The Swedish Authority for Privacy Protection will prioritize high-risk privacy areas this year. The watchdog said it's raising its game on guidance and risk-based supervision but is ready to shift focus if necessary.

The European Data Protection Board Friday issued additional guidance on processing air passenger name record (PNR) data under the EU PNR Directive.

The European Data Protection Supervisor published a review of its activities during its 2020-2024 term, describing its work during the COVID-19 crisis. In addition, the report includes content about EDPS' enforcement activities and efforts to create global privacy standards and a more coherent approach to data protection across the EU. The term was "synonymous with adaptability and resilience," wrote EDPS supervisor Wojciech Wiewiorowski.

The European Commission's adequacy decision permitting data flows from Europe to the U.K. expires June 27 and there are concerns about U.K. legislative reforms to data protection rules, a March Parliamentary Research Services memo said.

The Serbian Commissioner for Information of Public Importance and Personal Data Protection approved a 2025-2027 action plan for implementing its 2023-2030 privacy strategy. The plan will "significantly contribute" to better data protection for Serbians, it said.

The Irish Data Protection Commission posted a statement to organizations on how it deals with concerns from data subjects that an organization isn't handling their data access requests appropriately under the General Data Protection Regulation. It noted that it "regularly handles" such complaints.

Businesses trying to limit information they would otherwise have to disclose under data protection laws but consider trade secrets could be forced to disclose those secrets to a court or arbitrator under a recent decision by the European Court of Justice (ECJ), Pinsent Masons attorneys noted Friday. The decision involves the interplay between General Data Protection Act provisions on automated decision-making and EU trade secrets law, they wrote.

The Latvian Data State Inspectorate published a list of data processing activities that don't require data protection assessments. The guidelines aim to give organizations a practical and clear approach to risk identification and management, the privacy watchdog said.

The Dutch data protection authority (DPA) Thursday launched a public consultation on ensuring meaningful human intervention in algorithmic decision-making. If organizations use only algorithms and AI for decision-making, it said, that could result in groups being excluded or discriminated against. If they want to use algorithms and AI, it said, they must comply with the General Data Protection Regulation.

The European Data Protection Board (EDPB) will focus this year on enforcing people's "right to be forgotten," or right to erasure, via its coordinated enforcement framework (CEF), it announced Wednesday. It chose this topic as it's one of the most frequently exercised rights under the General Data Protection Regulation (GDPR) and one where data protection authorities (DPAs) receive the most complaints, the board said.