March 17, 2026

The Ninth Circuit's partial reinstatement of California's Age-Appropriate Design Code marks the most consequential domestic development of the past 24 hours, delivering a third judicial rebuke to NetChoice's First Amendment litigation strategy and allowing substantial portions of the CAADC to take immediate effect. The panel's explicit reliance on Moody v. NetChoice's evidentiary standards signals that courts are narrowing the constitutional runway available to platforms contesting content and design regulations—a pattern reinforced by a separate EPIC-led amicus filing in support of California's SB 976, which contests the premise that surveillance-driven algorithmic feeds constitute protected speech. Together, these developments indicate that First Amendment absolutism as a defense against platform regulation faces sustained and coordinated judicial and academic resistance. The Supreme Court's grant of certiorari in Salazar v. Paramount Global adds a further dimension: the Court will now resolve circuit-level ambiguity over the Video Privacy Protection Act's application to modern streaming services, with direct exposure implications for any organization hosting or embedding digital video. Meanwhile, the Court's pending consideration of Chatrie v. United States—drawing amicus pressure from EPIC, EFF, ACLU, and Georgetown Law—will determine whether geofence warrants satisfy Fourth Amendment particularity requirements, a ruling that would bind law enforcement and technology companies nationally.

GDPR enforcement across the EU and UK continues to expand both in scope and sectoral reach. The Dutch DPA's decision to broaden its Reddit BV investigation to encompass Article 5's foundational principles—after initial scrutiny of Articles 6, 13, and 21—signals that regulators are prepared to apply GDPR's most fundamental lawfulness and fairness obligations to AI training data practices, not merely notice and consent mechanics. Ireland's DPC has fined the University of Limerick €98,000 across six breach-related failures, extending accountability expectations firmly into the higher education sector. Spain's AEPD has opened a parallel investigation into a breach affecting approximately one million individuals, focusing on Article 5(1)(f)'s security integrity requirement, while also having previously fined digital identity provider Yoti €1.1 million for unlawful biometric processing. The UK ICO's criminal convictions of two former claims-sector employees for insider data sales under the DPA 1998 and Computer Misuse Act underscore that enforcement extends beyond organizational fines to personal criminal liability for employees with privileged data access. Austria's Federal Administrative Court has separately affirmed DPA discretion to reject bad-faith GDPR complaints, offering regulators a procedural tool against complaint mechanisms weaponized for collateral purposes.

At the EU institutional level, two CJEU developments involving Case C-5/25 (Pilev) warrant close attention from compliance teams operating across member states. An Advocate General opinion issued March 5 holds that Bulgarian law enforcement's systematic collection of identity data—including marital status and ethnicity—conflicts with the Law Enforcement Directive's data minimisation principle under Article 4(1)(c). Should the Court adopt this reasoning, the ruling will constrain identity profiling practices embedded in criminal procedure codes across multiple member states, with particular implications for jurisdictions where broad identity verification is routine. Separately, the EDPS and EDPB have issued a joint opinion on proposed EU biotech regulation, demanding specific safeguards for sensitive health data in clinical trial harmonization—signaling data protection authorities' intent to shape emerging regulatory frameworks before legislative text is finalized. France's CNIL has reinforced this coordinated approach domestically, formalizing a partnership with the health quality authority HAS and publishing privacy-by-design guidance for filtering web proxy servers.

The AI surveillance nexus between US defense contracting and domestic privacy law has sharpened following a public dispute between the Department of Defense and Anthropic, which has exposed the absence of definitive statutory authority either permitting or prohibiting AI-assisted bulk collection on US persons. EFF's concurrent analysis of OpenAI's Pentagon contract terms characterizes contractual safeguards against domestic surveillance as insufficiently binding, a position that aligns with broader civil society concern about the adequacy of usage-policy constraints in national security contexts. Congress has not yet clarified the surveillance authority question, and no judicial resolution is imminent; the EFF's assessment of the SAFE Act as an imperfect vehicle for Section 702 reform further illustrates the legislative gap. YouTube's extension of AI likeness detection to journalists, officials, and political candidates represents a notable industry-side response to deepfake proliferation, complementing legislative momentum behind the federal NO FAKES Act.

Several forward-looking pressure points merit monitoring. The Supreme Court's VPPA and geofence warrant proceedings are likely to generate significant compliance obligations for technology companies and law enforcement agencies regardless of outcome. Maine's LD 1822, modeled on Maryland's privacy statute and now through the Senate, advances a replicable legislative template that other states are watching closely. Nigeria's public consultation on children's social media age restrictions—explicitly benchmarked against Australia—adds a significant jurisdiction to the convergent global wave of child online protection legislation, joining active proceedings in the UK and enforcement directives in Florida. The Dutch DPA's expanded Reddit investigation is likely to serve as a reference proceeding for GDPR enforcement on AI training data across Europe, and its trajectory through the Rechtbank Den Haag will be closely tracked by platforms with similar data licensing arrangements.