Data, AI, cybersecurity: who's who of the guidelines and regulations to follow in 2026.
Legal Watch No. 90 – December 2025.
Many regulations adopted in recent years will now come fully into force or reach decisive stages of their implementation.
At the same time, new initiatives from the European Commission, in particular the Digital Omnibus and the Digital Fairness Bill, announce new regulatory adjustments intended to complement or amend existing regulations.
The GDPR, in force since 2018, remains today the cornerstone of the data protection framework, along with the ePrivacy Directive, the revision of which is currently abandoned.
Through its Omnibus proposal, the Commission intends to simplify several aspects of the GDPR related to the development of artificial intelligence (AI): it plans to recognize the development and operation of AI systems as a "legitimate interest" within the meaning of the GDPR and to introduce a new legal basis for the processing of sensitive data intended for training AI models.
More broadly, the Digital Omnibus would reduce the compliance burden for businesses, for example by relaxing the threshold from which a data breach must be reported and by expanding the situations in which data can be considered "anonymous".
The regulations of the digital package, and more specifically the Digital Markets Regulation (DMA) and the Digital Services Regulation (DSA), clarify the rules applicable to the digital economy and the responsibility of platforms.
They have been in force since 2024 and the Commission began imposing sanctions in 2025.
The DSA applies to very large online platforms (VLOP) and very large online search engines (VLOSE) as well as all intermediaries that offer their services to users based in the EU.
Several obligations of the DSA overlap with those of the GDPR.
For example, there are similar or complementary obligations regarding "dark patterns", targeted advertising based on sensitive data or concerning minors, transparency, profiling, risk analysis and removal of illegal content.
In 2025, the European Data Protection Board (EDPB) published guidelines on these overlapping issues.
The primary objective of the DMA is to prevent tech giants or "gatekeepers" from taking advantage of their dominant position.
Some of these obligations reinforce those provided for by the DSA in terms of user protection, particularly with regard to profiling.
The EU's data strategy aims to create a single data market, encourage innovation and ensure secure and efficient data sharing across the European Union.
The following texts have an impact on personal data: the Data Governance Regulation (DGA), the Data Regulation (DA), the Regulation on Electronic Transactions (eIDAS) and the Regulation on the European Health Data Space (EHDS).
The Commission's Omnibus proposal aims to simplify the legislative framework in this area.
The text notably provides for the repeal of the DGA and the 2019 directive on open data.
The DA would remain the central reference and would include the essential elements retained from the other texts.
In addition to a harmonization of definitions, small and medium-sized enterprises (up to 750 employees) would be exempt from certain obligations.
The DA, applicable since September 12, 2025, sees a significant part of its obligations come into force on September 12, 2026: the regulation requires connected products and associated services to be designed so that the data relating to them are accessible by default to users, and from September, manufacturers will have to ensure that this access is technically guaranteed from the product development and design phases onwards.
Regarding the eIDAS Regulation, from 2026 Member States will be required to provide their citizens and businesses with at least one EU-compliant digital identity wallet, enabling users to securely store their identity data, identifiers and attributes (identity card, driving licence, payment information, etc.) and to selectively communicate them to public authorities and private providers.
Businesses, online platforms and administrative services will also have to adapt to these new forms of digital identification and authentication.
The EHDS entered into force on March 26, 2025, but its main provisions will be fully applicable from March 2029.
The AI Regulation, in force since August 2024, becomes decisive for companies from August 2, 2026.
Some obligations already apply, such as transparency in interaction with chatbots or the labeling of AI-generated content, and ensuring sufficient AI competence among employees working with AI systems.
But from August onwards, more comprehensive requirements should apply to high-risk AI systems used in sensitive areas such as human resources management, performance evaluation or access to essential services.
However, the Commission plans in its Omnibus proposal to postpone the application of these rules until December 2027.
Some obligations would also be simplified, here too, for small and medium-sized enterprises with up to 750 employees.
In terms of security, we will mention the directive on the security of networks and information systems (NIS2), in effect since October 2024, the regulation on digital operational resilience (DORA), in force since January 2025, as well as the Cyber Resilience Regulation (CRA).
With regard to the latter, the main obligations of manufacturers of products containing digital elements will come into force on September 11, 2026, including the obligation to notify actively exploited vulnerabilities and serious security incidents.
Manufacturers will therefore have to report identified vulnerabilities and security incidents that significantly compromise product safety to the relevant market surveillance authorities within very short timeframes.
To top off this list of regulations, let's finally mention the proposal concerning a regulation on digital fairness (DFA) which is expected to further increase the complexity of the legal framework for online service providers.
In July 2025, the Commission launched a public consultation on this project which would aim to combat "unfair commercial practices" such as dark patterns, addictive features and abusive personalization, including those related to AI agents.
