March 12, 2026

The Dutch Data Protection Authority's decision to expand its ex-officio investigation into Reddit BV—now incorporating Article 5 GDPR alongside the originally-scoped Articles 6, 13, and 21—marks the most consequential development of the past 24 hours for the AI governance landscape. By extending scrutiny to the foundational lawfulness, fairness, and transparency principles, the AP signals that its inquiry is no longer confined to discrete consent or transparency failures but now interrogates the structural legitimacy of social media platforms' data licensing arrangements with AI developers. The Rechtbank Den Haag proceedings place this squarely in litigation territory, not merely supervisory review, and the outcome will carry significant precedential weight for any platform operator monetising user-generated content through AI training pipelines. Practitioners advising clients on data licensing agreements or AI readiness programs should treat this expansion as a material escalation, not a procedural update.

At the CJEU, the Pilev matter (Case C-5/25) is developing on two tracks simultaneously, both warranting close attention. A preliminary reference from the Sofia City Court asks whether Bulgaria's criminal procedural requirement to collect extended identity data—including marital status and ethnicity—can survive contact with EU data protection standards. More immediately actionable, the Advocate General's opinion issued March 5 applies the Law Enforcement Directive's data minimisation principle under Article 4(1)(c) directly to that national practice, finding it incompatible. Should the Court follow the AG, national criminal procedure codes across Member States that embed broad identity-profiling obligations will face a structured compliance challenge. Law enforcement data governance teams and national justice ministries operating under comparable procedural frameworks should begin gap assessments now, ahead of a judgment that could arrive within months.

A cluster of consent-integrity decisions reinforces an emerging supervisory pattern: regulators and courts are hardening expectations around affirmative, granular user action. The Landgericht Hamburg's ruling against auto-ticked consent checkboxes on a flight booking platform—where passive user behavior was construed as agreement—extends an established line of dark-pattern jurisprudence into the travel sector. Separately, France's Supreme Administrative Court has confirmed a €40 million GDPR penalty against an advertising company for deploying personalised advertising cookies without valid consent, failing to honor data subject rights, and operating without a joint-controller agreement, closing appellate review and rendering the sanction final. The French court's accompanying holding—that data qualifies as personal even where identification is indirect or incidental to the controller's purpose—reinforces a broad reading of GDPR Article 4(1) with significant implications for data classification and analytics programs. Taken together, these decisions signal that consent architecture and data qualification questions are receiving coordinated judicial and supervisory attention across multiple Member State jurisdictions.

Ireland's Data Protection Commission has imposed a €98,000 fine on the University of Limerick following six GDPR breaches, with particular emphasis on the Article 33(1) notification clock running independently of internal escalation procedures. The explicit rejection of organisational delay as justification for late breach notification is a holding that public-sector and higher-education compliance teams should operationalise immediately—internal incident review processes cannot be allowed to consume the 72-hour notification window. Romania's ANSPDCP has sanctioned Altex România under Article 83(5)(e) for non-cooperation with supervisory authorities during a data rights investigation, a signal that Romanian enforcement is prepared to layer procedural non-cooperation penalties on top of underlying substantive violations. Austria's BVwG has simultaneously affirmed DPA discretion to filter bad-faith GDPR complaints, and found a separate electricity operator liable for false deletion confirmation—establishing that affirmative misrepresentation in response to erasure requests constitutes an aggravating compliance failure beyond passive retention.

Looking ahead, practitioners should monitor the Pilev judgment timeline at the CJEU, which will define LED data minimisation obligations for law enforcement across 27 Member States. The Reddit BV proceedings at Rechtbank Den Haag will likely generate interim procedural developments as the AP's expanded Article 5 scope is tested in court. The Italian Garante's case 10211780 remains pending full publication, and completion of that record may surface enforcement priorities not yet visible from the case summary. Spain's AEPD investigation into the 2023 breach affecting one million individuals is in early stages; controllers operating at comparable scale should treat the Article 5(1)(f) security principle as an active enforcement vector rather than a secondary consideration.