ARTICLE
29 September 2025

Dechert Cyber Bits - Issue 82 - September 25, 2025

Dechert
Dechert is a global law firm that advises asset managers, financial institutions and corporations on issues critical to managing their business and their capital – from high-stakes litigation to complex transactions and regulatory matters. We answer questions that seem unsolvable, develop deal structures that are new to the market and protect clients' rights in extreme situations. Our nearly 1,000 lawyers across 19 offices globally focus on the financial services, private equity, private credit, real estate, life sciences and technology sectors.

EU Court Upholds EU-US Data Privacy Framework (For Now)

The EU's General Court has dismissed an action for annulment of the EU-U.S. Data Privacy Framework ("DPF"). Member of French Parliament, Philippe Latombe, brought an action in his personal capacity seeking annulment of the European Commission's 2023 adequacy decision for the DPF. Mr. Latombe's primary arguments were that: (i) the Data Protection Review Court ("DPRC"), a redress mechanism under the DPF, is neither impartial nor independent, but dependent on the executive; and (ii) the practice of U.S. intelligence agencies of bulk data collection without prior authorization is insufficiently constrained and therefore illegal.

The Court dismissed these claims, finding that: (i) there were sufficient safeguards to ensure the independence of the DPRC, notably that judges are removable by the U.S. Attorney General only where justified, that there are protections from undue influence, and that the European Commission continuously monitors the framework; and (ii) after-the-event judicial review by the DPRC is required in the case of bulk data collection, which provides a level of protection essentially equivalent to that provided under EU law.

The judgment may be appealed to the Court of Justice of the European Union ("CJEU"). In the meantime, the adequacy decision for the DPF remains effective and businesses may continue to rely on it for their transatlantic data transfers.

Takeaway: The ruling stabilizes the DPF in the near term, which will be welcomed by those businesses whose operations rely on the DPF for the transfer of data between the EU and the U.S. However, a CJEU appeal remains a live risk, as inevitably does alternative action by Max Schrems. Businesses reliant on the DPF will want to continue to review their backup options such as standard contractual clauses and keep their transfer impact assessments up to date to mitigate transfer risks.

FTC Reaches $10 Million Settlement with Disney for Alleged COPPA Violations

On September 2, 2025, the U.S. Federal Trade Commission ("FTC") announced a stipulation and proposed order ("Proposed Order") with Disney Worldwide Services, Inc. and Disney Entertainment Operations LLC (collectively, "Disney") that addresses allegations that Disney, among other things, violated the Children's Online Privacy Protection Act ("COPPA") by collecting personal data from children who viewed videos directed to children on YouTube.

According to its complaint ("Complaint"), the FTC alleged, among other things, that Disney violated COPPA by failing to properly label videos that it uploaded to YouTube as "Made for Kids" ("MFK") or "Not Made For Kids" ("NMFK") to indicate whether the videos were subject to COPPA compliance requirements. YouTube requires this designation from its users pursuant to a 2019 proposed settlement with the FTC. Disney's allegedly improper designations allowed it to collect personal data from children under 13 and use that data for targeted advertising purposes. The FTC alleged that Disney did not comply with COPPA through its failure to: (i) provide direct notice to parents of the information collected online from children and how such information is used or disclosed; (ii) provide online notice of information practices with respect to children; and (iii) obtain verifiable parental consent before any collection, use or disclosure of personal information from children. Disney has not admitted any wrongdoing in connection with the matter.

Under the Proposed Order, Disney would be required, among other things, to implement and maintain for ten years a program to review whether videos posted to YouTube should be designated as MFK, unless YouTube implements age assurance technologies. Disney would also be required to: (i) comply with COPPA, including by notifying parents before collecting personal information from children under 13 and obtaining verifiable parental consent for collection and use of that data; and (ii) pay a civil monetary penalty in the amount of US$10 million.

Takeaway: The FTC's Proposed Order against Disney for alleged COPPA violations highlights the agency's ongoing focus on children's privacy, particularly regarding child-directed content labeling, parental notices and consents, and targeted advertising practices. The case also signals the FTC's interest in emerging age-assurance technologies, including AI-based methods, as potential tools for enhancing compliance. It is prudent for companies to evaluate whether adopting such technologies could mitigate regulatory risks and streamline COPPA compliance in an increasingly scrutinized digital landscape.

