Data Protection Pulse – April 14, 2026: Everything You Need to Know Right Now
The most important data protection decisions and developments from the past two weeks.
Judgments
Prohibited Use of Artificial Intelligence in Student Exams
The Kassel Administrative Court (Case Nos. 7 K 2134/24.KS and 7 K 2515/25.KS) has ruled that the unauthorized use of AI in exam performance constitutes a particularly serious form of cheating and justifies exclusion from the retake exam.
- The use of AI without disclosure constitutes an unauthorized aid, even in the absence of an explicit prohibition in the examination regulations
- Exclusion from retesting is lawful – lack of originality in the work is the decisive factor
GDPR Damages: Ordinary Courts Have Jurisdiction – Even Against Government Agencies
https://nrwe.justiz.nrw.de/ovgs/vg_duesseldorf/j2026/29_K_2876_26_Beschluss_20260323.html
In its ruling of March 23, 2026 (Case No. 29 K 2876/26), the Düsseldorf Administrative Court clarified that claims for damages under Article 82 of the GDPR must be brought exclusively before the ordinary civil courts—even if the claim is directed against a public authority or a public-law institution.
- Claims for damages under the GDPR must be brought before the ordinary civil courts—proceedings in administrative courts are not permitted, even if the opposing party is a government agency
- Separation of legal proceedings is permissible: actions for disclosure remain within the jurisdiction of the administrative courts, while actions for damages fall under the jurisdiction of the civil courts
ECJ Preliminary Ruling: Does the refusal to accept “open invoice” as a payment method fall under Article 22(1) of the GDPR?
The Austrian Supreme Court (OGH, Case No. 6 Ob 15/25m) has referred the question to the European Court of Justice (ECJ) as to whether a mail-order company’s automated rejection of purchase on account constitutes an automated individual decision under Article 22 of the GDPR—even if the order itself is not rejected but merely redirected to secure payment methods such as credit card or PayPal.
- Is the automated credit decision “necessary” for the conclusion of the contract within the meaning of Article 22(2)(a) of the GDPR?
- Ruling pending – significant practical implications for the entire online retail sector
Fines and government agencies
Data Protection at a Glance: Hamburg Annual Report Published
https://datenschutz-hamburg.de/news/hmbbfdi-stellt-taetigkeitsbericht-datenschutz-2025-vor
On March 25, 2026, Thomas Fuchs, Hamburg’s Commissioner for Data Protection and Freedom of Information, presented the 34th Annual Report to Carola Veit, President of the Hamburg Parliament. The number of complaints rose to the highest level since the agency was established.
- 6,219 complaints – an increase of over 46% compared to the previous year
- AI-powered voice assistants as new channels for filing complaints
- The use of AI in government requires a clear legal framework
- Guest Checkout Now Standard in Online Retail: Account Registration Not Required
Data Protection at a Glance: EDSA 2025 Annual Report Published
https://www.edpb.europa.eu/our-work-tools/our-documents/annual-report/edpb-annual-report-2025_en
On April 9, 2026, the European Data Protection Board (EDPB) published its 2025 annual report. The report details increased cross-border cooperation and new guidelines on AI regulation.
- Binding EDSA decisions in cross-border cases are directly binding on national authorities and set the interpretive framework for the GDPR across Europe
- Joint guidelines with the European Commission on the interaction between the AI Act and the GDPR are currently being prepared
- National data protection authorities imposed fines totaling 1.15 billion euros – German data protection authorities imposed fines totaling 48,117,083 euros in 2025
New Guidance: Data Protection in AI Projects within the Bavarian Public Administration
https://www.datenschutz-bayern.de/ki/OH_KI.pdf
The Bavarian State Commissioner for Data Protection (BayLfD) has published new guidelines on the use of artificial intelligence in the Bavarian public administration. The guidelines classify AI projects from a data protection perspective and are primarily intended for public authorities.
- Focus on trustworthy, human-centered AI
- Transparency, clarity, and traceability as key requirements
- Context within the framework of the new AI regulatory framework
Laws and News
Digital investigative measures: Three legislative initiatives at the federal level
The federal government is currently pushing forward with several legislative initiatives aimed at expanding digital investigative powers in criminal prosecution and counterterrorism. The goal is to provide security agencies with additional digital analysis and access capabilities.
- Amendment to the Code of Criminal Procedure – Digital Investigative Measures (BMJ)
https://www.bmjv.de/SharedDocs/Gesetzgebungsverfahren/DE/2026_Digitale_Ermittlungsverfahren.html?nn=110490 - Strengthening Digital Investigative Powers in Police Work (BMI)
https://www.bmi.bund.de/SharedDocs/gesetzgebungsverfahren/DE/OESI3/ermittlungsbefugnisse-polizeiarbeit.html - Digital investigative powers to combat international terrorism (BMI)
https://www.bmi.bund.de/SharedDocs/gesetzgebungsverfahren/DE/OESI3/ermittlungsbefugnisse-abwehr-int-terrorismus.html
Data Protection Pulse – AI Piloting & Security
In its AI pilot program, the BSI makes it clear that companies must not only test AI from a technical standpoint but also implement structured security measures—including threat analysis, testing, and governance. The focus is on specific attack scenarios (e.g., model manipulation) as well as the need to continuously monitor and harden AI systems.
- AI pilot projects require security by design → Threat models and testing are mandatory
- New risks, such as data manipulation or model attacks, require ongoing monitoring and clear lines of responsibility
Class-action lawsuit: Apple is being sued over the use of YouTube channels for AI training
Three YouTube channels have filed a class-action lawsuit against Apple in a federal court in California. The allegation: Apple is said to have used millions of copyrighted videos for AI training through targeted scraping—as evidenced by Apple’s own research reports.
- YouTube's protective measures are alleged to have been intentionally circumvented – a violation of the Digital Millennium Copyright Act
- Identical lawsuits are currently pending against Amazon and OpenAI—part of a growing legal dispute over AI training data
