RegRally Insights: Personal Data Protection and ICT Regulation – June 2026

This edition of RegRally Insights reflects a continued tightening of EU data protection enforcement and a widening regulatory focus across digital services, AI systems, and cross-border data transfers. Supervisory authorities and courts are reinforcing a strict, practice-based interpretation of GDPR principles, with increasing emphasis on transparency, accountability, and demonstrable compliance.

A key theme this month is the expansion of enforcement beyond individual complaints. Regulators and courts are confirming that investigations may escalate into systemic assessments, leading to broad corrective measures and significant financial exposure for controllers.

Cross-border data transfers remain under sustained scrutiny, with regulators taking a particularly strict approach to transfers outside the EEA and reinforcing the requirement for “essentially equivalent” protection in practice. At the same time, new developments around GDPR certification mechanisms suggest a gradual shift toward more structured, standardised compliance tools for international data flows.

AI and employee data processing are emerging as a new enforcement frontier, with growing attention on how workplace communications and behavioural data are reused for model training and automation. Authorities are increasingly testing the limits of purpose limitation and transparency in this context.

Overall, the regulatory direction is clear: organisations are expected to move beyond formal compliance frameworks and demonstrate operational, auditable adherence to GDPR principles across their data ecosystems.

Meta loses High Court challenge against Irish DPC in GDPR enforcement scope case

The Irish High Court has upheld the authority of the Irish Data Protection Commission (DPC) in a landmark case involving Meta Platforms Ireland Ltd, rejecting Meta’s challenge to the scope of a GDPR investigation originating from a single 2018 user complaint. The case concerned Facebook’s refusal to provide raw personal data stored in its “Hive” system, which the complainant argued was necessary to verify compliance with GDPR rights, including the right of access to special category data.

The DPC’s draft decision (October 2025) found multiple GDPR infringements and proposed significant corrective measures, including a reprimand, binding compliance orders, and administrative fines estimated between EUR 360–430 million. Meta contested the DPC’s authority to extend the investigation beyond the individual complaint to assess systemic processing practices affecting all Facebook users.

The High Court rejected this argument, confirming that complaint-driven investigations under GDPR may lawfully expand to address systemic issues where necessary to ensure effective enforcement. The court held that supervisory authorities are not limited to the narrow facts of the initial complaint and may impose system-wide corrective measures, including fines, where broader infringements are identified.

Key implications of the judgment

  • GDPR enforcement scope confirmed: Data protection authorities may expand investigations beyond the original complaint if systemic risks or infringements are identified.
  • System-wide remedies permitted: Supervisory authorities can impose corrective measures affecting large user bases, not only individual complainants.
  • Strong affirmation of DPC powers: The ruling reinforces the DPC’s broad investigative and enforcement discretion under the GDPR framework.
  • Increased compliance exposure for large platforms: Companies processing data at scale face heightened risk of cross-user enforcement actions triggered by individual complaints.

Overall, the decision significantly strengthens the EU data protection enforcement architecture by confirming that complaint-based procedures can evolve into full-scale systemic investigations with substantial financial and operational consequences for data controllers.

Recommendations

This case confirms that supervisory authorities may investigate and impose corrective measures beyond an individual complaint when broader GDPR compliance issues are identified.

Companies should therefore:

  • Ensure that data subject rights requests are handled consistently, completely, and within GDPR deadlines.
  • Regularly review internal data access, retention, and disclosure practices to identify potential compliance gaps before they become systemic issues.
  • Maintain clear documentation demonstrating how GDPR obligations are implemented in practice, including procedures for responding to access requests.
  • Conduct periodic audits of privacy governance frameworks to verify that policies, technical controls, and operational processes remain aligned.
  • Assess the potential wider impact of any identified compliance issue, as regulators may evaluate consequences affecting large groups of users rather than only the individual complainant.
  • Establish effective oversight mechanisms to detect recurring or large-scale compliance risks and implement corrective actions promptly.
  • Ensure accountability measures are in place, allowing the organisation to demonstrate compliance during regulatory investigations.

Dutch DPA fines Yango operator MLU EUR 100 million over unlawful data transfers to Russia

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has imposed a EUR 100 million fine on MLU B.V., the Netherlands-based operator of the Yango taxi application, for unlawful transfer and processing of personal data involving users in Norway and Finland. The case was conducted jointly with the Norwegian and Finnish supervisory authorities and concerns the transfer of sensitive personal data to Russia, where data protection standards are considered not equivalent to EU standards.

