trade Agreement and the recently concluded Digital Trade Agreement. […] This arrangement will also be the basis for working even closer together to shape global discussions on personal data protection, artificial intelligence (AI) and to contribute proactively to the spread of digital trust worldwide. ”
The European Data Protection Supervisor (EDPS) published its opinion on the negotiating mandate for a framework agreement between the EU and the USA on the exchange of information for security screenings and identity verifications.
Why does this matter? “The EDPS notes that the proposed framework agreement, once finalised, would establish an important precedent, as it would be the first agreement concluded by the EU to entail large-scale sharing of personal data, including biometric data (fingerprints), for the purpose of border and immigration control by a third country. Therefore, the EDPS stresses the need to ensure that the envisaged processing of personal data does not exceed the limits of what is strictly necessary and proportionate.”
The UK´s Information Commissioner´s Office (ICO) debunks myths on storage and access technologies.
Why does this matter? ICO recognised that there are still “some common misunderstandings about how the law applies to storage and access technologies, like cookies or tracking pixels” and they are committed to addressing such myths.
The French Data Protection Authority (CNIL) issued guidance on school surveillance systems. (The document is available in French.)
Why does this matter? “To secure access and avoid incidents, cameras are installed in schools to film the corridors, entrance halls, the school's living areas and the street. These devices must comply with various rules so as not to infringe on the privacy of students and educational staff.”
C) Publications, reports
The largest study to date was published of how people are using ChatGPT. (The full report is avaiolable here.)
Why does this matter? “The findings show that consumer adoption has broadened beyond early-user groups, shrinking the gender gap in particular; that most conversations focus on everyday tasks like seeking information and practical guidance; and that usage continues to evolve in ways that create economic value through both personal and professional use. This widening adoption underscores our belief that access to AI should be treated as a basic right—a technology that people can access to unlock their potential and shape their own future.”
The European Commission´s Directorate-General for Education, Youth, Sport and Culture and the SHARE 2.0 Community of Practice on Innovation published a report on Artificial intelligence in the sport sector.
Why does this matter? “The paper provides background information regarding the role of AI in the sport sector focusing on three key areas: grassroots sport, professional sport and fan engagement. The paper offers recommendations on how AI can be approached from clubs and organisations active in these three sectors. The ideas proposed are based on input from the Community of Practice in Innovation and its Steering Group.”
Data, Technology & Company news
Albania appointed the world’s first AI-made minister, called “Diella”. “Diella, who is powered by artificial intelligence, will handle public procurement.”
Why does this matter? “Albania has become the first country in the world to have an AI minister — not a minister for AI, but a virtual minister made of pixels and code and powered by artificial intelligence.”
Britain and the United States have agreed a technology pact to boost ties in AI, quantum computing and civil nuclear energy.
Why does this matter? “Under the deals announced, chipmaker Nvidia said it would deploy 120,000 graphics processing units across Britain - its largest rollout in Europe to date. It is working to deploy up to 60,000 Grace Blackwell Ultra chips with UK-based Nscale, which will partner OpenAI in a UK leg of the U.S. company's giant Stargate project and tie-up with Microsoft to establish Britain's largest AI supercomputer. Microsoft said it would invest 22 billion pounds in total to expand cloud and AI infrastructure as well as in the supercomputer, which will be in Loughton, north-east London.”
Based on news reports, “A deal has been made between the US and China to keep TikTok running in the US, […].”
Why does this matter? “The social media platform, which is run by Chinese company ByteDance, was told it had to sell its US operations or risk being shut down. However, Trump has repeatedly delayed the ban since it was first announced in January. Later on Tuesday, he ordered the deadline extended again, until 16 December. […] The Wall Street Journal reported that under a deal being negotiated between the US and China, TikTok's U.S. business would be controlled by an investor consortium that would include tech company Oracle, private equity firm Silver Lake, and venture capital firm Andreessen Horowitz. In a new US entity created under the deal, US investors would hold a roughly 80% stake and Americans would dominate the board, with one member selected by the US government, according to the Journal, which cited people familiar with the matter. US users, meanwhile, would move to a new app, currently in the testing phase, that will have content-recommendation algorithms using technology licensed from ByteDance. […] It also said Oracle would keep its existing agreement to host TikTok servers inside the US.”
Nvidia invests $5bn in rival Intel.
Why does this matter? “The deal, announced on Thursday, will involve a partnership between the two American companies to make personal computer and data centre chips, as demand for AI continues to surge and companies seek to power massive data centres. It will make Nvidia one of Intel's biggest shareholders, with a roughly 4% stake in the troubled semiconductor company.”
Leading internet publishers and technology companies, including Reddit, Yahoo, People Inc., Internet Brands, Ziff Davis, Fastly, Quora, O’Reilly Media, and Medium, announced their support for the launch of the RSL Standard licensing protocol and the nonprofit RSL Collective rights organization.
Why does this matter? “Through the new RSL Standard, the RSL Collective will provide fair, standardized compensation for publishers and creators, and simple, automated licensing for AI and technology companies.”