Two-Minute Recap Data Protection Law Matters Around The Globe

EDPB Opens Consultation on Scientific Research Data Processing Guidelines

The European Data Protection Board (“EDPB”) has opened its Guidelines 1/2026 on the processing of personal data for scientific research purposes for public consultation until 25 June 2026.

The draft guidelines clarify when a processing activity may qualify as “scientific research” under the GDPR, highlighting factors such as a methodical and systematic approach, adherence to ethical standards, verifiabilirty and transparency, ,independcy and contribution to scientific knowledge. The draft also addresses the further use of personal data for research purposes, the use of broad consent, data subject rights and safeguards applicable to sensitive personal data.

In addition, the EDPB provides guidance on the allocation of responsibilities between parties involved in research activities and outlines examples of technical and organisational safeguards, including anonymisation, pseudonymisation and secure processing environments.

Japan Proposes APPI Reforms to Promote “Data Free Flow with Trust”

The Japanese Cabinet approved a bill on April 6 to significantly has reformed its Act on the Protection of Personal Information (“APPI”) as of 2026, to promote “Data Free Flow with Trust,” introducing a more flexible, risk-based framework focused on broader data utilization, particularly for AI development and statistical processing. With this amendment, the country moves away from Europe’s strict model and shifts toward a U.S.-style “presumed consent” framework. Companies can now collect and process personal data without explicit authorization for purposes such as AI model training or statistical analysis, provided there is a “reasonable justification” and the risk to individual rights is low. Under this system, accessing sensitive health and biometric data (like facial scans) has become much easier as long as transparency conditions are met, and citizens are not granted a general right to opt out.

In addition, the reforms broaden the scope of regulated data, introduce enhanced rules for biometric data, relax breach notification obligations for low-risk incidents, and strengthen accountability requirements for third-party data sharing. The amendments also expand the enforcement powers of the regulator and increase transparency obligations for organizations relying on the new processing exceptions.

EDPB Opens Consultation on Common DPIA Template

On 14 April 2026, the EDPB announced that its harmonised GDPR Data Protection Impact Assessment (“DPIA”) template has been opened for public consultation and that feedback may be submitted until 9 June 2026. Adopted on 10 March 2026 as Version 1.0, the template is intended to create a common minimum documentation standard that can be accepted by supervisory authorities across the EU.

The EDPB states that controllers may continue using the DPIA methodology of their choice, while using the template to document a minimum set of information in a standardised format. The draft template covers the full DPIA process, including processing descriptions, legal basis analyses, GDPR compliance measures, necessity and proportionality assessments, risk evaluations, DPO involvement and final approval decisions.

The template also separately addresses risks inherent in the processing itself and risks arising from non-default, accidental or unlawful events, including cyberattacks, operational errors and misconfigurations. Following the consultation period, the EDPB states that the template will be finalised and may be adopted either as a standalone national template or as a “metatemplate” compatible with country-specific formats.

UK ICO Publishes Final Guidance on New “Charitable Purposes Soft Opt-In”

On 28 April 2026, the Information Commissioner’s Office (“ICO”) published final guidance on the new “charitable purposes soft opt-in” introduced under the Data (Use and Access) Act 2025. The change, which entered into force on 5 February 2026, allows charities to send direct marketing messages by email, text message and social media direct message without prior consent, provided certain conditions are met.

According to the ICO, the new provision applies where individuals have expressed an interest in, or offered support for, a charity’s purposes.

The updated guidance also addresses issues raised during last year’s consultation process, including the role of third parties and direct collections. The ICO also noted that it worked closely with the Fundraising Regulator and that both organisations will continue cooperating to support charities in applying the new rules.

The ICO stated that the guidance is intended to help charities use the new soft opt-in provision while ensuring individuals’ rights remain protected. The ICO also reminded organisations that, by 19 June 2026, they must have a process in place for handling data protection complaints.

US Supreme Court Hears Case on Geofence Warrants and Smartphone Location Data

The Supreme Court of the United States heard arguments on 28 April 2026 in Chatrie v United States, a case concerning whether “geofence warrants” used to obtain smartphone location data violate constitutional privacy protections. The case relates to law enforcement requests requiring technology companies to disclose location data for devices located within a specific area during a certain time period.

During the hearing, the US Department of Justice argued that individuals do not generally have a reasonable expectation of privacy regarding movements observable in public while carrying a smartphone. Privacy advocates argued that geofence warrants may also capture location data relating to individuals unconnected to criminal investigations.

French Data Protection Authority Publishes HR Data Retention Reference Guide

The Commission nationale de l’informatique et des libertés (“French Data Protection Authority”) published a reference guide on data retention periods for human resources management activities. According to the authority, the guide is intended to help organisations identify and determine appropriate retention periods for HR-related personal data processing activities.

The guide applies to organisations subject to French labour law and covers processes such as recruitment, payroll management, workplace monitoring, workplace accidents and labour relations. The French Data Protection Authority also noted that the framework was developed with the participation of professional associations and stakeholder groups from both the public and private sectors.

The Authority clarified that the guide constitutes “soft law” and is therefore not mandatory, although certain retention periods referenced in the document remain binding where prescribed by legislation or regulation.

US Unveils “SECURE Data Act”: New Federal Privacy Draft

Published in May 2026, this critical commentary argues that the proposed U.S. federal privacy bill, the “SECURE Data Act,” legalizes Big Tech’s data exploitation instead of protecting consumers.

The bill allows companies unlimited data collection based on whatever purposes they disclose in their privacy policies, while failing to mandate universal opt-out signals (UOOM) and stripping citizens of their right to sue companies for violations. The most critical danger is the bill’s broad preemption clause, which would completely wipe out much stronger local privacy laws already active in 21 states. Ultimately, the text emphasizes that the SECURE Data Act is not a protective framework, but rather a legal gift of immunity to technology giants. This move aims to set a new nationwide standard for data privacy in the United States.

Belgian DPA Launches “AI & Data Protection” Awareness Series 

The Belgian Data Protection Authority published on 13 April 2026; a new brochure titled The Impact of Artificial Intelligence on Privacy as part of its “AI & Data Protection” initiative. According to the authority, the series aims to raise awareness among citizens and businesses regarding the interaction between artificial intelligence and data protection law.

The publication is intended for individuals who use or interact with AI systems in daily life and provides practical guidance on how AI systems process personal data, the privacy risks associated with such systems and the data subject rights available under the GDPR. The brochure also addresses topics such as profiling, automated decision-making, transparency obligations and the exercise of GDPR rights in AIdriven environments.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.