Europe

02/23/2026

EDPB-EDPS | Joint Statement | AI-Generated Imagery and Privacy

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) signed a joint statement on AI-generated imagery and the protection of privacy.

The statement, endorsed by 61 data protection authorities worldwide, raises concerns about AI tools that create highly realistic images and videos of individuals without their knowledge or consent. It calls on organisations to ensure full compliance with data protection laws, implement strong safeguards and transparency measures, and engage proactively with regulators to prevent potential harm.

For more information: EDPB Website

02/18/2026

EDPB | Coordinated Enforcement Framework | Report on the Right to be Forgotten

The European Data Protection Board (EDPB) has adopted a report under its Coordinated Enforcement Framework (CEF) action on the right to be forgotten.

The report highlights good practices identified across organizations, as well as recurring challenges they face when implementing the right to be forgotten. Among these challenges, the report particularly notes the lack of appropriate internal procedures, reliance on ineffective anonymization techniques, and difficulties in determining appropriate data retention periods.

For more information: EDPB Website

02/13/2026

EDPB | Policy | 2026-2027 Work Program

The European Data Protection Board (EDPB) has adopted its work program for 2026-2027, placing an emphasis on “easing compliance” for organizations.

To simplify GDPR compliance, the EDPB will develop ready-to-use templates for organizations, including models for legitimate interest assessments, records of processing activities, privacy notices, data breach notifications, and data protection impact assessments.

For more information: EDPB Press Release

02/13/2026

European Commission | Toolbox | ICT Supply Chain Security

The European Commission has introduced a new ICT Supply Chain Security Toolbox aimed at reducing systemic dependencies and mitigating supplier-related risks.

The toolbox defines key concepts, outlines major risk scenarios and proposes mitigation measures, including enhanced risk‑management practices and the adoption of multi‑vendor strategies. This initiative forms part of the Commission’s broader cybersecurity agenda, which also includes the proposed revision of the Cybersecurity Act presented in January 2026.

For more information: European Commission Website

02/11/2026

EDPB-EDPS | Joint Opinion | Digital Omnibus Regulation Proposal

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have published a joint opinion on the Digital Omnibus Regulation Proposal.

They welcome targeted amendments to the GDPR intended to reduce administrative burden and enhance legal certainty (e.g., a new derogation allowing the processing of sensitive data for biometric authentication; introduction of EU‑wide templates for data breach notifications and data protection impact assessments). However, the EDPB and EDPS strongly oppose proposals to redefine “personal data” or to empower the Commission, via implementing acts, to determine when pseudonymized data “is no longer personal.” They warn that such changes would narrow the scope of the GDPR and risk undermining fundamental rights.

For more information: EDPB Website

02/02/2026

European Parliament | Opinion | AI Act Omnibus

The Committee of Legal Affairs of the European Parliament proposed substantial changes to the AI Act, tightening safeguards, expanding prohibited practices, and revising enforcement, governance and timelines.

On February 2, 2026, the Committee of Legal Affairs of the European Parliament issued a draft opinion on the AI Omnibus legislative proposal. The proposed amendments seek to explicitly cover agentic AI by extending the definition of AI systems to include systems that execute autonomous actions, and propose stricter rules for processing special-category data for bias detection by requiring it to be “strictly necessary.” It also suggests adding a new prohibited practice covering AI systems that generate or manipulate sexualized content.

On governance, the draft opinion seeks to remove broad real-world testing outside sandboxes, and align cybersecurity compliance with the Cyber Resilience Act. It also replaces the flexible entry-into-force mechanism with fixed dates, with high-risk obligations applying from December 2027 and 2028, and legacy systems to be compliant by the end of 2030.

For more information: Draft Opinion of the Committee on Legal Affairs

France

02/26/2026

CNIL | GDPR | AI models

PANAME Project: French authorities seek testers for new AI privacy audit tool.

The French supervisory authority (CNIL), alongside other French agencies including ANSSI, PEReN, and Inria, has launched a call for interest inviting organizations to test PANAME, an open-source software library designed to audit AI models for GDPR compliance. The tool enables users to conduct data extraction and re-identification tests to assess whether AI models trained on personal data meet privacy requirements. Public and private entities established in EU member states are eligible to participate in this testing phase. Applications are open from February 26 through March 28, 2026.

For more information: CNIL Website [FR]

02/25/2026

CNIL | Public Consultation | Recommendation on Session Replay Tools

The French supervisory authority (CNIL) opened public consultation on its draft recommendations on session replay tools.

The CNIL has launched a public consultation on draft recommendations governing session replay tools (i.e., technologies that record and reconstruct users’ complete browsing sessions on websites and mobile apps, including mouse movements, clicks, scrolling, and form inputs). The guidance targets both tool providers and website or app publishers, addressing key GDPR requirements such as data minimization and user consent mechanisms. Stakeholders are invited to submit comments by April 22, 2026.

For more information: CNIL Website [FR]

02/18/2026

DGFiP | Data Breach | Illegal access to the national bank accounts registers

FICOBA data breach exposed 1.2 million French bank accounts.

France’s General Directorate of Public Finances (DGFiP) has disclosed a data breach affecting approximately 1.2 million bank accounts in the national bank account registry (FICOBA) after a malicious actor gained access using stolen government credentials in late January 2026. Compromised data includes bank account details (RIB/IBAN), account holder identities, and addresses, though tax identification numbers were not accessed. Authorities have implemented immediate access restrictions, notified the French Supervisory Authority (CNIL), filed a criminal complaint, and are coordinating with the French cybersecurity agency (ANSSI) and banking institutions. Affected individuals will receive direct notifications, and users are urged to remain vigilant against phishing attempts.

For more information: DGFiP Press Release [FR]

02/18/2026

CNIL | GDPR | Right to erasure

The French supervisory authority (CNIL) released findings from coordinated European right to erasure inspections.

As part of a coordinated enforcement action led by the European Data Protection Board (EDPB), the CNIL conducted on-site inspections of six organizations in 2025 to assess compliance with GDPR right to erasure requirements. While data controllers generally honored deletion requests, inspectors identified persistent issues including inadequate internal procedures, insufficient information provided to data subjects, and difficulties determining data retention periods. Larger organizations demonstrated higher compliance levels and more formalized processes. The CNIL has already issued two formal notices, with additional corrective measures potentially forthcoming.

For more information: CNIL Website [FR]

02/13/2026

French Council of State | Judgment | Pseudonymization

French Council of State (Conseil d’État) upheld €1.8 million in French supervisory authority (CNIL) fines against health data companies.

The French Council of State (Conseil d’État) has rejected appeals by health data group companies challenging CNIL fines totaling €1.8 million for unlawfully processing health data collected from physicians and pharmacies. The French court confirmed that the companies’ pseudonymized databases, containing data on millions of patients, constituted personal data under GDPR because re-identification remained possible using reasonable means. The ruling upheld CNIL’s position that such health data processing requires prior authorization under French law, and that pseudonymization alone does not render data anonymous or exempt from GDPR requirements.

For more information: Conseil d’État Website [FR]

02/09/2026

CNIL | Report | 2025 Enforcement Actions

The French supervisory authority (CNIL) reported a record €487 million in fines for 2025.

The CNIL issued 83 sanctions totaling €486.8 million in 2025, with cookies, employee video surveillance, and data security violations among the top enforcement priorities. Two major fines of €325 million and €150 million were imposed for cookie consent violations, while 16 organizations were sanctioned for unlawfully surveilling employees. Other recurring issues included inadequate data security measures, failure to cooperate with the CNIL, and non-compliance with data subject rights such as erasure and access requests. The CNIL also issued 143 formal notices, notably targeting child welfare services and mobile apps used by minors.

For more information: CNIL Website [FR]

Germany

02/26/2026

Data Protection Conference (DSK) | Statement | “Chat Control”

The German Data Protection Conference (DSK) called for a complete rejection of proposals that would require indiscriminate scanning of private digital communications (Chat Control).

Ahead of EU negotiations, the DSK urged policymakers to abandon mass surveillance of private chats, bulk scanning of messages and any weakening of end-to-end encryption, while emphasizing that child-protection measures must remain targeted and proportionate; it also pointed to Article 28 of the Digital Services Act as already requiring platforms accessible to minors to adopt appropriate safeguards.

For more information: DSK Website [DE]

02/25/2026

Data Protection Authority North Rhine-Westphalia | Survey | Centralized Data Protection Supervision

The Data Protection Authority North Rhine-Westphalia cited a new Bitkom survey to argue against proposals to centralise private-sector data protection supervision at the federal level.

According to the authority, the survey of 603 companies found that 85% want clearer data protection rules, 79% call for GDPR reform and 69% want better alignment with other regulatory frameworks, while 62% are asking supervisory authorities for more practical guidance; the authority also said complaints in NRW rose by 67% last year and noted that only 9% of respondents saw no disadvantages in a shift to federal-level supervision.

For more information: LDI NRW Website [DE]

02/12/2026

Data Protection Conference (DSK) | Statement | Draft Research Data Act (FDG)

The German Data Protection Conference (DSK) welcomed the goal of improving access to research data but said the draft Research Data Act (FDG) requires substantial revision.

In its statement, the DSK called for clearer delineation between the FDG and sector-specific research laws, particularly for health data, stronger independence and separation safeguards for the proposed German Center for Microdata, a clearer allocation of controller responsibilities, more precise limits on data access and retention, mandatory data protection impact assessments for data linkages, and greater caution around the use of cross-sector identifiers such as the tax ID.

For more information: DSK Website [DE]

Spain

02/18/2026

Spanish Supervisory Authority | Guidelines | Agentic AI and Data Protection

The Spanish Supervisory Authority (AEPD) has issued guidance on the privacy implications of deploying agentic AI systems.

As a reminder, agentic AI systems operate with a high degree of autonomy and can plan and execute tasks with minimal human intervention. The AEPD identifies several risks arising from this autonomy and complexity, including excessive data collection, uncontrolled memory accumulation, limited auditability, and the possibility of significant actions being taken without adequate human oversight. The guidance highlights key GDPR compliance considerations – such as transparency, lawfulness of processing, data minimization and automated decision-making – and recommends measures including memory controls, human supervision and technical safeguards (e.g., strict access management) to mitigate privacy-related risks.

For more information: AEPD Website [ES]

United Kingdom

02/27/2026

ICO | Public Consultation | Research, Archiving and Statistics

The UK Supervisory Authority (ICO) has opened a consultation on updated guidance relating to the research, archiving and statistics provisions under UK data protection law.

Following the introduction of the Data (Use and Access) Act 2025 (DUA Act 2025), the ICO revised its criteria for scientific research and is seeking feedback on the new “disproportionate effort” exemption from the requirement to inform data subjects when previously collected data is re-used for research purposes. The consultation is open until 27 April 2026 and invites stakeholder views on both the substance and impact of the proposed updates.

For more information: ICO Website

02/23/2026

Ofcom | Sanction | Age Assurance Measures

Ofcom has fined an adult-content provider £1.35 million (approx. €1.55 million) for failing to implement age assurance measures.

Under the UK Online Safety Act, providers of adult websites must deploy effective age assurance to prevent children from accessing pornographic material. Shortly after these duties came into force in July 2025, Ofcom launched several investigations into major adult-content websites. Following its investigation, Ofcom concluded that the company had not implemented compliant age assurance measures. It also found that the company had failed to respond to Ofcom’s requests in an accurate, complete and timely way, resulting in an additional fine of £50,000 (approx. €58,000).

For more information: Ofcom Website

02/19/2026

Court of Appeal | Judgment | Cyberattacks and Scope of the Security Duty

The Court of Appeal held that organizations must secure personal data they can identify, even if attackers cannot identify individuals from the stolen dataset.

The case arose from an ICO monetary penalty issued after a cyberattack, in which the ICO found that the company failed to implement adequate security measures. The First‑tier Tribunal upheld the ICO’s findings but reduced the fine from £500,000 to £250,000. On further appeal, the Upper Tribunal concluded that the scraped payment card details were not “personal data” because attackers could not identify individuals from them, meaning the company had no duty to prevent third‑party access. The Court of Appeal overturned that approach, confirming that personal data is defined from the controller’s perspective, not the attacker’s, and that controllers must apply security measures to all personal data they process.

For more information: Court of Appeal’s Judgment


The following Gibson Dunn lawyers prepared this update: Ahmed Baladi, Vera Lukic, Kai Gesing, Joel Harrison, Thomas Baculard, Ioana Burtea, Billur Cinar, Hermine Hubert, Christoph Jacob, Yannick Oberacker and Phoebe Rowson-Stevens.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:

Privacy, Cybersecurity, and Data Innovation:

United States:
Abbey A. Barrera – San Francisco (+1 415.393.8262, abarrera@gibsondunn.com)
Ashlie Beringer – Palo Alto (+1 650.849.5327, aberinger@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303.298.5774, rbergsieker@gibsondunn.com)
Keith Enright – Palo Alto (+1 650.849.5386, kenright@gibsondunn.com)
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, geyler@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, sgans@gibsondunn.com)
Lauren R. Goldman – New York (+1 212.351.2375, lgoldman@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Natalie J. Hausknecht – Denver (+1 303.298.5783, nhausknecht@gibsondunn.com)
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, jhorvath@gibsondunn.com)
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, mkutscherclark@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415.393.8395, klinsley@gibsondunn.com)
Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Ashley Rogers – Dallas (+1 214.698.3316, arogers@gibsondunn.com)
Sophie C. Rohnke – Dallas (+1 214.698.3344, srohnke@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)
Frances A. Waldmann – Los Angeles (+1 213.229.7914, fwaldmann@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213.229.7472, dwongyang@gibsondunn.com)

Europe:
Ahmed Baladi – Paris (+33 1 56 43 13 00, abaladi@gibsondunn.com)
Patrick Doris – London (+44 20 7071 4276, pdoris@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Joel Harrison – London (+44 20 7071 4289, jharrison@gibsondunn.com)
Lore Leitner – London (+44 20 7071 4987, lleitner@gibsondunn.com)
Vera Lukic – Paris (+33 1 56 43 13 00, vlukic@gibsondunn.com)
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, lpetersen@gibsondunn.com)
Christian Riis-Madsen – Brussels (+32 2 554 72 05, criis@gibsondunn.com)
Robert Spano – London/Paris (+44 20 7071 4000, rspano@gibsondunn.com)

Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)

© 2026 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

We are pleased to provide you with the January 2026 edition of Gibson Dunn’s monthly European data privacy update. Please feel free to reach out to us to discuss any of these topics further.

Europe

01/27/2026

European Commission | Adequacy Decision | Brazil

The European Commission has adopted an adequacy decision under Article 45 GDPR, allowing EU personal data transfers to Brazil without additional safeguards.

The European Commission found that Brazil’s General Personal Data Protection Law provides a level of protection essentially equivalent to the EU data protection framework, permitting personal data to flow from the EU to Brazil without additional transfer mechanisms. On the same day, Brazil adopted its own adequacy decision for personal data transfers from Brazil to the EU.

For more information: European Commission Website

01/23/2026

EDPB | Guidance | EU-U.S. Data Protection Framework

The European Data Protection Board (“EDPB”) has updated its Data Protection Framework (DPF) FAQs to provide further guidance for businesses and individuals on EU-US personal data transfers.

The revised FAQs reiterate that exporters should first verify the U.S. recipient’s DPF self-certification status and the scope of that certification (including whether it covers any relevant subsidiaries). For transfers of HR data, the FAQs highlight additional steps, such as confirming that the importer’s certification includes HR data and informing the importer that the transferred data is HR data. The EDPB also reminds exporters that participation in the DPF does not replace other GDPR obligations.

For more information: Businesses FAQs

01/22/2026

European Commission | Guidance | Data Act

The European Commission has released an updated version of its FAQs on the Data Act.

Developed with input from stakeholders, the FAQs are intended to support the practical implementation of the Data Act. They address topics such as unfair terms in business‑to‑business data‑sharing agreements, switching between data‑processing services, and interoperability requirements.

For more information: European Commission Website

01/21/2026

EDPB & EDPS | Joint Opinion | Digital Omnibus on AI

The European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) have published a joint opinion on the Proposal for the “Digital Omnibus on AI”.

In their opinion, the EDPB and EDPS support efforts to reduce the burdens of practical implementation, but caution that administrative simplification must not come at the expense of individuals’ rights. They recommend limiting any expanded use of special-category data for bias detection and raise concerns regarding the postponement of provisions relating to high-risk AI systems. The authorities also call for a clearer definition of the role of market surveillance authorities, while emphasizing that the independence and powers of data protection authorities should remain preserved.

For more information: EDPS Website

01/20/2026

European Commission | Proposal | New Cybersecurity Package

The European Commission has launched a new cybersecurity package, including a Proposal for a revised Cybersecurity Act.

The revised Cybersecurity Act aims in particular to simplify the European Cybersecurity Certification Framework by introducing streamlined procedures designed to enable the development of certification schemes within 12 months. It would also expand ENISA’s powers, strengthening its role in the development of cybersecurity standards. The new cybersecurity package also includes targeted amendments to the NIS 2 Directive intended to enhance legal clarity by simplifying jurisdictional rules, improving the collection of data on ransomware attacks, and facilitating the supervision of cross‑border entities through ENISA’s reinforced coordinating role.

For more information: European Commission Website

France

01/22/2026

CNIL | Sanction | Data Breach

The French data protection authority (CNIL) fined a French governmental agency €5 million after a cyberattack exposed large-scale jobseeker data, citing major gaps in account security, monitoring, and access controls.

The sanction follows unauthorized access to personal data relating to individuals registered with the agency over the past 20 years and to account users. The CNIL found that security measures were not appropriate under Article 32 GDPR, pointing in particular to overly permissive password settings, lack of MFA for exposed adviser accounts, and insufficient real-time logging/monitoring.

For more information: CNIL Decision [FR]

01/22/2026

CNIL | Sanction | Data Sharing for Advertising Purposes

A company was fined €3.5 million for sharing loyalty-program contact data for ad-targeting without valid consent.

The CNIL sanctioned the company, finding that the “consent” relied upon was not valid because individuals were not properly informed of the targeting purpose. Other infringements identified include insufficient information, security shortcomings, failure to conduct a DPIA, and cookie/tracker compliance issues. The decision was adopted in cooperation with 16 European counterparts given its cross-border impact.

For more information: CNIL Website [FR]

01/16/2026

CNIL | Recommendations | “Multi-device” Consent in Authenticated Environments

The CNIL published recommendations to set out how publishers can lawfully apply a user’s cookie/tracker choices across all devices tied to the same logged-in account without forcing repeated prompts.

The CNIL clarifies that multi-device consent is optional and only relevant in authenticated environments where user choices can be tied to an account and synced across logged-in devices. Consent, refusal, and withdrawal must all carry the same cross-device effect, and users should be informed upfront that their choice applies to all connected devices. The guidance also addresses conflicts between pre-login preferences and account settings, encourages consistent market practices, and highlights privacy-by-design concerns like avoiding the sharing of clear account identifiers with CMP vendors and handling shared devices carefully.

For more information: CNIL Recommendations [FR]

01/14/2026

CNIL | Sanction | Data Breach

The French data protection authority (CNIL) imposed a combined €42 million fine on a French telecom operator following a major customer data breach.

The CNIL reports that attackers accessed personal data tied to around 24 million subscriber contracts. The authority found shortcomings in security (including authentication and monitoring/detection measures), issues in the completeness of information provided to affected individuals, and non-compliant retention practices for certain categories of data. In addition to the fines (€27M for the mobile subsidiary and €15M for the parent company), the CNIL issued compliance orders with deadlines (notably to complete specific security measures within three months and bring certain retention practices into compliance within six months).

For more information: CNIL Website [EN]

Germany

01/27/2026

Data Authorities | Press Release | Record High Volume of Data Protection Complaints

German Data Protection Authorities have reported a strong increase in data protection complaints in 2025.

The authority of Lower Saxony received 4,022 complaints in 2025, marking a record high and representing a 70% increase from 2,361 the previous year. Similar trends were reported by various authorities across Germany. This increase reflects greater public awareness and sensitivity to improper data processing, partly driven by the growing digitalization of society.

