March 16, 2026

The Ninth Circuit's partial reversal of the injunction blocking California's Age-Appropriate Design Code marks the most consequential development of the day for platform regulation in the United States. The panel's ruling—the court's third rebuke of NetChoice's First Amendment litigation strategy—applies the evidentiary and analytical standards the Supreme Court set in Moody v. NetChoice to find that broad constitutional arguments cannot serve as a blanket shield against technology-sector regulation. With significant CAADC provisions now eligible to take effect, and with EPIC and allied scholars simultaneously filing in support of California's SB 976 against algorithmic feed challenges from TikTok, Meta, and Google, a discernible pattern is emerging: federal courts are narrowing the doctrinal space in which platforms can invoke speech rights to defeat conduct-targeted regulation. The Supreme Court's grant of certiorari in Salazar v. Paramount Global—which will resolve circuit-level ambiguity over the VPPA's application to modern streaming services—and the Chatrie v. United States geofence warrant cases add further urgency to the US privacy litigation calendar. Taken together, these docket developments indicate that the constitutional and statutory architecture governing platform data practices faces meaningful judicial recalibration within the next term.

AI training data practices are drawing coordinated enforcement attention across the Atlantic. The Dutch DPA has expanded its ex-officio investigation into Reddit BV to include Article 5 GDPR—adding the foundational lawfulness, fairness, and transparency principle to existing scrutiny of Articles 6, 13, and 21—after media reporting on user content being sold or licensed for AI model development. The expansion reflects a deliberate prosecutorial sequencing: by folding Article 5 into the case before the Rechtbank Den Haag, the Dutch authority positions itself to contest not merely the legal basis for processing but the integrity of Reddit's data governance at a structural level. This approach mirrors the broader EU enforcement posture toward AI data pipelines and warrants close attention from any platform that has licensed or shared user-generated content for model training purposes. Separately, the CJEU Advocate General has issued an opinion in Case C-5/25 (Pilev) finding that Bulgarian law enforcement's systematic collection of identity data—including marital status and ethnicity—during criminal proceedings falls within the Law Enforcement Directive and violates its data minimisation principle. Should the Court follow the AG's reasoning, the ruling would carry direct compliance implications for member states where broad identity profiling is embedded in criminal procedure.

The intersection of AI and domestic surveillance is generating sustained legal uncertainty in the United States, with two developments reinforcing each other. A publicly surfaced dispute between the Department of Defense and Anthropic has renewed attention to the absence of definitive statutory authority either permitting or prohibiting AI-assisted bulk collection of data on US persons—a gap that has persisted since the partial legislative response to the Snowden disclosures. OpenAI's subsequent agreement to fill the DoD contracting gap has drawn criticism, with the EFF and others arguing that contractual usage restrictions contain insufficient protections against surveillance applications. The EFF's concurrent analysis of the SAFE Act—described as an imperfect vehicle for meaningful Section 702 reform—underscores that the legislative pathway to resolving these ambiguities remains contested. Compliance and legal teams operating at the defense-contracting and privacy interface should treat this cluster as an active regulatory risk zone, not a settled framework.

Enforcement activity across the EU and UK reinforces that GDPR accountability obligations extend well beyond commercial data brokers. Ireland's DPC has fined the University of Limerick €98,000 across six breach-related failures, signaling continued application of core accountability requirements to higher education institutions. Spain's AEPD has opened an Article 5(1)(f) investigation into a breach affecting approximately one million individuals, and separately imposed a €1.1 million fine against biometric identity provider Yoti for GDPR violations including unlawful processing and excessive data retention. Austria's Federal Administrative Court has affirmed DPA discretion to reject complaints filed in manifest bad faith—a notable procedural clarification for DPA resource management. In the UK, the ICO has secured criminal convictions for insider data sales in the insurance and claims management sectors, reinforcing that employee-level data access controls remain an active enforcement vector. France's CNIL has added texture to the standards environment with guidance on filtering web proxy servers and a formal cooperation agreement with the Haute Autorité de Santé, positioning both authorities to shape digital health data governance ahead of EU health data space implementation.

Several forward-looking pressure points warrant attention over the coming weeks. The CJEU's eventual ruling in Pilev will determine how far the Law Enforcement Directive constrains national criminal procedure data practices across all member states—a judgment with broad operational reach. The Supreme Court's docket in Chatrie will establish binding federal precedent on geofence warrants, with oral argument preparation now underway following competing amicus filings from EPIC, EFF, and ACLU. Nigeria's public consultation on social media age restrictions—explicitly benchmarked against Australia's model—should be monitored alongside the UK's parallel parliamentary activity as an indicator of whether a second wave of age-assurance mandates is consolidating globally. And the Dutch DPA's expanded Reddit investigation sets a near-term test for how aggressively European authorities will pursue AI training data cases under the full Article 5 framework, potentially establishing a procedural template that other member-state authorities adopt.