Data Bytes 60: Your UK and European Data Privacy update for July and August 2025

UK’s adequacy finding by the EU 

The ICO chose the Summer months to publish a number of new pieces of guidance and request consultation on existing guidance:

• On July 7, 2025 it opened a consultation on its approach to enforcement of the regulation 6 consent requirements of the Privacy and Electronic Communications Regulations (“PECR”) which then closed on August 29. The ICO is exploring how publishers could deliver advertising to users who have not given consent, where the risks to privacy are low. 
• On July 7 it also opened a consultation on a new chapter within its draft guidance on storage and access technologies (“Detailed Cookie Guidance”). The chapter reflect changes to PECR introduced by the DUAA, i.e the ability to use certain non-essential cookies without consent for specific low-risk purposes.  This consultation is still open and closes on September 26, 2025.
• On 30 July 2025, the ICO published guidance on the use of profiling tools for online safety – on which see below. 
• On 31 July 2025, the ICO published guidance on disclosing documents to the public and how to minimise the risk of accidental breaches of personal information. It contains practical steps to help you check documents for hidden personal information, guidance to help you consider format for disclosure and videos and checklists to teach you how to support the development of your own policies, procedures and training.
• The ICO's call for views on its guidance on international transfers of personal data under the UK GDPR closed on 7 August 2025. The consultation was an opportunity for commercial stakeholders to give their views on improvements to the ICO's approach to guidance in general. Additionally, the ICO inquired about potential other tools or guidance respondents would like to see from the ICO to make understanding their international data transfer obligations clearer and more accessible. It is expected that the ICO will review the responses and take on board feasible suggestions when drafting new and updated guidance on international transfers. 

On 30 July 2025, the ICO published guidance on the use of profiling tools for online safety. Although not updated for the Data (Use and Access) Act, there are a few key points for organisations to consider:

• Do tools draw inferences from special category data? The guidance notes that in some cases, it may be possible to infer details about an individual which constitute special category data, even if it is unintentional. The ICO notes, however, that if the inference is not intentional, or the organisation does not intend to treat the user differently as a result of the inference, it is unlikely to constitute processing of special category data. 
• Intersection with the Online Safety Act 2023 (OSA). The guidance states that "The OSA requires regulated services to set out in their terms of service if they are using ‘proactive technology’ to comply with their Online safety duties. Services are also required to explain the kind of proactive technology they use, when they use it, and how it works. Complying with this duty may help you provide the transparency to users that UK GDPR requires. However, you must also provide the necessary transparency for data protection law." Therefore the ICO is placing the onus and responsibility on organisations to ensure they are complying with both regimes.
• Automated decision making. The guidance warns that certain profiling tools may constitute automated decision making which falls under Article 22 of the UK GDPR, e.g., "if it results in financial loss or discrimination" and suggests that organisations seek to understand the "full context" in which automated decisions take place.

Our key take away from this new guidance is that we now have two regulators in the UK (the ICO and OFCOM) who are actively involved in regulating this area and are producing guidance and have the potential to take enforcement action. Organisations should consider developing internal strategies and toolkits to manage any interactions with one, or both, regulators. 

On 24 July 2025, Ofcom published a reminder for tech firms on the requirement to introduce age checks to prevent children from accessing particular harmful content by 26 July 2025. 

As part of this reminder, Ofcom also announced: 

• A focus on age assurance for pornographic content. Ofcom noted it is "ready to enforce against any company that allows pornographic content and does not comply with age -check requirements" by 25 July 2025. Ofcom has since opened further string of investigation actions in relation to compliance with the duty to prevent children from preventing children from encountering pornographic content.  
• Wider enforcement action. Ofcom announced the launch of its new age assurance enforcement programme, that will specifically target sites dedicated to the dissemination of harmful content, including self-harm, suicide, eating disorder and extreme violence / gore content.
• Extensive monitoring and impact programme. Ofcom announced the launch of an extensive monitoring and impact programme, to hold sites and apps to account, and it will be focusing on the "biggest platforms where children spend the most time". Ofcom noted that this will include a comprehensive review of these platforms' efforts to assess risks to children, which must be submitted to Ofcom by 7 August and scrutinising these platforms' practical actions to keep children safe, details of which must be disclosed to Ofcom by 30 September.  

