RegRally Insights: Personal Data Protection and ICT Regulation – October 2025

Welcome to the October 2025 edition of RegRally Insights: Personal Data Protection and ICT Regulation.
This month’s edition highlights pivotal developments in European and Lithuanian data protection enforcement and regulation.

The EU General Court has upheld the validity of the EU–US Data Privacy Framework, ensuring stability for transatlantic data flows, while the EDPB issued guidance clarifying the interplay between the GDPR and the Digital Services Act. In France, the CNIL imposed significant fines on Google (€325 million) and Shein (€150 million) for unlawful cookie practices and advertising violations, signalling stricter scrutiny of online tracking and consent. Meanwhile, Lithuania’s VDAI clarified which incidents are not considered personal data breaches, helping organisations fine-tune their incident response and reporting obligations.

Our briefing summarises the key rulings, enforcement trends, and practical compliance actions organisations should take to stay aligned with evolving EU privacy standards.

EU Court Confirms Validity of the EU–US Data Privacy Framework

Another challenge to EU–US data transfers has failed. On 9 October 2025, the EU General Court upheld the EU–US Data Privacy Framework (DPF), confirming that personal data can continue to be transferred to the United States without using alternative mechanisms such as Standard Contractual Clauses (SCCs).

The Court rejected claims that the Data Protection Review Court (DPRC) lacked independence and that US intelligence agencies conducted unlawful bulk data collection. It found that Executive Order 14086 and the Attorney General Regulation provide sufficient safeguards to ensure the DPRC’s impartiality, independence, and effective redress. The Court also emphasised that EU law does not require prior judicial authorisation for bulk data collection, provided adequate ex post oversight exists.

The ruling leaves the DPF intact but notes that the European Commission must continue monitoring the framework and may revise or suspend it if US safeguards weaken.

Recommendations:

  • Continue using the DPF for transatlantic data transfers, ensuring your organisation’s self-certification is valid and current.
  • Monitor legal developments, as the judgment may be appealed to the Court of Justice. Designate a person or team to track updates from the European Commission, the US Department of Commerce, and data protection authorities.

CNIL Fines Google €325 Million for Breaches of Advertising and Cookie Consent Rules

The French Data Protection Authority (CNIL) has fined Google LLC (€200 million) and Google Ireland Limited (€125 million) for violations of French rules on commercial prospecting and cookie consent.

Following a complaint by NOYB, CNIL found that Google:

  • Displayed advertisements formatted like emails in the Gmail inbox without users’ prior consent, which the CNIL treated as direct marketing by electronic mail in breach of Article L.34-5 of the CPCE.
  • Collected invalid consent for advertising cookies during Google account creation, as users were not clearly informed that such cookies were optional, violating Article 82 of the French Data Protection Act.

Google must cease displaying ads in Gmail without consent and ensure valid, informed cookie consent within six months or face €100,000 per day in penalties.

EDPB Clarifies GDPR-DSA Interplay for Online Platforms

The European Data Protection Board (EDPB) has issued its first guidelines on the interaction between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR). The aim is to ensure a coherent application of both frameworks, as many DSA obligations involve processing personal data by intermediary service providers, such as online platforms and search engines.

The guidelines address key DSA provisions related to:

  • Notice-and-action systems for reporting illegal content
  • Recommender systems used to personalise content
  • Protection of minors, including bans on profile-based advertising
  • Advertising transparency and prohibitions on using sensitive data for profiling

The EDPB also highlights the need for cross-regulatory cooperation between data protection and digital services authorities to ensure consistent enforcement. The guidelines are now open for public consultation.

Recommendations:

  • Review notice-and-action systems to ensure data minimisation, transparency, and security.
  • Assess recommender systems for compliance with GDPR principles on profiling and automated decisions.
  • Enhance protection for minors: do not present profile-based advertising to users you know, or can reasonably determine, are minors.
  • Ensure advertising transparency and avoid processing sensitive data for targeting purposes.

CNIL Fines Shein €150 Million for Cookies Placed Without Consent

In August 2023, the CNIL inspected shein.com and found multiple breaches of cookie consent requirements under Article 82 of the French Data Protection Act. As a result, it fined INFINITE STYLES SERVICES CO. LIMITED (Shein) EUR 150 million for placing cookies without consent, failing to honour user choices, and providing incomplete information.

The CNIL noted that, despite its repeated cookie enforcement decisions since 2020, Shein’s website set advertising cookies immediately upon users’ arrival and displayed incomplete consent banners. The breaches were deemed particularly serious given Shein’s massive reach, around 12 million monthly visitors in France.

The CNIL’s restricted committee acknowledged that Shein brought its website into compliance during the proceedings, so no compliance order was issued alongside the fine.

Key Recommendations for Organisations

1. Obtain Explicit Consent Before Placing Cookies

  • Do not place advertising or analytics cookies until users have actively consented.
  • Avoid pre-ticked boxes or automatic acceptance mechanisms.

2. Ensure Complete and Transparent Information

  • Cookie banners must clearly state each cookie’s purpose and identify any third parties.
  • Provide accessible second-level information detailing data uses and controllers.

3. Enable Real Refusal and Withdrawal Options

  • Users must be able to “reject all” cookies as easily as they can accept them, with previously set cookies disabled or deleted.
  • Allow easy withdrawal of consent at any time, effective immediately rather than on the next visit.

4. Test and Audit Cookie Management Regularly

  • Perform technical audits to verify that consent mechanisms work as intended.
  • Ensure full alignment between consent records and cookies actually stored.

5. Monitor Regulatory Developments

  • Track enforcement trends and CNIL guidance to anticipate evolving standards.
  • Learn from similar public cases to strengthen internal compliance practices.
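Recommendations 1 to 4 above describe a concrete mechanism: gate every non-essential cookie on an active choice, make refusal and withdrawal delete what is already stored, and audit that the stored cookies match the consent record. The block below is an added example of that mechanism; it is not code from the CNIL decisions or from any vendor’s consent tool. The cookie registry, the third-party name "ExampleAdsNetwork" and the in-memory cookie store are constructed for illustration; in a browser the store would wrap `document.cookie`.

```javascript
// Added example (not from the CNIL decisions or any consent-management product):
// a consent-gated cookie manager with an alignment audit.

// Every cookie the site sets is registered with its purpose and owner, so the
// banner's second-level information is generated from one source of truth.
// Names and the third party "ExampleAdsNetwork" are constructed for this example.
const COOKIE_REGISTRY = {
  session_id: { category: 'essential',   thirdParty: null },
  _ga:        { category: 'analytics',   thirdParty: 'Google Analytics' },
  _gid:       { category: 'analytics',   thirdParty: 'Google Analytics' },
  ads_id:     { category: 'advertising', thirdParty: 'ExampleAdsNetwork' },
};

// Minimal in-memory cookie store so the logic runs outside a browser.
function createCookieStore() {
  const jar = new Map();
  return {
    set: (name, value) => { jar.set(name, value); },
    delete: (name) => jar.delete(name),
    names: () => [...jar.keys()],
  };
}

// A fresh visitor has made no choice: nothing non-essential may be set.
function createConsentRecord() {
  return { decided: false, timestamp: null, allowed: { analytics: false, advertising: false } };
}

function isAllowed(consent, category) {
  if (category === 'essential') return true;   // strictly necessary cookies are exempt
  return consent.decided && consent.allowed[category] === true;
}

// The only path through which tags should set cookies: blocked until consent exists.
// Returns true if the cookie was set, false if it was blocked.
function setCookieGated(store, consent, name, value) {
  const meta = COOKIE_REGISTRY[name];
  if (!meta) throw new Error(`unregistered cookie "${name}": declare its purpose and owner first`);
  if (!isAllowed(consent, meta.category)) return false;
  store.set(name, value);
  return true;
}

// Remove every stored cookie in a category; returns the names removed.
function purgeCategory(store, category) {
  const removed = [];
  for (const name of store.names()) {
    const meta = COOKIE_REGISTRY[name];
    if (meta && meta.category === category) { store.delete(name); removed.push(name); }
  }
  return removed;
}

// Record a user choice. Any category not explicitly accepted is refused, and
// refusing a category deletes cookies already set in it, so "reject all" and a
// later withdrawal take effect immediately rather than on the next visit.
function applyChoice(store, consent, choice) {
  consent.decided = true;
  consent.timestamp = Date.now();
  for (const category of Object.keys(consent.allowed)) {
    consent.allowed[category] = choice[category] === true;
    if (!consent.allowed[category]) purgeCategory(store, category);
  }
  return consent;
}

// "Reject all" and withdrawal of consent are the same operation: accept nothing.
function rejectAll(store, consent) { return applyChoice(store, consent, {}); }

// Audit: does what is stored match what the consent record permits? This catches
// tags that bypass the gate (cookies set on arrival before any choice, the pattern
// the CNIL sanctioned). An empty result means records and cookies align.
function auditAlignment(store, consent) {
  const findings = [];
  for (const name of store.names()) {
    const meta = COOKIE_REGISTRY[name];
    if (!meta) { findings.push({ cookie: name, issue: 'unregistered cookie present' }); continue; }
    if (!isAllowed(consent, meta.category)) {
      findings.push({ cookie: name, issue: `${meta.category} cookie set without consent`, thirdParty: meta.thirdParty });
    }
  }
  return findings;
}

// Banner disclosure generated from the registry: purpose and third party per cookie.
function bannerDisclosure() {
  return Object.entries(COOKIE_REGISTRY).map(([name, m]) =>
    ({ cookie: name, purpose: m.category, thirdParty: m.thirdParty || 'first party' }));
}

// Walk-through: first visit, a legacy tag that bypasses the gate, then "reject all".
function demo() {
  const store = createCookieStore();
  const consent = createConsentRecord();
  setCookieGated(store, consent, 'session_id', 'abc');  // allowed: essential
  setCookieGated(store, consent, 'ads_id', 'xyz');      // blocked: no choice made yet
  store.set('_ga', 'GA1.2.bypass');                     // tag writing directly, bypassing the gate
  const beforeChoice = auditAlignment(store, consent);  // one finding: _ga without consent
  rejectAll(store, consent);                            // deletes _ga, keeps session_id
  return { beforeChoice, afterReject: auditAlignment(store, consent), cookies: store.names() };
}
```

Run `auditAlignment` on real page loads (for example from an automated browser session that visits the site with a fresh profile and makes no choice) and treat any finding as a defect: it is exactly the evidence the CNIL relied on in the Shein case. The audit also catches a subtler failure, a cookie written by a script that never went through the gate, which a banner review alone would miss.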

VDAI Clarifies Which Incidents Are Not Considered Personal Data Breaches

The State Data Protection Inspectorate (VDAI) has updated its guidance clarifying when an incident does not qualify as a personal data breach (PDB) under the GDPR. The aim is to help organisations identify situations that fall outside the GDPR definition of a breach, where no notification to the VDAI is required. Note that an incident which is a breach but is unlikely to result in a risk to individuals’ rights and freedoms is also exempt from notification under Article 33(1), but must still be documented.

The update introduces three new examples, including access to data of a deceased person, an account compromise due to the user’s negligence (where security measures were not breached), and a misdirected but sealed letter that did not expose any personal data.

While incidents caused by a data subject’s own careless actions may fall outside the PDB scope, this holds only where the controller’s or processor’s security measures were not themselves breached, so adequate security measures and documented risk assessments must remain in place.

Recommended Actions for Organisations

1. Review Internal Breach Assessment Procedures

  • Update incident response policies to include VDAI’s new non-PDB examples.
  • Train staff to differentiate between actual data breaches and low-risk incidents.

2. Document and Evaluate All Incidents

  • Keep records of all incidents, including reasoning for non-PDB classification.
  • Demonstrate that security controls functioned effectively and were not compromised.

3. Monitor Regulatory Updates

  • Follow new VDAI and EDPB guidance to align with evolving GDPR interpretations.