Gibson Dunn | Europe | Data Protection – December 2025

Client Alert  |  December 11, 2025


Europe

11/19/2025

European Commission | Legislative Package | Digital Omnibus and European Business Wallet

The European Commission has proposed simpler digital rules and new business wallets to cut costs and boost innovation.

The European Commission unveiled a digital omnibus to simplify EU rules on AI, cybersecurity and data, alongside a Data Union Strategy and European Business Wallets that will offer companies a single digital identity to simplify paperwork and make it easier to do business across the EU. The initiative aims to streamline compliance, reduce administrative costs by €5 billion, and unlock €150 billion in annual business savings by 2029.

For more information: The European Commission website

11/19/2025

European Commission | Draft Recommendation | Model and Standard Contractual Clauses Under the Data Act

The European Commission publishes draft model terms and clauses to simplify data sharing and cloud contracts.

The European Commission released draft non-binding Model Contractual Terms for data access and use and Standard Contractual Clauses for cloud computing contracts. These templates aim to help businesses, especially small and medium-sized enterprises, implement the Data Act, ensuring fairness, legal certainty, and easier cloud switching.

For more information: The European Commission website

11/17/2025

Council of the European Union | Regulation | Cross-border GDPR Enforcement Procedures

The Council adopts new EU law to speed up handling of cross-border GDPR complaints.

The Council adopted a regulation harmonizing procedures for cross-border data protection cases. The law establishes uniform admissibility criteria, defines rights for complainants and investigated parties, introduces a simple cooperation procedure, and sets investigation deadlines of 15 months for standard cases and 12 months for simpler ones.

For more information: The Council of the European Union website

11/13/2025

Court of Justice of the European Union (“CJEU”) | Judgment | e-Privacy Directive

The CJEU clarifies that where the exception provided under Article 13(2) of the e-Privacy Directive applies, no separate legal basis under the GDPR is required.

The Court held that email addresses collected when users create a free account to access limited content and a free daily newsletter can be considered as obtained “in the context of the sale of a … service”, even if it is free. The sending of the newsletter was considered as a use of an email for the purposes of direct marketing for similar services within the meaning of Article 13(2) of the e-Privacy Directive. The Court also ruled that when Article 13(2) applies, the conditions for lawful processing under Article 6 of the GDPR are not applicable.

For more information: CJEU judgment

10/30/2025

European Parliament | Study | Interplay between the AI Act and the EU Digital Legislation

The European Parliament has released a study examining the interaction between the AI Act and the broader EU digital regulatory framework.

The study highlights overlapping obligations between the AI Act and other key EU digital laws, including the GDPR, the Data Act, the Cyber Resilience Act, the Digital Services Act, the Digital Markets Act, and the NIS2 Directive. To address resulting challenges, it sets out recommendations ranging from short-term measures (promoting joint guidance and coordinated enforcement) to long-term actions (review of the EU’s digital regulatory landscape aimed at consolidation, simplification, and greater coherence).

For more information: European Parliament Website

10/20/2025

European Data Protection Board | Opinion | UK Adequacy Decisions

The European Data Protection Board (“EDPB”) adopted two opinions on the European Commission’s draft decisions extending the UK adequacy decisions under the GDPR and Law Enforcement Directive until December 2031.

With respect to the GDPR adequacy decision, the EDPB welcomes continued alignment but recommends further analysis of several issues, including amendments introduced by the Retained EU Law (Revocation and Reform) Act 2023, the Secretary of State’s new powers to modify the UK data protection framework, and rules governing transfers from the UK to third countries.

For more information: EDPB Website

10/14/2025

European Data Protection Board | Coordinated Enforcement Framework | Transparency

For its fifth coordinated enforcement action, the European Data Protection Board (EDPB) will focus on transparency and information obligations under the GDPR.

National supervisory authorities will participate on a voluntary basis, conducting investigations at the national level. The findings from these actions will be aggregated and analyzed by the EDPB to gain deeper insights.

For more information: EDPB Website

10/09/2025

European Data Protection Board & European Commission | Guidelines | DMA & GDPR

The European Data Protection Board (“EDPB”) and the European Commission have published joint guidelines on the interplay between the Digital Markets Act (“DMA”) and GDPR.

The guidelines address DMA requirements that overlap with GDPR obligations, aiming to provide clarity and promote consistent interpretation across both frameworks. A public consultation is open until 4 December 2025.

For more information: EDPB Website

10/01/2025

General Court | Judgment | Unlawful Personal Data Processing

The General Court of the European Union (GCEU) has ordered the European Commission to pay €50,000 in compensation for non-material damages caused by a European Anti-Fraud Office (“OLAF”) press release.

