N03 | Thursday Edition | 3 April 2026

Digital Law Worldwide Update

Monday 30 March to Wednesday 1 April 2026

Top Headlines

  1. Portugal's NIS2 transposition entered into force on April 3, 2026, triggering immediate cybersecurity obligations for covered entities across energy, health, transport, digital infrastructure, and public administration.
  2. The CJEU held in Brillen Rottler (C-526/24) that even a first GDPR access request may be abusive, giving controllers a narrow but real defense against serial compensation claims.
  3. Colorado announced a consensus AI anti-discrimination framework to replace the heavily criticized SB 24-205.
  4. Kentucky HB 692 advanced in the Senate, adding automatic content recognition to the state's sensitive-data categories.
  5. Montana's MTCDPA cure period expired on April 1, 2026, moving the state to direct enforcement without a cure opportunity.
  6. China's behavioral pricing regulations take effect on April 10, 2026, requiring PIPL-compliant controls for pricing algorithms and behavioral profiling.
  7. The EDPB's 2026 Coordinated Enforcement Framework on transparency is now operational, with 25 DPAs contacting controllers across Europe.

Data Protection and Privacy

CJEU Rules First Access Request May Be Rejected as Abusive Under GDPR

Summary: On March 19, 2026, the Court of Justice of the European Union delivered its judgment in Case C-526/24 (Brillen Rottler), addressing so-called GDPR hopping. The Court held that even a first-time Article 15 request may be excessive under Article 12(5) GDPR if it was not made in good faith. Controllers, however, bear a high burden of proof and must show abusive intent rather than a genuine interest in verifying the lawfulness of processing.

Insight: The ruling rebalances data subject rights and controller obligations without diluting the right of access itself. It is especially important for controllers facing organized compensation strategies in Germany and Austria and may influence jurisdictions that model their privacy regimes on GDPR principles.

Action: DSAR procedures should now include an abuse-assessment path, centralized tracking of suspicious serial claims, and tightly documented use of Article 12(5) refusals.

Kentucky HB 692 Advances - Automatic Content Recognition Added as Sensitive Data

Summary: On March 31, 2026, Kentucky's HB 692 moved out of committee and onto Senate consent orders. The bill would classify automatic content recognition data, commonly used by smart TVs and streaming devices, as sensitive data requiring opt-in consent.

Insight: Kentucky is among the first states to target passive media-tracking technology directly in statute. The bill could become a template for other states looking beyond general privacy categories and toward device-specific surveillance practices.

Action: Smart-TV manufacturers, streaming platforms, and ad-tech vendors should prepare opt-in consent flows and update sensitive-data maps to include ACR.

Montana MTCDPA Right-to-Cure Period Expires

Summary: Montana's right-to-cure provision expired on April 1, 2026. Since the law took effect in October 2024, businesses had been given 60 days to cure alleged violations before enforcement action could proceed. That grace period has now ended.

Insight: Montana's low applicability threshold means direct enforcement risk reaches businesses that may fall below thresholds used by many other state privacy laws. The state's compliance posture is moving from guidance to consequences.

Action: Organizations subject to the MTCDPA should immediately re-check privacy notices, opt-out flows, request timing, and processor agreements against direct-enforcement risk.

EDPB Coordinated Enforcement Framework 2026 - Transparency Obligations Now Operational

Summary: The EDPB's 2026 coordinated action on transparency and information obligations under Articles 12, 13, and 14 GDPR has entered its operational phase, with 25 authorities contacting controllers across sectors.

Insight: Regulators are treating weak privacy communications as a systemic compliance failure rather than a drafting issue. This increases risk for organizations with outdated, opaque, or operationally inaccurate privacy notices.

Action: Audit privacy notices, layered notices, and collection-point disclosures for readability, accessibility, and factual accuracy.

AI and Emerging Technology Regulation

Colorado Announces Consensus AI Anti-Discrimination Framework

Summary: Around March 30, 2026, Colorado Governor Jared Polis announced that a cross-sector working group had reached consensus on how the state should regulate AI systems to prevent discrimination, replacing SB 24-205.

Insight: The announcement suggests a more pragmatic second generation of US state AI governance, with narrower and more operationally realistic obligations focused on consequential uses of AI.

Action: Companies using AI in hiring, lending, insurance, housing, or healthcare should map high-risk systems now and watch for the legislative text once introduced.

White House National Policy Framework for AI - Federal Preemption Debate Intensifies

Summary: The White House's March 20, 2026 National Policy Framework for Artificial Intelligence continued to drive analysis during the coverage window, especially around its recommendation for a national federal standard and its treatment of state preemption.

Insight: The defining fault line in US AI governance is now federal simplification versus state experimentation. A single national standard could reduce compliance costs while also potentially overriding stronger state protections.

Action: Legal and compliance teams should assess how federal preemption would affect current state-law programs and monitor Congress for implementing proposals.

AI Industry Political Spending Surges Ahead of 2026 Midterms

Summary: Reporting during the coverage window confirmed that AI-linked political spending is ramping up ahead of the 2026 US midterms, including a USD 100 million commitment from Innovation Council Action.

Insight: AI governance is becoming mainstream political terrain. That raises the risk that campaign finance and lobbying pressure will shape regulatory outcomes as much as technical policy design.

