This quarterly update highlights key privacy and data protection developments from Q4 2025 across the EU, Israel, and the United States. It covers proposed and enacted regulatory changes, landmark court rulings, and notable enforcement actions that collectively signal a continued shift in how personal data, pseudonymization, AI use, and cross-border processing are interpreted and enforced:
EU:
EU Digital Omnibus Proposal Seeks to Redefine Key GDPR Concepts
In November, the European Commission introduced the Digital Omnibus proposal, a package of amendments to the GDPR that would substantially alter the regulation’s scope and operation. For example, the proposal narrows the definition of “personal data”. Under the current interpretation, “personal data” includes any data that, when linked with other datasets, could identify an individual, even if the likelihood of such a link is remote, for instance because the second dataset is held by a separate entity. The proposed revision clarifies that data would be considered “personal” only when an entity holds both the data and the means to identify the individual in it. This would render much of what is currently treated as personal data non-personal, and its processing would fall outside the scope of the GDPR. The proposal also eases certain restrictions on processing data for research and development purposes (including express permission to use personal data to train AI models under certain conditions), limits certain data subject rights, and narrows a controller’s transparency obligations in certain cases. If passed, even with only a selection of the proposed revisions, the impact on privacy compliance would be significant.
EU Data Act Enforcement Begins
The EU Data Act became fully applicable on September 12, 2025. The Data Act aims to give users more control over the data generated by their Internet-of-Things devices and related services. It complements but differs from the GDPR by focusing not on the protection of personal data but on all types of data, including non-personal and industrial data. The act gives users greater rights to access and share their data, requires fair data sharing between businesses, grants public authorities access to data for certain public-interest purposes, and protects smaller companies from unfair contract terms. Its key practical impact is in providing users with powerful switching rights, as well as de facto rights of termination at will.
CJEU and Regulators Provide Clarification on Pseudonymization and Personal Data
On September 4, 2025, the Court of Justice of the European Union (CJEU) ruled in EDPS v. SRB (C‑413/23), expanding the circumstances in which pseudonymized data may not constitute personal data. The case concerned the transmission by the Single Resolution Board (SRB), an EU agency, of pseudonymized comments from shareholders and creditors of Banco Popular Español, S.A. to Deloitte and other third parties in the context of the bank’s resolution proceedings. The Court found that, since SRB held the key to reverse the pseudonymization, the data was personal data with respect to SRB. However, the Court further held that pseudonymized data does not constitute personal data for an entity that cannot reasonably re-identify the data subjects on its own, and indicated that the pseudonymized data would therefore not be personal data for Deloitte and other third-party recipients lacking access to the pseudonymization key. Previously, pseudonymized data was treated as personal data (with all GDPR safeguards applicable to it) even where an entity lacked the means to re-identify data subjects itself, as long as it could in theory procure those means from another entity. The ruling aligns with the EU Digital Omnibus’s revised definition of personal data and effectively narrows the definition of personal data under the GDPR.
Following the CJEU judgment, the Danish Data Protection Authority clarified that in controller–processor relationships, where the controller holds the key to pseudonymized data that it sends to the processor (without the key), the data remains personal data insofar as the processor is concerned. The nature of the data must be assessed from the controller’s perspective: if the controller can re-identify individuals, the data remains personal, regardless of the processor’s inability to identify data subjects on its own. The DPA explained that this is because processors act solely on the controller’s instructions, so their processing of the data is seen as an extension of the controller itself. Any processing by the processor for its own purposes would require a separate legal basis.
CNIL Asserts Jurisdiction on Non-European Processor and Slams It with €1 Million Fine
On December 11, CNIL, the French data protection supervisory authority, imposed a €1 million fine on a processor based outside the EU for GDPR violations. The processor provided advertising services to a controller based in France and used the controller’s personal data to improve its own services without the controller’s approval. After the agreement with the controller was terminated, the processor failed to delete the controller’s personal data as it was contractually obligated to do. That personal data was subsequently compromised in a data breach suffered by the processor and became available on the dark web. The processor also did not maintain a record of processing activities (ROPA) as required under the GDPR. CNIL fined the processor for these violations, asserting jurisdiction on the basis that the processing of the controller’s personal data constituted “monitoring individuals’ behavior” in the EU (the territorial-scope ground in Article 3(2) GDPR) and that the GDPR therefore applied. The case serves as a reminder that non-European entities are not shielded from supervisory authority action simply because they are not established in the EU.
Israel:
Israeli Ministry of Justice Publishes Draft Regulations on Administrative Warnings under Privacy Law
The Ministry of Justice has published a draft of the Privacy Protection Regulations (Administrative Warning), 2025, which set out the circumstances in which the head of the Privacy Protection Authority may issue an administrative warning instead of imposing a monetary sanction. As a reminder, Amendment 13 to the Privacy Protection Law, which came into effect in August, expands the enforcement powers of the Privacy Protection Authority and, among other things, enables it to impose considerably heavier sanctions than before. In that context, the draft appears to have been published as part of the preparation for exercising the enhanced enforcement powers granted by the amendment.
US:
California Expands Digital Safety and Accountability Framework
California has enacted a series of online safety measures aimed at protecting minors and regulating emerging technologies. The new statutes aim to extend oversight to artificial intelligence and online content access. Among others, California enacted:
- Assembly Bill 1043, effective January 2027, will require “operating system providers” to verify users’ ages and transmit this information to app developers, who must use it to comply with applicable laws. Violations can result in civil penalties.
- Assembly Bill 316 addresses lawsuits alleging harm to a plaintiff caused by an artificial intelligence (AI) system. The bill prohibits the provider of the AI system from asserting as a defense that the AI system acted autonomously and that the provider therefore should not be liable. The bill does allow a defendant to raise defenses based on causation or foreseeability.
- Senate Bill 243, effective July 2027, addresses “companion chatbots” and requires operators, or the entities that make the companion chatbot available, among other things, to clearly disclose when users are interacting with AI, to implement and publish protocols to prevent the production of suicide, suicidal ideation, or self-harm content, and to prevent the production of sexually explicit visual content. Operators must also report annually to the Office of Suicide Prevention on their intervention protocols and
The above content is a summary provided for informational purposes only and does not constitute legal advice. It should not be relied upon without obtaining further professional legal counsel.
