Friday, 12th of September 2025
The European Data Protection Board (EDPB) has created guidelines on how the DSA and the GDPR intersect.
Here are some of the key takeaways:
• Companies must have proper legal justification if they want to use personal data in fighting illegal content.
• If the mechanisms detecting illegal content are fully automated, the strict rules on automated decision-making should apply.
• People reporting illegal content should not be required to submit their personal data unless identification is absolutely necessary.
• Online platforms cannot show ads based on profiling using special category data, even if they have legal permission to process that data.
• Platforms must explain in real time why specific ads are shown to specific users.
• Platforms cannot show personalized ads to minors.
---
The recently released judgement of the EU General Court came in the third attempt to challenge the EU-US data sharing agreement in court. Previously, activist Max Schrems killed two frameworks: Safe Harbor (2015) and Privacy Shield (2020), arguing that US surveillance was too invasive.
This year, French citizen Philippe Latombe claimed that America's new Data Protection Review Court wasn't truly independent from government control, with judges put in place who could be influenced by intelligence agencies and the Attorney General.
The EU General Court disagreed, finding that sufficient safeguards exist to continue the EU-US data sharing agreement, and that there is no high risk of the judges being compromised.
This judgement will ensure that data will keep flowing between EU and US companies while maintaining adequate privacy protections. This is welcome news for businesses, although some surveillance concerns might still persist.
---
The General Court of the European Union revealed today that Meta and TikTok were right in appealing the EU Commission's DSA fees.
Background: the DSA allows the EU Commission to collect fees for supervising 'very large platforms' from the platforms themselves. This fee is calculated on the basis of the number of users a platform has in the EU.
In November 2023, Meta and TikTok brought an action before the General Court of the European Union, claiming that the fees the EU Commission presented them with were wrong.
The General Court has today annulled the implementing decisions, maintaining that the EU Commission has to recalculate the fees correctly and change the methodology for calculating fees in the future.
Verdict: Meta and TikTok will still have to pay the DSA fees, but the amount will be recalculated by the EU Commission.
---
When a Spanish bank (Banco Popular Español) failed in 2017, Deloitte was hired to assess whether former shareholders and bank creditors should get compensation. As part of this assessment, the comments and feedback from affected people were shared with Deloitte after being pseudonymised beforehand (the names of the commenters were taken out).
However, the people were not informed that their comments would be shared with Deloitte. They complained to the European Data Protection Supervisor (EDPS), and the case was eventually brought before the CJEU.
The verdict of the CJEU is as follows:
• Personal opinions are always personal data: opinions are inherently linked to the person who expressed them, and removing the name might still leave the author of a comment identifiable.
• The original data collector failed in their duties: the people had to be informed that their data was being shared when it was first collected, regardless of whether it would still be identifiable after pseudonymisation.
Takeaway: pseudonymisation can be used as additional protection, but it is not a replacement for proper notices about third-party data sharing.