Data transfers to the United States: a weakened legal framework.
Legal Watch No. 80 – February 2025.
On February 5, 19 MEPs from across the political spectrum asked the European Commission to look into whether the "Data Protection Framework" (DPF), which governs transatlantic data transfers, is still viable.
On February 6, the chairman of the Committee on Civil Liberties, Justice and Home Affairs put a similar question to the Commission.
These questions were raised by Donald Trump's decision to end the terms of the three Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB), which no longer has the quorum required to operate.
The PCLOB was considered, in the context of the transatlantic agreement, as an essential recourse for the respect of individual rights in matters of mass surveillance.
Since then, American guarantees regarding data protection appear increasingly fragile.
According to an article published by Euractiv on March 3, one of the judges of the PCLOB's appeals body, the Data Protection Review Court, has disappeared from the list of judges on the website, and a special lawyer has resigned.
Furthermore, "if Donald Trump did not fire the inspectors general in charge of overseeing the intelligence agencies, he fired at least 17 others," and members of the privacy protection unit of the "Office of Personnel Management" were also reportedly dismissed.
Finally, the "Project 2025", a political program associated with the Trump administration, believes that the incoming president should conduct a study of the "Biden" executive order concerning the DPF, and "reset Europe's expectations".
This project also plans to suspend provisions that unduly hinder the collection of information.
It is worth recalling that the lack of independent control and recourse mechanisms concerning American intelligence agencies was the reason for the cancellation of the previous agreement, the Privacy Shield.
These various factors do not bode well for the viability of the transatlantic agreement. The outstanding question is when the situation will be officially clarified.
The European Commission remains silent for the moment but is expected to respond to parliamentary questions before the end of the month.
The Court of Justice of the European Union, already seized of the matter, could issue a decision in line with its two previous decisions which respectively invalidated the "Safe Harbour Principles" and the "Privacy Shield", but the date of this decision is still unknown.
What about the data protection authorities?
The Norwegian Data Protection Authority (Datatilsynet) issued a statement on the matter on February 26. It reiterated that the European Commission's adequacy decision validating the transatlantic agreement remains in effect until it is potentially revoked by the European Commission or the Court of Justice of the European Union (CJEU).
Data protection authorities (DPAs) are bound by these decisions and cannot prohibit transfers that take place in accordance with an adequacy decision.
Given the current context, the Norwegian authority nevertheless advises data controllers to develop an exit strategy in case the current framework is invalidated, because the change could occur without a transition period.
The first recommendation to data controllers today is to draw up a comprehensive inventory of all data transfers carried out by their company.
The task is arduous because the United States is now omnipresent in our digital world, and, like Monsieur Jourdain, we transfer data daily without knowing it.
It will be necessary to take into account not only the recipients clearly identified in the United States but also, for example, the use of American "cloud" services on European soil, and the many display or connection services such as Google Fonts, analytics or maps, or even Facebook. In its decision T-354/22, the Court of Justice of the European Union condemned the European Commission for violating the GDPR in the context of online registration for an event it was organizing.
By means of the "connect with Facebook" hyperlink displayed on the homepage, it had "created the conditions allowing the transmission of the applicant's IP address to Facebook" and, consequently, to the United States, during a period when the Privacy Shield had been invalidated.
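The decision above turns on a mechanism that is easy to overlook when drawing up an inventory: every third-party resource a page references (fonts, analytics scripts, embedded maps, social login links) causes the visitor's IP address to be sent to that host, and the "connect with" hyperlink case shows that even a link followed on click counts. The following Python script is an added example, not part of this newsletter and not tooling from any authority named in it. It scans an HTML document and lists the third-party hosts referenced, separating resources fetched automatically on render from those contacted only on user action. The sample page, the first-party domain example-institution.eu and the Google tag id G-XXXX are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL attribute the browser fetches automatically when the page renders:
# each fetch transmits the visitor's IP address to that host.
AUTO_LOAD = {"script": "src", "link": "href", "img": "src",
             "iframe": "src", "source": "src"}
# Tags whose URL is contacted only on user action (the "connect with Facebook" case).
ON_CLICK = {"a": "href", "form": "action"}


class ThirdPartyScanner(HTMLParser):
    """Collects third-party hosts referenced in HTML, keyed by how they are reached."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party.lower()
        self.auto = {}    # host -> set of tags that load it automatically
        self.click = {}   # host -> set of tags that reach it on user action

    def _host(self, url):
        # urlparse handles absolute and protocol-relative ("//host/...") URLs;
        # relative paths have no netloc and are first-party by construction.
        if not url:
            return None
        return urlparse(url).netloc.lower() or None

    def _is_first_party(self, host):
        return host == self.first_party or host.endswith("." + self.first_party)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for table, store in ((AUTO_LOAD, self.auto), (ON_CLICK, self.click)):
            if tag in table:
                host = self._host(attrs.get(table[tag]))
                if host and not self._is_first_party(host):
                    store.setdefault(host, set()).add(tag)


def inventory(html, first_party):
    """Return third-party hosts found in `html`, grouped by load behaviour."""
    scanner = ThirdPartyScanner(first_party)
    scanner.feed(html)
    return {
        "auto_load": {h: sorted(t) for h, t in scanner.auto.items()},
        "on_click": {h: sorted(t) for h, t in scanner.click.items()},
    }


# Constructed sample page for an EU institution's event registration form.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="stylesheet" href="/static/site.css">
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="//cdn.example-institution.eu/app.js"></script>
</head><body>
<img src="https://www.example-institution.eu/logo.png">
<iframe src="https://www.google.com/maps/embed?pb=constructed"></iframe>
<a href="https://www.facebook.com/login">Connect with Facebook</a>
<a href="/register">Register locally</a>
</body></html>
"""

if __name__ == "__main__":
    report = inventory(SAMPLE_HTML, "example-institution.eu")
    print("Transferred on page load (no user action needed):")
    for host, tags in sorted(report["auto_load"].items()):
        print(f"  {host}  via {', '.join(tags)}")
    print("Transferred on user action:")
    for host, tags in sorted(report["on_click"].items()):
        print(f"  {host}  via {', '.join(tags)}")
```

The scan covers only references visible in the HTML; resources pulled in by CSS `@import` rules or by scripts at runtime are not seen, so a browser-side network capture is still needed to complete the inventory. Each host listed under "auto load" is a transfer that happens before the visitor makes any choice, which is the situation the Court examined.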
Where European alternatives exist, these may present an interesting solution. We refer, for example, to the European cloud or the certified French cloud.
Regarding trackers, the CNIL has published a list of anonymous audience measurement tools.
In cases where the transfer remains essential, the exporter will have to rely on tools such as standard contractual clauses or binding corporate rules, and carry out an impact analysis by precisely documenting the risks of interception of data across the Atlantic by the authorities and the safeguards provided, a particularly difficult task.
On January 31, the CNIL published the final version of its guide on impact assessments for data transfers outside the European Union.
Like its Norwegian counterpart, it is likely that it will publish recommendations related to upcoming international developments.
An amendment has just been introduced into a proposed law against drug trafficking, which aims to force platforms to implement measures allowing law enforcement to access data, particularly that of encrypted messaging services.
In comments addressed to the government and parliamentarians, several companies including Apple, Amazon, Google and Microsoft opposed this amendment, referring to the positions of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) against weakening end-to-end encryption.
The proposal will be examined in the plenary session starting on March 17.
These developments echo similar government initiatives in several European countries as well as in the United States (see below, national developments).
The CNIL reminded the Qwant search engine of its obligations under the GDPR regarding data anonymization.
The data used by the company in connection with the sale of advertising space on the search engine, operated via Microsoft, was presented as anonymous by Qwant.
The CNIL notes that "despite the strong precautions taken in 2019 to avoid the re-identification of persons, the transmitted data set led to the application of the GDPR and in particular its articles 12 and 13".
The Commission considers that this is an initial analysis error regarding the classification of the transmitted data without intention of circumventing the provisions of the GDPR, and therefore does not impose any sanction.
The Commission also fined a real estate agency €40,000 for excessively monitoring its employees using software (Time Doctor) that recorded the alleged periods of inactivity and regularly took screenshots of their computer.
Furthermore, the employees were constantly recorded.
The CNIL notably criticizes the data controller for the lack of an impact assessment, the lack of a legal basis for the processing, and the failure to comply with the principle of data minimization.
It has also published an update of its Data Protection Tables, and the 2024 Summary Notebooks collecting its important new decisions as well as the essentials of national and European case law on data protection.
European institutions and bodies
Following the Digital Fairness Fitness Check report published on October 3, 2024, the European Commission is considering developing a regulation on digital fairness (“Digital Fairness Act”) to address consumer protection issues in the online environment, such as the automatic termination or renewal of subscriptions and the conversion of free trials into paid subscriptions.
A public consultation and a preliminary impact analysis are reportedly being prepared.
The Commission has finally decided to withdraw its proposal for an ePrivacy Regulation, which aimed to modernize and clarify the obligations of the current directive, while harmonizing them with the principles of the GDPR.
The text sparked controversy, particularly regarding the scope of exceptions to the principles of confidentiality of communications.
New legislative proposals are on the table, which aim to address privacy issues while separating commercial surveillance from state surveillance.
The AI Liability Directive, which aimed to update EU product safety rules to cover AI and automation, is also on the list of withdrawn legislative proposals.
Echoing the conclusions of last February’s Paris AI summit, the European Commission’s 2025 work programme emphasizes competitiveness, with the explicit objective of fostering economic growth by supporting innovation.
On February 2, the first provisions of the AI regulation came into force, including Article 5, which deals with prohibited AI practices.
Two days later, the European Commission published guidelines outlining AI practices deemed unacceptable due to the risks they pose to European values and fundamental rights.
Several data protection authorities (DPAs), present at the AI summit, issued a joint statement following a roundtable discussion "on establishing reliable data governance frameworks to encourage the development of innovative and privacy-protective AI," stressing the need to integrate privacy principles from the design stage of AI systems and to implement robust internal data governance frameworks.
At the same time, the EDPB announced on February 12 that it was extending the scope of its ChatGPT working group to the application of AI and setting up a "rapid response team to coordinate the actions of data protection authorities" regarding urgent sensitive issues related to AI.
The EDPB announced in early March the launch of its coordinated action of controls for 2025 on the right to erasure.
This action follows coordinated actions on the use of the cloud by the public sector (2022), the designation and role of DPOs (2023) and the right of access (2024).
The European Parliament's research service published an information note on February 26th on the tension between preventing algorithmic discrimination and dealing with special categories of data.
The document identifies uncertainties regarding the joint application of the AI regulation and the GDPR, which may require legislative reform or additional guidance.
On February 27, the CJEU issued an important ruling concerning the scope of the rights of individuals affected by an automated decision.
In Case C-203/22 Dun & Bradstreet Austria, the Court clarifies that Article 15(1)(h) of the GDPR "offers the data subject a genuine right to an explanation of the functioning of the mechanism underlying an automated decision-making process to which that person has been subjected and of the result to which that decision has led" (para. 57).
The data of protected third parties or trade secrets does not exempt the controller from concrete explanations: the latter is "required to communicate this allegedly protected information to the competent supervisory authority or court, which is responsible for weighing the rights and interests involved in order to determine the scope of the data subject's right of access provided for in Article 15 of the GDPR" (para. 67).
The CJEU also considered on February 13 that supervisory authorities and courts must take into account the fact that a data controller is part of an undertaking within the meaning of Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU) when setting the amount of fines.
Furthermore, they must base the maximum amount of fines on the company's turnover and not on that of the data controller.
The Advocate General of the Court of Justice of the EU shared his conclusions on the case of EDPS v SRB (C-413/23 P) on February 6.
The case concerns whether pseudonymized data transmitted by an EU agency, the Single Resolution Board, to its consulting firm Deloitte constitutes personal data from Deloitte's point of view.
The Advocate General focuses on the reasonable means available to the recipient to identify the individuals concerned, adopting a significantly narrower interpretation of the concept of personal data than the EDPS and the EDPB. The final decision is expected before the summer.
News from the member countries of the European Union.
A German court decision (OLG Dresden, Germany, Az.: 4 U 940/24) confirms that data controllers are responsible not only for their own actions, but also for the actions of their subcontractors.
The Court stressed that it is not enough to trust the subcontractor without verifying, as in this case, that it has actually deleted the subcontracted data at the end of the contract.
The consequences of insufficient verification can persist long after the initial incident, as was the case here following a hack that caused a data leak, followed by legal proceedings and damage to the reputation of the data controller.
In Spain, the APD fined mobile phone provider Orange 1.2 million euros for failing to prevent the issuance of a duplicate SIM card to a third party who used it to access the bank account of the person concerned.
The APD considered that the operator had not implemented appropriate protection measures.
Also in Spain, the APD imposed several fines on the cooperative banking group Caja Rural for violating the GDPR following a data breach due to inadequate security measures and a vulnerability in the IT system.
In this case, the APD considered each bank member of the cooperative group as individually responsible, even though all used the same IT service provider, and imposed sanctions ranging from 6,200 euros to 400,000 euros depending on the number of customers and the speed of reaction of the banks.
The Greek Data Protection Authority (APD) has taken a decision aimed at facilitating the exercise of individual rights with Google.
It ordered the company to remove links appearing in search results for the person's name, and ordered Google to change its removal request procedure by allowing attachments, providing direct contact information, and ceasing automated responses.
In the Netherlands, a screenshot shared by a cybersecurity expert (and former supervisor of the civilian intelligence service) on the Bluesky platform reveals that Google Analytics is collecting data on job applicants within the country's civilian and military intelligence services.
This information led a member of parliament to request clarification from the Minister of the Interior.
The Polish Data Protection Authority (APD) has fined the operator of a website 350,000 euros (1,527,855 PLN) and its subcontractor 4,590 euros (20,037 PLN) for breaching data security after a website misconfiguration led to a data breach affecting 21,453 people.
In Romania, the company Unicredit was fined 15,000 euros (74,652 lei) for two data breaches due to internal applications.
These had not been tested prior to their deployment, and the APD is penalizing a failure to comply with Article 25(1) of the GDPR, which requires data protection from design ("privacy by design").
Following an order from the British government to break iCloud encryption, Apple has just withdrawn its advanced data security feature entirely from the UK.
The order specifically concerned the feature introduced in 2023, which allows iCloud users to opt for end-to-end encryption of all data stored on the company's cloud and ensures that no third party, including Apple, can access the data.
The company had the choice between removing the encryption feature or creating a backdoor that would have compromised encryption for all users worldwide, the second option being excluded for Apple.
At the same time, Sweden also requires backdoors, prompting Signal to warn that it would leave the country if such legislation were adopted.
Let us add that the United States is pursuing, according to a Forbes article from February 24, the same objective of accessing encrypted data.
South Korea has just adopted an AI law that will come into effect in January 2026.
The law aligns with the European regulation on AI: it introduces obligations for AI companies, particularly for high-impact AI and generative AI, with an emphasis on risk management, user protection and transparency.
The IAPP reports that a group of US senators sitting on the "Senate Select Committee on Intelligence" sent a letter on February 5 to the White House to "express alarm at the risks to privacy and national security posed by the recently created Department of Government Efficiency" (DOGE).
The letter argues that the DOGE's actions risk exposing classified and other sensitive information, jeopardizing national security and violating the privacy of Americans.
Several lawsuits are currently underway concerning illegal access to data processed by these agencies.
Requests from intelligence services for data held by GAFAM have exploded in recent years.
This is what emerges from a study published by the company Proton, based on the transparency reports of Apple, Meta and Google between 2014 and 2024.
As 01net points out, these companies are required by US law (FISA, Cloud Act) to respond to requests from authorities who want access to telephone recordings, texts, emails or Cloud backups.
“Requests for access to user data (of any nationality), such as emails or messages, submitted to US authorities by Google, Apple, and Meta over the past ten years have (…) increased on average, for these three companies, by… 600 %.”
Malaysian law on the protection of personal data has been strengthened in order to significantly increase the powers of the regulatory authority and strengthen the rights of individuals.
It will be implemented in three phases during the first half of 2025, namely on January 1st, then April 1st and June 1st.
The "tracking files" investigation, conducted by several media outlets internationally, including Le Monde, France Info and the 8pm news program in France, reveals the extent of the tracking and the details of the personal data processed by data brokers.
The geolocated personal data of millions of users is aggregated under conditions that are often not very transparent: for example, playing online on your smartphone using an application can generate the transmission of data such as connection times, smartphone model or geographical location, elements collected in gigantic files sold by brokers such as the American Datastream Group.
More than 47 million people are included in this latest file.
The data of everyone can be affected, but also that of diplomats, military personnel or journalists.