Time for the Privacy Partnership Podcast Christmas Special, where Rob looks at his top 5 data protection CJEU judgments for 2025. 

Here's the list of cases I summarise in this podcast, which span data transfers, non-material damages, data minimisation, and more:

1. Bindl v European Commission

8 January 2025

Case T‑354/22

2. Mousse v CNIL (Mousse v Commission nationale de l'informatique et des libertés and SNCF Connect)

9 January 2025

Case C‑394/23

3. CK v Magistrat der Stadt Wien (involving Dun & Bradstreet Austria GmbH)

27 February 2025

Case C‑203/22

4. EDPS v SRB (European Data Protection Supervisor v Single Resolution Board)

4 September 2025

Case C‑413/23 P

5. X v Russmedia Digital (X v Russmedia Digital SRL and Inform Media Press SRL)

2 December 2025

Case C‑492/23

The CJEU will soon hear the Belgian DPA's case against FATCA, the tax treaty that results in the systematic bulk transfer of data about thousands of "Accidental Americans" to the IRS.

FATCA is a US law intended to prevent US citizens from hiding assets in foreign banks.

But it also hits "Accidental Americans"—people who might have been born in the US and acquired a US passport, but have very little connection to the country.

Under an intergovernmental agreement (IGA), the Belgian state regularly transfers personal data to the Inland Revenue. In May 2023, the DPA ordered these transfers to stop, saying that they were unlawful under the GDPR. 

Belgium argues that the 2014 IGS predated the GDPR and is thus valid under Article 96, which says that older international agreements remain valid as long as they were lawful at the time. 

Among 13 questions to the CJEU:

— Article 96: Does the "grandfather clause" offer indefinite protection to pre-GDPR international agreements, even if they violate fundamental rights?

— Are Member States obliged to renegotiate or revoke old treaties that clash with the GDPR?

— Can Article 49(1)(d) (important public interest) justify systematic, bulk, annual transfers? (The EDPB generally says "no").

— Does the EU-US Data Privacy Framework (DPF) imply that the US public sector bodies offer adequate protection in the context of data transfers?

If the CJEU rules that Article 96 is not a blank cheque and that public interest derogations cannot support bulk surveillance, the legal mechanism for FATCA across the entire EU could collapse.

Could be a pretty big deal!

Did the CJEU just use the GDPR to junk the intermediary liability exemption and impose a general monitoring obligation? Here's a look at yesterday's Russmedia judgment.

The facts are pretty grim: "X" saw an ad on an Russmedia's online marketplace falsely promoting her as a sex worker. She reported it, Russmedia took it down, but the ad had already been scraped and copied on other sites.

X sued Russmedia, which predictably said it was just an intermediary service and not liable for the contents of users' posts.

But the court said that Russmedia was a controller, and required a legal basis to post the content.

Because the ad included special category data, Russmedia was required to obtain the data subject's consent.

--

EU laws, like the eCommerce Directive and the Digital Services Act, say that platforms do not have a "general monitoring obligation". 

Platforms have some moderation obligations (including some limited monitoring obligations in some cases), and they have to respond to takedown requests, but there is no blanket requirement to check every post for illegal content. 

As such, the CJEU says that Russmedia doesn't HAVE TO "generally monitor" content; it has a specific obligation to avoid posting *this specific type of content* without consent.

But how can a platform know whether an ad contains special category data without checking every post? 

You know... *generally monitoring* them all?

A coalition of organisations and experts sent an open letter calling for a Parliamentary inquiry into the performance of the UK ICO. What's the problem, and will this work?

Full disclosure: I was asked to sign this letter, but I decided against it. Many people I know and respect are on the list of signatories, and while there's some stuff in here I'm not 100% behind, I think it makes some decent points. But I generally just don't sign open letters.

This document makes some pretty scathing allegations about the ICO's current enforcement strategy, specifically regarding the "Public Sector Approach", and suggests that a change in direction is needed.

The letter appears to have been triggered by the ICO’s recent decision regarding the Ministry of Defence.

As many of you will know, the MoD was involved in a serious data breach where a spreadsheet containing the details of over 19,000 Afghan nationals eligible for relocation was leaked. 

The ICO decided not to formally investigate the MoD for this incident. a decision the signatories describe as "extraordinary." 

The central policy point here is the ICO’s "public sector approach", where the ICO generally prioritises engagement and reprimands over fines for public bodies, the logic being that fining public bodies simply moves taxpayer money around.

The open letter challenges the effectiveness of this policy. 

