Each month, Data4Coffee brings you the key data protection news. Don't miss out on essential information!
To register, write to data4coffee@squairlaw.com.
[February 4] The CNIL has imposed a fine of €40,000 on a real estate company for excessive surveillance of its employees. The CNIL's checks revealed that the company had installed software on the computers of some employees to monitor their working time, which counted working hours but also periods of inactivity throughout the day by taking regular screenshots. In addition, the company's video surveillance system continuously captured images and sound of employees on the premises. The CNIL considered that these practices disproportionately infringed the rights of employees, since the processing operations carried out allowed systematic surveillance of employees.
[February 5] In 2024, the CNIL doubled its corrective actions, issuing 331 decisions, including 87 sanctions, for a total of 55 million euros in fines. The CNIL's report highlights recurring shortcomings in commercial prospecting and the management of health data, in particular due to the lack of consent of the persons concerned or of adequate anonymization measures. The CNIL also issued 180 formal notices in 2024, in particular for failure to respond to requests to exercise rights. Finally, the report shows the growth of the simplified sanction procedure, under which 69 of the year's 87 sanctions were imposed. The intensification of corrective measures by the CNIL reflects its determination to strengthen compliance with the GDPR.
Source: Sanctions and corrective measures: 2024 assessment of the CNIL's action | CNIL
[February 7] The CNIL has published two new recommendations aimed at encouraging the use of artificial intelligence (AI) that complies with the requirements of the GDPR. These recommendations underline the importance of informing the persons concerned and of facilitating the exercise of their rights, in particular in terms of transparency and access to data. The CNIL invites AI actors to develop innovative solutions that take privacy protection into account from the design stage of the model. Actors are required to comply with European legislation, striking a balance between technological innovation and respect for the fundamental rights of users.
Source: AI and GDPR: the CNIL publishes its new recommendations to support responsible innovation | CNIL
[February 11] After reclassifying the data used by the search engine for advertising purposes as personal rather than anonymous, the CNIL reminded Qwant of its legal obligations regarding the processing of personal data. Despite the efforts made by Qwant to prevent the re-identification of individuals, the CNIL considered that the data in question was merely pseudonymized. This call to order follows checks carried out by the CNIL in 2019 and exchanges with its European counterparts. Qwant updated its privacy policy in 2020, but corrective measures are still required due to a lack of transparency and information.
[February 12] According to the latest quarterly barometer from AFCDP, 43% of data protection officers (DPOs) anticipate a difficult year 2025, due to the rapid evolution of data protection and cybersecurity regulations. This perception highlights the importance for organizations, including SMEs and local authorities, to strengthen their compliance strategies to meet new legal requirements.
Source: Press area | AFCDP
[February 14] The League for Human Rights (LDH) has filed a complaint against Apple in France for violating privacy, unlawful processing of personal data and deceptive commercial practices. The complaint, supported by the revelations of a whistleblower, denounces non-consensual recordings made by the Siri voice assistant. These recordings, made without the knowledge of users, were analyzed by subcontractors, raising questions about compliance with the GDPR. This action comes at a time when in the United States, the Californian justice system must decide on a similar class action lawsuit, accusing Apple of recording private conversations for commercial purposes between 2014 and 2024. The LDH calls for a thorough investigation to shed light on these practices and to protect the rights of users.
[February 17] The year 2024 was marked by a significant increase in cyberattacks in France, affecting various sectors, including businesses, local authorities and health institutions. The attacks resulted in significant financial costs and major service disruptions. Among the notable incidents, the city of Saint-Nazaire and the Ramsay Santé group were particularly affected, with thousands of personal data records compromised. Businesses are responding by increasing their cybersecurity budgets and hiring specialists, while the NIS 2 directive imposes new security obligations.
Source: Assessment of cyberattacks in 2024: the growing threat of the theft of sensitive data
[February 19] According to a report by iVerify, the mobile security platform, Pegasus spyware attacks specifically targeting business leaders, particularly in finance, real estate and logistics, are on the rise. These cyberattacks increase the risk of confidential data leaks, legally exposing companies to potential sanctions for non-compliance with the GDPR. In December 2024 alone, iVerify reportedly identified traces of Pegasus infections on a dozen devices out of the 18,000 devices analyzed.
