ARTICLE
15 April 2025

Technology And Innovation Client Update: January To March 2025 - Data Protection

Arthur Cox

Contributor

Arthur Cox is one of Ireland’s leading law firms. For almost 100 years, we have been at the forefront of developments in the legal profession in Ireland. Our practice encompasses all aspects of corporate and business law. The firm has offices in Dublin, Belfast, London, New York and Silicon Valley.

Extension of UK Adequacy Decisions

DATE OF UPDATE: 18 March 2025

APPLICABLE DATES:

The proposed extension is until 27 December 2025.

LINKS

Commission proposes to extend adequacy decisions for the UK by six months for free and safe data flows - EC Daily News

Amending Implementing Decision (EU) 2021/1772 of 28 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom (PDF, 106KB)

CURRENT STATUS

The European Commission proposed to adopt an extension of the two 2021 adequacy decisions with the UK for a period of six months.

Once the UK's legislative process on the Data Bill introduced in the UK Parliament on 23 October 2024 concludes, the Commission will then assess whether the UK continues to provide an adequate level of protection for personal data.

In the meantime, the UK data protection rules that were found adequate in 2021 remain in place and continue to apply to data transferred from the EU.

WHY IS THIS APPLICABLE TO CLIENTS?

With the extension, data exporters can continue to avail of the adequacy decision with the UK until 27 December 2025.

Binding Corporate Rules

DATE OF UPDATE: 14 March 2025

LINKS

EDPB Document Setting Forth a Co-Operation procedure for the approval of Binding Corporate Rules for controllers and processors | European Data Protection Board

CURRENT STATUS

The European Data Protection Board (EDPB) has adopted a document setting forth a co-operation procedure for the approval of Binding Corporate Rules (BCRs) for controllers and processors.

It is an updated version of a Working Party 29 document on BCRs entitled 'Article 29 Working Party Document Setting Forth a procedure for the approval of "Binding Corporate Rules" for controllers and processors under Regulation 2016/679'.

WHY IS THIS APPLICABLE TO CLIENTS?

The new document will be of interest to data controllers and processors who wish to avail of the BCR process to transfer personal data intra-group.

CJEU Decision - Case C-247/23 | [Deldits] (fictitious name)

DATE OF UPDATE: 13 March 2025

LINKS

GDPR and transgender identity: the rectification of data relating to gender identity cannot be made conditional upon proof of surgery (PDF, 110KB)

CURRENT STATUS

GDPR and transgender identity: the rectification of data relating to gender identity cannot be made conditional upon proof of surgery.

WHY IS THIS APPLICABLE TO CLIENTS?

This decision illustrates the ongoing work of the Court of Justice in interpreting the GDPR for national courts.

Right of Access

DATE OF UPDATE: 7 March 2025

LINKS

The DPC's handling of Subject Access Requests | 07/03/2025 | Data Protection Commission

Balancing GDPR data access rights against the rights of others

CURRENT STATUS

The Data Protection Commission (DPC) has issued a statement on handling of Subject Access Requests.

In highly sensitive situations where the release of personal data is highly likely to result in significant harms and risks to other persons, the general presumption is that right of access can be restricted. Such decisions should be documented and the organisations concerned are required to cooperate in confidence with the DPC in the performance of its functions.

WHY IS THIS APPLICABLE TO CLIENTS?

The statement brings very welcome comfort to controllers who harbour genuine concerns about the consequences of disclosing vast quantities of documentation (even redacted documentation) to data subjects in circumstances where there may be a harmful motivation behind the request.

Coordinated Enforcement Framework 2025

DATE OF UPDATE: 5 March 2025

LINKS

Launch of coordinated enforcement action on the right to erasure | 05/03/2025 | Data Protection Commission

CEF 2025: Launch of coordinated enforcement on the right to erasure | European Data Protection Board

CURRENT STATUS

The DPC has confirmed it is to participate in the EDPB's 2025 Coordinated Enforcement Framework (CEF) by sending questionnaires to 40 data controllers across the public and private sectors to aid a fact-finding exercise.

32 Supervisory Authorities across the European Economic Area will take part in the CEF throughout 2025, which is focussing on the "right to erasure" in accordance with Article 17 GDPR.

