Gibson Dunn | Europe | Data Protection – September 2025
Client Alert | October 17, 2025
Europe
09/23/2025
EDPB | Letter | Administrative Fines
The European Data Protection Board (“EDPB”) confirms that no amendments are needed to its GDPR fine calculation guidelines.
The EDPB published a letter to CCIA Europe confirming that no revisions are required to its Guidelines 4/2022 on the Calculation of Administrative Fines following the Court of Justice’s ruling in C-383/23. In that case, the Court of Justice of the European Union (“CJEU”) clarified that the concept of an “undertaking” under Article 83 GDPR corresponds to the one used in EU competition law, meaning that fines may be based on the total worldwide turnover of a corporate group. The EDPB emphasized that this interpretation is already reflected in its existing guidelines and therefore no amendments are necessary.
For more information: EDPB Website
09/17/2025
EDPS | Opinion | EU-US Data Exchange Agreements
The European Data Protection Supervisor (“EDPS”) urges stronger safeguards and redress mechanisms in upcoming EU-US data-sharing frameworks.
The EDPS issued opinions raising concerns about two planned EU-US data-exchange arrangements – one covering security-screening data and another concerning passenger and border-security information. The EDPS called for strict necessity and proportionality limits, exclusion of migration and asylum databases, and independent oversight to ensure compliance with EU fundamental-rights standards. It also stressed that any agreement must guarantee effective judicial redress in the United States for all individuals, regardless of nationality.
For more information: EDPS Website
09/16/2025
European Commission | Call for Evidence | Digital Omnibus
The European Commission collects feedback to simplify EU rules on data, AI and cybersecurity.
The European Commission has launched a call for evidence, running until 14 October 2025, to gather public and stakeholder feedback on its Digital Omnibus initiative. The initiative aims to streamline existing legislation, reduce regulatory overlaps and lower compliance costs. Areas targeted for simplification include rules on cookies and other tracking technologies, cybersecurity incident-reporting obligations, and the application of the AI Act.
For more information: European Commission Website
09/16/2025
European Union | Data Transfers | PIPC Adequacy Decision
The Personal Information Protection Commission of Korea (“PIPC”) has recognized the European Union’s data protection framework as providing an equivalent level of protection.
This complements the European Commission’s 2021 adequacy decision on Korea, establishing a comprehensive, reciprocal framework that covers both the private and public sectors and facilitating seamless and secure data flows between the two jurisdictions.
For more information: European Commission Website
09/16/2025
European Commission | Conference | European Competitiveness
The European Commission hosted a high-level conference to mark the one-year anniversary of Mario Draghi’s report on the future of European competitiveness.
In his keynote speech, former European Central Bank President Mario Draghi reiterated the report’s key priorities, including the need to close the innovation gap in advanced technologies. He emphasized the demand from European businesses for a radical simplification of the GDPR, citing high compliance costs. Additionally, he recommended postponing the enforcement of high-risk AI rules until their impact is better understood.
For more information: European Commission Website
09/12/2025
EDPB | Draft Guidelines | Interplay between the DSA and the GDPR
The European Data Protection Board (“EDPB”) has adopted draft guidelines on the interplay between the Digital Services Act (“DSA”) and the General Data Protection Regulation (“GDPR”).
The guidelines seek to provide guidance on how the GDPR should be applied in the context of obligations under the DSA and address key areas such as recommender systems, protection of minors, advertising transparency, and profiling-based advertising. They also aim to clarify the cross-regulatory cooperation between authorities. The draft guidelines are open for public consultation until 31 October 2025.
For more information: EDPB Website
09/12/2025
European Union | Regulation | Data Act
Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonized rules on fair access to and use of data (“Data Act”) entered into application.
The Data Act aims to empower consumers and businesses by granting them greater control over the data generated by their connected devices. Among its key objectives, it seeks to ensure that such devices are designed to enable data sharing, provide businesses in specific sectors with access to performance-related data from industrial equipment, and allow consumers to transfer their data and switch between cloud service providers more easily.
