Each month, we deliver you most of the data news in Data4Coffee. Don't miss out on key information!
To register, write to data4coffee@squairlaw.com.
[March 6] The bill “for consensual telephone canvassing and strengthened consumer protection against abuse” was adopted by the National Assembly. This text, already approved at first reading by the Senate in November 2024, requires companies to obtain the explicit agreement of individuals before contacting them for commercial purposes. This measure aims to protect consumers against unsolicited calls and potential abuse related to cold calling. Exceptions are provided, in particular for businesses specializing in home delivery of food products, in order to maintain local services. The law also reinforces sanctions for non-compliance, with fines of up to 500,000 euros for natural persons and up to 20% of annual turnover for legal entities in case of abuse of weakness. The bill must now be examined by the Senate.
[March 10] ANSSI is calling for comments on the use of internet voting for non-political elections, aimed at guaranteeing the security and reliability of the electoral process. This initiative follows the updating of the CNIL's recommendations on Internet voting at the beginning of 2025. On the occasion of this update, the CNIL defined security objectives to be met in order to protect personal data and respect the main electoral principles. To meet each of these objectives, ANSSI proposes to formulate technical recommendations.
Source: Call for comments on internet voting for non-political elections | ANSSI
[March 11] In a decision published at the beginning of March relating to the establishment of the “EMC2” health data warehouse, the CNIL alerts on the legal risks associated with hosting by Microsoft, in particular due to potential interference by American authorities via the Cloud Act. It “reiterates its regrets that the PDS [Health Data Platform] still does not currently have a service provider capable of meeting its needs while protecting SNDS data against access by public authorities from third countries”. Noting that no call for tenders has been published in this regard, the CNIL invites the Government “to work actively to implement a sovereign solution”. The day after the publication of this decision, the Health Data Hub shared its results for 2024, in which it announced that it was considering an “interlayer solution” to migrate from Azure to a “sovereign environment”.
Sources:
- Deliberation 2025-013 of January 13, 2025 - Légifrance
[March 12] In October 2024, Free notified its customers of an unauthorized consultation of their personal data, compromising the privacy of 19 million subscribers, including 5 million email addresses. The CNIL subsequently received numerous complaints from the persons concerned, to which it responded by an email dated 12 March. In this email, the CNIL explains that an in-depth analysis of the information collected led it to initiate a sanction procedure before the restricted formation of the CNIL.
Source: Massive Free data theft: The CNIL launches a sanction procedure - Le Monde Informatique
[March 13] The CNIL Digital Innovation Laboratory (LINC) is exploring the use of “reduced” sensors which, by limiting data collection at the source, offer an alternative to “augmented” cameras for video surveillance that is more respectful of people's rights. In this respect, the LINC emphasizes that these sensors, whether “passive” (infrared cameras, event cameras, etc.) or “active” (LIDAR and time-of-flight), can offer an initial minimization by limiting the risks associated with the use of conventional cameras.
[March 13] France has begun the process of transposing the European NIS 2 directive, aimed at strengthening the cybersecurity of critical infrastructures. The transposition bill, whose consideration was delayed by the dissolution of the National Assembly, is now in the hands of the Senate. The NIS 2 directive, published on December 27, 2022, significantly expands the number of entities concerned, from around 300 to 15,000, including sectors such as energy, transport, health and digital services. Businesses will have to comply with strict network and information system security requirements, or face penalties for non-compliance. This approach aims to improve the resilience of the French economic fabric in the face of growing cyber threats. In addition to the provisions of this directive, the bill incorporates the provisions of the Critical Entity Resilience Directive and the Dora Regulation.
[March 20] On 5 March 2025, the CNIL and the Autorité de la Concurrence organized an internal seminar to deepen the links between personal data protection and competition in the development of artificial intelligence (AI). The discussions focused on the competitive analysis of the generative AI sector, in particular after the opinion of the Autorité de la Concurrence on 28 June 2024, as well as on ways to legally secure the training of AI models in accordance with the GDPR, based on the opinion of the European Data Protection Board. The authorities also discussed recent recommendations from the CNIL to promote responsible AI, the economic issues related to AI business models and the implications of open-source strategies in terms of data protection and competition law. This initiative is a continuation of their joint statement of 12 December 2023, reflecting their commitment to cooperate closely to support new European regulations and promote trustworthy AI.
