Monthly Update – September 2025

After a well-deserved summer break, we are back with a double-month update covering the most important privacy and tech developments. September brought a lot. We have picked three developments that actually matter for your business.

  1. The European Data Act

  2. The CJEU on pseudonymisation (EDPS v SRB)

  3. The validity of the EU-US Data Privacy Framework (Latombe decision)


1. The European Data Act

Applicable since 12 September 2025.

Scope:

The Data Act has a very broad scope. It applies to companies generating, processing, or sharing data in the EU. Think connected products (smart devices, wearables, cars, industrial IoT), services linked to those products (apps, predictive maintenance, digital platforms), and providers of SaaS or cloud services. It also covers those building, advising, or managing data solutions that shape or support data sharing, access, and contracts under the Act.

Penalties:

Penalties are decided by each Member State. Proposed maximums include up to EUR 1,030,000 or 10% of EU-wide annual turnover, whichever is higher (the Netherlands), or 4% of annual turnover (Germany).

Key obligations include:

Data access: Users must be able to access product or service data, and, at their request, have it sent to a designated third party, free of charge. When data goes to a third party, the data holder may charge compensation based on FRAND principles (fair, reasonable, and non-discriminatory).

Transparency: Manufacturers and distributors of connected products must inform users upfront about what data is collected and shared, how it is stored, and how the user can access or retrieve it.

Switching cloud services: Customers must be able to move their data and services easily between providers without switching fees or egress charges.

Agreements: Review your B2B and B2C terms. The Act introduces unfair-terms rules for B2B data-sharing contracts: certain clauses are unenforceable if unilaterally imposed. It also foresees model contractual terms and mandatory switching terms for cloud contracts.

Interoperability: Data must be usable across different products and environments.

In short: more control for users, more responsibilities for companies.


2. The CJEU on pseudonymisation (EDPS v SRB)

Background

The Single Resolution Board collected stakeholder comments during the Banco Popular Español resolution in 2017, without informing participants that their data would be shared with Deloitte. The European Data Protection Supervisor found a transparency breach.

Why it matters

Until now, pseudonymised data was typically treated as personal data under the GDPR. The CJEU has now clarified that this is not automatically the case.

The key takeaway: pseudonymised data is not automatically personal data if the recipient cannot realistically re-identify the individuals. Classification must be assessed case by case, from the perspective of the recipient.

This is a notable shift for both regulators and businesses, with practical implications for data sharing, AI model training, and analytics workflows. The EDPB is currently updating its guidance on pseudonymisation to reflect this ruling.


3. The EU-US Data Privacy Framework (Latombe decision)

Philippe Latombe, a French MP and CNIL Commissioner, challenged the validity of the EU-US Data Privacy Framework, arguing that US surveillance powers and oversight mechanisms do not meet EU standards.

Outcome

The General Court dismissed the challenge on 3 September 2025 and confirmed the framework's validity. It concluded that the US Data Protection Review Court offers sufficient oversight, that US law places adequate limits on bulk surveillance, and that protections around data security and automated decision-making are essentially equivalent to EU standards.

For now, you can continue using the Data Privacy Framework for EU-US data transfers. However, Latombe filed an appeal with the Court of Justice of the European Union in October 2025 (Case C-703/25 P). That appeal is still pending as of mid-2026, and NOYB has indicated it may file a separate challenge. Close monitoring remains advised.

For a deeper look at where EU-US data transfers currently stand and what practical steps to take, see our earlier post: EU-US Data Transfers: Where Things Stand and What to Do Now.


Not sure what any of this means for your own roadmap? Book a free call with us and we will help you figure out what actually applies to your business.

 

We take great care in providing information to you, but please be aware that these blog posts cannot be considered a substitute for professional legal advice, nor do they create an attorney-client relationship.