For more information: European Commission Website
09/05/2025
European Commission | Draft Adequacy Decision | Brazil
The European Commission published a draft adequacy decision recognizing Brazil’s data-protection regime as providing an equivalent level of protection to the EU.
Once adopted, the decision will enable unrestricted transfers of personal data between the EU and Brazil, complementing the broader EU-Mercosur partnership. Brazil is expected to reciprocate by granting adequacy status to the EU.
For more information: European Commission Website
09/04/2025
CJEU | Judgment | Pseudonymized Data
The Court of Justice of the European Union (“CJEU”) clarifies under what circumstances pseudonymized data may qualify as personal data.
The CJEU ruled in Case C-413/23 P that pseudonymized data can be considered anonymous for recipients who lack the means to re-identify individuals. The Court adopted a relative, recipient-based approach, finding that personal-data status must be assessed from the perspective of each recipient. However, controllers remain fully subject to GDPR transparency obligations and must inform data subjects of potential recipients at the time of data collection.
For more information: Curia Europa
09/04/2025
CJEU | Judgment | Non-Material Damages under the GDPR
The Court of Justice of the European Union (“CJEU”) confirms that emotional harm may constitute compensable damage under Article 82 GDPR.
In Case C-655/23, the CJEU held that non-material damage – such as fear or annoyance – can give rise to compensation under Article 82 GDPR, provided a causal link exists between the infringement and the harm suffered. The ruling reinforces that even intangible harms may trigger liability where a data-protection violation can be established.
For more information: Curia Europa
09/03/2025
General Court | Judgment | EU-US Data Protection Framework
The General Court of the European Union dismissed an action for annulment of the European Commission’s adequacy decision for the EU-US Data Protection Framework (“DPF”).
The challenge, brought by a member of the French Parliament, alleged that the Data Protection Review Court (“DPRC”) established in the US lacks independence and that US intelligence agencies engage in bulk data collection without sufficient safeguards. The General Court rejected these arguments, thereby confirming the continued validity of the adequacy decision.
For more information: Curia Europa
France
09/23/2025
French Supervisory Authority | Sanction | Hidden Surveillance System
On September 18, 2025, the French Supervisory Authority (“CNIL”) fined a department store €100,000 for unlawfully installing hidden cameras in its stockrooms to record employees.
The CNIL sanctioned a department store after it installed disguised cameras with microphones in its stockrooms without conducting a GDPR compliance analysis or involving the Data Protection Officer (“DPO”). The authority found violations of the fairness, minimization, and accountability principles. The decision applies European Court of Human Rights (“ECHR”) case law on exceptional workplace surveillance.
For more information: CNIL Website
09/18/2025
French Supervisory Authority | Injunction | Cookie
On September 11, 2025, the French Supervisory Authority (“CNIL”) closed its injunction against a telecom operator regarding cookie consent practices.
In November 2024, the CNIL issued an order, in addition to a €50 million fine, requiring a telecom operator to stop reading cookies after individuals withdrew their consent, with a compliance deadline of three months. In response, the operator provided evidence within the specified timeframe demonstrating that, once user consent was withdrawn, no further cookie reading or writing occurred on its website. Under these circumstances, the CNIL decided not to enforce the penalty payment (i.e. not to require the additional fine of €100,000 per day of delay) and closed the injunction.
For more information: CNIL Website
09/03/2025
French Supervisory Authority | Sanction | Cookie
On September 1, 2025, the French Supervisory Authority (“CNIL”) fined an email provider €325 million for displaying advertisements between users’ emails and placing cookies without consent.
Following a complaint filed by the organization None Of Your Business (“NOYB”), the CNIL conducted several investigations and considered that the email provider encouraged users to accept personalized advertising cookies when creating accounts, without clearly informing them that this was required to access services, thereby making the consent invalid. In addition, the CNIL considered that the email provider displayed ads between users’ emails without obtaining consent. Along with the fine, the CNIL issued an order requiring the company to implement measures within six months to bring its cookie and email practices into compliance.