For more information: LfDI Lower Saxony [DE], LfDI Hamburg [DE] and LfDI Berlin [DE]

01/26/2026

BfDI | Press Release | Privacy Sandbox

Germany’s federal DPA has launched “ReguLab,” a regulatory sandbox designed to reduce legal uncertainty for privacy-relevant innovation.

This month the BfDI presented ReguLab as a structured environment for organizations to test ideas and discuss data protection requirements early, aiming to accelerate compliant innovation by clarifying how rules apply in practice. The initiative is presented as a joint effort involving the Federal Ministry of the Interior and Community and the federal digital service, with initial focus areas including major public-sector digitization and digital identity building blocks (e.g., eIDAS/EU Digital Identity Wallet).

For more information: BfDI [DE]

12/11/2025

High Court of Frankfurt | Decision | Liability for ThirdParty Cookies Extends Beyond Website Operators

The recently published case of the Higher Regional Court (Oberlandesgericht) Frankfurt am Main concerns the liability of third-party service providers for cookie placement without valid user consent under German data-protection and telemedia law.

The court ruled that third-party providers who technically cause or contribute to the placement of cookies without valid user consent can be held liable, even if they are not the primary operator of the website on which the cookies are deployed. This includes third‑party analytics, advertising, and tracking providers, even when contracts with website operators stipulate that cookies should only be set with proper consent.

For more information: OLG Frankfurt [DE]

Sweden

01/26/2026

Swedish Supervisory Authority | Sanction | Data Breach

The Swedish Supervisory Authority (“IMY”) fined a Swedish digital sports administration platform €560,000 after a data breach.

IMY has fined the platform SEK 6 million (approximately €520,000) for GDPR violations following a January 2025 cyberattack that exposed personal data of over 2.1 million individuals, primarily children and young individuals. The leaked information, which included names, national ID numbers and health data, was subsequently published on the darknet. IMY found that the platform had long been aware of system vulnerabilities but failed to implement adequate technical and organizational safeguards, including real-time intrusion detection, to protect the sensitive data it processed.

For more information: IMY Website

Spain

01/19/2026

Spanish Supervisory Authority | Guidance | GenAI use cases

The Spanish Supervisory Authority (“AEPD”) released a comprehensive GenAI management framework.

In late 2025, the AEPD published its General Policy for the Use of Generative AI, along with a practical annex establishing guidelines for the safe and ethical deployment of AI across the AEPD. In early 2026, it completed its internal framework with key obligations in governance, data protection, transparency, security, and vendor contracting, requiring prior approval of use cases, updated risk inventories, human oversight for automated decisions, and strict data minimization. Organizations are also reminded that GenAI should support, not replace, human decision-making, and must never be relied upon for critical or urgent processes requiring maximum accuracy.

For more information: AEPD Website

01/13/2026

Spanish Supervisory Authority | Informative Note | Risks of using third-party images in AI systems

The Spanish Supervisory Authority (“AEPD”) warned of visible and invisible risks in AI image use.

The AEPD published guidance analyzing the risks of using third-party images in AI systems, even in seemingly trivial or playful contexts. The document highlights high-risk scenarios such as sexualization, synthetic intimate content, and the use of images involving minors or vulnerable individuals. It also warns of less visible risks that arise simply from uploading images to AI systems, including loss of control, hidden data retention, and persistent identification risks, even when the output is never published.

For more information: AEPD Website [ES]

United Kingdom

01/21/2026

UK Government | Consultation | Under-16s Social Media Ban

The UK Government has launched a consultation on children’s social media use.

The UK Government’s consultation examining children’s use of mobile phones and social media will consider potential social media bans for children and the role of age assurance technologies. The consultation is expected to last three months with the UK Government’s response anticipated in the summer.

Alongside this consultation, an amendment was introduced during the passage of the Children’s Wellbeing and Schools Bill that would require the introduction of regulation raising the minimum age for social media access to 16. The Bill will move to the House of Commons, where ministers have signalled in the press they would seek to overturn the amendment and instead await the outcome of the consultation.

For more information: Consultation, Amendment, House of Lords website and Press Reporting

01/19/2026

UK Government | Memorandum of Understanding | Data protection

UK Department for Science, Innovation and Technology has published a Memorandum of Understanding (MOU) between the Information Commissioner’s Office (ICO) and the UK Government.

This MOU formalises the ICO and UK Government’s framework for cooperation on data protection. The MOU commits ministers and senior officials to earlier engagement with the regulator, regular assurance exercises and the creation of a data safety culture.

For more information: UK Government Website

01/15/2026

ICO | Guidance | International Transfers

The ICO has published updated guidance on international transfers. 

This updated guidance does not materially alter the substance of the ICO’s historic advice on international transfers but is intended to simplify the guidance for businesses. The updated guidance sets out a ‘three step test’ for organisations to use to help identify whether they are making restricted transfers and reiterates the mechanisms available to ensure an equivalent level of protection for transferred data.

For more information: ICO

01/08/2026

ICO | Guidance | Agentic AI

The UK Information Commissioner’s Office (ICO) has published a report on the rise of agentic AI.

The ICO’s new report on agentic AI identifies certain key data protection compliance concerns, including in relation to transparency, purpose limitations in circumstances where the purpose of the agentic AI is unclear, data minimisation, and concerns in relation to automated decision-making (ADM). The report also notes that “[t]hroughout 2026 the ICO will actively monitor advancements and work with AI developers and deployers to ensure they are clear on what the law requires of them”, with a statutory code on AI and ADM being developed by the ICO and further regulatory guidance on agentic AI, ADM and profiling expected Q1 2026.

For more information: ICO report

01/07/2026

ICO | Investigation | AI Provider

The UK Information Commissioner’s Office (ICO) published a public statement regarding a social media and AI provider.

Following a statement on 7 January that the ICO had contacted a social media and AI provider to seek “clarity on the measures they have in place to comply with UK data protection law and protect individuals’ rights”, the ICO announced on 3 February that it had opened formal investigations into the provider over the AI’s processing of personal data and the AI’s alleged generation of harmful sexualised content. The ICO’s investigation will also look into whether “appropriate safeguards were built into [the AI’s] design and deployment.” Alongside the data protection authority’s investigation, Ofcom and the European Commission also launched investigations on 12 January into this social media and AI provider over the AI’s sexualised imagery, under the Online Safety Act and the Digital Services Act respectively.

For more information: ICO Statement, ICO Investigation Announcement


The following Gibson Dunn lawyers prepared this update: Ahmed Baladi, Vera Lukic, Kai Gesing, Joel Harrison, Thomas Baculard, Ioana Burtea, Billur Cinar, Hermine Hubert, Christoph Jacob, Yannick Oberacker and Phoebe Rowson-Stevens.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:

Privacy, Cybersecurity, and Data Innovation:

United States:
Abbey A. Barrera – San Francisco (+1 415.393.8262, abarrera@gibsondunn.com)
Ashlie Beringer – Palo Alto (+1 650.849.5327, aberinger@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303.298.5774, rbergsieker@gibsondunn.com)
Keith Enright – Palo Alto (+1 650.849.5386, kenright@gibsondunn.com)
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, geyler@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, sgans@gibsondunn.com)
Lauren R. Goldman – New York (+1 212.351.2375, lgoldman@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Natalie J. Hausknecht – Denver (+1 303.298.5783, nhausknecht@gibsondunn.com)
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, jhorvath@gibsondunn.com)
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, mkutscherclark@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415.393.8395, klinsley@gibsondunn.com)
Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Ashley Rogers – Dallas (+1 214.698.3316, arogers@gibsondunn.com)
Sophie C. Rohnke – Dallas (+1 214.698.3344, srohnke@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)
Frances A. Waldmann – Los Angeles (+1 213.229.7914, fwaldmann@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213.229.7472, dwongyang@gibsondunn.com)

Europe:
Ahmed Baladi – Paris (+33 1 56 43 13 00, abaladi@gibsondunn.com)
Patrick Doris – London (+44 20 7071 4276, pdoris@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Joel Harrison – London (+44 20 7071 4289, jharrison@gibsondunn.com)
Lore Leitner – London (+44 20 7071 4987, lleitner@gibsondunn.com)
Vera Lukic – Paris (+33 1 56 43 13 00, vlukic@gibsondunn.com)
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, lpetersen@gibsondunn.com)
Christian Riis-Madsen – Brussels (+32 2 554 72 05, criis@gibsondunn.com)
Robert Spano – London/Paris (+44 20 7071 4000, rspano@gibsondunn.com)

Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)

© 2026 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

Europe

12/19/2025

European Commission | Data Transfers | EU-UK Adequacy Decisions

The European Commission has renewed the adequacy decisions with the United Kingdom under both the GDPR and the Law Enforcement Directive.

This renewal follows a temporary extension granted in June 2025, which enabled the Commission to conduct a comprehensive assessment of the UK’s legal framework in light of recent amendments introduced by the Data (Use and Access) Act. The Commission concluded that the UK’s data protection regime continues to provide a level of protection that is essentially equivalent to that of the European Union. The new decisions are subject to a sunset clause of six years, running until 27 December 2031, with the possibility of renewal.

For more information: European Commission Website

12/16/2025

European Commission | Data Act | Legal Helpdesk

The European Commission has launched a legal helpdesk to support the practical application of the Data Act.

The helpdesk is intended to provide guidance on compliance with the Data Act’s requirements by enabling stakeholders to submit questions directly. It complements existing support tools, including the FAQs and the draft Recommendation on non-binding Model Contractual Terms for data access and use (MCTs) and non-binding Standard Contractual Clauses for cloud computing contracts (SCCs).

For more information: European Commission Website

12/12/2025

European Union | Regulation | Procedural Rules on the Enforcement of the GDPR

Regulation (EU) 2025/2518 of the European Parliament and of the Council of 26 November 2025 laying down additional procedural rules on the enforcement of Regulation (EU) 2016/679 (“GDPR”) has been published.

The new regulation aims to improve cooperation between supervisory authorities, accelerate the complaint-handling process, and make GDPR enforcement more efficient in cross‑border cases. It will enter into force 20 days after publication and will apply 15 months thereafter.

For more information: Official Journal of the European Union

12/09/2025

Confederation of European Data Protection Organizations | Data Act | FAQ

The Confederation of European Data Protection Organizations (“CEDPO”) has published FAQs on the Data Act’s access-by-design and data-sharing requirements.

The FAQs are intended to support Data Protection Officers by clarifying the scope, key concepts, and core obligations of the Data Act. They also address issues at the intersection of the Data Act and the GDPR, including the impact of the Data Act on the handling of data subjects’ rights and the legal bases available for the processing of personal data to which the Data Act applies.

For more information: CEDPO Website

12/03/2025

European Data Protection Board | Recommendations | Creation of User Accounts on E-commerce Websites

The European Data Protection Board (“EDPB”) has adopted recommendations on the legal basis for requiring the creation of user accounts on e-commerce websites.

Although e-commerce controllers may have a business interest in requiring users to create an account, the EDPB emphasizes that doing so can expose individuals to additional risks concerning their rights and freedoms. Therefore, these recommendations provide guidance to e-commerce controllers on the circumstances under which they may lawfully require users to create an account. The recommendations are subject to public consultation open until February 12, 2026.

For more information: EDPB Website

12/02/2025

Court of Justice of the European Union | Judgment | Hosting Providers’ Status and Liability

The Court of Justice of the European Union (“CJEU”) issued a landmark ruling on the scope of liability for hosting providers under EU law.

The Court held that hosting providers may be considered joint controllers, together with the advertisers, for personal data in advertisements if they exert a decisive influence over the processing for their own purposes, thereby going beyond a neutral intermediary role. The Court clarified that operators cannot rely on the liability exemptions for neutral intermediaries (under the E-Commerce Directive) to avoid GDPR obligations. This decision sets an important precedent for interpreting the concept of “controller” under the GDPR in the context of online platforms and reinforces the need for providers to implement robust compliance mechanisms – such as verifying advertisers’ identities for ads containing sensitive data – to avoid assuming legal responsibility for third-party content.

For more information: CJEU Website

France

12/22/2025

French Supervisory Authority | Sanction | Data Breach

The French Supervisory Authority (“CNIL”) imposed a €1,700,000 fine on a French IT company following a data breach, for failing to implement sufficient security measures.

The company, which specializes in the design of IT systems and software, was investigated after customers reported personal data breaches in 2022. The CNIL found that security vulnerabilities in the company’s software resulted from a failure to apply basic and state‑of‑the‑art security measures, despite the company being aware of these issues through prior audit reports. These failings were considered aggravated given the company’s core IT‑related activities.

For more information: CNIL Website

12/12/2025

French Supervisory Authority | Experimental Tool | AI Traceability

The French Supervisory Authority (“CNIL”) has launched an experimental tool to explore the traceability of AI models published in open source.

The tool maps genealogical links between open‑source AI models, enabling the identification of models within the same family tree that may have stored personal data relating to the same data subject. The project aims to contribute to the CNIL’s analysis of practical scenarios for exercising data subject rights, such as access, erasure, and objection.

For more information: CNIL Website [FR]

12/11/2025

French Supervisory Authority | Sanction | Data Breach

The French Supervisory Authority (“CNIL”) imposed a €1,000,000 fine on a data processor following a data breach affecting a controller.

In November 2022, a music streaming platform notified the CNIL of a data breach involving the publication of user data on the darknet and implicating its processor. Following investigations conducted in 2023 and 2024, the CNIL found that the processor had failed to comply with several GDPR obligations. In particular, it retained personal data relating to more than 46 million users after termination of the contract with the controller, processed the data without instructions to enhance its own services, and failed to maintain a record of processing activities in its capacity as a processor.

For more information: CNIL Website [FR]

Germany

12/12/2025

German Supervisory Authority | Guidance | Data Protection Certification Programs

The Data Protection Conference (“DSK”) has updated its guidelines on the requirements for data protection certification programs under the GDPR.

The DSK has issued guidelines setting out minimum requirements for GDPR certification programs under Article 42 of the GDPR. The guidelines outline certification criteria, audit methods, and assessment standards aligned with ISO/IEC 17067, covering lawful processing, data protection by design, security, and data subject rights.

For more information: DSK Website [DE]

12/12/2025

German Supervisory Authority | Statement | Proposition of a GDPR Reform

The Data Protection Conference (“DSK”) has issued a statement criticizing the European Commission’s proposed GDPR reform for failing to deliver meaningful relief for small and medium-sized enterprises (SMEs).

According to the DSK, the draft neglects legislative adjustments that could reduce compliance burdens for SMEs, thereby missing the Commission’s own objective of cutting bureaucracy. The DSK emphasizes that effective reform should balance administrative simplification with robust data protection standards, warning that the current proposal risks undermining both goals. Instead, the DSK proposes a shift toward “manufacturer liability,” arguing that IT providers should be legally required to design compliant products. This would lift the primary compliance burden from SMEs, who often lack the leverage to enforce data protection standards in the software they utilize.

For more information: DSK Website [DE]

12/06/2025

German Parliament | Legislation | NIS-2 Implementation Act

On 6 December 2025, the German NIS-2 Implementation Act came into effect, transposing the EU NIS-2 Directive into national law and imposing stricter cybersecurity obligations on operators of essential and important entities.

The law requires organizations to promptly assess whether they fall within its scope, implement risk management measures, and prepare for enhanced reporting duties regarding security incidents. Companies must also ensure compliance with governance requirements, including management accountability and documentation of security processes. Failure to comply may result in significant administrative fines, making immediate action critical for affected entities.

For more information: Bundesgesetzblatt [DE]

12/05/2025

Supervisory Authority North Rhine-Westphalia | Fine | Transparency and Accountability

The Supervisory Authority of North Rhine-Westphalia (“LDI NRW”) has imposed a fine of €300,000 on a telecommunications company for persistent violations of transparency and accountability obligations under the GDPR.

According to the authority, the company repeatedly failed to comply with access requests from data subjects and demonstrated a lack of cooperation during complaint proceedings. These practices were deemed to infringe the core principles of lawful processing, transparency and the right to erasure. The enforcement action highlights the regulator’s strict stance on compliance within the telecommunications sector, especially when systemic deficiencies in data handling and responsiveness to data subject rights are identified.

For more information: LDI NRW [DE]

12/04/2025

German Federal Government & Länder | State Modernization | Federal Modernization Agenda

The German Federal Government and the Länder have adopted the Federal Modernization Agenda, a joint reform initiative aimed at reducing bureaucracy, accelerating administrative procedures, and advancing the digital transformation of public services.

The agenda includes measures to streamline administrative processes, particularly in the context of infrastructure projects. It also foresees a review of regulatory obligations, including in the area of data protection, with the aim of reducing administrative burdens while maintaining an adequate level of protection. The initiative serves as a strategic framework for improving efficiency and responsiveness within Germany’s federal system.

For more information: BMDS [DE]

Italy

11/27/2025

Italian Supervisory Authority | Sanction | Marketing Practices

The Italian Supervisory Authority (“Garante”) fined a security company €400,000 for unlawful direct marketing practices.

The Garante found that the company continued sending promotional messages despite objections, bundled marketing consent with quote requests, and retained prospect data for an excessive 12 months. In addition to the fine, the Garante ordered the company to cease unlawful processing, delete data collected without valid consent, update its disclosures to meet the GDPR requirements, and report compliance actions within 60 days, noting remedial steps were already underway.

For more information: Garante Website [IT]

11/27/2025

Italian Supervisory Authority | Sanction | Security | Marketing Practices

The Italian Supervisory Authority (“Garante”) fined a distributor of water and natural gas €300,000 for processing customer data without adequate security measures and valid legal basis for marketing purposes.

The investigation launched by the Garante found that anyone could register in a customer’s name using only a tax code and any email, gaining access to personal data. Consent boxes for privacy, advertising, and customer satisfaction were pre-checked, violating EU rules and transparency requirements. The processing also breached data retention limits.

For more information: Garante Website [IT]

United Kingdom

12/18/2025

UK Supervisory Authority & Crown Dependencies | Investigation | Cross-Border Breach

The UK Supervisory Authority (“ICO”) launched a joint investigation with Jersey, Guernsey, and Isle of Man authorities into a cyber incident affecting a trade union.

The ICO announced a coordinated enforcement action alongside data protection authorities from the three Crown Dependencies regarding a significant data breach affecting a trade union representing technology and science professionals. The breach reportedly exposed sensitive data (e.g., trade union membership, religious belief) of union members across these jurisdictions. The regulators highlighted that this joint approach reflects a new operational model for tackling complex cross-border incidents where data subjects in the UK and its dependencies are affected by the same cyber event.

For more information: ICO Website

12/05/2025

UK Supervisory Authority | Regulatory Action | Cookie Compliance

The UK Supervisory Authority (“ICO”) published an update on its cookie compliance review.

In January 2025, the ICO had announced a review of cookie compliance across the UK’s top 1,000 websites. On 4 December 2025, the ICO published an update on its review, noting that over 95% (979) of the UK’s top 1,000 websites now meet its compliance checks, with many organizations improving their practices after direct regulatory engagement (including warning letters and preliminary enforcement notices). Interim Executive Director of Regulatory Supervision, Tim Capel, said “we will continue to monitor compliance and engage with industry to ensure they uphold their legal obligations, while also supporting innovation that respects people’s privacy.” The next update on this work will be provided in 2026.

For more information: ICO Website


Europe

11/19/2025

European Commission | Legislative Package | Digital Omnibus and European Business Wallet

The European Commission has proposed simpler digital rules and new business wallets to cut costs and boost innovation.

The European Commission unveiled a digital omnibus to simplify EU rules on AI, cybersecurity and data, alongside a Data Union Strategy and European Business Wallets that will offer companies a single digital identity to simplify paperwork and make it easier to do business across the EU. The initiative aims to streamline compliance, reduce administrative costs by €5 billion, and unlock €150 billion in annual business savings by 2029.

For more information: The European Commission website

11/19/2025

European Commission | Draft Recommendation | Model and Standard Contractual Clauses Under the Data Act

The European Commission has published draft model terms and clauses to simplify data sharing and cloud contracts.

The European Commission released draft non-binding Model Contractual Terms for data access and use and Standard Contractual Clauses for cloud computing contracts. These templates aim to help businesses, especially small and medium-sized enterprises, implement the Data Act, ensuring fairness, legal certainty, and easier cloud switching.

