Extension of UK Adequacy Decisions
DATE OF UPDATE: 18 March 2025
APPLICABLE DATES:
The proposed extension is until 27 December 2025.
CURRENT STATUS
The European Commission proposed to adopt an extension of the two 2021 adequacy decisions with the UK for a period of six months.
Once the UK's legislative process on the Data Bill introduced in the UK Parliament on 23 October 2024 concludes, the Commission will then assess whether the UK continues to provide an adequate level of protection for personal data.
In the meantime, the UK data protection rules that were found adequate in 2021 remain in place and continue to apply to data transferred from the EU.
WHY IS THIS APPLICABLE TO CLIENTS?
With the extension, data exporters can continue to avail of the adequacy decision with the UK until 27 December 2025.
Binding Corporate Rules
DATE OF UPDATE: 14 March 2025
CURRENT STATUS
The European Data Protection Board (EDPB) has adopted a document setting forth a co-operation procedure for the approval of Binding Corporate Rules (BCRs) for controllers and processors.
It is an updated version of a Working Party 29 document on BCRs entitled 'Article 29 Working Party Document Setting Forth a procedure for the approval of "Binding Corporate Rules" for controllers and processors under Regulation 2016/679'.
WHY IS THIS APPLICABLE TO CLIENTS?
The new document will be of interest to data controllers and processors who wish to avail of the BCR process to transfer personal data intra-group.
CJEU Decision - Case C-247/23 | [Deldits] (fictitious name)
DATE OF UPDATE: 13 March 2025
CURRENT STATUS
GDPR and transgender identity: the rectification of data relating to gender identity cannot be made conditional upon proof of surgery.
WHY IS THIS APPLICABLE TO CLIENTS?
This decision illustrates the ongoing work of the Court of Justice in interpreting the GDPR for national courts.
Right of Access
DATE OF UPDATE: 7 March 2025
LINKS
The DPC's handling of Subject Access Requests | 07/03/2025 | Data Protection Commission
Balancing GDPR data access rights against the rights of others
CURRENT STATUS
The Data Protection Commission (DPC) has issued a statement on the handling of Subject Access Requests.
In highly sensitive situations where the release of personal data is highly likely to result in significant harms and risks to other persons, the general presumption is that the right of access can be restricted. Such decisions should be documented, and the organisations concerned are required to cooperate in confidence with the DPC in the performance of its functions.
WHY IS THIS APPLICABLE TO CLIENTS?
The statement brings very welcome comfort to controllers who harbour genuine concerns about the consequences of disclosing vast quantities of documentation (even redacted documentation) to data subjects in circumstances where there may be a harmful motivation behind the request.
Coordinated Enforcement Framework 2025
DATE OF UPDATE: 5 March 2025
LINKS
CEF 2025: Launch of coordinated enforcement on the right to erasure | European Data Protection Board
CURRENT STATUS
The DPC has confirmed it is to participate in the EDPB's 2025 Coordinated Enforcement Framework (CEF) by sending questionnaires to 40 data controllers across the public and private sectors to aid a fact-finding exercise.
32 Supervisory Authorities across the European Economic Area will take part in the CEF throughout 2025, which is focussing on the "right to erasure" in accordance with Article 17 GDPR.
DPC Decision - Inquiry into Maynooth University - (IN-19-9-3)
DATE OF UPDATE: March 2025
LINKS
Maynooth University Final Decision (PDF, 1383 KB)
Processor Fined for Security Issues
CURRENT STATUS
The DPC has published its full decision following its inquiry into a personal data breach, which affected the email accounts of university employees and allowed unauthorised persons to gain control of up to six accounts. The unauthorised persons used that access to perpetrate a fraud, leading to a financial loss for one person whose email account had been affected. The university was issued with:
- a reprimand
- administrative fines of €25,000 in respect of the infringement of Articles 5(1)(f) and 32(1) GDPR and €15,000 in respect of the infringement of Article 33(1) GDPR
- an order to bring its processing into compliance with the GDPR's security requirements and to report to the DPC on the steps taken
WHY IS THIS APPLICABLE TO CLIENTS?
The decision of the DPC and corrective measures imposed will be of interest to other data controllers and processors under the jurisdiction of the DPC.
CJEU Decision - Case C-203/22 | Dun & Bradstreet Austria
DATE OF UPDATE: 27 February 2025
LINKS
Judgment of the Court in Case C-203/22 | Dun & Bradstreet Austria
How much information needs to be provided to data subjects about automated decisions?
CURRENT STATUS
Automated credit assessment: The data subject is entitled to an explanation as to how the decision was taken in respect of him or her. The explanation provided must enable the data subject to understand and challenge the automated decision.
WHY IS THIS APPLICABLE TO CLIENTS?
The decision offers some insight into the meaning in Article 15 GDPR of 'meaningful information about the logic involved' in the automated decision; and how controllers should manage the protected data of third parties or trade secrets in completing a data access request.
