March 2026

TMT Newsletter | March 2026

Outlook

On 14.04.2026, the CJEU will decide on the conditions of the “pastiche”-exception (Art. 5 (3) (k) Directive 2001/29/EC (C-590/23).On 16.04.2026, the CJEU will decide whether a general ban on specific types of online gambling violates the freedom to provide services under Art. 56 TFEU (C-440/23). On the same day, GA Norkus will publish the opinion on whether data processing during complaints under Art. 77 GDPR may give rise to information claims against supervisory authorities under Art. 15 GDPR (C-205/25). On 23.04.2026, the German Federal Court of Justice will hear a case on whether a modular furniture systems is copyright-protected (I ZR 92/22). On the same day, the Federal Court of Justice will (again) hear a case on whether a publication on a former Federal Chancellor (Helmut Kohl) violates post-mortem personality rights and/or contractual duties of care (I ZR 41/24).

European Parliament – Resolution on copyright and generative AI

The EP seeks to apply EU copyright law requirements to AI systems available in the EU. In addition, the EP proposes remuneration claims for rightholders while opposing mandatory global licenses and lump sum payments. The EUIPO would administer reserved rights under Art. 4 DSM Directive. The EP also proposes a statutory presumption that protected works have been used to develop AI systems where operators fail to comply with transparency obligations which can also lead to an obligation to pay court fees (Resolution of 10.03.2026).

European Council – Proposal to amend the AI-Act

The proposal responds to EUCOM’s Digital Omnibus VII (draft of 20.11.2025). The requirements for “high-risk AI systems” under Art. 6 AI Act would only enter into force on 02.12.2027 (standalone systems) and 02.08.2028 (embedded systems) respectively. The Council proposes to qualify the placing on the market of AI systems generating pornographic content as a “prohibited practice” under Art. 5 AI Act. The AI Office should be granted the same powers as market surveillance authorities under Regulation (EU) 2019/1020 (draft of 13.03.2026).

CJEU –Refusal of broadcasting license violates EU law

The Hungarian Media Council refused to extend and renew a private radio station’s broadcasting license. Both the Media Council’s decisions and the Hungarian legal framework violate EU law, namely Directives 2002/20/EC; 2002/21/EC; 2002/77/EC; (EU) 2018/1972) as well as the principle of good administration and the freedom of expression and information. Minor and formal violations of the law or mistakes during the application process do not justify interfering with the rights guaranteed by Art. 11 CFR (C-92/23).

CJEU – Scientific editions may be protected by copyright

The scientific edition of a historic work reproduced the original text with comments and a “critical apparatus”. These editions meet the criteria of protected works under Art. 2 (a) InfoSoc-Directive (2001/29/EC) if the value they add to the original text “can be identified with sufficient precision and objectivity” (C-649/23).

CJEU – Initial information request may be considered “excessive” under the GDPR

Non-compliance with an information request under Art. 15 GDPR may result in a liability for damages under Art. 82 GDPR. The data subject must prove having suffered non-material damage (e.g.: loss of control over his / her data) and “that his or her conduct was not the determining cause of that damage.” However, even initial information requests can be considered “excessive” under Art. 12 (5) sentence 2 GDPR. The controller must demonstrate the data subject’s “abusive intention”. To that end, the controller may, inter alia, rely on “publicly available information” (C-526/24).

CJEU-AG – Collective management organizations may sponsor third parties

A collective management organization (CMO) allocated revenue to research projects carried-out by non-rightholders. According to AG Szpunar, Member States may allow CMOs to sponsor third parties under Art. 12(2) and (4) Directive 2014/26/EU if the sponsorship – at least indirectly – also benefits rightholders (affirmed here; C-840/24).