According to the regulator, MLU processed highly sensitive data, including driver’s licence scans, home addresses, and precise geolocation data, and stored or made it accessible on servers located in Russia. The authority concluded that this arrangement failed to meet the GDPR requirements for international data transfers, which require that personal data exported outside the EU be protected at a level essentially equivalent to EU safeguards.

The AP emphasised that data stored in Russia may be accessible to state authorities under legal frameworks that do not meet EU adequacy standards, creating heightened risks for data subjects. The decision is based on findings that the appropriate safeguards under Chapter V of the GDPR (such as adequate transfer mechanisms and technical/organisational measures) were insufficient or not properly implemented.

MLU disputes the findings, arguing that data was stored within the EU in pseudonymised and encrypted form and was not accessible to unauthorised parties. The company also notes that Yango ceased operations in Norway and Finland and has cooperated with regulators. MLU retains the right to appeal.

Key implications:

  • Reinforces strict EU stance on international data transfers to third countries without adequacy decisions, particularly Russia-related processing environments.
  • Confirms heightened regulatory scrutiny of corporate structures linked to Russian tech groups operating via EU subsidiaries.
  • Highlights the importance of robust technical and organisational safeguards (encryption, pseudonymisation, data localisation controls) in cross-border processing.
  • Demonstrates strong enforcement coordination between EU/EEA data protection authorities in cross-border GDPR cases.

Overall, the decision underscores that GDPR compliance for international data transfers is assessed not only on contractual safeguards, but also on the practical risk of access by third-country authorities, with significant financial and reputational consequences for non-compliance.

Recommendations

Organisations transferring personal data outside the EEA should not rely solely on contractual arrangements or vendor assurances. They should ensure that appropriate transfer mechanisms are in place, conduct Transfer Impact Assessments (TIAs) and regularly update them, and assess whether the laws and practices of the destination country could undermine the level of protection required under GDPR.

Particular attention should be paid to transfers involving jurisdictions where government access to personal data may be difficult to challenge or where privacy safeguards are not equivalent to those available within the EU. Regulators increasingly expect organisations to demonstrate, not merely assume, that transferred data remains adequately protected.

EDPB expands Europrivacy certification to support GDPR-compliant international data transfers

The European Data Protection Board (EDPB) has issued two opinions expanding the role of Europrivacy certification as a mechanism for GDPR compliance and international data transfer, strengthening regulatory clarity and cross-border data flow governance under the General Data Protection Regulation.

The first opinion extends Europrivacy, the European Data Protection Seal, to organisations established outside the EU/EEA. This allows non-European companies to obtain certification demonstrating alignment with GDPR requirements, thereby broadening the scheme’s applicability to global data processing activities and enabling third-country entities to formally evidence GDPR-level safeguards.

The second opinion introduces a transfer-specific certification framework under Article 46 GDPR. This version of Europrivacy is designed to operate as an international transfer safeguard, allowing data importers outside the EEA to demonstrate “essentially equivalent” protection through certification combined with binding and enforceable commitments. In practice, this creates a structured pathway for lawful cross-border transfers, reducing reliance on bespoke contractual assessments.

Key implications:

  • Alternative transfer mechanism: Certification becomes a formal GDPR transfer tool alongside SCCs, BCRs, and adequacy decisions.
  • Simplified compliance burden: Certified entities may reduce due diligence and ongoing monitoring obligations for EU data exporters.
  • Third-country accessibility: Non-EU organisations can directly obtain GDPR-aligned certification to support market access and data processing arrangements.
  • Increased reliance on independent audits: Continuous compliance verification becomes embedded in certification maintenance requirements.

The EDPB positions certification as a compliance-enhancing instrument that operationalises “data protection by design and by default,” while also strengthening trust in international data ecosystems. Compared to standard contractual clauses and binding corporate rules, certification introduces a more standardised, externally validated compliance benchmark, potentially reducing legal uncertainty in cross-border data transfers.

Overall, the development signals a shift toward more structured, auditable international data transfer mechanisms, with certification emerging as a strategic compliance and market-access tool for global data-driven businesses.

Recommendations

In light of the EDPB’s approval of international GDPR certification mechanisms, organisations transferring personal data outside the EEA should consider reviewing their current data transfer arrangements and compliance framework. In particular, businesses should:

  • identify and map international data transfers involving personal data;
  • review whether existing transfer mechanisms, such as Standard Contractual Clauses (SCCs), remain appropriate and sufficient;
  • assess whether GDPR certification schemes, including Europrivacy, could support compliance and reduce transfer-related risks;
  • evaluate third-party service providers and data processors located outside the EEA;
  • update internal data protection policies and transfer impact assessments where necessary;
  • monitor further guidance from the EDPB regarding the practical implementation of certification-based transfer mechanisms.

