Gibson Dunn | Europe | Data Protection – February 2025

Client Alert  |  March 12, 2025


Europe

02/26/2025

European Parliament | Report | Algorithmic Discrimination

The European Parliament published a report on algorithmic discrimination under the AI Act and the GDPR.

The Parliament underlines the legal uncertainties regarding the interaction between the AI Act and the GDPR. Indeed, the AI Act allows processing of special categories of personal data to detect and correct bias, while the GDPR imposes stricter conditions on such data usage, potentially limiting AI bias mitigation efforts.

For further information: European Parliament Report

02/26/2025

Court of Justice of the European Union | Decision | Automated Decision-making System

The Court of Justice of the European Union (“CJEU”) ruled that when their data is used by automated decision-making systems, data subjects may require the controller to explain the procedure and principles actually applied when processing personal data to obtain a specific result.

The decision stems from a case filed by an Austrian customer who was denied a mobile phone contract based on an automatic decision-making system. The Court highlighted that when asked by data subjects to provide explanations, information should be provided in a “concise, transparent, intelligible and easily accessible form”. This decision also addresses the concept of trade secrets.

For further information: CJEU Decision

02/13/2025

Court of Justice of the European Union | Decision | Calculation of GDPR Fines

The Court of Justice of the European Union (“CJEU”) clarifies the calculation of the fines for undertakings (C-383/23).

The CJEU considers that the maximum amount of the fine that can be imposed on an undertaking must be determined “on the basis of a percentage of the undertaking’s total worldwide annual turnover in the preceding business year”.

For further information: CJEU Decision

02/04/2025

Cyber Solidarity Act | Entry Into Force | High Critical Sectors Concerned

On February 4, 2025, the Cyber Solidarity Act entered into force.

This regulation enhances the EU’s capacity to prepare for, detect, and respond to cybersecurity incidents. Entities operating in highly critical sectors or other critical sectors, as defined by Directive (EU) 2022/2555 (NIS 2), may be required to undergo “coordinated preparedness testing” to verify their compliance with minimum standards and expectations for critical services and infrastructure.

For further information: Commission Website and Cyber Solidarity Act

France

02/26/2025

CNIL | Work Program | Connected Vehicles

The French Supervisory Authority (“CNIL”) published the “compliance committee” work program for 2025 on connected vehicles and location data.

The committee’s work focuses on the use of location data from connected vehicles and will lead to the drafting of a recommendation, which will soon be published for public consultation. Because of the lack of legal certainty surrounding the use of dashcams and associated privacy risks, the committee’s work program for 2025 is dedicated to the use of these devices by private individuals.

For further information: CNIL Press release [FR]

02/07/2025

French Supervisory Authority | Recommendations | Artificial Intelligence

On February 7, 2025, the French Supervisory Authority (“CNIL”) published two new recommendations on how AI should be used to comply with GDPR requirements.

The CNIL’s first recommendation focuses on data subject information and essentially provides that companies must ensure individuals are given sufficient information at the appropriate moment and that the processing of their data is entirely transparent. More specifically, it provides examples of information notices to be used in relation to web scraping or the development of GPAI models. The second recommendation focuses on data subject rights and provides specific details on how companies can deal with data subjects’ requests, whether they apply to training data or to the model more generally.

For further information: CNIL Recommendations on Right of information, and Data subjects’ rights [FR]

02/05/2025

French Supervisory Authority | GDPR | 2024 Report

The French Supervisory Authority (“CNIL”) has published a 2024 report on sanctions issued during the year.

The report provides that a total of 331 decisions were handed down, including 87 sanctions, for a total of 55,212,400 euros in fines, 180 formal notices and 64 reminders of legal obligations. The recurring breaches found usually concern commercial prospecting and health data.

For further information: CNIL Report [FR]

01/31/2025

French Supervisory Authority | GDPR | Access Right

On January 31, 2025, the French Supervisory Authority (“CNIL”) updated its guidance on employees’ right of access to their work-related data and emails.

In this update, the authority clarifies that if a request involves a very large number of emails (though it did not define what constitutes “very large”), the employer may first provide the employee with a summary table listing the relevant messages. This allows the employee to specify which content they wish to receive. However, given the lack of further clarification, it appears that if the employee does not specify the data they want, the employer remains obligated to provide all the requested data unless the employer identifies an actual risk for third-party rights. Moreover, the French Authority published a case-law summary regarding the GDPR access right.

For further information: CNIL Guidance and Case-law Summary [FR]

Germany

02/14/2025

German Supervisory Authorities | Investigation | AI and Privacy

On February 14, 2025, several German Data Protection Supervisory Authorities announced a coordinated investigation into an AI provider.

Several German state data protection supervisory authorities, including those from Rhineland-Palatinate, Baden-Württemberg, Thuringia, Saxony-Anhalt, Hesse, Bremen, and Berlin, initiated coordinated investigations into the AI provider. This collaborative effort aims to ensure compliance with Article 27(1) of the General Data Protection Regulation (GDPR), which mandates that companies not established in the European Union appoint a representative within the EU. This effort underscores the impact of GDPR enforcement on AI development. In addition to this investigation, the Lower Saxony Supervisory Authority (“LfD Niedersachsen”) published a statement on February 21, 2025, drawing attention to the risks associated with the use of the Chinese AI-powered chatbot. The LfD Niedersachsen pointed out in particular that according to the privacy policy of the company providing the chatbot, user inputs including the uploaded documents are recorded, transmitted, stored and analyzed without any restriction.