DPC Decision - Inquiry into Maynooth University - (IN-19-9-3)

DATE OF UPDATE: March 2025

LINKS

Maynooth University Final Decision (PDF, 1383 KB)

Processor Fined for Security Issues

CURRENT STATUS

The DPC has published its full decision following its inquiry into a personal data breach, which affected the email accounts of university employees and allowed unauthorised persons to gain control of up to six accounts. The unauthorised persons then used their access to perpetrate a fraud, leading to a financial loss by one person whose email account had been affected. The university was issued with:

  • a reprimand
  • administrative fines of €25,000 in respect of the infringement of Articles 5(1)(f) and 32(1) GDPR and €15,000 in respect of the infringement of Article 33(1) GDPR
  • an order to bring its processing into compliance with the GDPR's security requirements and to report to the DPC on the steps taken

WHY IS THIS APPLICABLE TO CLIENTS?

The decision of the DPC and corrective measures imposed will be of interest to other data controllers and processors under the jurisdiction of the DPC.

CJEU Decision - Case C-203/22 | Dun & Bradstreet Austria

DATE OF UPDATE: 27 February 2025

LINKS

Judgment of the Court in Case C-203/22 | Dun & Bradstreet Austria

How much information needs to be provided to data subjects about automated decisions?

CURRENT STATUS

Automated credit assessment: The data subject is entitled to an explanation as to how the decision was taken in respect of him or her. The explanation provided must enable the data subject to understand and challenge the automated decision.

WHY IS THIS APPLICABLE TO CLIENTS?

The decision offers some insight into the meaning in Article 15 GDPR of 'meaningful information about the logic involved' in the automated decision; and how controllers should manage the protected data of third parties or trade secrets in completing a data access request.

DPC Article 60 Draft Decision - Inquiry into TikTok

DATE OF UPDATE: 24 February 2025

LINKS

Irish Data Protection Commission submits Article 60 draft decision on inquiry into TikTok | 24/02/2025 | Data Protection Commission

CURRENT STATUS

The DPC submitted a draft decision in an inquiry into TikTok Technology Limited (TikTok) to other concerned supervisory authorities across the EU/EEA on Friday, 21 February 2025.

The draft decision considers transfers by TikTok of the personal data of users of its platform from the EU/EEA to China. It also considers whether TikTok is complying with its transparency obligations to users insofar as such data transfers are concerned.

WHY IS THIS APPLICABLE TO CLIENTS?

The final decision will be of interest to other organisations transferring personal data to third countries.

EDPB - Statement 1/2025 on Age Assurance

DATE OF UPDATE: 11 February 2025

LINKS

Navigating Age Assurance in the Online World: A Statement from the EDPB

Statement 1/2025 on Age Assurance | European Data Protection Board

CURRENT STATUS

The EDPB adopted a Statement on age assurance, which was welcomed by the DPC.

WHY IS THIS APPLICABLE TO CLIENTS?

The Statement provides welcome guidance and greater clarity on age assurance and should also be useful to controllers that must comply with the DPC's Fundamentals for a child-oriented approach to data processing.

EDPB - AI

DATE OF UPDATE: 11 February 2025

LINKS

EDPB adopts statement on age assurance, creates a task force on AI enforcement and gives recommendations to WADA | European Data Protection Board

CURRENT STATUS

During its plenary, the EDPB decided to extend the scope of the ChatGPT task force to AI enforcement. The EDPB members underlined the need to coordinate data protection authorities' actions regarding urgent sensitive matters and for that purpose will set up a quick response team.

WHY IS THIS APPLICABLE TO CLIENTS?

The enforcement of data protection rules in the development of AI has long been a priority for data protection authorities in Europe and will be of interest to controllers seeking to engage with AI.

European Legislative Proposals – ePrivacy and AI Liability Directive

DATE OF UPDATE: 11 February 2025

APPLICABLE DATES:

The European Parliament and the Council will have an opportunity to communicate their views on these proposed withdrawals before the Commission decides on whether to proceed.

LINKS

ePrivacy Regulation and AI Liability Directive

CURRENT STATUS

The European Commission published its 2025 work programme, announcing plans to withdraw a number of legislative proposals. Of particular note is the proposed withdrawal of the ePrivacy Regulation and the AI Liability Directive, which may receive mixed reactions across the industry.

