Gibson Dunn | Europe | Data Protection – April 2025
Client Alert | May 12, 2025
Europe
04/28/2025
CJEU | Fact Sheet | Case Law on Personal Data Protection
The Court of Justice of the European Union (“CJEU”) has updated its “case law fact sheet” on personal data protection, which compiles its key rulings in the field.
For further information: CJEU Website
04/23/2025
European Data Protection Board | 2024 Annual Report
The European Data Protection Board (“EDPB”) has published its annual report for 2024.
The report provides an overview of the EDPB’s work in 2024 and highlights key achievements such as the adoption of the 2024-2027 strategy and an increase in the number of consistency opinions under Article 64(2) GDPR (e.g., on “Consent or Pay” models and the use of personal data to train AI models). The report also emphasizes the EDPB’s contribution to cross-regulatory cooperation for new pieces of legislation such as the Digital Services Act (DSA) and the AI Act.
For further information: EDPB Website
04/14/2025
European Data Protection Board | Guidelines | Personal data and blockchain
The European Data Protection Board (“EDPB”) has published Guidelines 02/2025 on processing of personal data through blockchain technologies, open to public consultation until 9 June 2025.
The guidelines describe blockchain technologies and provide a framework for organizations considering their use. They outline key GDPR considerations for processing activities (e.g., data retention periods, data subjects’ rights), and clarify the responsibilities of the different actors involved in blockchain-related processing.
For more information: EDPB Website
04/11/2025
European Commission | Public Consultation | EU Cybersecurity Act
The European Commission has opened a public consultation on the evaluation and revision of the 2019 EU Cybersecurity Act.
The EU Commission is seeking stakeholders’ feedback on key areas for the contemplated revision, including the mandate of the European Agency for Cybersecurity (ENISA), the European Cybersecurity Framework, challenges related to ICT supply chain security, and the simplification of cybersecurity measures. The public consultation is open until 20 June 2025.
For more information: European Commission Website
04/10/2025
European Commission | Guidelines | Generative AI in Research
The European Commission has updated its Living Guidelines on the responsible use of generative AI in research.
The guidelines provide recommendations for researchers and organizations to ensure they promote and support responsible use of generative AI in their research activities. They are regularly updated to reflect the technological developments in the field.
For more information: European Commission Website, Guidelines
04/10/2025
European Data Protection Board | Report | Large Language Models
The European Data Protection Board (“EDPB”) has published a report on AI privacy risks and mitigations for Large Language Models (“LLMs”).
The report provides a risk management methodology to help developers and users of LLMs identify, assess and mitigate privacy risks in the development and use of LLM systems. As such, it complements the Data Protection Impact Assessment process (Art. 35 GDPR) and supports requirements regarding data protection by design and by default (Art. 25 GDPR) and security of personal data (Art. 32 GDPR).
For more information: EDPB Website
04/02/2025
European Commission | Report | B2B Data Sharing & EU Data Act
The European Commission’s Expert Group has issued its final report on B2B data sharing and cloud computing contracts under the EU Data Act.
The report contains model contractual terms (MCTs) covering different data sharing scenarios (e.g., data holder to user, user to data recipient), as well as standard contractual clauses (SCCs) for cloud computing contracts.
For more information: European Commission Website
03/27/2025
European Commission | DORA Directive | Infringement Procedures
The European Commission has launched infringement procedures against 13 Member States (including France, Spain, and Belgium) for failing to fully transpose the Digital Operational Resilience Act (“DORA”) Directive within the given deadline (17 January 2025).
The Member States have two months to complete their transposition and notify the adopted measures to the Commission.
For more information: European Commission Website
France
04/29/2025
French Supervisory Authority | Annual Report | Enforcement
The French Supervisory Authority (“CNIL”) has released its 2024 annual report, recording 17,772 complaints, 87 sanctions, and over €55 million in fines.
The CNIL has stepped up enforcement efforts with 331 corrective actions and observed an increase in the use of simplified procedures. It has also strengthened its response to growing cybersecurity threats and expanded its oversight on AI and digital innovation.
For more information: CNIL Website [FR]
04/24/2025
French Supervisory Authority | Public Consultation | Multi-terminal Consent
The French Supervisory Authority (“CNIL”) has launched a public consultation for its draft recommendation on multi-terminal consent across various devices.
