GDPR Weekly Dispatch: CNIL Fines Hit €2.7M & UK Adequacy Renewed
Dec 25, 2025
🚨 Headline Story: EDPB Sets Clear Rules for E-Commerce Account Requirements
The European Data Protection Board has adopted long-awaited recommendations clarifying when e-commerce websites can legally require users to create accounts. This guidance addresses one of the most common friction points in online shopping: the push to create accounts even for one-time purchases.
As a general rule, the EDPB states that users should have the option to engage with e-commerce websites—including making purchases—without creating an account. Websites should offer either a "guest" mode for purchases or the option to voluntarily create an account. This approach minimizes personal data collection and aligns with GDPR's data protection by design and by default principle.
However, mandatory account creation can be justified in limited cases, such as subscription services or exclusive offers. The recommendations are now subject to public consultation, providing stakeholders an opportunity to comment before final adoption.
The EDPB also had a preliminary discussion on the Digital Omnibus proposal, expressing concerns that the proposed modification of the definition of personal data goes further than recent CJEU case law and may adversely affect fundamental data protection rights. The Board appointed Jelena Virant Burnik, Information Commissioner of Slovenia, as the new Deputy Chair.
Why it matters:
For e-commerce businesses, this guidance provides much-needed clarity on a daily operational question. Companies that currently force account creation for all purchases will need to implement guest checkout options or risk regulatory scrutiny. The recommendations favor user choice and data minimization—principles that should already be embedded in privacy-by-design strategies. Retailers should review their checkout flows now, as these recommendations will likely influence enforcement priorities in 2026.
⚖️ Enforcement & Fines
CNIL Fines NEXPUBLICA FRANCE €1.7 Million for Security Failures: The French regulator has imposed a €1.7 million fine on NEXPUBLICA FRANCE for failing to implement sufficient security measures for its PCRM software, resulting in exposure of personal data. This substantial fine, issued on December 22, demonstrates CNIL's continued focus on data security obligations under GDPR Article 32.
Insight/Summary: Software vendors must ensure their products have robust security by design. This fine serves as a reminder that companies providing software to other organizations bear direct responsibility for data protection failures in their products.
Sources: CNIL
CNIL Fines MOBIUS SOLUTIONS €1 Million for DEEZER Data Breach: CNIL has fined subcontractor MOBIUS SOLUTIONS LTD €1 million for a data breach affecting users of music streaming service DEEZER. The fine, issued on December 11, highlights the accountability of data processors and subcontractors in the data processing chain.
Insight/Summary: This enforcement action reinforces that subcontractors cannot hide behind their clients. Data processors must implement appropriate technical and organizational measures, and face direct regulatory consequences for failures.
Sources: CNIL
Austrian Supreme Court Rules Meta Must Provide Full Data Access: In a landmark 11-year case, Austria's highest court has ruled that Meta must give users full access to their personal data. This decision reinforces Article 15 GDPR rights and sets a precedent for data access requests across the EU. The ruling clarifies that platforms cannot limit or restrict the scope of data subject access requests.
Insight/Summary: This victory for data subject rights demonstrates that persistence pays off. The 11-year timeline also highlights the need for faster enforcement mechanisms—something the recent cross-border complaints reform aims to address.
Sources: NOYB
ICO Launches Joint Investigation into Prospect Data Breach: The UK Information Commissioner's Office, together with the data protection authorities of Jersey, Guernsey, and the Isle of Man, has launched a joint investigation into a cyber incident affecting trade union Prospect Custodian Trustees Ltd. The breach occurred in June 2025 and compromised personal data of union members.
Insight/Summary: Cross-jurisdictional cooperation is becoming the norm for significant breaches. Organizations operating across multiple jurisdictions should prepare for coordinated regulatory responses.
Sources: ICO
CNIL Sanctions Five Political Candidates for Unlawful Marketing: The French regulator has issued five simplified sanctions against candidates in the 2024 European and legislative elections for sending unsolicited political marketing messages without proper consent. This enforcement action, issued on December 18, demonstrates that political campaigns are not exempt from GDPR marketing rules.
Insight/Summary: Political parties and candidates must comply with GDPR's direct marketing requirements just like commercial organizations. The "simplified sanctions" procedure allows CNIL to act quickly against clear violations.
Sources: CNIL
🏛️ Legal & Regulatory Updates
EU Commission Renews UK Adequacy Decisions: The European Commission has renewed the adequacy decisions for the United Kingdom, confirming that the UK continues to ensure a substantially equivalent level of protection to the EU for personal data transfers. This renewal, announced on December 23, provides continued legal certainty for data flows between the EU and UK, avoiding the need for additional safeguards for most transfers.
Sources: CNIL
ICO Publishes Response to Cyber Security and Resilience Bill: The UK Information Commissioner's Office has published its response to the Cyber Security and Resilience (Network and Information Systems) Bill, welcoming the legislation that will strengthen the country's cyber resilience and better protect people's data. The ICO's response, published on December 23, emphasizes the importance of cybersecurity in protecting personal data.
Sources: ICO
EDPB Expresses Concerns Over Digital Omnibus Proposal: During its plenary, the EDPB had a preliminary discussion on the European Commission's Digital Omnibus proposal. The Board and EDPS will issue a Joint Opinion, but initial concerns include that the proposed modification of the definition of personal data goes beyond recent CJEU case law and may risk adversely affecting fundamental data protection rights.
Sources: EDPB
🌐 Industry & Tech News
NOYB Study: Users Prefer Tracking-Free "Third Option": Ahead of upcoming EDPB "Pay or Okay" guidelines, privacy advocacy group NOYB has released a study showing that users prefer a tracking-free "third option" over the binary choice between paying for a service or accepting tracking. The study provides evidence for regulators considering how to structure consent mechanisms.
Sources: NOYB
💡 Opinion & Analysis
CNIL's Aggressive Enforcement Week: A Signal to Software Vendors: With two significant fines totaling €2.7 million in one week, CNIL is sending a clear message: software vendors and subcontractors cannot escape accountability. The NEXPUBLICA fine (€1.7M) for security failures in its PCRM software, and the MOBIUS SOLUTIONS fine (€1M) for a data breach affecting DEEZER users, demonstrate that regulators will hold the entire data processing chain accountable. Software companies must build security into their products from the ground up, not as an afterthought. For organizations selecting vendors, this reinforces the importance of due diligence—your subcontractor's failures become your regulatory risk.