WHY IS THIS APPLICABLE TO CLIENTS?

These legislative proposals, if they were to proceed, would impact organisations across a number of sectors.

CJEU - Advocate General's Opinion in Case C-492/23 | Russmedia Digital and Inform Media Press

DATE OF UPDATE: 6 February 2025

APPLICABLE DATES:

The Judges of the Court are now beginning their deliberations in this case. Judgment will be given at a later date.

LINKS

Electronic commerce and the GDPR: Advocate General Szpunar clarifies the responsibilities of the operator of an online marketplace (PDF, 106 KB)

CURRENT STATUS

In this Opinion, Advocate General Maciej Szpunar (the "AG") analyses the link between the Directive on electronic commerce (Directive 2000/31/EC) and the GDPR. The AG opines that the operator of an online marketplace can be considered eligible for an exemption from liability in respect of the content of advertisements published on its marketplace provided that its role remains neutral and purely technical.

The AG opines that as regards the personal data of user advertisers registered on the online marketplace, the operator of that marketplace acts as a controller and must verify the identity of the user advertisers.

WHY IS THIS APPLICABLE TO CLIENTS?

This decision will be of interest to data controllers and processors operating websites and other intermediary services.

CJEU - Commission v European Data Protection Board – Competence of EDPB conferred by Article 65(1) GDPR

DATE OF UPDATE: 29 January 2025

LINKS

Judgment of the General Court

CURRENT STATUS

The DPC sought annulment in part of Binding Decisions 3/2022, 4/2022 and 5/2022 of 5/12/2022 of the EDPB on the disputes between the supervisory authorities concerned arising from its draft decisions regarding Facebook, Instagram and WhatsApp, in so far as those binding decisions require it to carry out new investigations and to issue new draft decisions.

The Tenth Chamber of the General Court held against the DPC and dismissed the actions, ordering the DPC to pay the costs.

WHY IS THIS APPLICABLE TO CLIENTS?

The decision clarifies the role of the EDPB and its competence to instruct national supervisory authorities to carry out new investigations and issue new draft decisions in cross-border data protection investigations.

EDPB Report on Right of Access

DATE OF UPDATE: 20 January 2025

LINKS

Coordinated Enforcement Action, implementation of the right of access by controllers | European Data Protection Board

EDPB draft guidelines on data subject access requests ("DSARs"): key points

CURRENT STATUS

The EDPB has adopted a report on the implementation of the right of access by controllers. The report summarises the outcome of a series of coordinated national actions carried out in 2024 under the Coordinated Enforcement Framework (CEF).

WHY IS THIS APPLICABLE TO CLIENTS?

This Report will be of interest to controllers and their processors.

'Consent or Pay' Models

DATE OF UPDATE: 16 January 2025

LINKS

IAB Europe Sends Feedback Paper to the EDPB after the Stakeholder Event Regarding the 'Consent or Pay' Models - IAB Europe

EDPB: 'Consent or Pay' models should offer real choice | European Data Protection Board

Digital Markets Act

CURRENT STATUS

IAB Europe submitted its Feedback Paper regarding the 'Consent or Pay' Models to the EDPB outlining key remarks and concerns after the EDPB's stakeholder event on the forthcoming draft Guidelines concerning "Consent or Pay" (CorP) models. They encourage the EDPB to adopt a balanced, evidence-based approach to CorP models, recognising their role in sustaining access to free online services while respecting user autonomy.

WHY IS THIS APPLICABLE TO CLIENTS?

The regulation of 'Consent or Pay' Models will be of interest to organisations involved in online advertising.

EDPB Guidelines on Pseudonymisation for GDPR compliance

DATE OF UPDATE: 16 January 2025

LINKS

Guidelines 01/2025 on Pseudonymisation | European Data Protection Board

CURRENT STATUS

During its January 2025 plenary meeting, the EDPB adopted Guidelines 01/2025 on pseudonymisation. They clarify the definition and applicability of pseudonymisation and pseudonymised data, and the advantages of pseudonymisation.

WHY IS THIS APPLICABLE TO CLIENTS?

