Data Protection Pulse – 06/25/26: Everything You Need to Know Right Now
The most important data protection decisions and developments from the past two weeks.
I. Judgments
Munich Regional Court I, Case No. 26 O 869/26 (Google “AI Overviews”)
Sentencing on May 28, 2026
https://www.gesetze-bayern.de/Content/Document/Y-300-Z-BECKRS-B-2026-N-11860?hl=true
The 26th Civil Chamber of the Munich I Regional Court ordered the defendant (Google) to cease making inaccurate statements about two Munich-based publishers via Google’s AI bot “AI Overviews.” In response to search queries, the AI repeatedly linked the publishers to, among other things, fraud schemes, mixing information about actually dubious third-party companies and making unsourced references. The court classified Google as a direct infringer because the AI overview synthesized third-party content into an independent statement.
- First German Landmark Ruling on Liability for “AI Overviews”
- A Signal to AI Providers and Companies
Federal Court of Justice (BGH), Case No. I ZR 227/25 (Right to Access Schufa Information)
Oral hearing on June 18, 2026; judgment to be handed down on October 21, 2026
https://www.bundesgerichtshof.de/SharedDocs/Termine/DE/Termine/IZR227-25ua.html
The First Civil Division of the Federal Court of Justice (BGH) must rule on the scope of Schufa’s right to information under Article 15(1)(h) of the GDPR, in particular regarding the weighting of the most important scoring criteria. The Dresden Higher Regional Court (OLG) had ordered Schufa to provide such information. The BGH indicated that it is likely to overturn the Dresden ruling, as the mere calculation of a score does not constitute an automated decision under Article 22 of the GDPR.
- Standard for all scoring and credit rating systems
- Simultaneous entry into force of an amendment to the BDSG regarding scoring transparency in November 2026
ECJ, Case No. C-484/24 (Admissibility of Evidence)
Sentencing on June 18, 2026
The European Court of Justice ruled that courts may use personal data that a party has obtained unlawfully. A general prohibition on the use of such evidence cannot be inferred from the GDPR. The right to a fair trial (Art. 47 of the Charter of Fundamental Rights) may take precedence over data protection. When disclosing the data, however, courts must ensure data minimization and, where necessary, redact or pseudonymize sensitive data.
- It is not a GDPR violation that determines the admissibility of evidence, but rather a balancing of that violation against the right to effective legal protection
- Landmark European Ruling on Labor and Civil Proceedings
The facts of the case can be briefly summarized as follows:
According to her former employer, a former employee of NTH Haustechnik GmbH is alleged to have sold company property through her personal eBay account, thereby causing significant damage. To prove this, the employer gained access to her personal eBay account and used the data obtained from it as evidence in court. The former employee considers the access to her account to be unlawful. The Lower Saxony Regional Labor Court therefore asked the European Court of Justice whether, and under what conditions, courts may use personal data that may have been collected in violation of the GDPR.
And what's the result?
The outcome of the ECJ ruling can be summarized as follows:
There is no automatic exclusion of evidence. Personal data that may have been collected in violation of the GDPR may not be disregarded by a court solely for that reason. Inserted Text.txt
Courts may, in principle, process data if this is necessary to fulfill their statutory duties—in particular, to establish the facts of a case and reach a decision. The legal basis for this is generally Article 6(1)(c) of the GDPR (compliance with a legal obligation), not Article 17 of the GDPR. Inserted Text.txt
A proportionality assessment is required. The court must determine whether the use of personal data is necessary and appropriate and must balance the data subject’s data protection rights against the interest in the effective administration of justice. Inserted Text.txt
The GDPR itself does not impose a ban on the use of evidence. Whether a piece of evidence may be used is generally governed by national procedural law. However, this must be interpreted in accordance with fundamental rights and the GDPR. Inserted Text.txt
Bottom line
The European Court of Justice reaffirms the principle that a data protection violation does not automatically render evidence inadmissible in court. Rather, it must be determined on a case-by-case basis whether the use of the data is permissible and proportionate despite the data protection violation.
