
This month, we highlight key developments in data protection, AI, and tech regulation, including the EDPB’s new Recommendations on e-commerce accounts, the EU Agency for Fundamental Rights (FRA) report on high-risk AI systems, the adoption of an AI ethics resolution by international Francophone data protection authorities, and a CNIL fine for unlawful cookie practices.
Whether you are managing compliance or simply aiming to stay safer and better informed online, this newsletter is for you.
As always, our Data Protection Team is here to help. If you would like tailored advice or to discuss a specific issue, please contact us using the details at the end of this page.
When Can E-Commerce Require an Account? The EDPB Weighs In
On December 3rd, 2025, the European Data Protection Board (EDPB) opened a public consultation for its Recommendations on the legal basis for requiring the creation of user accounts on e-commerce websites (the “Recommendations”).
🧩Key takeaway
The EDPB clarifies that requiring users to create an account may be justified under Article 6(1)(b) GDPR (performance of a contract) only in limited and specific scenarios, including:
- subscription services of fixed or indefinite duration;
- services restricted to a selective member community where membership is the core contractual service (e.g. VIP services);
- purchases limited to users with a verified status or characteristic (e.g., student discounts);
- a separately and clearly agreed contract for personalized recommendations, where the related processing is strictly necessary.
The EDPB explicitly states that after-sales services (such as returns, complaints handling, or contractual guarantees) do not normally justify mandatory account creation under Article 6(1)(b).
In addition, the EDPB considers that Article 6(1)(f) GDPR (legitimate interests) cannot be relied upon to require account creation for purposes such as:
- order tracking or order changes.
- loyalty programs.
- facilitating future purchases.
- fraud prevention.
❔Why is it important?
Requiring users to create an online account leads to the collection and ongoing processing of personal data, even when individuals only want to browse or make a one-off purchase. The EDPB clarifies that, in most cases, mandatory account creation lacks a valid legal basis under the GDPR.
For individuals, this strengthens the principle of genuine choice and limits unnecessary data collection. For companies, the Recommendations highlight the compliance risks of “account-by-default” models and provide clear guidance on when account creation is and is not permitted.
In practice, most e-commerce services should offer guest checkout options or voluntary account creation, unless account registration is strictly necessary for the service provided.
FRA report calls for effective fundamental rights assessment of high-risk AI
On December 4th, 2025, the European Union Agency for Fundamental Rights published its report Assessing High-risk Artificial Intelligence (AI): Fundamental Rights Risks (the Report), identifying potential loopholes in certain provisions of the AI Act and calling for more practical, implementation-focused guidance.
🧩Key takeaway
The FRA highlights that the classification of AI systems as “high-risk” is subject to differing interpretations in practice. It warns that the exceptions under Article 6(3) of the AI Act should be interpreted narrowly, in order to avoid excluding AI systems that may pose significant risks to fundamental rights.
The Report further finds that many AI providers and deployers lack sufficient awareness, experience, and structured processes to assess fundamental rights risks, despite their obligations under Articles 9 and 27 of the AI Act.
In practice, risk assessments tend to focus primarily on data protection, privacy, and bias, while broader fundamental rights impacts (such as impacts on equality, due process, freedom of expression, or access to services) are often overlooked.
Finally, the FRA observes a strong reliance on human oversight as a mitigation measure. While important, the Report stresses that human oversight alone is not a reliable or comprehensive safeguard, particularly in light of automation bias and the limited understanding many users have of how AI systems operate in practice.
❔Why is it important?
This Report is particularly relevant as most obligations for high-risk AI systems under the AI Act will apply from 2 August 2026.
Based on extensive interviews with AI developers and deployers operating in the EU, the FRA report provides practical insights into key compliance challenges.
It underscores the need for providers and deployers to adopt cautious approaches to high-risk classification and to implement structured, well-documented fundamental rights risk assessments and mitigation measures in order to reduce regulatory and enforcement risks.
CNIL fines American Express €1.5 million for unlawful cookie practices
On 27 November 2025, the French Data Protection Authority (CNIL) imposed a €1.5 million fine on American Express Carte France, the French subsidiary of the American Express Group, for non-compliance with cookie rules under Article 82 of the French Data Protection Act.
🧩Key takeaway
American Express, whose parent company is based in the United States and is the world’s third-largest payment card issuer, distributes its products in France through American Express Carte France (the company). As such, its operations fall under CNIL’s regulatory authority.
The CNIL sanctioned the company for the following unlawful cookie practices:
- Placing cookies without user consent: Upon a user’s arrival on the website of the company, several cookies, particularly for advertising purposes, were placed automatically, even before users were able to make a choice in the consent banner.
- Placing cookies despite user refusal: Advertising cookies were placed on users’ devices even when they had explicitly refused them.
- Reading previous cookies despite withdrawal of consent: When users initially accepted cookies but later withdrew consent, cookies previously placed continued to be read by the company, in violation of consent requirements.
❔Why is it important?
This decision is important because it confirms the strict enforcement of EU cookie consent rules, including under the national laws transposing the ePrivacy Directive (here, Article 82 of the French Data Protection Act). By fining a French subsidiary of a major U.S. group, the CNIL makes clear that multinational companies are fully subject to EU data protection authorities when operating in Europe. The case also shows that cookie compliance is a technical reality, not just a policy statement: what the consent banner says must match what the site actually writes and reads on the user’s device, and ignoring user choices can lead to significant fines.
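To make the technical side concrete, the following is an added example written for this newsletter; it is not code from the CNIL decision or from American Express. It models a consent-gated cookie layer that closes the three failure modes listed above: nothing non-exempt is written before a choice, nothing is written after a refusal, and cookies in a withdrawn category are erased rather than silently kept and read. Cookie storage is injected (an in-memory map constructed here) so the code runs in Node; in a browser you would back the jar with document.cookie, and the cookie names, categories and values are assumptions for illustration.

```javascript
// Added example: consent-gated cookie handling built around the three failures
// in the CNIL decision. Storage is injected so the code runs outside a browser;
// in a page you would back the jar with document.cookie and erase a cookie by
// re-setting it with an expiry in the past and the same Domain/Path attributes.

const NECESSARY = "necessary";     // exempt from consent (e.g. session, cart)
const ADVERTISING = "advertising"; // requires prior consent

// In-memory stand-in for document.cookie (constructed for this example).
function memoryJar() {
  const store = new Map();
  return {
    write: (name, value) => { store.set(name, value); },
    read: (name) => (store.has(name) ? store.get(name) : null),
    erase: (name) => { store.delete(name); },
  };
}

function consentManager(jar) {
  const catalog = new Map();            // cookie name -> purpose category (inventory)
  const granted = new Set([NECESSARY]); // before any choice only exempt cookies are allowed
  const deferred = [];                  // tag loaders waiting for their category
  let decided = false;

  const allowed = (cat) => granted.has(cat);

  function purge(cat) {
    for (const [name, c] of catalog) if (c === cat) jar.erase(name);
  }

  function flushDeferred() {
    for (let i = deferred.length - 1; i >= 0; i--) {
      if (allowed(deferred[i].cat)) deferred.splice(i, 1)[0].loader();
    }
  }

  // Withdrawal also erases what was set earlier, so later page loads and the
  // server (which receives cookies on every request) no longer see it.
  function withdraw(cat) {
    if (cat === NECESSARY) return;
    granted.delete(cat);
    purge(cat);
  }

  return {
    hasDecided: () => decided,
    isAllowed: allowed,
    declare: (name, cat) => { catalog.set(name, cat); },

    // Failures 1 and 2: a non-exempt cookie is never written before a choice
    // or after a refusal. Names missing from the inventory fail closed.
    set(name, value) {
      const cat = catalog.get(name);
      if (cat === undefined || !allowed(cat)) return false;
      jar.write(name, value);
      return true;
    },

    // Failure 3: a cookie whose category is no longer consented to is not read.
    get(name) {
      const cat = catalog.get(name);
      if (cat === undefined || !allowed(cat)) return null;
      return jar.read(name);
    },

    // Ad pixels and similar third-party tags load only once their category is granted.
    loadTag(cat, loader) {
      if (allowed(cat)) loader(); else deferred.push({ cat, loader });
    },

    accept(cats) {
      decided = true;
      for (const c of cats) granted.add(c);
      flushDeferred();
    },

    refuseAll() {
      decided = true;
      for (const c of [...granted]) withdraw(c);
    },

    withdraw,
  };
}

// Walks through arrival, acceptance and withdrawal and reports what the site could observe.
function scenario() {
  const jar = memoryJar();
  const cmp = consentManager(jar);
  cmp.declare("session_id", NECESSARY);
  cmp.declare("ad_id", ADVERTISING);
  let pixelLoads = 0;
  cmp.loadTag(ADVERTISING, () => { pixelLoads++; cmp.set("ad_id", "abc123"); });

  const beforeChoice = { adCookie: jar.read("ad_id"), pixelLoads, session: cmp.set("session_id", "s1") };
  cmp.accept([ADVERTISING]);
  const afterAccept = { adCookie: cmp.get("ad_id"), pixelLoads };
  cmp.withdraw(ADVERTISING);
  const afterWithdraw = { adCookie: cmp.get("ad_id"), rawInJar: jar.read("ad_id"), pixelLoads };
  return { beforeChoice, afterAccept, afterWithdraw };
}

console.log(JSON.stringify(scenario(), null, 2));
```

Two caveats matter in a real deployment. First, a browser sends every cookie on every request regardless of what your script chooses to read, so "not reading" a cookie after withdrawal is only meaningful if you also erase it, which in turn only works when the erasing call matches the Domain and Path the cookie was set with. Second, cookies written by third-party advertising domains cannot be erased by first-party script at all; withdrawal for those has to be propagated to the vendor through its own opt-out mechanism, and the vendor tag must never have been loaded before consent in the first place.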
Francophone Data Protection Authorities Adopt AI Ethics Resolution
On 25 November 2025, members of the Francophone Association of Personal Data Protection Authorities (AFAPDP), including the CNPD (Luxembourg supervisory authority), adopted a Resolution on the ethical governance of AI (the Resolution) at the Association’s 17th General Assembly held in Mauritius.
🧩Key takeaway
AFAPDP is an international association of independent data protection authorities from French-speaking jurisdictions, established in Montréal in 2007. Through this Resolution, its members aim to (i) ensure respect for fundamental rights in all AI applications, (ii) promote transparency and accountability among actors involved in the design and deployment of intelligent systems, and (iii) encourage international cooperation between data protection authorities to harmonize ethical practices.
AFAPDP members reaffirmed core principles, including:
- Respect for privacy and protection of personal data.
- Fairness and non-discrimination in algorithms and decision-making processes.
- Security and reliability of AI systems to prevent risks and misuse.
- Traceability and explainability of automated decisions.
❔Why is it important?
This Resolution reflects a growing convergence among data protection authorities on the ethical governance of AI and signals a more coordinated and proactive supervisory approach to AI-related risks within the Francophone community.
For organisations developing or deploying AI systems, the Resolution provides a clear indication of supervisory expectations and reinforces the importance of embedding ethical, rights-based safeguards into AI governance frameworks, even beyond strictly binding legal requirements.
Contact
Need advice on Data Protection, AI, or Whistleblowing compliance?
Our Data Protection team is ready to help. Contact us to explore how we can assist you: Dara Kelly, Head of Advisory, or Pasquale Esposito, Data Protection Officer.