Guest editorial - Elisabeth Marrache
With the high speed and sheer volume of these changes, you may be finding it difficult to keep on top of all the relevant laws and guidance, but our Data specialists in the UK, EU and Middle East are available to help – we look forward to hearing from you.
Elisabeth Marrache is a partner in Addleshaw Goddard's IP/IT & Data Protection team, based in our Paris office.
Click on the links below to read more:
Social media bans for children – updates from France, the UK and further afield
In France, the Sénat (one of the two houses of the French Parliament) has recently voted to approve a bill to restrict social media for children under 15. The initial bill, prepared in line with the EU Digital Services Act (DSA) and the European Commission’s guidelines on protecting minors online (July 2025), proposed a “general and absolute ban” on social networks. This approach has been strongly criticised, as it could apply both to networks with proven harmful effects and to online services where no risks to the health and safety of minors have been demonstrated. In response, the Sénat opted to differentiate between (i) social networks that could harm the development of minors, which should be completely banned, and (ii) other social networks, which minors may access with the permission of a legal guardian under certain conditions (such as content, daily time limits, and hours of use). This latter category includes notably online encyclopaedias, educational directories, and platforms for developing and sharing open-source software. As the Sénat’s version of the bill now includes this two-tier approach which differs from that of the Assemblée Nationale (the lower house), both houses must meet in a joint committee to agree on a compromise before the bill can become law.
In the UK, the government is currently running a consultation on whether to introduce a minimum age for social media or address concerns differently, for example by introducing an overnight curfew or requiring providers to switch off addictive features. Australia’s social media ban for under-16s came into force in December 2025, but has already been challenged in court, and reports suggest that enforcement is proving difficult, prompting an investigation by the Australian eSafety Commissioner.
Age verification update
In addition to social media bans, the wider issue of protecting children from online harm is a hot topic in the UK, EU and worldwide. In the UK, the Information Commissioner’s Office (ICO) has fined Reddit £14.47 million for UK GDPR breaches relating to the absence of an age assurance mechanism and failure to conduct a data protection impact assessment (DPIA). In addition, the ICO and Ofcom have published joint guidance to clarify how UK online services can meet their obligations under the Online Safety Act (OSA) and data protection law when implementing age assurance.
In the EU, the European Commission has announced that it has opened an investigation into Snapchat's potential breaches of the DSA including insufficient age assurance measures (ie reliance on self-declaration), as well as other concerns about failure to protect minors from harmful messages and other consent. At an international level, the Global Privacy Enforcement Network has published a report highlighting concerns about children’s privacy online, including a lack of effective age assurance measures.
The EU Digital Omnibus
In November 2025 the European Commission published two proposals (referred to as the “Digital Omnibus”) to reform EU data, cyber and AI laws, including the GDPR, ePrivacy Directive, Data Act, Data Governance Act, NIS2 Directive and EU AI Act.
The proposals to reform the AI Act have been separated from the other proposals because of the need to move quickly to postpone deadlines due to take effect in August 2026. In March 2026 the European Parliament and Council adopted their respective positions on the AI Omnibus proposal and negotiations between the institutions began. The Commission, Parliament and Council need to reach agreement before the proposals can become law. We have published a series of articles about the Digital Omnibus:
EU Digital Omnibus proposals to reform data and AI laws – the official version
EU Digital Omnibus – the EDPB and EDPS joint opinion
EU Digital Omnibus on AI – the EDPB and EDPS joint opinion
EU Digital Omnibus on AI update: the Council and Parliament agreed positions
For more information and advice about how the proposals could impact your organisation, please contact a member of our Data team.
EU Cyber Resilience Act: Commission draft guidance
The EU Cyber Resilience Act (“CRA”) imposes cybersecurity requirements on manufacturers, importers and distributors of connected devices, meaning products with digital elements and data connection to a device or network. Most of the CRA’s provisions become applicable in December 2027, but the obligations to report vulnerabilities and incidents become applicable on 11 September 2026. The European Commission has recently published draft guidance on the CRA (“the Guidance”), which is intended to clarify a number of issues relating to the CRA’s scope and obligations.
