Each month, we deliver the essential data-related news in our Data4Coffee newsletter. Don't miss out on key information!
To receive it, please fill in this form.
[April 29] In 2024, the CNIL stepped up its enforcement, issuing 87 sanctions totalling more than 55 million euros in fines and 331 corrective measures, illustrating increased vigilance in the face of breaches of the GDPR. Its commitment has also been expressed in supporting artificial intelligence actors, through initiatives such as the “sandbox” dedicated to public services and the publication of fact sheets, recommendations and questions and answers.
Source: Annual report: the results and the major actions of the CNIL in 2024 | CNIL
[April 30] The Court of Cassation has published a report entitled “Court of Cassation and Artificial Intelligence: Preparing the Court of Tomorrow”, the result of a multidisciplinary working group commissioned in May 2024. This report identifies use cases of AI adapted to the specific needs of the Court, such as the pseudonymization of decisions, assistance with case law research, analysis of documents and drafting assistance. It explicitly excludes decision-making tools, in order to preserve the independence of the judge. Each use case was evaluated according to five criteria: ethical, legal, functional, technical and economic. The report insists on the need for rigorous governance, proposing the creation of an internal supervisory committee to ensure transparent deployment that respects fundamental rights.
Source: Artificial intelligence: submission of the AI report | Cour de cassation
[April 30] Faced with a resurgence of data breaches in 2024, the CNIL warns of recurring security failures: compromised credentials, late detection of intrusions and insufficient measures on the part of processors. It recalls that the GDPR requires controllers and their processors to guarantee an appropriate level of security, in particular through appropriate technical and organizational measures. The CNIL states that “processing a very large amount of personal data involves implementing reinforced security measures”; according to the authority, “customer” databases and CRMs are therefore concerned. It also highlights “essential” measures: multi-factor authentication, logging and limiting of data flows, regular awareness-raising of users tailored to their profiles, and a contractual data-security framework with processors.
Source: The CNIL gives its instructions to strengthen the security of large databases | CNIL
[May 6] The CNIL recalls that so-called “augmented” cameras, which integrate artificial intelligence to analyze customer behavior at self-checkouts (detection of unscanned items, fraud, etc.), may only be used under strict conditions. Under no circumstances may these devices identify people in real time or perform facial recognition. Individuals must be informed in a visible and understandable way. The CNIL lists the guarantees retailers must put in place, such as limiting the data retention period and the camera's field of view, and excluding any automatic consequences for customers.
Source: Augmented cameras at automatic checkouts: what are your rights? | CNIL
To find out more about the legal and regulatory framework for smart cameras in public spaces, consult our article on this subject.
[May 7] The latest version of the government doctrine “Cloud at the center” (Cloud au centre) imposes on ministries a high level of hosting security, requiring them to ensure that applications used to process sensitive data meet the requirements protecting against any unauthorized access by public authorities of a third country, in particular the United States. This level of requirement is found in offers that have obtained the SecNumCloud visa, issued by the National Agency for Information Systems Security (ANSSI) after a rigorous procedure attesting to the highest level of security for data hosted in a cloud. As of May 31, 2025, the ministerial budgetary and accounting controllers (CBCM) will have to obtain the prior opinion of the Interministerial Digital Directorate (Dinum) for any purchase of cloud services, subject to specific exceptions. This measure implements the SREN law of May 21, 2024, aimed at strengthening the State's digital sovereignty.
Source: Exit American clouds, ministries urged to use SecNumCloud solutions | L'Usine Digitale
[May 7 and 9] On May 7, 2025, the Paris Court of Appeal found Forseti, publisher of the Doctrine.fr platform, liable for unfair competition against five traditional legal publishers (Dalloz, Lexbase, LexisNexis, Lextenso and Lamy Liaisons). Between 2016 and 2019, Forseti unlawfully collected hundreds of thousands of court decisions without the authorization of the court registries, giving itself an unfair competitive advantage. The company will have to pay between €40,000 and €50,000 to each of the claimants and post the decision on its site for 60 days. Two days later, a former Doctrine employee was sentenced to an 18-month suspended prison sentence and a €15,000 fine for having fraudulently extracted 52,000 judgments from the Poitiers Judicial Court in 2018 by impersonating a judicial assistant and using a court clerk's credentials. Doctrine indicated that it had “immediately dismissed” this employee as soon as it learned of the accusations against him.