For more information: Website of the Baden Württemberg Supervisory Authority [DE] and Website of the Lower Saxony Supervisory Authority [DE]

02/12/2025

Bremen Supervisory Authority | Recommendation | AI and Privacy

On February 12, 2025, the Data Protection Authority of Bremen (LfD Bremen) provided recommendations on the use of AI applications from providers outside the European Union that have not appointed a legal representative in the EU.

To ensure compliance with data protection regulations and mitigate risks associated with AI applications, the LfD Bremen recommends selecting AI providers that demonstrate transparency and provide documentation confirming GDPR compliance. Before installing AI models, the user should ensure that no personal data can be leaked, for example through a secure IT environment. According to the LfD Bremen, inputs of personal or confidential data into online interfaces should be avoided unless effective protective measures are in place. Users, especially workers, should be made aware of the risks involved, and AI competence as required by Article 4 of the AI Regulation from February 2, 2025, should be ensured. If the AI provider is based outside the EU, it should appoint a representative under Article 27 GDPR to facilitate the enforcement of data subjects’ rights; failure to do so can result in fines under Article 83(4) GDPR.

For more information: Website of the Bremen Supervisory Authority [DE]

01/29/2025

German Federal Administrative Court | Judgement | Advertisement

On January 29, 2025, the German Federal Administrative Court (BVerwG) ruled on the interplay of data processing under Article 6(1)(f) GDPR and consent for advertisement necessary under German competition law.

The BVerwG ruled that processing the contact data of dental practices taken from publicly accessible sources for the purpose of telephone advertising without at least presumed consent is impermissible. The court held that merely obtaining contact details from publicly accessible directories to conduct phone advertising does not constitute a legitimate interest under Article 6(1)(f) GDPR unless there is at least implied consent from the data subjects per § 7 Sec 2 No 1 UWG. Consequently, the company’s appeal was denied, as the interest in data processing for phone advertising did not outweigh the privacy protection guaranteed by GDPR and national law. The court confirmed that the prohibition on such data processing remains justified under the current legal framework, given its alignment with the need to protect the privacy of individuals from unsolicited advertising.

For more information: Official Court Website [DE]

Sweden

02/18/2025

Swedish Supervisory Authority | GDPR Guidance | Impact Assessment

On February 18, 2025, the Swedish Supervisory Authority (“IMY”) published guidance on impact assessments.

The guidance consists of a practical guide and an annex with legal interpretative support.

For further information: IMY Website [SV] and Guidance for Impact Assessment [SV]

02/04/2025

Stockholm Administrative Court | Fine | Cookies

In February 2025, the Stockholm Administrative Court upheld a SEK 13 million (approx. €1.16M) fine against a media company for failure to comply with the principle of lawfulness provided under the GDPR.

The company was relying on legitimate interests for the processing of personal data collected via cookies. Such data was combined with purchase history and third-party data for creating profiles, including for marketing purposes. The court ruled that legitimate interest cannot serve as a legal basis and therefore upheld the administrative fine imposed by the Swedish Supervisory Authority (“IMY”). In its decision, the IMY stated that pursuant to Article 5(3) of the ePrivacy Directive, consent was required for the collection of data via cookies. This is the first publicly known case in Sweden where IMY explicitly referenced Article 5(3) of the ePrivacy Directive in its reasoning for a GDPR fine.

For further information: Stockholm Administrative Court Website [SV]

Switzerland

02/03/2025

Federal Data Protection and Information Commissioner | Guidelines | Cookies

The Swiss Supervisory Authority (“FDPIC”) published its guidelines on data processing using cookies and similar technologies.

The FDPIC describes the data protection requirements controllers must abide by when using cookies and similar technologies.

For further information: FDPIC Website

United Kingdom

02/22/2025

Information Commissioner’s Office | Report | Technologies

The Information Commissioner’s Office (“ICO”) published its Tech Horizons report of 2025.

The ICO’s Tech Horizons report examines emerging technologies and the regulatory challenges they face from a privacy perspective. This third edition of the report focuses on four technologies: connected transport; quantum sensing and imaging; digital diagnosis, therapeutics and healthcare infrastructure; and synthetic media and its identification and detection.

For further information: ICO Website

02/10/2025

Information Commissioner’s Office | Response | Data (Use and Access) Bill

The Information Commissioner’s Office (“ICO”) published its updated response to the Data (Use and Access) (DUA) Bill.

The ICO welcomed the recent changes introduced to the Bill and expressed its position on some of the recent amendments, including those related to the protection of children’s data and the expansion of the soft opt-in in direct marketing to cover charities.

For further information: ICO Website

02/06/2025

Information Commissioner’s Office | Guidance | Employment Practices and Data Protection

On February 5, 2025, the Information Commissioner’s Office (“ICO”) issued new guidance for employers on the management of employment records.

The guidance addresses key questions employers may encounter in relation to the collection, retention and use of employment records. For instance, the guidance covers various questions including: what lawful bases might apply to employment records, when employers can share workers’ personal data with other people or organizations, and how employers can handle sickness and injury records.

For further information: ICO Guidance

The following Gibson Dunn lawyers prepared this update: Partners: Ahmed Baladi, Vera Lukic, Joel Harrison, and Kai Gesing; Associates: Thomas Baculard, Billur Cinar, Hermine Hubert, and Christoph Jacob.
