
Each month, the Data4Coffee newsletter delivers the most important data news. Don't miss out on key information!
To receive it, please fill in this form.
[October 15] The Council of State (Conseil d'État) rejected Apple's appeal against the sanction imposed by the CNIL in December 2022. The CNIL had imposed a fine of 8 million euros for reading and writing data on users' devices, for targeted advertising purposes, without their prior consent. The Council of State confirmed the CNIL's competence: although the processing was managed by a foreign company, it was linked to establishments located in France and therefore fell within the scope of national law. It also found that the sanction procedure had been fair, that the rights of the defence had been respected, and that the breach was established. The fine was accordingly confirmed as "effective, proportionate and dissuasive" in accordance with the GDPR criteria.
Source: France, Council of State, 10th and 9th combined chambers, October 15, 2025, No. 473833
[November 3rd] Since November 3, 2025, LinkedIn has been using, by default and without explicit consent, a large part of its European users' data (profile, posts, likes, comments, location, activity history) to train its artificial intelligence models. LinkedIn relies on its "legitimate interest" within the meaning of the GDPR, a legal basis that requires a balancing test between the company's interests and users' rights. LinkedIn has, however, excluded private messages and salary information. From a legal perspective, this raises questions: reliance on legitimate interest requires solid justification, and without explicit consent the balance of interests is fragile, which could expose LinkedIn to challenges. Users retain the right to object: simply uncheck the option "Use my data to train content creation AI models" in the privacy settings to refuse this use of their data.
Source: LinkedIn siphons user data to train AIs - L'INFORMATICIEN & L'INFO CYBER-RISQUES
For more information on the use of legitimate interest to train an AI, see our article.
[November 5th] In cooperation with the Ministry of Labour, AFCDP and Afpa, the CNIL is launching a survey to measure the impact of AI on the practices, skills and responsibilities of DPOs. The objective is to identify how AI governance methods integrate the role of the DPO, and to determine DPOs' training and tooling needs. At the same time, the gradual entry into force of the AI Act requires the DPO to be involved from the very start of discussions on the processing of personal data by artificial intelligence systems. The conclusions, expected in the first half of 2026, will guide the CNIL's recommendations on the use of AI.
For more information on GDPR compliance for data processing involving AI, see our article.
[November 5th] The CNIL (via its Digital Innovation Laboratory, the "LINC") has published a national map of Health Data Warehouses (EDS), identifying health databases intended for research, management or evaluation. The map lists 125 EDS (being deployed or in operation) run by 102 public, private or non-profit actors, and makes it possible to visualise their location, legal status, manager, type of warehouse and date of compliance. The purpose of publishing this map is twofold: to increase transparency on the use of health data, and to offer researchers a tool for identifying databases relevant to their work.
Source: Explore the mapping of health data warehouses in France | CNIL
For more information on the processing of health data, see our two articles (1 and 2) on the collection of health data and the regulations governing their treatment.
[November 7th] The French Shooting Federation has announced that a computer intrusion that occurred between 18 and 20 October 2025 led to a breach of the personal data of its licence holders (surname, first name, date and place of birth, postal address, email address, telephone number and licence number). No sensitive data (medical, banking, or relating to the possession of weapons) is reported to be affected. In accordance with the GDPR, the federation informed the persons concerned individually, notified the CNIL and filed a complaint. An investigation has been opened by the prosecutor's office and the brigade specialising in cybercrime. The main risk identified is phishing attacks and scams exploiting the exposed data; the organisation advises its licence holders to be vigilant against suspicious calls, text messages or emails.
[November 22] A recent overview of cybersecurity incidents in France shows several massive leaks of personal data affecting a variety of organisations: logistics operators, public services, healthcare, etc. Among the victims are Eurofiber France, Colis Privé, Urssaf and medical laboratories, for which names, addresses, social security numbers or sensitive information were compromised. These incidents show the extent and diversity of the targets, ranging from service providers to public institutions, and suggest a widespread weakening of the IT security chain in France. For the organisations concerned, this is a stark reminder of the importance of data governance and of the shared responsibility between controllers and their processors and subcontractors.