Source: How Democratizing Threat Hunting is Changing Mobile Security
[February 5] In a blog post, OpenAI announced the establishment of data residency in Europe for ChatGPT Enterprise, ChatGPT Edu, and its API platform, allowing European organizations to process and store their data locally. This initiative aims to facilitate compliance with data sovereignty requirements, in particular with respect to the GDPR, by offering data processing options within the European Union. Customers can now choose Europe as the region for processing and storing their data.
Source: Introducing data residency in Europe | OpenAI
[February 6] In a case pitting the European Data Protection Supervisor (EDPS) against the Single Resolution Board of the European Union (SRB), the Advocate General of the Court of Justice of the European Union (CJEU) considered that pseudonymized data may escape the qualification of personal data when the risk of identifying the persons concerned is non-existent or insignificant. The Advocate General nevertheless indicates that this cannot affect the obligation of the data controller to provide the persons concerned with all the information required by the GDPR before any data transfer. This case should be monitored pending the final decision of the CJEU.
Source: Conclusions of the Advocate General
For more information, see our article here.
[February 11] The EDPB has published a statement setting out ten principles to ensure the compliance of the processing of personal data during online age verification. These principles emphasize the need to minimize data collection and to ensure the transparency of the methods used. They also highlight the importance of proportionality and accountability of actors involved in age verification. These recommendations aim to harmonize practices at European level and to ensure robust protection of the personal data of users, in particular the youngest.
Source: edpb_statement_20250211ageassurance_en.pdf
[February 13] On February 13, 2025, the Court of Justice of the European Union (CJEU) ruled on how to calculate fines for violating the GDPR. Borrowing from competition law to define the concept of a company and apply the principle of “decisive influence”, the CJEU ruled that, for this calculation, the overall turnover of a group must be taken into account, even if only a subsidiary is at fault. This decision reinforces the responsibility of parent companies and aims to ensure an adequate deterrent effect of sanctions, requiring groups to be more vigilant in terms of data protection.
Source: CURIA — Documents (CJEU, Case C‑383/23, 13 February 2025)
[February 18] Platform X (formerly Twitter) has appealed a decision by the Berlin court requiring it to comply with the European Union's Digital Services Act (DSA). X contends that some of the DSA's requirements are inconsistent with its internal policies and could compromise freedom of expression on its platform, as well as the privacy of its users.
Source: X challenging Berlin Court's DSA decision - EURACTIV
[February 21] The European Union Agency for Cybersecurity (ENISA) analyzed 488 incidents reported between January 2023 and June 2024, revealing that 46% of them affected European banks. Distributed denial-of-service (DDoS) attacks, often linked to geopolitical events like the invasion of Ukraine, have caused major operational disruptions.
Source: ENISA Threat landscape: Finance sector
[February 11] At the AI Action Summit that took place in Paris from 6 to 11 February 2025, data protection authorities from Australia, Korea, Ireland, France and the United Kingdom signed a joint declaration aimed at establishing responsible governance of artificial intelligence. This initiative promotes transparent AI that respects the fundamental rights of individuals. Data protection authorities call for integrating data protection principles as early as the design of AI systems, and for anticipating the management of risks related to disinformation, discrimination and algorithmic biases. With this declaration, the authorities concerned commit in particular to clarifying the legal bases for data processing in AI, and to strengthening international cooperation to ensure ethical and compliant AI.
[February 24] Apple stopped offering its Advanced Data Protection feature to UK users after the UK government required access to encrypted data on iCloud. The decision raises legal questions about the balance between national security and the protection of user privacy, and could prompt other governments to make similar requests, thus affecting data privacy globally.
Caroline Chancé, Jeannie Mongouachon, Clémentine Beaussier, Victoire Grosjean and Juliette Lobstein