Digital Digest: A Summer Recap of Key Developments in the field of Technology, IP, Privacy & Cybersecurity
Catch up with key developments over the summer period in the field of Technology, IP, Privacy & Cybersecurity!
- Key decisions made and guidelines issued by data protection authorities over the summer period
- Evolutions in the field of AI and IP over the summer period
Key takeaways
Welcome to our very first newsflash on topics in the field of Technology, IP, Privacy, and Cybersecurity. In this first edition of our Digital Digest, we will delve into several key decisions made by data protection authorities over the summer period, highlighting their implications and significance. Additionally, we will explore some interesting guidelines from data protection authorities and EU bodies offering insights into their potential impact. We will also give you some insights on the evolutions in the field of AI and IP.
1. It was the Summer to eat Cookies
After the Belgian data protection authority (Gegevensbeschermingsautoriteit) focused on auditing various websites of businesses active in the media sector with respect to compliant cookie management, it was time for other national data protection authorities to do the same, in particular the data protection authorities of Norway (Datatilsynet) and Finland (Data Protection Ombudsman’s Office). Businesses active in the online pharmaceutical sector, or businesses operating a website with a focus on processing personal data of minors or sensitive personal data (e.g. health, religion, etc.), came into the clear sight of these authorities.
Common mistakes in this area are still:
- providing incorrect and often misleading information to website visitors (e.g. claiming that browsing is anonymous when it is not);
- providing information that is difficult to understand or does not explain the consequences of giving consent;
- sharing personal data, including special categories of personal data about visitors and personal data of minors with third parties in violation of the GDPR;
- placing cookies without the website visitor’s consent and incorrect design of the cookie banner;
- “nudging” visitors into consenting.
The Norwegian data protection authority mostly issued reprimands, as it was its first time carrying out such audits. In one case it imposed an administrative fine of 250,000 NOK (ca. €20,000). In general, the authority gave a clear warning that a stricter stance will be adopted in future and that it is particularly concerned about the use of tracking tools for commercial or marketing purposes. The Finnish data protection authority issued an administrative fine of €1.1 million on an online pharmacy for non-compliant use of tracking technologies on its website.
The Norwegian data protection authority also issued guidance on the use of online tracking technologies. For your information our Belgian data protection authority also shared quite some information on its website on the topic of online trackers (available here in Dutch and here in French) and even issued a Cookie Checklist (available here in Dutch and here in French).
2. The Economic Benefits of GDPR Compliance
In 2023 the French data protection authority (CNIL) issued a joint declaration with the French competition authority (Autorité de la concurrence), titled ‘Competition and personal data: a common ambition’, regarding the economic benefits of compliance. The joint declaration starts out with the central question “how to turn consumer data protection into a competitive advantage?”. In this declaration both authorities stressed the interplay between the two areas of regulation.
Building further on this joint declaration, in 2025 the CNIL published two studies regarding the economic benefits of investing in GDPR compliance, one focusing on cybersecurity and the other on the role of the DPO. In this newsflash we will mainly focus on the publication regarding the DPO and add the findings of the publication on cybersecurity where they are linked.
The study focusing on the economic benefits of the DPO, published on 23 July 2025, highlights four categories of benefits:
- Leverage to win calls for tenders
- Avoidance of sanctions
- Avoidance of data breaches
- Rationalization of data management
In a tendering procedure, according to the CNIL, the presence of a DPO is an important vector of confidence, as the presence of a DPO reflects the candidates’ consideration of compliance issues throughout the performance of the services. The DPO plays an important role in increasing compliance with the GDPR and improving the protection of personal data. In their publication, the CNIL included a testimony of a DPO stating that his company’s chances of winning those tendering procedures increased by half.
The second category of benefits is the avoidance of sanctions. This is a very straightforward category of ‘benefits’ for an organization: the total amount of sanctions issued by the CNIL was €55 million in 2024, and for the Belgian data protection authority the total amount in 2024 was €708,371. On a European level the total amount of fines in the EU was €1.2 billion. Companies also need to consider that public financial sanctions are always accompanied by a negative impact on the company’s image with its customers and partners. Non-compliance with a regulation that aims to increase diligence when processing personal data also affects the company’s image towards potential business partners: as organizations become more and more interdependent through subcontracting relationships, one partner’s weaknesses become a shared exposure (e.g. supply chain attacks). The DPO plays an essential role in preserving the company’s reputation by acting as (i) advisor, preventing risks through data protection impact assessments, data transfer impact assessments and supplier assessments & audits, (ii) trainer, improving awareness, and (iii) internal auditor, verifying the level of maturity.