For organisations that regularly transfer personal data to non-EEA countries, certification may become a valuable tool for demonstrating GDPR compliance, strengthening business credibility and reducing legal uncertainty in cross-border data processing arrangements.

DPC launches GDPR investigation into Shein over transfers of EU customer data to China

The Irish Data Protection Commission (DPC) has opened an investigation into online retailer Shein, focusing on the transfer of EU customers’ personal data to China via its European headquarters, Infinite Styles Services in Dublin. The inquiry assesses whether Shein complies with core GDPR obligations, particularly Articles 5 and 13, as well as the strict requirements governing international data transfers under Chapter V of the GDPR.

Article 5 GDPR requires personal data to be processed lawfully, fairly, and transparently, while Article 13 imposes obligations to provide clear and accessible information to individuals about how their data is collected and used. The DPC is examining whether Shein’s privacy disclosures and data handling practices meet these transparency standards, and whether users are properly informed about cross-border data flows to jurisdictions outside the EU.

A key focus of the investigation is whether transfers of personal data to China meet GDPR requirements for international data transfers, which require “essentially equivalent” protection compared to EU standards. The DPC has emphasised that personal data exported outside the EU must remain subject to a comparable level of protection, regardless of where it is processed.

The case forms part of a broader regulatory trend of increased scrutiny of data transfers to China, particularly in the context of large-scale e-commerce platforms processing vast volumes of consumer data. The DPC confirmed it will coordinate with other EU supervisory authorities to ensure a consistent enforcement approach across jurisdictions.

Shein has stated that it is cooperating with the investigation and maintains that it prioritises data security and GDPR compliance, with ongoing internal initiatives to strengthen its data protection framework.

Key implications:

  • Heightened enforcement focus on international data transfers to China under GDPR Chapter V.
  • Increased scrutiny of e-commerce platforms operating EU hubs while processing data in third countries.
  • Reinforcement of strict transparency obligations under Articles 5 and 13 GDPR.
  • Continued convergence of EU supervisory authorities on cross-border data transfer enforcement strategy.

Overall, the investigation underscores the EU regulators’ increasingly strict interpretation of “equivalent protection” requirements for third-country data transfers and signals elevated compliance expectations for global digital commerce platforms operating in the EU.

Recommendations

1. Companies should maintain a clear and up-to-date overview of:

  • Where personal data is stored and processed (cloud providers, IT vendors, outsourcing partners)
  • Which third countries are involved
  • Which third-party service providers have access to customer data

2. SCCs must be supported by:

  • A Transfer Impact Assessment (TIA)
  • A documented assessment of legal risks in the destination country
  • Evidence that the protection level is effectively equivalent to the EU standard

3. For each data transfer, companies should:

  • Assess local surveillance and government access risks
  • Document legal and technical safeguards
  • Justify why the transfer is still compliant under GDPR requirements

4. Strengthen technical and organisational measures

Regulators increasingly assess real-world protection, not just contractual terms. Companies should consider:

  • End-to-end encryption (with EU-controlled keys where possible)
  • Pseudonymisation before transferring data
  • Strict access controls and audit logging
  • Data minimisation (only transfer what is strictly necessary)

5. Ensure transparency and documentation readiness

Companies should ensure:

  • Privacy notices clearly explain international transfers
  • Records of processing activities (ROPA) are complete and updated
  • Documentation is audit-ready for supervisory authorities.

Lithuanian DPA clarifies limits of access, erasure, and transparency rights in healthcare data case

The Lithuanian State Data Protection Inspectorate (VDAI) has issued a decision against UAB “Pasaulio optika” concerning alleged GDPR violations in the handling of a patient’s personal data following an eye examination. The case examined the application of Articles 15 (right of access), 17 (right to erasure), and 12 (transparency) of the GDPR in the context of medical data processing.

The complaint arose after the patient requested a copy of the medical examination results, requested the deletion of personal data, and raised concerns about the alleged disclosure of data to a journalist. The controller directed the patient to the national e-health system rather than providing the data directly and refused to delete it, citing statutory retention obligations for medical records.

On the right of access, the VDAI held that referring a data subject to an external system does not satisfy GDPR requirements. Controllers must either provide a direct copy of personal data or ensure equivalent direct access without additional procedural burdens on the data subject.

