
Grant Thornton Luxembourg welcomes you to the February Data Protection Newsletter!
We continue to share clear and practical insights on the latest developments in data protection, AI, and tech regulation, helping you stay informed and compliant in this ever-changing digital landscape.
Whether you manage compliance or simply want to stay safer and better informed online, this newsletter is for you.
As always, our Data Protection Team is here to help. If you would like tailored advice or to discuss a specific issue, please contact us using the details at the end of this page.
CNIL presents the 2025 report regarding sanctions and corrective measures
On 9 February, the French Data Protection Authority (CNIL) published its annual report summarising the sanctions and corrective measures imposed in 2025.
Cookies, employee monitoring, and data security were the main focus areas. In total, the CNIL imposed 83 sanctions amounting to €486,839,500.
🧩Key takeaway
CNIL’s 2025 enforcement actions consisted of 78 fines (27 of which were accompanied by penalty payments), 3 penalty payment orders and 2 warnings.
10 of these decisions were made public.
The main areas of non-compliance were:
- Cookies and tracking technologies: 21 entities were sanctioned for placing cookies without user consent, providing insufficient information, or failing to properly take into account users’ refusal or withdrawal of consent.
- Employee video surveillance: 16 organisations were sanctioned, primarily for continuous video monitoring of employees in the absence of exceptional circumstances, such as specific security concerns or anti-theft requirements.
- Obligations of the processor: Several decisions reminded processors of their duty to implement appropriate security measures, process data only on the controller’s instructions, and delete data at the end of the contractual relationship.
- Simplified sanction procedure: 14 organisations were sanctioned under this faster procedure, primarily for insufficient data security, lack of cooperation with the CNIL, or failure to comply with data subjects’ rights.
- Direct Marketing: 10 decisions concerned unlawful electronic marketing or improper data sharing with commercial partners. In addition, 5 political candidates in the 2024 European and parliamentary elections were sanctioned for failing to demonstrate the lawfulness of their campaign communications.
❔Why is it important?
The report confirms that cookies, employee monitoring, data security and direct marketing remain core enforcement priorities.
For organisations operating in France or targeting French users, the message is clear: consent mechanisms, workplace monitoring practices and security measures must be carefully reviewed and documented.
The scale of the fines, particularly in the cookies area, also shows that weaknesses in consent management tools or banner design can lead to significant financial and reputational consequences.
EDPB-EDPS Joint Opinion on the Digital Omnibus
On 10 February, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted Joint Opinion 2/2026 (the Opinion) on the European Commission’s Digital Omnibus proposal (the Proposal) to simplify the EU’s digital regulatory framework, including but not limited to the GDPR, the ePrivacy Directive and the Data Governance Act.
🧩Key takeaway
In their Opinion, the EDPB and the EDPS broadly support the proposed changes but they also call for clearer drafting and stronger safeguards.
Some of the changes they welcome include:
- Special categories of data: allowing the processing of biometric data for authentication purposes where the verification tool remains under the individual’s sole control (e.g. device-based authentication).
- Data breaches: raising the notification threshold so that only breaches likely to result in a high risk must be notified, and extending the deadline for notifying a breach from 72 to 96 hours after becoming aware of it.
- Data Protection Impact Assessment (DPIA): establishing harmonised templates and lists across Member States.
However, the EDPB and EDPS ask for improvements or clarifications on the following points, among others:
- Changes to the definition of “personal data”: the authorities both express concerns regarding proposed changes to the definition of personal data and the idea of using implementing acts to define the legal effects of pseudonymisation. In their view, these changes could create legal uncertainty and risk lowering the current level of data protection.
- Limitation to data subject access requests: The Proposal aims to prevent abuse of the right of access, particularly in cases of excessive or repetitive requests. While the EDPB and EDPS recognise that such requests can burden organisations, they stress that the right of access is a cornerstone under the GDPR. They therefore call for clear and narrow conditions for limiting access requests, along with safeguards to ensure the right is not unduly restricted.
❔Why is it important?
This Opinion offers an early indication of how EU data protection authorities view potential reforms to the GDPR, more than seven years after it became applicable.
While simplification may reduce compliance burdens in areas such as breach notification, DPIAs and transparency, the Opinion also shows that regulators remain cautious about any changes that could weaken core principles.
For organisations, this is a clear signal: simplification does not mean deregulation. Companies should follow the legislative process closely, especially if they rely on AI systems, biometric authentication, or large-scale data processing.
Statement on AI-Generated Imagery and the Protection of Privacy
On 23 February, 61 data protection authorities across the globe issued a Joint Statement on AI-Generated Imagery and the Protection of Privacy (the “Joint Statement”). Signatories include the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), as well as national authorities from France, Germany, Belgium, Spain, Italy, and Switzerland.
🧩Key takeaway
The Joint Statement addresses concerns about artificial intelligence (AI) systems that generate realistic images and videos depicting identifiable individuals without their knowledge or consent. In certain jurisdictions, such conduct may constitute a criminal offence.
The signatories emphasise that AI content generation systems must be developed and used in accordance with applicable legal frameworks, including data protection and privacy laws.
While legal requirements vary across jurisdictions, the Joint Statement sets out common principles that organisations should follow:
- Implement robust safeguards to prevent the misuse of personal information and the generation of non-consensual intimate imagery and other harmful material, particularly where children are depicted.
- Ensure transparency regarding AI system capabilities, safeguards, acceptable uses, and the consequences of misuse.
- Provide effective and accessible mechanisms enabling individuals to request the removal of harmful content involving their personal information, and respond promptly to such requests.
- Address specific risks to children by implementing enhanced safeguards and providing clear, age-appropriate information to children, parents, guardians, and educators.
❔Why is it important?
If an AI-generated image or video makes a real person identifiable, it can qualify as personal data under the GDPR. Creating or sharing such content without a valid legal basis may therefore breach data protection law, and in some countries, could also trigger criminal liability.
The Joint Statement sends a strong signal that regulators are paying close attention to this issue and are prepared to cooperate across borders.
For organisations developing or deploying generative AI tools, this means privacy risks must be addressed from the outset, with clear safeguards, governance measures and response mechanisms in place.
Contact
Need advice on Data Protection, AI, or Whistleblowing compliance?
Our Data Protection team is here to support you. Contact us today to discuss your needs and explore how we can assist you: Dara Kelly, Head of Advisory, or Pasquale Esposito, Data Protection Officer.