Compliance with the GDPR: what are the economic benefits?
Legal Watch No. 85 – July 2025.
Studies conducted by the Association for Adult Vocational Training (AFPA) and the CNIL now confirm the economic benefits linked to the presence of a data protection officer (DPO) within companies.
The statistical survey conducted by AFPA in January 2024, based on more than 3,600 responses from DPOs, was supplemented by in-depth interviews by the CNIL with ten DPOs proposed by the French Association of Data Protection Correspondents (AFCDP).
The results of these analyses presented by the CNIL at the end of July identify four main benefits for companies with a DPO: competitiveness, avoidance of sanctions, avoidance of data leaks and rationalization of data management.
These benefits are perceived by companies of all sizes, and particularly in the "Research, IT and Consulting" and "Banking, Insurance and Mutuals" sectors.
- In terms of competitiveness, compliance with the GDPR appears as a lever to win tenders, particularly when these relate to data. In this context, the DPO appears as a key contact for buyers.
- While the DPO helps to limit the risk of sanctions, the benefits extend beyond the amount of fines to reputational aspects. In addition to the impact on company revenues, sanctions can also affect companies' financial ratings and therefore their ability to raise financing.
- In terms of security, the DPO, together with the Chief Information Security Officer (CISO), plays a central role in raising staff awareness and implementing internal data protection and incident management policies. In this regard, the CNIL points out that the average cost of a data breach is $5 million, according to a 2024 IBM study.
- Finally, streamlining data management allows companies to save money on servers, potentially amounting to several hundred thousand euros, and to improve the efficiency of decision-making. In this regard, a 2023 Annual Reviews study on the economic aspects of digital privacy also noted that "an excessive amount of data can reduce a company's market power."
The CNIL report takes into consideration how the data controller perceives the regulations.
The more the DPO and the company are convinced of the benefits of complying with the GDPR and integrate its principles into internal processes, the more the positive effects are felt, unlike companies that perceive compliance as a constraint.
A virtuous circle of motivation and benefits would therefore be established when the principles of the regulation are taken into consideration.
The study conducted in France is not the only one to identify the economic benefits of data regulation.
Additional aspects are also highlighted, for example by the European Data Protection Board (EDPB), which emphasizes the trust that the implementation of a visible data protection policy generates among individuals, beyond the context of calls for tenders.
Earlier this year, the OECD also published an analysis of international data flows, in which it stated that "regimes that provide for safeguards strike a balance between the trade costs associated with data regulation and the benefits in terms of trust provided by data safeguards."
In a context where data theft is intensifying and the development of artificial intelligence raises a growing number of ethical questions, gaining – and keeping – the trust of individuals represents a significant advantage with the public.
In a decision dated August 8, 2025, the Constitutional Council declared unconstitutional the practice of the CNIL's restricted formation of not informing the persons it wishes to hear, at hearings or in requests for observations, of their right to remain silent.
This decision is based on the right not to incriminate oneself, resulting from Article 9 of the Declaration of the Rights of Man and of the Citizen.
In order to put an end to this unconstitutionality from the date of publication of its decision, the Constitutional Council decided that, until a new law enters into force or until the date on which the provisions at issue are repealed, the person concerned must be informed of their right to remain silent before the restricted formation.
Following the decision of the Court of Justice of the European Union (CJEU), the Council of State (CE) published on July 31 its decision in the Mousse case, named after the association that initiated the complaint against the SNCF.
It holds that SNCF Connect "cannot force its customers to communicate their civility" (their form of address, Mr or Ms).
This data processing does not comply with the GDPR, which requires that only strictly necessary personal data be collected.
The Council of State considers that collecting civility is not essential for the sale of tickets or for identity checks during travel and should be optional, except for certain services, such as sleeper compartments reserved for single women.
It therefore annuls the CNIL's decision of March 23, 2021; the CNIL will have to re-examine the complaint of the Mousse association.
On August 6, 2025, Bouygues Telecom confirmed that it had suffered a computer intrusion which allowed cybercriminals to access the personal data of more than six million customers.