No More Games: Apitor Settlement Clarifies FTC's Prohibitions on Third-Party Data Sharing under COPPA

On September 2, 2025, the FTC announced a proposed settlement order ("Proposed Order") with Apitor Technology Co. Ltd. ("Apitor"), which sells robot toys targeted to children ages six to fourteen, to resolve allegations that Apitor had violated COPPA.

According to the complaint ("Complaint"), to program Apitor toys to move, users had to download and operate an application called "Apitor Kit." The application required Android device users to enable location permissions, which resulted in the collection of their location information. Apitor also integrated a Chinese third-party software development kit ("SDK") called "JPush," which collected precise geolocation data and used it for various purposes, including targeted advertising. The Complaint alleged that Apitor failed to: (i) notify parents and obtain their consent before collecting, or allowing a third party to collect, geolocation data from children as required by COPPA; (ii) disclose to users that the application allows a third party to collect precise geolocation data; and (iii) obtain verifiable consent from parents to collect precise geolocation data from children. Apitor has not admitted any wrongdoing in connection with the matter.

Under the Proposed Order, Apitor would be required to: (i) make reasonable efforts to ensure that parents receive direct notice of Apitor's data collection practices; (ii) post a clear and conspicuous link to an online notice of its information practices with respect to children on the home page of its website or online service and at the point of data collection; and (iii) obtain verifiable parental consent before any collection, use or disclosure of personal information from children. Importantly, the Proposed Order would also require Apitor to ensure that any third-party software it uses is also in compliance with COPPA. "COPPA is clear: Companies that provide online services to kids must notify parents if they are collecting personal information from their kids and get parents' consents—even if the data is collected by a third party," said Christopher Mufarrige, Director of the FTC's Bureau of Consumer Protection, in a related statement.

Takeaway: The Apitor settlement highlights the FTC's continued focus on children's online privacy generally. More specifically, it underscores the agency's intent to apply COPPA obligations to third-party software and services embedded in products, in addition to requiring that companies have documented parental notices and consents and transparency around data collection. Companies interacting with children would be wise to exercise heightened caution, in particular in vendor due diligence, to confirm that third-party providers (including embedded SDKs) are both capable of and actively complying with COPPA requirements, not only to stay off the FTC's radar screen but also to stay out of the crosshairs of plaintiffs' firms.

When is Pseudonymized Data Personal? EU Court Provides (Some) Clarity

On September 4, the Court of Justice of the European Union ("CJEU") clarified questions around pseudonymization and personal data in an appeal from the EU General Court. The case centered around a complaint that the data controller had not explained disclosure of certain comments/opinions in its privacy notice (for further background on the dispute and the General Court decision, see our previous OnPoint). The CJEU has now set aside the General Court's judgment.

The CJEU (unsurprisingly) confirmed that personal opinions constitute personal data as they are necessarily closely linked to a person. It also agreed with the General Court that pseudonymized data is not always personal data, as pseudonymization can be carried out so as to effectively mean that the data subject is not identifiable to others – this must be assessed on a case-by-case basis.

However, the CJEU disagreed with the General Court on the viewpoint from which to consider that question. The General Court had held that the relevant perspective for assessing the identifiable nature of the data subject was that of the transferee, while in the CJEU's judgment, the relevant perspective was that of the controller at the time of the collection of the data from the data subject.

The CJEU emphasized the importance of this timing given the obligation to provide privacy notice information to data subjects, including information about potential recipients. Thus, if an organization discloses personal data (personal to them, at least) to another party, that organization must cover this disclosure in its privacy notice, even if the data has been sufficiently pseudonymized so as to be anonymous to the recipient.

Takeaway: The CJEU's ruling somewhat shifts the balance back in favor of protections for data subjects. It does leave open questions as to how this scenario would be addressed in the context of other GDPR obligations, for example, whether or not a data processing agreement would still be required. In practice, it's likely that these will still be entered into "just in case". Businesses will want to review their privacy notices in relation to disclosures of data and consider if pseudonymized disclosures are adequately covered.

