This digest summarizes major 2026 developments in EU and US data-protection, AI, and cybersecurity law, including the CJEU’s clarification on GDPR access requests and compensation, proposed Cybersecurity Act 2, the Digital Omnibus Single-Entry Point for incident reporting, and coordinated EDPB enforcement on transparency. It also covers national actions such as Oklahoma’s new privacy law, South Dakota’s criminal deepfake statute, Washington and Maryland’s chatbot and AI rules, Sweden’s smart-glasses and political-advertising guidance, Poland’s Data Governance Act implementation, and the White House AI legislative recommendations.
Key points
- CJEU confirmed controllers may refuse manifestly unfounded or excessive DSARs but affirmed Article 82 allows compensation for non-material harm from access-right infringements.
- EDPB and EDPS urged explicit legal safeguards for ENISA’s expanded operational role under Cybersecurity Act 2 and recommended clearer alignment between cybersecurity and GDPR certification schemes.
- The Digital Omnibus proposal would create a Single-Entry Point for incident reporting routed by ENISA and would extend the GDPR breach notification deadline to 96 hours for high-risk incidents.
- Several US states took action: Oklahoma enacted a comprehensive privacy law, South Dakota criminalized non-consensual sexual deepfakes, Washington restricted AI companion chatbot practices, and Maryland proposed strict chatbot liability and data-use rules.
- Sweden’s IMY issued practical guidance on smart glasses and targeted political advertising, while Poland moved to transpose the EU Data Governance Act into national law.
Read More: https://keplernewsletter.substack.com/p/privacy-and-cybersecurity-63