What is the future of these proposals? The coming months should be decisive: the Cypriot presidency is aiming to secure a mandate by the end of March or early April to negotiate the Omnibus with the European Parliament, reflecting the desire to adopt it before the high-risk requirements of the AI regulation come into force in August.
We note several significant sanctions from the CNIL adopted just before and after the transition to 2026, all related to data security.
On January 13, 2026, the CNIL (French Data Protection Authority) fined the companies Free Mobile and Free €27 million and €15 million respectively, given the inadequacy of the measures taken to ensure the security of their subscribers' data.
In October 2024, an attacker managed to infiltrate the companies' information systems and access personal data concerning 24 million subscriber contracts, including IBANs.
On December 22, 2025, it fined the company Nexpublica France €1,700,000 for failing to implement sufficient security measures for its PCRM software, a tool for managing user relationships in the field of social action.
On December 11, 2025, it sanctioned Mobius Solutions Ltd, a subcontractor responsible for a data breach affecting Deezer users. A fine of one million euros was imposed on it for non-compliance with applicable subcontracting rules: retention of data after expiry of the contract, unauthorized processing and failure to keep a record of processing.
Three employees of the company had retained a copy of the data of more than 46 million Deezer users after the end of their contractual relationship, exposing them to security flaws that led to the posting of data on the dark web.
The Versailles Administrative Court of Appeal ruled on December 11 that a patient could not ask a hospital to correct a medical assessment, as it constituted a subjective opinion.
This principle remains applicable even when the diagnosis of the person responsible for the treatment differs from subsequent diagnoses.
AI hallucinations in lawyers' submissions are sometimes treated with indulgence by judges; that is at least the view taken by the judicial court of Périgueux in its decision of December 18.
The court notes "(...) that the case law references cited by the applicant, but not produced in his documents, do not appear to correspond to published decisions. (...)".
The court will therefore invite the applicant and his counsel to verify in the future that the references they have found on search engines or with the help of artificial intelligence are not "hallucinations".
This position contrasts with a recent Belgian decision, mentioned below.
The Ministry of the Interior suffered a large-scale cyberattack in mid-December.
The Minister of the Interior confirmed on Wednesday, December 17, that "the services at the Ministry of the Interior were the target of a massive cyberattack", describing it as a very serious act that resulted in the publication of files, including criminal records and wanted persons. The cyber intrusion occurred via the email accounts of ministry staff.
In the area of cyberattacks, it should also be noted that the CNIL, in its restricted formation of December 18, 2025, requested a sanction of 5 million euros against France Travail for a lack of security which resulted in a data breach affecting 36.8 million people.
European institutions and bodies
The EU regulation establishing additional procedural rules relating to the application of the GDPR was published on December 12 and will apply from April 2, 2027.
The aim of this text is to streamline the procedural handling of cross-border cases under the GDPR by national data protection authorities (DPAs), to improve cooperation between DPAs through structured procedures, clearer roles and defined time limits, and to strengthen procedural safeguards and legal certainty for complainants and parties under investigation, including the right to be heard, access to files and the effectiveness of judicial remedies.
The European Commission published on December 17 its first draft code of good practice on the marking and labelling of AI-generated content.
The project comprises two sections.
- The first covers the rules relating to the marking and detection of AI-generated content, applicable to providers of generative AI systems.
- The second covers the labeling of deepfakes and certain texts generated or manipulated by AI on matters of public interest and applies to deployers of generative AI systems.
The Commission will collect comments until January 23, with the aim of finalizing the code by June.
On 19 December 2025, the European Commission announced the renewal of the two adequacy decisions relating to the United Kingdom initially adopted in 2021, reaffirming that personal data can continue to flow freely between the European Economic Area and the United Kingdom.
In the Storstockholms Lokaltrafik (C-422/24) judgment of December 18, the Court of Justice of the European Union clarified the concept of direct collection of personal data.
This concept "does not require the person concerned to knowingly provide data or to take any particular action on their part. Therefore, data obtained through observation of the person who is its source is considered to have been collected directly from that person."
These clarifications have an impact on the timing and scope of the obligation to provide information, which must be immediate and more comprehensive.
The specific case involved the checking of a transport ticket by an agent equipped with a body camera.
The Court suggests that the most important information be indicated on a warning sign, and other information provided in an easily accessible location.
On December 23, the Trump administration imposed sanctions on five European nationals in response to the recent fine imposed by the European Commission on the company X under the Digital Services Act (DSA). Thierry Breton, former European Commissioner for the Digital Economy, as well as several members of civil society working for the NGOs HateAid, Center for Countering Digital Hate and The Global Disinformation Index, are banned from entering the United States.
