Legal News

The statement follows: The Competition and Consumer Protection Commission ( CCPC) serves as the designated competent authority for Articles 30, 31 and 32 of the Digital Services Act 2024 ( DSA), covering consumer-facing online platform operators (marketplaces) that enable consumers to enter into distance contracts. The CCPC will assume fresh oversight and enforcement duties regarding online marketplaces’ adherence to rules set out;......

The EU AI Liability Directive The EU AI Liability Directive surfaced on the Commission executive’s list of files to be scrapped at the eleventh hour, following pressure from EU digital chief, Henna Virkkunen, and as part of a wider push to reduce and simplify the regulatory framework. At a press briefing on the Commission’s 2025 work programme (which outlines upcoming initiatives and those to be abandoned), Šefčovič, responsible for deepening the Commission’s relations with lawmakers and Member States, said Commissioners had been examining how files marked for withdrawal were advancing through the co‑legislative process. ‘ When we observe that these particular proposals are stuck, at times for many years, we harbour serious doubts that they will progress this year,’ he said. The EU AI Liability Directive, a plan to harmonise certain administrative aspects of AI‑related damage claim proceedings, has indeed advanced little since it was...

The European Commission stated on 11 February 2025 that it will review whether to bring forward another SEP proposal or whether ‘another type of approach should be chosen’, signalling a sudden halt to the proposal. In particular, the proposal mooted the creation of a centralised registry for SEPs, overseen by the European Union Intellectual Property Office ( EUIPO), and empowering the office to decide whether these patents were genuinely essential to the claimed technology standard. The proposal sought to introduce far-reaching changes to the existing practices for licensing standard-essential patents across Europe......

MLex was informed by the Data Protection Commission that it has written to Deep Seek seeking details about how it processes data relating to individuals in Ireland. The watchdog declined to add anything more for now. Ordinarily, the DPC acts as the principal data regulator handling privacy issues involving major technology companies in the EU, since many base their European headquarters there. However, Deep Seek’s operators lack an EU establishment, so any member state authority is able to open a probe into issues impacting its own jurisdiction directly too......

EDPB report on DPA activity between 2018 and 2023 Strict GDPR enforcement only on paper When the General Data Protection Regulation ( GDPR) took effect in 2018, it signalled a new chapter for EU privacy protection — at least in theory. Individuals were armed with means to defend their fundamental rights, while regulators gained robust investigatory tools and the power to punish infringements with substantial penalties. Nearly seven years on, the picture is far gloomier. Marking Data Protection Day on 28 January 2025, noyb reviewed the latest EDPB figures on the (in)activity of national data protection authorities ( DPAs). The numbers reveal that, on average, only 1.3% of complaints handled by DPAs culminate in a fine. Yet data protection professionals consistently note that penalties are the most effective lever for driving companies to follow the law. Back in May 2018, the GDPR promised a decisive move...

The developer’s privacy notice states that all user information is transmitted to China, where it is retained indefinitely, and it makes no reference to European data protection law or any lawful basis for processing personal data. Although the model’s apparently strong performance on a modest training budget has depressed the share prices of US technology companies, consumer organisations in Europe have begun contacting Italy’s Data Protection Authority ( DPA), noted for proactively challenging Open AI two years ago over comparable issues linked to the launch of Chat GPT. The user terms for the Deep Seek generative AI application, jointly controlled by two Chinese companies, present multiple concerns for authorities responsible for enforcing the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDOR). All personal data is stored on servers located in China. Transfers will be “in...

The EU’s General Court ruled today that the EDPB has the authority to order Ireland’s data regulator to launch new investigations into Meta Platforms (see here) The General Court confirmed that the EDPB may instruct national supervisory authorities, including a lead supervisory authority, to widen their analysis, carry out supplementary investigations and adopt fresh decisions, holding that this competence is consistent with EU law. The court emphasised that the EDPB’s use of this power remains open to judicial review. In this matter, however, the applicant confined its challenge to asserting that the EDPB lacked competence, rather than contesting how the power was exercised. The judgment follows a bid by Ireland’s DPC to resist the EDPB’s direction to pursue additional inquiries into Meta, arguing the Board had overstepped its remit. The dispute dates back to 2018 and arose from complaints submitted by...