The draft recommendation concerns stakeholders that intend to collect multi-terminal consent when users are authenticated on an account. It offers concrete recommendations on how to validly collect multi-terminal consent. The public consultation will end on 5 June 2025.
For more information: CNIL Website [FR]
04/23/2025
French Supervisory Authority | Publication | Data Breach
The French Supervisory Authority (“CNIL”) has published a fictional data breach use case to help professionals better understand and prevent risks related to unauthorized access to data handled by processors.
The use case outlines a typical data breach based on a real-life incident that was reported to the CNIL.
For more information: CNIL Website [FR]
04/14/2025
French Supervisory Authority | 2025-2028 European and International Strategy
The French Supervisory Authority (“CNIL”) has released its European and international strategy for 2025-2028.
The strategy focuses on three priorities: improving European cooperation, promoting high international data protection standards while supporting innovation, and reinforcing CNIL’s global influence.
For more information: CNIL Website [FR]
04/09/2025
French Supervisory Authority | Public Consultation | Session Recording and Replay Tools
The French Supervisory Authority (“CNIL”) has launched a public consultation on browsing session recording and replay tools.
These tools, which capture detailed user interactions, raise significant privacy concerns due to their potential to collect sensitive personal data without users’ awareness. The goal of the consultation is to develop practical recommendations to help tool providers and website editors ensure GDPR compliance and better protect user privacy.
For more information: CNIL Website [FR]
04/08/2025
French Supervisory Authority | Guidelines | Mobile Applications
The French Supervisory Authority (“CNIL”) has published an updated version of its recommendations on mobile applications.
The recommendations were originally adopted in July 2024 and released in September 2024. The revised version includes corrections and clarifications in response to stakeholder feedback, and an annotated version is available to highlight the updates.
For more information: CNIL Website [FR]
04/01/2025
French Supervisory Authority | Guidelines | Multi-Factor Authentication (MFA)
The French Supervisory Authority (“CNIL”) has published a recommendation on the implementation of multi-factor authentication (“MFA”) to help online services implement privacy-compliant cybersecurity solutions.
The guidance aims to support controllers and solution providers in aligning MFA practices with the GDPR—covering legal bases, data minimization, retention periods, and the appropriate use of authentication factors such as biometrics, SMS codes, and employee devices.
For more information: CNIL Website [FR]
04/01/2025
ANSSI | Cybersecurity | Information System Security Accreditation
The French National Cybersecurity Agency (“ANSSI”) has published updated guidance on the security accreditation of information systems.
This publication details the steps and documentation required to accredit an information system, including risk assessment, security objectives, and verification processes. It aims to ensure a structured and high-assurance approach to system security within both public and private organizations. The guidance forms part of ANSSI’s broader efforts to promote cybersecurity resilience and regulatory compliance in France.
For more information: ANSSI Website [FR]
Germany
04/29/2025
Hamburg Supervisory Authority | Data Act | Guidance
The Hamburg Supervisory Authority (“HmbBfDI”) has published guidance on the new European Data Act, which will apply from 12 September 2025.
The HmbBfDI’s guidance provides an overview of the new obligations for companies under the Data Act, in particular in relation to data sharing obligations applicable to manufacturers of connected devices. The guidance also identifies the key steps companies should take to prepare for the application of the Data Act (e.g., data mapping, updating contracts, marking trade secrets). Since the Data Act applies without prejudice to the GDPR, the guidance analyses the interactions between obligations related to personal data under the GDPR and those related to personal data under the Data Act. Finally, the HmbBfDI highlights the responsibilities of supervisory authorities.
For further information: HmbBfDI Website [DE]
04/24/2025
Hamburg Supervisory Authority | Compliance Review | Third Party Services
The Hamburg Supervisory Authority (“HmbBfDI”) has reviewed 1,000 websites for data protection compliance regarding the use of third-party cookies and services and identified deficiencies in 185 of them.
The HmbBfDI found that although most of the websites reviewed met the data protection requirements, deficiencies were found for approximately 185 websites. Most violations result from the fact that certain tracking technologies are activated immediately when the page is first accessed, with the result that users are tracked before consent is obtained.
