In a sneaky September entry to this Summer edition of the Data Wrap, the General Court of the European Union confirmed on 3 September 2025 that personal data transferred under the EU-US Data Privacy Framework ("DPF") enjoys an adequate level of protection for GDPR purposes, dismissing the challenge brought against the Commission's adequacy decision. As a result, the DPF remains intact, unlike its predecessors, Safe Harbor and the EU-US Privacy Shield, both of which were invalidated by the Court of Justice (in Schrems I and Schrems II respectively).
And this isn't just a win for businesses relying on the DPF: it's also a game-changer for everyone undertaking data transfer impact assessments ("DTIAs") for transfers of personal data to the US. Some analysis from Emmanuel Ronco in Paris below.
Key Findings
- Independent redress works: the Data Protection Review Court was deemed independent, impartial, "established by law," and empowered to issue binding, final remedies.
- The General Court agreed that section 702 of the US Foreign Intelligence Surveillance Act ("FISA 702") authorises targeted surveillance, not bulk collection.
- US Executive Order 14086 permits bulk collection only if targeted collection is infeasible, restricted to specific national‑security objectives, under proportionality limits, independent oversight, and with DPRC review. "Mass" indiscriminate collection is not authorized.
- On automated decisions and security of processing, the General Court found that GDPR standards, US sectoral laws and the DPF principles together provide substantially equivalent safeguards.
Impact on DTIAs for US Transfers
For privacy teams conducting DTIAs, the judgment provides the first EU-court endorsement of the US reforms adopted after Schrems II. This is likely to have some welcome practical consequences:
- FISA 702: you can now cite an EU court's confirmation that it is a targeted regime, not indiscriminate mass surveillance.
- Bulk collection under EO 14086: lawful only as a proportionate fallback, with safeguards and redress. This lowers the risk rating in assessments.
- Remedies: the DPRC is court‑validated as an effective remedy under Art. 47 Charter — a decisive improvement for residual risk analysis.
- Residual risk recalibration: for typical B2B transfers (especially via DPF‑certified importers), the likelihood of disproportionate access can be marked down.
- Still case-by-case: if the importer qualifies as an electronic communications service provider under FISA 702, or handles data of particular intelligence interest, stronger technical measures (encryption with keys held by the exporter, split processing) remain relevant.
- Stronger evidence: the General Court's reasoning provides text that can be lifted into DTIAs to justify "essentially equivalent" findings, without relying solely on European Commission assurances.
Key takeaways
- Businesses can now rely on DPF certification or Standard Contractual Clauses plus DTIAs with far stronger backing.
- DTIAs do not go away, but they become lighter: EU-court language can now be cited to justify residual risk conclusions.
- Keep monitoring: an appeal to the Court of Justice could come, and US law may evolve, but for now this is the clearest green light yet.
On 28 June 2021, the European Commission (the "Commission") published two adequacy decisions finding that the UK benefits from an essentially equivalent level of protection to that guaranteed under EU law and allowed for transfers from Europe to the UK under the EU GDPR and the Law Enforcement Directive. Both adequacy decisions are currently due to expire on 27 December 2025.
The Commission has now published its draft decision to renew the UK's adequacy status under the EU GDPR. The draft, published on 22 July 2025, proposes to extend adequacy until 27 December 2031. It assesses whether the United Kingdom still ensures an adequate level of protection in light of legal developments since the 2021 decisions, in particular the Data (Use and Access) Act 2025, which amended the UK GDPR, the rules on international transfers, the exemptions from and restrictions on data subject rights, and government access to data. The Commission concluded that the UK continues to ensure an essentially equivalent level of protection for personal data.
While the draft decision is not yet final and remains subject to approval by EU Member State representatives and formal adoption by the European Commission, this is a positive direction for organisations relying on UK-EU data transfers. Notably, the Commission has clarified that it does not consider membership of the Global Cross-Border Privacy Rules Forum to offer adequate protection for EU personal data and will therefore monitor the UK's membership in the Forum closely. The Commission has also emphasised that its adequacy conclusion is grounded not only in the UK's domestic legal framework, but also in the UK's continued adherence to international commitments, including the European Convention on Human Rights and the jurisdiction of the European Court of Human Rights.
Following a consultation on ransomware and the payment of ransom demands earlier in the year (January to April 2025), the UK Government has now published a response taking into account the submissions received. Although the response does not confirm the final measures, it indicates that the Government intends to take forward three main proposals.
The proposals would include: (i) a targeted ban on ransomware payments; (ii) a pre-payment notification for the private sector; and (iii) mandatory ransomware incident reporting.
For further details on the proposals, please see the article on our Cyber and Data Security Notes blog.
On 17 June 2025, the ICO fined 23andMe £2.31 million after a cyberattack exposed the personal data of over 155,000 UK residents. The attacker used credential stuffing: logging in with username and password pairs stolen in unrelated earlier breaches and reused by customers on 23andMe, rather than exploiting a flaw in 23andMe's own systems.
Following a joint investigation with the Canadian privacy regulator, the ICO found that 23andMe had failed to implement:
- strong authentication and password protocols;
- controls over access to and download of special category data;
- effective monitoring and incident response systems; and
- regular testing of its security measures.
The ICO also criticised the company's delayed response, noting that it missed multiple warning signs before acting, and stressed the importance of putting in place additional safeguards for special category data such as genetic and health information.
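The "effective monitoring" the ICO found missing is, in practice, a detection rule: credential stuffing looks like one source trying many different accounts with a high failure rate, with the occasional success being the stolen pair that actually worked. The following is an added example written for this article, not code from 23andMe or the ICO; it assumes a hypothetical log format (`<timestamp> ip=<src> user=<login> result=OK|FAIL`), the sample events are constructed, and the thresholds are illustrative starting points.

```python
"""Credential-stuffing detection over authentication logs (added example).

Assumes a hypothetical log format, one event per line:
    <ISO-8601 UTC timestamp> ip=<source IP> user=<login> result=OK|FAIL
The thresholds are illustrative starting points, not values taken from the
ICO decision or from 23andMe.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def constructed_log():
    """Constructed sample, not real telemetry: one source IP tries 25 distinct
    accounts in under three minutes and one stolen pair happens to work; a
    second IP is a genuine user who mistypes a password twice."""
    base = datetime(2023, 10, 1, 12, 0, 0)
    lines = []
    for i in range(25):
        ts = base + timedelta(seconds=7 * i)
        result = "OK" if i == 17 else "FAIL"
        lines.append(f"{ts.isoformat()}Z ip=203.0.113.5 user=user{i:02d}@example.com result={result}")
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()}Z ip=198.51.100.7 user=bob@example.com result={result}")
    return lines


def parse_events(lines):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=10, min_fail_ratio=0.8):
    """Flag a source IP when, inside a sliding time window, it attempts at least
    `min_users` distinct accounts and at least `min_fail_ratio` of the attempts
    fail. Many accounts from one source is what separates stuffing from a single
    user's forgotten password; an OK inside that burst is a stolen credential
    that worked and must be force-reset."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "FAIL" for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                hit = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    "succeeded": sorted({e["user"] for e in win if e["result"] == "OK"}),
                }
                # keep the widest qualifying window seen for this IP
                if ip not in flagged or hit["distinct_users"] > flagged[ip]["distinct_users"]:
                    flagged[ip] = hit
    return flagged


def compromised_accounts(flagged):
    """Accounts that authenticated successfully from a flagged source."""
    return sorted({u for hit in flagged.values() for u in hit["succeeded"]})


if __name__ == "__main__":
    hits = detect_stuffing(parse_events(constructed_log()))
    for ip, hit in hits.items():
        print(f"{ip}: {hit['distinct_users']} accounts, {hit['failures']}/{hit['attempts']} failed")
    print("force password reset and session revocation for:", compromised_accounts(hits))
```

The per-IP grouping is deliberately simple; real stuffing is usually spread across proxies, so a production rule would also aggregate by ASN, user-agent fingerprint or global failure rate per minute, and would feed the flagged successes into a forced reset and session revocation, which is the incident response step the ICO said was missing.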
On 21 July 2025, the Polish Data Protection Authority (Urząd Ochrony Danych Osobowych) (the "UODO") imposed a record fine of approximately €3.9 million on McDonald's Polska Sp. z o.o. ("McDonald's") and approximately €43,000 on its data processor, 24/7 Communication Sp. z o.o. (the "Processor") (together the "Parties"), following a significant breach of the EU General Data Protection Regulation (the "GDPR").
McDonald's had outsourced the processing of sensitive employee data to the Processor, which operated an employee scheduling module. Due to inadequate technical and organisational safeguards, a misconfigured server left sensitive employee data (including names, PESEL numbers (Polish national identification numbers), passport numbers, working hours and job positions) publicly accessible over the internet. The breach affected employees at both corporate-owned and franchise restaurants. McDonald's reported the personal data breach to the UODO in July 2020, and the UODO commenced its investigation in November 2020.
In the course of its investigation, the UODO concluded that neither Party had carried out a risk assessment or implemented adequate technical and organisational security measures. The data processing agreement between them also lacked effective oversight mechanisms, such as audit or inspection rights. The Processor had subcontracted processing to a further entity without a formal agreement, and had collected and processed personal data in excess of what was necessary for shift scheduling. Additionally, both Parties failed to involve a Data Protection Officer at any stage before or after the breach.
On these facts, the UODO held that the Parties had infringed Articles 24, 25, and 32 of the GDPR (failure to ensure appropriate measures), Article 28 (unlawful sub-processing), Article 5(1)(c) (insufficient data minimisation), and Article 38 (failure to involve the DPO). The UODO also issued McDonald's with a formal reprimand for failing to directly notify former employees of the breach, relying instead solely on press releases, which was deemed inadequate under the GDPR's notification requirements. Furthermore, the UODO found McDonald's to be the controller of franchisee employees' data, as it owned and designed the scheduling module, set the scope of data collected, selected the processor, and managed franchisee contracts, thereby making it fully liable under the GDPR for the breach.
This case underscores that controllers remain fully responsible for GDPR compliance, even when outsourcing data processing. The UODO emphasised that a data processing agreement alone is insufficient; ongoing due diligence, risk assessment, and oversight are essential.
The "consent or pay" model, increasingly used by online platforms, generally offers users three choices:
- consent to the use of their personal data for personalised advertising in exchange for free access to a product or service;
- pay a fee to access the service (without the need to consent to personalised advertising); or
- decide not to use the product or service.
However, in a landmark ruling, the Austrian Federal Administrative Court found that the implementation of this model by a national news outlet, Der Standard, violated the GDPR.
A key issue was the lack of granular consent. Users were forced to accept all data processing purposes - advertising, analytics, and social media plugins - via a single "agree" button. The court ruled this bundling invalidates consent, as GDPR mandates that users must be able to choose which types of data processing they accept.
The court also questioned whether users were offered genuine choice. Despite surveys showing only 1–7% of users prefer tracking, Der Standard achieved a 99.9% consent rate, suggesting users felt coerced into agreeing. Privacy advocacy group noyb, which brought the complaint, argued that economic pressure undermines the principle of freely given consent. The court agreed, stating that charging users to protect their privacy creates an imbalance of power.
Importantly, the ruling rejected Der Standard's claim that granular consent was technically or economically unfeasible. The court emphasised that journalistic organisations are not exempt from GDPR obligations and that financial concerns cannot justify non-compliant practices.
The case is expected to be appealed to Austria's Supreme Administrative Court, and potentially escalated to the Court of Justice of the European Union ("CJEU"). If the CJEU takes up the case, it could set a binding precedent across the EU, clarifying the limits of consent-based monetisation models.
Across Europe, regulators are increasingly scrutinising similar models. Authorities in France, Belgium, and Germany have already taken enforcement actions against various cookie consent mechanisms. The ruling may accelerate a broader regulatory crackdown on designs that are perceived to pressure users into consenting. For businesses, this signals a shift: valid consent must be granular, informed, and free from coercion. Organisations relying on advertising revenue must now reassess their consent strategies, especially if they operate across multiple EU jurisdictions.
Alongside the phased application of the EU AI Act, another key piece of legislation takes effect across all EU Member States from 12 September 2025. The EU Data Act (Regulation (EU) 2023/2854) (the "Data Act") entered into force on 11 January 2024 and becomes directly applicable from 12 September 2025, with later application dates for certain provisions.
Although the Data Act has not received as much scrutiny as the EU's AI legislation or the data protection reforms in the UK, the scope of the Data Act is broad (covering both personal and non-personal data) and its provisions will have a material impact on businesses that manufacture data-driven products and services. The European Commission has stated that the Data Act will contribute to the establishment of an EU single market for data, by enabling greater transparency and access rights (for both consumers and businesses) to data that is generated from 'Internet of Things' products and related services.
In particular, the Data Act aims to mitigate the contractual imbalances in B2B data sharing arrangements that may impede equitable data sharing, by prohibiting 'unfair' contractual terms relating to access to and use of data. There are also specific obligations on cloud service providers intended to enable customers to switch easily between providers.
We expect to see Member States provide additional guidance or national legislation to complement the Data Act in the coming months (as well as set the parameters for the applicable penalties), but in the meantime businesses should assess the potential impact and seek to put in place compliance measures.
On 17 July 2025, the European privacy advocacy group, the European Center for Digital Rights ("noyb"), filed formal complaints with data protection authorities ("DPAs") in Greece, Belgium, and the Netherlands against TikTok, AliExpress, and WeChat (collectively, the "Companies"), respectively, alleging that all three Companies failed to comply with users' data access rights under the EU General Data Protection Regulation (the "GDPR").
The July complaints specifically target the Companies' failure to provide users with a full and intelligible copy of their personal data, as required by Article 15 of the GDPR. According to noyb, TikTok supplied only partial and unstructured data, making it difficult for users to interpret or verify processing activities; AliExpress sent a corrupted file that could only be opened once; and WeChat failed to respond to the access request altogether. In each case, follow-up queries from users were met with generic privacy policy information rather than the specific data required by law. The complaints therefore allege breaches of both Article 12 of the GDPR (requiring transparent, accessible and timely responses to data subject requests) and Article 15 (the right of access).
noyb has requested that the DPAs issue decisions confirming the violations, order the Companies to fulfil the access requests, and impose administrative fines to deter similar violations in the future. This marks a further escalation in noyb's efforts to hold non-EU technology companies accountable for GDPR violations.
On 16 June 2025, the Council of the European Union (the "Council") and the European Parliament (the "Parliament") reached a provisional agreement on a draft procedural regulation intended to reform the one-stop-shop mechanism under the General Data Protection Regulation (the "GDPR").
The proposed regulation (the "Regulation") was introduced by the European Commission in July 2023 to address longstanding challenges in cross-border GDPR enforcement by harmonising procedures, clarifying rights, and introducing rules to enhance efficiency, transparency, and cooperation among national data protection authorities ("DPAs").
The key features of the Regulation are as follows:
- Harmonised admissibility criteria for complaints: Cross-border complaints should be assessed consistently across all EU Member States, ensuring that admissibility is determined using uniform standards regardless of where a complaint is filed.
- Enhanced rights for complainants and organisations: Both complainants and investigated parties will benefit from enhanced procedural rights, including the right to be heard at key stages and to comment on preliminary findings before a final decision is made. Procedures for rejecting complaints have also been standardised, and common rules have been established for complainant involvement.
- Deadlines for investigations: Cross-border investigations must generally be completed within 15 months, with a possible 12-month extension for complex cases. Simpler cases handled under a streamlined cooperation procedure must be resolved within 12 months.
- Early resolution mechanism: DPAs may close cases swiftly when the alleged infringement has been remedied and the complainant does not object, thereby reducing administrative burdens and expediting outcomes.
- Role of the lead supervisory authority: The lead supervisory authority will be required to share a summary of key issues with other concerned DPAs early in the process to facilitate consensus and minimise protracted disputes.
- Simple cooperation procedure: For straightforward cases, DPAs may apply a simplified procedure that avoids unnecessary administrative steps, while still enabling additional cooperation mechanisms for more complex investigations.
Stakeholders have generally welcomed the Regulation as a significant step forward. Markéta Gregorová, the Parliament's rapporteur, highlighted the introduction of enforceable deadlines and stronger rights for all parties, stating that the reforms will make the system "faster, fairer, and more transparent." However, some privacy advocacy groups, including noyb, have criticised the Regulation for potentially introducing excessive complexity and protracted procedures, so legal challenges cannot be ruled out.
The Regulation must now be formally adopted by both the Council and the Parliament before it can enter into force, and once adopted, the Regulation will be directly applicable across the EU.
The Information Commissioner's Office ("ICO") has published an explanation of its decision not to take further regulatory action over a Ministry of Defence ("MoD") data breach in 2022, in which the personal details of thousands of Afghans connected to the Afghan Relocations and Assistance Policy ("ARAP") were exposed. Reporting of the breach was restricted by a court injunction widely described as a "super-injunction". Unusually, after a two-year engagement with the MoD under strict court and classification constraints, the ICO elected not to take further regulatory action against the MoD, while emphasising the preventative lessons learned.
This decision follows earlier enforcement by the ICO against the MoD. In December 2023, the regulator fined the department £350,000 for a separate ARAP-related breach in 2021, when email recipients under the ARAP programme were exposed to one another. The ICO highlighted the absence of appropriate technical and organisational measures and recommended bulk-mail tools, secure transfer, and a 'second pair of eyes' control for high-risk communications.
The ICO explained its decision not to take further action with respect to the 2022 breach was predicated on several factors:
- The mitigation measures implemented by the MoD, working with the ICO, at significant cost to the public purse. Further, the ICO had already fined the MoD in 2023 for the earlier ARAP breach. With the risk of recurrence addressed and a penalty for the mishandling of ARAP data already imposed, the ICO considered that a further fine would not be in the public interest.
- The super-injunction and the classified nature of the information meant that a full investigation would have required diverting a limited pool of staff with the requisite security clearances from other matters; in total, the ICO reported that only five members of its staff were "read on".
- The breach was caused by the mishandling of a spreadsheet containing hidden sensitive data, which was shared "for a legitimate operational reason under the pressures of a military operation." The MoD only became aware that the data had surfaced online in August 2023 and notified the ICO within 72 hours, as the UK GDPR requires.
Faced with these factors, the ICO decided that opening a separate, resource-intensive investigation would add little beyond what had already been achieved through close oversight of the MoD's internal work, and therefore took no further regulatory action.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.