The signatories cite figures from the ICO’s own post-implementation review, which they say indicate that the average number of reported breaches in the public sector increased by 11% following the adoption of the PSA.

They also point to an 8% increase in complaints against public sector organisations. 

The signatories are asking the Science, Innovation and Technology Committee to open an inquiry to examine whether the current enforcement priorities are delivering the best results for the UK.

I'm interested to see how the Committee responds...

In this episode of the Privacy Partnership Podcast, Rob walks you through the most important aspects of the proposed Digital Omnibus Regulation.

 • A new Article 88c states that processing of personal data for the development and operation of AI systems may be pursued for legitimate interests (p85).

• A new condition under Article 9 allows the processing of special category data for AI training if state-of-the-art security is used and the data is subsequently removed or anonymised (p79).

• Article 4 is amended to clarify that information is not personal data for a given person if they do not have the means "reasonably likely to be used" to identify an individual (p78-79).

• The threshold for notifying a DPA about a data breach would be raised to "high risk," the deadline would be extended to 96 hours, and there would be a new Single Entry Point for breach reporting (p81).

• Article 12 is amended to allow controllers to refuse a data subject rights request where the data subject "abuses the rights conferred by (the GDPR) for purposes other than the protection of their data" (p80).

• ePrivacy rules are absorbed into new GDPR Articles 88a and 88b, introducing a 6-month "cookie fatigue" period and mandating respect for automated browser signals (p83-84).

• There are new rules about automated browser signals with a specific exemption for "media service providers" (p84).

• A new Article 9 derogation permits processing biometric data for verification (authentication) purposes if the data remains under the sole control of the data subject (p79). 

"Death by a thousand cuts?" That's what the leaked Digital Omnibus proposals represent to the GDPR, according to noyb.eu. Here's a look at some of the most significant ideas, from the new definition of "personal data" to the narrowing of Article 9.

--

Note: This is an unconfirmed internal draft from the Commission’s DG CONNECT and not an official proposal. 

It may change substantially before it’s formally presented, and we’re expecting that to happen on 19 November. 

Some say this document has been leaked for nefarious purposes, and that no one should so much as glance at it until the details are confirmed. 

But of course, us data protection dorks can hardly be expected to keep our eyes off this juicy bundle of reforms for long.

--

The very definition of "personal data" would change under this draft to reflect an interpretation of the recent CJEU judgment in SRB v EDPS.

Noyb argues this is a very expansive reading of the SRB case, and that it goes against other CJEU precedents and the Charter of Fundamental Rights. 

The practical effect could be that companies processing pseudonymous data, like online advertising IDs, might argue they are outside the GDPR's scope altogether.

--

The draft proposes a new Article 88c, which would establish "legitimate interest" as a legal basis for processing personal data for the "development and operation of an AI system."

This could give AI developers a much broader license to use personal data for training models, shifting the default in favour of data collection.

--

The proposals would also narrow the scope of "special category data" under Article 9. The draft suggests narrowing the definition to data that "directly reveals" sensitive information.

Noyb argues, not unreasonably in my opinion, that this is a direct attempt to overturn CJEU rulings that have established a broad interpretation of what it means to "reveal" sensitive data.

--

Beyond these three ideas, the draft proposes some new restrictions on data subject rights and the absorption of the ePrivacy Directive's "cookie rules" into the GDPR itself. 

The threshold for notifying regulators of a data breach would also be raised from the current "risk" threshold to a 'high risk' standard, and the deadline would be extended from 72 to 96 hours. 

We’ve also got some proposed revisions of other digital laws, like the AI Act and the Data Act.

--

Some ideas look tenuous and unfinished; others might be worth considering. 

Noyb is doing its job by jumping on this leak, but perhaps most of us should wait until the official proposal before getting too excited.

The ICO is offering up to 40% off UK GDPR fines under its new draft Data Protection Enforcement Procedural Guidance. Here's how to take advantage of this special deal!

The draft guidance updates the ICO's Regulatory Action Plan, which has been in place since 2018.

There are two particularly interesting bits:

- New teeth available to the ICO under the Data (Use and Access) Act (DUAA), should it choose to bite with them

- A formal proposed settlement process

Now the ICO has settled cases before—recently with Capita and Advanced Computer Software Group, for example, and we’ve also seen many fines fall off a cliff edge after the Notice of Intent has gone public. 

British Airways and Marriott managed to have their proposed fines reduced by around 90% and 81%, respectively. 

But this is the first time the ICO has proposed a formal, structured settlement process.