Sources:
[May 15] The CNIL sanctioned CALOGA with a fine of €80,000 for having conducted electronic commercial prospecting campaigns without valid consent and for having transmitted personal data to partners without an appropriate legal basis. CALOGA, specialized in the acquisition of data from data brokers, used information collected via misleading online forms (competitions, product tests) that did not allow free and informed consent. The CNIL considered that the contractual guarantees and the controls carried out by CALOGA were insufficient to ensure the validity of the consent of the persons concerned. In addition, the company did not allow users to easily unsubscribe from all of its databases, making withdrawing consent more complex than giving it. It also kept prospects' data for an excessive amount of time, extending the retention each time an email was opened, even if unintentionally.
Source: Data brokers: fine of 80,000 euros against CALOGA | CNIL
[May 15] Although the education sector involves processing a great deal of personal data, both at school enrolment and through the use of digital learning environments, the CNIL has found that, over the past five years, the number of data breach notifications (around 30 per year) did not reflect the daily reality of schools. To support the actors in these establishments (DPOs, school directors, head teachers and administrative staff), the CNIL has published two guides that identify what constitutes a data breach and detail the actions to take when one occurs. Through five typical situations, the CNIL hopes to bring the number of notifications into line with the breaches that actually occur.
Source: National education: the CNIL publishes two practical guides on data breaches | CNIL
[May 19] The CNIL is enriching its MOOC “GDPR Workshop”, free and accessible to all, with a sixth module entirely dedicated to HR data processing, covering around twenty hours of self-training. This module, designed by lawyers from the CNIL, guides step by step the management of professional data, from recruitment to the end of the contract, including personnel management, equipment, social dialogue and the exercise of employee rights.
To find out more about managing employee access rights, consult our article on the subject.
[May 19] As of June 2, 2025, Vincent Villette will succeed Louis Dutheillet de Lamothe as Secretary General of the CNIL. Currently financial and legal director of the National Center for Cinema and the Moving Image (CNC), Vincent Villette was appointed head of the Council of State's Center for Legal Research and Dissemination in 2018, where he oversaw the production, analysis and promotion of that court's case law, and public rapporteur to the 1st chamber of the litigation section in 2020.
[May 21] The CNIL imposed a fine of 900,000 euros against SOLOCAL MARKETING SERVICES, as well as an injunction to stop conducting commercial prospecting operations by electronic means in the absence of valid consent, accompanied by a penalty of 10,000 euros per day of delay at the end of a period of 9 months. The SOLOCAL company purchased prospect data from brokers whose data collection forms appear to be misleading and do not allow free and unequivocal consent to be obtained. Since the company could not demonstrate the valid consent of prospects before conducting its prospecting campaigns, the CNIL considered that the company had failed to meet its obligations in terms of collecting and proof of consent to receive prospecting by electronic means.
Sources: Deliberation SAN-2025-001 of 15 May 2025, CNIL
Data brokers: penalty of 900,000 euros against SOLOCAL MARKETING SERVICES | CNIL
[May 22] Since January 2025, the CNIL has issued ten sanction decisions under its simplified procedure, six of them concerning the monitoring of employees. From video surveillance to the geolocation of employee vehicles, the CNIL identified numerous breaches of the data minimization principle and had to recall the prohibition on systematic surveillance of employees, as well as the prohibition on keeping video images or geolocation data beyond what is necessary. The CNIL also sanctioned data security failures and failures to notify and communicate a data breach to the persons concerned.
Source: Ten new sanctions pronounced by the CNIL in 2025 as part of the simplified procedure | CNIL
[May 23] Granting credit involves complex personal data processing, in particular when assessing the applicant's repayment capacity, which is now often partially or fully automated. To increase the transparency and compliance of data processing in this sector, the CNIL is proposing a draft framework for organizations authorized to grant loans (mortgage and consumer loans). Developed in consultation with financial-sector players through the CNIL's “compliance club”, the framework offers concrete recommendations on collecting relevant data, using scoring tools, data minimization, transparency of processing and retention periods.
The consultation is open to all stakeholders concerned until 18 July 2025. The contributions will make it possible to refine the framework before its final adoption, thus offering a clear framework for financial organizations while guaranteeing the respect of the rights of the persons concerned.
