Luxembourg is one of the smallest member states by size in the EU, yet it hosts one its most influential institutions: the Court of Justice of the European Union. This week was a good illustration, with more to come.

The first piece of news that got our attention is that Germany again put forward Thomas von Danwitz to remain the German judge sitting on the court since 2006. The extension of his four-year term is expected to get the formal validation from the Council of the European Union in the coming weeks. Von Danwitz's track-record spans various areas of European law but he is best known to privacy professionals as the judge-rapporteur in both "Schrems" cases to date, which saw the invalidation of both the EU-U.S. Safe Harbor and the EU-U.S. Privacy Shield. That is to say his views on the use of EU General Data Protection Regulation Article 49 derogations, government access and national security practices and exemptions have largely crafted today's data transfers landscape.

Separately, the Luxembourg court issued several interesting rulings this week. The first addresses the threshold regulators must meet to impose an administrative fine. Lo and behold, the court found a data controller may not have an administrative fine imposed on it for an infringement of the GDPR "unless that infringement was committed wrongfully, that is to say, intentionally or negligently." The ruling also confirms "a controller may also have a fine imposed on it in respect of operations performed by a processor, to the extent that the controller may be held responsible for such operations.”

In a second ruling two days later, the court determined the GDPR "opposes two data processing practices by credit information agencies. While 'scoring' is permitted only under certain conditions, the prolonged retention of information relating to the granting of a discharge from remaining debts is contrary to the GDPR."

Elsewhere:

• The European Data Protection Board published its urgent binding decision on an enforcement action by Norway's data protection authority, Datatilsynet, against Meta for alleged illegal use of targeted advertising.
• As I write this column, there is no white smoke yet on the Artificial Intelligence Act. Co-legislators gathered this week for what was hoped by some to be the final trilogue on the heavily-debated text. As of Thursday afternoon, co-legislators have pulled an all-nighter, reaching a provisional agreement on foundation models and governance elements such as fundamental rights impact assessments. Many thorny issues still need to be discussed on Friday, most significantly on prohibitions, law enforcement and national security provisions. Keep an eye out for IAPP reporting on the news.
• The council and Parliament late last week reached a provisional political agreement on the proposal aimed at raising cybersecurity requirements of digital products placed on the EU market. Once into force, the Cyber Resilience Act will introduce EU-wide cybersecurity requirements for the design, development, production and market availability of hardware and software products.
• Parliament's Committee on Industry, Research and Energy voted to adopt the provisional agreement resulting from interinstitutional negotiations on the European Digital Identity proposal. The EU Council is hoping to start negotiations with Parliament and hold the first trilogue meeting before the end of the year. The European Parliament is convening an internal meeting next Monday to discuss the file. 
• The IAPP recently released two highly-recommended reports for your reading pleasure: the IAPP-EY Privacy Governance Report 2023 shines a light on the location, performance and significance of privacy governance within organizations. The IAPP-EY Professionalizing Organizational AI Governance Report reflects more specifically on practices and trends in organizational AI governance.