Source: Cyberattacks in France: the latest data breaches and affected businesses
[November 17] Based on a survey conducted in December 2024 among 2,082 French people, the CNIL examined the willingness of French people to sell their personal data. According to the authority, 65% of respondents say they are ready to monetise their data; among them, the valuation most often mentioned is between €10 and €30 per month, while 14% ask for more than €200. However, 35% categorically refuse any monetisation, regardless of the amount. The CNIL recalls that no current legal framework allows a person to transfer "ownership" of their personal data: at most, limited forms of "use" may be granted, while the fundamental rights (access, rectification, erasure) are preserved. Monetisation, even where granted, must comply with the requirements of applicable law (in particular the GDPR).
Source: Monetizing personal data: how much is our data worth? | CNIL
[November 25] On November 25, Thales and Dassault Aviation announced a strategic partnership for the development of controlled and supervised AI for defence aeronautics. The collaboration aims to cover all the functions needed to conduct modern air operations, such as the observation and exploitation of multi-sensor data, real-time analysis of the operational situation, algorithmic decision support and tactical planning. While this partnership marks an opening of defence systems to AI, both companies insist on human supervision and the traceability of decisions.
[November 25] Bleu, a sovereign cloud born from the alliance between Orange and Capgemini, aims to offer Microsoft 365 and Microsoft Azure services in a highly secured environment currently undergoing SecNumCloud qualification with ANSSI. Orange Business announced that it carried out an in-depth analysis of more than 400 applications before opting for a hybrid cloud strategy, migrating its critical applications to Cloud Avenue, its private cloud solution, and the rest of its infrastructure to Bleu. This migration illustrates a cloud modernisation strategy that also promotes and strengthens data security, sovereignty and compliance.
[November 26th] The CNIL has issued a reminder that dating sites and applications often collect a great deal of personal data (photos, tastes, age, sexual orientation, location, etc.) likely to reveal users' private lives, including sensitive data. To limit the risks, the supervisory authority recommends in particular using a pseudonym rather than a real name and choosing a strong, unique password. The CNIL also advises checking the site's terms of use: they must set out users' rights (access, rectification, erasure) and clearly state whether and how data is shared with third parties. Finally, the CNIL warns about the dangers of publishing sensitive data or intimate photos: in the event of hacking or a leak, this information can be used for malicious purposes.
Source: Dating sites and apps: how do you protect your privacy? | CNIL
[November 26th] In a dedicated article, the CNIL warns about the extent of the risks that cyberattacks pose to personal data and to individuals' daily lives. A survey conducted in December 2024 among more than 2,000 French people reveals that 41% have already experienced fraudulent use of their data, and that 21% have lost money, with an average loss of €740. The forms of harm are varied: identity fraud, unsolicited canvassing, disclosure of confidential information, blackmail or harassment. Beyond the financial harm, a psychological impact (stress, anxiety) is common, and many people stop using digital services because of a loss of trust. The CNIL stresses that this climate of mistrust weakens the digital economy and undermines trust in online services. The supervisory authority therefore recommends implementing appropriate technical and organisational measures, in line with GDPR obligations, and raising awareness among citizens and professionals to improve resilience against cybercrime.
Source: Cybercrime: risks and consequences for personal data | CNIL
[November 27th] A check by the CNIL revealed that the Vanityfair.fr site placed non-essential cookies on French users' terminals without their prior consent, contrary to the requirements of Article 82 of the French Data Protection Act ("Informatique et Libertés"), which transposes the e-Privacy Directive. The company had failed to obtain free, informed and specific consent before reading or writing trackers. In addition, the authority considered that the information provided to users was not sufficiently clear or complete as to the purposes of the cookies and the third parties likely to use them, which undermines the validity of the consent.