2024 witnessed another rise in enforcement of consumer protection rules at both national level and across the EU, lending tangible force to the suite of reforms rolled out under the EU’s New Deal for Consumers (including, for instance, the Sale of Goods Directive, the Digital Services Directive, and the Omnibus Directive), as a whole. In this article, we: explore the changing enforcement strategy and methodology of the CCPC, alongside the EU’s Consumer Protection Cooperation Network (the CPC Network), in particular spotlight the principal enforcement priorities in 2024—such as price transparency and, more broadly, unfair and misleading commercial practices consider where regulators are expected to concentrate their attention over the coming year in practice Evidence of a shift in the CCPC approach to enforcement? The CCPC’s method for enforcing consumer protection law is generally guided by four overarching...

Some of the world’s largest tech and AI bosses occupied front-row seats at Trump’s 20 January 2025 swearing-in, after their firms each contributed US$1m to his inaugural fund. Among them were Meta’s Mark Zuckerberg, Google’s Sundar Pichai and Open AI’s Sam Altman. Another Silicon Valley heavyweight expected to hold considerable sway, X Corp owner Elon Musk — a past advocate of AI rules — was also present. Trump is already highlighting his connections with the AI sector. On 22 January 2025 he unveiled a joint venture, pledging up to US$500bn for AI-linked infrastructure, from a new alliance between Open AI, Oracle and Soft Bank. Yet, despite such headline-grabbing AI announcements, clear direction on forthcoming AI regulation may take months, pending firm guidance from Trump appointees. During his first term, Trump largely avoided heavy-handed AI oversight, instead issuing two AI-focused executive orders. A 2019 order aimed to...

Following referrals from the Finland Market Court and Ireland’s Supreme Court arising from disputes featuring Teva and Merck Sharp & Dohme, the EU’s highest court ruled last month that a product may obtain an SPC even where a previously patented active substance is combined with a known, public‑domain ingredient, provided the regulatory requirements are satisfied (see here). The decision bolsters originator, brand‑name manufacturers that create and own pioneering drug patents. By permitting SPCs for combination therapies, the Court of Justice of the EU granted those brands as much as five extra years of exclusivity across a wider spectrum of treatments, postponing generic rivalry from companies that have traditionally waited for patent expiry before incorporating such substances into medicinal products. As Matthieu Dhenne, founding partner at Paris‑based Dhenne Avocats, told MLex, for pharmaceutical businesses the judgment favours SPC holders and...

Where this substantial compliance burden ultimately settles may turn on the idea of ‘intended purpose’—defined in the EU AI Act as ‘the use for which an AI system is intended by the provider, including the specific context and conditions of use.’ Drawn from EU product safety law, of which the EU AI Act is a standout example, the concept sits awkwardly with general-purpose AI ( GPAI) such as Open AI’s Chat GPT and Microsoft’s Copilot, which lack a singular aim and can execute a wide range of tasks. What, then, is the intended purpose of a system built for innumerable applications? Who carries the duty of due diligence when a GPAI supports a high-risk use? What regulatory exposure do users face when they step beyond a system’s stated purpose? These questions—and more—are likely to preoccupy the...

EU database The European Commission will set up, run and oversee an EU database for high-risk AI systems from 2 August 2026. Before putting certain high-risk AI systems on the market or into operation, the provider must register — either directly or via an authorised representative — both themselves and the system in this database. The repository will also hold entries for non-high-risk AI systems. Most fields will be public, user-friendly, easy to navigate and machine-readable. Its purpose is to uphold fundamental rights and the safe deployment of AI through greater transparency and accountability. It will also enable supervisory authorities to track high-risk AI systems and verify that they satisfy applicable requirements. Registering Annex III high-risk AI systems The registration duty under Article 49 of Regulation ( EU) 2024/1689 (the EU AI Act) covers specified high-risk AI systems. Under the Act, high-risk AI systems are those deemed to...

Our observations so far suggest the Unified Patent Court’s approach to inventive step is more all-encompassing, concentrating on whether the skilled person would have been prompted to contemplate the claimed solution and adopt it as a natural progression from the prior art. Further, in contrast to the EPO’s problem–solution methodology, the UPC does not yet appear persuaded that a reasonable expectation of success must be shown to establish obviousness. Given these differing frameworks, there is scope for divergent outcomes on identical facts. Even so, both the UPC and the EPO seem conscious of the danger of inconsistent rulings between the two systems. In this piece, we consider four EPO practices which, though not invariably applied today, may gain traction in the interests of harmonisation, as they arguably align more closely with the UPC’s stance on inventive...

