March 15, 2026

The Dutch Data Protection Authority's expansion of its Reddit BV investigation to include Article 5 GDPR—covering the foundational principles of lawfulness, fairness, and transparency—marks the most significant development in the past 24 hours. Where the inquiry previously targeted specific provisions governing legal basis, information obligations, and objection rights, the broadened scope now implicates the structural integrity of Reddit's data processing practices as a whole. The Rechtbank Den Haag proceedings signal that EU supervisory authorities are treating social media platforms' licensing of user-generated content to AI developers not as an edge case but as a core data protection question. Compliance teams advising platforms with similar data licensing arrangements should assess whether their Article 5 posture can withstand the same scrutiny, particularly on repurposing of publicly accessible but user-authored content.

Two intersecting threads from the CJEU and U.S. courts crystallize broader tensions between law enforcement data access and individual rights protections. In Case C-5/25 (Pilev), a CJEU Advocate General has opined that Bulgarian law enforcement's systematic collection of identity data—including marital status and ethnicity—during criminal proceedings violates the Law Enforcement Directive's data minimisation principle under Article 4(1)(c). Should the Court follow this reasoning, the ruling would constrain identity profiling practices across member states where broad criminal procedure codes are the norm. In parallel, EFF, ACLU, and Georgetown Law have filed an amicus brief in Chatrie v. United States urging the Supreme Court to invalidate geofence warrants as unconstitutional general searches under the Fourth Amendment. The two cases converge on a shared principle: that state actors may not exploit procedural authority or technical infrastructure to conduct mass personal data collection without individualized justification. Separately, disclosed documents confirming U.S. Customs and Border Protection's use of ad-tech location data for warrantless surveillance reinforces that the same infrastructure enabling targeted advertising functions as a government data acquisition channel—a pattern that increases legislative pressure on Congress and commercial exposure for ad-tech intermediaries.

EU enforcement activity across Spain, Ireland, Germany, and France illustrates the breadth of current GDPR supervisory focus. Spain's AEPD has fined FC Barcelona €500,000 for deploying voice and facial biometric technology without a prior Data Protection Impact Assessment under Article 35, treating the procedural omission as a standalone enforcement basis independent of any demonstrated data misuse. The signal for organizations deploying biometric systems is direct: DPIA completion prior to deployment is not a formality but an enforceable prerequisite. Ireland's DPC has fined the University of Limerick €98,000 across violations spanning Articles 30, 32, 33, and 34, with the decision explicitly rejecting internal organizational delays as justification for late breach notification—a holding that tightens the operational window for incident escalation across all controllers. In Hamburg, the Landgericht has invalidated auto-ticked consent checkboxes on a flight booking platform, reinforcing that pre-selected consent mechanisms in e-commerce flows remain legally untenable under GDPR's affirmative action requirement. France's Conseil d'État has issued its ruling reviewing CNIL's €40 million sanction against Criteo, a decision that tests the durability of one of the EU's most closely watched adtech enforcement actions and will clarify how French administrative courts interpret consent validity and joint controllership in programmatic advertising.

In the United States, legislative and civil society dynamics around surveillance reform and child online safety are developing in tandem. CDT has submitted formal opposition to the House Energy and Commerce Committee's child safety bill package, arguing that several measures fail constitutional scrutiny and may compromise the protections they purport to create—intervention that signals organized resistance ahead of markup. Separately, EFF analysis characterizes the SAFE Act as an insufficient vehicle for genuine Section 702 reform, indicating that the bipartisan bill falls short of structurally constraining warrantless access to Americans' communications data. OpenAI's Pentagon contract continues to draw scrutiny over governance commitments that critics characterize as non-binding, with EFF's analysis contending that contractual language leaves surveillance applications effectively unconstrained. These threads collectively indicate that U.S. federal surveillance authority is expanding in practice even as legislative reform efforts remain structurally limited.

Several forward-looking items warrant attention in the coming weeks. The CJEU's judgment in C-5/25 (Pilev) is expected to follow the AG opinion and will carry immediate implications for law enforcement data practices across member states. The Supreme Court's docket in Chatrie v. United States makes geofence warrant doctrine one of the most consequential pending Fourth Amendment questions for technology companies. The Conseil d'État's Criteo ruling—decision text not yet fully published—will inform adtech compliance structuring across the EU once available. The CNIL and HAS joint public consultation on health data processing is open for response, and practitioners operating in French health data contexts should engage before the consultation closes. The Austrian BVwG's affirmation of DPA authority to reject abusive GDPR complaints also deserves monitoring as a procedural tool that other EU supervisory authorities may invoke to manage complaint volumes.