[March 20] The CNIL has initiated a public consultation on a draft recommendation aimed at improving the compliance and security of electronic patient records (EHR). This initiative follows a significant increase in personal data breaches in the healthcare sector, with notifications rising from 16 in 2018 to 196 in 2024. Checks conducted between 2020 and 2023 revealed illegitimate access to these records, with some health professionals consulting information that is not necessary for the care of patients. The draft recommendation recalls the legal obligations in terms of the security and confidentiality of health data, in accordance with Article 32 of the GDPR. It proposes technical and organizational measures to ensure the protection of sensitive patient information. Stakeholders are invited to participate in this public consultation until 16 May 2025, in order to contribute to the development of practices that build trust in the digital health system.
For more information, see our article here.
[March 21] In 2025, the CNIL will focus its control missions on three key areas: data collection through mobile applications, the cybersecurity of local authorities and data processing by the prison administration. These controls aim to ensure the compliance of these various processing operations with the applicable regulations on the protection of personal data, in particular with regard to consent and information security. In addition, as part of a coordinated action, the CNIL, with its European counterparts, will carry out actions to verify the conditions for implementing the right to erasure.
Source: CNIL controls in 2025: mobile applications, prison administration, community cybersecurity | CNIL
[March 25] Faced with the multiplication of malicious attacks via student digital workspaces (ENT), the CNIL is joining forces with public authorities as part of the CACTUS operation. An awareness-raising campaign launched by the cybercrime section of the Paris Public Prosecutor's Office and JUNALCO, the operation targeted 2.5 million middle and high school students. The students were invited via their ENT to click on a link encouraging them to get free cracked games and cheats; nearly one in twelve students clicked on the link, which redirected them to an awareness-raising message. This initiative is part of the CNIL's strategic plan for the protection of minors and cybersecurity, and educational resources have been made available to academies in order to extend this awareness-raising effort.
Source: Raising young people's awareness of cybersecurity: the CNIL committed to Operation CACTUS | CNIL
[March 25] The CNIL is launching a public consultation on its draft recommendation on the use of location data for connected vehicles. Because location data is highly personal and particularly intrusive on privacy, the CNIL seeks to increase the vigilance of actors on the processing of this data. The project focuses on the uses of connected vehicles by individuals, as owner or renter, and is aimed at all vehicle actors (manufacturers, fleet managers, suppliers of telematics tools, data aggregators and integrators). The project offers concrete recommendations on the most frequent uses of location data in order to facilitate compliance with the key principles of the GDPR by actors. The consultation is open until May 20, 2025.
[March 27] At the end of February, Harvest, a French financial software publisher, was the victim of a ransomware attack, temporarily paralyzing its services and impacting many players in the financial sector. Sensitive customer data, in particular from MAIF and Groupe BPCE, was compromised, exposing the individuals concerned to increased risks of phishing and identity theft. Harvest notified the appropriate authorities and its customers of the breach. Several weeks after this attack, and after informing its customers that no data leak had been detected, Harvest finally confirmed the compromise of “some internal files and employee email accounts”, without however specifying the extent of this leak.
Sources:
- Data breach, financial sector paralysis: What you need to know about the Harvest cyberattack
- Harvest: new twists and turns after the announcement of a data leak | Les Echos
[March 27] In 2025, the CNIL is continuing its work to support professionals with new practical tools to facilitate their compliance with the RGPD. Among its main projects of 2025, the CNIL will set up new fact sheets relating to artificial intelligence, will work on three draft standards (subcontractor evaluation framework, update of “health” standards, reference framework for banks on the granting of credit), as well as on three recommendation projects (multi-terminal consent, pixels in emails, economics for seniors). The CNIL will also begin work to develop recommendations on the use of embedded cameras (Dash Cams).
Source: Support for professionals: the CNIL's work program for 2025 | CNIL
[March 28] The Competition Authority imposed a fine of 150 million euros on Apple for having promoted its own targeted advertising service in mobile applications to the detriment of its competitors, between April 2021 and July 2023. The Competition Authority concluded that, while the objective of Apple's system (“App Tracking Transparency” or “ATT”) to strengthen the protection of users' privacy was not open to criticism, its implementation methods were neither necessary nor proportionate to Apple's stated objective, due to the constraints it imposed on publishers and users. In its competitive analysis, the authority took into account the conclusions issued by the CNIL. As the CNIL points out, this decision “confirms that competition law and the right to the protection of personal data are not opposed, but converge on the same objective, in the service of responsible digital technology”.
