On 30 November 2023, the French Data Protection Authority (the "CNIL") issued a EUR 40,000 fine against American Express Carte France for shortcomings in its cookie consent banner. Although the monetary value was modest, the decision highlights the CNIL’s increasingly standardised expectations for cookie consent and provides practical guidance for organisations operating in France.
The CNIL's American Express decision does not signal a shift toward harsher enforcement, but rather confirms stable, predictable regulatory expectations regarding cookie consent, transparency, and the avoidance of deceptive design. Compliance is achievable with certain adjustments: balanced interfaces, accessible information, and clear consent mechanics.
To mitigate regulatory risk, organisations should therefore prioritise the following enhancements:
- Symmetrical Choice: Ensure “Accept All” and “Reject All” appear on the same layer with comparable size, colour, and visual prominence.
- Prior Consent Guarantee: Block all non-essential cookies and scripts until the user affirmatively consents.
- Strengthen Transparency: Provide concise first-layer explanations and direct links to detailed retention periods and third-party disclosures.
- Periodic Auditing: Regularly review Consent Management Platforms (CMPs) and vendor scripts to prevent accidental, non-compliant pre-consent cookie drops.
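The second and fourth items above (blocking non-essential scripts until the user consents, and auditing for accidental pre-consent cookie drops) are checks that can be implemented and tested. The following JavaScript is an added example written for this page; it is not code from the original newsletter, from the CNIL, or from any consent management platform vendor. The cookie names, script URLs and the injected loader callback are constructed assumptions so the logic runs offline:

```javascript
// Added example (not from the newsletter): consent-gated script loading and a
// pre-consent cookie audit. All names and URLs below are constructed for illustration.

// Cookies the site may set without consent (strictly necessary). Assumed list.
const ESSENTIAL_COOKIES = new Set(["session_id", "csrf_token", "cookie_consent"]);

// Parse a Cookie header or document.cookie string into a Map of name -> value.
function parseCookies(cookieString) {
  const cookies = new Map();
  for (const part of cookieString.split(";")) {
    const item = part.trim();
    if (!item) continue;
    const eq = item.indexOf("=");
    const name = eq === -1 ? item : item.slice(0, eq).trim();
    const value = eq === -1 ? "" : item.slice(eq + 1);
    cookies.set(name, value);
  }
  return cookies;
}

// Audit step: list every non-essential cookie present before the user consented.
// An empty result means no pre-consent cookie drop was observed on this request.
function auditPreConsentCookies(cookieString, consentGiven) {
  if (consentGiven) return [];
  const findings = [];
  for (const name of parseCookies(cookieString).keys()) {
    if (!ESSENTIAL_COOKIES.has(name)) findings.push(name);
  }
  return findings;
}

// Prior-consent gate: essential scripts load immediately; non-essential scripts are
// queued while the decision is pending, loaded on "accepted", dropped on "rejected".
// The loader callback is injected so the gate logic can run outside a browser.
class ConsentGate {
  constructor(loadScript) {
    this.state = "pending"; // "pending" | "accepted" | "rejected"
    this.queue = [];
    this.loaded = [];
    this.loadScript = loadScript;
  }

  register(src, essential) {
    if (essential || this.state === "accepted") {
      this.load(src);
    } else if (this.state === "pending") {
      this.queue.push(src); // hold until the user decides
    }
    // state === "rejected": a non-essential script is never loaded
  }

  decide(choice) {
    if (choice !== "accepted" && choice !== "rejected") {
      throw new Error("consent decision must be 'accepted' or 'rejected'");
    }
    this.state = choice;
    const pending = this.queue;
    this.queue = [];
    if (choice === "accepted") pending.forEach((src) => this.load(src));
  }

  load(src) {
    this.loadScript(src);
    this.loaded.push(src);
  }
}

// Browser wiring (illustrative): the injected loader would append a <script> tag, e.g.
// new ConsentGate((src) => { const s = document.createElement("script"); s.src = src; document.head.appendChild(s); });
```

The audit function is the kind of check to run in a periodic CMP review: fetch the landing page with a fresh, consent-less session and pass the resulting cookie jar to `auditPreConsentCookies`; any name it returns is a cookie dropped before consent and needs either reclassification as strictly necessary (with justification) or gating behind the consent decision.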
For a more detailed analysis of the decision, as well as a comparative analysis of the approaches being adopted by the CNIL vs the EDPB vs the ICO, please see our blog post, available here.
On 13 November 2025, the Court of Justice of the European Union ("CJEU") issued its judgment in Inteligo Media SA v ANSPDCP (Case C-654/23), providing important guidance on email marketing under the ePrivacy Directive and its interaction with the GDPR.
Inteligo Media, a Romanian publisher of avocatnet.ro, offered a freemium model allowing users to read a limited number of articles for free and register for additional access. Registered users received a daily newsletter summarising legislative updates and linking to premium content. Romania’s data protection authority fined Inteligo €9,000, arguing that sending the newsletter constituted direct marketing without valid GDPR consent.
The CJEU made four key findings:
- The newsletter was indeed direct marketing under Article 13 of the ePrivacy Directive because it promoted paid services, even though it contained editorial content.
- Inteligo could rely on the soft opt-in exception under the ePrivacy Directive: email addresses collected during free account registration were deemed obtained “in the context of the sale of a product or service,” even though users made no monetary payment and accessed only the free tier.
- No separate GDPR legal basis is required (e.g. GDPR consent, legitimate interests) where the soft opt-in conditions under ePrivacy rules are met, including offering an opt-out at registration and an unsubscribe link in each communication.
- GDPR consent requirements (e.g. transparency, no bundled consent, etc.) do not apply in addition when relying on the soft opt-in under the ePrivacy Directive.
This judgment is significant because it clarifies how freemium business models can lawfully use email addresses collected during account registration to send marketing about similar products and services under the ePrivacy Directive's soft opt-in rule.
It also underscores that editorial content does not remove a communication from the scope of direct marketing if it serves a promotional purpose.
In light of this decision, organisations should:
- Ensure opt-out options are clearly offered at sign up and in every communication.
- Treat newsletters promoting paid services as direct marketing.
- Prioritise compliance with ePrivacy rules where soft opt-in applies, rather than duplicating GDPR consent requirements.
The newly published Digital Omnibus Package from the EU Commission is perhaps surprising in the obvious influence of AI and other technologies such as biometrics. Some might argue that this results in a more commercial approach, reflecting the reality of data processing in the 21st Century. Others will likely be concerned about the possible erosion of fundamental rights and freedoms.
The package proposed the following key amendments to the GDPR:
- Definition of Personal Data: amendment to the definition of personal data to clarify that pseudonymised data in the hands of an entity that can’t re-identify the individual is not personal data.
- Abuse of DSARs: a right for entities to refuse to respond to a data subject access request where the individual is abusing the right of access for a purpose other than concern about data processing.
- Streamlining data breach notifications: several changes to the data breach notification regime, including raising the threshold for regulatory authority notifications; extending the deadline to 96 hours; creating a single notification regime to avoid multiple notifications to multiple regulators; and developing a single template notification form for use across the EU.
- Processing conditions for special category data: introduction of two new processing conditions to enable the processing of special category personal data: (i) processing in the context of the development and operation of an AI system (subject to some fairly strict parameters); and (ii) processing of biometric data where necessary for identity verification and provided that the biometric data is under the sole control of the data subject.
- Recognised legitimate interests for training AI: confirmation that the processing of personal data for training and operating AI systems can be considered a 'legitimate interest' for the purposes of Article 6 GDPR.
- Cookie consent: no consent required for analytics cookies creating aggregated information about the usage of an online service to measure the audience, provided that the analytics are carried out by the controller of the online service and for its own use.
A more detailed analysis of the proposals is provided in our blog post, available here.
The European Data Protection Board ("EDPB") recently published recommendations relating to mandatory user accounts on e-commerce platforms. These recommendations establish a strict standard for when an organisation can rely on the legal basis of "necessity for the performance of a contract" (Article 6(1)(b) of the GDPR) in order to require users to create permanent user accounts.
For organisations whose e-commerce flow currently mandates the creation of an account before making a purchase, the EDPB’s guidance suggests two paths:
- Implement Guest Checkout: This is widely viewed as the safest path to immediate compliance. While personal data necessary for shipping and payment (name, address, etc.) can still be collected under the contract basis, no persistent user account profile is created unless the user actively consents.
- Document a Detailed Necessity Defence: If mandatory account creation is deemed business-critical and impossible to bypass, the organisation should formally document a necessity test. This documentation should detail why a guest checkout is technically or legally impossible for specific, non-marketing purposes, and the organisation should be prepared to defend this position against regulatory scrutiny.
The EDPB has opened a public consultation on these recommendations until 12 February 2026. For a more detailed analysis of the EDPB's recommendations, please see our blog post, available here.
On 4 December 2025, the Court of Appeal heard arguments from the Information Commissioner’s Office (the "ICO") in a case that could reshape how UK courts assess liability for data breaches involving pseudonymised data.
The appeal challenges an Upper Tribunal ruling that weakened the ICO's enforcement against DSG Retail Limited following a 2020 cyberattack affecting 14 million customers. The ICO originally fined DSG Retail Limited ("DSG") the then maximum penalty of £500,000 under section 55A of the Data Protection Act 1998 (the "DPA") after hackers scraped payment card data from Currys PC World and Dixons Travel. While the First-tier Tribunal allowed DSG's appeal in part, halving the fine, the Upper Tribunal held that the 16-digit numbers and expiry dates on payment cards were not "personal data" for breach purposes because attackers could not easily identify individuals. Such data would only amount to personal data if it could be combined with the personal data in the hands of the data controller, DSG, or a third party. The Upper Tribunal stated that "[i]f a third party can only obtain anonymous data and the key to pseudonymised material remains behind a completely secure wall then… that vanilla data would not amount to 'unauthorised or unlawful processing of personal data'."
The ICO argues this interpretation is incorrect, insisting that pseudonymisation does not absolve organisations of security obligations. Under the seventh data protection principle ("DPP7"), "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". Information Commissioner, John Edwards, argued that the tribunal had "misinterpreted the meaning of personal data” and stressed that organisations must protect personal data, even when it has been pseudonymised.
The Upper Tribunal’s approach aligned with the recent European Court of Justice rulings (including in the SRB v EDPS case, see our blog post here) which adopt a relative test: pseudonymised data is personal only if third parties can reasonably identify individuals. If upheld, this could limit liability for breaches where attackers cannot exploit the data. Although the decision concerns pre-GDPR law, the ICO regards it as highly relevant to current regulation as controllers and tribunals are likely to consider the approach to the DPA as applicable to the UK GDPR.
The Court of Appeal is yet to deliver its judgement; however, its decision is expected to have significant implications for cybersecurity enforcement and the definition of personal data in the UK.
The Spanish Data Protection Authority ("AEPD") has imposed an administrative fine of €10,043,002 on AENA S.M.E., S.A. (an airport operator) for deploying facial recognition systems at several Spanish airports without, in the AEPD’s view, a valid and prior data protection impact assessment ("DPIA") as required by Article 35 GDPR.
Adopted in sanctioning procedure PS-00431/2024, the decision concerns a series of pilot projects for biometric passenger identification carried out between 2019 and 2022 at airports including Madrid-Barajas, Barcelona-El Prat, Alicante, Palma de Mallorca, Menorca, Ibiza, Gran Canaria, and Tenerife Norte. The systems were intended to identify passengers via facial recognition to control access to certain areas and streamline passenger flows.
The AEPD found that the processing clearly qualified as high-risk under the GDPR due to the cumulative presence of several factors: (i) processing of biometric data (a special category under Article 9 GDPR); (ii) the large-scale nature of the operations; (iii) deployment in a public-access environment; and (iv) the use of biometric identification techniques, including one-to-many (1:N) matching supported by centralized databases. In such circumstances, a prior DPIA was deemed mandatory.
Although AENA maintained that it conducted impact assessments before launching the pilots, the AEPD concluded that those assessments did not meet the substantive requirements of Article 35 GDPR. Specifically, the documentation did not adequately demonstrate the necessity and proportionality of facial recognition, nor did it sufficiently justify why less intrusive alternatives could not achieve the same goals. The AEPD also found the risk assessment and the mitigation measures insufficient in relation to the rights and freedoms of data subjects.
The decision underscores that the voluntary nature of participation, reliance on informed consent, and the absence of data breaches do not relieve a controller of the obligation to conduct a robust, prior DPIA where high-risk processing is involved. The AEPD reiterates that a DPIA is not a formalistic step, but a substantive preventive tool that must convincingly justify the deployment of intrusive technologies.
In addition to the financial penalty, the AEPD ordered a temporary suspension of all biometric data processing, in particular facial recognition used for access control, until AENA completes a GDPR-compliant DPIA that satisfies Article 35 GDPR.
AENA has announced its intention to appeal, arguing that the fine is disproportionate and maintaining that DPIAs were conducted before deployment. The company also states that all personal data collected during the pilots has been deleted, and that the biometric systems are not currently operational.
From a wider legal perspective, the decision reinforces the stringent approach of the Spanish data protection authority to biometric technologies in public spaces. It confirms that pilot or experimental projects remain fully subject to the GDPR, and that facial recognition may only be deployed where strict necessity and proportionality can be convincingly demonstrated. In any case, we will have to wait until the court issues a decision to clarify whether the AEPD fine has been correctly imposed or otherwise.
In a preliminary ruling handed down on 2 December 2025, the Court of Justice of the European Union ("CJEU") found that operators of online marketplaces owe duties as controllers in relation to individuals' personal data under the GDPR. In X v. Russmedia Digital and Inform Media Press (C-492/23), the personal information of the applicant in the main proceedings, including sensitive data such as photographs and her telephone number, was posted to an online advertisement page without her consent. Russmedia Digital, the online marketplace, argued that because the applicant's personal information was uploaded by an anonymous user without Russmedia's input, it could rely on an exemption from liability under EU Directive 2000/31 for online hosting services.
The CJEU rejected this argument and found that an operator of an online marketplace cannot avoid liability, as controller of personal data, on the ground that it did not determine the content of the advertisement itself. It found that Russmedia was a controller because it had the freedom to exploit the information published on its marketplace, including reproducing it, modifying it, and removing it at any time, at its own convenience. Russmedia and the anonymous user who posted the applicant's personal information were therefore joint controllers in relation to the advertisement.
The CJEU further held that as a controller, Russmedia had a duty to put in place technical and organisational measures to identify advertisements containing sensitive data and to verify whether they could be published in compliance with GDPR, even before the sensitive data was published on the marketplace. This includes a requirement to verify the identity of the user seeking to place the advertisement and to check whether they are the person whose sensitive data appeared in the advertisement. If it is impossible to verify the user's identity, then operators of online marketplaces should refuse to publish the advertisement.
This preliminary ruling places potentially onerous obligations on operators of online marketplaces, who must take a proactive approach to implement measures to ensure compliance as controllers and processors of personal data, even where personal data is uploaded by third parties.
The UK's Cyber Security and Resilience Bill (the "Bill") was formally introduced to Parliament on 12 November 2025, a milestone in the Government’s long-anticipated effort to strengthen the nation’s cyber defences and regulatory framework for critical infrastructure. The Bill was presented for its first reading in the House of Commons, a procedural stage with no debate, paving the way for substantive scrutiny in the coming weeks.
The Bill introduces three core reforms designed to strengthen the UK’s cyber defences and improve national resilience.
- Expanded scope: The NIS regulations will now capture data centres, managed service providers (MSPs), large load controllers, and designated critical suppliers. This expansion of scope reflects how cyber threats have evolved, and in particular, the potential increased concentration risk which arises from interconnected supply chains where disruption to one entity can affect thousands.
- Enhanced regulatory powers: The Bill also enhances regulators' ability to conduct inspections, issue enforcement notices, and recover supervision costs. Further, the Bill introduces clearer reporting requirements (including notifying significant cyber incidents within 24 hours, followed by a full report within 72 hours), matching the approach in NIS2, and expands powers for information-sharing across regulators and law enforcement.
- Enabling resilience: To keep pace with emerging risks, the Government will have powers to update the regime through secondary legislation and direct regulators or operators to take proportionate action in response to urgent threats.
For a more detailed analysis of the Bill including a comparison of the current NIS requirements as against the proposed new requirements, please see our blog post, available here.
Key contacts
- Miriam Everett, Partner, London
- Emmanuel Ronco, Partner, Paris
- Iria Calviño, Partner, Madrid
- Duc Tran, Of Counsel, London
- Isabel Rigby, Associate, London
- Emily Gobet, Trainee Solicitor, London
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.