Source: Granting of credit: the CNIL launches a public consultation on its draft framework | CNIL
[April 29] In an opinion of 17 April 2024, the European Data Protection Board (EDPB) considered that the “Consent or Pay” model of large online platforms did not meet the GDPR's requirement of free, specific, informed and unambiguous consent. For the EDPB, simply offering users a binary choice between consenting to the processing of their data for targeted advertising or paying a fee to use the service without personalized advertising is insufficient. The EDPB therefore recommends that large online platforms offer a further alternative. Following this opinion, Meta brought an action before the General Court of the European Union seeking its annulment and compensation for the harm it claimed to have suffered as a result. Meta's action was dismissed: the General Court held that the EDPB opinion did not produce legal effects vis-à-vis third parties and therefore did not constitute a challengeable act. At the same time, the European Commission fined Meta 200 million euros for infringing the Digital Markets Act (DMA) through the same “Consent or Pay” model.
Sources:
[April 30] After the deadline for submitting the annual asset declarations of judges, prosecutors and investigating magistrates had passed, the Inspectorate of the Bulgarian Supreme Judicial Council asked the Sofia District Court to lift banking secrecy for several judges and prosecutors, as well as their families. The court, questioning how the provisions of Bulgarian law relate to the GDPR, referred a question to the Court of Justice of the European Union (CJEU) for a preliminary ruling. The CJEU held that a national court does not act as a controller or a supervisory authority when it authorizes the disclosure of personal data to a judicial body competent to supervise the activities of judges, magistrates and prosecutors. The CJEU goes further and also holds that the national court is not required to guarantee the security of the data in the context of such disclosure.
Sources:
[May 2] The Irish Data Protection Commission (DPC) has fined TikTok 530 million euros for transferring the personal data of European users to China in violation of Article 46 of the GDPR. The DPC's investigation found that Chinese law does not provide an adequate level of protection, that TikTok was unable to demonstrate that it had put in place appropriate safeguards, and that it had not been transparent with users about the transfer of their data. TikTok now has six months to bring its processing into compliance, failing which its transfers to China will be suspended.
[May 5] The Spanish Data Protection Authority (AEPD) has fined ING Bank Spain 1.6 million euros for requiring, without a valid legal basis, access to a prospective customer's data in order to verify the origin of their funds before opening a bank account. As the legal basis for this processing, the bank invoked its legal obligation to combat money laundering. The AEPD's investigation found that the regulations invoked required verification of the information submitted only where a high risk had been identified, which was not the case for the person concerned. This decision reiterates the importance of choosing the correct legal basis for any data processing.
Source: AEPD (Spain) — EXP202213634 | GDPRhub
[May 5] The Council of State decided to stay proceedings on Canal+'s appeal against a €600,000 fine imposed by the CNIL for unlawful commercial prospecting. At issue: Canal+'s use of personal data collected by Internet service providers (ISPs) on the basis of consent given to those ISPs for use by “partners” who were not clearly identified. The core of the dispute concerns the validity of such consent under the GDPR and Article L. 34-5 of the Postal and Electronic Communications Code. The CNIL considers that Canal+ should have obtained specific and informed consent before using this data for prospecting purposes. The Council of State referred two questions to the Court of Justice of the EU (CJEU) for a preliminary ruling:
The CJEU's response could have a strong impact on current emailing practices.
Source: Decision No. 490202 - Council of State
[May 6] The European Data Protection Board (EDPB) has adopted two major opinions. The first concerns the European Patent Organisation (EPO), whose data protection framework is considered to offer a level of protection essentially equivalent to that of the GDPR. This recognition, a first for an international organization, will allow data transfers without additional measures. The second opinion concerns the extension of the adequacy decisions for the United Kingdom by six months, until 27 December 2025, in light of ongoing legislative reforms. The EDPB underlines the exceptional nature of this extension and insists on the need for continuous assessment of the level of data protection across the Channel.