For more information: CNIL Website
09/03/2025
French Supervisory Authority | Sanction | Cookie
On September 1, 2025, the French Supervisory Authority (“CNIL”) fined an e-commerce platform €150 million for unlawful cookie practices.
The CNIL considered that the company placed advertising cookies on users’ devices without consent, failed to provide clear and complete information about cookies, and did not respect users’ choices to refuse or withdraw consent.
For more information: CNIL Website
Germany
10/01/2025
Federal Ministry of Health | Implementation | Electronic Health Record
Germany makes the electronic health record mandatory for healthcare providers, with an opt-out for patients, who retain granular control over their data.
As of October 1, 2025, German healthcare providers must use the electronic health record (“ePA”) for all publicly insured patients. Each insured person automatically receives a digital record unless they object. Patients can manage access permissions, restrict document uploads, and delete data directly through a dedicated app. The reform represents a major step in Germany’s healthcare digitalization.
For more information: Federal Ministry of Health Website [DE]
09/25/2025
German Supervisory Authority | Initiative | Data Barometer
The Federal Commissioner for Data Protection and Freedom of Information (“BfDI”) unveiled the “Data Barometer,” a recurring national survey measuring public attitudes toward data protection.
The initiative aims to ground regulatory debate in empirical data rather than perceptions. Early results show that 37% of respondents view data protection as excessive or bureaucratic, which the BfDI described as a “wake-up call” to rebuild trust through more transparent and user-friendly frameworks.
For more information: BfDI Website [DE]
09/23/2025
Stuttgart Higher Regional Court | Judgment | “Paying with Data”
The Stuttgart Higher Regional Court decided in its ruling 6 UKI 2/25 that providing personal data for digital services does not constitute a “price” under EU or German consumer law.
According to the ruling, only monetary consideration qualifies as a price. As a result, services may be advertised as “free” if data-processing practices are sufficiently transparent. An appeal to the Federal Court of Justice (ZR 198/25) is pending.
For more information: Ruling [DE]
09/18/2025
German Supervisory Authorities | Resolution | Automated Data Analysis by Law Enforcement
The Data Protection Conference (“DSK”), bringing together Germany’s supervisory authorities, calls for clear legal limits on automated law enforcement data analytics.
The DSK adopted a resolution stating that automated data-analysis systems used by law enforcement must be grounded in specific, constitutionally compliant legislation and limited to combating serious offences. The DSK emphasized transparency, auditability, and the need to preserve digital sovereignty, warning against reliance on third-country providers with incompatible data-access regimes.
For more information: DSK Website [DE]
09/18/2025
German Supervisory Authorities | Resolution | Data Transfers for Scientific Research
The Data Protection Conference (“DSK”) provides guidance on international transfers for scientific research for medical purposes.
The guidance outlines applicable legal bases under Articles 6 and 9 GDPR, requirements for Standard Contractual Clauses and Transfer Impact Assessments, and the proper use of “broad consent.” It also highlights controllers’ obligations to inform data subjects about international transfers under Articles 13 and 14 GDPR.
For more information: DSK Website [DE]
Italy
09/18/2025
Italian Supervisory Authority | Order | Facial Recognition
The Italian Supervisory Authority (“Garante”) ordered an airport corporation to suspend the use of its facial recognition solution.
The solution was found to be non-compliant and incompatible with EU data protection rules, as clarified by the European Data Protection Board (“EDPB”) in its Opinion 11/2024 on the use of facial recognition to streamline passenger flow at airports. The Garante specified that other facial recognition solutions referenced in the EDPB Opinion 11/2024 remain permitted.
For more information: Garante Website [IT]
Netherlands
09/01/2025
Rechtbank Noord-Nederland | Judgment | GDPR Livestream
The court ruled that a village livestream unlawfully infringed privacy rights, even though the footage was blurred and some residents had not objected.
The court upheld the sanction imposed by the Dutch Supervisory Authority (“AP”) on a village livestream, finding serious infringements of the rights to private life and personal data protection. Even blurred images left individuals identifiable. Less intrusive alternatives existed, and the data minimization principle required their use. The fine was reduced on account of procedural delay.