Passwords and bank card numbers were not affected, but the hackers gained access to a lot of information including names, postal and email addresses, date of birth, contract number and IBAN.
France Travail also suffered a personal data breach in mid-July, affecting 340,000 job seekers' files, including identity data, address, date of birth and telephone number. Faced with the increasing number of data breaches, the CNIL (French Data Protection Authority) has updated its advice to individuals.
European institutions and bodies
The European Commission published on August 7 its code of good practice for companies operating general purpose AI (GPAI) systems.
This document was prepared in collaboration with industry and civil society and aims to facilitate compliance with the AI regulation.
The full list of signatories includes 26 companies, including Amazon, Anthropic, Google, Microsoft, Mistral and OpenAI.
Elon Musk's company, xAI, has only signed the portion of the code dedicated to safety and security issues. Therefore, xAI will have to demonstrate its compliance with the regulations' transparency and copyright obligations through suitable alternative means.
Having recently assumed the presidency of the Council of the European Union, Denmark is in a privileged position to shape EU policy over the next six months.
On July 4, an informal document from the Danish government mentioned its intention to propose a targeted revision of the GDPR and the ePrivacy Directive in order to reduce the compliance burden on businesses and ensure their competitiveness.
The European Commission is also expected to publish in the coming months a quality assessment of EU digital legislation, as well as a digital omnibus package.
The revision of the GDPR does not seem to be a given, if we are to believe the summary of the "implementation dialogue" organised by the Commission in mid-July, and whose conclusions were published in early August.
The private sector indicated that it had "invested in compliance and that a general reopening could create uncertainty, particularly in the context of international data transfers."
In a case concerning Swedish public transport, the Advocate General (AG) of the CJEU clarified on August 1 the scope of Articles 13 and 14 of the GDPR regarding the information of data subjects.
The specific case concerned the collection of images by the controllers' onboard cameras.
The AG considers that Article 13 applies whenever the data subject is the source of the data ("collected from the data subject"), irrespective of the latter's active involvement in the collection, provided there is no intermediary between the data subject and the controller.
Article 14 applies whenever data is collected from a source other than the data subject.
Therefore, where images are collected by on-board cameras, the obligation to inform data subjects must be met immediately and does not benefit from the exemptions of Article 14.
On July 28, the European Data Protection Supervisor (EDPS) concluded its investigation into the European Commission's use of Microsoft 365 with a positive finding.
In a statement, it notes the significant improvement in data protection compliance in the Commission's use of Microsoft 365 and also acknowledges and appreciates "Microsoft's efforts to comply with the Commission's requirements arising from the EDPS decision of March 2024."
The report from the European Union Agency for Cybersecurity (ENISA) published on June 26 provides technical guidance to support the implementation of the NIS2 Directive for several types of entities in the NIS2 digital infrastructure, ICT service management and digital provider sectors.
It compiles an inventory of relevant European and international standards and frameworks (ISO 27001, NIST, ETSI and CEN).
News from the member countries of the European Union
In Germany, the Düsseldorf court awarded €200 in non-material damages to an individual following a data breach caused by the data controller's failure to ensure the deletion of personal data processed by its subcontractor within the legally required timeframes.
Echoing the Mousse case mentioned above, the Frankfurt court ruled that the German national railway company had illegally required its customers to provide their email address or mobile phone number to purchase tickets.
It considered that this was not necessary for the performance of the contract and that the consent given was neither genuine nor freely given.
The Croatian data protection authority has fined a utility company €320,000 for failing to implement the required security measures when issuing new passwords to its users and for not cooperating with the authority.
The Spanish Data Protection Agency (AEPD) has fined a company operating sports centers €96,000 for implementing mandatory facial recognition systems for entering and exiting the premises without informing its members beforehand or obtaining their consent.
Also in Spain, the AEPD fined an energy supplier €1,380,000 for mistakenly assigning a gas supply contract to the wrong customer and charging that customer fees, in violation of the principles of data accuracy and security of processing.