For more information: The European Commission website

11/17/2025

Council of the European Union | Regulation | Cross-border GDPR Enforcement Procedures

The Council has adopted a new EU law to speed up the handling of cross-border GDPR complaints.

The Council adopted a regulation harmonizing procedures for cross-border data protection cases. The law establishes uniform admissibility criteria, defines rights for complainants and investigated parties, introduces a simple cooperation procedure, and sets investigation deadlines of 15 months for standard cases and 12 months for simpler ones.

For more information: The Council of the European Union website

11/13/2025

Court of Justice of the European Union (“CJEU”) | Judgment | e-Privacy Directive

The CJEU clarifies that where the exception provided under Article 13(2) of the e-Privacy Directive applies, no separate legal basis under the GDPR is required.

The Court held that email addresses collected when users create a free account to access limited content and a free daily newsletter can be considered as obtained “in the context of the sale of a … service”, even if it is free. The sending of the newsletter was considered as a use of an email for the purposes of direct marketing for similar services within the meaning of Article 13(2) of the e-Privacy Directive. The Court also ruled that when Article 13(2) applies, the conditions for lawful processing under Article 6 of the GDPR are not applicable.

For more information: CJEU judgment

10/30/2025

European Parliament | Study | Interplay between the AI Act and the EU Digital Legislation

The European Parliament has released a study examining the interaction between the AI Act and the broader EU digital regulatory framework.

The study highlights overlapping obligations between the AI Act and other key EU digital laws, including the GDPR, the Data Act, the Cyber Resilience Act, the Digital Services Act, the Digital Markets Act, and the NIS2 Directive. To address resulting challenges, it sets out recommendations ranging from short-term measures (promoting joint guidance and coordinated enforcement) to long-term actions (review of the EU’s digital regulatory landscape aimed at consolidation, simplification, and greater coherence).

For more information: European Parliament Website

10/20/2025

European Data Protection Board | Opinion | UK Adequacy Decisions

The European Data Protection Board (“EDPB”) adopted two opinions on the European Commission’s draft decisions extending the UK adequacy decisions under the GDPR and Law Enforcement Directive until December 2031.

With respect to the GDPR adequacy decision, the EDPB welcomes continued alignment but recommends further analysis of several issues, including amendments introduced by the Retained EU Law (Revocation and Reform) Act 2023, the Secretary of State’s new powers to modify the UK data protection framework, and rules governing transfers from the UK to third countries.

For more information: EDPB Website

10/14/2025

European Data Protection Board | Coordinated Enforcement Framework | Transparency

For its fifth coordinated enforcement action, the European Data Protection Board (EDPB) will focus on transparency and information obligations under the GDPR.

National supervisory authorities will participate on a voluntary basis, conducting investigations at the national level. The findings from these actions will be aggregated and analyzed by the EDPB to gain deeper insights.

For more information: EDPB Website

10/09/2025

European Data Protection Board & European Commission | Guidelines | DMA & GDPR

The European Data Protection Board (“EDPB”) and the European Commission have published joint guidelines on the interplay between the Digital Markets Act (“DMA”) and GDPR.

The guidelines address DMA requirements that overlap with GDPR obligations, aiming to provide clarity and promote consistent interpretation across both frameworks. A public consultation is open until 4 December 2025.

For more information: EDPB Website

10/01/2025

General Court | Judgment | Unlawful Personal Data Processing

The General Court of the European Union (GCEU) has ordered the European Commission to pay €50,000 in compensation for non-material damages caused by a European Anti-Fraud Office (“OLAF”) press release.

The claimant sought damages after OLAF published a press release that disclosed her personal data and allowed readers to identify her. The GCEU held that the press release unlawfully processed personal data, breached the presumption of innocence, and lacked neutrality, resulting in reputational harm, damage to her professional career and mental distress.

For more information: European Union Website

France

10/15/2025

French Supervisory Authority | Paper | Postmortem Data

The French Supervisory Authority (“CNIL”) has published its report “Our Data After Us,” examining the challenges of managing postmortem data in a digital world.

The paper explores issues related to account management, data transmission, and the emergence of chatbots based on the data of deceased individuals. It highlights legal and ethical issues surrounding digital death and recommends raising public awareness, clarifying rights, and regulating AI applications involving postmortem data.

For more information: CNIL Website [FR]

10/14/2025

French Supervisory Authority | Guidance | Right to Data Portability

The French Supervisory Authority (“CNIL”) has published guidance on the application of the right to data portability in the context of loyalty programs.

Responding to requests from stakeholders in the distribution sector, the CNIL clarifies which information must be transmitted, focusing particularly on product barcodes and promotions associated with customers.

For more information: CNIL Website [FR]

10/13/2025

French Supervisory Authority | Sanction | Simplified Procedure

The French Supervisory Authority (“CNIL”) has announced issuing sixteen new sanctions under its simplified procedure since May 2025, totaling €108,000.

The sanctions relate to non-compliance with video surveillance rules, marketing without consent, and failure to cooperate with the CNIL.

For more information: CNIL Website [FR]

Germany

10/30/2025

Ministry for Digital and Civil Modernization (BMDS) | Draft Legislation | Data Act Implementation Law

The German Federal Cabinet has approved the draft legislation for the national implementation of the EU Data Act, aiming to establish a legal framework for data access and use in Germany.

The proposed Data Act Implementation Law (Data-Act-Durchführungsgesetz) outlines the responsibilities of the Federal Network Agency (Bundesnetzagentur) as the competent authority for enforcing the Data Act in Germany. It includes provisions on dispute resolution, supervisory powers, and sanctions. The draft also addresses the interplay between the Data Act and existing national regulations, particularly in the telecommunications and energy sectors. The law is still subject to parliamentary debate.

For more information: BMDS [DE]

10/28/2025

Data Protection Authority North Rhine-Westphalia (LDI NRW) | Enforcement Action | Sharing of Customer Data via Messenger Service

The LDI NRW has taken a firm stance against the practice of companies sharing personal data of customers through messenger services, deeming it a serious and ongoing violation of data protection law.

The LDI NRW has stopped a medical transport company from sharing client information, including names, addresses and prescriptions, in messenger groups. The information was shared to simplify the organization of patient transport. However, this purpose does not justify the processing that took place: the data was not necessary for the performance of a transport contract and should not have been made available to all members of the group chat, especially since health information is particularly sensitive and deserves special protection.

For more information: LDI NRW [DE]

10/28/2025

Hamburg and Austrian DPAs | Decisions | Credit Scoring as Automated Decision-Making

Automated credit scoring systems are facing increased scrutiny across Europe due to concerns over transparency, fairness, and compliance with the GDPR.

The Hamburg data protection authority imposed a substantial fine on a credit scoring provider for failing to adequately inform individuals about automated rejections and the logic behind the scoring process.

Meanwhile, the Austrian data protection authority prohibited a scoring practice used by KSV1870, finding it incompatible with GDPR requirements. The case centered on the lack of transparency and the determinative impact of the score on contractual decisions, aligning with the CJEU’s SCHUFA ruling that such scoring may constitute automated decision-making under Article 22 GDPR. Both cases underscore the importance of transparency, a valid legal basis, and human oversight in automated credit assessments.

For more information: Datenschutz-notizen [DE]

10/17/2025

Data Protection Conference (DSK) | Guideline | Data Protection in Generative AI Systems Using RAG Methods

The DSK has issued guidance on data protection aspects specific to generative AI systems using the Retrieval-Augmented Generation (RAG) method.

RAG is a method that combines a language model with an external knowledge source — typically a database or document collection — so that the model retrieves relevant information and uses it to generate more accurate, context-specific responses. The guideline provides legal and technical advice on how to utilize the potential of such AI systems while minimizing the risks for those affected. Emphasis is placed on the requirements for transparency and purpose limitation. It concludes that RAG can improve compliance with GDPR principles such as data accuracy, integrity, and confidentiality, as it allows for better control, updating, and deletion of personal data. However, issues of transparency, purpose limitation, and data subject rights remain only partially resolved and must be evaluated on a case-by-case basis.

For more information: DSK [DE]

Norway

10/21/2025

Borgarting Court of Appeal | Sanction | Data Sharing Without Consent

The Borgarting Court of Appeal upholds a €5.5 million fine against a dating app provider.

The Borgarting Court of Appeal dismissed the dating app provider’s appeal and upheld the NOK 65 million (approximately €5.5 million) fine for unlawfully sharing users’ personal and special-category data with third-party advertisers without valid consent. The ruling maintained the earlier decisions issued by the Norwegian Supervisory Authority and the Privacy Appeals Board on all points.

For more information: Datatilsynet Website

10/01/2025

Norwegian Supervisory Authority | Consultation Response | EU AI Act

The Norwegian Supervisory Authority (“Datatilsynet”) recommends full adoption of the EU AI Act and calls for stronger oversight and privacy safeguards.

In its response to the Norwegian AI law consultation, the Datatilsynet backs full incorporation of the EU AI Act into national law to ensure equal citizen protections, while urging adequate resourcing, independence, expert complaint mechanisms, and litigation powers for market surveillance authorities. It also proposes a national ban on remote biometric identification and seeks clearer rules on jurisdiction, cross-border penalties, designated fundamental-rights authorities, and information sharing among regulators.

For more information: Datatilsynet Website [NO]

Finland

11/03/2025

Helsinki Administrative Court | Court Decision | GDPR Fine Overturned

The Helsinki Administrative Court overturns the €2.4 million GDPR fine imposed on the national postal and logistics operator.

The court annulled a fine against the national operator for creating digital mailboxes without user consent, holding that the processing was lawful under the GDPR because it was necessary for the performance of a contract – namely, the provision of digital postal services.

For more information: The Daily Finland website

Poland

10/16/2025

Polish Supreme Administrative Court | Judgment | Cookies & IP addresses

The Polish Supreme Administrative Court (“NSA”) confirms that cookies and IP addresses are not automatically personal data.

In a case involving a web user-tracking tool, the NSA relied on the EU Court of Justice’s Breyer case law to emphasize that identifiability requires being able to distinguish one individual from another, not merely one device from another. As a result, there is no basis to treat IP addresses or cookie identifiers as personal data in all circumstances since their classification depends on whether, in the specific context, the data can be used to identify an individual.

United Kingdom

10/29/2025

UK Supervisory Authority | Fine | Unsolicited Marketing Messages

The UK Supervisory Authority (“ICO”) issued a £200,000 fine to a sole trader for sending nearly one million spam texts without valid consent.

The ICO found that the individual used data sourced from third parties without ensuring that data subjects’ consent had been obtained and without collecting their consent himself for the direct marketing. He also failed to identify himself or his business, instead concealing his identity by using hundreds of unregistered pre-paid SIM cards. The messages promoted debt solutions and energy saving schemes. 19,138 complaints were received via the spam reporting service in respect of these messages.

For more information: ICO Website

10/15/2025

UK Supervisory Authority | Fine | Cyber Attack

The UK Supervisory Authority (“ICO”) issued a fine of £14 million to two companies for failing to ensure the security of personal data following a cyber-attack in 2023.

Both entities belong to a business process outsourcing and professional services group. The attack began when a malicious file was downloaded onto an employee’s device. Despite a high-priority alert, the device was not quarantined for 58 hours, enabling malware deployment, privilege escalation, and lateral movement across the network. Nearly one terabyte of data was exfiltrated before ransomware was deployed, locking staff out of systems. The ICO considered that the companies failed to prevent privilege escalation and unauthorized lateral movement, to respond appropriately to security alerts, and to conduct adequate penetration testing and risk assessment.

For more information: ICO Website

09/26/2025

UK Government | Policy Announcement | Digital ID

The Prime Minister has announced plans to introduce a digital ID system for Right to Work checks.

The initiative aims to combat illegal employment while streamlining checks that currently rely on paper records. It will also simplify access to services such as driving licenses, childcare, and welfare. The digital ID will be free for UK citizens and legal residents and is expected to be integrated into a digital wallet. Public consultation will be launched later this year.

For more information: UK Government Website

The following Gibson Dunn lawyers prepared this update: Ahmed Baladi, Vera Lukic, Kai Gesing, Joel Harrison, Thomas Baculard, Ioana Burtea, Billur Cinar, Hermine Hubert, Christoph Jacob, Yannick Oberacker, Clemence Pugnet, and Phoebe Rowson-Stevens.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:

Privacy, Cybersecurity, and Data Innovation:

United States:
Abbey A. Barrera – San Francisco (+1 415.393.8262, abarrera@gibsondunn.com)
Ashlie Beringer – Palo Alto (+1 650.849.5327, aberinger@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303.298.5774, rbergsieker@gibsondunn.com)
Keith Enright – Palo Alto (+1 650.849.5386, kenright@gibsondunn.com)
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, geyler@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, sgans@gibsondunn.com)
Lauren R. Goldman – New York (+1 212.351.2375, lgoldman@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Natalie J. Hausknecht – Denver (+1 303.298.5783, nhausknecht@gibsondunn.com)
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, jhorvath@gibsondunn.com)
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, mkutscherclark@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415.393.8395, klinsley@gibsondunn.com)
Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Ashley Rogers – Dallas (+1 214.698.3316, arogers@gibsondunn.com)
Sophie C. Rohnke – Dallas (+1 214.698.3344, srohnke@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)
Frances A. Waldmann – Los Angeles (+1 213.229.7914, fwaldmann@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213.229.7472, dwongyang@gibsondunn.com)

Europe:
Ahmed Baladi – Paris (+33 1 56 43 13 00, abaladi@gibsondunn.com)
Patrick Doris – London (+44 20 7071 4276, pdoris@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Joel Harrison – London (+44 20 7071 4289, jharrison@gibsondunn.com)
Lore Leitner – London (+44 20 7071 4987, lleitner@gibsondunn.com)
Vera Lukic – Paris (+33 1 56 43 13 00, vlukic@gibsondunn.com)
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, lpetersen@gibsondunn.com)
Christian Riis-Madsen – Brussels (+32 2 554 72 05, criis@gibsondunn.com)
Robert Spano – London/Paris (+44 20 7071 4000, rspano@gibsondunn.com)

Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)

© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

Europe

09/23/2025

EDPB | Letter | Administrative Fines

The European Data Protection Board (“EDPB”) confirms that no amendments are needed to its GDPR fine calculation guidelines.

The EDPB published a letter to CCIA Europe confirming that no revisions are required to its Guidelines 4/2022 on the Calculation of Administrative Fines following the Court of Justice’s ruling in C-383/23. In that case, the Court of Justice of the European Union (“CJEU”) clarified that the concept of an “undertaking” under Article 83 GDPR corresponds to the one used in EU competition law, meaning that fines may be based on the total worldwide turnover of a corporate group. The EDPB emphasized that this interpretation is already reflected in its existing guidelines and therefore no amendments are necessary.

For more information: EDPB Website

09/17/2025

EDPS | Opinion | EU-US Data Exchange Agreements

The European Data Protection Supervisor (“EDPS”) urges stronger safeguards and redress mechanisms in upcoming EU-US data-sharing frameworks.

The EDPS issued opinions raising concerns about two planned EU-US data-exchange arrangements – one covering security-screening data and another concerning passenger and border-security information. The EDPS called for strict necessity and proportionality limits, exclusion of migration and asylum databases, and independent oversight to ensure compliance with EU fundamental-rights standards. It also stressed that any agreement must guarantee effective judicial redress in the United States for all individuals, regardless of nationality.

For more information: EDPS Website

09/16/2025

European Commission | Call for Evidence | Digital Omnibus

The European Commission collects feedback to simplify EU rules on data, AI and cybersecurity.

The European Commission has launched a call for evidence, running until 14 October 2025, to gather public and stakeholder feedback on its Digital Omnibus initiative. The initiative aims to streamline existing legislation, reduce regulatory overlaps and lower compliance costs. Areas targeted for simplification include rules on cookies and other tracking technologies, cybersecurity incident-reporting obligations, and the application of the AI Act.

For more information: European Commission Website

09/16/2025

European Union | Data Transfers | PIPC Adequacy Decision

The Personal Information Protection Commission of Korea (“PIPC”) has recognized the European Union’s data protection framework as equivalent.

This complements the European Commission’s 2021 adequacy decision on Korea, establishing a comprehensive, reciprocal framework that covers both the private and public sectors and facilitating seamless and secure data flows between the two jurisdictions.

For more information: European Commission Website

09/16/2025

European Commission | Conference | European Competitiveness

The European Commission hosted a high-level conference to mark the one-year anniversary of Mario Draghi’s report on the future of European competitiveness.

In his keynote speech, former European Central Bank President Mario Draghi reiterated the report’s key priorities, including the need to close the innovation gap in advanced technologies. He emphasized the demand from European businesses for a radical simplification of the GDPR, citing high compliance costs. Additionally, he recommended postponing the enforcement of high-risk AI rules until their impact is better understood.

For more information: European Commission Website

09/12/2025

EDPB | Draft Guidelines | Interplay between the DSA and the GDPR

The European Data Protection Board (“EDPB”) has adopted draft guidelines on the interplay between the Digital Services Act (“DSA”) and the General Data Protection Regulation (“GDPR”).

The guidelines seek to provide guidance on how the GDPR should be applied in the context of obligations under the DSA and address key areas such as recommender systems, protection of minors, advertising transparency, and profiling-based advertising. They also aim to clarify the cross-regulatory cooperation between authorities. The draft guidelines are open for public consultation until 31 October 2025.

For more information: EDPB Website

09/12/2025

European Union | Regulation | Data Act

EU Regulation 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonized rules on fair access to and use of data (“Data Act”) entered into application.

The Data Act aims to empower consumers and businesses by granting them greater control over the data generated by their connected devices. Among its key objectives, it seeks to ensure that such devices are designed to enable data sharing, provide businesses in specific sectors with access to performance-related data from industrial equipment, and allow consumers to transfer their data and switch between cloud service providers more easily.

For more information: European Commission Website

09/05/2025

European Commission | Draft Adequacy Decision | Brazil

The European Commission published a draft adequacy decision recognizing Brazil’s data-protection regime as providing an equivalent level of protection to the EU.

Once adopted, the decision will enable unrestricted transfers of personal data between the EU and Brazil, complementing the broader EU-Mercosur partnership. Brazil is expected to reciprocate by granting adequacy status to the EU.

For more information: European Commission Website

09/04/2025

CJEU | Judgment | Pseudonymized Data

The Court of Justice of the European Union (“CJEU”) clarifies under what circumstances pseudonymized data may qualify as personal data.

The CJEU ruled in Case C-413/23 P that pseudonymized data can be considered anonymous for recipients who lack the means to re-identify individuals. The Court adopted a relative, recipient-based approach, finding that personal-data status must be assessed from the perspective of each recipient. However, controllers remain fully subject to GDPR transparency obligations and must inform data subjects of potential recipients at the time of data collection.

For more information: Curia Europa

09/04/2025

CJEU | Judgment | Non-Material Damages under the GDPR

The Court of Justice of the European Union (“CJEU”) confirms that emotional harm may constitute compensable damage under Article 82 GDPR.

In Case C-655/23, the CJEU held that non-material damage – such as fear or annoyance – can give rise to compensation under Article 82 GDPR, provided a causal link exists between the infringement and the harm suffered. The ruling reinforces that even intangible harms may trigger liability where a data-protection violation can be established.

For more information: Curia Europa

09/03/2025

General Court | Judgment | EU-US Data Protection Framework

The General Court of the European Union dismissed an action for annulment of the European Commission’s adequacy decision for the EU-US Data Protection Framework (“DPF”).

The challenge, brought by a member of the French Parliament, alleged that the Data Protection Review Court (“DPRC”) established in the US lacks independence and that US intelligence agencies engage in bulk data collection without sufficient safeguards. The General Court rejected these arguments, thereby confirming the continued validity of the adequacy decision.

For more information: Curia Europa

France

09/23/2025

French Supervisory Authority | Sanction | Hidden Surveillance System

On September 18, 2025, the French Supervisory Authority (“CNIL”) fined a department store €100,000 for unlawfully installing hidden cameras in its stockrooms to record employees.

The CNIL sanctioned a department store after it installed disguised cameras with microphones in its stockrooms without conducting a GDPR compliance analysis or involving the Data Protection Officer (“DPO”). The authority found violations of fairness, minimization, and accountability principles. The decision follows European Court of Human Rights (“ECHR”) case law on exceptional surveillance.

