
We continue to share clear and practical insights on the latest developments in data protection, AI, and tech regulation, helping you stay informed and compliant in this ever-changing digital landscape.
Whether you manage compliance or simply want to stay safer and better informed online, this newsletter is for you.
As always, our Data Protection Team is here to help. If you would like tailored advice or to discuss a specific issue, please contact us using the details at the end of this page.
European Council and Parliament reached provisional agreement on AI Digital Omnibus
On 7th May 2026, the European Council and European Parliament (the Authorities) reached a provisional agreement to simplify and streamline the EU Artificial Intelligence Act (AI Act), as part of the Digital Omnibus package proposed by the European Commission in late 2025.
🧩Key takeaway
The Authorities agreed to the following key adjustments of the AI Act in the provisional agreement:
1. Extended implementation timelines
Organisations get more time to prepare for several key obligations:
- Watermarking obligations for AI-generated content: 2 December 2026
- High-risk AI rules: 2 December 2027 for stand-alone high-risk AI systems (such as recruitment tools, credit-scoring systems, or AI used in education)
- High-risk AI rules: 2 August 2028 for high-risk AI systems embedded in products (such as medical devices, vehicles, or industrial machinery)
- National AI regulatory sandboxes: competent authorities have until 2 August 2027 to establish them.
2. New Prohibition on Non-Consensual and Child Sexual Abuse Material
A new banned AI practice is added, regarding the generation of non-consensual sexual and intimate content or child sexual abuse material. Organisations have until 2 December 2026 to bring their systems into compliance.
3. Broader Permission for Processing Special Categories of Personal Data
Providers and deployers of AI systems, whether high-risk or not, may process sensitive personal data (such as health, biometric, or racial information) where strictly necessary to detect and correct biases, provided appropriate safeguards are in place.
4. Extended Support for Smaller Businesses
Existing regulatory privileges for Small and Medium-sized Enterprises (SMEs) will be extended to small mid-cap enterprises, to support their growth.
5. Less duplication for regulated industries
Where equivalent rules already exist in sector-specific laws, for example in finance, healthcare, or insurance, companies will not have to comply twice. The Commission will issue further guidance to clarify exactly where this applies.
6. Governance Clarifications
The supervisory competences of the AI Office over AI systems based on general-purpose AI models will be clarified, while listing exceptions where national authorities remain competent.
The provisional agreement remains subject to formal adoption by both the European Parliament and the Council, a process expected to conclude in the coming weeks, ahead of the original August 2026 deadline for high-risk AI system obligations.
❔Why is it important?
The provisional agreement confirms the EU institutions’ shared intent to simplify the AI Act, make it more workable in practice, and remove regulatory overlaps.
Startups and scaleups, in particular, benefit from greater regulatory certainty and more room to innovate, without being overwhelmed by compliance burdens.
For organisations operating in Luxembourg and across the EU, the extended timelines offer a valuable window to audit AI systems, update internal policies, and align with the new rules before they bite.
Ultimately, these changes send a clear signal that the EU is serious about fostering AI innovation - not just regulating it.
EU Commission draft guidelines on the implementation of the transparency obligations for certain AI systems under EU AI Act
On 8th May 2026, the European Commission published draft Guidelines on the implementation of the transparency obligations for certain AI systems under Article 50 of the EU AI Act (the Guidelines).
The Guidelines run in parallel to the Code of Practice on marking and labelling of AI-generated content, aiming to clarify the scope of the legal obligations and to address aspects not covered by the Code.
🧩Key takeaway
The draft Guidelines detail several transparency obligations under Article 50 of the AI Act, applying to different types of AI systems or their outputs - with limited exceptions, such as for law enforcement purposes.
1. For AI systems that talk or interact directly with people (Art. 50(1)): people must be informed that they are interacting with an AI system, unless it is already obvious. Disclosures contained only in terms and conditions, URLs or documentation do not count.
2. For AI systems creating or changing audio, image, video, or text (Art. 50(2)): the output must be technically marked (e.g. watermarked) so it can be detected as artificial. This includes content that mixes AI and human work.
3. For AI systems involving emotion recognition or biometric categorisation (Art. 50(3)): deployers must inform individuals exposed to them - whether in writing, through standardised icons, or orally, depending on the context.
4. For AI systems creating or changing images, audio, or videos that constitute deepfakes (Art. 50(4)): deployers must disclose as artificial any content that resembles existing persons, objects, places, entities, or events and is likely to be mistaken as authentic or truthful.