The claimant sought damages after OLAF published a press release that disclosed her personal data and allowed readers to identify her. The GCEU held that the press release unlawfully processed personal data, breached the presumption of innocence, and lacked neutrality, resulting in reputational harm, damage to her professional career, and mental distress.

For more information: European Union Website

France

10/15/2025

French Supervisory Authority | Paper | Postmortem Data

The French Supervisory Authority (“CNIL”) has published its report “Our Data After Us,” examining the challenges of managing postmortem data in a digital world.

The paper explores issues related to account management, data transmission, and the emergence of chatbots based on the data of deceased individuals. It highlights legal and ethical issues surrounding digital death and recommends raising public awareness, clarifying rights, and regulating AI applications involving postmortem data.

For more information: CNIL Website [FR]

10/14/2025

French Supervisory Authority | Guidance | Right to Data Portability

The French Supervisory Authority (“CNIL”) has published guidance on the application of the right to data portability in the context of loyalty programs.

Responding to requests from stakeholders in the distribution sector, the CNIL clarifies which information must be transmitted, focusing particularly on product barcodes and promotions associated with customers.

For more information: CNIL Website [FR]

10/13/2025

French Supervisory Authority | Sanction | Simplified Procedure

The French Supervisory Authority (“CNIL”) has announced that it has issued sixteen new sanctions under its simplified procedure since May 2025, totaling €108,000.

The sanctions relate to non-compliance with video surveillance rules, marketing without consent, and failure to cooperate with the CNIL.

For more information: CNIL Website [FR]

Germany

10/30/2025

Ministry for Digital and Civil Modernization (BMDS) | Draft Legislation | Data Act Implementation Law

The German Federal Cabinet has approved the draft legislation for the national implementation of the EU Data Act, aiming to establish a legal framework for data access and use in Germany.

The proposed Data Act Implementation Law (Data-Act-Durchführungsgesetz) outlines the responsibilities of the Federal Network Agency (Bundesnetzagentur) as the competent authority for enforcing the Data Act in Germany. It includes provisions on dispute resolution, supervisory powers, and sanctions. The draft also addresses the interplay between the Data Act and existing national regulations, particularly in the telecommunications and energy sectors. The law is still subject to parliamentary debate.

For more information: BMDS [DE]

10/28/2025

Data Protection Authority North Rhine-Westphalia (LDI NRW) | Enforcement Action | Sharing of Customer Data via Messenger Service

The LDI NRW has taken a firm stance against the practice of companies sharing personal data of customers through messenger services, deeming it a serious and ongoing violation of data protection law.

The LDI NRW has stopped a medical transport company from sharing client information including names, addresses and prescriptions in messenger groups. This information was intended to simplify the organization of patient transport. However, this does not justify the data processing that took place as the data was not necessary for the performance of a transport contract and should not have been made available to all members of the group chat, especially since health information is particularly sensitive and deserves special protection.

For more information: LDI NRW [DE]

10/28/2025

Hamburg and Austrian DPAs | Decisions | Credit Scoring as Automated Decision-Making

Automated credit scoring systems are facing increased scrutiny across Europe due to concerns over transparency, fairness, and compliance with the GDPR.

The Hamburg data protection authority imposed a substantial fine on a credit scoring provider for failing to adequately inform individuals about automated rejections and the logic behind the scoring process.

Meanwhile, the Austrian data protection authority prohibited a scoring practice used by KSV1870, finding it incompatible with GDPR requirements. The case centered on the lack of transparency and the determinative impact of the score on contractual decisions, aligning with the CJEU’s SCHUFA ruling that such scoring may constitute automated decision-making under Article 22 GDPR. Both cases underscore the importance of transparency, legal basis, and human oversight in automated credit assessments.

For more information: Datenschutz-notizen [DE]

10/17/2025

Data Protection Conference (DSK) | Guideline | Data Protection in Generative AI Systems with RAG-methods

The DSK has issued guidance on data protection aspects specific to generative AI systems using the Retrieval-Augmented Generation (RAG) method.

RAG is a method that combines a language model with an external knowledge source — typically a database or document collection — so that the model retrieves relevant information and uses it to generate more accurate, context-specific responses. The guideline provides legal and technical advice on how to utilize the potential of such AI systems while minimizing the risks for those affected. Emphasis is placed on the requirements for transparency and purpose limitation. It concludes that RAG can improve compliance with GDPR principles such as data accuracy, integrity, and confidentiality, as it allows for better control, updating, and deletion of personal data. However, issues of transparency, purpose limitation, and data subject rights remain only partially resolved and must be evaluated on a case-by-case basis.

