Strict Safeguards Demanded for UBO Registers The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has criticised the government’s proposed decree regarding Ultimate Beneficial Owner (UBO) registers. The AP noted the proposal lacks clarity on access conditions. Following the 2022 Court of Justice of the European Union (CJEU) ruling, access to UBO data requires a strictly demonstrable “legitimate interest” to protect sensitive information such as citizen service numbers (BSNs) and residential addresses.
EDPB Guidelines on Scientific Research The European Data Protection Board (EDPB) is consulting on Guidelines 1/2026, which address the processing of personal data for scientific research. The guidelines outline a “presumption of compatibility” for further data processing and define the technical framework for Article 89(1) safeguards. Organisations must prioritise anonymisation and pseudonymisation hierarchies when handling research data.
CJEU Clarifies Refusal of Abusive Access Requests The CJEU provided further clarification on its Brillen Rottler ruling (C-526/24). Controllers are permitted to refuse a first-time Data Subject Access Request (DSAR) if they can definitively prove the requester’s sole intent is to artificially generate a damages claim rather than to exercise their privacy rights. The threshold for categorising a request as “excessive” remains high.
AI Governance and Compliance Timelines
AI Omnibus Agreement Delays Compliance Deadlines A political agreement has been reached on the “AI Omnibus” proposal, formally amending the EU AI Act. The compliance deadline for high-risk AI systems has been postponed from August 2, 2026, to December 2, 2027. This extension allows member states additional time to designate competent authorities and finalise harmonised technical standards.
AP Appointed as Central AI Supervisor in the Netherlands The Dutch Cabinet proposed the AP as the primary supervisory authority for AI systems that do not fall under a sector-specific regulator. The AP will intervene at the early stages of AI development to enforce transparency and prevent structural bias. The authority is currently establishing an internal AI directorate to manage this mandate.
Cybersecurity and Digital Connectivity
Digital Networks Act Transitions to Regulation Draft The proposed Digital Networks Act (DNA) has advanced to a formal Regulation draft, intended to replace the European Electronic Communications Code (EECC). The legislation introduces a “Single Passport” authorisation system for telecom operators. Member states are now required to submit “National Transition Plans” detailing the infrastructure phase-out of copper networks in favor of full fibre.
ENISA Updates 2026 International Strategy The European Union Agency for Cybersecurity (ENISA) revised its operational priorities to align with the EU Cyber Solidarity Act. The primary focus for the remainder of the year is operationalising the EU Cybersecurity Reserve. This includes assisting candidate countries and strategic partners, such as Japan, in developing defenses against quantum-level cryptographic threats.
Digital Rights and Legal Precedents
ECHR Interim Measures on Algorithmic Enforcement The European Court of Human Rights granted an interim measure in the case of Dziurda and Others v. Poland. While this specific case involves legal professionals, the procedural emphasis on the “no punishment without law” principle establishes relevant legal parallels for ongoing EU debates regarding algorithmic enforcement and rule of law standards in digital environments.
More to come…
Drew Campbell
Sources and Further Reading
- Autoriteit Persoonsgegevens (AP): Advice on UBO Register Decree
- European Data Protection Board (EDPB): Guidelines 1/2026 on processing personal data for scientific research
- Court of Justice of the European Union (CJEU): Judgment in Case C-526/24 (Brillen Rottler)
- International Association of Privacy Professionals (IAPP): Analysis of the AI Omnibus Agreement
- ICTRecht: Analysis of AP AI Supervision Priorities for 2026
- European Commission: Digital Networks Act (DNA) Policy Framework
- Industrial Cyber: ENISA International Strategy 2026 Update
- European Court of Human Rights (ECHR): Interim Measures in Dziurda and Others v. Poland