Washington denounces the moderation, reporting and accountability obligations of platforms provided for by the DSA, which are considered here as extraterritorial censorship measures.
On December 5, the European Commission fined X 120 million euros for failing to meet its transparency obligations under the DSA.
The shortcomings include the misleading design of its "blue validation" for verified accounts, the lack of transparency in its advertising directory, and the failure to provide researchers with access to public data.
News from the member countries of the European Union.
In a decision dated November 10, the regional court of Darmstadt in Germany reduced to €0 the fees of an expert who had extensively used AI to prepare a judicial report without disclosing it.
The court cited the following factors to reduce the fees:
- The failure to declare the use of AI and the absence of a true author constituted a breach of procedural obligations.
- The report was deemed unusable: lack of personal review, factual errors, and obvious signs of AI-generated text.
- Transparency and accountability are essential in expert opinions.
The German court in Lübeck awarded a plaintiff €5,000 in non-material damages against Meta for processing personal data without obtaining prior consent through the use of Meta Business Tools.
Data transfers from third-party websites to Meta occur independently of user activation of Meta applications and obtaining their consent.
The court found that Meta had breached Article 6(1) of the GDPR, resulting in a sufficiently concrete threat to the data subject, who suffered a well-founded fear of misuse of his personal data in the form of a loss of control.
In Austria, the Supreme Court ruled on November 26 that Meta must provide its users with full access to all their personal data, including its sources, recipients and purposes.
A simple indicative list is not sufficient.
The Court also held that personalized advertising and the processing of (sensitive) personal data from third-party websites required the consent of the person concerned.
A recent Belgian decision has fined claimants more than 25,000 euros for using generative AI tools to draft their appeal submissions, for manifest abuse of procedure, frivolous appeal and abusive recourse.
The Antwerp Court of Appeal notes a production of "incoherent and completely meaningless" arguments supported by non-existent case law and invented legal sources.
In Belgium too, the APD issued a reprimand to a company for illegally transmitting information about a former employee during a telephone conversation with another company as part of a recruitment process.
The APD also reprimanded the two companies for failing to respond to the individual's access requests.
In Croatia, the AZOP (the Croatian data protection authority) fined a bank €1,500,000 for multiple GDPR violations.
The bank processed the personal data of 433,922 users without a legal basis, without providing the required information to users, and it had not implemented the appropriate technical and organizational measures.
The UK's data protection authority, the ICO, has fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of nearly 1.6 million of its UK users.
The ICO found that LastPass had not implemented sufficiently robust technical and security measures, which ultimately allowed a hacker to gain unauthorized access to its backup database.
The United States has renewed its demand for access to the national biometric databases of EU countries participating in the Visa Waiver Program (VWP), and intends to conclude an agreement on this matter before the end of 2026.
Washington has been requesting this access since 2022, as part of the United States' "Enhanced Border Security Partnerships" (EBSP), and threatens to remove the visa exemption if it is refused.
The extent of access remains uncertain.
The European position at this stage seems to want to limit it to people travelling to the United States.
Access would include biometric data such as fingerprints and facial scans, but also other sensitive data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning health or sexual life when necessary and proportionate "to prevent or combat criminal and terrorist offenses".
European capitals agreed in December to grant the European Commission a mandate to negotiate the framework for this agreement, the details of which will be decided by the member states.
In the United States, the use of AI to transcribe reports from police body cameras in Heber City, Utah, has had incongruous consequences.
The Draft One software, based on OpenAI's LLM, reported that an officer had transformed into a frog.
The software had actually detected the film that was playing in the background, which happened to be "The Princess and the Frog".
Beyond the irony of the situation, this particular case raises questions highlighted by Cybernews. "While the goal is to reduce the amount of paperwork, with errors like the one made in Heber City, agents risk spending even more time reviewing reports." An investigation conducted last year by the Electronic Frontier Foundation (EFF) revealed that Draft One "appears to have been deliberately designed to avoid audits that could provide public accountability."
"It is often impossible to know which parts of a police report were generated by AI and which parts were written by an officer."
Finally, a report by Privacy Laws & Business indicates that privacy regulation is nevertheless strengthening in the United States, where 19 states have now followed California's lead in adopting privacy laws, often focused on issues relating to children.
Few states are interested in the collection and use of biometric data.
Illinois has long held a leading position, now followed by Texas and Washington State.
There is still no consensus on new federal privacy regulations, "but the FTC has taken enforcement action involving hundreds of millions of dollars in damages and monetary penalties in settlements with major online companies Epic Games, Amazon and Microsoft," or, more recently, Disney Worldwide Services, with a $10 million settlement for violating the Children's Online Privacy Protection Act (COPPA).