— Edition 1.247 52 verified trackers
ES EN
Politics · Technology · Digital regulation  ·  where data speaks before headlines
Snapshot data
AML/OFAC enforcement against banks and fintech — 418 penalties documented 418 AML/OFAC penalties documented across 177 countries and 379 regula… Corporate bankruptcy and insolvency (Chapter 11) — 4 major corporate bankrup… Corporate bankruptcies hit decade highs: over 717 in the year per S&P… High-impact litigation risk index — 4 high-impact litigations… The risk index (0-100) aggregates five objective factors —procedural … Merger control: multi-jurisdiction competition … — 9 decisions and jurisdict… Merger control diverges by jurisdiction in 2026: the Trump administra… PEPs and sanctions networks · Ibero-American graph — 40 PEP/company nodes with … Ibero-American PEP→company→sanction graph (core: Mapa del Poder, 424 … Sovereign debt distress and restructurings — 5 distress/restructuring … The IMF's 6th Global Sovereign Debt Roundtable report (April 15, 2026… Forced labor in supply chains: entity lists — 4 forced-labor exposure i… Upstream exposure intelligence densifies: the UFLPA Entity List reach… EU AI Act — designation of national authorities — 3/10/14 / 27 Member States Tracker's first event: 3 states with both authorities / 10 partial / … AI Act · Notified bodies for conformity assessment — 1 body with AI-specific a… Ecosystem 'not ready' as of Mar-2026 (standards unpublished, insuffic… Scandal → conviction gap — — milestones logged +1 mirror case: Uribe — 7 years to convict, 8 weeks to reverse, open-… Technology ↔ regulation gap — 26 regulatory milestones +1: Peru closes the generative-AI gap in ~3 years (DS 115-2025-PCM), … CNMC Spain · the Digital Services Coordinator g… — 6 documented milestones The gap becomes chronic: Congress struck down the CNMC's legal empowe… Corporate data breaches: from incident to response — 11 breaches documented +1: Canvas/Instructure, the largest known education breach (≈275M rec… Migration friction in corporate and event mobility — 3 incidents and policies … The 2026 World Cup works as a live stress test: 39 countries under fu… Power and corruption in the courts in Ibero-Ame… — 29 documented cases Jun-2026 review: Uribe updated — first-instance conviction overturned… Crypto · Licenses and authorizations by jurisdi… — 40+ CASPs with full MiCA au… July 1, 2026 cliff: the transitional regime expires (ESMA, Apr 17) wi… Data breaches · Class-action settlements — 5 settlements and mass ca… 271 million dollars across four settlements approved or with deadline… Digital regulatory risk index by country — 16 countries profiled Jun-2026 review: Brazil updated on two layers (EU adequacy Jan 26, 20… Digital services taxes (DST) by country — 3 tax-map milestones docu… About half of European OECD countries have a DST announced, proposed … Global election risk 2026: democracy and digita… — 32 elections profiled 32 electoral processes of 2026 profiled by political regime and digit… ESG · Greenwashing enforcement — 3 enforcement milestones … The legal floor arrives Sep 27, 2026 (ECGT across the 27; transpositi… EU · Digital & sustainability regulatory deadli… — 6 calendar milestones doc… Next critical deadlines: Jun 23, 2026 closes the high-risk classifica… Export controls · Entity List and advanced chips — 6 regime milestones docum… The 2026 shift: licensing for H200/MI325X and equivalents to China mo… GDPR · International transfers and adequacy dec… — 6 framework milestones do… The EU-US DPF remains in force after surviving its first judicial cha… LATAM · AI bills in legislative process — 150+ bills identified 150+ count re-verified; milestones: Peru only country with a regulate… LATAM · Judicial and regulatory sanctions on pl… — $5,2M USD · fine on X Corp. i… Paradigm shift: the STF declared Art. 19 of the Marco Civil partially… Digital political ad spending 2026 — 6 country-platform observ… AdImpact's revised projection (Jun 11): $11.6bn for the 2026 cycle — … Shadow fleet · Sanctioned vessels and enablers — 632 vessels designated by t… +46 vessels in the 20th package (Reg. 2026/506/509/511) to 632; Art. … Whistleblower awards · SEC, CFTC and equivalent… — 3 program milestones docu… The SEC awarded over $60M to 48 whistleblowers in fiscal year 2025 (2… AI Act · Sanctions regime and its actual enforc… — 0 documented AI Act fines… 0 AI Act penalties issued to date: enforcement of high-risk obligatio… Beneficial ownership transparency (UBO / CTA / … — 4 transparency milestones 4 beneficial-ownership transparency milestones documented; the EU req… Crypto industry: collapses, sanctions and convi… — 13 documented cases 13 cases of collapses, sanctions and convictions in the crypto sector… AI harms in court — litigation, rulings and set… — 103 documented cases 103 AI-related harm and rights lawsuits documented; 2026 