For more information: CNIL Website

09/18/2025

French Supervisory Authority | Injunction | Cookie

On September 11, 2025, the French Supervisory Authority (“CNIL”) closed its injunction against a telecom operator regarding cookie consent practices.

In November 2024, the CNIL issued an order, in addition to a €50 million fine, requiring a telecom operator to stop reading cookies after individuals withdrew their consent, with a compliance deadline of three months. In response, the operator provided evidence within the specified timeframe demonstrating that, once user consent was withdrawn, no further cookie reading or writing occurred on its website. Under these circumstances, the CNIL decided not to enforce the penalty payment (i.e. not to require the additional fine of €100,000 per day of delay) and closed the injunction.

For more information: CNIL Website

09/03/2025

French Supervisory Authority | Sanction | Cookie

On September 1, 2025, the French Supervisory Authority (“CNIL”) fined an email provider €325 million for displaying advertisements between users’ emails and placing cookies without consent.

Following a complaint filed by the organization None Of Your Business (“NOYB”), the CNIL conducted several investigations and considered that the email provider encouraged users to accept personalized advertising cookies when creating accounts, without clearly informing them that this was required to access services, thereby making the consent invalid. In addition, the CNIL considered that the email provider displayed ads between users’ emails without obtaining consent. Along with the fine, the CNIL issued an order requiring the company to implement measures within six months to bring its cookie and email practices into compliance.

For more information: CNIL Website

09/03/2025

French Supervisory Authority | Sanction | Cookie

On September 1, 2025, the French Supervisory Authority (“CNIL”) fined an e-commerce platform €150 million for unlawful cookie practices.

The CNIL considered that the company placed advertising cookies on users’ devices without consent, failed to provide clear and complete information about cookies, and did not respect users’ choices to refuse or withdraw consent.

For more information: CNIL Website

Germany

10/01/2025

Federal Ministry of Health | Implementation | Electronic Health Record

Germany introduces a mandatory, opt-out digital health record giving patients granular control over their data.

As of October 1, 2025, German healthcare providers must use the electronic health record (“ePA”) for all publicly insured patients. Each insured person automatically receives a digital record unless they object. Patients can manage access permissions, restrict document uploads, and delete data directly through a dedicated app. The reform represents a major step in Germany’s healthcare digitalization.

For more information: Federal Ministry of Health Website [DE]

09/25/2025

German Supervisory Authority | Initiative | Data Barometer

The Federal Commissioner for Data Protection and Freedom of Information (“BfDI”) unveiled the “Data Barometer,” a recurring national survey measuring public attitudes toward data protection.

The initiative aims to ground regulatory debate in empirical data rather than perceptions. Early results show that 37 % of respondents view data protection as excessive or bureaucratic, which the BfDI described as a “wake-up call” to rebuild trust through more transparent and user-friendly frameworks.

For more information: BfDI Website [DE]

09/23/2025

Stuttgart Higher Regional Court | Judgment | “Paying with Data”

The Stuttgart Higher Regional Court decided in its ruling 6 UKI 2/25 that providing personal data for digital services does not constitute a “price” under EU or German consumer law.

According to the ruling, only monetary consideration qualifies as a price. As a result, services may be advertised as “free” if data-processing practices are sufficiently transparent. An appeal to the Federal Court of Justice (ZR 198/25) is pending.

For more information: Ruling [DE]

09/18/2025

German Supervisory Authorities | Resolution | Automated Data Analysis by Law Enforcement

The Data Protection Conference (“DSK”), bringing together Germany’s supervisory authorities, calls for clear legal limits on automated law enforcement data analytics.

The DSK adopted a resolution stating that automated data-analysis systems used by law enforcement must be grounded in specific, constitutionally compliant legislation and limited to combating serious offences. The DSK emphasized transparency, auditability, and the need to preserve digital sovereignty, warning against reliance on third-country providers with incompatible data-access regimes.

For more information: DSK Website [DE]

09/18/2025

German Supervisory Authorities | Resolution | Data Transfers for Scientific Research

The Data Protection Conference (“DSK”) provides guidance on international transfers for scientific research for medical purposes.

The guidance outlines applicable legal bases under Articles 6 and 9 GDPR, requirements for Standard Contractual Clauses and Transfer Impact Assessments, and the proper use of “broad consent.” It also highlights controllers’ obligations to inform data subjects about international transfers under Articles 13 and 14 GDPR.

For more information: DSK Website [DE]

Italy

09/18/2025

Italian Supervisory Authority | Order | Facial Recognition

The Italian Supervisory Authority (“Garante”) ordered an airport corporation to suspend the use of its facial recognition solution.

The solution was found to be non-compliant and incompatible with EU data protection rules, as clarified by the European Data Protection Board (“EDPB”) in its Opinion 11/2024 on the use of facial recognition to streamline passenger flow at airports. The Garante specified that other facial recognition solutions referenced in the EDPB Opinion 11/2024 remain permitted.

For more information: Garante Website [IT]

Netherlands

09/01/2025

Rechtbank Noord-Nederland | Judgment | GDPR Livestream

The court rules that a village livestream unlawfully infringed privacy rights despite blurring and residents’ partial non-objection.

The court confirmed the Dutch Supervisory Authority’s (“AP”) sanction against a village livestream, finding serious infringements of the rights to private life and to the protection of personal data. Even blurred images left individuals identifiable. Less intrusive alternatives existed, so the data minimization principle required their use. The fine was reduced on account of procedural delay.

For more information: Rechtspraak Website [NL]

United Kingdom

09/23/2025

UK Supervisory Authority | Announcement | AI Training

The Information Commissioner’s Office (“ICO”) announced that it will continue to monitor an online platform over newly announced AI training on user data.

On 18 September 2025, an online platform announced it will begin using user data from the EU and UK to train its generative AI models from 3 November 2025, reversing a 2024 commitment to exclude EU/UK data after regulatory backlash. The platform indicated it will rely on legitimate interests with an opt-out mechanism. The ICO emphasized the need to ensure the ongoing compliance of the platform’s approach. Further, supervisory authorities in the Netherlands (“AP”) and Belgium (“APD”) have issued public warnings, expressing concern and urging users to disable permissions if they do not want their data to be used.

For more information: ICO Website, AP Website, APD Website

09/11/2025

UK Supervisory Authority | Guidance | Encryption

The Information Commissioner’s Office (“ICO”) issues new guidance on implementing encryption to protect personal data and reduce breach risks.

The ICO has published guidance on encryption as an appropriate technical and organisational measure to secure personal data. The guidance is not a statutory code of practice; however, the ICO notes that it will take the guidance into account in breach assessments and compliance investigations.

For more information: ICO Website

08/28/2025

UK Government | Public Consultation | Telecommunications Security Code of Practice

The UK Department for Science, Innovation and Technology has launched a consultation on updates to the 2022 Telecommunications Security Code of Practice.

These proposed updates are intended to help public telecoms providers protect UK telecoms networks and services in light of evolving threats and emerging technologies. Stakeholders may submit responses before the consultation closes on October 22, 2025.

For more information: UK Government Website

The following Gibson Dunn lawyers prepared this update: Ahmed Baladi, Vera Lukic, Kai Gesing, Joel Harrison, Thomas Baculard, Ioana Burtea, Billur Cinar, Hermine Hubert, Christoph Jacob, Yannick Oberacker, and Phoebe Rowson-Stevens.


Europe

06/26/2025

ENISA | Guidance | NIS 2 Support Documents

ENISA has released two guidance documents to assist companies in complying with the NIS 2 Directive.

The first document provides non-binding guidance to relevant entities on how to implement the requirements for the cybersecurity risk management measures by providing examples. The second document clarifies the organizational steps to take (including what roles and skills are needed internally) to implement NIS 2 obligations, such as cybersecurity risk measures, post-incident response and reporting.

For more information: ENISA Website

06/26/2025

European Data Protection Board (EDPB) | Opinion | Draft Guidelines on Minors Under DSA

The EDPB provided preliminary comments on the European Commission’s draft guidelines under Article 28 of the Digital Services Act (DSA), which aim to enhance the online protection of minors.

The Board welcomed the initiative, noted the draft provides clear and practical recommendations on what measures to take to improve minor safety (including privacy) but also called for clarification of the material scope of Article 28. It also mentioned that it intends to provide additional guidance on data protection compliance in the context of its “Children’s guidelines” and reiterated its readiness to advise on age assurance and related data protection issues within the Digital Services Board’s Working Group 6.

For more information: EDPB Website

06/24/2025

European Commission | Adequacy Decision | UK

The European Commission has extended the UK’s adequacy decision under the GDPR until December 27, 2025.

As a reminder, on October 23, 2024, the UK Government introduced the Data (Use and Access) Bill, which amends the UK GDPR and the Data Protection Act 2018. The extension allows the European Commission to assess whether the UK continues to provide an adequate level of protection, pending the outcome of the legislative process.

For more information: European Commission Website

06/16/2025

Council of the EU/European Parliament | Agreement | Cross-Border GDPR Enforcement

The Council of the European Union and the European Parliament reached a provisional agreement on a new legislative proposal aimed at improving cooperation among national data protection authorities in cross-border enforcement of the GDPR.

The proposed regulation includes clearer procedural rules for handling cross-border cases, with the goal of streamlining investigations and enhancing the efficiency of cooperation mechanisms between supervisory authorities.

For further information: European Council Website

06/05/2025

European Data Protection Board | Guidelines | Data Transfers

The European Data Protection Board (“EDPB”) published the final version of its guidelines regarding data transfers to third country authorities.

The new guidelines aim to provide clarification on Article 48 of the GDPR, outlining how organizations should assess whether and under what conditions they may lawfully respond to requests for the transfer of personal data from authorities in third countries.

For more information: EDPB Website

06/05/2025

European Data Protection Board | Report | AI and Data Protection

The European Data Protection Board (“EDPB”) published two reports providing training material on AI and data protection.

The first report, “Law & Compliance in AI Security & Data Protection”, is tailored for privacy and data protection professionals, such as DPOs, while the second report, “Fundamentals of Secure AI Systems with Personal Data”, is designed for technically oriented professionals, including cybersecurity experts and developers.

For more information: EDPB Website

06/04/2025

European Union Agency for Cybersecurity | Update | National Cybersecurity Strategies

The European Union Agency for Cybersecurity (“ENISA”) updated its National Cybersecurity Strategies (“NCSS”) Interactive Map.

The NCSS Map serves as a platform offering insights on how EU Member States implement their cybersecurity strategies, highlighting their objectives, actions and best practices.

For more information: ENISA Website

Belgium

06/26/2025

Belgian Supervisory Authority | Procedural Decision | Dismissal of NOYB Complaints

The Belgian Supervisory Authority (“APD”) dismissed 16 complaints across 5 cases filed by NOYB, citing the prohibition of abuse of rights under GDPR.

The APD found that NOYB had instructed complainants on how to grant mandates for filing complaints, without properly representing the individual data subjects. The APD recalled that in the European Union, including Belgium, associations cannot file complaints in their own name, but only as representatives acting on the basis of a mandate from the data subject.

For more information: APD Press release [FR]

France

06/19/2025

French Supervisory Authority | Recommendations | AI and Legitimate Interest

The French Supervisory Authority (“CNIL”) published new recommendations on the use of legitimate interest in the development of AI systems.

The CNIL outlines the conditions under which legitimate interest may be relied upon, in particular in the context of web scraping. These recommendations are intended to help stakeholders assess when legitimate interest can be used as a legal basis. They also provide concrete examples of data processing activities that may be justified on the grounds of legitimate interest.

For more information: CNIL Website [FR]

06/12/2025

French Supervisory Authority | Public consultation | Tracking Pixels

The French Supervisory Authority (“CNIL”) launched a public consultation on a draft recommendation on tracking pixels, aimed at clarifying the legal framework for their use in emails and on websites.

The draft recommendation outlines requirements related to user consent, information obligations, and data sharing with third parties. Stakeholders can submit feedback until 24 July 2025.

For more information: CNIL Website [FR]

06/10/2025

French Supervisory Authority | Recommendations | Workplace Diversity Surveys

The French Supervisory Authority (“CNIL”) published recommendations on the conduct of internal diversity surveys in the workplace.

These non-binding guidelines aim to help organizations collect sensitive personal data securely and in a way that respects individuals’ privacy rights and the GDPR through measures such as voluntariness, clear information, data minimization, and strong safeguards like anonymization or pseudonymization.

For more information: CNIL Website [FR]

06/06/2025

French Supervisory Authority | Guidance | Roles of Controllers and Processors

The French Supervisory Authority (“CNIL”) published guidance on the roles of data controllers and data processors.

This guidance stresses that all parties involved in data processing must clearly define and document their roles based on their actual responsibilities, as misclassification can jeopardize GDPR compliance and lead the CNIL to reclassify roles during audits, possibly resulting in sanctions.

For more information: CNIL Website [FR]

Germany

06/17/2025

Data Protection Conference | Guidance | AI Systems and Data Protection

The Data Protection Conference of the German Supervisory Authorities (DSK) published an orientation guide outlining key data protection requirements for the development and use of AI systems, in particular regarding the required technical and organizational measures.

The guidance highlights the need for appropriate technical and organizational measures (TOMs) to mitigate risks, especially in high-risk processing scenarios. The document is intended to support both public and private sector actors in aligning AI deployment with fundamental rights and data protection standards.

For more information: DSK Website [DE]

06/16/2025

Data Protection Conference | Resolution | Confidential Cloud Computing

The Data Protection Conference of the German Supervisory Authorities (DSK) published a resolution on “confidential cloud computing”.

The resolution acknowledges that various definitions of “confidential cloud computing” exist. It emphasizes that confidential cloud computing may significantly enhance overall protection levels – especially against other cloud users and certain insider threats. As part of a “defense-in-depth” strategy, it provides valuable additional layers of security, even if absolute confidentiality from the cloud provider cannot be guaranteed. Clear attacker models and transparent documentation of the implemented measures are essential prerequisites.

For more information: DSK Website [DE]

06/16/2025

Data Protection Conference | Guideline | Procedure on Fines of Data Protection Supervisory Authorities

The German Data Protection Conference (DSK) has adopted model guidelines for the conduct of administrative fine proceedings by data protection supervisory authorities.

The DSK aims to establish nationwide standards for how supervisory authorities handle fining procedures under the GDPR. The guidelines define procedural principles, responsibilities, cooperation obligations of the parties involved, and the methodology for calculating and assessing fines. They are intended to enhance transparency and legal certainty for both organizations and individuals, while also promoting consistency in enforcement practices.

For more information: DSK Website [DE]

06/10/2025

German Federal Supervisory Authority | Sanctions | Telecommunication Company

The German Federal Supervisory Authority has fined a telecommunication company a total of €45 million following investigations into its partner agencies and online service portal.

More specifically, a €15 million fine was imposed for insufficient supervision and auditing of partner agencies processing customer data. A €30 million fine was imposed for weak authentication procedures that could allow misuse of eSIMs via the hotline when used in combination with the Company’s online portal. A reprimand was also issued in relation to identified IT system vulnerabilities.

For more information: EDPB Website

06/10/2025

North Rhine-Westphalia Supervisory Authority | Activity Report

The North Rhine-Westphalia Supervisory Authority (LDI NRW) published its annual activity report.

The North Rhine-Westphalia Supervisory Authority has voiced opposition to the government’s plan to centralize data protection at the federal level, highlighting the importance of regional data protection authorities.

For more information: LDI NRW Website [DE]

Greece

06/11/2025

Hellenic Supervisory Authority | Decision | EU Representative

The Hellenic Supervisory Authority published a decision of May 2025 ordering a China-based provider of a large language model (LLM) to appoint an EU representative, pursuant to Article 27 of the GDPR.

The Authority considered that the company targets EU data subjects, notably in Greece, through web and mobile services available in Greek, and failed to provide a compliant privacy policy or lawful basis for processing.

For more information: Hellenic Authority Website

Slovenia

06/04/2025

Slovenian Government | Publication | NIS II

The Information Security Act (“ZInfV-1”) transposing the NIS II Regulation was published in the official gazette of the Republic of Slovenia.

The Information Security Act will enter into effect on June 19, 2025.

For more information: Slovenian Government Website [SI]

United Kingdom

06/19/2025

Royal Assent | Data Use and Access Act | GDPR & PECR Update

The Data (Use and Access) Act (“DUUA”) received Royal Assent.

The DUUA updates certain aspects of data protection and e-privacy law, aiming to facilitate the safe and effective use of data, encourage innovation, simplify data protection compliance requirements for organisations and align the PECR enforcement regime to that under UK GDPR. The Act amends and supplements the UK GDPR, the DPA 2018 and PECR.

For more information: ICO Website

06/17/2025

Information Commissioner’s Office | Fine | Genetic Data

The ICO fined 23andMe £2.31 million for failing to have appropriate security measures in place to protect UK users’ genetic data.

The penalty results from a joint investigation conducted by the ICO and Canada Privacy Commissioner (“CPC”), after 23andMe failed to protect UK users’ personal data during a major 2023 cyber-attack. In particular, 23andMe did not have mandatory MFA, secure password protocols, unpredictable usernames, and effective systems in place to monitor, detect, or respond to cyber threats. It also failed to have adequate controls over access to raw genetic data.

For more information: ICO Website

06/16/2025

Information Commissioner’s Office | Guidance | IoT

The ICO published draft guidance on Internet of Things (“IoT”) products.

The ICO’s draft guidance is intended to support IoT developers (e.g. of smart home appliances and wearable tech) with their data protection compliance. The guidance sets clear expectations on how to do so, addressing for instance how to request informed consent or provide transparent privacy information.

For more information: ICO Website

06/05/2025

Information Commissioner’s Office | Guidance | AI and Biometrics Strategy

The Information Commissioner’s Office (“ICO”) published its AI and biometrics strategy.

This new AI and biometrics strategy aims to ensure that organisations develop new technologies lawfully, while supporting innovation.

For more information: ICO Website

06/04/2025

National Cyber Security Centre | Guidance | Cyber Security Culture Principles

The National Cyber Security Centre (“NCSC”) launched its Cyber security culture principles.

The guidance aims to help professionals build and sustain a cyber secure organization.

For more information: NCSC Website


The following Gibson Dunn lawyers prepared this update: Ahmed Baladi, Vera Lukic, Kai Gesing, Joel Harrison; Thomas Baculard, Ioana Burtea, Billur Cinar, Hermine Hubert, Christoph Jacob, Yannick Oberacker, Clémence Pugnet, and Phoebe Rowson-Stevens.


Europe

28/05/2025

European Data Protection Board | Agenda | GDPR Simplification

The European Data Protection Board (EDPB) has published the agenda of its 106th plenary session, including discussions on a request for a joint opinion with the European Data Protection Supervisor (EDPS) on the European Commission’s draft proposal for the simplification of record-keeping obligations under Article 30(5) of the GDPR.

This follows a letter addressed by the EDPB and the EDPS to the European Commission on the upcoming proposal, expressing preliminary support for the proposed simplification. However, the EDPB and EDPS asked the Commission to better assess the impact on affected organizations and to ensure a fair balance between data protection and business interests.

For more information: Agenda of the 106th EDPB Meeting and Joint Letter

19/05/2025

European Digital Rights | Open Letter | Reopening of GDPR

European Digital Rights (“EDRi”) and 107 other civil society organisations published an open letter calling on the European Commission not to reopen the GDPR.

The EDRi expresses concerns about ongoing efforts to reopen the GDPR, considering that this could make the regulation more vulnerable to broader deregulatory demands. It also points to the geopolitical context and the influence of foreign commercial and political actors on the EU digital regulatory landscape.

For more information: EDRi Website

16/05/2025

European Data Protection Board | Letter | In-Car Video Cameras and Dashcams

The European Data Protection Board (“EDPB”) published a letter in response to an inquiry from a member of the European Parliament outlining concerns on the growing use of in-car video cameras and dashcams.

The EDPB recalled that it has already issued relevant guidelines, in particular guidelines on processing of personal data through video devices, which are complemented by guidance and communication adopted by national data protection authorities.

For more information: EDPB Website

16/05/2025

European Supervisory Authorities | DORA | Registers of Information

The European Supervisory Authorities (“ESAs”) updated the Observations from reporting of Registers of Information (“ROI”) under the Digital Operational Resilience Act (DORA).

