Written by Netanella Treistman, Moshe Lehmann, Eyal Kimor and Yuval Eliaz
EU
CJEU Clarifies Transparency Requirements in Automated Decision-Making
The Court of Justice of the European Union (CJEU) emphasized the need for clear explanations of procedures and principles behind automated decisions. The GDPR requires controllers to disclose “meaningful information about the logic involved” in automated decision-making. The court understood this as a requirement to explain the procedure and principles actually applied to obtain a specific result (such as, in the case at hand, a credit profile). That being said, the court also ruled that data subjects’ access rights to such information should be balanced with the need to protect trade secrets and third-party data.
EDPB Publishes Guidance on the Use of Personal Data when Developing AI Models
The Opinion of the European Data Protection Board (EDPB) focuses on anonymity, legitimate interest, and unlawful data processing. According to the Opinion, an AI model may be considered anonymous if both: (1) the chance of extracting personal data about individuals used to develop the model is very low, and (2) the chance of getting such personal data from queries is also very low. When a supervisory authority looks to assess an AI system’s anonymity, the Opinion recommends a non-exhaustive list of criteria, which includes evaluating the selection of training data sources, data minimization strategies used throughout the system’s development, the implementation of measures to prevent the model from revealing personal data through its outputs, and the regular testing of the model against known attacks to ensure it remains secure. The Opinion also provides criteria for legitimate interest assessments and highlights the consequences of processing personal data without a legal basis.
EU’s Regulation of European Health Data Enters into Effect
The Regulation on European Health Data Space entered into force on March 26th, 2025. The Regulation establishes rules for processing and sharing electronic health data across the EU, distinguishing between the use of health data to provide healthcare services and the use of such data for research and similar purposes. The Regulation has a staggered roll-out of its requirements: some terms will enter into effect in March 2027 while others will only enter into effect in 2029 and still others only in 2031. Key rights of data subjects include the right to access health data, restrict access to such data, and opt out of data sharing.
Austrian Supervisory Authority Issues Fine on Conflict of Interest for DPO
The Austrian supervisory authority, DSB, fined a controller €5,000 for appointing its managing director as its Data Protection Officer, breaching Article 38(6) of the GDPR, which requires the DPO to be free from conflicts of interest while performing their duties. In explaining its decision, the DSB stated that a conflict of interest can arise if the DPO is unable to allocate sufficient time to their responsibilities due to other obligations. In this case, the controller processed a significant amount of health data in its business as a diagnostic laboratory during the Covid-19 pandemic. Furthermore, a DPO cannot generally be entrusted with determining the means and purposes of processing as this is exactly what the DPO is supposed to independently monitor.
Dutch Supervisory Authority Hands a Fine to Netflix for GDPR Violations
The Dutch supervisory authority fined Netflix €4.75 million for lacking transparency in its privacy notice regarding the legal basis for processing personal data, which personal data is shared with third parties and why, how long the data is retained, and what protocols are used to secure personal data when it is transferred internationally. Netflix has since updated its privacy statement.
Israel
Israeli Supervisory Authority Publishes Draft Opinion on Informed Consent
The Israeli Privacy Protection Authority (PPA) published a Draft Opinion on Informed Consent. The Opinion emphasizes, among other things, that to ensure informed consent, controllers must provide data subjects with clear and accessible information about the request for consent, including the purposes of the processing and the implications of providing or refusing to provide such consent. The PPA explained that while opt-out consent is valid under Israeli law, a data subject’s silence or lack of objection does not constitute opt-out consent. Even where opt-out consent is valid, controllers should strive to obtain opt-in consent to the extent possible, especially when the data concerned is sensitive or the potential violation of privacy is significant. The PPA further explains that in certain cases, such as profiling or where there exists a stark imbalance of power between the parties, opt-out consent is not considered valid. Public comments on the draft closed on March 24th, 2025.
The PPA Published Guidelines on the Transfer of Ownership of Databases
The PPA published Guidelines on the Transfer of Database Ownership, explaining that a transfer of ownership does not automatically allow the database owner to change the purposes for which the database is used. To change the purpose of a database, controllers are required to obtain data subjects’ informed, positive consent. Where a new database owner’s characteristics significantly differ from those of the previous owner and where it is reasonable to assume that the change in ownership will have a significant impact on data subject rights, the new owner must obtain the positive consent of the data subjects affected, even if the purposes of the database are not actually changed.
The information presented here is of a general nature and is not intended to answer the unique circumstances of any individual or entity. Although we strive to provide accurate and available information, we cannot guarantee the accuracy of the information on the day it is received, nor that the information will continue to be accurate in the future. Do not act on the information presented without appropriate professional advice after a comprehensive and thorough examination of the specific situation.