Data Protection Pulse – 07/07/26: Everything You Need to Know Right Now
The most important data protection decisions and developments from the past two weeks.
I. Judgments
U.S. Supreme Court: Trump v. Slaughter – June 29, 2026
https://www.supremecourt.gov/opinions/25pdf/25-332_qn12.pdf
Letter_noyb_EU-US_data_transfers.pdf
The U.S. Supreme Court has ruled that there are no government agencies independent of the U.S. President. This could have implications for the EU-U.S. Data Privacy Framework, as the European Commission had based its adequacy decision on the independence of the Federal Trade Commission, the U.S. agency responsible for this matter.
- Data privacy activist Max Schrems plans to file a lawsuit against the Data Privacy Framework as well.
- The Data Privacy Framework will remain in effect until the European Court of Justice issues a ruling, if any, in 2–3 years.
ECJ: Ruling on Concurrent Proceedings Before Regulatory Authorities and Courts – June 18, 2026
https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:62024CJ0414
The Supreme Court has (incidentally) overturned the EU-U.S. data deal
With regard to the same data protection-related matter, a complaint may be filed with the data protection supervisory authority, and a legal remedy (e.g., an injunction) may be sought in court. According to the European Court of Justice, the data protection authority cannot reject a complaint solely on the grounds that court proceedings are pending at the same time.
- The GDPR provides for both administrative and judicial proceedings to run in parallel; neither is exclusive of the other.
- If there is a final court decision, the supervisory authority must take it into account in its own decision.
Federal Court of Justice (BGH): Ruling on Access to Case Files in Foreclosure Proceedings – May 21, 2026
Until now, local courts have applied inconsistent standards when redacting their foreclosure case files. The Federal Court of Justice has now ruled that potential bidders are permitted to review an unredacted file, as this is in the public interest.
- The names, addresses, dates of birth, etc., of those affected by the foreclosure auction no longer need to be redacted.
- However, individuals accessing this data may not disclose it to third parties or publish it.
II. Fines and Government Agencies
Berlin State Data Protection Commissioner: Annual Report 2025 – June 23, 2026
The Berlin State Data Protection Commissioner published her annual report for 2025.
- Sharp rise in the number of complaints; the trend toward overburdening of data protection supervisory authorities continues.
- Fines for employee misconduct involving unauthorized access to customer data.
- Video Recordings: No Right to a Copy of the Data if the Effort Involved Is Disproportionate (Higher Administrative Court of Berlin-Brandenburg: Berlin S-Bahn).
Spanish Data Protection Agency (AEPD) – Warning About a Leak of Chat Histories – June 25, 2026
The Spanish Data Protection Agency (AEPD) has reported on an investigation published on the GitHub coding platform. According to the report, many well-known AI providers are leaking data to trackers.
- Data leakage is possible when using direct links in combination with tracking mechanisms such as cookies, and affects, among others, Claude, Perplexity, and OpenAI.
- Permalinks are publicly viewable, and tracking tools such as Meta or Google Pixel also index the content of the chatbot conversation
State Data Protection Commissioner of Baden-Württemberg – AI Transcription of City Council Meetings – June 10, 2026
https://www.baden-wuerttemberg.datenschutz.de/leitfaden-ki-transkription-von-gemeinderatssitzungen/
The State Data Protection Commissioner of Baden-Württemberg published a guide on the use of AI in municipal councils. While the guide addresses the specific requirements of municipal council meetings, the topics covered can also be applied, for example, to corporate shareholder meetings.
- Public meeting: Transcription is permitted; this may be governed by the bylaws.
- Public Question Time, internal municipal personnel matters: The transcription must be turned off.
III. Laws and News
Data Protection Conference: “Stuttgart’s Ideas for Modernizing Data Protection” – June 19, 2026
The GDPR was adopted 10 years ago, so a debate on reform is now in order. The state data protection authorities are participating in this debate with their statement dated June 19. Proposals include, among other things:
- Launch of a central data protection portal for businesses and citizens, e.g., for reports or complaints.
- Establishment of a joint decision-making database for data protection supervisory authorities.
- Order processing: e.g., conversion into a legal obligation; avoiding a multitude of order processing agreement (AVV) arrangements.
- Enact and institutionalize the Data Protection Conference within the BDSG.
Bundestag: Draft Bill to Implement the Regulation on Artificial Intelligence – June 11, 2026
https://www.bundestag.de/dokumente/textarchiv/2026/kw24-de-ki-1183820
The bill is intended to transpose the AI Regulation into German law and has been passed by Parliament.
- Designation of the competent national authorities, in particular AI supervisory authorities: the Federal Network Agency; for regulated financial activities: BaFin.
- Violations of the obligation to cooperate with the relevant authorities: a fine of up to 50k €.
Companies Hacked in June
In June 2026, several attacks on the databases of well-known large companies came to light. The attackers are threatening to publish the data on the dark web.
- Kodak: 2 million records containing customer data.
- Nintendo: Third-Party Provider Hacked, Employee Data Leaked.
- In addition to internal security measures (phishing awareness), it is also important to carefully select suppliers and, if necessary, conduct regular audits of them.