Originally published on April 16, 2025, the observations provide an overview of common issues identified in the reporting of the ROI and provide explanations of the most common errors.

For more information: EBA Website

07/05/2025

European Commission | Formal Requests | NIS 2 Directive

The European Commission has issued formal requests to 19 Member States to fully transpose the NIS2 Directive into national law.

As a reminder, the deadline for transposition was October 17, 2024. The Member States concerned – including France, Germany and the Netherlands – now have two months to take the necessary measures. Failure to comply may result in referral to the Court of Justice of the European Union.

For more information: European Commission Website

06/05/2025

European Data Protection Board | Opinion | UK Adequacy Decisions

The European Data Protection Board (“EDPB”) adopted an opinion on the European Commission’s proposal to extend the validity of the UK adequacy decisions under the GDPR and the Law Enforcement Directive, which will expire on June 27, 2025.

The EDPB opinion acknowledges the need for an extension due to the ongoing data protection reform in the UK. However, it does not address the level of protection in the UK, which will be evaluated by the EDPB if new draft adequacy decisions are proposed.

For more information: EDPB Website

Denmark

15/05/2025

Danish Supervisory Authority | Guidance | Cookies

The Danish Supervisory Authority (“Datatilsynet”) and the Danish Agency for Digital Government have issued joint guidelines on cookies and similar technologies.

The guidelines are intended to help website and app providers comply with both the Danish Cookie Order and the GDPR. They clarify consent requirements, highlight common compliance pitfalls, and provide practical recommendations for implementing compliant practices.

For more information: Datatilsynet Website [DA]

France

22/05/2025

French Supervisory Authority | Fines | Simplified Procedure

The French Supervisory Authority (“CNIL”) announced ten new sanctions issued under its simplified procedure, totaling €104,000.

The majority of the cases involved employee monitoring, specifically through video surveillance and the geolocation of company vehicles. The CNIL found various breaches, including failure to comply with the principles of data minimization and storage limitation. In one instance, a company was fined for an insufficient password policy and poor management of access rights to its video surveillance system.

For more information: CNIL Website [FR]

06/05/2025

French Supervisory Authority | Guidance | Augmented Cameras at Self-checkouts

The French Supervisory Authority (“CNIL”) published guidance on the use of augmented cameras at self-checkouts.

The CNIL explains how augmented cameras function, and clarifies that the data processed cannot be considered anonymous since individuals can be re-identified. In addition, it considers that legitimate interest is a possible legal basis, provided that the use of such cameras is necessary for the intended purpose and does not disproportionately infringe on individuals’ rights.

For more information: CNIL Website [FR]

05/05/2025

French Council of State | CJEU Referral | Consent and Direct Marketing

A French media and entertainment company has appealed to the French Council of State (“Conseil d’Etat”) to annul a fine of €60,000 imposed by the French Supervisory Authority (“CNIL”) for conducting marketing campaigns without valid consent.

In 2023, the CNIL found that the company had run marketing campaigns using personal data obtained from internet service providers, which had collected that data via consent forms referring vaguely to “partners” without naming them. The CNIL concluded that the company processed this data without obtaining informed consent, which the company challenged before the Conseil d’Etat. To resolve the dispute, the Council has referred to the Court of Justice of the European Union the question of whether a data subject’s consent – given to a primary collector for use by unnamed “partners” – constitutes valid consent, or whether each recipient, if not identified at the time of collection, must obtain separate consent before using the data for marketing purposes.

For more information: Conseil d’Etat Website [FR]

02/05/2025

French Parliament | Transposition | Representative Actions Directive

France has transposed the EU Directive 2020/1828 on representative actions for the protection of collective interests of consumers through Law No. 2025-391 of 30 April 2025, published in the Official Journal on May 2, 2025.

The new framework strengthens consumers’ ability to seek collective redress by establishing a unified regime for representative actions, replacing the previous sector-specific approach.

For further information: Official Journal [FR]

Germany

05/20/2025

Federal Commissioner for Data Protection and Freedom of Information | AI Questionnaire

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) has published a questionnaire providing guidance on the data protection-compliant implementation of AI.

The questionnaire is intended to help controllers assess data protection-related topics when implementing AI systems. It includes core questions companies should evaluate when operating AI systems, including the legal basis for data processing, the distinction between controller and processor, and general compliance with the principles relating to the processing of personal data.

For more information: BfDI Website [DE]

05/20/2025

Hesse and Brandenburg Supervisory Authorities | Annual Activity Reports

The Hesse and Brandenburg supervisory authorities (HBDI and LDA) published their annual activity reports.

The reports include assessments of the lawfulness of advertising practices, in particular the practice of web shops sending electronic reminders asking consumers whether they would like to complete their purchase. Where visitors to a web shop select one or more goods, start the ordering process (including entering their e-mail address), and then cancel the order and leave the web store without concluding a purchase, advertising (such as a reminder about their purchase) may only be sent to these persons under certain conditions. The HBDI concludes that such an electronic reminder constitutes advertising and is generally only permitted with express consent within the meaning of Article 6(1)(a) GDPR in conjunction with Section 7 of the Federal Act against Unfair Competition (UWG).

For more information: HBDI Website [DE]

03/19/2025

Administrative Court of Hannover | Judgement | Cookie Banners

In a recently published decision, the Administrative Court of Hannover (VG Hannover) reiterated that a cookie consent banner must offer the option to reject all cookies.

According to the court, websites must include a clearly visible “Reject All” button on the first level of cookie consent banners if they offer an “Accept All” option, reinforcing users’ data protection rights. The court found that manipulative banner designs using misleading labels, and hiding key information, violate the GDPR and the Telecommunications-Digital Services Data Protection Act (TDDDG).

For more information: LfD Website [DE]

Italy

19/05/2025

Italian Supervisory Authority | Fine | AI Chatbot

The Italian Supervisory Authority (“Garante”) fined a company operating an AI-powered chatbot €5 million for multiple GDPR violations.

The Garante found that the company had not identified a valid legal basis for processing, failed to provide sufficient information in its privacy policy, and did not implement effective age verification mechanisms.

For more information: Garante Website

07/05/2025

Italian Supervisory Authority | Fine | Telemarketing

The Italian Supervisory Authority (“Garante”) imposed a €3 million fine on a gas and electricity provider and €850,000 on other companies for unlawful telemarketing practices.

The Garante noted that the companies operated within a network of procurement of energy supply contracts. It concluded that they engaged in promotional phone calls without individuals’ consent, and did not implement adequate security measures to ensure that such activities complied with data protection regulations.

For more information: Garante Website [IT]

05/05/2025

Italian Supervisory Authority | Public Consultation | Consent or Pay Model

The Italian Supervisory Authority (“Garante”) launched a public consultation to assess the lawfulness of the “Consent or Pay” model.

As a reminder, the “Consent or Pay” model requires users either to consent to the processing of their personal data or to take out a paid subscription in order to access online content, services or features. The consultation focuses more specifically on newspaper publishers. Stakeholders can contribute until June 28, 2025.

For more information: Garante Website [IT]

Spain

26/05/2025

Spanish Supervisory Authority | Annual Report | 2024

The Spanish Supervisory Authority (“AEPD”) published its 2024 annual report.

The AEPD received 18,855 complaints in 2024, primarily concerning video surveillance, online services, commerce, transport and hospitality. The authority issued 281 resolutions, which included administrative fines totaling over €35.5 million. Data breaches accounted for 37% of the total fines (€13.18 million).

For more information: AEPD Website [ES]

07/05/2025

Spanish Supervisory Authority | FAQs | Chatbot

The Spanish Supervisory Authority (“AEPD”) has implemented a virtual assistant on its website to facilitate the quick resolution of common questions related to data protection and privacy.

According to the AEPD, the chatbot handles more than 3,000 questions per month and maintains a user satisfaction rate of nearly 80%.

For more information: AEPD Website [ES]

Sweden

19/05/2025

Swedish Supervisory Authority | Guidance | Customer Data Sharing Between Banks

The Swedish Supervisory Authority (“IMY”) published a report on the sharing of customer data between banks in order to combat money laundering, terrorist financing and fraud.

The report was prepared in collaboration with Swedish banks as part of IMY’s regulatory sandbox initiative. The IMY highlights the need for a legislative change to enable effective data sharing in the sector.

For more information: IMY Website [SV]

United Kingdom

19/05/2025

National Cyber Security Centre | Guidance | Cybersecurity for Organizations

The National Cyber Security Centre (“NCSC”) has released “Top Tips for Staff”, an e-learning package to help organizations address common cybersecurity challenges.

The training covers essential topics such as using strong passwords, securing devices, recognizing phishing attempts, and reporting security incidents. It is particularly aimed at supporting SMEs, charities and the voluntary sector.

For more information: NCSC Website

13/05/2025

Information Commissioner’s Office | Consultation | Encryption

The Information Commissioner’s Office (“ICO”) has opened a consultation on its draft updated guidance on encryption.

The draft guidance focuses on the relationship between encryption and data protection and concentrates on data storage and data transfer as the primary use cases for encryption. The consultation remains open until June 24, 2025.

For more information: ICO Website

07/05/2025

National Cyber Security Centre | Code of Practice | Software Security

The National Cyber Security Centre (“NCSC”) and the Department for Science, Innovation and Technology (“DSIT”) have published the Software Security Code of Practice, a voluntary framework for technology providers.

The code establishes a baseline for cybersecurity expectations across the software industry. It provides a framework to help organizations measure their progress and includes practical guidance for software vendors.

For more information: NCSC Website

02/05/2025

Information Commissioner’s Office & National Cyber Security Centre | Statement | Cyber Incidents Impacting Retailers

The Information Commissioner’s Office (“ICO”) and the National Cyber Security Centre (“NCSC”) have issued statements on recent cyber incidents impacting retailers.

The ICO confirmed that it has received reports from impacted retailers and has sent enquiries to these organizations. Meanwhile, the NCSC stated that it is working closely with them to provide support and mitigate the impact of the incidents.

For more information: ICO Website and NCSC Website


The following Gibson Dunn lawyers prepared this update: Ahmed Baladi, Vera Lukic, Kai Gesing, Joel Harrison, Thomas Baculard, Ioana Burtea, Billur Cinar, Hermine Hubert, Christoph Jacob, Yannick Oberacker, Clémence Pugnet, and Phoebe Rowson-Stevens.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:

Privacy, Cybersecurity, and Data Innovation:

United States:
Abbey A. Barrera – San Francisco (+1 415.393.8262, abarrera@gibsondunn.com)
Ashlie Beringer – Palo Alto (+1 650.849.5327, aberinger@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303.298.5774, rbergsieker@gibsondunn.com)
Keith Enright – Palo Alto (+1 650.849.5386, kenright@gibsondunn.com)
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, geyler@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, sgans@gibsondunn.com)
Lauren R. Goldman – New York (+1 212.351.2375, lgoldman@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Natalie J. Hausknecht – Denver (+1 303.298.5783, nhausknecht@gibsondunn.com)
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, jhorvath@gibsondunn.com)
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, mkutscherclark@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415.393.8395, klinsley@gibsondunn.com)
Timothy W. Loose – Los Angeles (+1 213.229.7746, tloose@gibsondunn.com)
Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Rosemarie T. Ring – San Francisco (+1 415.393.8247, rring@gibsondunn.com)
Ashley Rogers – Dallas (+1 214.698.3316, arogers@gibsondunn.com)
Sophie C. Rohnke – Dallas (+1 214.698.3344, srohnke@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650.849.5395, bwagner@gibsondunn.com)
Frances A. Waldmann – Los Angeles (+1 213.229.7914, fwaldmann@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213.229.7472, dwongyang@gibsondunn.com)

Europe:
Ahmed Baladi – Paris (+33 1 56 43 13 00, abaladi@gibsondunn.com)
Patrick Doris – London (+44 20 7071 4276, pdoris@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Joel Harrison – London (+44 20 7071 4289, jharrison@gibsondunn.com)
Lore Leitner – London (+44 20 7071 4987, lleitner@gibsondunn.com)
Vera Lukic – Paris (+33 1 56 43 13 00, vlukic@gibsondunn.com)
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, lpetersen@gibsondunn.com)
Christian Riis-Madsen – Brussels (+32 2 554 72 05, criis@gibsondunn.com)
Robert Spano – London/Paris (+44 20 7071 4000, rspano@gibsondunn.com)

Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)

© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

Europe

04/28/2025

CJEU | Fact Sheet | Case Law on Personal Data Protection

The Court of Justice of the European Union (“CJEU”) has updated its “case law fact sheet” on personal data protection which compiles its key rulings in the field.

For further information: CJEU Website

04/23/2025

European Data Protection Board | 2024 Annual Report

The European Data Protection Board (“EDPB”) has published its annual report for 2024.

The report provides an overview of the EDPB work in 2024 and highlights key achievements such as the adoption of the 2024-2027 strategy and an increase in the consistency opinions under Article 64(2) GDPR (e.g., on “Consent or Pay” models, the use of personal data to train AI models). The report also emphasizes the EDPB’s contribution to cross-regulatory cooperation for new pieces of legislation such as the Digital Services Act (DSA) and the AI Act.

For further information: EDPB Website

04/14/2025

European Data Protection Board | Guidelines | Personal data and blockchain

The European Data Protection Board (“EDPB”) has published Guidelines 02/2025 on processing of personal data through blockchain technologies, open to public consultation until 9 June 2025.

The guidelines describe the blockchain technologies and provide a framework for organizations considering their use. They outline key GDPR considerations for processing activities (e.g., data retention periods, data subjects’ rights), and clarify the responsibilities of different actors involved in a blockchain related processing.

For more information: EDPB Website

04/11/2025

European Commission | Public Consultation | EU Cybersecurity Act

The European Commission has opened a public consultation on the evaluation and revision of the 2019 EU Cybersecurity Act.

The EU Commission is seeking stakeholders’ feedback on key areas for the contemplated revision, including the mandate of the European Agency for Cybersecurity (ENISA), the European Cybersecurity Framework, challenges related to ICT supply chain security, and the simplification of cybersecurity measures. The public consultation is open until 20 June 2025.

For more information: European Commission Website

04/10/2025

European Commission | Guidelines | Generative AI in Research

The European Commission has updated its Living Guidelines on the responsible use of generative AI in research.

The guidelines provide recommendations for researchers and organizations to ensure they promote and support responsible use of generative AI in their research activities. They are regularly updated to reflect the technological developments in the field.

For more information: European Commission Website, Guidelines

04/10/2025

European Data Protection Board | Report | Large Language Models

The European Data Protection Board (“EDPB”) has published a report on AI Privacy Risks and Mitigations Large Language Models (“LLMs”).

The report provides a risk management methodology to help developers and users of LLMs identify, assess and mitigate privacy risks in the development and use of LLM systems. As such, it complements the Data Protection Impact Assessment process (Art. 35 GDPR) and supports requirements regarding data protection by design and by default (Art. 25 GDPR) and security of personal data (Art. 32 GDPR).

For more information: EDPB Website

04/02/2025

European Commission | Report | B2B Data Sharing & EU Data Act

The European Commission’s Expert Group has issued its final report on B2B data sharing and cloud computing contracts under the EU Data Act.

The report contains model contractual terms (MCTs) covering different data sharing scenarios (e.g., data holder to user, user to data recipient), as well as standard contractual clauses (SCCs) for cloud computing contracts.

For more information: European Commission Website

03/27/2025

European Commission | DORA Directive | Infringement Procedures

The European Commission has launched infringement procedures against 13 Member States (including France, Spain, and Belgium) for failing to fully transpose the Digital Operational Resilience Act (“DORA”) Directive within the given deadline (17 January 2025).

The Member States have two months to complete their transposition and notify the adopted measures to the Commission.

For more information: European Commission Website

France

04/29/2025

French Supervisory Authority | Annual Report | Enforcement

The French Supervisory Authority (“CNIL”) has released its 2024 annual report, recording 17,772 complaints, 87 sanctions, and over €55 million in fines.

The CNIL has stepped up enforcement efforts with 331 corrective actions and observed an increase in the use of simplified procedures. It has also strengthened its response to growing cybersecurity threats and expanded its oversight on AI and digital innovation.

For more information: CNIL Website [FR]

04/24/2025

French Supervisory Authority | Public Consultation | Multi-terminal Consent

The French Supervisory Authority (“CNIL”) has launched a public consultation for its draft recommendation on multi-terminal consent across various devices.

The draft recommendation concerns stakeholders that intend to collect multi-terminal consent when users are authenticated on an account. It offers concrete recommendations on how to validly collect multi-terminal consent. The public consultation will end on 5 June 2025.

For more information: CNIL Website [FR]

04/23/2025

French Supervisory Authority | Publication | Data Breach

The French Supervisory Authority (“CNIL”) has published a fictional data breach use case to help professionals better understand and prevent risks related to unauthorized access to data handled by processors.

The use case outlines a typical data breach based on a real-life incident that was reported to the CNIL.

For more information: CNIL Website [FR]

04/14/2025

French Supervisory Authority | 2025-2028 European and International Strategy

The French Supervisory Authority (“CNIL”) has released its European and international strategy for 2025-2028.

The strategy focuses on three priorities: improving European cooperation, promoting high international data protection standards while supporting innovation, and reinforcing CNIL’s global influence.

For more information: CNIL Website [FR]

04/09/2025

French Supervisory Authority | Public Consultation | Session Recording and Replay Tools

The French Supervisory Authority (“CNIL”) has launched a public consultation on browsing session recording and replay tools.

These tools, which capture detailed user interactions, raise significant privacy concerns due to their potential to collect sensitive personal data without users’ awareness. The goal of the consultation is to develop practical recommendations to help tool providers and website editors ensure GDPR compliance and better protect user privacy.

For more information: CNIL Website [FR]

04/08/2025

French Supervisory Authority | Guidelines | Mobile Applications

The French Supervisory Authority (“CNIL”) has published an updated version of its recommendations on mobile applications.

The CNIL has published an updated version of its recommendations on mobile applications, originally adopted in July 2024 and released in September 2024. The revised version includes corrections and clarifications in response to stakeholder feedback, and an annotated version is available to highlight the updates.

For more information: CNIL Website [FR]

04/01/2025

French Supervisory Authority | Guidelines | Multi-Factor Authentication (MFA)

The French Supervisory Authority (“CNIL”) has published a recommendation on the implementation of multi-factor authentication (“MFA”) to help online services implement privacy-compliant cybersecurity solutions.

The guidance aims to support controllers and solution providers in aligning MFA practices with the GDPR—covering legal bases, data minimization, retention periods, and the appropriate use of authentication factors such as biometrics, SMS codes, and employee devices.

For more information: CNIL Website [FR]

04/01/2025

ANSSI | Cybersecurity | Information System Security Accreditation

The French National Cybersecurity Agency (“ANSSI”) has published updated guidance on the security accreditation of information systems.

This publication details the steps and documentation required to accredit an information system, including risk assessment, security objectives, and verification processes. It aims to ensure a structured and high-assurance approach to system security within both public and private organizations. The guidance forms part of ANSSI’s broader efforts to promote cybersecurity resilience and regulatory compliance in France.

For more information: ANSSI Website [FR]

Germany

04/29/2025

Hamburg Supervisory Authority | Data Act | Guidance

The Hamburg Supervisory Authority (“HmbBfDI”) has published guidance on the new European Data Act, which will apply from 12 September 2025.

The HmbBfDI’s guidance provides an overview of the new obligations for companies under the Data Act, in particular the data sharing obligations applicable to manufacturers of connected devices. The guidance also identifies the key steps companies should take to prepare for the application of the Data Act (e.g., data mapping, updating contracts, marking trade secrets). Since the Data Act applies without prejudice to the GDPR, the guidance analyses the interactions between obligations related to personal data under the GDPR and those related to personal data under the Data Act. Finally, the HmbBfDI highlights the responsibilities of supervisory authorities.

For further information: HmbBfDI Website [DE]

04/24/2025

Hamburg Supervisory Authority | Compliance Review | Third Party Services

The Hamburg Supervisory Authority (“HmbBfDI”) has reviewed 1,000 websites for data protection compliance regarding the use of third-party cookies and services and identified deficiencies in 185 of them.