milestones: … DMA · designated gatekeepers and real compliance — 9 documented DMA acts 9 DMA compliance actions documented against gatekeepers; 2026 develop… Documented electoral disinformation 2026 — 7 documented campaigns 7 electoral disinformation campaigns or patterns documented with open… GDPR · which national authority really sanctions — 11 authorities profiled 11 GDPR enforcement country profiles and milestones documented; 2026 … LATAM · Internet shutdowns and platform blocks — 8 documented events · 202… 8 internet shutdown and blocking episodes documented in Latin America… Operational resilience & cyber (DORA / NIS2 / SEC) — 4 regulatory milestones 4 operational-resilience milestones documented; 2026 is the first rea… Digital fines actually imposed — 61 sanctions recorded 61 high-value penalties across 18 jurisdictions and 6 continents; cov… Commercial spyware: documented cases worldwide — 23 documented cases 23 spyware and surveillance cases documented across the Ibero-America… Trade compliance & forced labor (UFLPA) — 4 actions documented 4 trade-compliance actions on forced labor documented; under UFLPA ar… US · the state AI regulation patchwork — 10 laws and milestones 10 state AI laws or milestones documented in the U.S.; 2026 developme… Electoral digital integrity 2026 — 13 elections profiled 13 elections profiled by digital integrity; 5 with transparent politi… Climate: the gap between pledge and action — 12 countries assessed 12 countries assessed by the Climate Action Tracker: 10 with insuffic… Content moderation: appeals and reversals — 19 documented decisions 19 appealed and reviewed moderation decisions, with their policy, ori… Public AI spending — global government contracts — 50 documented contracts 50 public AI contracts across 15 jurisdictions on 5 continents (45 wi… Campaign promises → fulfillment — 29 term evaluations 29 terms evaluated across 25 countries on five continents EU · Consolidated DSA enforcement decisions — €120M first DSA fine · X · 5 … 5 Member States referred to CJEU for insufficient DSC implementation LATAM · Digital spending in 2026 electoral camp… — $14.794M COP · highest declared … Only 8 of 13 campaigns had reported in Cuentas Claras by mid-May Ibero-America · documented public contracts wit… — 3 contracts verified with… DC registry kickoff · ongoing monthly manual sweep RSF · Press freedom in Latin America — 144 Peru's rank (the region… AR -11 · PE -14 · SV -8 · EC -31 · USA -7 AML/OFAC enforcement against banks and fintech — 418 penalties documented 418 AML/OFAC penalties documented across 177 countries and 379 regula… Corporate bankruptcy and insolvency (Chapter 11) — 4 major corporate bankrup… Corporate bankruptcies hit decade highs: over 717 in the year per S&P… High-impact litigation risk index — 4 high-impact litigations… The risk index (0-100) aggregates five objective factors —procedural … Merger control: multi-jurisdiction competition … — 9 decisions and jurisdict… Merger control diverges by jurisdiction in 2026: the Trump administra… PEPs and sanctions networks · Ibero-American graph — 40 PEP/company nodes with … Ibero-American PEP→company→sanction graph (core: Mapa del Poder, 424 … Sovereign debt distress and restructurings — 5 distress/restructuring … The IMF's 6th Global Sovereign Debt Roundtable report (April 15, 2026… Forced labor in supply chains: entity lists — 4 forced-labor exposure i… Upstream exposure intelligence densifies: the UFLPA Entity List reach… EU AI Act — designation of national authorities — 3/10/14 / 27 Member States Tracker's first event: 3 states with both authorities / 10 partial / … AI Act · Notified bodies for conformity assessment — 1 body with AI-specific a… Ecosystem 'not ready' as of Mar-2026 (standards unpublished, insuffic… Scandal → conviction gap — — milestones logged +1 mirror case: Uribe — 7 years to convict, 8 weeks to reverse, open-… Technology ↔ regulation gap — 26 regulatory milestones +1: Peru closes the generative-AI gap in ~3 years (DS 115-2025-PCM), … CNMC Spain · the Digital Services Coordinator g… — 6 documented milestones The gap becomes chronic: Congress struck down the CNMC's legal empowe… Corporate data breaches: from incident to response — 11 breaches documented +1: Canvas/Instructure, the largest known education breach (≈275M rec… Migration friction in corporate and event mobility — 3 incidents and policies … The 2026 World Cup works as a live stress test: 39 countries under fu… Power and corruption in the courts in Ibero-Ame… — 29 documented cases Jun-2026 review: Uribe updated — first-instance conviction overturned… Crypto · Licenses and authorizations by jurisdi… — 40+ CASPs with full MiCA au… July 1, 2026 cliff: the transitional regime expires (ESMA, Apr 17) wi… Data breaches · Class-action settlements — 5 settlements and mass ca… 271 million dollars across four