CJEU-AG – Streaming qualifies as a “digital service”

According to AG Szpunar, streaming services do not provide “digital content” under Art. 2 (11) Directive 2011/83/EU. Providing such content instead qualifies as a “digital service” under Art. 2(2) Directive (EU) 2019/770. As a result, streaming services are obligated to grant consumers a 14-day withdrawal period. The exception for “digital content” under Art. 16 (m) Directive 2011/83/EU does not apply (C-234/25).

CJEU-AG – Provider of online lotteries may be subject to distributor obligations

According to AG Ćapeta, the provider of an online lottery qualifies as the “dealer” (Art. 2 (13) Regulation (EU) 2017/1369) of a television offered as a prize. Pursuant to Art. 6 (1) (a) Regulation (EU) 2017/1369 in conjunction with Art. 4 (d) Delegated Regulation 2019/2013, the provider is therefore required to, inter alia, provide information on the energy efficiency class of the product (C-120/25).

CJEU-AG – Provider of a social media network must comply with EUCOM’s information request

The provider contested two EGC judgments (T‑451/20 and T‑452/20). The EGC had upheld the provider’s obligation to comply with an information request issued by EUCOM under Art. 18(1) Regulation (EC) 1/2003. According to GA Rantos, the CJEU should dismiss the appeals because: “it is for the Commission […] to decide, in the light of the available evidence, how to obtain information which is useful to its investigation” (C-496/23 P and C-497/23 P).

CJEU-AG – Licensing requirement for providers of online sports betting generally compatible with freedom to provide services

Such provider did not obtain a license required under German law (Sec. 4 (4) et seq. GlüStV 2012). According to GA Emiliou, courts may „draw the consequences provided for […]under the applicable civil law” (here: Sections 134 and 823 (2) German Civil Code). This applies even where the licensing procedure is incompatible with Art. 56 TFEU. Conversely, courts must also consider whether the responsible authorities had assured the provider it “could offer its services on the national market without a license” (C-530/24).

CJEU-AG – Authorization for the use of telecommunication technology may be subject to national security clearance

An Estonian authority denied a telecommunication provider authorization to use hard- and software from Chinese manufacturers. According to AG Ćapeta, authorities may restrict the „freedom to provide electronic communications networks and services” (Art. 12 (1) Directive (EU) 2018/1972) by requiring providers to assess whether the hard- and software poses a specific threat to national security. The Estonian legal framework applies despite Estonia having failed to notify EUCOM under Art. 12 (1) Sentence 3 Directive (EU) 2018/1972 (C-354/24).

CJEU-AG – OCSSPs (also) carry out reproductions

According to AG Emiliou, the communication to the public carried out by Online Content-Sharing Service Providers (OCSSPs; Art. 17 (1) DSMD ((EU) 2019/790) necessarily involves the creation of digital copies. This constitutes a reproduction (Art. 2 Info-Soc Directive (2001/29/EG)) requiring authorization from the rightholder. The exception for temporary reproductions (Art. 5(1) InfoSoc Directive) does not apply. However, the authorization granted for the communication to the public extends to such reproductions (C-579/24).

Federal Ministry of the Interior – Draft bill on cybersecurity introduces cooperation obligations for service providers

Amendments to the German BPolG, the German BKAG, and the German BSIG would, inter alia, require service providers (Art. 1 (1) (b) Directive (EU) 2015/1535; Section 1 (4) No. 5 DDG) to pass on threat notifications issued by the Federal Office for Information Security to their users. The Federal Criminal Police Office (BKA) and the Federal Police would be granted new powers, including the authority to prohibit the operation of affected IT systems; to collect, delete, or modify data in such systems; and to redirect or block data traffic. Service providers must comply with authorities, provide information, and may be subject to non-disclosure obligations. Noncompliance would be sanctioned with fines up to EUR 20 million (draft of 24.02.2026).