The HmbBfDI found that although most of the websites reviewed met the data protection requirements, deficiencies were found for approximately 185 websites. Most violations result from the fact that certain tracking technologies are activated immediately when the page is first accessed, with the result that users are tracked before consent is obtained.

For more information: HmbBfDI Website [DE]

04/24/2025

Hamburg Supervisory Authority | Q&A | Tracking

The Hamburg Supervisory Authority (“HmbBfDI”) has published FAQs on tracking via third-party services on websites.

The HmbBfDI emphasises that tracking is only permitted with the explicit consent of the respective data subject. The authority included guidance on the design of consent banners, emphasising the need to implement a “reject all” option on the same level as an “accept all” button. The guidance highlights the importance of complying with the requirements of the ePrivacy Directive (transposed into national law) in relation to tracking, alongside the provisions of the GDPR.

For more information: HmbBfDI Website [DE]

04/10/2025

Federal Commissioner for Data Protection and Freedom of Information | Annual Report

The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has published its annual report.

The Federal Commissioner for Data Protection and Freedom of Information is responsible for monitoring data protection at federal public bodies and at companies that provide telecommunications and postal services. The report shows that most proceedings are related to information and transparency obligations.

For more information: BfDI Website [DE]

04/09/2025

New German Government | Coalition Agreement | Future of Data Protection

The new German Government, consisting of the CDU/CSU (Christian Democratic Union of Germany/Christian Social Union of Germany) and the SPD (Social Democratic Party of Germany), has published its coalition agreement.

The new German government intends to liberalize data protection law at both national and EU level and work towards “data utilization”, “data sharing” and a “data economy”. It is planned to bundle the data protection authorities of the individual federal states into a nationwide authority. At EU level, the coalition intends to exclude low-risk data processing activities as well as small and medium-sized enterprises from the scope of the GDPR.

For more information: SPD Website [DE]

02/20/2025

Federal Labour Court | Judgement | Right to Compensation

The Federal Labour Court (BAG) ruled in a recently published decision that a delay in providing information under Art. 15 GDPR does not by itself justify a claim for compensation.

According to the BAG, a delayed provision of information under Article 15 GDPR by a former employer does not by itself constitute non-material damage within the meaning of Article 82(1) GDPR. The BAG held that a mere delay, absent specific and substantiated fears of data misuse or an actual loss of control over personal data, does not give rise to a claim for damages. Subjective emotional responses such as worry, annoyance, or nervousness are not sufficient unless they are objectively substantiated by a real risk of data misuse.

For more information: Official Court Website [DE]

Greece

04/08/2025

Greek Supervisory Authority | Guidance | AI and GDPR

The Greek Supervisory Authority (“HDPA”) offers training sessions on AI and GDPR.

The HDPA published educational materials and provides training programs developed by external experts from the European Data Protection Board (“EDPB”). It notably offers a Data Protection Officers and Privacy Professionals Program, as well as a program for ICT Professionals. The material covers various topics such as core concepts of AI, Data Protection and Large Language Models, and Transparency.

For more information: HDPA Website [GR]

Netherlands

04/16/2025

Dutch Supervisory Authority | Survey | Algorithmic Data Processing

The Dutch Supervisory Authority (“AP”) has published survey results showing that many companies feel unprepared to manage algorithms processing personal data. Businesses often lack clarity on whether and how such algorithms are used.

The AP plans to provide guidance and practical tools, as well as collect best practices, to improve responsible algorithm procurement and use. More specifically, the AP is currently developing a checklist for businesses to adequately deal with the rights of people who are subject to algorithmic decision-making.

For more information: AP Press release [NL]

United Kingdom

04/29/2025

CPPA & Information Commissioner’s Office | International Cooperation | Privacy Enforcement

The California Privacy Protection Agency (“CPPA”) and the Information Commissioner’s Office (“ICO”) signed a declaration of cooperation to strengthen international collaboration on data protection.

The agreement will enable joint research, best practice sharing, and coordinated enforcement efforts. It marks the CPPA’s third international partnership, following agreements with Korea’s PIPC and France’s CNIL, and reflects its broader commitment to global privacy cooperation.

For more information: CPPA Press release


The following Gibson Dunn lawyers prepared this update: Ahmed Baladi, Vera Lukic, Kai Gesing, Joel Harrison, Thomas Baculard, Billur Cinar, Hermine Hubert, Christoph Jacob, and Yannick Oberacker.


Europe

03/19/2025

European Data Protection Board | Approval Procedure | Binding Corporate Rules

The European Data Protection Board (“EDPB”) published a document outlining the cooperation procedure for approving Binding Corporate Rules (“BCRs”) for both controllers and processors.

Drawing from practical experience of the previous version of the Guidelines on BCR approval, the procedure presented aims to streamline the approval of BCRs, promoting consistent data protection practices across organizations operating within the EU.

For more information: EDPB Website

03/05/2025

European Commission | Publication | European Health Data Space Regulation

On March 5, 2025, the European Health Data Space Regulation was published in the Official Journal of the European Union.

The regulation aims to establish a common framework for the use and exchange of electronic health data across the EU. It will also enhance individuals’ access to and control over their personal electronic health data; for instance, patients will have the right to restrict health professionals’ access to all or parts of their personal electronic health data exchanged through EHDS infrastructures. The regulation will enter into force on March 26, 2025, and will become applicable two years later.

For further information: European Commission Website and Official Journal of the EU

03/05/2025

European Data Protection Board | Coordinated Enforcement | Right to Erasure

On March 5, 2025, the European Data Protection Board (EDPB) announced that it is launching a Europe-wide review of the right to erasure.

This initiative involves 32 data protection authorities across Europe. The aim is to evaluate how well the right to erasure, which allows individuals to request the deletion of their personal data, is being implemented in practice. The assessment will be conducted using a standardized questionnaire to analyze and compare procedures established by various data controllers. The results will be published in a report by the EDPB, highlighting best practices and areas for improvement.

For further information: EDPB Website

03/04/2025

European Commission | EU Adequacy Decision | Article 45 GDPR

On March 4, 2025, the European Commission proposed the first EU adequacy decision under Article 45 GDPR for an international organization.

The European Commission proposed an EU adequacy decision for the European Patent Organisation (EPO). The decision, based on Article 45 GDPR, finds EPO’s data protection rules comparable to the EU’s. The EPO is an international organization comprising the member states of the EU and various other European states to grant patents. The adequacy decision will enable safe data flow between the EU and EPO. Once adopted, companies in the EU can transfer data such as for patent applications to EPO without extra safeguards. The draft will be reviewed by the European Data Protection Board (EDPB) and other EU bodies before final adoption.

For further information: European Commission Website

France

03/27/2025

French Supervisory Authority | Work Program | 2025 Priorities

As part of its mission to guide professionals towards compliance, the French Data Protection Authority (“CNIL”) announced the main guidance materials it will issue in 2025.

The CNIL regularly issues soft law guidance (e.g., recommendations, guidelines, codes of practice) to clarify the applicable law and provide best practices. In 2025, the CNIL will issue fact sheets on artificial intelligence (to help professionals balance innovation and data subject rights), recommendations on the use of pixels in emails, and continue clarifying the use of dashcams.

For more information: CNIL Website [FR]

03/25/2025

French Supervisory Authority | Public Consultation | Connected Vehicles and Location Data

The French Supervisory Authority (“CNIL”) is submitting for public consultation a draft recommendation on the use of location data of connected vehicles.

The CNIL indicated that location data is considered as highly personal data as it can reveal individuals’ frequently visited places, habits, or areas of interest. The draft focuses on the use of connected vehicles by private individuals and aims at helping main actors to ensure compliance with GDPR principles. The public consultation will end on 20 May 2025. Any public or private actor can participate in the consultation.

For more information: CNIL Website [FR]

03/21/2025

French Supervisory Authority | Investigation | 2025 Priorities

The French Supervisory Authority (“CNIL”) announced its 2025 data protection priorities.

This year, the CNIL announced that it will focus on enforcing rules with respect to mobile app data collection, local government cybersecurity, penitentiary data management, and the enforcement of the right to erasure.

For more information: CNIL Website [FR]

03/05/2025

French Supervisory Authority | Guidelines | Case Law and Doctrine

The French Supervisory Authority (“CNIL”) published its “Tables Informatiques et Libertés” and its recap books (“Cahiers récapitulatifs”) for the year 2024.

The Tables are designed to give data professionals and academics access to the CNIL’s doctrinal positions as well as to case law from national and European courts. This tool allows practitioners to easily find precedents based on thematic classification.

For more information: CNIL Website [FR]

03/06/2025

French National Cybersecurity Authority | Strategic Plan | 2025-2027

The French National Cybersecurity Authority (“ANSSI”) published its strategic plan for 2025-2027.

The plan developed by ANSSI focuses on four key areas: (i) amplifying and coordinating the cyber response to the growing threat, (ii) developing the expertise needed to counter cyber threats, (iii) promoting effective European and international cyber action, and (iv) reinforcing the consideration of societal issues in ANSSI’s actions.

For further information: ANSSI Website [FR]

Germany

03/27/2025

German Federal Court of Justice | Judgement | GDPR and Competition Law

On March 27, 2025, the German Federal Court of Justice (BGH) ruled (I ZR 186/17) that a breach of information obligations by the controller may give rise to claims for injunctive relief under the German Act Against Unfair Competition (UWG). These can be pursued by consumer protection associations by way of an action before the civil courts.

According to the BGH, the Unfair Competition Act (UWG) and the Injunctions Act (UKlaG) provide a legal basis under Article 80(2) GDPR for consumer protection associations to pursue violations of the GDPR. Consumer associations can take legal action against breaches of information obligations under Art. 12(1) and Art. 13(1)(c) and (e) GDPR, even without specific authorization from affected individuals. Breaches of data protection information obligations may constitute unfair competition if material information is withheld.

For further information: BGH Website [DE]

03/27/2025

German Federal Court of Justice | Judgement | GDPR and Competition Law

On March 27, 2025, the German Federal Court of Justice (BGH) ruled in two cases (I ZR 222/19, I ZR 223/19) that a breach of GDPR regulations regarding special categories of data by the controller may give rise to claims for injunctive relief under the German Act Against Unfair Competition (UWG). These can be pursued by competitors by way of an action before the civil courts.

According to the BGH, the Unfair Competition Act (UWG) provides a legal basis for competitors to pursue violations of the GDPR. In the decisions, the BGH ruled that a violation of Article 9(1) GDPR can be pursued by a competitor by way of a competition law action before the civil courts under Article 8(3)(1) UWG.

For further information: BGH Website (I ZR 222/19 [DE], I ZR 223/19 [DE])

03/20/2025

German Federal Office for Information Security | Certification | Cybersecurity Act

The German Federal Office for Information Security (“BSI”) was designated by the European Commission as the German certification body under the Cybersecurity Act.

The BSI is now the body in charge of the approval of applications from manufacturers seeking to obtain a European cybersecurity certificate for products with a high assurance level under the Implementing Regulation on the adoption of European Common Criteria-based cybersecurity certification scheme (EUCC).

For more information: BSI Website [DE]

03/19/2025

Hamburg Supervisory Authority | Recommendations | Data Retention

The Hamburg Supervisory Authority (“HmbBfDI”) recommends organizations to review and delete outdated data as part of a “digital spring cleaning”.

The HmbBfDI particularly recalls that, with the Fourth Bureaucracy Relief Act (BEG IV), the federal legislator has reduced some retention periods defined under the German Fiscal and Commercial Codes, requiring businesses to adjust their data retention policies accordingly. In particular, the retention period for accounting documents under tax law is reduced from ten to eight years, which also affects the right to erasure under the GDPR.

For more information: HmbBfDI Website [DE]

03/13/2025

German Data Protection Conference | Statement | Data Act

On March 13, 2025, the German Data Protection Conference (DSK) published a statement on the implementation legislation for the EU Data Act.

The DSK, the conference of the independent data protection supervisory authorities of the German federal states, has published a position paper on the German legislation implementing the EU Data Act, emphasizing the need for harmonized rules across member states that are implemented effectively and consistently with the requirements of the European legislation. The DSK criticizes the current German draft legislation in various respects and emphasizes the interplay between EU regulations and their implementation in each member state, even where a regulation applies directly.

For further information: DSK Website [DE]

03/12/2025

Hamburg Supervisory Authority | Guest Orders | Online Retail

The Hamburg Supervisory Authority (“HmbBfDI”) announced having ordered a Hamburg-based online retailer to allow guest orders, without requiring users to create a customer account.

The HmbBfDI notes that in a resolution dated March 24, 2022, the German Data Protection Conference (DSK) stated that requiring users to create a customer account to place orders is incompatible with the principle of data minimization. As part of its enforcement actions, the HmbBfDI examined multiple online shops in January 2025 and will continue to monitor their practices. Online shops which are considered a marketplace do not have to allow guest orders.

For more information: HmbBfDI Website [DE]

03/06/2025

Bavarian Supervisory Authority | Guidance | Article 28 GDPR

On March 6, 2025, the Bavarian Supervisory Authority (“BayLDA”) published an updated version of their guidance on the correct classification of data controllers and data processors.

The new guidance focuses on explaining the different legal criteria for the proper classification of controllers and processors, providing detailed elaborations on the exact wording of the GDPR to facilitate case-by-case decisions.

For further information: BayLDA Website [DE]

03/2025

German Supervisory Authorities | Activity Reports

In March 2025, several Supervisory Authorities published their annual Activity Reports.

In addition to the increasingly important interplay between AI regulations and the GDPR, the reports also focus on data protection in employment contexts. By way of example, the Supervisory Authority of Bremen (LfDI Bremen) highlighted that video surveillance of areas frequented by employees is only permissible in non-sensitive areas and always demands an assessment of interests. The Bavarian Supervisory Authority (LDA Bayern) recommends that the publishing of images of employees after their employment ends should be contractually agreed upon in advance to ensure GDPR compliance.

For further information: LfDI Baden-Württemberg Website [DE], LfDI Bremen Website [DE], LfDI Sachsen Website [DE] and LDA Bayern Website [DE]

02/25/2025

Higher Regional Court of Stuttgart | Judgement | Data Processing and Employment

In a recent decision (2 ORbs 16 Ss 336/24), the Higher Regional Court of Stuttgart (OLG Stuttgart) dealt with the so-called employee excess in data protection law. Of practical relevance is the OLG’s classification of when employees who process personal data for non-work purposes become data controllers themselves, thus replacing the employer as the addressee of potential GDPR fines.

If the data protection breach is committed deliberately and intentionally for reasons unrelated to work, the employee may be considered an independent controller, rather than merely acting contrary to the employer’s instructions.

For further information: Official Court Website [DE]

02/21/2025

Higher Administrative Court of Bavaria | Judgement | Access to Controller Agreements

On February 21, 2025, the Higher Administrative Court of Bavaria (VGH Bayern) ruled (7 ZB 24.651) that data subjects cannot demand access to data processing agreements as part of their information rights under Art. 15 GDPR.

Art. 15 GDPR only grants data subjects a right of access to their own personal data. The court argues that the supervisory authorities, and not the data subjects, are responsible for monitoring the application of the GDPR, including the data processing agreements between a controller and a processor and their requirements.

For further information: Official Court Website [DE]

Ireland

03/07/2025

Irish Supervisory Authority | Complaints | Data Access Requests

The Irish Supervisory Authority (“DPC”) has published a blog post on how it handles complaints related to data subjects’ access requests.

The DPC states that it regularly deals with complaints from data subjects concerned that their access requests have not been fulfilled. The authority details how it determines the validity of the restrictions that organizations use to refuse access requests, emphasizing that each restriction must be justified on an evidential basis.

For more information: DPC Website

03/05/2025

Irish Government | AI Act | Designation of Competent Authorities

The Irish Government approved the designation of eight public authorities as competent authorities, responsible for implementing and enforcing the AI Act.

These authorities are the Central Bank of Ireland, the Commission for Communications Regulation, the Commission for Railway Regulation, the Competition and Consumer Protection Commission, the Data Protection Commission, the Health and Safety Authority, the Health Products Regulatory Authority, and the Marine Survey Office of the Department of Transport. Additional authorities, as well as a lead regulator, will be designated through a forthcoming decision.

For further information: Irish Government Website

Netherlands

03/06/2025

Dutch Supervisory Authority | Public Consultation | Human Intervention in Algorithmic Decision-making

The Dutch Supervisory Authority (“AP”) launched a public consultation on the tools it has developed to enable meaningful human intervention in algorithmic decision-making.

The AP recalls that organizations using algorithmic decision-making must comply with the obligation to ensure human intervention. Such intervention must be meaningful — not merely symbolic — and designed to guarantee that decisions are made carefully, without discrimination. Organizations must also ensure that human intervention is not undermined by factors such as time pressure or lack of knowledge about the system.

For further information: AP Website [NL]

United Kingdom

03/28/2025

Information Commissioner’s Office | Guidance | Data Anonymisation

The Information Commissioner’s Office (“ICO”) has published new guidance on data anonymisation.

This guidance explains the distinction between anonymisation and pseudonymisation, discusses what should be considered when anonymizing personal data, provides good practice advice and case studies, and discusses technical and organisational measures to mitigate the risks to people. It applies to all mediums, including tabular data, free text, video, images, and audio.

For more information: ICO Website

03/27/2025

Information Commissioner’s Office | Fine | Hacker Attack

The Information Commissioner’s Office (“ICO”) imposed a fine of £3.07 million (approx. €3.67 million) on a computer software company for security failures that compromised the personal data of 79,404 individuals.

In 2022, the company suffered a ransomware attack that was initiated through a customer account. The attack affected personal data processed on behalf of multiple organizations, including the National Health Service and healthcare providers. The ICO found that the software provider failed to implement appropriate technical and organizational measures in accordance with Article 32 of the GDPR (e.g., lack of multi-factor authentication, insufficient vulnerability scanning, and inadequate patch management).

For more information: ICO Website

03/24/2025

Information Commissioner’s Office | Notice of Intent | Data Breach

The Information Commissioner’s Office (“ICO”) issued a notice of intent to fine a DNA testing company £4.59 million (EUR 5.5 million).

The ICO had launched a joint investigation with the Office of the Privacy Commissioner of Canada (“OPC”) after the company reported a data breach in October 2023. The breach concerned genetic information which the ICO considers is “among the most sensitive personal data that a person can entrust to a company”.

For more information: ICO Website

03/01/2025

Information Commissioner’s Office | Code of Practice | Children’s Data Protection

The Information Commissioner’s Office (“ICO”) has updated its Children’s Code of Practice to enhance the protection of children’s data in the digital world.

The revised code includes stronger guidelines for businesses regarding age-appropriate design and data minimization principles, aiming to ensure children’s privacy online. The code highlights the importance of high privacy by default settings, limitation of the processing of geolocation data, and switching off by default targeted advertisement for children.

For further information: ICO Code of practice and Press release


The following Gibson Dunn lawyers prepared this update: Ahmed Baladi, Vera Lukic, Kai Gesing, Joel Harrison; Thomas Baculard, Billur Cinar, Hermine Hubert, Christoph Jacob, and Yannick Oberacker.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:

Privacy, Cybersecurity, and Data Innovation:

United States:
Abbey A. Barrera – San Francisco (+1 415.393.8262, abarrera@gibsondunn.com)
Ashlie Beringer – Palo Alto (+1 650.849.5327, aberinger@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303.298.5774, rbergsieker@gibsondunn.com)
Keith Enright – Palo Alto (+1 650.849.5386, kenright@gibsondunn.com)
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, geyler@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, sgans@gibsondunn.com)
Lauren R. Goldman – New York (+1 212.351.2375, lgoldman@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Natalie J. Hausknecht – Denver (+1 303.298.5783, nhausknecht@gibsondunn.com)
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, jhorvath@gibsondunn.com)
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, mkutscherclark@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415.393.8395, klinsley@gibsondunn.com)
Timothy W. Loose – Los Angeles (+1 213.229.7746, tloose@gibsondunn.com)
Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Rosemarie T. Ring – San Francisco (+1 415.393.8247, rring@gibsondunn.com)
Ashley Rogers – Dallas (+1 214.698.3316, arogers@gibsondunn.com)
Sophie C. Rohnke – Dallas (+1 214.698.3344, srohnke@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650.849.5395, bwagner@gibsondunn.com)
Frances A. Waldmann – Los Angeles (+1 213.229.7914, fwaldmann@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213.229.7472, dwongyang@gibsondunn.com)

Europe:
Ahmed Baladi – Paris (+33 1 56 43 13 00, abaladi@gibsondunn.com)
Patrick Doris – London (+44 20 7071 4276, pdoris@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Joel Harrison – London (+44 20 7071 4289, jharrison@gibsondunn.com)
Lore Leitner – London (+44 20 7071 4987, lleitner@gibsondunn.com)
Vera Lukic – Paris (+33 1 56 43 13 00, vlukic@gibsondunn.com)
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, lpetersen@gibsondunn.com)
Christian Riis-Madsen – Brussels (+32 2 554 72 05, criis@gibsondunn.com)
Robert Spano – London/Paris (+44 20 7071 4000, rspano@gibsondunn.com)

Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)

© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

Europe

02/26/2025

European Parliament | Report | Algorithmic Discrimination

The European Parliament published a report on algorithmic discrimination under the AI Act and the GDPR.