settlements approved or with deadline… Digital regulatory risk index by country — 16 countries profiled Jun-2026 review: Brazil updated on two layers (EU adequacy Jan 26, 20… Digital services taxes (DST) by country — 3 tax-map milestones docu… About half of European OECD countries have a DST announced, proposed … Global election risk 2026: democracy and digita… — 32 elections profiled 32 electoral processes of 2026 profiled by political regime and digit… ESG · Greenwashing enforcement — 3 enforcement milestones … The legal floor arrives Sep 27, 2026 (ECGT across the 27; transpositi… EU · Digital & sustainability regulatory deadli… — 6 calendar milestones doc… Next critical deadlines: Jun 23, 2026 closes the high-risk classifica… Export controls · Entity List and advanced chips — 6 regime milestones docum… The 2026 shift: licensing for H200/MI325X and equivalents to China mo… GDPR · International transfers and adequacy dec… — 6 framework milestones do… The EU-US DPF remains in force after surviving its first judicial cha… LATAM · AI bills in legislative process — 150+ bills identified 150+ count re-verified; milestones: Peru only country with a regulate… LATAM · Judicial and regulatory sanctions on pl… — $5,2M USD · fine on X Corp. i… Paradigm shift: the STF declared Art. 19 of the Marco Civil partially… Digital political ad spending 2026 — 6 country-platform observ… AdImpact's revised projection (Jun 11): $11.6bn for the 2026 cycle — … Shadow fleet · Sanctioned vessels and enablers — 632 vessels designated by t… +46 vessels in the 20th package (Reg. 2026/506/509/511) to 632; Art. … Whistleblower awards · SEC, CFTC and equivalent… — 3 program milestones docu… The SEC awarded over $60M to 48 whistleblowers in fiscal year 2025 (2… AI Act · Sanctions regime and its actual enforc… — 0 documented AI Act fines… 0 AI Act penalties issued to date: enforcement of high-risk obligatio… Beneficial ownership transparency (UBO / CTA / … — 4 transparency milestones 4 beneficial-ownership transparency milestones documented; the EU req… Crypto industry: collapses, sanctions and convi… — 13 documented cases 13 cases of collapses, sanctions and convictions in the crypto sector… AI harms in court — litigation, rulings and set… — 103 documented cases 103 AI-related harm and rights lawsuits documented; 2026 milestones: … DMA · designated gatekeepers and real compliance — 9 documented DMA acts 9 DMA compliance actions documented against gatekeepers; 2026 develop… Documented electoral disinformation 2026 — 7 documented campaigns 7 electoral disinformation campaigns or patterns documented with open… GDPR · which national authority really sanctions — 11 authorities profiled 11 GDPR enforcement country profiles and milestones documented; 2026 … LATAM · Internet shutdowns and platform blocks — 8 documented events · 202… 8 internet shutdown and blocking episodes documented in Latin America… Operational resilience & cyber (DORA / NIS2 / SEC) — 4 regulatory milestones 4 operational-resilience milestones documented; 2026 is the first rea… Digital fines actually imposed — 61 sanctions recorded 61 high-value penalties across 18 jurisdictions and 6 continents; cov… Commercial spyware: documented cases worldwide — 23 documented cases 23 spyware and surveillance cases documented across the Ibero-America… Trade compliance & forced labor (UFLPA) — 4 actions documented 4 trade-compliance actions on forced labor documented; under UFLPA ar… US · the state AI regulation patchwork — 10 laws and milestones 10 state AI laws or milestones documented in the U.S.; 2026 developme… Electoral digital integrity 2026 — 13 elections profiled 13 elections profiled by digital integrity; 5 with transparent politi… Climate: the gap between pledge and action — 12 countries assessed 12 countries assessed by the Climate Action Tracker: 10 with insuffic… Content moderation: appeals and reversals — 19 documented decisions 19 appealed and reviewed moderation decisions, with their policy, ori… Public AI spending — global government contracts — 50 documented contracts 50 public AI contracts across 15 jurisdictions on 5 continents (45 wi… Campaign promises → fulfillment — 29 term evaluations 29 terms evaluated across 25 countries on five continents EU · Consolidated DSA enforcement decisions — €120M first DSA fine · X · 5 … 5 Member States referred to CJEU for insufficient DSC implementation LATAM · Digital spending in 2026 electoral camp… — $14.794M COP · highest declared … Only 8 of 13 campaigns had reported in Cuentas Claras by mid-May Ibero-America · documented public contracts wit… — 3 contracts verified with… DC registry kickoff · ongoing monthly manual sweep RSF · Press freedom in Latin America — 144 Peru's rank (the region… AR -11 · PE -14 · SV -8 · EC -31 · USA -7
/ trackers / gdpr-data-transfers-adequacy
Compliance · Privacy & data flows