On 18 July 2025, the European Commission has published guidelines ("Guidelines") to direct providers of general-purpose AI models in meeting their obligations under the AI Act. The Guidelines entered into force on 2 August 2025. For models already on the market before this date, a transitional period applies until 2 August 2027. In the first year, the Artificial Intelligence Office will actively assist providers in meeting the regulatory requirements. From 2 August 2026, the Commission will begin enforcing these requirements.

The CNIL has published its latest AI recommendations, clarifying GDPR applicability to models, security requirements, and conditions for annotating training data. Following a public consultation involving companies, researchers, academics, associations, and legal experts, these finalized recommendations address growing concerns about AI system development under the GDPR framework. 
 
The opinion adopted by the European data protection board (EDPB) in December 2024 reminds that the GDPR often applies to AI models trained on personal data due their memorisation capabilities and risk of disclosure of personal information. The CNIL's new guidance helps stakeholders determine whether their AI models fall under GDPR scope and proposes concrete solutions such as clear documentation or implementing robust filters to prevent personal data processing.

Two new practical fact sheets have been released: one on data annotation and another on ensuring secure AI system development. The new recommendations were developed with practical tools including summary sheets and checklists to help professionals verify compliance requirements.

Looking ahead, the CNIL's 2025-2028 strategic plan outlines sector-specific work including recommendations for education, health, and workplace AI usage. In the second half of 2025, the CNIL will release new recommendations to clarify the responsibilities of actors in the AI system creation chain (model designers, reusers, integrators, etc.) under the GDPR. The authority is also developing technical tools through the PANAME project and conducting research on AI explainability to provide legal certainty while fostering innovation. 

For more details, you can access the CNIL recommendations here (French and English versions available). 

The French Constitutional Council has ruled that the right to remain silent must be notified in CNIL sanction proceedings, including for legal entities (8 August 2025, n° 2025-1154 QPC, Sociétés Cosmospace et autres). It declared unconstitutional provisions of article 22 of the French Data Protection Act that failed to require informing individuals of their right to remain silent during CNIL sanction procedures. This decision, following a priority constitutional question, addresses due process rights in administrative sanctions. 

The Constitutional Council based its decision on article 9 of the 1789 Declaration of the Rights of Man and of the Citizen, from which derives the principle that no one is required to incriminate themselves. When individuals present observations or appear before the CNIL's restricted formation, they may acknowledge violations without being informed of their right to silence. 

The abrogation of said article 22 of the French Data Protection Act is postponed until October 1, 2026, during which time persons subject to CNIL sanction procedures must be notified of their right to remain silent. This decision extends silence rights from criminal to administrative proceedings, with broader implications for regulatory enforcement.

The Cour de cassation has confirmed that employees may exercise their GDPR access rights over the content and metadata of their professional emails, including after termination of employment, subject to third-party rights and confidentiality restrictions (18 June 2025, n° 23-19.022). Indeed, the Court ruled that professional emails sent or received by employees through their work email accounts constitute personal data under GDPR Article 4, and employees have the right to access these emails as well as metadata (timestamps, recipients) and content, including after employment termination. 

The Court established that the right of access applies unless the requested elements would infringe third-party rights and freedoms. In that regard, employers can invoke exceptions such as business secrets, intellectual property, privacy rights, or correspondence confidentiality. Non-compliance can result in civil liability and damages.

The CNIL maintains that access rights apply to personal data, not documents themselves, though employers may provide documents containing the data for practical purposes. The advocate general noted that access requests in employment disputes are often made to obtain evidence rather than for GDPR's intended purposes of data management, though the Court maintained its broad interpretation.