The Parliament underlines the legal uncertainties regarding the interaction between the AI Act and the GDPR. Indeed, the AI Act allows processing of special categories of personal data to detect and correct bias, while the GDPR imposes stricter conditions on such data usage, potentially limiting AI bias mitigation efforts.

For further information: European Parliament Report

02/26/2025

Court of Justice of the European Union | Decision | Automated Decision-making System

The Court of Justice of the European Union (“CJEU”) ruled that when their data is used by automated decision-making systems, data subjects may require the controller to explain the procedure and principles actually applied when processing personal data to obtain a specific result.

The decision stems from a case filed by an Austrian customer who was denied a mobile phone contract based on an automated decision-making system. The Court highlighted that when asked by data subjects to provide explanations, information should be provided in a “concise, transparent, intelligible and easily accessible form”. This decision also addresses the concept of trade secrets.

For further information: CJEU Decision

02/13/2025

Court of Justice of the European Union | Decision | Calculation of GDPR Fines

The Court of Justice of the European Union (“CJEU”) clarified the calculation of fines for undertakings (C-383/23).

The CJEU considers that the maximum amount of the fine that can be imposed on an undertaking must be determined “on the basis of a percentage of the undertaking’s total worldwide annual turnover in the preceding business year”.

For further information: CJEU Decision

02/04/2025

Cyber Solidarity Act | Entry Into Force | High Critical Sectors Concerned

On February 4, 2025, the Cyber Solidarity Act entered into force.

This regulation enhances the EU’s capacity to prepare for, detect, and respond to cybersecurity incidents. Entities operating in highly critical sectors or other critical sectors, as defined by Directive (EU) 2022/2555 (NIS 2), may be required to undergo “coordinated preparedness testing” to verify their compliance with minimum standards and expectations for critical services and infrastructure.

For further information: Commission Website and Cyber Solidarity Act

France

02/26/2025

CNIL | Work Program | Connected Vehicles

The French Supervisory Authority (“CNIL”) published the “compliance committee” work program for 2025 on connected vehicles and location data.

The committee’s work focuses on the use of location data from connected vehicles and will lead to the drafting of a recommendation which will soon be published for public consultation. Because of the lack of legal certainty surrounding the use of dashcams and the associated privacy risks, the committee’s work program for 2025 is dedicated to the use of these devices by private individuals.

For further information: CNIL Press release [FR]

02/07/2025

French Supervisory Authority | Recommendations | Artificial Intelligence

On February 7, 2025, the French Supervisory Authority (“CNIL”) published two new recommendations on how AI should be used to comply with GDPR requirements.

The CNIL’s first recommendation focuses on data subject information and essentially provides that companies must ensure individuals are given sufficient information at the appropriate moment and that the processing of their data is entirely transparent. More specifically, it provides examples of information notices to be used in relation to web scraping or the development of GPAI models. The second recommendation focuses on data subject rights and provides specific details on how companies can deal with their requests, whether they apply to training data or to the model more generally.

For further information: CNIL Recommendations on Right of information, and Data subjects’ rights [FR]

02/05/2025

French Supervisory Authority | GDPR | 2024 Report

The French Supervisory Authority (“CNIL”) has published a 2024 report on sanctions issued during the year.

The report provides that a total of 331 decisions were handed down, including 87 sanctions, for a total of 55,212,400 euros in fines, 180 formal notices and 64 reminders of legal obligations. The recurring breaches found usually concern commercial prospecting and health data.

For further information: CNIL Report [FR]

01/31/2025

French Supervisory Authority | GDPR | Access Right

On January 31, 2025, the French Supervisory Authority (“CNIL”) updated its guidance on employees’ right of access to their work-related data and emails.

In this update, the authority clarifies that if a request involves a very large number of emails (though it did not define what constitutes “very large”), the employer may first provide the employee with a summary table listing the relevant messages. This allows the employee to specify which content they wish to receive. However, given the lack of further clarification, it appears that if the employee does not specify the data they want, the employer remains obligated to provide all the requested data unless the employer identifies an actual risk to third-party rights. Moreover, the French Authority published a case-law summary regarding the GDPR access right.

For further information: CNIL Guidance and Case-law Summary [FR]

Germany

02/14/2025

German Supervisory Authorities | Investigation | AI and Privacy

On February 14, 2025, several German Data Protection Supervisory Authorities announced a coordinated investigation into an AI provider.

Several German state data protection supervisory authorities, including those from Rhineland-Palatinate, Baden-Württemberg, Thuringia, Saxony-Anhalt, Hesse, Bremen, and Berlin, initiated coordinated investigations into the AI provider. This collaborative effort aims to ensure compliance with Article 27(1) of the General Data Protection Regulation (GDPR), which mandates that companies not established in the European Union appoint a representative within the EU. This effort underscores the impact of GDPR enforcement on AI development. In addition to this investigation, the Lower Saxony Supervisory Authority (“LfD Niedersachsen”) published a statement on February 21, 2025, drawing attention to the risks associated with the use of the Chinese AI-powered chatbot. The LfD Niedersachsen pointed out in particular that according to the privacy policy of the company providing the chatbot, user inputs including the uploaded documents are recorded, transmitted, stored and analyzed without any restriction.

For more information: Website of the Baden Württemberg Supervisory Authority [DE] and Website of the Lower Saxony Supervisory Authority [DE]

02/12/2025

Bremen Supervisory Authority | Recommendation | AI and Privacy

On February 12, 2025, the Data Protection Authority of Bremen (LfD Bremen) provided recommendations on the use of AI applications from providers outside the European Union that have not appointed a legal representative in the EU.

The LfD Bremen recommends, in order to ensure compliance with data protection regulations and mitigate risks associated with AI applications, to select AI providers who demonstrate transparency and provide documentation confirming GDPR compliance. Before installing AI models, the user should ensure that no personal data can be leaked, for example through a secure IT environment. According to the LfD Bremen, inputs of personal or confidential data into online interfaces should be avoided unless effective protective measures are in place. Users, especially workers, should be made aware of the risks involved, and AI competence as required by Article 4 of the AI Regulation from February 2, 2025, should be ensured. If the AI provider is based outside the EU, they should appoint a representative under Article 27 GDPR to facilitate the enforcement of data subjects’ rights and failure to do so can result in fines under Article 83(4) GDPR.

For more information: Website of the Bremen Supervisory Authority [DE]

01/29/2025

German Federal Administrative Court | Judgement | Advertisement

On January 29, 2025, the German Federal Administrative Court (BVerwG) ruled on the interplay of data processing under Article 6(1)(f) GDPR and consent for advertisement necessary under German competition law.

The BVerwG ruled that processing the contact data of dental practices taken from publicly accessible sources for the purpose of telephone advertising without at least presumed consent is impermissible. The court held that merely obtaining contact details from publicly accessible directories to conduct phone advertising does not constitute a legitimate interest under Article 6(1)(f) GDPR unless there is at least implied consent from the data subjects per § 7 Sec 2 No 1 UWG. Consequently, the company’s appeal was denied, as the interest in data processing for phone advertising did not outweigh the privacy protection guaranteed by GDPR and national law. The court confirmed that the prohibition on such data processing remains justified under the current legal framework, given its alignment with the need to protect the privacy of individuals from unsolicited advertising.

For more information: Official Court Website [DE]

Sweden

02/18/2025

Swedish Supervisory Authority | GDPR Guidance | Impact Assessment

On February 18, 2025, the Swedish Supervisory Authority (“IMY”) published a guidance on impact assessments.

The guidance consists of a practical guide and an annex with legal interpretative support.

For further information: IMY Website [SV] and Guidance for Impact Assessment [SV]

02/04/2025

Stockholm Administrative Court | Fine | Cookies

In February 2025, the Stockholm Administrative Court upheld a SEK 13 million (approx. €1.16M) fine against a media company for failure to comply with the principle of lawfulness provided under the GDPR.

The company was relying on legitimate interests for the processing of personal data collected via cookies. Such data was combined with purchase history and third-party data for creating profiles, including for marketing purposes. The court ruled that legitimate interest cannot serve as a legal basis and therefore upheld the administrative fine imposed by the Swedish Supervisory Authority (“IMY”). In its decision, the IMY stated that pursuant to Article 5(3) of the ePrivacy Directive, consent was required for the collection of data via cookies. This is the first publicly known case in Sweden where IMY explicitly referenced Article 5(3) of the ePrivacy Directive in its reasoning for a GDPR fine.

For further information: Stockholm Administrative Court Website [SV]

Switzerland

02/03/2025

Federal Data Protection and Information Commissioner | Guidelines | Cookies

The Swiss Supervisory Authority (“FDPIC”) published its guidelines on data processing using cookies and similar technologies.

The FDPIC describes the data protection requirements controllers must abide by when using cookies and similar technologies.

For further information: FDPIC Website

United Kingdom

02/22/2025

Information Commissioner’s Office | Report | Technologies

The Information Commissioner’s Office (“ICO”) published its Tech Horizons report of 2025.

The ICO’s Tech Horizons report examines emerging technologies and the regulatory challenges they face from a privacy perspective. This third edition of the report focuses on four technologies: connected transport; quantum sensing and imaging; digital diagnosis, therapeutics and healthcare infrastructure; and synthetic media and its identification and detection.

For further information: ICO Website

02/10/2025

Information Commissioner’s Office | Response | Data (Use and Access) Bill

The Information Commissioner’s Office (“ICO”) published its updated response to the Data (Use and Access) (DUA) Bill.

The ICO welcomed the recent changes introduced to the Bill and expressed its position on some of the recent amendments, including those related to the protection of children’s data and the expansion of the soft opt-in in direct marketing to cover charities.

For further information: ICO Website

02/06/2025

Information Commissioner’s Office | Guidance | Employment Practices and Data Protection

On February 5, 2025, the Information Commissioner’s Office (“ICO”) issued new guidance for employers on the management of employment records.

The guidance addresses key questions employers may encounter in relation to the collection, retention and use of employment records. For instance, the guidance covers various questions including: what lawful bases might apply to employment records, when employers can share workers’ personal data with other people or organizations, and how employers can handle sickness and injury records.

For further information: ICO Guidance

The following Gibson Dunn lawyers prepared this update: Partners: Ahmed Baladi, Vera Lukic, Joel Harrison, and Kai Gesing; Associates: Thomas Baculard, Billur Cinar, Hermine Hubert, and Christoph Jacob.


Europe

01/20/2025

European Data Protection Board | Case Digest & Report | Right of Access

The European Data Protection Board (“EDPB”) has published a “One-Stop-Shop case digest on right of access” and a report on the “Implementation of the right of access by controllers”.

On January 16, 2025, the EDPB published a case digest providing examples on the exercise of the right of access in different contexts and analyzes, in this respect, national Supervisory Authorities’ (SAs) decisions under the one-stop-shop mechanism. In addition, on January 20, 2025, the EDPB released a report on the “Implementation of the right of access by controllers”. The report aggregates the findings of the SAs on the level of compliance of organizations regarding Article 15 of the GDPR, following a survey they conducted among 1,185 controllers from different sectors.

For more information: EDPB Website (Case Digest) and EDPB Website (Report)

01/17/2025

European Data Protection Board | Guidelines | Pseudonymization

The European Data Protection Board (“EDPB”) has published new guidelines on pseudonymization.

The guidelines aim to clarify in particular the definition of pseudonymization, its objectives and benefits. They also provide guidance on the technical and organizational measures to be implemented to ensure its effectiveness, as well as examples of how pseudonymization is applied in real-world scenarios. The guidelines are under public consultation until February 28, 2025.

For more information: EDPB Website

01/17/2025

European Data Protection Board | Position Paper | Competition law

The European Data Protection Board (“EDPB”) has published a position paper regarding the interplay between data protection and competition law.

The EDPB recognizes that data protection and competition law have different legal frameworks but carry nonetheless many commonalities, such as the protection of individuals and their decision making. It stresses the importance of the cooperation between the data protection and competition authorities, and of a better understanding of related concepts in both areas, in order to improve consistency and efficiency.

For more information: EDPB Website

01/17/2025

European Commission | Regulation | Digital Operational Resilience Act

The Digital Operational Resilience Act (“DORA”) is applicable as of January 17, 2025.

As a reminder, the DORA lays down new requirements for the security of network and information systems in the financial sector.

For more information: Official Journal of the EU

01/15/2025

European Data Protection Supervisor | Concept Note | Digital Clearinghouse

The European Data Protection Supervisor (“EDPS”) published a concept note proposing the creation of the Digital Clearinghouse (“DCH”) 2.0.

The DCH was conceived by the EDPS as a voluntary network to promote coherent enforcement of EU legislation in the digital sector. With the DCH 2.0, the EDPS suggests turning this initiative into a forum with a permanent secretariat in order to identify cross-regulatory areas and allow interested authorities to exchange information and coordinate their efforts.

For more information: EDPS website

01/09/2025

Court of Justice of the European Union | Judgment | Concepts of a ‘Request’ and ‘Excessive Requests’

On January 9, 2025, the Court of Justice of the European Union (“CJEU”) provided clarifications on the concepts of a ‘request’ and ‘excessive requests’ in a preliminary ruling in a case concerning the Austrian Supervisory Authority.

The CJEU held that (i) the notion of “request” under Article 57(4) of the GDPR should be understood as including complaints lodged with the authority; (ii) the concept of “excessiveness” must be interpreted restrictively, and the authority must demonstrate that the excessive character of the requests stems from the applicant’s abusive intent; and (iii) when faced with excessive requests, the authority may choose between charging a reasonable fee and refusing to act on the requests.

For more information: Curia

01/09/2025

Court of Justice of the European Union | Judgment | Title and Gender Identity

On January 9, 2025, the CJEU published its judgment in Case C‑394/23, ruling that collecting a customer’s gender identity (via a civil title) is not necessary for the purchase of a rail transport ticket.

The CJEU examined the legal bases of contractual necessity and legitimate interests and clarified that processing relying on them is lawful only if it is actually necessary for the contract or the legitimate interest pursued. It ruled that personalizing commercial communications based on a presumed gender identity, inferred from a customer’s civil title, is not necessary, as it is not essential for the performance of a rail transport contract and could create a risk of discrimination based on gender identity.

For more information: Curia

France

01/31/2025

French Supervisory Authority | Guidelines | Transfer Impact Assessment

The French Supervisory Authority (“CNIL”) published the final version of its guidelines on Transfer Impact Assessments (“TIA”) to help organizations comply with the GDPR when transferring data to third countries.

The CNIL’s guidelines outline a methodology for evaluating the level of protection in the third country, assessing the legal and practical risks of the transfer, and implementing supplementary measures where necessary.

For more information: CNIL Website

01/28/2025

French Supervisory Authority | Guidelines | Data Breach

The French Supervisory Authority (“CNIL”) published guidelines on personal data security.

In 2024, the CNIL saw a 20% increase in data breaches notified to it compared to the previous year. It has issued these guidelines to help organizations prevent and manage data breaches, cybersecurity being one of its priorities for 2025-2028.

For more information: CNIL Website [FR]

01/23/2025

French Supervisory Authority | GDPR | Publicly Available Databases

On January 23, 2025, the French Supervisory Authority (“CNIL”) published an article on its website outlining the checks controllers must carry out when using publicly available or third-party databases.

Data controllers must ensure that the database complies with the GDPR and other relevant rules, such as information system security and intellectual property law. Key considerations include whether the individuals consented to the processing and whether it rests on a valid legal basis, especially for sensitive data or data relating to criminal offences. Additionally, the CNIL recommends formalizing the relationship with the data provider through a contract.

For further information: CNIL Website [FR]

01/16/2025

French Supervisory Authority | Action Plan | Children, AI, cybersecurity and digital

The French Supervisory Authority (“CNIL”) published its strategic action plan for 2025 to 2028.

The CNIL will focus on four main priorities: AI, children’s online privacy, cybersecurity, and daily digital use (mobile applications and digital identity). The CNIL plans to diversify its support for organizations and strengthen its dialogue with stakeholders in these areas.

For more information: CNIL Website [FR]

Germany

01/15/2025

Higher Regional Court of Karlsruhe | Judgment | Right to Erasure

On January 15, 2025, the Higher Regional Court of Karlsruhe (OLG Karlsruhe) ruled on the right to erasure and the possibility of retaining personal data for use in future legal disputes.

The OLG Karlsruhe ruled that companies cannot indefinitely store personal data for potential future claims if the underlying incident has already been the subject of legal proceedings. The court held that once data are no longer necessary for the purpose for which they were collected, they must be deleted. Even if future claims are possible, more than a merely theoretical possibility that such claims will be pursued is required to justify continued storage under Article 17(3)(e) GDPR and to deny the right to erasure. The decision emphasized that the mere abstract possibility of future claims is not sufficient for data retention.

For more information: Official Court Website [DE]

Italy

01/31/2025

Italian Supervisory Authority | Temporary Ban | Chatbot

The Italian Supervisory Authority (“Garante”) imposed a temporary ban on an AI-powered chatbot service.

This follows a request for information addressed by the Garante to the companies providing the chatbot service. According to the Garante, the responses communicated by the companies were not satisfactory. In addition to the limitation order on the processing of Italian users’ data, the Garante opened an investigation.

For more information: Garante Website

Spain

01/14/2025

Spanish Council of Ministers | Transposition | NIS 2 Directive

The Spanish Council of Ministers approved the Draft Law on Coordination and Governance of Cybersecurity, transposing the NIS 2 Directive.

The Draft Law specifies the public and private entities that fall under the scope of the NIS 2 Directive as well as their obligations in terms of cybersecurity (such as incident notification). It also designates several national supervisory authorities for enforcement purposes, and creates the National Cybersecurity Centre, which will be the sole point of contact with the European Union and be in charge of intersectoral and cross-border cooperation.

For more information: Ministry of Interior Website [ES]

United Kingdom

01/23/2025

UK Supervisory Authority | Online Tracking | 2025 Strategy

The UK Supervisory Authority (“ICO”) has introduced its 2025 online tracking strategy.

The strategy aims to ensure that individuals have control over tracking in the context of online advertising. The ICO’s plan of action includes publishing guidance on subjects such as ‘consent or pay’ models and the Internet of Things, and engaging with actors across the advertising ecosystem (website publishers, consent management platforms, app developers, connected TV manufacturers) to promote and ensure compliance with the law. The ICO will also investigate data management platforms connecting advertisers and publishers.