GDPR · International transfers and adequacy decisions

Tracks the legality framework for international personal-data transfers from the EU: Article 45 adequacy decisions (adoptions, reviews and revocations), the EU-US Data Privacy Framework and its litigation (the Schrems saga, the Latombe case), Standard Contractual Clauses and Binding Corporate Rules as fallback mechanisms, and the U.S. factors conditioning the whole (PCLOB, FISA 702). Each entry documents the instrument, the court or authority, the effect on companies and the status. Deliberate boundary: fines for unlawful transfers —like Meta's 1.2 billion— live in 'sanciones-multas-digitales' and per-authority enforcement in 'gdpr-enforcement-by-country'; this tracker covers the question prior to any fine: on what legal basis can the data travel, and how firm is that basis today?

Snapshot · June 12, 2026
6
framework milestones documented
→ The EU-US DPF remains in force after surviving its first judicial challenge (Latombe, General Court, Sep 3, 2025), but appeal C-703/25 P is pending before the CJEU —the court that already struck down Safe Harbor and Privacy Shield—, the PCLOB is in legal limbo and FISA 702 runs on a short-term extension; the cross-cutting operational recommendation: keep SCCs as backup; Brazil is the most recent adequacy, adopted Jan 26, 2026 — the first major Latin American market with free data flow from the EU

Evolution

Documented events (6)

June 12, 2026 US confirmed

Status as of June 2026: the PCLOB in legal limbo and FISA 702 on a short-term extension — the DPF's two American pillars, under strain

The framework remains valid law, but its two American supports are under documented strain: the PCLOB —the oversight body reviewing the DPF's intelligence safeguards and consulted before DPRC judges' appointments— sits in legal limbo, and the European Commission has stated that restoring its full operational capacity is important for the framework's continued functioning; FISA Section 702, the legal basis for foreign surveillance, runs on a short-term extension while Congress debates renewal. The EDPB's first review acknowledged improvements but asked for more transparency on how the DPRC handles complaints and clarification on how agencies apply the proportionality standard. The Latombe ruling turned the Commission's continuous monitoring into the framework's legal safeguard — meaning the deterioration of these pieces is not just American politics: it is matter on which the adequacy's suspension can depend.