[November 4] The Austrian supervisory authority has ruled on the need for valid consent in the area of personalised advertising. When registering consumers, the operator of a loyalty programme collected their consent to the use of their data for profiling purposes, and on that basis carried out automated analyses of consumers' purchasing behaviour in order to personalise advertising. After an investigation, the Austrian data protection authority concluded that the consent, which was bundled with registration and with acceptance of the terms and conditions and the privacy policy, was invalid. The Austrian Administrative Court upheld this decision: the visual presentation of the operator's website did not make the consent clear or distinct, and the persons concerned could not reasonably understand that they were consenting to profiling. This decision recalls the rules on consent and the importance of separating information on the processing of personal data from commercial information.
Source: VwGH — Ro 2023/04/0045 | GDPRhub
[November 4] The European Data Protection Board (EDPB) has unanimously adopted a favourable opinion on the European Commission's draft adequacy decision for Brazil under the GDPR. The opinion recognises that the Brazilian legal framework offers guarantees that are essentially equivalent to those required in Europe. In practice, the decision would facilitate transfers of personal data from the European Union to Brazil without requiring additional safeguards. However, the EDPB draws attention to a few points requiring vigilance: the obligation to carry out impact assessments where the processing warrants it, transparency around trade secrets, the supervision of onward transfers, and public authorities' access to the data concerned.
[November 5th] The EDPB has launched a public consultation entitled "Help make GDPR compliance easy for organisations" in order to gather the needs of stakeholders (companies, DPOs, associations, etc.) for standard documents to support GDPR compliance. The objective is to create ready-to-use operational templates (privacy notice, record of processing activities, impact assessment, data breach notification, etc.) to reduce the documentation burden on organisations. The first templates planned are data protection impact assessment (DPIA) forms and data breach notification forms. This initiative follows the approach endorsed by the Helsinki Declaration: making the GDPR more accessible, in particular to small and medium-sized organisations. By offering standardised tools, the EDPB aims to harmonise practices across the European Union and give organisations greater legal certainty. The consultation closed on 3 December 2025.
[November 7th] In a case concerning the processing of personal data by an application operated by the Chinese company Ninebot (Beijing) Tech. Co Ltd for the activation of an electric scooter, a consumer brought an action against Segway Europe B.V., identified in the privacy policy as the European representative of the data controller. Ruling on the dispute, the Vienna Court of Appeal recalled that the representative appointed under Article 27 of the GDPR serves only as a point of contact for the competent authorities and the data subjects. As such, it has no power to receive procedural documents, such as a summons, in the name and on behalf of the data controller, unless national law provides otherwise.
Source: OLG Wien — 11 R 75/25y | GDPRhub
[November 11] Injured during a parachute jump, a data subject asked the Royal Netherlands Aviation Association, as part of his right of access, to provide the incident report relating to his injury. The data controller refused, on the grounds that the information was confidential. The Dutch court hearing the case upheld the controller's refusal for reasons of public safety, pursuant to national aviation safety regulations. With this decision, the Dutch court holds that public interests may prevail over the personal interests and right of access of a data subject.
Source: Rb. Zeeland-West-Brabant — C/02/437570/HA RK 25-163 (E) | GDPRhub
[November 13] In a recent case, the CJEU ruled on the practices of Inteligo Media SA, an online news publisher that informs the public about legislative developments in Romania. Before the Romanian courts, and then before the CJEU, the question arose as to the lawfulness of sending a newsletter, without consent, to users who had created a free account on the Inteligo Media platform. The CJEU held that the user's email address had been collected in the context of the sale of a product or service, since the user had created an account on the publisher's platform giving free access to a certain number of articles and to a free daily newsletter. Sending the newsletter therefore constitutes direct marketing of similar products or services within the meaning of the e-Privacy Directive, for which prior consent is not required. This decision illustrates the distinction between the consent rules of the GDPR and the specific rules governing commercial prospecting under the e-Privacy Directive.
[November 17] The Council of the European Union has adopted a new framework designed to streamline the handling of cross-border complaints concerning the protection of personal data. The admissibility criteria for a complaint will now be harmonised throughout the Union, regardless of the Member State in which it is lodged. The text strengthens the rights of complainants and of the entities under investigation: everyone will have the right to be heard and to be informed of the provisional conclusions before a final decision is taken. For simple cases, a simplified cooperation procedure may be used, avoiding cumbersome administrative steps.