Sources:
- Decision 25-D-02 of 28 March 2025 | Autorité de la Concurrence
[March 28] The proposed law to combat drug trafficking sparked debate because of Article 8 ter, which would have required encrypted messaging services to provide the authorities with a copy of the decrypted communications. This measure, supported by the Minister of the Interior Bruno Retailleau, aimed to facilitate access to exchanges between criminals using secure applications such as WhatsApp, Signal or Telegram. However, cybersecurity experts, associations for the defense of digital freedoms and the AFCDP warned of the risks of a general weakening of communications security, fearing that the introduction of backdoors could compromise the confidentiality of data for all users. Faced with these concerns, the National Assembly finally rejected this measure, thus maintaining end-to-end encryption and stressing the importance of reconciling the fight against crime with the protection of individual freedoms. The text, without its most controversial article, has been debated in plenary session since 17 March. The debates are now focused on a new article, approved by the deputies on 28 March. This article sets up a “separate report” that would allow investigators not to disclose to traffickers' lawyers certain information about the implementation of special investigative techniques (place of their implementation, identity of the person who allowed them to be installed, etc.).
[March 5] After the coordinated action on the right of access carried out by the European Data Protection Board (EDPS) in 2025, the Committee for a Coordinated Implementation Framework (Coordinated Enforcement Action, CEF) will focus its efforts this year on the exercise of the right to erasure. Thirty-two European data protection authorities will participate in this initiative through a series of checks to verify the implementation of the right to erasure of personal data by organizations, in accordance with Article 17 of the GDPR. This coordinated action aims to ensure that erasure requests are properly handled. In this respect, the CNIL recalls that 34% of the complaints it received in 2024 concerned the right to erasure, making it one of the most frequently exercised rights.
Sources:
- Right to erasure: the CNIL and its European counterparts carry out a series of checks | CNIL
[March 14] The European Data Protection Board (EDPS) has adopted a statement on the implementation of the PNR Directive relating to passenger name record data processed by air carriers. This statement follows a judgment by the CJEU on the subject and includes practical recommendations for national legislation transposing the PNR Directive in order to give effect to the CJEU's conclusions. In particular, the EDPS recommends that the retention period of this data should not exceed six months.
[March 17] The Datatilsynet (Norwegian Data Protection Authority) has imposed a fine of NOK 4 million (around 350,000 euros) on Telenor ASA for non-compliance with its obligations in terms of appointing a data protection officer (DPO). During an investigation, Datatilsynet found that Telenor ASA had ended the functions of its DPO, considering that it did not meet the mandatory designation criteria of Article 37 of the RGPD, without being able to provide any justification for this assessment. The investigation also revealed the lack of involvement of the DPO in its missions, a lack of resources made available to it, a lack of independence in the exercise of its functions, the non-publication of the DPO's contact information and the incompleteness of Telenor ASA's processing register. This decision highlights the importance of not neglecting organizational and governance measures when it comes to data protection.
Source: Datatilsynet (Norway) — 21/03823-45 | GDPR hub
[March 20] The NGO NOYB, co-founded by the Austrian activist Max Schrems and which works to enforce data protection laws, has filed a complaint against OpenAI before the Datatilsynet (Norwegian Data Protection Authority) denouncing “AI hallucinations”. While a Norwegian user was trying to find out whether ChatGPT had information about him, he was confronted with a false story accusing him of murdering two of his children and attempting to murder the third, mixed with real elements of his personal life. With this complaint, NOYB denounces the potentially considerable consequences of defamatory and erroneous results, as well as the violation of the principle of data accuracy in Article 5 § 1 d) of the GDPR.
Sources:
- AI hallucinations: ChatGPT created a fake child murderer | NOYB
[March 20] As part of a complaint by a group of unions, Maryland District Court Judge Ellen Hollander temporarily prohibited access by the Department of Government Effectiveness (DOGE) to Social Security Administration (SSA) files. In her order, Judge Hollander also required DOGE to delete all non-anonymized personal information it had accessed. The SSA reportedly gave DOGE members access to a massive amount of personal, sensitive and confidential data, with no justification for the need for such access. Judge Hollander concludes that there was “unfettered access” to this data, causing an intrusion into the personal affairs of millions of Americans, and considers that the plaintiffs have every chance of winning their case by claiming that this access violates the Federal Data Protection Act.
Sources:
- Judge stops Musk's team from 'unbridled access' to Social Security private data | Reuters
- Judge temporarily blocks DOGE access to sensitive Social Security Administration systems | CBS NEWS
- Memorandum Opinion | District Court for the District of Maryland
Caroline Chancé, Jeannie Mongouachon, Clémentine Beaussier, Victoire Grosjean and Juliette Lobstein