Insights

On February 27, 2025, the Court of Justice of the European Union (“CJEU”) issued a ruling about the requirements on data controllers to respond to data access requests regarding an automated decision-making system. In particular, the CJEU interpreted the meaning (under Article 15(1)(h) GDPR) of the phrase “meaningful information about the logic involved” in automated decision-making. Importantly, the ruling also separately addressed how to balance data access rights with the protection of the controller’s trade secrets, when the protection of trade secrets is invoked under Article 15(4) as a reason not to disclose a copy of personal data in an access request.

At the beginning of the year, we brought to your attention that a number of important Belgian and EU legislative changes are likely to have an impact in 2024: there are new laws that have been adopted and proposals that are expected to firm up into law.

On February 17, 2024, The Digital Services Act (DSA) will become applicable, introducing a new regulatory framework for providers of intermediary services. The DSA will apply to those offering their services to users located in the EU, regardless of the providers' place of establishment. We have discussed the new obligations in our previous client alert, when the DSA was adopted. In this alert, we will focus on the notice and action mechanisms, the positions of the users, intermediaries and the general public.

On June 13, 2024, the European Union (EU) adopted the Artificial Intelligence Act (EU AI Act), making it the first-ever global law to regulate the use of artificial intelligence in a broad and horizontal manner. The historic measure applies to the development, deployment, and use of AI in the EU. Importantly, the EU AI Act has a certain “extra-territorial” effect to the extent that it is applicable to providers placing AI systems on the market in the EU, even if these providers are established outside the EU.

The EU Cyber Resilience Act (CRA) was formally adopted by the European Council on October 10, 2024. Its main goal is to enhance cybersecurity and cyber resilience across the EU by establishing common cybersecurity standards for digitally enabled products, such as required incident reports and automatic security updates. This includes, for example, connected home products (cameras, fridges, toys), password managers, firewalls, and VPNs.

On October 18, 2024, the requirements of Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive) entered into force. The NIS2 Directive outlines the cybersecurity responsibilities of both “essential” and “important” entities, and sets out the duties of “management bodies,” emphasizing their potential liability for failure to comply with the new mandates, along with significant penalties for entities that fail to meet their obligations.

In Collaboration with the IBJDuring this webinar we will dive into the European Directive on pay transparency that entered into force in June 2024 and has to be transposed for June 2026 in all EU Member States. This European Directive has the ambition to strengthen the application of the principle of equal pay for equal work or work of equal value between men and women, for all employees in all sectors. The Directive brings significant new reporting obligations and assessment obligations on employers that the EU Member States will publish. How will you have to calculate the threshold to know if your company as an employer falls under the scope of the Directive? And what happens when there is a gap in the equal pay? What will you have to do as an employer? What kind of enforcement does the Directive foresee? Lastly, did you know that in the US there is an Equal Pay Act that has been in force since 1963? How has that statute been applied in the US and what are the differences and similarities with the European Directive? Our special US guest will teach us some interesting US-insights.