Privacy Pulse May 18, 2026


Data Protection Pulse – May 18, 2026: Everything You Need to Know Right Now

The most important data protection decisions and developments from the past two weeks.

I. Judgments

ECJ, Judgment of May 12, 2026 – C-797/23 (Meta Platforms Ireland)

https://infocuria.curia.europa.eu/tabs/document/C/2023/C-0797-23-00000000RP-01-P-01-3463259/ARRET/320668-DE-1-html

The Court of Justice of the European Union ruled that member states may grant publishing companies the right to claim remuneration from online platforms such as Meta. The remuneration must be structured as economic consideration for the license to use the content, and publishers must be able to refuse to grant the license or grant it free of charge. Platforms are required to provide data to the extent necessary for calculating the remuneration.

  • Data protection implications under Article 6 of the GDPR regarding the processing of reach and usage data
  • Signal effect for the German implementation of the DSM Directive in Sections 87f through 87k of the German Copyright Act (UrhG)

Berlin Administrative Court, Judgment of May 6, 2026 – VG 42 K 73/25 (Berlin Summer Pools)

https://www.berlin.de/gerichte/verwaltungsgericht/presse/pressemitteilungen/2026/pressemitteilung.1668271.php

The Berlin Administrative Court overturned the warning issued by the BlnBDI against the Berlin Public Bathing Facilities. ID checks for individuals aged 14 and older and selective video surveillance at five summer swimming pools are in compliance with data protection regulations. The protection of bathers’ lives, health, and freedom outweighs the minor infringement on the right to informational self-determination.

  • First administrative court ruling establishing standards for comprehensive identification measures in public facilities with security concerns
  • The ruling is not yet final; the Berlin-Brandenburg Chamber of Industry and Commerce is considering an appeal to the Higher Administrative Court of Berlin-Brandenburg

Administrative Court of Berlin, Judgment of April 30, 2026 – 20 VKl 1/25 (SOMI v. X)

https://www.berlin.de/gerichte/presse/pressemitteilungen-der-ordentlichen-gerichtsbarkeit/2026/pressemitteilung.1666701.php

The Berlin Court of Appeal dismissed the action for relief brought by Stichting Onderzoek Marktinformatie against X as inadmissible. SOMI sought at least 750 euros per German user and an additional 250 euros per person affected by the data breach. The claims are not “essentially similar” under Section 15(1) of the German Data Protection Act (VDuG), because loss of control and aggravating circumstances depend on the individual case.

  • Alignment with the ECJ’s approach to Article 82 of the GDPR (requirement of actual, causal harm)
  • An appeal to the Federal Court of Justice is possible; for the time being, class-action lawsuits must continue to be filed as individual lawsuits

II. Fines and Government Agencies

BfDI, 34th Annual Report 2025 (Submitted May 6, 2026)

https://www.bfdi.bund.de/SharedDocs/Pressemitteilungen/DE/2026/06_TB34.html

Prof. Dr. Louisa Specht-Riemenschneider presented the 34th Annual Report to Bundestag President Julia Klöckner. In 2025, the BfDI received a total of 11,824 complaints (a 36 percent increase compared to 2024), conducted 80 on-site inspections, and took 129 regulatory actions. A central item is the confirmation of fines against Vodafone totaling 45 million euros (15 million euros for inadequate control of data processors, 30 million euros for security deficiencies in the “MeinVodafone” authentication process).

  • New initiatives: ReguLab (data protection sandbox), Data Barometer, and Strategic Foresight Process for neurodata
  • Specht-Riemenschneider will remain in office until a successor is appointed; pending reform issues include, among other things, the transfer of intelligence service oversight to the UKRat

BlnBDI, Warning Issued to Berliner Verkehrsbetriebe (Press Release, May 4, 2026)

https://www.datenschutz-berlin.de/pressemitteilung/datenschutzbeauftragte-verwarnt-bvg/

The BlnBDI issued a warning to the BVG for its inadequate handling of a data protection incident. A data processor continued to store approximately 180,000 data records after the contract had ended and fell victim to a cyberattack. The BVG reported the incident late and failed to verify that the data had been deleted as required by the contract.

  • Violations identified: Article 5(2) in conjunction with Article 5(1)(c), (e), and (f), Article 32(1), Article 33, and Article 28(3), second sentence, (f) of the GDPR
  • In line with the Federal Court of Justice: Controllers must verify and demonstrate that the data has actually been deleted by the processor

AP Netherlands, €100 million against MLU B.V. / Yango (May 8, 2026)

https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2026/yango-far-gebyr-pa-100-millioner-euro/

The Dutch Data Protection Authority—in coordination with Finland and Norway—imposed a fine of 100 million euros on MLU B.V., the Yandex subsidiary and operator of Yango. MLU transferred personal data to servers in Russia; the standard contractual clauses were insufficient because the encryption keys were located in Russia and the “Yarovaya Law” allows for extensive government access. The AP ordered an immediate halt to all data transfers.

  • Schrems II ruling: A data transfer impact assessment is required, including an evaluation of encryption architecture, key storage, and the legal situation in third countries
  • MLU has announced that it will appeal; there is a significant risk of sanctions for similar situations involving Russia, China, and other third countries

III. Laws and News

Political trilogue agreement on the “Digital Omnibus on AI” (May 7, 2026)

https://www.consilium.europa.eu/de/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/

The Council and Parliament agreed on a substantial amendment to the AI Regulation. The high-risk obligations under Annex III will take effect on December 2, 2027, instead of August 2, 2026; embedded safety components will have until August 2, 2028. New provisions: A ban on “nudifier” applications until December 2, 2026, and SME relief for “small mid-caps” with revenue up to 200 million euros.

  • Controversial under data protection law: Relaxation of restrictions on the processing of special categories of data under Article 9 of the GDPR for the purpose of bias correction
  • The goal is to have the proposal formally adopted by the Parliament and the Council by August 2, 2026

DSK, Resolution Opposing Unwarranted Monitoring of Chat Rooms (Press Release, May 5, 2026)

https://www.datenschutzkonferenz-online.de/media/pm/2026-05-05_PM_Chatkontrolle_Entschliessung.pdf

In a resolution dated April 17, 2026, the DSK called on the EU legislative bodies and the German federal government to definitively abandon plans for warrantless chat monitoring. Warrantless mass surveillance, the circumvention of end-to-end encryption, and client-side scanning constitute disproportionate infringements of fundamental rights. The fourth round of trilogues began as scheduled on May 11, 2026.

  • The ePrivacy exemption for voluntary scanning expired in early April 2026; voluntary scans currently lack an explicit legal basis
  • Benchmark based on the Federal Constitutional Court’s ruling on data retention and the European Court of Justice’s decisions in the Tele2 and La Quadrature du Net cases

Regional Court of Cologne, Judgment of November 13, 2025 – 30 O 146/25 (Salary Data Provided to Recruiters)

https://nrwe.justiz.nrw.de/lgs/koeln/lg_koeln/j2025/30_O_146_25_Teilurteil_20251113.html

The Regional Court of Cologne ruled that an employer may disclose salary data of a placed employee to the recruitment agency—even if the employee objects. The transfer is justified under Article 6(1)(f) of the GDPR because the agency must calculate its fee (a percentage of the gross annual salary). The controller’s compelling legitimate grounds under Article 21(1), second sentence, of the GDPR outweigh the objection.

  • Best practice: Document the objection, conduct the balancing of interests in writing, and notify the data subject of the outcome
  • Applicable to recruiting, credit reporting agencies, insurers, and debt collection firms where salary-dependent compensation structures are standard in the industry