Action: Government affairs teams should track AI-related campaign positions and prepare scenario plans for different post-election regulatory outcomes.

Cybersecurity Legislation

Portugal's NIS2 Transposition Enters Into Force

Summary: On April 3, 2026, Portugal's Decree-Law No. 125/2025 entered into force, bringing the country's NIS2 regime online after a 120-day implementation period. Covered entities must designate a Cybersecurity Officer within 20 days and meet 24-hour and 72-hour incident-reporting deadlines.

Insight: Portugal's delayed transposition still produces an immediate compliance shock because affected entities now face active obligations and board-level accountability with little further transition time.

Action: Covered entities should confirm scope, appoint the officer, test reporting workflows, and brief management on the liability implications.

EU Commission's January 2026 NIS2 Amendment Proposals Continue to Generate Discussion

Summary: The Commission's January 20, 2026 targeted NIS2 amendment proposals continued to generate analysis, especially around cross-border jurisdiction, ransomware reporting, the proposed small mid-cap category, and ENISA's expanded coordination role.

Insight: The amendments reflect recognition that the original directive created implementation friction, but they do not justify delaying current compliance work.

Action: Continue NIS2 implementation while monitoring the legislative process for future simplifications.

Platform and Digital Services Regulation

EU-US Tensions Over DMA and DSA Enforcement Continue to Escalate

Summary: Enforcement against major US technology companies under the DMA and DSA continued to fuel political confrontation between Brussels and Washington during the coverage window.

Insight: Platform regulation is now also a geopolitical issue. Compliance and enforcement risk cannot be analyzed in isolation from broader EU-US trade and political tensions.

Action: Gatekeepers and large platforms should keep compliance programs fully active and monitor policy statements on both sides of the Atlantic.

Digital Trade and Cross-Border Data

China's Behavioral Pricing Regulations Take Effect April 10, 2026

Summary: China's Rules for Price Behavior on Internet Platforms take effect on April 10, 2026. The rules require valid consent, transparency, and access to non-personalized pricing where personal data is used in pricing algorithms.

Insight: China is treating behavioral pricing as a combined data-protection, consumer-protection, and competition issue. That creates new compliance work at the intersection of profiling, consent, and commercial pricing logic.

Action: Platforms should audit pricing inputs immediately and implement disclosure and consent controls before the effective date.

Intellectual Property in the Digital Space

US Supreme Court Denies Certiorari in Thaler v. Perlmutter

Summary: Continued analysis during the coverage window focused on the Supreme Court's refusal to hear Thaler v. Perlmutter, leaving intact the rule that works generated entirely by AI without human creative contribution are not eligible for copyright protection under US law.

Insight: The decision settles only the zero-human-input edge case. The commercially important question remains how much human contribution is enough in AI-assisted works.

Action: Document human creative input carefully in AI-assisted content workflows and keep tracking Copyright Office guidance.

AI Copyright Litigation Wave Continues - OpenAI Output Logs Ordered Disclosed

Summary: Major AI copyright cases continued to advance, including further output-log discovery in the OpenAI litigation and the consequences of Thomson Reuters v. Ross Intelligence for specialized AI training uses.

Insight: Courts are beginning to distinguish between highly transformative general-purpose training and more vulnerable specialized training uses that compete directly with protected source material.

Action: AI developers should tighten training-data provenance records and reassess output-related copyright exposure.

Digital Identity and Authentication

Ireland Confirms EUDI Wallet Launch Timeline for End of 2026

Summary: Ireland confirmed that it remains on track to launch its EUDI Wallet by the end of 2026, in line with eIDAS 2.0.

Insight: The timeline reinforces the practical momentum behind the EUDI Wallet even though technical specifications and interoperability details remain incomplete.

Action: Financial institutions and identity vendors should begin integration planning and DPIA work now.

Telecommunications and Spectrum

FCC Launches Rulemaking on Wireless Infrastructure Deployment

Summary: The FCC launched a new rulemaking on wireless infrastructure and cell towers aimed at accelerating network densification and clearing local barriers to 5G and future 6G deployment.

Insight: The move signals stronger federal willingness to subordinate local siting friction to national connectivity goals.

Action: Telecom operators should engage in the rulemaking and assess infrastructure, privacy, and permitting implications.

Upcoming Deadlines and Effective Dates

  • April 3, 2026: Portugal NIS2 transposition takes effect.
  • April 10, 2026: China's Rules for Price Behavior on Internet Platforms take effect.
  • April 28, 2026: Expected second trilogue on EU AI Act Digital Omnibus amendments.
  • May 1, 2026: Deadline pressure increases for multiple US state privacy-law compliance updates.
  • May 2, 2026: Practical 30-day milestone tied to Portugal's Cybersecurity Officer notification timeline.

Trend Watch

The dominant theme this week is enforcement maturity. Across privacy, cybersecurity, AI governance, and platform regulation, regulators are moving from consultation and transition to direct operational scrutiny. Organizations now need provable readiness, not just policy intent.

Executive Summary

This week's developments show a global digital-law landscape moving decisively from adoption into enforcement. Portugal's NIS2 go-live, the EDPB's live transparency action, Montana's expired cure period, and China's imminent pricing rules all reinforce the same message: in 2026, compliance maturity is being tested operationally.

Digital Law Worldwide Update is produced for legal professionals, in-house counsel, compliance officers, and consultants.