Each month, we deliver most of the latest data news in the newsletter Data4Coffee. Don't miss out on key information!
To receive it, please fill in this form.
[April 1st] Faced with an increase in cyber threats, the CNIL is publishing new recommendations intended to support data controllers, processors, DPOs, CISOs and providers of multi-factor authentication (MFA) solutions. Using explanatory boxes and practical examples, the CNIL guides these actors in implementing solutions adapted to the needs of personal data protection, in compliance with the key principles of the GDPR. These recommendations aim in particular to inform data controllers about the situations in which MFA should be used and the most appropriate ways of deploying it, while placing particular importance on compliance with minimum technical requirements.
Source: Multi-factor authentication: the CNIL's recommendations to better protect data | CNIL
[April 7th] In 2024, the CNIL received 619 authorization requests for health data processing, including 472 for research projects, marking an increase of 20% compared to 2023. Of these, 397 were granted, 174 were dismissed and 3 were refused. The CNIL highlights an improvement in the quality of the files received and a reduction in processing times. In this respect, it specifies that files closed without follow-up mainly concern incomplete applications, or applications that do not require specific authorization or prior formalities. The reasons for refusal, on the other hand, mainly relate to data security measures, such as pseudonymization or compliance with the principle of minimization. In order to improve the procedures and strengthen the files submitted, the CNIL plans to put a new authorization request form online by mid-2025.
Source: Applications for authorization in health: review of the CNIL's actions for the year 2024 | CNIL
[April 8] The CNIL has published an updated version of its recommendations on mobile applications, first published in September 2024. Without changing the substance, this revision aims to correct omissions or inconsistencies and to respond to requests for clarification made by the actors concerned. The purpose of these recommendations is to clarify and frame the role of actors in the mobile ecosystem (publishers, developers, SDK providers, etc.), to improve the information provided to users on the use of their data, and to emphasize the importance for applications of obtaining informed and freely given consent to process data that is not necessary for their operation. For the sake of transparency, the CNIL is also publishing the annotated version of this update.
[April 8] The European Data Protection Board (EDPB) has published Opinion 3/2025 concerning the draft decision of the CNIL on the criteria for the national certification “Lexing RGPD certification” carried by the Lexing firm. The EDPB makes several recommendations aimed at strengthening the compliance of the criteria with the GDPR, in particular on the clarity of references to the relevant articles, the definition of anonymization, the consideration of specific requirements for the consent of minors, and the integration of data protection principles by design. The CNIL must take these recommendations into account before definitively approving the certification scheme.
[April 9th] Session replay tools make it possible to reconstruct the complete journey of a user on a website or a mobile application by recording their interactions (mouse movements, touch interactions, clicks, etc.), resulting in the collection of a large volume of browsing data and the inference of information about the private lives of a large number of users. Faced with the high risks that these tools are likely to pose to the rights and freedoms of Internet users, the CNIL decided to launch a consultation with the actors concerned and civil society in order to better understand the legal, technical, ethical and societal challenges of session replay tools. At the end of this consultation, the CNIL plans to publish practical recommendations for providers of session replay tools and for publishers of websites and mobile applications in the second quarter of 2025.
Source: Launch of a consultation on tools for recording and replaying browsing sessions | CNIL
[April 11] The Versailles judicial court ordered a SaaS publisher to compensate a customer for data loss following the fire in the OVH datacenter in Strasbourg in 2021. The publisher invoked force majeure, but the court rejected this argument, considering that the loss of a data center is a foreseeable risk, especially when contractual redundancy commitments have been made. In fact, the publisher stated in its contract that “all the data is redundant on a minimum of 2 servers, each operated by a separate host (OVH and Gandi)” and, as the court pointed out, did not dispute that it had no second host.
Source: OVH fire: a SaaS publisher rejected in the case of force majeure - Le Monde Informatique
[April 11] A personalized support program dedicated to artificial intelligence (AI) projects applied to public services, the CNIL's 2023-2024 “sandbox” is part of its aim of supporting the development of an AI that respects people's rights. By supporting the “Personalized Advice” project of France Travail, “Ekonom'ia” of Nantes Métropole and “PIV-IA” of the RATP, the CNIL examined numerous subjects, which it summarizes in its recommendations to the winners. In this summary, the CNIL addresses in particular the issues of meaningful human intervention to avoid automated individual decisions, the anonymization and pseudonymization of data, and the safeguards to be put in place to prevent the occurrence of discriminatory biases.
Source: Artificial intelligence and public services: the CNIL publishes the results of its “sandbox” | CNIL
To learn more about the use of augmented cameras in public spaces, see our article here.
[April 14] In addition to its strategic plan for 2025-2028, unveiled in January 2025, the CNIL seeks to strengthen and coordinate its action by taking into account the guidelines of the European Data Protection Board (EDPB). To this end, the CNIL has adopted a European and international strategy allowing it to clarify its position to stakeholders and to provide guidance on structural issues at a supranational level. This strategy is based on three axes: facilitating European cooperation, promoting high international standards of data protection, and consolidating its network of influence by promoting a data protection model centered on the balance between innovation and the protection of individuals.
Source: The CNIL publishes its European and international strategy for 2025-2028 | CNIL
[April 18] After publishing its recommendations as part of the 2023-2024 “sandbox”, the CNIL announces the winners for the fourth edition of this action aimed at supporting innovative project leaders. For 6 months, the CNIL will support “O2” intended to support seniors in their stay at home, “OSO-AI” aimed at automatically detecting critical sounds in medico-social institutions via AI and sound recognition, and “Neural Vision (MISSIA)”, a mobile application allowing the family to follow their parent on a daily basis and to be alerted in the event of dangerous or unusual situations. The CNIL will also provide legal and technical support to three additional projects (“CDIET”, “DIWALL” and “SONAID”). The lessons learned from this “sandbox” will feed the update of the CNIL's action plan in connection with the silver economy, in particular through the update of the Compliance Pack published in November 2017.
[April 24] Since users interact with websites and applications via various devices (computer, smartphone, tablet, etc.), the CNIL took an interest in the question of placing cookies on all the devices of the same user on the basis of a single consent. The CNIL has thus drawn up a draft recommendation on the automatic application of a user's choices regarding trackers to all devices connected to their account. This document aims to offer practical and concrete recommendations on how to collect valid multi-device consent, and complements the CNIL's previous recommendation on the use of cookies and other trackers. The consultation will end on June 5, 2025.
Source: Multi-terminal consent: the CNIL launches a public consultation on its draft recommendation | CNIL
[April 3rd] In the coming weeks, the European Commission plans to propose a revision of the GDPR in order to reduce its complexity, especially for SMEs. This initiative, led by Ursula von der Leyen, aims to alleviate administrative obligations considered too onerous, without compromising the protection of personal data. Critical voices, such as that of former Italian Prime Minister Mario Draghi, believe that the current rigidity of the GDPR is hampering European innovation and competitiveness in the face of the United States and China. This draft review risks triggering a new lobbying battle between tech giants and privacy advocates.
Source: Europe's GDPR privacy law is headed for red tape bonfire within 'weeks' — POLITICO
[April 3rd] In a recent ruling, the Court of Justice of the European Union confirmed that the personal data of representatives of legal entities, such as names and contact details, are protected by the GDPR. The processing of this data is lawful when it is necessary for the performance of a contract or for the pursuit of a legitimate interest, provided that the rights and freedoms of the persons concerned are respected. This decision clarifies the obligations of companies in terms of processing the data of their professional contacts.
[April 10] The European Data Protection Board (EDPB) has published a report detailing a risk management methodology for large language models (LLMs). This document provides concrete measures to mitigate privacy risks, including the unintended storage of personal data. Use cases illustrate the application of this framework in various contexts such as virtual assistants, educational monitoring and travel management. This report aims to guide data protection authorities and developers in complying with the GDPR when designing and deploying generative AI systems.
Source: AI Privacy Risks & Mitigations — Large Language Models (LLMs) | EDPB
[April 10] The Spanish Data Protection Authority (AEPD) has imposed a fine of €500,000 on Marina Salud, a provider of public health services in the Alicante region, for failing to comply with the requirements of Article 28(2) of the GDPR on sub-processing. An audit by the data controller revealed that Marina Salud was using three unauthorized sub-processors. The data controller had been refused access to the contract concluded with the third party and had reiterated its instructions and its prohibition on using sub-processors without authorization. Despite the existence of a general authorization to use sub-processors, the processing agreement in place still required the agreement of the data controller. The AEPD concluded that there was a violation that is serious by nature and a breach of the requirements of the GDPR.
Source: AEPD (Spain) — EXP202307719 | GDPRhub
[April 11] The Irish Data Protection Authority (DPC) has launched an investigation into the processing of personal data of European users by X Internet Unlimited Company (XIUC), the European subsidiary of X (formerly Twitter). The investigation focuses on the use of data contained in users' public posts to train the Grok generative AI model, developed by xAI and used by X to power its chatbot. While X had agreed in September 2024 to stop training its AI systems until European users could object, the practices allegedly continued. The DPC investigation, which aims to examine the compliance of these processing operations with the GDPR, in particular with the principles of lawfulness and transparency, illustrates the growing tensions between the European Union and the tech giants.
[April 14] On 14 April 2025, the European Data Protection Board adopted guidelines on the processing of personal data using blockchain technologies. As distributed and consistent database systems, blockchains can in particular support the secure processing and transfer of data while guaranteeing their integrity and traceability. Faced with the development of these technologies, the EDPB recommendations clarify the roles and responsibilities of the various actors and emphasize the importance of integrating technical and organizational measures from the design stage (privacy by design), of carrying out a data protection impact assessment (DPIA) in case of high risk, and of avoiding the direct storage of personal data on the blockchain. The EDPB also focuses on respecting the rights of individuals, in particular in terms of transparency, rectification and erasure. A public consultation on these recommendations is open until 9 June 2025.
[April 15] In Croatia, following an investigation, the National Data Protection Authority (AZOP) imposed a fine of €12,000 after a managing director was appointed as Data Protection Officer (DPO). AZOP recognized that this role was one of the most important in the company, since the managing director can conclude all contracts and take all legal actions in the name and on behalf of the company, and represent it before administrative bodies, public institutions and courts. AZOP therefore concluded that there was a conflict of interest between the functions of DPO and CEO, since the latter inevitably influences the determination of the purposes and means of the processing of personal data carried out by the company. This constitutes a violation of Article 38(6) of the GDPR. Moreover, the company had not published the contact details of the DPO on its official website. This decision highlights the importance of guaranteeing the independence of the DPO and the transparency of information concerning them.
Source: AZOP (Croatia) — UP/I-034-01/24-01/33 | GDPRhub
[April 23rd] The European Commission has imposed fines of 500 million euros on Apple and 200 million euros on Meta for non-compliance with the Digital Markets Act. Apple is being sanctioned for interfering with the freedom of app developers to direct users to offerings outside the App Store. Meta, for its part, is penalized for its “Consent or Pay” advertising model, considered non-compliant because it did not offer an equivalent alternative without excessive use of personal data. Both companies must comply with the decisions within 60 days, or face additional sanctions.
Source: Commission Finds Apple and Meta in Breach of the Digital Markets Act | European Commission
[April 16th] The law firm DPP Law was fined £60,000 by the British Data Protection Authority (ICO) following a cyberattack in June 2022. Through a brute-force attack, the attackers exploited a little-used administrator account that lacked multi-factor authentication (MFA) to exfiltrate 32 GB of sensitive data. DPP Law only became aware of this attack after an alert from the National Crime Agency informing it that information relating to its clients had been published on the dark web. The firm, which did not consider this loss of data access to be a personal data breach, reported the incident to the ICO only 43 days after becoming aware of it. In its decision, the ICO noted that DPP Law had not put in place appropriate measures to ensure the security of personal information held electronically. This sanction reminds entities handling sensitive data of the importance of proactive cybersecurity measures and timely notification of breaches.
Source: Law firm fined £60,000 following cyber attack | Information Commissioner's Office
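The DPP Law incident combines two conditions a defender can monitor for: a burst of failed logins against one account, and a privileged account that is both dormant and not covered by MFA. The script below is an added illustration (not code from the ICO decision or from DPP Law) that runs a sliding-window failure detector over constructed authentication log lines and correlates the hits with a constructed account inventory; the log format, the account names, the thresholds and the `ACCOUNTS` inventory are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log lines for the example (not from any real system).
SAMPLE_LOGS = [
    "2022-06-04T02:00:01Z LOGIN result=FAIL user=admin-legacy src=203.0.113.7",
    "2022-06-04T02:00:05Z LOGIN result=FAIL user=admin-legacy src=203.0.113.7",
    "2022-06-04T02:00:09Z LOGIN result=FAIL user=admin-legacy src=203.0.113.7",
    "2022-06-04T02:00:14Z LOGIN result=FAIL user=admin-legacy src=203.0.113.7",
    "2022-06-04T02:00:20Z LOGIN result=FAIL user=admin-legacy src=203.0.113.7",
    "2022-06-04T02:00:27Z LOGIN result=FAIL user=admin-legacy src=203.0.113.7",
    "2022-06-04T02:00:33Z LOGIN result=SUCCESS user=admin-legacy src=203.0.113.7",
    "2022-06-04T08:15:00Z LOGIN result=FAIL user=alice src=198.51.100.4",
    "2022-06-04T08:15:20Z LOGIN result=SUCCESS user=alice src=198.51.100.4",
    "2022-06-04T09:00:00Z LOGIN result=SUCCESS user=it-admin src=198.51.100.9",
]

# Constructed account inventory (assumed): privilege level, whether MFA is
# enforced, and the last successful login seen before this log window.
ACCOUNTS = {
    "admin-legacy": {"admin": True, "mfa": False, "last_success": "2021-11-02"},
    "alice": {"admin": False, "mfa": True, "last_success": "2022-06-03"},
    "it-admin": {"admin": True, "mfa": True, "last_success": "2022-06-03"},
}

# Reference date for the dormancy check (assumed: the day the log window ends).
AS_OF = datetime(2022, 6, 4)


def parse_line(line):
    """Parse one 'ts LOGIN key=value ...' line into a dict with a datetime timestamp."""
    ts, _event, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def failure_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: largest number of FAIL events inside any sliding window}
    for users that reach the threshold at least once."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]].append(e["ts"])
    bursts = {}
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


def mfa_gaps(accounts):
    """Admin accounts on which MFA is not enforced, sorted by name."""
    return sorted(u for u, a in accounts.items() if a["admin"] and not a["mfa"])


def triage(lines, accounts, as_of, dormant_days=90, threshold=5):
    """Correlate failure bursts with the account inventory.

    For each account with a burst, report the failure count, whether a SUCCESS
    followed the last failure (the pattern to escalate first), whether the
    account is privileged, whether MFA is enforced, and whether it was dormant.
    """
    events = [parse_line(line) for line in lines]
    report = {}
    for user, count in failure_bursts(events, threshold=threshold).items():
        user_events = [e for e in events if e["user"] == user]
        last_fail = max(e["ts"] for e in user_events if e["result"] == "FAIL")
        success_after = any(
            e["result"] == "SUCCESS" and e["ts"] > last_fail for e in user_events
        )
        info = accounts.get(user, {"admin": False, "mfa": False, "last_success": None})
        last = info["last_success"]
        dormant = last is None or (
            as_of - datetime.strptime(last, "%Y-%m-%d") > timedelta(days=dormant_days)
        )
        report[user] = {
            "failures": count,
            "success_after": success_after,
            "admin": info["admin"],
            "mfa": info["mfa"],
            "dormant": dormant,
        }
    return report


def run_example():
    """Run the detector over the constructed logs and inventory."""
    return triage(SAMPLE_LOGS, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for user, finding in run_example().items():
        print(user, finding)
    print("admin accounts without MFA:", mfa_gaps(ACCOUNTS))
```

On the constructed data the only hit is `admin-legacy`: six failures in under a minute, followed by a success, on a dormant admin account without MFA. The `mfa_gaps` check is independent of any log and is the kind of inventory review that would have surfaced the account before the burst happened; the `success_after` flag is what turns a noisy brute-force alert into an incident to escalate.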
[April 25] Starting at the end of May 2025, Meta plans to use public posts (texts, photos, comments) from European Facebook and Instagram users to train its artificial intelligence systems, such as Meta AI and Llama. In a dedicated article, the CNIL explains that users can object to this via an online form, without having to justify their request. This project, which was initially suspended in 2024 following discussions with the Irish Data Protection Authority, raises legal questions regarding the legal basis for the processing and transparency towards users.
Source: AI: Meta will train its AI systems with European user data from the end of May 2025 | CNIL
Caroline Chancé, Jeannie Mongouachon, Clémentine Beaussier, Victoire Grosjean and Juliette Lobstein