For more information: DSK [DE]

Norway

10/21/2025

Borgarting Court of Appeal | Sanction | Data Sharing Without Consent

The Borgarting Court of Appeal upholds a €5.5 million fine against a dating app provider.

The Borgarting Court of Appeal dismissed a dating app provider’s appeal and upheld the NOK 65 million (approximately €5.5 million) fine for unlawfully sharing users’ personal and special-category data with third-party advertisers without valid consent. The ruling maintained earlier decisions issued by the Norwegian Supervisory Authority and the Privacy Appeals Board on all points.

For more information: Datatilsynet Website

10/01/2025

Norwegian Supervisory Authority | Consultation Response | EU AI Act

The Norwegian Supervisory Authority (“Datatilsynet”) recommends full adoption of the EU AI Act, with calls for stronger oversight and privacy safeguards.

In its response to the Norwegian AI law consultation, the Datatilsynet backs full incorporation of the EU AI Act into national law to ensure equal citizen protections, while urging adequate resourcing, independence, expert complaint mechanisms, and litigation powers for market surveillance authorities. It also proposes a national ban on remote biometric identification and seeks clearer rules on jurisdiction, cross-border penalties, designated fundamental-rights authorities, and information sharing among regulators.

For more information: Datatilsynet Website [NO]

Finland

11/03/2025

Helsinki Administrative Court | Court Decision | GDPR Fine Overturned

The Finnish court overturns the €2.4 million GDPR fine imposed on the national postal and logistics operator.

The court annulled a fine against the national operator for creating digital mailboxes without user consent, holding that the processing was lawful under the GDPR because it was necessary for the performance of a contract – namely, the provision of digital postal services.

For more information: The Daily Finland website

Poland

10/16/2025

Polish Supreme Administrative Court | Judgment | Cookies & IP addresses

The Polish Supreme Administrative Court (“NSA”) confirms that cookies and IP addresses are not automatically personal data.

In a case involving a web user-tracking tool, the NSA relied on the EU Court of Justice’s Breyer case law to emphasize that identifiability requires being able to distinguish one individual from another, not merely one device from another. As a result, there is no basis to treat IP addresses or cookie identifiers as personal data in all circumstances since their classification depends on whether, in the specific context, the data can be used to identify an individual.

United Kingdom

10/29/2025

UK Supervisory Authority | Fine | Unsolicited Marketing Messages

The UK Supervisory Authority (“ICO”) issued a £200,000 fine to a sole trader for sending nearly one million spam texts without valid consent.

The ICO found that the individual used data sourced from third parties without ensuring that data subjects’ consent had been obtained and without collecting their consent himself for the direct marketing. He also failed to identify himself or his business, instead concealing his identity by using hundreds of unregistered pre-paid SIM cards. The messages promoted debt solutions and energy saving schemes. 19,138 complaints were received via the spam reporting service in respect of these messages.

For more information: ICO Website

10/15/2025

UK Supervisory Authority | Fine | Cyber Attack

The UK Supervisory Authority (“ICO”) issued a fine of £14 million to two companies for failing to ensure the security of personal data following a cyber-attack in 2023.

Both entities belong to a business process outsourcing and professional services group. The attack began when a malicious file was downloaded onto an employee’s device. Despite a high-priority alert, the device was not quarantined for 58 hours, enabling malware deployment, privilege escalation, and lateral movement across the network. Nearly one terabyte of data was exfiltrated before ransomware was deployed, locking staff out of systems. The ICO considered that the companies failed to prevent privilege escalation and unauthorized lateral movement, to respond appropriately to security alerts, and to conduct adequate penetration testing and risk assessment.

For more information: ICO Website

09/26/2025

UK Government | Policy Announcement | Digital ID  

The Prime Minister has announced plans to introduce a digital ID system for Right to Work checks.

The initiative aims to combat illegal employment while streamlining checks that currently rely on paper records. It will also simplify access to services such as driving licenses, childcare, and welfare. The digital ID will be free for UK citizens and legal residents and is expected to be integrated into a digital wallet. A public consultation will be launched later this year.

For more information: UK Government Website


The following Gibson Dunn lawyers prepared this update: Ahmed Baladi, Vera Lukic, Kai Gesing, Joel Harrison, Thomas Baculard, Ioana Burtea, Billur Cinar, Hermine Hubert, Christoph Jacob, Yannick Oberacker, Clemence Pugnet, and Phoebe Rowson-Stevens.


© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.