Federal Court of Justice – Foreign state cannot claim injunctive relief against suspicious press reports

The Kingdom of Morocco contested German press reports containing suspicions (specifically: allegations of espionage). A foreign states’ reputation does not constitute a protected right under German tort law (Section 823 (1) German Civil Code). Moreover, foreign states are not protected by criminal defamation offences (Sections 185 et seq. German Criminal Code) or the protection of Section 194 (3) sentence 2 German Criminal Code (VI ZR 415/23 und VI ZR 416/23).

Federal Administrative Court – Private insurance companies require consent when processing health data for preventive health programs

A private insurance company used diagnostic data from invoices to recommend preventive health programs to clients. Such data processing is necessary for purposes of preventive healthcare under Art. 9 (2) (h) GDPR but not justified under Art. 6 (1) (f) GDPR: the protection of sensitive information by data subjects outweighs the insurance company’s commercial interests. The court does not consider the programs “essential health care” and criticizes the “indiscriminate scope” of data processing (press release of 06.03.2026; 6 C 7.24, not yet published).

Federal Administrative Court – Federal Intelligence Agency not required to grant Federal Data Protection Commissioner access to extraterritorial intelligence operations

A corresponding obligation is established by Section 63 German BNDG in conjunction with Section 28 (3) sentence 2 No. 1 German BVerfSchG. However, the Federal Commissioner for Data Protection and Freedom of Information cannot enforce this obligation before administrative courts. The Commissioner is limited to raining an appeal with the Federal Chancellery (press release of 04.04.2026; 6 A 2.24, not yet published).

Higher Regional Court of Cologne – Embedding of ARD media library content constitutes unfair competition

A private streaming platform embedded links to content from the ARD media library (Mediathek) alongside its own offerings. No corresponding agreement with ARD was in place. Embedding ARD’s content therefore constitutes an unfair commercial practice and violates the State Media Treaty (MStV; press release of 27.02.2026; 6 U 75/25, not yet published).

Administrative Court of Neustadt an der Weinstraße – Blocking orders against Cypriot websites violate EU law

A German access provider challenged orders issued by a State Media Authority (Landesmedienanstalt, LMA) under the Interstate Treaty on the Protection of Minors in the Media (JMStV). Because of the DSA’s fully harmonizing effect in this area, the national legal basis does not apply even in light of the AVMSD (2010/13/EU). Moreover, the LMA’s order would violate the country-of-origin principle under Art. 3 (1) and (2) Directive 2000/31/EC. The requirements of – the applicable – Art. 51(3) and 28 DSA are not met (5 K 475/24.NW; 5 K 476/24.NW; 5 K 1203/24.NW; 5 K 1204/04.NW).

Regional Court of Berlin – Social media platform operator not required to delete data transmitted by messenger service

A messenger service transmitted personal data of its (German) users as well as third parties to the operator. Such processing is unlawful where the consent obtained is structured as set out in the messenger’s terms of use and privacy policy (dating from 2016). The incorporation of this privacy policy into user agreements is invalid. However, the messenger service is not required to cause the social media operator to delete the data already transmitted (press release of 23.02.2026; 52 O 22/17, not yet published).

Regional Court of Cologne – Social media platform operator required to block parody accounts

The account had published political content under the name of a comedian. By refusing to block the account, the platform’s operator violated the comedian’s general right of personality (Art. 2 (1) in conjunction with Art. 1 (1) Basic Law) as well as the right to one's name (Section 12 German Civil Code). The parodic character of accounts sharing political content must be “unambiguously recognizable” to all users (28 O 30/26).

Administrative Court of Luxembourg – No GDPR fine without examination of culpability and necessity

The Luxembourg data protection authority imposed a fine of EUR 746 million on an e-commerce provider for alleged GDPR violations. However, a fine under the GDPR (likely: Art. 83 (2) GDPR) requires authorities to establish culpability and examine the sanction’s necessity (CJEU, decisions of 05.12.2023, C-807/21 and C-683/21). The authority’s decision failed to do so. It must now reassess the sanction (press release of 13.03.2026; 52757C).