For more information: HmbBfDI Website [DE]
04/24/2025
Hamburg Supervisory Authority | Q&A | Tracking
The Hamburg Supervisory Authority (“HmbBfDI”) has published FAQs on tracking via third-party services on websites.
The HmbBfDI emphasises that tracking is only permitted with the explicit consent of the respective data subject. The authority included guidance on the design of consent banners, emphasising the need to implement a “reject all” option on the same level as an “accept all” button. The guidance highlights the importance of complying with the requirements of the ePrivacy Directive (transposed into national law) in relation to tracking, alongside the provisions of the GDPR.
For more information: HmbBfDI Website [DE]
04/10/2025
Federal Commissioner for Data Protection and Freedom of Information | Annual Report
The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has published its annual report.
The Federal Commissioner for Data Protection and Freedom of Information is responsible for monitoring data protection at federal public bodies and at companies that provide telecommunications and postal services. The report shows that most proceedings are related to information and transparency obligations.
For more information: BfDI Website [DE]
04/09/2025
New German Government | Coalition Agreement | Future of Data Protection
The new German Government, consisting of the CDU/CSU (Christian Democratic Union of Germany/Christian Social Union of Germany) and SPD (Social Democratic Party of Germany), has published its coalition agreement.
The new German government intends to liberalize data protection law at both national and EU level and work towards “data utilization”, “data sharing” and a “data economy”. It plans to bundle the data protection authorities of the individual federal states into a nationwide authority. At EU level, the coalition intends to exclude low-risk data processing activities as well as small and medium-sized enterprises from the scope of the GDPR.
For more information: SPD Website [DE]
02/20/2025
Federal Labour Court | Judgement | Right to Compensation
The Federal Labour Court (BAG) ruled in a recently published decision that a delay in providing information under Art. 15 GDPR does not by itself justify a claim for compensation.
According to the BAG, a delayed provision of information under Article 15 GDPR by a former employer does not by itself constitute non-material damage within the meaning of Article 82(1) GDPR. The BAG held that a mere delay, absent specific and substantiated fears of data misuse or an actual loss of control over personal data, does not give rise to a claim for damages. Subjective emotional responses such as worry, annoyance, or nervousness are not sufficient unless they are objectively substantiated by a real risk of data misuse.
For more information: Official Court Website [DE]
Greece
04/08/2025
Greek Supervisory Authority | Guidance | AI and GDPR
The Greek Supervisory Authority (“HDPA”) offers training sessions on AI and GDPR.
The HDPA published educational materials and provides training programs developed by external experts from the European Data Protection Board (“EDPB”). It notably offers a Data Protection Officers and Privacy Professionals Program, as well as a program for ICT Professionals. The material covers various topics such as core concepts of AI, Data Protection and Large Language Models, and Transparency.
For more information: HDPA Website [GR]
Netherlands
04/16/2025
Dutch Supervisory Authority | Survey | Algorithmic Data Processing
The Dutch Supervisory Authority (“AP”) has published survey results showing that many companies feel unprepared to manage algorithms processing personal data. Businesses often lack clarity on whether and how such algorithms are used.
The AP plans to provide guidance and practical tools, and to collect best practices, to improve responsible algorithm procurement and use. More specifically, the AP is currently developing a checklist to help businesses adequately deal with the rights of people who are subject to algorithmic decision-making.
For more information: AP Press release [NL]
United Kingdom
04/29/2025
CPPA & Information Commissioner’s Office | International Cooperation | Privacy Enforcement
The California Privacy Protection Agency (“CPPA”) and the Information Commissioner’s Office (“ICO”) signed a declaration of cooperation to strengthen international collaboration on data protection.
The agreement will enable joint research, best practice sharing, and coordinated enforcement efforts. It marks the CPPA’s third international partnership, following agreements with Korea’s PIPC and France’s CNIL, and reflects its broader commitment to global privacy cooperation.
For more information: CPPA Press release
The following Gibson Dunn lawyers prepared this update: Ahmed Baladi, Vera Lukic, Kai Gesing, Joel Harrison, Thomas Baculard, Billur Cinar, Hermine Hubert, Christoph Jacob, and Yannick Oberacker.