We have published an article about the Guidance, focused on the key issues that clients are asking us about:
- The concept of “placing on the market”, including how this applies to software
- Substantial modifications and software updates – when are substantially modified products treated as new products, and how does this apply to software?
- Complex systems – when do they constitute a product under the CRA?
- Support periods – how do the rules apply to new versions of software?
For advice about the scope of the CRA and how to comply with its requirements, please contact a member of our Data team.
DSARs: CJEU confirms that data subjects must prove damage caused by breach to receive compensation
The right of access under the GDPR is a cornerstone of data protection, empowering individuals to understand and control how their personal data is processed. However, controllers have increasingly faced challenges from data subjects who appear to misuse this right, submitting access requests not for genuine data protection purposes but to create grounds for compensation claims.
In its decision of 19 March 2026, the CJEU held that even a first request for access can be considered abusive if it is made solely to create the conditions for claiming compensation under the GDPR, rather than to verify data processing. The CJEU further clarified that compensation under the GDPR requires the data subject to demonstrate actual damage, and that compensation may be denied if the damage is primarily the result of the data subject’s own conduct.
For more information read our article GDPR gold diggers beware: CJEU rules data access requests aren’t a free ticket to compensation.
For advice on how to respond to DSARs, including those that you consider abusive, please contact a member of our Data team.
Update on the UK Data (Use and Access) Act’s entry into force
The Data (Use and Access) Act 2025 (DUAA) received Royal Assent in June 2025 and has been entering into force in stages. See our article The Data (Use and Access) Act 2025: top 7 changes you need to know about for an overview of the key changes that DUAA makes to data protection law. Most of these changes came into force in February 2026, including the changes to the rules on cookies, which introduce new exceptions to the requirement to obtain consent. Addleshaw Goddard partner Claire Edwards and senior knowledge lawyer Sam Morrow have written a practice note for Practical Law: Changes to UK cookie rules: Data (Use and Access) Act 2025 (subscription required). This covers:
- The updated law – the new exceptions to the consent requirement, plus the obligations to provide information and an opt-out
- Practical steps to take when placing cookies or similar technologies – this includes how the opt-out may work
- The ICO's guidance and evolving approach to enforcing the cookie rules – this highlights that the ICO is expected to publish an update on further changes to PECR's cookie rules
- The implications for organisations operating cross-border in the UK and EU – as DUAA only amends UK law, how should organisations operating in the UK and EU address the changes?
The requirement to implement a procedure to facilitate complaints about breaches of data protection law comes into force on 19 June 2026.
For advice about compliance with the complaints procedure requirement or on how to make use of DUAA’s relaxation of certain aspects of UK data protection law, please contact a member of our UK team. As DUAA only amends UK law, organisations operating in both the UK and EU may wish to discuss what changes they could make while continuing to comply with the EU version of the GDPR where applicable.
Presumption of use of protected content by AI providers – French striking procedural innovation
In France, the Sénat has unanimously adopted a bill to amend French Code of Intellectual Property by introducing a presumption of use of cultural content by AI providers. The bill states: “Unless proven otherwise, in any civil dispute, a work or object protected by copyright or related rights, as defined in this Code, is presumed to have been used by the provider of the artificial intelligence model or system, provided that any evidence relating to the development or deployment of that system or to the result generated by it makes such use plausible.”
In other words, if evidence related to an AI system’s development, deployment, or outputs makes the use of a protected work plausible, that work is deemed to have been used. The bill seeks to address information asymmetry in AI disputes by shifting the burden of proof, as AI providers control key details that rightsholders cannot access. This presumption lowers the threshold for initiating litigation, as even relatively weak indications of output similarity can trigger it. Once the presumption is in play, the defendant must disprove use—a difficult task in complex technical systems.
This French bill aligns with recent EU developments, which also aim to strengthen the legal framework governing the use of copyright-protected works by AI models (European Parliament resolution on copyright and generative AI, 10 March 2026). These EU developments emphasise that copyright is a fundamental right that must be protected at every stage of AI tool development and highlights the challenges of proving the use of protected works.