The guidelines also explain how pseudonymisation can help organisations meet their obligations relating to the implementation of data protection principles (Art. 5 GDPR), data protection by design and default (Art. 25 GDPR) and security (Art. 32 GDPR).

EDPB Statement on Interplay between Competition Law and Data Protection

DATE OF UPDATE: 16 January 2025

LINKS

Position paper on Interplay between data protection and competition law | European Data Protection Board

CURRENT STATUS

At the EDPB's plenary in January, the Board adopted a statement on the interplay of competition law and data protection. The statement suggests steps for incorporating market and competition factors into data protection practices and for data protection rules to be considered in competition assessments. It also provides recommendations for improving cooperation between regulators.

WHY IS THIS APPLICABLE TO CLIENTS?

The Statement picks up on the decision in CJEU Meta vs. Bundeskartellamt of 4 July 2023. This, the Board says, indicates that data protection and competition authorities are required to work together, in some cases, to achieve effective and coordinated enforcement of data protection and competition law.

DPC Decision - Inquiry into Meta Platforms Ireland Limited – (IN-19-4-1)

DATE OF UPDATE: January 2025

DATE OF DECISION:

26 September 2024

LINKS

Meta Final Decision IN-19-4-1 (PDF, 1,232 KB)

CURRENT STATUS

The DPC has published its full decision in the Meta passwords inquiry which considered the storage of certain passwords of social media users in 'plaintext' on Meta's internal systems. Meta conducted an investigation which found that the passwords had not been accessed by anyone, including employees. The DPC determined that the incident constituted a personal data breach and that Meta breached the GDPR by failing to notify the DPC of the breach and log it. Meta received a €91 million fine and a reprimand.

WHY IS THIS APPLICABLE TO CLIENTS?

The decision of the DPC and corrective measures imposed will be of interest to other data controllers and processors under the jurisdiction of the DPC.

CJEU Decision – Data Subject Access Requests

DATE OF UPDATE: 9 January 2025

LINKS

"Manifestly Excessive" Requests Under the GDPR: Numbers Alone Are Not Enough

Balancing GDPR data access rights against the rights of others

CURRENT STATUS

Judgment of the Court of Justice of the European Union (CJEU) in Case C-416/23 Österreichische Datenschutzbehörde v FR sheds light on the threshold for requests submitted to a data protection supervisory authority to be considered manifestly excessive, in a ruling that will also be of interest to controllers considering the extent of their obligations in the context of data subject right requests.

WHY IS THIS APPLICABLE TO CLIENTS?

The judgment will be of interest to controllers considering the extent of their obligations in the context of data subject rights requests (in particular access requests under Article 15 GDPR) in cases where they have received a high volume and / or frequency of similar requests from the same data subject.

CJEU Decision – Data Minimisation

DATE OF UPDATE: 9 January 2025

LINKS

GDPR and rail transport: a customer's gender identity is not necessary data for the purchase of a transport ticket (PDF, 130 KB)

Summary of 2024's Key CJEU Data Protection Judgments

CURRENT STATUS

Judgment of the CJEU in Case C-394/23 | Mousse. GDPR and rail transport: a customer's gender identity is not necessary data for the purchase of a transport ticket. The collection of data regarding customers' titles is not objectively indispensable, in particular where its purpose is to personalise commercial communication.

WHY IS THIS APPLICABLE TO CLIENTS?

Controllers are reminded that in accordance with the principle of data minimisation, which gives expression to the principle of proportionality, data collected must be adequate, relevant and limited to what is necessary in the light of the purposes for which those data are processed.

CJEU Decision – Non-Material Damages

DATE OF UPDATE: 8 January 2025

LINKS

All the small things: EU - US transfers and non-material damages

Circuit Court Considers GDPR Non Material Damages

CURRENT STATUS

The General Court in Case T-354/22 (Bindl v Commission) awarded Thomas Bindl €400 damages in respect of an unlawful transfer of his personal data to the US via a Facebook sign-in link on a European Commission website.

WHY IS THIS APPLICABLE TO CLIENTS?

This judgment highlights the continued scrutiny with which the European courts review EU-US data transfers. Although it relates to the GDPR's sister law, it is no less significant, in that it indicates that mere "uncertainty" can, according to the General Court, become a qualifying threshold for demonstrating loss in relation to personal data.

This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.
