March 14, 2026

The Dutch Data Protection Authority's expansion of its Reddit BV investigation to include Article 5 GDPR—covering the foundational principles of lawfulness, fairness, and transparency—marks the most significant development of the past 24 hours. The move, in proceedings before the Rechtbank Den Haag, signals that European regulators are no longer content to probe AI training data practices through the narrower lens of Articles 6 and 13 alone; they are now reaching for the structural principles that govern all processing. This broadening establishes a template for investigations into any platform that licenses or otherwise supplies user-generated content to AI developers, and practitioners advising social media operators, data brokers, or AI firms with EU data exposure should treat the Reddit case as a leading indicator of enforcement posture across the bloc.

Two threads from the CJEU warrant parallel attention. In Case C-5/25 (Pilev), an Advocate General has opined that Bulgarian law enforcement's systematic collection of identity data—including marital status and ethnicity—exceeds what the Law Enforcement Directive permits under its data minimisation principle. Should the Court follow the AG, the ruling would constrain criminal procedure codes across member states that currently authorize broad identity profiling, with immediate compliance implications for national law enforcement agencies and the judicial systems that process their data requests. Separately, Spain's AEPD has imposed a €500,000 fine on FC Barcelona for deploying voice and facial biometric systems without a prior Data Protection Impact Assessment—a decision notable for treating the procedural DPIA obligation as a standalone enforcement basis, entirely independent of any demonstrated harm from the underlying processing. That enforcement posture, now visible in Spain, aligns with a broader EU pattern of penalizing governance failures rather than waiting for misuse to materialize.

In Ireland, the DPC's €98,000 fine and reprimand against the University of Limerick—arising from six concurrent breaches and violations across Articles 30, 32, 33, and 34—carries a specific doctrinal note: the commission explicitly rejected internal organisational delays as justification for late breach notification, confirming that the Article 33(1) 72-hour clock runs from the moment the controller becomes aware, not when the matter clears internal escalation channels. The French Conseil d'État's review of CNIL's €40 million Criteo sanction adds further texture, as the administrative court's treatment of consent validity and joint controllership in adtech will either entrench or complicate one of the largest GDPR fines in the advertising sector. Germany's LG Hamburg, meanwhile, has voided auto-ticked consent checkboxes on a flight booking platform, reinforcing that dark-pattern consent implementations remain a live litigation and enforcement risk across civil and regulatory channels simultaneously.

In the United States, two developments converge on the same structural vulnerability: the use of commercially harvested location data as a government surveillance instrument. CBP's confirmed use of ad-tech location data for warrantless tracking—documented through materials obtained by 404 Media—provides concrete confirmation that the real-time bidding ecosystem functions as a passive surveillance infrastructure accessible to federal agencies. That disclosure arrives as civil liberties organizations urge the Supreme Court, in Chatrie v. United States, to rule geofence warrants unconstitutional. The EFF and ACLU's amicus brief frames such warrants as digital dragnets structurally incompatible with Fourth Amendment particularity requirements. Together, the CBP disclosure and Chatrie briefing constitute a significant moment of convergent pressure on Congress to advance data broker legislation and on the ad-tech industry to restrict government access to passively collected location signals.

Several forward-looking pressure points deserve monitoring. The CJEU's ultimate ruling in Pilev will determine whether the AG's opinion translates into binding constraints on member-state criminal procedure—a decision with potentially wide reach given the variety of national identity verification regimes across the EU. The House Energy and Commerce Committee's markup of child online safety legislation is drawing organized opposition from CDT on both constitutional and privacy grounds, signaling a contested legislative path ahead. The Conseil d'État's Criteo ruling, once published in full, will clarify the durability of CNIL's consent and joint-controllership framework for adtech—a question that has structured compliance programs across the digital advertising industry for the past two years. And the Italian Garante's two pending enforcement decisions (10211780 and 10224627), currently awaiting full publication, warrant close monitoring for applicable precedent given Italy's status as one of the EU's more prolific enforcement jurisdictions.