23 October 2025

Two-Minute Recap Data Protection Law Matters Around The Globe

Gen Temizer

Contributor

Gen Temizer is a leading independent Turkish law firm located in Istanbul's financial centre. The Firm has an excellent track record of handling cross-border matters for clients and covers the full bandwidth of most complex transactions and litigation with its cross-departmental, multi-disciplinary and diverse team of over 30 lawyers. The Firm is deeply rooted in the local market with over 80 years of combined experience of the name partners while providing the highest global standards of legal services.

CJEU Clarifies Status of Pseudonymised Data Under EU Data Protection Law

On 4 September 2025, the Court of Justice of the European Union (“CJEU”) issued its judgment in case C-413/23 P, a legal dispute between the European Data Protection Supervisor (“EDPS”) and the Single Resolution Board (“SRB”). The CJEU held that pseudonymised data is not always personal data under EU law and that the legal classification depends on the context and the means available to identify individuals. The Court confirmed that where a controller pseudonymises data before disclosing it to a third party, EU data protection law continues to apply to the disclosing controller, including the obligation to inform individuals about the processing of their data.

FTC Fines Toy Manufacturer for Allowing Third-Party Access to Children's Data

The U.S. Federal Trade Commission (“FTC”) took action against Apitor, a China-based toy manufacturer, for collecting children's geolocation data through its mobile app without parental consent, in violation of the Children's Online Privacy Protection Act (“COPPA”). The app embedded a third-party software kit that allowed a China-based service to access children's data without informing families. Under the proposed order, Apitor must delete any data collected without consent and obtain parental permission before collecting children's data in the future. A $500,000 penalty was also announced but is currently suspended based on the company's financial condition. The case reflects the FTC's continued focus on children's privacy.

CNIL fines Google €325 million over Gmail ads and invalid cookie consent

The French data protection authority (“CNIL”) fined Google LLC and Google Ireland Limited a total of €325 million for displaying advertising emails in Gmail without user consent and for obtaining invalid cookie consent during Google account creation. The CNIL found breaches of Article L.34-5 CPCE (direct marketing without consent) and Article 82 of the French Data Protection Act (cookies). Google has six months to comply or face €100,000 per day in penalties.

ICO published cyber security tips for small businesses

On 17 September 2025, the UK Information Commissioner's Office (“ICO”) published practical security guidance for small businesses, noting that an estimated 7.7 million cyber crimes occurred in the UK over the past year. The ICO said many incidents result from basic security failures, not sophisticated attacks, and encouraged organisations to review their practices. The guidance recommends simple steps such as regular data backups, use of strong passwords and multi-factor authentication, anti-virus protection, secure Wi-Fi, and limiting access to personal data. The ICO also reminded organisations that data breaches linked to cyberattacks must be reported within 72 hours under data protection law.

EU proposes adequacy for data transfers to Brazil

The European Commission published a draft adequacy decision on 5 September 2025 proposing recognition of Brazil as offering a level of personal-data protection essentially equivalent to the General Data Protection Regulation (“GDPR”). If adopted, the decision would allow transfers of personal data from the EU to Brazil without additional safeguards, such as standard contractual clauses or binding corporate rules. The assessment considered Brazil's legal framework — including the Lei Geral de Proteção de Dados (“LGPD”) — its independent supervisory authority, and rights available to individuals akin to those under the GDPR. The next steps include a formal opinion from the European Data Protection Board (“EDPB”) and approval by member-state representatives before the decision can enter into force.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