On 8 January 2025, EU judges ruled that the Commission must pay compensation to a user of one of its websites after personal data was sent to the US without the necessary safeguards in place. German consumer Thomas Bindl argued that his personal details, including his IP address, were unlawfully transferred to the US after he registered for an event on its website using a service that lets users log in via Facebook. In 2022, he brought legal action against the EU’s executive arm for employing the US cloud service, Amazon Cloud Front, to move personal data from its websites to the US, in breach of a 2020 judgment designed to prevent US surveillance authorities from accessing EU citizens’ data. He said the Commission’s website on the Conference on the Future of the EU, and a separate website for a ' Go Green' event,...

Irish Data Protection Commission welcomes EDPB opinion on the use of personal data for the development and deployment of AI models The Irish Data Protection ( DPC) today greets the European Data Protection Board’s ( EDPB) opinion addressing the utilisation of personal data in building and rolling out Artificial Intelligence ( AI) models. The DPC requested this opinion in September 2024, aiming to secure EU-wide regulatory consistency and prompt clarity on several central questions without undue delay. In reply to that request, the EDPB rapidly activated the Article 64(2)1 GDPR procedure. This sought European-wide harmonisation and timely clarification on a range of vital issues. The DPC’s referral concentrated on four principal matters: (i) In which situations might an AI model be treated as ‘anonymous’?; (ii) How controllers can evidence the suitability of legitimate interest as a lawful basis for......

The Market Court in Brussels has referred to the EU Court of Justice the question of whether the right to erasure — the so‑called right to be forgotten — can be relied upon in a matter centred on an unnamed individual’s attempt to have his baptismal entry removed, according to a decision seen by MLex. It asks whether Article 17 of the General Data Protection Regulation, alongside the freedom of religion in the EU’s Charter of Fundamental Rights, means that a person baptised as a child who, as an adult, seeks to dissociate himself from the Roman Catholic Church does or does not have the right to have his personal data deleted from the register of baptisms......

EI Technology Unlimited Co, headquartered in County Clare, Ireland, told the High Court that a fire alarm range marketed by Hispec Electrical Products Ltd reproduces core aspects of EI Electronics’ patent for a system that oversees alarm devices linked via a common cable, according to a claim lodged on 28 November 2024. The claim plainly states that a reasonable person would see that the control unit and the mains interconnectable detectors are suited to put, and are meant to put, EI Electronics’ invention into effect in the United Kingdom, the claim reads. The company, which trades as EI Electronics, claimed that Lancashire, England based......

Social network X is moving to contest Ireland’s Online Safety Code, claiming it both overlaps with and goes beyond other EU statutes, undermining efforts to align the bloc’s platform rules. The case, lodged last month, reached the Dublin High Court on 16 December 2024, with the firm seeking to quash the online safety regulator’s finding that it is captured by the code. Filings reviewed by MLex further illuminate the firm’s grounds for suing the authority. Its position only became public today, as particulars surfaced via a hearing in the Irish High Court and related court documents filed in the case. Policy background The Irish Online Safety Code, released in October 2024, sets fresh duties to block harmful material, deploy age-assurance tools and bolster parental controls (see here). The regulator billed it as ‘an end to the era of social media...

Urgency requirement Recent jurisprudence underscores that patentees must move quickly once they learn, or become aware, of infringing conduct. If the patentee does not respond without delay, preliminary measures are unlikely to be granted by the court. The authorities have not been entirely uniform on how swiftly an applicant must proceed in this context. In Ortovox v Mammut ( UPC_ CFI_452/2023), the court concluded that, once the applicant holds all information and documentation that credibly supports a promising legal action, there is a one‑month window in which to act. By contrast, in Dyson v Shark Ninja ( UPC_ CFI_443/2023), the allowed period was assessed as two months in which to take steps. That approach was subsequently confirmed in Hand held Products v Scandit ( UPC_ CFI_74/2024), where the court observed that filing the application for a preliminary injunction on the very day on which...

NOYB has now been recognised as a ‘ Qualified Entity’, allowing it to pursue collective redress actions before courts across the EU. Under Directive ( EU) 2020/1828, these proceedings may take the shape of either an ‘injunction’ or a ‘redress’ measure. An injunction typically bars a company from unlawful conduct, including any GDPR breaches. Redress measures provide a European counterpart to a ‘ Class Action’, so NOYB can represent thousands or even millions of users and, for instance, claim non-material damages when personal data has been processed unlawfully. Approval in Austria and Ireland-valid throughout the EU. The EU’s collective redress model relies on non-profit organisations that must first be approved as ‘ Qualified Entities’ ( QE) to bring enforcement proceedings. Unlike the ‘wild west’ style under US law, where any law firm can launch so-called ‘ Class Actions’—often to their own...