II. Fines and Government Agencies
Berlin Regional Court I, Case No. 526 OWi LG 1/20 – Deutsche Wohnen SE (from €14.5 million to €900,000)
The Berlin Regional Court I upheld Deutsche Wohnen SE’s liability for the fine but reduced the fine—originally imposed in 2019—from €14.5 million to €900,000. The company had stored sensitive tenant data in an archive system without the option to delete it and had failed to adapt its IT systems in a timely manner, thereby violating the principles of data minimization and storage limitation (Art. 5(1)(c) and (e) of the GDPR) as well as Art. 6 of the GDPR. Mitigating factors included the company’s willingness to cooperate, the corrective measures it had implemented, and the circumstances surrounding the GDPR implementation phase.
- Courts Are Not Bound by the Regulatory Authority's Determination of Fines
- Reduction of the fine through cooperation and remedial measures taken after the fact (Art. 83(2) of the GDPR)
Regulatory Authorities (Germany & Austria) – Response to the Cyberattack on the Photo Service Provider “Portraitbox” (June 2026)
https://www.ldi.nrw.de/cyberangriff-dienstleister-foto
In mid-May 2026, attackers gained access to the cloud infrastructure of the well-known photo service provider Portraitbox and stole large amounts of customer data and image files—including photos of children in daycare and school. The perpetrators are now believed to be threatening to release the data in order to extort a ransom. Several state supervisory authorities, as well as the Austrian Data Protection Authority, subsequently issued coordinated notices stating that photographers and photo studios working with Portraitbox, as data controllers, are subject to reporting and notification obligations under Articles 33 and 34 of the GDPR.
- Highlighting the risks associated with centralized cloud service providers handling data requiring special protection
- The possibility of cross-border coordinated supervisory communication in the event of major incidents.
AEPD (Spain), Fine Decision dated June 17, 2026 – Vodafone España (€1,050,000)
The AEPD imposed a fine of €1,050,000 on the telecommunications company Vodafone España for violations of the lawfulness of processing under Article 6(1) of the GDPR and of the security of processing under Article 32 of the GDPR. The case involved a third party contacting customer service, passing security checks, and subsequently receiving a copy of a bill containing personal data. In addition, there was an additional cell phone subscription registered in the name of the affected customer, even though she had never signed up for it.
- Simply answering security questions is an insufficient authentication method
- Setting up a mobile phone block without the affected person's knowledge constitutes the processing of personal data without a legal basis
III. Laws and News
DSK Statement dated June 18, 2026 – Radar Sensors and 6G
The Data Protection Conference (DSK) addressed the planned radar function (ISAC) of the future 6G mobile communications standard, which is scheduled to be introduced starting in 2030. The technology allows for the detection of spaces and the people within them—potentially through walls—thereby enabling tracking based on movement patterns. Similar features are planned for future Wi-Fi standards. The DSK emphasizes that privacy must be incorporated into the standardization process at an early stage in accordance with the “Privacy by Design” principle (Art. 25(1) GDPR).
- Potential Surveillance Infrastructure Through Sensor Capabilities in Future Mobile and Wi-Fi Standards
- The Importance of “Privacy by Design” in the Technical Standardization of 6G and Wi-Fi
Federal Council – Planned Expansion of Data Retention
In April 2026, the federal government introduced a bill calling for the retention of IP addresses—including connection and user identifiers, as well as timestamps accurate to the second—without any specific cause. The Legal Affairs Committee of the Bundesrat has now called for an examination of extending the retention period from three to up to six months. In addition, a new “preservation order” would require providers to store location and content data as well.
- The Bundesrat is pushing for a significantly more extensive data retention policy than the federal government
- Another Conflict Over Fundamental Rights Regarding Mass Data Retention Without Cause
Bavaria – Use of AI in College Exams
https://www.bayern.de/bericht-aus-der-kabinettssitzung-vom-23-juni-2026/
On June 23, 2026, the Bavarian Cabinet approved an amendment to the Bavarian Higher Education Innovation Act (BayHIG). This amendment explicitly promotes the use of AI at universities and enshrines in law the further development of AI as a responsibility of universities in their academic programs and teaching. The following will apply to unsupervised exams in the future: A general ban on the use of AI is no longer permitted; instead, its use must be accompanied by a requirement to disclose its use.
- Promotion of AI Established for the First Time as a Statutory Duty of Universities
- In line with Bavaria's AI initiative, featuring the AI Factory in Munich
Discover more podcasts