For more information: ICO Website


The following Gibson Dunn lawyers prepared this update: Partners: Ahmed Baladi, Vera Lukic, and Kai Gesing; Associates: Thomas Baculard, Billur Cinar, Hermine Hubert, and Christoph Jacob.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation practice groups:

Privacy, Cybersecurity, and Data Innovation:

United States:
Ashlie Beringer – Co-Chair, Palo Alto (+1 650.849.5327, aberinger@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303.298.5774, rbergsieker@gibsondunn.com)
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, geyler@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, sgans@gibsondunn.com)
Lauren R. Goldman – New York (+1 212.351.2375, lgoldman@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Natalie J. Hausknecht – Denver (+1 303.298.5783, nhausknecht@gibsondunn.com)
Jane C. Horvath – Co-Chair, Washington, D.C. (+1 202.955.8505, jhorvath@gibsondunn.com)
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, mkutscherclark@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415.393.8395, klinsley@gibsondunn.com)
Timothy W. Loose – Los Angeles (+1 213.229.7746, tloose@gibsondunn.com)
Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Rosemarie T. Ring – Co-Chair, San Francisco (+1 415.393.8247, rring@gibsondunn.com)
Ashley Rogers – Dallas (+1 214.698.3316, arogers@gibsondunn.com)
Sophie C. Rohnke – Dallas (+1 214.698.3344, srohnke@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650.849.5395, bwagner@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213.229.7472, dwongyang@gibsondunn.com)

Europe:
Ahmed Baladi – Co-Chair, Paris (+33 (0) 1 56 43 13 00, abaladi@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Joel Harrison – Co-Chair, London (+44 20 7071 4289, jharrison@gibsondunn.com)
Lore Leitner – London (+44 20 7071 4987, lleitner@gibsondunn.com)
Vera Lukic – Paris (+33 (0) 1 56 43 13 00, vlukic@gibsondunn.com)
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, lpetersen@gibsondunn.com)
Robert Spano – London/Paris (+44 20 7071 4000, rspano@gibsondunn.com)

Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)

© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

Personal Data | Cybersecurity | Data Innovation

Europe

03/14/2023 – European Union Agency for Cybersecurity | Report | Cybersecurity of AI and Standardisation

On 14 March 2023, the European Union Agency for Cybersecurity published a report on Cybersecurity of AI and Standardisation.

The objective of the report is to provide an overview of standards (existing, being drafted, under consideration and planned) related to cybersecurity of artificial intelligence, assess their scope and identify gaps in standardisation.

For further information: ENISA Website


03/14/2023 – European Parliament | Regulation | Data Act

On 14 March 2023, the European Parliament adopted the draft Data Act.

The Data Act aims to boost innovation by removing barriers obstructing access by consumers and businesses to data.

For further information: European Parliament Website


02/28/2023 – European Data Protection Board | Opinion | EU-US Data Privacy Framework

On 28 February 2023, the European Data Protection Board adopted its opinion on the draft adequacy decision regarding the EU-US Data Privacy Framework.

The European Data Protection Board welcomes substantial improvements such as the introduction of requirements embodying the principles of necessity and proportionality for US intelligence gathering of data and the new redress mechanism for EU data subjects. At the same time, it expresses concerns and requests clarifications on several points.

For further information: EDPB Website


02/24/2023 – European Data Protection Board | Guidelines | Transfers, Certification and Dark Patterns

On 24 February 2023, the European Data Protection Board published the final versions of three sets of guidelines.

Following public consultation, the European Data Protection Board has adopted three sets of guidelines in their final version: the Guidelines on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V GDPR; the Guidelines on certification as a tool for transfers; and the Guidelines on deceptive design patterns in social media platform interfaces.

For further information: EDPB Website


02/15/2023 – European Commission | Decision | Whistleblowing

On 15 February 2023, the European Commission announced its decision to refer eight Member States to the Court of Justice of the European Union for failing to transpose Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law by the 17 December 2021 deadline.

The relevant Members States include the Czech Republic, Germany, Estonia, Spain, Italy, Luxembourg, Hungary, and Poland.

For further information: European Commission Website


01/18/2023 – European Data Protection Board | Report | Cookie Banner Taskforce 

On 18 January 2023, the European Data Protection Board adopted its final report of the cookie banner task force.

The French Supervisory Authority and its European counterparts adopted the report summarizing the conclusions of the task force in charge of coordinating the responses to the questions on cookie banners raised by the complaints of the None Of Your Business association. The main points of attention discussed concern the modalities for accepting and refusing the storage of cookies and the design of banners.

For further information: EDPB Website


01/16/2023 – European Union | Regulation | Digital Operational Resilience Act 

The Digital Operational Resilience Act (“DORA”) entered into force on 16 January 2023.

The DORA aims to ensure that financial-sector information and communication technology (“ICT”) systems can withstand security threats and that third-party ICT providers are monitored.

For further information: Official Journal Website


01/12/2023 – Court of Justice of the European Union | Decision | Right of access

On 12 January 2023, the Court of Justice of the European Union ruled that everyone has the right to know to whom their personal data has been disclosed.

The data subject’s right of access to personal data under the GDPR entails, where those data have been or will be disclosed to recipients, an obligation on the part of the controller to provide the data subject with the actual identity of those recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive within the meaning of the GDPR, in which cases the controller may indicate to the data subject only the categories of recipient in question.

For further information: Press Release


Austria

02/01/2023 – Austrian Parliament | National Council | Whistleblowing 

On 1 February 2023, Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (“the Whistleblowing Directive”) was implemented by the Austrian National Council.

For further information: Austrian Parliament Website


Belgium

02/15/2023 – House of Representatives | Legislation | Whistleblowing 

On 15 February 2023, the Whistleblowing law for the private sector which partially transposes the Whistleblowing Directive entered into force.

For further information: Whistleblowing Law


Bulgaria

01/27/2023 – Bulgarian National Assembly | Legislation | Whistleblowing 

On 27 January 2023, the Bulgarian National Assembly adopted the Whistleblower Protection and Public Disclosure Act (“PWIPDA”) transposing the Whistleblowing Directive.

For further information: CPDP Website [BG]


Czech Republic

03/07/2023 – Czech Supervisory Authority | FAQ | Cookies

On 7 March 2023, the Czech Supervisory Authority (“UOOU”) published a FAQ on cookie banners and consent.

For further information: UOOU Website [CZ]


Denmark

02/20/2023 – Danish Supervisory Authority | Decision | Cookie Walls 

The Danish Supervisory Authority issued two decisions regarding the use of cookie walls on websites and published general guidelines for the use of such consent solutions.

The Danish Supervisory Authority generally found that a method whereby the website visitor can access the content of a website in exchange for either consenting to the processing of his or her personal data or paying an access fee meets the requirements of the data protection rules for valid consent.

For further information: Danish DPA Website [DK]


01/20/2023 – Danish Supervisory Authority | Guidelines | Storage and Consent 

On 20 January 2023, the Danish Supervisory Authority published guidance on the storage of personal data for the purpose of being able to demonstrate compliance with the data protection rules on consent.

For further information: Danish DPA Website [DK]


Finland

02/17/2023 – Finnish Supervisory Authority | Sanction | GDPR Violation 

On 17 February 2023, the Finnish Supervisory Authority issued an administrative fine of €440,000 against a company for failing to comply with the authority’s order to rectify its practices.

In particular, the authority stated that the company failed to erase inaccurate payment default entries saved into the credit information register due to inadequate practices. The authority stresses that the processing of payment default information has a significant impact on the rights and freedoms of individuals.

For further information: Finnish DPA Website


France

03/28/2023 – French Supervisory Authority | Sanction | Geolocation Data

On 28 March 2023, the French Supervisory Authority (“CNIL”) announced that it had imposed a fine of €125,000 on a scooter rental company because it geolocated its customers almost continuously.

The CNIL found failures to comply with several obligations, namely the obligations to ensure data minimization, to put in place a contractual framework governing the processing operations carried out by a processor, and to inform users and obtain their consent before writing or reading information on their personal devices.

For further information: CNIL Website


03/15/2023 – French Supervisory Authority | Investigation | Smart Cameras

On 15 March 2023, the French Supervisory Authority (“CNIL”) announced setting “smart” cameras, mobile apps, bank and medical records as priority topics for investigations in 2023.

The CNIL carries out investigations on the basis of complaints received and current events, but also on annual priority topics. In 2023, it will focus on the use of “smart” cameras by public actors, the use of the personal credit repayment incidents file, the management of health records and mobile apps.

For further information: CNIL Website


02/09/2023 – French Supervisory Authority | Guidance | Data Governance Act

On 9 February 2023, the French Supervisory Authority (“CNIL”) published guidance on the economic challenges of implementing the Data Governance Act.

For further information: CNIL Website


01/26/2023 – French Supervisory Authority | Statement | Artificial Intelligence

On 26 January 2023, the French Supervisory Authority (“CNIL”) announced creating an Artificial Intelligence (“AI”) Department and starting to work on learning databases.

The CNIL is creating an AI Department to strengthen its expertise on these systems and its understanding of the risks to privacy while preparing for the implementation of the European regulation on AI. In addition, the CNIL has announced that it will propose initial recommendations on machine learning databases.

For further information: CNIL Website


01/24/2023 – Ministry of Home Affairs | Legislation | Cyberattack Risk Insurance

On 24 January 2023, the French Parliament adopted the LOPMI Act that authorizes the insurability of “cyber-ransoms” paid by victims, subject to the prompt filing of a complaint.

For further information: LOPMI


01/04/2023 – French Supervisory Authority | Sanction | Consent 

On 4 January 2023, the French Supervisory Authority (“CNIL”) imposed an €8 million administrative fine on a technology company because it did not collect the consent of French users before depositing and/or writing identifiers used for advertising purposes on their terminals.

The CNIL found that the advertising targeting settings were pre-checked by default. Moreover, the user had to perform a large number of actions in order to deactivate this setting.

The CNIL justified the amount of the fine by reference to the scope of the processing, the number of people concerned in France, the profits the company made from advertising revenues indirectly generated from data collected via these identifiers, and the fact that the company has since reached compliance.

For further information: CNIL Website


01/17/2023 – French Supervisory Authority | Sanction | Consent

On 17 January 2023, the French Supervisory Authority (“CNIL”) imposed a €3 million fine on a company which publishes video games for smartphones.

The company was using an essentially technical identifier for advertising purposes without the user’s consent.

For further information: CNIL Website


Germany

03/22/2023 – Supervisory Authorities | Opinion | “Pure Subscription Models”

The Conference of the Independent Data Protection Authorities of Germany (DSK) adopted an opinion on so-called “pure subscription models” on websites.

The opinion assesses pure (no-tracking) subscription models and alternative free consent-based tracking models and provides criteria to assess these alternative access instruments on websites.

For further information: DSK Website [DE]


03/15/2023 – Supervisory Authorities | BfDI | Activity Report

The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Ulrich Kelber, has presented the BfDI’s Activity Report for 2022.

For further information: BfDI [DE]


03/15/2023 – Supervisory Authorities | Activity Reports

The Commissioners for Data Protection and Freedom of Information of Baden-Württemberg, Hamburg and Schleswig Holstein have presented their activity reports on the year 2022.

The activity reports cover various data protection and freedom of information topics. For example, in Schleswig-Holstein data breaches remained frequent while the number of complaints dropped, with video surveillance being the main cause of complaints. The reports emphasize the need to proactively address risks such as artificial intelligence and data sharing.

For further information: ULD Website [DE] and LfDI-BW Website [DE] and HmbBfDI Website [DE]


03/01/2023 – Supervisory Authorities | Opinion | EU-US Data Privacy Framework

The Hamburg Supervisory Authority (on 1 March 2023) and the German Federal Supervisory Authority (BfDI, on 28 February 2023) both issued an opinion on the draft adequacy decision on the EU-US Data Privacy Framework.

For further information: Bundestag Website [DE] and BfDI [DE]


02/13/2023 – German Competition Authority | Decision | US Data Transfers

On 13 February 2023 the German Competition Authority (“BKartA”) issued a ruling on data transfers under the GDPR.

In particular, the authority ruled that a company relying on the German subsidiary of a US parent company as a data processor cannot be excluded from a tender procedure on the basis of possible violations of the GDPR.

For further information: BKartA Website [DE]


02/09/2023 – ArbG Oldenburg | Decision | Claim for Damages

On 9 February 2023, the Oldenburg Labor Court ordered a company to pay a former employee €10,000 in damages under Article 82 of the GDPR for failing to comply with an access request under Article 15(1) of the GDPR, without requiring the employee to establish any additional (immaterial) harm.

In the opinion of the court the violation of the GDPR itself already resulted in immaterial harm to be compensated; according to the court, no additional proof of harm was required.


Italy

03/30/2023 – Italian Supervisory Authority | Temporary limitation | AI Chatbot 

The Italian Supervisory Authority (“Garante”) imposed an immediate temporary limitation on the processing of Italian users’ data by a US-based company developing and operating an AI chatbot.

The Garante opened a probe over a suspected breach of GDPR. The authority alleged “the absence of any legal basis that justifies the massive collection and storage of personal data in order to ‘train’ the algorithms underlying the operation of the platform”. The authority also accused the company of failing to check the age of its users.

For further information: Garante Website [IT]


03/09/2023 – Council of Ministers | Legislation | Whistleblowing

On 9 March 2023, the Italian Council of Ministers approved the whistleblowing legislative decree.

The Council of Ministers announced the approval, after final review, of the legislative decree transposing the Whistleblowing Directive into Italian law.

For further information: Governo Italiano Website [IT]


02/21/2023 – Italian Supervisory Authority | Sanction | Marketing Practices 

The Italian Supervisory Authority (“Garante”) announced, on 21 February 2023, that it issued, on 15 December 2022, a €4.9 million fine against an energy company for various non-compliances with the GDPR, including unlawful marketing practices.

For further information: Garante Website [IT]


02/03/2023 – Italian Supervisory Authority | Temporary limitation | AI Chatbot

The Italian Supervisory Authority (“Garante”) issued an order on an AI chatbot noting that tests performed identified risks for minors and vulnerable individuals.

The US-based developer was ordered to terminate processing of data relating to Italian users and to inform the Garante within 20 days on any measures taken to implement its orders.

For further information: Garante Website


Ireland

02/27/2023 – Irish Supervisory Authority | Sanction | Security

On 27 February 2023, the Irish Supervisory Authority (“DPC”) imposed a fine of €750,000 on a banking company for inadequate data security measures.

The inquiry was initiated after the notification to the DPC of a series of 10 data breaches. In this context, the DPC found that the technical and organizational measures in place at the time were not sufficient to ensure the security of the personal data processed.

For further information: DPC Website


02/23/2023 – Irish Supervisory Authority | Sanction | Security

On 23 February 2023, the Irish Supervisory Authority (“DPC”) imposed a €460,000 fine against a health care provider.

The DPC initiated an enquiry after receiving a personal data breach notification related to a ransomware attack affecting patient data (70,000 people). The DPC considered that the health care provider failed to ensure that the personal data were processed in a manner that ensured appropriate security.

For further information: DPC Website


01/16/2023 – Irish Supervisory Authority | Sanction | CCTV

On 16 January 2023, the Irish Supervisory Authority (“DPC”) imposed a €50,000 fine and a temporary ban on the processing of personal data with CCTV cameras on a company for violations of the GDPR.

For further information: DPC Website


Netherlands

02/22/2023 – Dutch Supervisory Authority | Statement | Camera Settings

The Dutch Supervisory Authority (“AP”) published a statement on changes made by a car manufacturer in the settings of the built-in security cameras of its cars, following an investigation of these cameras by the AP.

For instance, the car may still take camera images, but only when the user activates that function.

For further information: AP Website [NL]


02/18/2023 – House for Whistleblowers | Legislation | Whistleblowing

On 18 February 2023, the House for Whistleblowers announced the entry into force of the Whistleblower Protection Act.

For further information: AP Website [NL]


Norway

03/01/2023 – Norwegian Supervisory Authority | Preliminary conclusion | Analytics Tool

On 1 March 2023, the Norwegian Supervisory Authority (“Datatilsynet”) published its preliminary conclusion in a case concerning the use of a US-based company’s analytics tool, finding that the use of this tool is not in line with the GDPR.

For further information: Datatilsynet Website [NO]


02/06/2023 – Norwegian Supervisory Authority | Sanction | GDPR Violation

On 6 February 2023, the Norwegian Supervisory Authority (“Datatilsynet”) fined a company operating fitness centers NOK 10 million (approximately €912,940) for various GDPR violations (e.g., lawfulness of processing, transparency and data subjects rights).

For further information: Datatilsynet Website [NO]


Portugal

01/27/2023 – Portuguese Supervisory Authority | Guidelines | Security Measures

The Portuguese Supervisory Authority (“CNPD”) published guidelines on security measures in order to minimize consequences in case of attacks on information systems.

In light of the increase in cyberattacks on information systems, the guidelines aim to inform controllers and processors of their legal obligations and list the organizational and technical measures that organizations must consider.

For further information: Press release [PT]


Romania

03/28/2023 – President of Romania | Legislation | Whistleblowing 

Law No. 67/2023, which amends Article 6(2) of Law No. 361/2022 on the protection of whistleblowers in the public interest, was published in the Official Gazette on 28 March 2023 and entered into force on 31 March 2023.

For further information: CDEP Website [RO]


Spain

03/16/2023 – Spanish Supervisory Authority | Sanction | Data Minimization 

The Spanish Supervisory Authority (“AEPD”) published, on 16 March 2023, its decision in which it imposed a fine of €100,000 on a telecommunications company for violation of the data minimization principle.

For further information: AEPD Website [ES]


03/15/2023 – Spanish Supervisory Authority | Sanction | GDPR Violation

The Spanish Supervisory Authority (“AEPD”) fined a bank €100,000 for violation of the GDPR.

In particular, the bank used the information provided by the claimant and her child to open several accounts in the name of the child without consent and while it was not necessary for the services requested.

For further information: AEPD Website [ES]


03/15/2023 – Spanish Supervisory Authority | Sanction | Data Portability

The Spanish Supervisory Authority (“AEPD”) published, on 15 March 2023, a decision in which it imposed a fine of €136,000 on a telecommunications company for completing a data portability request without ensuring the security of the personal data of the client.

For further information: AEPD Website [ES]


03/13/2023 – Spanish Senate | Legislation | Whistleblowing 

The Spanish Law 2/2023 implementing the EU Whistleblower Directive was published in the Official Gazette on 20 February 2023 and entered into force on 13 March 2023.

For further information: BOE Website [ES]


United Kingdom

03/28/2023 – UK Supervisory Authority | Guidance | Direct Marketing

On 28 March 2023, the UK Supervisory Authority (“ICO”) issued guidance to businesses operating in regulated private sectors (e.g., finance, communications or utilities) on direct marketing and regulatory communications.

The guidance aims to help businesses identify when a regulatory communication message might count as direct marketing. If the message is direct marketing, it also covers what businesses need to do to comply with data protection and ePrivacy law.

For further information: ICO Website


03/16/2023 – UK Supervisory Authority | Sanction | GDPR Violations

The UK Supervisory Authority (“ICO”) reached an agreement with a retailer to reduce the monetary penalty notice issued for breaching the GDPR from £1,350,000 to £250,000.

The ICO found that the company was making assumptions about customers’ medical conditions, based on their purchase history, in order to sell them further health-related products. The processing involved special category data, and the ICO concluded that it had been conducted without a lawful basis. The retailer appealed the decision, which led to an agreement to reduce the monetary penalty notice, taking into account that the retailer had stopped the unlawful processing.

For further information: ICO Website


03/15/2023 – UK Supervisory Authority | Guidelines | AI and Data Protection

The UK Supervisory Authority (“ICO”) announced on 15 March 2023 that it had updated its guidance on artificial intelligence (“AI”) and data protection.

The ICO indicates that the changes respond to requests from UK industry to clarify requirements for fairness in AI.

For further information: ICO Website


03/13/2023 – UK Supervisory Authority | Guidance | Data Protection by Default

The UK Supervisory Authority (“ICO”) has produced new guidance to help user experience designers, product managers and software engineers embed data protection into their products and services by default.

The guidance looks at key privacy considerations for each stage of product design, from kick-off to post-launch. It includes both examples of good practice and practical steps that organisations can take to comply with data protection law when designing websites, apps or other technology products and services.

For further information: ICO Website


03/08/2023 – UK Government | Legislation | Cookies

The UK government re-introduced new legislation on 8 March 2023 aiming to cut down paperwork for businesses and reduce unnecessary cookie pop-ups.

The Data Protection and Digital Information Bill was first introduced last summer and paused in September 2022 so that ministers could engage in a co-design process with business leaders and data experts. According to the government, this was to ensure that the new regime builds on the UK’s high standards for data protection and privacy and preserves data adequacy, while moving away from the “one-size-fits-all” approach of the European Union’s GDPR.

For further information: UK Government Website


02/16/2023 – UK Supervisory Authority | Guidance | Protection of Children

The UK Supervisory Authority (“ICO”) issued a series of recommendations to game developers to ensure the protection of children and compliance with data protection laws.

For further information: ICO Website


This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email:

© 2023 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice. Please note, prior results do not guarantee a similar outcome.