The Irish Supreme Court held that claims for compensation for emotional suffering such as distress, upheaval or anxiety may be brought directly under the GDPR, and that national provisions requiring authorization from an independent body before claiming damages for personal injury do not apply to them.
The Italian competition authority launched an investigation on July 22 into Meta Platforms regarding the addition of AI services to WhatsApp without user consent.
As a reminder, on May 23, 2025, the Cologne Higher Regional Court rejected an injunction against Meta concerning Meta's training of its AI.
The Court had considered that the combination of anonymized data from Facebook and Instagram in a training dataset did not constitute an unlawful "combination" of data within the meaning of Article 5(2) of the Digital Markets Act (DMA).
The Lithuanian Data Protection Authority (DPA) considered, in a case involving two neighbors, that the occasional collection of personal data using an aerial drone, for the purpose of gathering evidence for legal proceedings, fell under the household exemption provided for by the GDPR.
The DPA indicates that it referred to the EDPB guidelines of 2020 on this point.
In Poland, the Federal Administrative Court sided with the ombudsman and ruled that Polish legislation requiring judges and prosecutors to disclose their affiliation with religious, trade union and political organizations was incompatible with their rights under the EU Charter and the European Convention on Human Rights.
In Poland too, McDonald's Polska Sp. z o.o. was fined €3,955,000 for failing to comply with general principles regarding data processing, in particular for taking inadequate measures to protect personal data.

In the UK, the government may, under pressure from the US, abandon its order targeting Apple's advanced data protection feature.
The Home Office's request was made under the Investigatory Powers Act (IPA), which authorizes the UK government "to issue secret orders requiring suppliers to circumvent encryption by inserting backdoors into their software products."
According to Ars Technica, US officials, including Vice President JD Vance, are pressuring the UK to reverse its decision. "This is something that greatly annoys the Vice President and needs to be resolved," a British department official reportedly said.
WeTransfer, used by many professionals and individuals for sharing documents, changed its terms and conditions in mid-July, indicating that from August it would use its users' content to train its AI system.
Following the reactions this announcement provoked, and the questions raised about data confidentiality, the company reportedly backtracked in the following days.
The use of ChatGPT can lead to the disclosure of data without users' knowledge: this is what a July 31 publication from Digital Digging reveals.
The investigation found, through targeted keyword searches, 512 publicly accessible ChatGPT conversations revealing compromising information and confidential data.
Through the "share" feature, users unknowingly made their interactions with ChatGPT public and indexable by search engines.
The shared conversations reportedly concern cases of insider trading, detailed financial information on companies, confessions of fraud and evidence of regulatory violations, all kept in the form of permanently accessible public archives.
In India, the impact of geopolitics on digital technology
The IAPP reports that at the end of July, Nayara Energy, India's third largest refinery with 6,000 service stations, was denied access to its data by Microsoft without prior notice, even though it had fully paid for its licenses.
Rosneft, a Russian entity, holds a 49.13% stake in Nayara Energy. This move is believed to be a consequence of the sanctions imposed on Russia in the context of the war in Ukraine.
Another incident concerns the withdrawal of the service authorization granted by the Indian National Space Promotion and Authorisation Centre to two satellites of the Asia Satellite Telecommunications Company after March 31, 2026.
AsiaSat's main shareholder is an entity owned by the Chinese government.
This decision has repercussions for some of India’s biggest entertainment broadcasters, such as Zee and Jiostar, who will now have to look for alternatives.
These events echo Microsoft's blocking last spring of the email account of the Prosecutor General of the International Criminal Court (ICC).
This blockage was a direct consequence of the measures taken by US President Donald Trump against the Hague Court in February, after a panel of ICC judges issued arrest warrants against Israeli Prime Minister Benjamin Netanyahu and his former Defense Minister Yoav Gallant for war crimes in the Gaza Strip.
The August edition of the PL&B International Report features an article by Maria Tzanou, a lecturer in law at the University of Sheffield (UK) and head of the FemTech surveillance project.
She raises questions about the surveillance of women through products and services such as fertility and period tracking apps, stating that there are "problematic and often illegal data collection practices".