The idea is to create a streamlined administrative procedure for cases where a penalty notice is likely. The core of the deal is this: in exchange for an early admission of the infringement and an agreement not to appeal the final decision, the ICO will offer a discount on the fine.

The draft guidance sets out a tiered discount structure, which provides a clear incentive for early resolution. 

• A case settled before the ICO issues a "notice of intent" could receive up to a 40% discount. 

• If it’s settled after the notice of intent but before the organisation submits its written representations, the discount is up to 30%. 

• Settle after that, and the discount drops to a maximum of 20%.

Now I expect some of you might disapprove of a measure that formalises the ICO’s tendency to whittle away at fines until they end up as a small fraction of the controller or processor’s turnover.

But it’s worth noting that a formal settlements process like this is already available to other regulators, like the Competition and Markets Authority (CMA), the Financial Conduct Authority (FCA) and Ofcom.

The DPC's TikTok decision is not that surprising if you understand the law, but it's actually a pretty huge deal to see this play out in reality. Are most international data transfers de facto illegal?

TikTok enabled remote access to EEA users' personal data in China, purportedly for purposes like maintenance and user support.

The DPC said: Remote access is a transfer. Not really surprising based on the post-Schrems II EDPB recommendations.

TikTok encrypted the data in transit and at rest and put various other technical and contractual safeguards in place.

The DPC said: These measures mean nothing if the Chinese government can undo them. Also not surprising; that was the whole point of Schrems II.

TikTok admitted that Chinese law was not "essentially equivalent" to the EU's, but argued that because the data was STORED on EEA servers, the Chinese government could not touch it.

The DPC said: Wrong. When the data is accessed on a Chinese employee's laptop, it's *in China*. The Chinese government can access it. That seems like common sense.

TikTok said the Chinese government had never requested access to the EEA user data and was very unlikely to ever do so.

The DPC said: Irrelevant. There is no "risk-based approach". Just because you say you've never received a request, that doesn't mean you actually haven't, or won't in future.

—

So from the DPC's perspective, each part of its decision makes sense based on previous EDPB recommendations and case law.

But let's put TikTok to one side. What's the cumulative, logical-consequence effect of these findings?

If there's no way any employee in China can even *look at* EEA-originating personal data, then transfers to China are effectively illegal.

And whose rule-of-law standards *are* "essentially equivalent" to the EU's? If there's no risk-based approach, is the threshold actually impossibly high?

India? Singapore? Australia? *Any* country without an adequacy decision?

If we flip a switch and automatically applied this decision universally—FULL compliance with the EDPB's interpretation of Schrems II overnight—what happens to the global economy?

Whatever your view on TikTok and the Chinese Communist Party, it's worth thinking this one through.

The EDPB just published its opinion on the UK's adequacy decision and it's pretty critical of the country's post-Brexit direction on data protection. But does the EDPB's opinion matter?

Probably not—directly, at least.

The Commission's draft adequacy decision now goes to a vote at the Comitology Committee and is very unlikely to be voted down, despite the EDPB's reservations.

But the opinion might provide some ammunition in potential future political or legal challenges to the UK's "adequate" status.

Here's a look at some of the long list of UK-related stuff that the EDPB wants the Commission to "monitor", including:

• Extensive new executive powers over data protection regulation

• The controversial Technical Capability Notices (TCNs)

• The UK's new "data protection test" for international data transfers 

What is going on between Clearview AI and the ICO?

Actions against Clearview have been a test of how far digital regulation actually has extraterritorial effect. 

This month, we got an answer on this from the UK’s Upper Tribunal, and it’s an important judgment about the territorial reach of the UK GDPR—at least on paper.

In May 2022, the ICO fined Clearview AI £7.5 million and ordered it to delete the data of UK residents. Clearview appealed. Then, in a quite surprising move in October 2023, the First-tier Tribunal overturned that fine. 

The FTT found that the ICO lacked jurisdiction because Clearview's service was used by foreign law enforcement for their national security and criminal law functions—activities which, the tribunal said, fell outside the material scope of the UK GDPR.

The ICO appealed that decision to the Upper Tribunal, resulting in a win for the regulator. The Upper Tribunal found that the First-tier Tribunal had made a material error of law.

The judgment hinged on two key questions about the UK GDPR's material scope and definition of "behavioural monitoring".

So, the result was a win for the ICO. The appeal was allowed, the First-tier Tribunal's decision is set aside, and the case is sent back to be decided on its merits—but on the clear basis that the ICO does have jurisdiction over Clearview AI.

But of course, the ICO now has to actually get some money out of Clearview, which might present some difficulties.