Data Privacy & Cybersecurity

CJEU Rules Pre-Ticked Checkboxes Invalid for Cookie Consent

The European Court of Justice (CJEU) ruled that pre-ticked checkboxes are invalid for obtaining cookie consent. This decision, welcomed by data protection authorities, clarifies that active user behavior is required for valid consent regarding data processing.

Bundestag Strengthens Data Protection Authority

The German Bundestag's Budget Committee has allocated an additional 67 posts to the Federal Commissioner for Data Protection and Freedom of Information (BfDI) for the upcoming year. This funding aims to enhance supervision of security authorities, support new digitalization tasks in the health sector, and improve international cooperation.

BfDI Fines 1&1 Telecom EUR 9.55M and Rapidata EUR 10k under GDPR

Germany's Federal Commissioner for Data Protection and Freedom of Information (BfDI) has fined 1&1 Telecom GmbH EUR 9.55 million for insufficient technical and organizational measures to protect customer data and Rapidata GmbH EUR 10,000 for failing to appoint a data protection officer. These actions underscore the enforcement of GDPR provisions.

EDPB Agrees on GDPR Evaluation and Suggests Cooperation Improvements

The European Data Protection Board (EDPB) has agreed to contribute to the European Commission's evaluation of the GDPR. The EDPB suggests improvements in cooperation between data protection authorities and revisions to standard contractual clauses for data transfers.

ECJ Invalidates Privacy Shield, Impacts International Data Transfers

The European Court of Justice (ECJ) has declared the EU-US Privacy Shield invalid, impacting international data transfers. The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) stated that companies and authorities can no longer rely on the Privacy Shield for data exchange with the USA, requiring special safeguards and adherence to fundamental rights.

France Travail fined €5 million for data security breach

The CNIL has fined FRANCE TRAVAIL (formerly Pôle Emploi) €5 million for failing to implement adequate security measures to protect job seeker data, following a hack in early 2024. The fine addresses inadequate technical and organizational measures, including weak authentication and logging.

CNIL Work Programme 2026-2028 on Data Economy

The CNIL has published its work programme for 2026-2028, focusing on understanding data-related business models and measuring the economic impact of its decisions. The programme aims to deepen expertise in data protection's economic implications and contribute to public debate on the data economy.

CNIL Annual Report: 2025 Fines and Sanctions

The CNIL reported imposing €486.8 million in fines and 83 sanctions in 2025, primarily for violations related to cookies, employee monitoring, and data security. The report details 143 compliance orders and 31 reminders of legal obligations issued during the year.

EDPB Guidelines on Article 48 GDPR

The European Data Protection Board (EDPB) has published final guidelines on Article 48 of the GDPR, concerning the recognition of judgments and decisions of public authorities of third countries. These guidelines clarify the conditions under which such judgments can be relied upon for international data transfers.

EDPB Consultation on DSA and GDPR Interplay Guidelines

The European Data Protection Board (EDPB) has opened a public consultation on its draft Guidelines 3/2025 concerning the interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR). The consultation period is open until October 31, 2025.