Each month, Data4Coffee brings you the key data protection news. Don't miss out on important information!
To subscribe, write to data4coffee@squairlaw.com.
[December 12] The CNIL announced that it had given notice to several website publishers to adjust their cookie banners, which it deemed misleading. In particular, they are criticized for disproportionately highlighting the button accepting trackers, through choices of color, size and font, while making the refusal button less visible. Some publishers also place the opt-out option in the middle of the informational text to make it less discernible, or phrase it ambiguously ("I decline non-essential purposes"), while displaying the acceptance option several times in the banner.
Source: Deceptive cookie banners: the CNIL puts website publishers on notice | CNIL
[December 19] The CNIL has imposed a fine of €240,000 on the company KASPR, publisher of a tool that allows users to obtain the professional contact details of visitors to their LinkedIn profiles, including those who have opted for limited visibility of their information on the network. The CNIL considered that this processing was unlawful due to the absence of a legal basis. The authority also noted that the data subjects were only informed 4 years after the start of this processing, via an e-mail written in English. The CNIL considered that the use of English "did not allow transparent and understandable information".
Source: Data extraction: penalty of 240,000 euros against the company KASPR | CNIL
Consult our article for an analysis of this decision.
[December 19] The CNIL has published the conclusions of the Lasserre mission, aimed at strengthening the synergies between data protection and competition law. The report proposes 15 measures to harmonize these two areas, while respecting the independence of each authority. It highlights the importance for the CNIL of integrating competition analysis in order to identify unlawful processing more effectively, and of adapting certain economic concepts, such as "data power", to the context of data protection.
[January 14] In line with its recommendations for mobile application developers dated September 2024, the CNIL published an article aimed at helping OS providers and application publishers to articulate the concepts of consent and permission. In particular, it recalls that these "technical" permissions are not designed to collect valid consent within the meaning of the GDPR.
[January 16] In its 2025-2028 strategic plan, the CNIL announced that it will focus its action on the following main areas: AI, the protection of minors online, cybersecurity, mobile applications and digital identity. In it, the CNIL details the various objectives and future actions associated with each of these areas.
[January 20] The CNIL publishes the conclusions of its coordinated action with other European authorities on citizens' right of access to their personal data. The checks reveal frequent shortcomings, including late or incomplete responses. The CNIL recalls that this right is essential for transparency and for individuals' control over their data. It mentions certain practices that may be subject to a sanction, such as providing information about the processing without including a copy of the data processed, or systematically excluding certain processing operations from the responses.
Source: Right of access: assessment of CNIL controls as part of a coordinated European action | CNIL
[January 21] The CNIL publishes recommendations for the integration of SDKs (software development kits) in mobile applications, in order to guarantee the protection of users' personal data. It insists on the importance of transparency, respect for consent and the minimization of the data collected. Developers should verify the processing performed by the SDKs and integrate compliance measures by design (Privacy by Design).
Source: Mobile applications: how to integrate SDKs and respect user privacy? | CNIL
[January 28] In 2024, the CNIL recorded a 20% increase in the number of personal data breaches. The CNIL emphasizes that massive data breaches are often due to recurring security flaws. In this article, it describes the modus operandi of attackers and lists examples of measures that can prevent the various risks identified.
Source: Massive data breaches in 2024: what are the main lessons and actions to take? | CNIL
[January 30] After studying the path for accessing copies of personal data on 10 social networks, on the basis of an analysis grid of 30 questions, the LINC (Digital Innovation and Compliance Laboratory) report highlights that between 44% and 76.5% of the good practices identified in its analysis grid are implemented in the social networks' access paths. The report highlights the delays and the lack of cooperation of platforms, as well as the legal consequences for respect of the right of access, in particular for users and regulators. It calls for greater transparency from platforms and for stricter compliance with the requirements of the GDPR. The document also highlights the growing challenges of regulation in a constantly changing digital environment.
[December 17] The Irish Data Protection Commission (DPC) has fined Meta 251 million euros for breaches of the GDPR related to the hacking of 29 million Facebook accounts in 2018, including 3 million European users. The attackers had exploited a security vulnerability to access personal data such as names, phone numbers and email addresses. The DPC considered that Meta had breached its security obligation by not sufficiently protecting its users' data, and that it had not cooperated enough in the handling of this data breach.
Source: Irish Data Protection Commission fines Meta €251 Million | 17/12/2024 | Data Protection Commission
[December 18] In its Opinion 28/2024, the European Data Protection Board (EDPB) adopted the first harmonized European position on the application of the GDPR to AI. In this publication, the EDPB highlights that the use of legitimate interest as a legal basis for the development and deployment of AI models is possible but requires rigorous assessment. To support this recommendation, the EDPB provides concrete examples of interests that can be considered legitimate, criteria to be used to conduct the assessment, and measures to be put in place to mitigate risks for individuals. The EDPB also warns that not all AI models are anonymous by nature. Finally, the EDPB recalls that the unlawful processing of personal data during the development phase of an AI model may affect the lawfulness of subsequent processing, stressing the importance of GDPR compliance from the early stages of development.
[January 9] In a case brought by the Mousse association, the Court of Justice of the European Union ruled that the collection of gender identity by SNCF when buying a train ticket was not necessary, on the basis of the principle of data minimization under the GDPR. The CJEU considered that inclusive and generic wording could replace the use of gendered civility titles. The Council of State must now decide the case in accordance with this ruling. Note that in 2021, the CNIL had rejected the complaint made by the Mousse association regarding this practice.
Source: CJEU, First Chamber, 9 January 2025, case C-394/23
[January 17] The European Data Protection Board has adopted guidelines clarifying pseudonymization within the meaning of the GDPR, emphasizing its role in data protection. These recommendations aim to harmonise practices within the EU and to strengthen cooperation between national authorities. In them, the EDPB recalls that pseudonymized data is still personal data, and that pseudonymization can facilitate reliance on legitimate interest as a legal basis for such processing. These guidelines are subject to public consultation until 28 February 2025.
Source: Guidelines 01/2025 on Pseudonymization | European Data Protection Board
[January 30] The Italian data protection authority has decided to block the DeepSeek application, a Chinese conversational AI, in order to protect the data of Italian users. The Italian authority took this decision following an unsatisfactory response from DeepSeek, which claimed not to be subject to European legislation since it does not operate in Italy. This restriction of the application, and therefore of the processing, is accompanied by an investigation by the Italian authority. For their part, the CNIL and the Irish Data Protection Authority planned to question DeepSeek about its privacy protection measures.
[January 23] The Noyb association alerts the European authorities to the impact of the resignation requests that the Trump administration sent to the Democratic members of the "Privacy and Civil Liberties Oversight Board" (PCLOB), the key body overseeing American surveillance laws. According to Noyb, these changes could lead to the invalidation of the Data Privacy Framework in the future, making data transfers to American providers potentially illegal.
Source: Is US Cloud soon illegal? Trump punches first hole in the EU-US Data Deal (noyb.eu)
Caroline Chancé, Jeannie Mongouachon, Clémentine Beaussier, Victoire Grosjean and Juliette Lobstein