For more information: Rechtspraak Website [NL]
United Kingdom
09/23/2025
UK Supervisory Authority | Announcement | AI Training
The Information Commissioner’s Office (“ICO”) announced that it will continue to monitor an online platform over newly announced AI training on user data.
On 18 September 2025, an online platform announced it will begin using user data from the EU and UK to train its generative AI models from 3 November 2025, reversing a 2024 commitment to exclude EU/UK data after regulatory backlash. The platform indicated it will rely on legitimate interests with an opt-out mechanism. The ICO emphasized the need to ensure the ongoing compliance of the platform’s approach. Further, supervisory authorities in the Netherlands (“AP”) and Belgium (“APD”) have issued public warnings, expressing concern and urging users to disable permissions if they do not want their data to be used.
For more information: ICO Website, AP Website, APD Website
09/11/2025
UK Supervisory Authority | Guidance | Encryption
The Information Commissioner’s Office (“ICO”) issues new guidance on implementing encryption to protect personal data and reduce breach risks.
The ICO has published guidance on encryption as an appropriate technical and organisational measure to secure personal data. The guidance is not a statutory code of practice; however, the ICO notes that it will take the guidance into account in breach assessments and compliance investigations.
For more information: ICO Website
08/28/2025
UK Government | Public Consultation | Telecommunications Security Code of Practice
The UK Department for Science, Innovation and Technology has launched a consultation on updates to the 2022 Telecommunications Security Code of Practice.
These proposed updates are intended to help public telecoms providers protect UK telecoms networks and services in light of evolving threats and emerging technologies. Stakeholders may submit responses before the consultation closes on October 22, 2025.
For more information: UK Government Website
The following Gibson Dunn lawyers prepared this update: Ahmed Baladi, Vera Lukic, Kai Gesing, Joel Harrison, Thomas Baculard, Ioana Burtea, Billur Cinar, Hermine Hubert, Christoph Jacob, Yannick Oberacker, and Phoebe Rowson-Stevens.
Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:
Privacy, Cybersecurity, and Data Innovation:
United States:
Abbey A. Barrera – San Francisco (+1 415.393.8262, abarrera@gibsondunn.com)
Ashlie Beringer – Palo Alto (+1 650.849.5327, aberinger@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303.298.5774, rbergsieker@gibsondunn.com)
Keith Enright – Palo Alto (+1 650.849.5386, kenright@gibsondunn.com)
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, geyler@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, sgans@gibsondunn.com)
Lauren R. Goldman – New York (+1 212.351.2375, lgoldman@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Natalie J. Hausknecht – Denver (+1 303.298.5783, nhausknecht@gibsondunn.com)
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, jhorvath@gibsondunn.com)
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, mkutscherclark@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415.393.8395, klinsley@gibsondunn.com)
Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Ashley Rogers – Palo Alto/Dallas (+1 650.849.5204, arogers@gibsondunn.com)
Sophie C. Rohnke – Dallas (+1 214.698.3344, srohnke@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)
Frances A. Waldmann – Los Angeles (+1 213.229.7914, fwaldmann@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213.229.7472, dwongyang@gibsondunn.com)
Europe:
Ahmed Baladi – Paris (+33 1 56 43 13 00, abaladi@gibsondunn.com)
Patrick Doris – London (+44 20 7071 4276, pdoris@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Joel Harrison – London (+44 20 7071 4289, jharrison@gibsondunn.com)
Lore Leitner – London (+44 20 7071 4987, lleitner@gibsondunn.com)
Vera Lukic – Paris (+33 1 56 43 13 00, vlukic@gibsondunn.com)
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, lpetersen@gibsondunn.com)
Christian Riis-Madsen – Brussels (+32 2 554 72 05, criis@gibsondunn.com)
Robert Spano – London/Paris (+44 20 7071 4000, rspano@gibsondunn.com)
Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)
© 2025 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.