Thirdly, avoiding data breaches, as cyberattacks represent a significant cost for companies. In 2024 IBM issued a report indicating that the average cost of a data breach is approximately $5 million (€4.28 million). As with a public sanction, data breaches damage the image of an organization, and research has shown that the share value of large companies tends to decrease after a breach. Data breaches can also lead to identity theft, where thieves gain access to bank accounts, credit card information, PayPal accounts and shopping accounts. According to the CNIL study on cybersecurity, these forms of identity theft are linked to losses between €585 million and €1.4 billion at a European level, since most losses caused by identity theft are still compensated by companies themselves. The DPO has a key role in securing personal data within the company: the DPO advises on potential security measures and participates in data protection impact assessments. The DPO also plays a vital role in all forms of awareness-raising.
Lastly, the rationalization or streamlining of data management, which the GDPR also envisages through its main principles of purpose limitation, data minimization and storage limitation, positively impacts the organization. Limiting personal data, and in a broader sense data in general, to what is strictly necessary leads to operational savings on storage space. The DPO of a company with a turnover of €150 million testified that this saves the company €400,000 in server costs. Limiting your organization’s collection of data also means fewer entry points for cybercriminals, which can decrease the chance of a data breach happening. In general, when streamlining your data management your organization will have easier access to the relevant data, improving the efficiency of internal processes.
Following their study, the CNIL concludes that although GDPR compliance is mandatory and is accompanied by compliance costs, compliance also comes with a return on investment. However, the DPO can only have a positive impact when the DPO can dedicate time to the role and the organization is willing to increase its level of compliance. The CNIL also highlights a few good practices to increase the beneficial impact of the DPO:
- Involve your DPO in certain executive committee meetings to align compliance with the overall strategy of the company;
- Integrate GDPR compliance with the Corporate Social Responsibility strategy and the information systems security strategy;
- Try to quantify the economic benefits linked to the role of the DPO;
- Raise awareness across the different business lines of the value of compliance issues.
3. AI Act: applicability of rules on general-purpose AI models
The applicability of the AI Act is going ahead as planned. After some hints and debate prior to the summer on whether or not there would be an extension of deadlines, the European Commission has confirmed that there will not be any delay or stop-the-clock.
As a result, on 2 August 2025, obligations relating to general-purpose AI models and general-purpose AI models with systemic risk have become applicable. The obligations apply to models that are placed on the market after this date. For models that are already on the market prior to 2 August 2025, there is a grace period for providers until 2 August 2027 to ensure the general-purpose AI models (with systemic risk) are in compliance with the AI Act. As of 2 August 2026, enforcement actions are also possible.
Meanwhile, on 18 July 2025 the European Commission issued guidelines on the scope of obligations for general-purpose AI models. They clarify what a general-purpose AI model is and how it differs from a general-purpose AI model with systemic risk, what it means to place a general-purpose AI model (with systemic risk) on the market, who the provider is (in particular where downstream actors modify the model), what the exemptions relating to open source models entail, and how the European Commission looks at the enforcement of the rules and obligations.
In addition, the European Commission has adopted a Code of Practice, the adherence to which can assist providers of general-purpose AI models (with systemic risk) in demonstrating compliance with the AI Act, while harmonized standards are being developed. The Code of Practice consists of three chapters: transparency, copyright, and safety and security. Adherence to the Code of Practice is voluntary. Well-known companies, like Microsoft, IBM, OpenAI, and Amazon, are signatories to the Code. Notably missing is Meta.
4. Legal Crossroads: AI and copyright under fire in the United States and Europe
Artificial intelligence is rapidly transforming how content is created and consumed. Two major cases, one in the United States and one in the European Union, are challenging how copyright law applies to generative AI systems.
In the United States, AI company Anthropic faces what could become the largest copyright class action in history, with millions of potential claimants and billions of dollars in damages at stake. Meanwhile, in Europe, the Court of Justice of the European Union (CJEU) is reviewing the case of Like Company v. Google Ireland, the first to directly address how EU copyright law applies to AI-generated content and training practices.
Together, these cases highlight the growing tension between technological innovation and intellectual property rights and signal a turning point for developers, legal teams, and policymakers navigating the future of AI.
The U.S. lawsuit: copyright class action
The AI industry is facing what could become the largest copyright lawsuit in history: a class action filed by three authors against the AI company Anthropic. The lawsuit concerns the use of copyrighted works to train AI models. While not the first of its kind, the scale and potential consequences are unprecedented.