5. For AI systems that create or change text published to inform the public on matters of public interest (Art. 50(4)): deployers must disclose that the content is AI-generated or manipulated.
The draft Guidelines are open for consultation until June 3, after which the Commission will adopt a finalised official version.
❔Why is it important?
According to Article 113 of the AI Act, Article 50 will apply as from 2 August 2026, requiring all in-scope AI systems placed on the EU market or put into service in the EU to be compliant, regardless of when they were introduced.
The draft Guidelines offer valuable early regulatory insight, helping providers and deployers of AI systems to prepare for and comply with the upcoming transparency obligations.
CNIL warns on smart glasses privacy risks and launches action plan
On 11 May, the CNIL (French data protection supervisory authority) published a warning that smart glasses raise significant privacy, ethical, and societal concerns, and announced a dedicated action plan to address these risks.
🧩Key takeaway
Smart glasses are wearable devices fitted with sensors (microphone and camera), connected to a mobile phone or AI system. They enable hands-free calls, music, photos, and real-time AI interactions – such as voice commands, environmental analysis, and translation – and may include a built-in screen.
The CNIL warns that smart glasses can secretly capture and process personal data, risking widespread surveillance and threatening privacy and freedoms – especially in sensitive spaces. Users are subject to GDPR and may face civil and criminal liability.
Indeed, both France and Luxembourg impose sanctions on unauthorised data capture:
- French Penal Code (Article 226-1): capturing, recording, or transmitting - without consent - a person's image in a private place, their private or confidential communications, or their real-time or delayed location data, is punishable by up to 1 year in prison and a €45,000 fine.
- Luxembourg Law of 11 August 1982 on the Protection of Privacy (Article 2): capturing, recording, transmitting, or observing - without consent - a person's private communications or image in a private place, by any device, is punishable by 8 days to 1 year in prison and a fine of €251–€5,000.
The CNIL recommends that users follow these best practices:
- Inform people nearby when using smart glasses.
- Disable recording functions as soon as they are no longer needed.
- Turn off smart glasses whenever asked to turn off the mobile phone.
- Avoid using the glasses in places where people do not expect them.
- Obtain consent before sharing photos or videos featuring others on social media.
- Think before sharing – even a seemingly harmless post can have lasting consequences.
❔Why is it important?
The CNIL’s position is significant beyond France. As smart glasses are capable of capturing, processing, and interpreting data in real time without people being aware, the concerns raised by the CNIL apply broadly to all organisations subject to the GDPR and similar privacy frameworks across the EU, including Luxembourg.
Accordingly, users of smart glasses, including organisations deploying or permitting the use of smart glasses in the workplace or customer-facing environments, should respect the right to privacy of people whose image or voice may be captured by the glasses and obtain their consent, where appropriate.
UK Data Use and Access: ICO recommendations on the obligation to have a complaint procedure
With the imminent entry into force of the UK Data (Use and Access) Act (DUAA) on June 19 2026, the Information Commissioner's Office (ICO), the British data protection supervisory authority, has published targeted guidance.
This guidance aims to remind organisations of their upcoming obligation to establish a formal data protection complaints procedure.
🧩Key takeaway
Under the DUAA's new complaints framework, organisations are required to provide an accessible method for individuals to submit complaints. The ICO's guidance sets out four core obligations:
- Provide a clear and accessible channel to receive complaints (electronic form + alternatives such as email and post)
- Acknowledge receipt within 30 days
- Investigate the complaint without undue delay and keep the complainant informed of progress
- Communicate the outcome in plain, accessible language and inform the individual of their right to escalate to the ICO if unsatisfied.
Data subjects must now first raise their complaint with the data controller before escalating to the ICO. This is a shift that introduces an intermediate step between individuals and regulatory intervention.
Beyond these obligations, organisations should also ensure the complaints process is easy to locate, prominently linked from privacy notices and websites, and staffed by trained personnel able to identify and escalate data protection complaints appropriately.
Organisations that fail to implement a compliant process by 19 June 2026 risk regulatory scrutiny and fines of up to £17.5 million or 4% of global turnover.
❔Why is it important?
This new regime gives organisations the opportunity to resolve complaints early and demonstrate accountability, but only if the process is functional and accessible.
Individuals will now have a clearly defined, legally guaranteed route to raise concerns about how their personal data is being used directly with the organisation responsible.
Contact
Need advice on Data Protection, AI, or Whistleblowing compliance?
Our Data Protection team is here to support you. Contact us today to discuss your needs and explore how we can assist you: Dara Kelly, Head of Advisory, or Pasquale Esposito, Data Protection Officer.