DPC Article 60 Draft Decision - Inquiry into TikTok
DATE OF UPDATE: 24 February 2025
CURRENT STATUS
The DPC submitted a draft decision in an inquiry into TikTok Technology Limited (TikTok) to other concerned supervisory authorities across the EU/EEA on Friday, 21 February 2025.
The draft decision considers transfers by TikTok of the personal data of users of its platform from the EU/EEA to China. It also considers whether TikTok is complying with its transparency obligations to users insofar as such data transfers are concerned.
WHY IS THIS APPLICABLE TO CLIENTS?
The final decision will be of interest to other organisations transferring personal data to third countries.
EDPB - Statement 1/2025 on Age Assurance
DATE OF UPDATE: 11 February 2025
LINKS
Navigating Age Assurance in the Online World: A Statement from the EDPB
Statement 1/2025 on Age Assurance | European Data Protection Board
CURRENT STATUS
The EDPB adopted a Statement on age assurance, which was welcomed by the DPC.
WHY IS THIS APPLICABLE TO CLIENTS?
The Statement provides welcome guidance and greater clarity on age assurance and should also be useful to controllers that must comply with the DPC's Fundamentals for a child-oriented approach to data processing.
EDPB - AI
DATE OF UPDATE: 11 February 2025
CURRENT STATUS
During its plenary, the EDPB decided to extend the scope of the ChatGPT task force to AI enforcement. The EDPB members underlined the need to coordinate data protection authorities' actions regarding urgent sensitive matters and for that purpose will set up a quick response team.
WHY IS THIS APPLICABLE TO CLIENTS?
The enforcement of data protection rules in the development of AI has long been a priority for data protection authorities in Europe and will be of interest to controllers seeking to engage with AI.
European Legislative Proposals – ePrivacy and AI Liability Directive
DATE OF UPDATE: 11 February 2025
APPLICABLE DATES:
The European Parliament and the Council will have an opportunity to communicate their views on these proposed withdrawals before the Commission decides on whether to proceed.
LINKS
ePrivacy Regulation and AI Liability Directive
CURRENT STATUS
The European Commission published its 2025 work programme, announcing plans to withdraw a number of legislative proposals. Of particular note is the proposed withdrawal of the ePrivacy Regulation and the AI Liability Directive, which may receive mixed reactions across the industry.
WHY IS THIS APPLICABLE TO CLIENTS?
These legislative proposals, if they were to proceed, would impact organisations across a number of sectors.
CJEU - Advocate General's Opinion in Case C-492/23 | Russmedia Digital and Inform Media Press
DATE OF UPDATE: 6 February 2025
APPLICABLE DATES:
The Judges of the Court are now beginning their deliberations in this case. Judgment will be given at a later date.
CURRENT STATUS
In this Opinion, Advocate General Maciej Szpunar (the "AG") analyses the link between the Directive on electronic commerce (Directive 2000/31/EC) and the GDPR. The AG opines that the operator of an online marketplace can be considered eligible for an exemption from liability in respect of the content of advertisements published on its marketplace provided that its role remains neutral and purely technical.
The AG opines that as regards the personal data of user advertisers registered on the online marketplace, the operator of that marketplace acts as a controller and must verify the identity of the user advertisers.
WHY IS THIS APPLICABLE TO CLIENTS?
This decision will be of interest to data controllers and processors operating websites and other intermediary services.
CJEU - Commission v European Data Protection Board – Competence of EDPB conferred by Article 65(1) GDPR
DATE OF UPDATE: 29 January 2025
CURRENT STATUS
The DPC sought annulment in part of Binding Decisions 3/2022, 4/2022 and 5/2022 of 5/12/2022 of the EDPB on the disputes between the supervisory authorities concerned arising from its draft decisions regarding Facebook, Instagram and WhatsApp, in so far as those binding decisions require it to carry out new investigations and to issue new draft decisions.
The Tenth Chamber of the General Court held against the DPC and dismissed the actions, ordering the DPC to pay the costs.
WHY IS THIS APPLICABLE TO CLIENTS?
The decision clarifies the role of the EDPB and its competence to instruct national supervisory authorities to carry out new investigations and issue new draft decisions in cross-border data protection investigations.
EDPB Report on Right of Access
DATE OF UPDATE: 20 January 2025
LINKS
EDPB draft guidelines on data subject access requests ("DSARs"): key points
CURRENT STATUS
The EDPB has adopted a report on the implementation of the right of access by controllers. The report summarises the outcome of a series of coordinated national actions carried out in 2024 under the Coordinated Enforcement Framework (CEF).
WHY IS THIS APPLICABLE TO CLIENTS?
This Report will be of interest to controllers and their processors.
'Consent or Pay' Models
DATE OF UPDATE: 16 January 2025
LINKS
EDPB: 'Consent or Pay' models should offer real choice | European Data Protection Board
CURRENT STATUS
IAB Europe submitted its Feedback Paper regarding the 'Consent or Pay' Models to the EDPB outlining key remarks and concerns after the EDPB's stakeholder event on the forthcoming draft Guidelines concerning "Consent or Pay" (CorP) models. They encourage the EDPB to adopt a balanced, evidence-based approach to CorP models, recognising their role in sustaining access to free online services while respecting user autonomy.
