Decoding the Past Year’s Legal Developments
The first part of Joost’s presentation focused on “What’s Been”—analyzing the significant legal developments that have shaped the privacy landscape over the past year. The session highlighted how globalization continues to drive enforcement trends, with international data transfers remaining a critical concern for supervisory authorities across Europe.
International Data Transfers Under Scrutiny
Several high-profile cases dominated the enforcement landscape in 2025. The Irish Data Protection Commission’s record €530 million fine against TikTok underscored the importance of transparency regarding data transfers to China and the practical implementation of Standard Contractual Clauses. Meanwhile, the European Commission’s approval of Microsoft 365 use, contingent on specific contractual safeguards, demonstrated how organizations can navigate complex international data transfer requirements through careful negotiation and documentation.
The Dutch DPA’s warning about DeepSeek, the Chinese large language model, exemplified regulators’ growing concern about AI tools and cross-border data flows. These cases collectively emphasize that having legal mechanisms in place isn’t enough—organizations must demonstrate their effectiveness in practice.
Landmark Court Decisions Reshaping Data Protection
The Court of Justice of the EU (CJEU) continues to be prolific in shaping data protection law, with over 300 cases since the early 2000s. He highlighted several pivotal judgments that privacy professionals need to understand:
- The EDPS v. Single Resolution Board case, which refined our understanding of when pseudonymized data constitutes personal data, potentially opening new avenues for data sharing arrangements
- The Latombe case, which upheld the EU-US Data Privacy Framework despite procedural questions about legal standing
- Three cases protecting LGBTQ+ rights, demonstrating how the GDPR serves as a tool for protecting minority rights and requiring organizations to respect individuals’ self-identified gender information
Looking Ahead: What’s Coming for Privacy Professionals
The second part of his session examined pending cases and upcoming regulatory developments. With Germany and Austria leading the charge in preliminary questions to the CJEU, fundamental concepts like legal grounds and compensation rights continue to require clarification despite years of GDPR implementation.
Pending Cases to Watch
Several advocate general opinions published recently signal important developments ahead. The Austrian doping case raises questions about proportionality in public disclosure of personal data and whether such information qualifies as health or criminal conviction data. The FIFA RRC Sports case explores the boundaries of legitimate interest as a legal basis, introducing concepts like “intolerable burden” that could reshape how organizations justify their data processing activities.
Particularly relevant for our Stockholm audience was the Stockholm public transport body camera case, which challenges conventional thinking about Articles 13 and 14 of the GDPR regarding information obligations when using surveillance technology.
The Expanding EU Digital Rulebook
In Joost’s final session, he addressed the broader EU digital regulatory landscape—what he calls the “tsunami” of digital laws coming from Brussels. This interconnected web of regulations extends far beyond the GDPR, creating new compliance challenges and opportunities for privacy professionals.
Cybersecurity Takes Center Stage
The NIS2 Directive and Cyber Resilience Act represent a paradigm shift in how Europe approaches cybersecurity. NIS2, which should have been transposed by October 2024, makes C-level executives personally liable for cybersecurity failures—a powerful incentive for organizational change. The Cyber Resilience Act extends security requirements to products with digital elements, mandating security updates and minimum maintenance periods.
The AI Act and Beyond
With Italy becoming the first country to enact complementary national AI legislation, we’re seeing the beginning of a complex regulatory patchwork. The proliferation of competent authorities—potentially over 200 across Europe for AI Act enforcement alone—presents coordination challenges that will require careful navigation.
The Data Act‘s focus on non-personal data from IoT devices increasingly intersects with personal data protection, requiring privacy professionals to expand their expertise beyond traditional GDPR boundaries.
Key Takeaways for Privacy Professionals
Joost’s presentations at Nordic Privacy Arena 2025 reinforced several critical insights for the privacy community:
- International data transfers remain a high-risk area requiring careful attention to both legal mechanisms and practical safeguards
- Fundamental GDPR concepts continue to evolve through case law, requiring ongoing professional development
- The convergence of privacy, cybersecurity, and AI regulation demands a broader skillset from privacy professionals
- Contractual negotiations and data protection impact assessments are becoming increasingly powerful tools for achieving compliance
- Early preparation for upcoming regulations like the Digital Fairness Act and sector-specific data space regulations will be essential
Building a Community of Knowledge
The Nordic Privacy Arena demonstrated that while it bears a regional name, it has truly become an international forum for privacy excellence. The engaged audience, spanning multiple countries and sectors, showed that the appetite for deep legal analysis and practical guidance remains strong within our professional community.
As privacy professionals, we face an ever-expanding regulatory landscape that challenges us to continuously update our knowledge and adapt our practices. The enthusiasm and engagement he witnessed in Stockholm reinforces his commitment to making complex legal developments accessible through Digibeetle’s platform.
Looking Forward
The regulatory tsunami he described isn’t slowing down. With pending GDPR reviews, new data space regulations, and evolving AI governance frameworks, privacy professionals have both challenges and opportunities ahead. The key is staying informed, building strong networks, and approaching these developments with both rigor and pragmatism.
I want to thank the Nordic Privacy Arena organizers for the opportunity to contribute to this important dialogue, and all attendees for their thoughtful questions and engagement. As we navigate this complex landscape together, platforms like Digibeetle will continue working to combat the “fear of missing out” that comes with the avalanche of legal developments in our field.
For those interested in accessing the detailed case analyses and staying updated on emerging legal developments, he invites you to explore Digibeetle’s platform, where we work daily to make sense of the evolving privacy and AI legal landscape.