[November 19] The European Commission has presented a comprehensive “digital package” to ease the administrative obligations of businesses and to stimulate innovation in the EU. This system includes a “Digital Omnibus” aimed at simplifying and harmonizing rules relating to artificial intelligence, cybersecurity, data and privacy protection, while maintaining a high level of guarantees for fundamental rights. The reform includes adapting the obligations imposed on small and medium-sized enterprises, such as reducing technical documentation requirements and opening regulatory “sandboxes”. For cybersecurity, a one-stop shop will be created to report any incident, simplifying the obligations that until now fell under several regimes (cyber risks, data protection, etc.). The Digital Omnibus also makes changes to the GDPR, in particular by opening up possibilities for the processing of personal data for the purposes of developing and operating AI systems and models.
Source: Simpler EU Digital Rules and New Digital Wallets to Save Billions for Businesses
For more information on the changes brought to the GDPR by the Digital Omnibus, see our article.
[November 19] The European Commission has published non-binding model contractual clauses intended to govern data access, data sharing and cloud services under the Data Act. These "standard clauses" cover various scenarios: transfer of data from the data holder to a user, onward sharing with a third party, and use via cloud services, with technical and contractual safeguards. The models aim to provide a framework for drafting contracts that comply with the principles of non-discrimination, fairness and transparency required by the Data Act.
[November 20] In a recent ruling, the CJEU specified the conditions under which Member States may collect and store biometric and genetic data in criminal proceedings. The case concerned a Czech official whose fingerprints, photographs and DNA were collected despite his refusal; the data were subsequently erased, and the police contested that decision. The Court ruled that systematic collection of such data from every accused or suspected person is not prohibited, but that it must remain strictly proportionate to the security objectives pursued and respect the safeguards applicable to sensitive data. The Court also accepted that the absence of a maximum retention period may be compatible with EU law, provided that the law requires regular reviews of whether keeping the data remains necessary.
Source: C-57/23, CJEU, November 20, 2025
[November 22] SitusAMC, a leading provider of investment advisory, outsourcing, talent management and technology solutions, is a key service provider to the real estate finance industry in the United States. On November 22, 2025, SitusAMC was the target of a cyberattack that resulted in unauthorised access to the company's computer systems. Accounting documents and contracts were reportedly exposed in the incident. While the FBI, which is investigating the attack, says it has seen no operational impact on banking services, Wall Street players are concerned about the possible exposure of borrower data and its potential use in targeted phishing campaigns. Given the sensitivity of financial data, US supervisory authorities have for several years been working to strengthen the security obligations of critical service providers to financial institutions.
[November 24] The NATO Communications and Information Agency has signed a multi-million dollar contract with Google Cloud to deploy the air-gapped Google Distributed Cloud (GDC) infrastructure, a sovereign cloud solution that is completely isolated from the Internet and from public clouds. This type of infrastructure, which significantly reduces the exposure to cyberattacks, allows NATO to modernise its operational capabilities and handle classified workloads while retaining full control over its data flows and systems. NATO also intends to integrate AI and analytics tools into this cloud infrastructure to detect threats faster and improve decision-making during incidents.
[November 27th] OpenAI has confirmed that a data breach at one of its analytics providers, Mixpanel, resulted in the exfiltration of a data set containing some information about API customers. According to the company, no user of the ChatGPT consumer application is affected: the breach concerns only API users, namely developers or companies integrating OpenAI technologies into their own applications. OpenAI states that it has removed Mixpanel from its production services, audited the exposed data and worked with its partners to determine the extent of the incident, while notifying those concerned.
Source: OpenAI confirms a data leak on ChatGPT: everything we know | Euronews
Caroline Chancé, Jeannie Mongouachon, Clémentine Beaussier, Victoire Grosjean and Juliette Lobstein