WHY IS THIS APPLICABLE TO CLIENTS?
The regulation of 'Consent or Pay' Models will be of interest to organisations involved in online advertising.
EDPB Guidelines on Pseudonymisation for GDPR compliance
DATE OF UPDATE: 16 January 2025
LINKS
Guidelines 01/2025 on Pseudonymisation | European Data Protection Board
CURRENT STATUS
During its January 2025 plenary meeting, the EDPB adopted Guidelines 01/2025 on pseudonymisation. They clarify the definition and applicability of pseudonymisation and pseudonymised data, and the advantages of pseudonymisation.
WHY IS THIS APPLICABLE TO CLIENTS?
The guidelines also explain how pseudonymisation can help organisations meet their obligations relating to the implementation of data protection principles (Art. 5 GDPR), data protection by design and default (Art. 25 GDPR) and security (Art. 32 GDPR).
EDPB Statement on Interplay between Competition Law and Data Protection
DATE OF UPDATE: 16 January 2025
CURRENT STATUS
At the EDPB's plenary in January, the Board adopted a statement on the interplay of competition law and data protection. The statement suggests steps for incorporating market and competition factors into data protection practices and for data protection rules to be considered in competition assessments. It also provides recommendations for improving cooperation between regulators.
WHY IS THIS APPLICABLE TO CLIENTS?
The Statement picks up on the decision in CJEU Meta vs. Bundeskartellamt of 4 July 2023. This, the Board says, indicates that data protection and competition authorities are required to work together, in some cases, to achieve effective and coordinated enforcement of data protection and competition law.
DPC Decision - Inquiry into Meta Platforms Ireland Limited – (IN-19-4-1)
DATE OF UPDATE: January 2025
DATE OF DECISION:
26 September 2024
LINKS
Meta Final Decision IN-19-4-1 (PDF, 1,232 KB)
CURRENT STATUS
The DPC has published its full decision in the Meta passwords inquiry which considered the storage of certain passwords of social media users in 'plaintext' on Meta's internal systems. Meta conducted an investigation which found that the passwords had not been accessed by anyone, including employees. The DPC determined that the incident constituted a personal data breach and that Meta breached the GDPR by failing to notify the DPC of the breach and log it. Meta received a €91 million fine and a reprimand.
WHY IS THIS APPLICABLE TO CLIENTS?
The decision of the DPC and corrective measures imposed will be of interest to other data controllers and processors under the jurisdiction of the DPC.
CJEU Decision – Data Subject Access Requests
DATE OF UPDATE: 9 January 2025
LINKS
"Manifestly Excessive" Requests Under the GDPR: Numbers Alone Are Not Enough
Balancing GDPR data access rights against the rights of others
CURRENT STATUS
Judgment of the Court of Justice of the European Union (CJEU) in Case C-416/23 Österreichische Datenschutzbehörde v FR sheds light on the threshold for requests submitted to a data protection supervisory authority to be considered manifestly excessive, in a ruling that will also be of interest to controllers considering the extent of their obligations in the context of data subject right requests.
WHY IS THIS APPLICABLE TO CLIENTS?
The judgment will be of interest to controllers considering the extent of their obligations in the context of data subject rights requests (in particular access requests under Article 15 GDPR) in cases where they have received a high volume and / or frequency of similar requests from the same data subject.
CJEU Decision – Data Minimisation
DATE OF UPDATE: 9 January 2025
LINKS
Summary of 2024's Key CJEU Data Protection Judgments
CURRENT STATUS
Judgment of the CJEU in Case C-394/23 | Mousse.
GDPR and rail transport: a customer's gender identity is not necessary data for the purchase of a transport ticket. The collection of data regarding customers' titles is not objectively indispensable, in particular where its purpose is to personalise commercial communication.
WHY IS THIS APPLICABLE TO CLIENTS?
Controllers are reminded that in accordance with the principle of data minimisation, which gives expression to the principle of proportionality, data collected must be adequate, relevant and limited to what is necessary in the light of the purposes for which those data are processed.
CJEU Decision – Non-Material Damages
DATE OF UPDATE: 8 January 2025
LINKS
All the small things: EU - US transfers and non-material damages
Circuit Court Considers GDPR Non Material Damages
CURRENT STATUS
The General Court in Case T-354/22 (Bindl v Commission) awarded Thomas Bindl €400 damages in respect of an unlawful transfer of his personal data to the US via a Facebook sign-in link on a European Commission website.
WHY IS THIS APPLICABLE TO CLIENTS?
This judgment highlights the continued scrutiny with which the European courts review EU-US data transfers. Although it relates to the GDPR's sister law, it is no less significant, in that it indicates that mere "uncertainty" can, according to the General Court, become a qualifying threshold for demonstrating loss in relation to personal data.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.