On the right to erasure, the authority confirmed that medical data may be exempt from deletion under Article 17(3)(b) GDPR where retention is required by national law. However, the controller must still clearly identify and communicate the specific legal basis for retaining the data.

Regarding transparency obligations, the VDAI found that the controller failed to provide a sufficiently clear and legally substantiated explanation for its refusal to delete. This constituted a breach of Article 12(1) GDPR, which requires transparent and comprehensible communication with data subjects.

The allegation of unlawful disclosure to a journalist was referred to the Press Ethics Inspectorate for separate assessment.

Key implications:

  • Direct access requirement reinforced: Controllers cannot rely solely on external systems (e.g. e-health portals) to fulfil Article 15 GDPR obligations.
  • Erasure exceptions must be properly justified: Even where retention is legally required, controllers must clearly reference applicable legal provisions.
  • Transparency obligations remain central: Adequate legal reasoning must be communicated in a clear and understandable manner under Article 12 GDPR.
  • Increased scrutiny in healthcare data processing: National DPAs continue to enforce strict compliance standards for sensitive personal data.

Overall, the decision reinforces that GDPR compliance in the healthcare sector requires not only lawful processing and retention, but also precise, transparent, and user-accessible communication of data subject rights and limitations.

Recommendations

1. If a data subject requests their data (GDPR Article 15), companies should not simply:

  • point to another platform, portal, or system
  • assume the user will retrieve it themselves

Companies should ensure they can directly provide a copy of personal data in a clear and accessible format.

2. Even if data is stored in a national system, database, or customer portal:

  • The controller still remains responsible for fulfilling the request;
  • Indirect access may not satisfy GDPR requirements.

3. When responding to data subjects’ requests for erasure under Article 17 GDPR, any refusal to satisfy such requests must be properly justified.

In such cases, companies should:

  • clearly identify the specific legal basis for retaining the personal data;
  • provide a clear explanation of why the erasure request cannot be fully or partially granted;
  • reference specific legal obligations requiring data retention, rather than relying on general or abstract statements.

4. Under GDPR Article 12 (transparency principle), it is recommended to review and update the Privacy Policy / Privacy Notice to ensure that it is clear, concise, and sufficiently informative for data subjects.

The Privacy Notice should explicitly and clearly include:

  • the legal bases on which personal data are processed;
  • the circumstances in which personal data may not be deleted (e.g. due to statutory retention obligations);
  • specific references to the legal provisions justifying restrictions on the right to erasure under Article 17 GDPR;
  • a clear and understandable explanation provided to data subjects, rather than generic or overly broad statements.

Lithuanian DPA flags systemic GDPR failures in insurance data-sharing ecosystem (Lietuvos draudimas case)

The Lithuanian State Data Protection Inspectorate (VDAI) has issued a decision concerning UAB “Lietuvos draudimas” over the handling and sharing of personal data with external service providers in the context of insurance services. The case highlights systemic compliance risks in multi-processor environments, particularly in sectors relying heavily on outsourced claims handling, data enrichment, and third-party service platforms.

The investigation assessed whether the controller ensured lawful and transparent data sharing, maintained adequate oversight of processors, and complied with core GDPR principles when transferring personal data within its service ecosystem.

On processor governance (Article 28 GDPR), the VDAI found that the company failed to demonstrate sufficient control over its external service providers. Key deficiencies included unclear contractual limitations on processor access, insufficiently detailed data processing agreements, and inadequate oversight of how processors handled personal data in practice. As a result, personal data was shared across the service chain without robust and clearly enforceable safeguards.

On transparency obligations (Article 14 GDPR), the authority found that the controller did not properly inform data subjects about the origin of personal data obtained indirectly from third parties, such as public registers or external databases. In particular, the company failed to provide timely and complete information regarding the source of the data, the categories of processed data, and the timing of the disclosure required under Article 14(3) of the GDPR.

On data minimisation (Article 5(1)(c) GDPR), the VDAI concluded that the scope of data shared with external partners was potentially excessive. The controller did not adequately justify the requirement for full datasets in all cases, indicating a lack of strict enforcement of the “need-to-know” principle across its operational processes.

Instead of imposing a financial penalty, the VDAI ordered corrective measures, requiring the company to:

  • strengthen its data processing agreements under Article 28 GDPR
  • improve transparency notices and disclosures to data subjects
  • reinforce internal data minimisation controls
  • review and tighten data-sharing practices with external partners

Key implications:

  • Reinforces strict expectations for controller oversight in multi-vendor insurance ecosystems
  • Confirms heightened scrutiny of Article 14 transparency obligations for indirectly sourced data
  • Highlights data minimisation as a practical operational requirement, not a formal policy principle
  • Signals regulatory focus on processor chain governance rather than only standalone controller actions

Overall, the decision underscores that GDPR compliance in outsourced service environments requires end-to-end control over data flows, precise contractual limitations, and full transparency to data subjects about all sources and uses of their personal data.

