CMS Data Protection Update, February 2025

Europe

I. The latest from the data protection authorities and current topics

1. EDPB: Opinion on the processing of personal data in the context of the development and use of AI models

In December last year, the European Data Protection Board (EDPB) published its Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models. In it, the European data protection authorities comment on key data protection issues in connection with the development and use of AI models. The opinion contains a three-stage test to help data controllers determine whether they can cite legitimate interest as a legal basis. The Rhineland-Palatinate and Baden-Württemberg Commissioners for Data Protection and Freedom of Information have welcomed the opinion in a joint press release, even if not all data protection-related legal questions with regard to AI have been conclusively answered. The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has also published a press release. You can find an overview of the opinion on our blog.

The topic of AI continues to keep data protection authorities occupied. For example, the North Rhine-Westphalia Commissioner for Data Protection and Freedom of Information (LDI NRW) named AI in a recent interview as one of the most important topics for her office and pointed out difficulties, including those in dealing with models trained outside the EU.

2. BfDI: Data protection policy agenda for the 21st legislative period

At the end of 2024, to coincide with the upcoming Bundestag elections, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) presented a data protection policy agenda for the next legislative period. In the agenda, the Commissioner lists topics that the parties should include both in their election manifestos and in a coalition agreement. These include establishing a ministry for digital affairs, legally compliant training and use of AI, data protection by design and an employee data act. The Commissioner also considers digital healthcare and the digital euro to be particularly important topics.

3. BfDI: Berlin Group's working papers on LLM and data sharing

Chaired by the German Federal Commissioner for Data Protection and Freedom of Information (BfDI), the Berlin Group, an international working group for data protection in technology, has adopted two new working papers. One paper concerns data protection risks posed by large language models (LLM). The other paper revolves around the topic of data sharing and is meant to contribute to the secure and protected exchange of data in compliance with the principles of data protection law.

4. German Federal Council: Consent Management Ordinance passed

In December last year, the German Federal Council approved the Consent Management Ordinance passed by the Federal Government. "Recognised consent management services", as the Ordinance calls them, are intended to simplify the management of cookie consents on the internet and reduce the number of consent banners in the long term. On request, a recognised service transmits to the digital service provider the user's decision as to whether or not they give their consent. The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) provides information on its website about applying for recognition as a consent management service.

The Lower Saxony State Commissioner for Data Protection (LfD Niedersachsen) criticised the Ordinance in a press release dated 27 December 2024: the Ordinance fails to achieve its aim and does not take into account some of the points of criticism voiced in the past by the Data Protection Conference (DSK). For example, consent banners are still necessary, and the consent management services only cover consent in accordance with section 25 of the German Telecommunications Digital Services Data Protection Act (TDDDG), not consent in accordance with the GDPR.

5. Rhineland-Palatinate: Mit Sicherheit gut behandelt initiative

In 2025, the Rhineland-Palatinate State Commissioner for Data Protection and Freedom of Information, together with the Rhineland-Palatinate Association of Statutory Health Insurance Physicians (KV RLP), the Rhineland-Palatinate State Chamber of Physicians (LÄK RLP) and the Rhineland-Palatinate State Chamber of Psychotherapists (LPK RLP), launched the "Mit Sicherheit gut behandelt" initiative, which offers monthly practical tips for doctors and psychotherapists. The first practical tip deals with the right of access under the GDPR. Further tips on the use of email in medical practices, consent and cloud use are to follow.

II. New GDPR fines

1. Ireland: EUR 251 million fine for insufficient technical and organisational measures (TOMs)

In Ireland, the operator of a social media platform has received a fine of EUR 251 million due to a lack of suitable technical and organisational measures (TOMs). According to the Irish Data Protection Commission (DPC), the GDPR violation resulted from unauthorised third parties exploiting user tokens on the platform. The DPC found that Article 33 GDPR had been violated (incurring fines of EUR 11 million) because, for example, required information was missing from the personal data breach notification. In addition, the DPC found violations of Article 25 GDPR (data protection by design and by default, incurring fines of EUR 240 million): the design of the processing systems had not ensured that the data protection principles were implemented, and the controller's obligation to process by default only the personal data necessary for each specific purpose had not been complied with.

