March 11, 2026

The Dutch Data Protection Authority's expansion of its ex-officio investigation into Reddit BV stands as the most consequential development in today's cycle. The Autoriteit Persoonsgegevens has extended its scrutiny from Articles 6, 13, and 21 GDPR to encompass Article 5—the foundational lawfulness, fairness, and transparency principles—following reports that Reddit licensed or sold user-generated content to AI model developers. The expansion is significant because Article 5 liability is structurally broader than purpose-limitation or rights-notification failures: a finding against Reddit at this level could implicate the entire commercial model of repurposing social media content for AI training pipelines. With the case before the Rechtbank Den Haag and GDPRhub documenting iterative scope expansions, practitioners advising platforms with similar data-licensing arrangements should treat this investigation as an active risk signal rather than a jurisdictional outlier.

At the CJEU, an Advocate General opinion in Case C-5/25 (Pilev) clarifies that the Law Enforcement Directive governs—and materially constrains—the categories of identity data national courts may collect during criminal proceedings. The AG's March 5 opinion holds that the systematic collection of data points such as marital status and ethnicity for identification purposes violates Article 4(1)(c) LED's data minimisation requirement. Should the Court follow this reasoning, the ruling will carry direct compliance obligations for member states whose criminal procedure codes—including Bulgaria's Article 272(1)—routinely mandate broad personal data collection at the point of court identification. The case is distinct from the mainstream GDPR enforcement track but warrants close attention from public-sector legal teams and ministries of justice across the EU, where analogous procedural statutes may be equally vulnerable to LED challenge.

Consent architecture and data subject rights enforcement produced a cluster of decisions today. The Landgericht Hamburg confirmed that auto-ticked consent boxes on a flight booking site violated GDPR's unambiguous affirmative-action standard, reinforcing a long-established but persistently violated principle in e-commerce UX design. In France, the Council of State confirmed a €40 million fine against an advertising company for consent-free cookie placement, failure to honor access and erasure requests, and deficient joint-controller arrangements—with the judgment now final after appellate review. Ireland's DPC fined the University of Limerick €98,000 across six breach-related violations, explicitly rejecting internal escalation delays as justification for late DPA notification under Article 33(1). Together, these decisions signal that the middle tier of GDPR enforcement—covering consent mechanics, breach notification timelines, and records of processing—remains active across multiple jurisdictions simultaneously, not concentrated in high-profile platform cases.

Several secondary developments warrant tracking. Austria's BVwG upheld DPA authority to reject complaints filed in bad faith to obstruct debt enforcement, providing useful precedent for authority resource management. Romania's ANSPDCP fined Altex România under Article 83(5)(e) for non-cooperation with supervisory inquiries—a procedural enforcement posture that indicates DPAs are increasingly willing to sanction investigative obstruction independently of underlying violations. The Belgian APD clarified that email data reproduction, rather than full file extraction, satisfies GDPR access requests, offering practical guidance for organizations managing high-volume employee subject access requests. Italy's Garante issued a €30,000 fine for consent-free marketing email campaigns, continuing a pattern of mid-range sanctions for direct marketing violations.

Looking ahead, the CJEU's disposition of Case C-5/25 merits monitoring as the Court weighs the AG opinion against member state procedural autonomy arguments. The Dutch Reddit investigation is at an early evidentiary stage, and any interim injunctive relief sought before the Rechtbank Den Haag could accelerate the compliance timeline for similarly situated platforms. The EU Data Governance Act's recognized data altruism organization framework is now operational, and organizations considering data-sharing for public-benefit purposes should assess DGA registration eligibility before regulatory guidance firms up further. The ICO's nuisance-call criminal prosecution—now encompassing ten convictions across a decade-long investigation—signals that the UK regulator views criminal enforcement as a durable complement to its civil penalty powers, a posture compliance teams should factor into UK data broker and telemarketing risk assessments.