UK Court of Appeal Clarifies GDPR Rules on Compensation for "Non-Material Damage"

In Farley v Paymaster (1836) Ltd (t/a Equiniti) [2025] EWCA Civ 1117, the UK Court of Appeal allowed an appeal against the High Court's strike out of most data protection claims made by 432 pension scheme members whose annual benefit statements were sent to outdated addresses. They claimed that this caused them to suffer "anxiety, alarm, distress and embarrassment" for fear that their personal data may have passed to unknown third parties. The High Court had struck out most claims on the basis that the claimants could not prove that their data had been disclosed, and the key question here was whether fear of possible third-party misuse of data counted as "non-material damage" under the GDPR such that it was eligible for compensation.

Following EU case law, the Court of Appeal confirmed that there is no "threshold of seriousness" under the GDPR, but the claimant must be able to prove at least non-material damage. The Court held that compensation may be awarded for non-material damage, including fear of consequences, where that fear is objectively well founded (but not if purely hypothetical or speculative). It remitted the case to the High Court to assess, claim by claim, whether each claimant had set out a reasonable basis to fear misuse of their personal data. The relevant recent EU case of Quirin found that non-material damage can in principle encompass negative feelings (such as fear or annoyance), provided the data subject can demonstrate such feelings, with their negative consequences, on account of the infringement.

Finally, the Court also rejected an argument under the principle that sufficiently trivial claims can be dismissed as an abuse of process: modest damages alone do not justify dismissal. The Court outlined that, instead, the correct approach is proportionate case management. As a class, the claims were not abusive, though individual cases may still be scrutinized.

Takeaway: The Court was clearly very conscious of the potential consequences of choosing to divert from EU case law on this issue, noting that a "judicial decision to do so would call for sufficiently compelling legal reasons...it makes good legal sense for the court to interpret and apply the GDPR in conformity with settled CJEU jurisprudence." While the Court may have confirmed that there is no official "threshold of seriousness", it has in effect shifted the test to instead be one of whether there is an objective basis for non-material damage in the first place. This will now become the key battleground in compensation claims, much as it is in the United States through the equivalent "standing" threshold as to whether there is sufficient injury for class action litigation to survive a motion to dismiss.

Dechert Tidbits

FTC Investigates Consumer-Facing AI Chatbots

The FTC is issuing 6(b) orders to seven companies that operate consumer-facing AI-powered chatbots, including: Alphabet, Inc.; Character Technologies, Inc.; Instagram, LLC; Meta Platforms, Inc.; OpenAI OpCo, LLC; Snap, Inc.; and X.AI Corp. Through this inquiry, the FTC is looking to understand the steps that companies have taken to evaluate the safety of their chatbots when acting as companions, to limit their use by and potential negative effects on children and teens, and to inform the public of the risks associated with the products.

EU Commission to Adopt Adequacy Decision With Brazil

On September 5, the European Commission announced it has launched the process to adopt a data protection adequacy decision with Brazil after having determined that the Brazilian legal framework provides an adequate level of data protection that is comparable to that of the EU. The Brazilian authorities have also initiated a process for an equivalent decision for the EU. In terms of next steps, the draft adequacy decision will be sent to the European Data Protection Board for its opinion, and approval from a committee of representatives of EU member states will be sought.

U.S. Supreme Court Stays Reinstatement of FTC Commissioner Slaughter

On September 22, 2025, in a brief, unsigned order, the U.S. Supreme Court allowed President Donald Trump to remove FTC Commissioner Rebecca Slaughter, halting the lower court's order that had reinstated her. The Court will hear arguments in December on whether statutory removal protections for FTC Commissioners violate the separation of powers and whether courts can block such removals. The decision could overturn the U.S. Supreme Court's 1935 decision in Humphrey's Executor v. United States, which held that FTC commissioners could only be removed for "inefficiency, neglect of duty, or malfeasance in office."

UK ICO Publishes Final Encryption Guidance

The UK Information Commissioner's Office has finalized its encryption guidance following the public consultation. See our prior issue of Cyber Bits for further information. The updated guidance includes scenarios illustrating when and how to deploy encryption.

We are honored to have been recognized in The Legal 500, Chambers USA, nominated by The American Lawyer for the Best Client-Law Firm Team award with our client Flo Health, Inc., and named Law360 Cybersecurity & Privacy Practice Group of the year! Thank you to our clients for entrusting us with the types of matters that led to these recognitions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