Anthropic warns that if up to 7 million claimants join the suit and a settlement is reached, the financial impact could devastate the entire AI sector. The company is seeking permission to appeal the class action certification, arguing that the U.S. district court judge, William Alsup, failed to properly analyze the scope of the claimant group.
The lawsuit could lead to hundreds of billions of dollars in damages, with each copyrighted work potentially incurring a fine of $150,000. Anthropic suggests that settling might be the only viable option, which could set a precedent for other generative AI companies facing similar legal challenges.
Industry groups like the Consumer Technology Association and the Computer and Communications Industry Association support Anthropic, warning that the lawsuit threatens not just one company but the entire emerging AI industry and the United States’ global tech competitiveness.
The EU lawsuit: four legal questions for the CJEU
The case of Like Company v. Google Ireland, currently under review by the CJEU, represents a critical moment in the intersection of copyright law and artificial intelligence. Referred on 3 April 2025 by the Budapest Környéki Törvényszék, this case - registered as C-250/25 - is the first to directly address how generative AI systems interact with copyrighted content under EU law. At the heart of the dispute is Google’s chatbot Gemini (formerly Bard), which allegedly reproduced and summarized Like Company’s news articles without permission.
The Hungarian court has asked the CJEU to clarify four critical legal questions:
- whether AI-generated text constitutes “communication to the public,”
- whether reproducing excerpts during training is a form of “reproduction,”
- whether such reproduction qualifies for the text and data mining (TDM) exception under Directive 2019/790, and
- whether the chatbot’s output can be legally attributed to its provider.
These questions challenge the boundaries of existing copyright directives, including the DSM Directive and the InfoSoc Directive, and could significantly impact how AI systems are trained and deployed across the EU.
As of September 2025, the CJEU has not yet issued a ruling, but the case remains under active review. Legal experts anticipate that the decision will have far-reaching consequences, potentially introducing licensing obligations for AI-generated content and limiting the use of copyrighted materials in training datasets. The outcome may also influence the implementation of the proposed AI Liability Directive, which introduces new standards for causality and disclosure in high-risk AI systems.
The case highlights the tension between innovation and rights protection, especially as jurisdictions like the UK and China adopt more flexible approaches to AI-assisted works compared to the EU’s stricter stance. For developers, legal professionals, and content creators, the pending decision underscores the need to audit training datasets, respect opt-out mechanisms, and align internal compliance strategies with evolving legal standards.
In conclusion, the CJEU’s ruling in Case C-250/25 will not only resolve a dispute between Like Company and Google Ireland, it will define the contours of copyright law in the AI era. As the digital landscape continues to evolve, this case serves as a critical benchmark for balancing technological advancement with the protection of intellectual property rights.
5. The longevity of (informed) consent in light of a transfer of (sensitive) personal data
In the United States, the bankruptcy judge in charge of the 23andMe case approved the sale of the firm to a nonprofit. For those not fully aware of the case, 23andMe, a California based company, offered DNA (saliva based) testing kits to customers to generate reports on the customer’s ancestry and genetic predispositions to health-related conditions. In its early years the company was very successful and even became publicly traded. However, in 2023 it experienced a data breach exposing the data of nearly 7 million customers, after which its value started falling and the company filed for Chapter 11 bankruptcy. Given that the company had gathered quite a large volume of sensitive personal data, the sale of this data as part of the bankruptcy proceedings created quite some concern from a privacy and customer perspective.
A Consumer Privacy Ombudsman was appointed to advise the court on the complex privacy issues involved in the sale of the data under the bankruptcy procedure. In the Ombudsman’s report, it was advised that the customers should consent to the sale of their data, with that consent ideally obtained prior to the transfer. Also, the consent should be requested via email or through the company’s website or a mobile application, and customers cannot be nudged into giving consent. Furthermore, the data of customers who do not consent should be deleted.
In the case of 23andMe it became particularly clear that DNA data is not your usual corporate asset that can be easily transferred like any other asset in a bankruptcy (or other type of change of control) situation. When customers purchased their DNA kit, they were asked to accept terms of service which included an opt-in consent to share DNA data with third parties, including nonprofit foundations, academic institutions, or pharmaceutical companies. These terms of service also included selling data following bankruptcy, merger, or acquisition. Often such clauses also appear in a privacy policy and are nothing more than a boilerplate clause. In reality, customers cannot foresee how their data will be used in the future by the company, nor by a third-party acquirer.