Recommendations

Under GDPR Article 28, companies must ensure that any external service provider processing personal data operates under clear, enforceable, and actively monitored conditions.

1. It is not sufficient to have Data Processing Agreements in place. Organisations must also ensure:

  • clear limitation of data access for each processor
  • documented and technically enforced access controls
  • ongoing oversight of processing activities

2. Lack of transparency in indirect data collection and disclosure of data source (GDPR Article 14).

Under Article 14 GDPR, where personal data is not obtained directly from the data subject, companies must inform individuals about the origin of their personal data, including the specific source of collection.

Regulators expect transparency that ensures individuals are clearly informed about:

  • the exact source from which personal data was obtained (e.g. public registers such as the Register Centre, or other third parties)
  • the categories of personal data collected from those sources
  • the timing of information provision in accordance with Article 14(3), including the requirement to inform the data subject without undue delay and no later than one month, or at the latest at the first communication

3. Under GDPR Article 5(1)(c), companies may only share personal data that is strictly necessary for the intended purpose. This principle must be applied in practice, not only in policy.

Companies should ensure:

  • datasets shared with third parties are purpose-specific
  • “full data exports” are avoided by default
  • necessity is documented per processing activity

Meta faces EU scrutiny over employee data use in AI training under GDPR

Meta is facing increased regulatory scrutiny in Europe over its internal artificial intelligence training programme, the Model Capability Initiative (MCI), which trains AI systems using employee activity data collected from work devices. The initiative is intended to improve automation capabilities for digital workplace tasks, but has raised significant concerns under the EU General Data Protection Regulation (GDPR).

The key issue concerns whether the scope of data collection exceeds what was originally disclosed. Reports indicate that the system may capture a broad range of workplace communications, including emails and chat messages exchanged between US-based employees and their colleagues in Europe. This raises the possibility that EU personal data could be indirectly incorporated into AI training datasets without a clearly defined legal basis.

Under GDPR, personal data must be processed for specific, explicit, and legitimate purposes, and any further processing must remain compatible with those original purposes. Privacy experts and advocacy groups, including NOYB, argue that using workplace communications for AI model training may constitute a new processing purpose requiring separate legal justification, such as consent or another valid legal basis under Article 6 of the GDPR.

Meta has stated that the programme is limited to US-based employee devices and includes safeguards intended to prevent the inclusion of sensitive information. However, critics argue that the actual scope of data processing may extend beyond publicly stated boundaries, particularly where cross-border communications are involved.

European supervisory authorities, including the Irish Data Protection Commission, are expected to examine the initiative more closely in light of increasing concerns over transparency, purpose limitation, and employee data protection in AI development contexts.

Key implications:

  • Potential application of GDPR purpose limitation rules to AI training using workplace communications
  • Heightened scrutiny of employee monitoring and internal data reuse for AI model development
  • Cross-border risk where EU employee communications are indirectly processed in non-EU AI systems
  • Likely regulatory focus on transparency, legal basis, and internal governance of AI training datasets

Overall, the case highlights an emerging regulatory frontier in the EU: the use of employee-generated data for AI training, and the extent to which existing GDPR principles constrain internal corporate AI development practices.

Recommendations

Companies should ensure that any employee data used for AI training is collected transparently and in full compliance with applicable data protection laws, such as the EU GDPR. It is essential to clearly define the purpose of data processing and avoid using workplace communications for secondary purposes without a valid legal basis or informed consent.

Organisations should also regularly review their data collection practices, implement strong anonymisation or minimisation techniques, and maintain clear internal policies on how employee communications are accessed and used. Close cooperation with data protection officers and legal teams can help reduce compliance risks and prevent potential regulatory action.

About the Author:

Loreta Andziulytė is a Partner and Attorney-at-Law at ECOVIS ProventusLaw, heading the firm’s Data Protection, Employment, and Corporate Commercial teams. With over 20 years of experience, she advises on corporate governance, regulatory compliance, GDPR, DORA, and fintech licensing matters. She is ranked in FinTech Legal by Chambers and Partners (2020, 2023–2026) and recognised by The Legal 500 in FinTech, Employment, TMT, and Dispute Resolution (2019–2025). Loreta is a Certified Data Protection Expert (CIPP/E).