2. Ireland: EUR 310 million fine for having an insufficient legal basis for data processing

Also in Ireland, a fine of EUR 310 million was issued under the GDPR. The recipient of the fine is the operator of a professional social network that had no valid legal basis for processing user data for the purpose of behavioural analysis and targeted advertising. The DPC found violations of, among other provisions, Article 6 (1) (a) GDPR, Article 6 (1) (f) GDPR, Article 13 (1) (c) GDPR and Article 14 (1) (c) GDPR.

III. Recent case law

1. Latest developments on GDPR damages

A lot happened around the turn of the year regarding data protection claims for compensation under Article 82 GDPR.

For one, the German Federal Court of Justice designated one of the scraping cases as the first case under the new leading decision procedure and, in its ruling dated 18 November 2024 (VI ZR 10/24) on Article 82 GDPR, held that even a mere temporary loss of control over personal data as a result of a GDPR violation can be enough to constitute non-material damage. For this, there does not have to be any specific misuse of the data to the detriment of the data subject, nor are any other additional noticeable negative consequences for the data subject required. The German Federal Court of Justice set the amount of compensation to be paid in these cases at EUR 100. It has thus set the requirements for non-material compensation pursuant to Article 82 GDPR significantly lower than some lower courts previously did, meaning that an increase in legal actions over GDPR violations can be expected.

The first German courts have followed the German Federal Court of Justice's case law and in some scraping cases awarded amounts of EUR 100, e.g. Dresden Higher Regional Court, judgment dated 10 December 2024 – 4 U 808/24. However, even after this judgment by the German Federal Court of Justice, some courts have continued to reject claims for compensation by data subjects, for example on the grounds that there was no loss to compensate, e.g. Hamm Higher Regional Court, judgment dated 22 November 2024 – 25 U 33/24.

2. EGC: EU Commission ordered to pay compensation

Another fascinating court decision did not concern Article 82 GDPR but the corresponding provision of Article 46 GDPR, as the EU Commission was the defendant in the proceedings. In a decision by the General Court (EGC) dated 8 January 2025 (T-354/22), the Commission was ordered to pay EUR 400 in compensation to a data subject. By offering a hyperlink to the "EU Login" user authentication service on its website, the Commission had created the conditions for the claimant's IP address to be transmitted to a US enterprise operating a social media platform. At the time of the data transfer, there was not yet an adequacy decision by the EU Commission for the USA. The General Court (EGC) affirmed the loss of control asserted by the claimant, but rejected his further claim for EUR 800 as compensation for the non-material loss he claimed to have suffered as a result of the Commission's violation of Article 14 (3) and (4), Article 17 (1) and (2) and Article 4 (1) (a) GDPR.

3. CJEU: Customer's gender identity not required for the purchase of a ticket

In its judgment dated 9 January 2025 in case C-394/23, the Court of Justice of the European Union (CJEU) ruled, in response to a referral from France, that a traveller's gender identity is not information required to purchase a ticket. In the case underlying the proceedings, the seller had made it mandatory for travellers to choose either "Mr" or "Ms" when purchasing tickets online. According to the CJEU, this is not in line with the principle of data minimisation, as a form of address based on gender identity is neither necessary nor objectively indispensable for purchasing a ticket.

IV. CMS events, fascinating blog posts and more

1. Data protection and AI: EU regulators answer important questions.

2. Article 17 GDPR in the EDPB's Next Coordinated Action.

3. With CMS Digital Laws, you can also work with the full texts of the AI Act and the P2B Regulation in German and English in addition to the Digital Services Act (DSA) and the Data Governance Act (DGA). More content is coming!