It is definitely interesting to see how this case is creating quite some discussion in the United States on informed consent and the need to re-consent. The question of how long a data subject’s consent really remains valid is always difficult, yet new to the discussion is the need to revisit consent triggered by a fundamental change in company ownership and purpose (e.g. bankruptcy, acquisition, partnerships, etc.). Of course the particular context and the fact that very sensitive personal data was involved cannot be ignored.
Note that only shortly before the green light was given for the sale, the company was fined £2.31 million by the UK data protection authority (ICO), following a joint investigation with the Office of the Privacy Commissioner of Canada, for failing to implement appropriate security measures to protect users’ data.
To circle back to Belgium, our team has had the privilege to advise clients on the transfer and sale of personal data in the context of a company in distress or an asset deal. An interesting and recent decision from the Belgian data protection authority of January 2025 provides further insight into the legal basis and GDPR compliance in corporate transactions (full decision available here in Dutch and here in French).
6. Watch out for….
…guidelines and recommendations from national data protection authorities and EU bodies:
France (CNIL): draft guidelines on provision and deployment of web filtering gateways
The French data protection authority (CNIL) launched a draft recommendation on 28 July 2025 to support data controllers deploying web filtering gateways and their providers. What is a web filtering gateway (or ‘web proxy filter’)? As defined in the draft recommendation, it is a “device or service used to control and monitor Internet access by filtering web content according to predefined policies”. It is used to block access to certain websites or categories of content for security and compliance reasons.
The recommendation thus applies to data controllers, public and private employers alike, who deploy web filtering solutions for professional internet browsing by their employees, agents, service providers or external visitors. Its aim is to assist employers in implementing such web filtering solutions in a GDPR compliant manner and to assist solution providers in implementing best practices from a security perspective.
The recommendation (available here) is open for public consultation until 30 September 2025.
The Netherlands (AP): guidelines on meaningful human intervention in (automated) decision-making
The Dutch data protection authority (Autoriteit Persoonsgegevens) issued guidelines on meaningful human intervention in algorithmic (automated) decision-making (available here). Think for instance of a job application process, or the process to request a bank loan or insurance. Of course, it cannot suffice for the human intervention to be limited to a mere click on a button at the very end of the decision process. In this respect the guideline offers many useful insights, with practical questions for organisations to consider throughout the process in order to make the human intervention in the decision-making as meaningful as possible.
EU (EDPB/EDPS): joint opinion on simplification and expansion of exemption to keep a ROPA
On 21 May 2025, the European Commission issued a Proposal for a Regulation amending certain regulations, including the GDPR (available here). With respect to the GDPR, this proposal aims to simplify the existing exemption from the obligation to keep a record of processing activities (ROPA), as its usability in practice was more limited than intended. It also aims to broaden its scope so that not only small and medium enterprises (SMEs) can benefit from it but also the newly introduced category of ‘small mid-cap enterprises’ (SMCs). SMCs are bigger than SMEs but smaller than large companies, and constitute a new intermediate category of company as per the Annex to Commission Recommendation 2025/1099 of 21 May 2025, available here.
In the proposed text, enterprises or organizations employing fewer than 750 persons are no longer required to keep a record of processing activities, except for those processing activities that are likely to result in a high risk to the rights and freedoms of data subjects within the meaning of Art. 35 GDPR (i.e. for which it is mandatory to conduct a data protection impact assessment).
On 8 July 2025, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a joint opinion on this proposal (available here). The EDPB and EDPS express their support for the general objective of the proposal to reduce the administrative burden for SMEs and SMCs. However, among other points, they request the legislator (i) to clarify why the threshold of 750 persons is more appropriate than the threshold of 500 employees initially considered, (ii) to refer in the exemption to the definitions of SMEs and SMCs, which take into account not only employee count but also financial criteria, and (iii) to clarify that the exemption does not apply to public authorities and bodies. The EDPB and EDPS also stress that the consequences of the proposed changes to the GDPR for fundamental rights (i.e. the right to protection of personal data) need to be assessed.
* * *
While this newsflash covers only a handful of developments, it is clear that the summer has proven to be highly productive. We hope you find this first edition valuable and useful. Your feedback is highly appreciated as we continue to refine and improve our content. While we aim to produce more Digital Digests like this in the future, we have yet to determine the frequency of these updates (monthly, quarterly, or otherwise).
Thank you for reading and don’t hesitate to reach out to your usual contact person at EY Law or any of the authors of this Digital Digest edition if you have any questions or would like further assistance!
Action Points
- Contact your EY Law contact person in case of questions.