October 31, 2025 EU confirmed

Latombe appeals to the CJEU (C-703/25 P): the DPF before the court that already demolished two frameworks

In October 2025, Latombe took the case up to the Court of Justice as Case C-703/25 P, now pending: the DPF stands before the same court that invalidated Safe Harbor and the Privacy Shield, and analysts agree an invalidation 'remains a distinct possibility'. The risk has grown costlier: the General Court's Bindl v. Commission doctrine opens the way to damages for unlawful transfers, so a third demolition would cost more than the previous two. NOYB, Max Schrems's organization, monitors the case and weighs a broader challenge of its own. The operative consequence, repeated by every law firm: anyone relying solely on the DPF should keep Standard Contractual Clauses as backup, because this bridge's history is the history of its collapses.

September 3, 2025 EU confirmed

The General Court dismisses Latombe: the DPF survives its first trial under the essential-equivalence doctrine

On September 3, 2025, the General Court dismissed action T-553/23 and confirmed that the United States ensures an adequate level of protection: it found the DPRC sufficiently independent and impartial —its final, binding decisions satisfying Schrems II's essential-equivalence standard—, that U.S. law adequately limits bulk collection, and that GDPR-like sectoral protections exist in credit, employment, housing and insurance for automated decisions. Two principles of the ruling govern the future: adequacy requires not identical but substantially equivalent protection through potentially different means (para. 178), and the Commission continuously monitors the framework with the power to suspend, amend or repeal it if protection ceases to be ensured. It is the first measured judicial assessment that current safeguards suffice — after two failed attempts.

July 10, 2023 EU confirmed

Third attempt: the Commission adopts the EU-US Data Privacy Framework adequacy, challenged within two months

On July 10, 2023, the European Commission adopted the EU-US Data Privacy Framework adequacy decision under GDPR Article 45: self-certified U.S. organizations may receive EU personal data without additional safeguards, with the new Data Protection Review Court (DPRC) as the redress mechanism —the piece whose absence killed the Privacy Shield—. The challenge came almost immediately: on September 6, 2023, Philippe Latombe —a French MP and CNIL commissioner, acting in a personal capacity— filed annulment action T-553/23 before the General Court, the framework's first direct judicial challenge, alleging the DPRC's lack of independence and the disproportionality of bulk intelligence collection.

July 16, 2020 EU confirmed

Schrems II strikes down the Privacy Shield: the second demolition defining the data bridge's structural fragility

On July 16, 2020, the CJEU invalidated the Privacy Shield (Schrems II), five years after striking down Safe Harbor (Schrems I, Case C-362/14, October 2015, in the wake of Snowden's mass-surveillance revelations): in both cases, the court found the U.S. Government's potential 'bulk' surveillance of transferred European data incompatible with EU law, and in Schrems II the decisive piece was the lack of an appropriate judicial redress mechanism. The double invalidation set the pattern governing everything since: transatlantic transfer frameworks are born under suspicion of judicial death, and companies learned never to depend on a single mechanism. It is the precedent against which every adequacy decision has been measured since.

January 26, 2026 BR confirmed

Brazil obtains EU adequacy: the first major Latin American market with free data flow

On January 26, 2026, the European Commission adopted the final adequacy decision for Brazil, following the draft published in September 2025 and a multi-year assessment: personal data may flow from the EU to Brazil without additional safeguards. The foundation is a decade of regulatory convergence: the LGPD mirrors the GDPR's structure and principles —lawful bases, data-subject rights, breach notification, data protection officers— and the ANPD, as an independent supervisory authority, issued the international-transfer and incident-notification regulations that completed the alignment. For Latin America it is the major precedent: adequacy stops being a Euro-Asian club (Japan, the UK, South Korea, with Uruguay and Argentina as regional antecedents) and demonstrates the route Chile, Colombia or Mexico can follow — with free data flow as a measurable competitive advantage for Brazil's tech and services industry.

Methodology

Type
event-log
Construction
Multi-source verified
Cadence
event-driven

Sources consulted

  1. Comisión Europea — Decisiones de adecuación (Art. 45 GDPR) ↗ official
  2. CURIA — Tribunal de Justicia de la UE (asuntos T-553/23 y C-703/25 P) ↗ official
  3. Recording Law — EU-US Data Privacy Framework: complete guide 2026 ↗ press
  4. Berkeley Technology Law Journal — The fate of the EU-US DPF ↗ press

Related pieces