Sources:
[May 8] The European Data Protection Supervisor (EDPS) brought an action against the European Parliament and the Council of the European Union challenging the legality of Articles 74a and 74b of the Europol Regulation as amended in 2022. These provisions retroactively allow Europol to store and process large sets of personal data, including data collected without prior categorization, undermining an EDPS decision of 3 January 2022 that had ordered their deletion. In September 2023, the General Court of the European Union dismissed the action as inadmissible, holding that the EDPS lacked standing under Article 263 TFEU because it was not directly and individually concerned. The EDPS appealed to the Court of Justice of the European Union (CJEU), arguing that the absence of a remedy would undermine the institutional independence guaranteed to it by Article 8(3) of the EU Charter of Fundamental Rights. In his Opinion of 8 May 2025, the Advocate General considered that the EDPS was directly concerned by the contested provisions and should therefore be allowed to challenge them. He recommended that the CJEU declare the action admissible and refer the case back to the General Court for a ruling on the merits. This case raises fundamental questions about institutional balance in the EU and about the ability of data protection authorities to challenge legislative acts affecting their prerogatives.
Sources:
[May 8] The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have sent a joint letter to the European Commission concerning a proposal for a targeted amendment to Article 30(5) of the GDPR. This initiative aims to simplify the obligation to keep records of processing activities for organizations with fewer than 750 employees and a net annual turnover not exceeding 150 million euros. It is part of an effort to reduce the administrative burden on SMEs while ensuring adequate protection of personal data. A formal consultation is planned after publication of the legislative proposal. Note that, to date, organizations below the thresholds set by the regulation are still required to keep a record where processing is not occasional, is likely to result in a risk, or involves sensitive data.
[May 14] The Belgian Market Court has confirmed the fine of €250,000 imposed on IAB Europe for breaches of the GDPR related to its Transparency & Consent Framework (TCF), a widely used standard for managing consent in online advertising. The Court recognized that the “TC String”, which encodes user preferences, constitutes personal data, and that IAB Europe acts as the data controller for this part of the system. On the other hand, the Court limited IAB Europe's liability to only operations related to the creation and use of TC Strings, excluding subsequent processing carried out via the OpenRTB protocol. This decision should guide IAB Europe in bringing the TCF system into compliance.
Source: Digital advertising: Belgian justice clarifies the Transparency & Consent Framework
[May 14] The digital rights organization NOYB announced that it had sent a cease-and-desist letter to Meta, demanding that it immediately stop using the personal data of European Facebook and Instagram users to train its artificial intelligence systems, which was scheduled to begin on May 27. Meta relies on “legitimate interest” as the legal basis, opting for an opt-out mechanism rather than seeking explicit (opt-in) consent. NOYB disputes this legal basis, stressing that users have not been adequately informed and that their rights, such as access, rectification or erasure, could be compromised once the data has been integrated into the AI models. The organization plans to rely on the European directive on collective redress to bring an action at EU level, with potential damages of several billion euros.
For more information on the legal basis on which Meta trains its Meta AI model on personal data, please see our article.
[May 23] In April, Meta announced that, as of May 27, 2025, it would use personal data from its users' public profiles to train its artificial intelligence, Meta AI, unless the persons concerned objected. In response, a German consumer rights organization applied to the Higher Regional Court of Cologne (OLG Köln) for an interim injunction prohibiting the processing. After a preliminary examination, the court considered that the processing was lawful under Article 6(1)(f) of the GDPR, as it could be based on Meta's legitimate interest in using the data to train artificial intelligence systems. In the eyes of the German judges, the processing of large quantities of data, including sensitive data and data relating to third parties and minors, is not enough to rule out the lawfulness of the processing. The application for an interim injunction was therefore dismissed.
Source: OLG Cologne — PM 10/2025 | GDPRhub
For more on the legal basis Meta relies on to train its Meta AI model on personal data, see our article.
[May 7] The Google Threat Intelligence Group (GTIG) published a report on May 7, 2025 on the LOSTKEYS malware, attributed to Coldriver, a group backed by the Russian government. The malware is delivered through fake CAPTCHA verification pages and typically targets high-profile individuals such as advisers to armed forces, NGOs, think tanks and journalists, in particular those linked to Ukraine. GTIG reports three uses of the malware, in January, March and April 2025; it is capable of stealing files matching a hard-coded list of extensions and directories and of sending system information and the list of running processes to the attacker. In June 2023, the European Union sanctioned two members of Coldriver with an entry ban on EU territory, an asset freeze and a ban on EU nationals making funds available to them. In the United States, a reward of up to $10 million is offered for information on Coldriver.
Sources:
Caroline Chancé, Jeannie Mongouachon, Clémentine Beaussier, Victoire Grosjean and Juliette Lobstein