Data Protection Update – September 2025

The last few weeks have been busy for Data Protection.

Our Data Protection Team has summarised a few key judgments:

1. EU-US Data Transfer Decision Upheld – Latombe v Commission (T‑553/23)

As mentioned in our previous articles (https://www.ofx.ie/6005-2/ , and https://www.ofx.ie/eu-uk-adequacy-decision-sunset-clause-extended-until-27-december-2025/) the GDPR restricts the transfer of personal data to third countries unless the rights of the individual, in respect of their personal data, are protected or the third country’s data protection regime is essentially equivalent to the EU.

There have been a number of data transfer frameworks set up to accommodate EU-US data transfer.  Previous transfer mechanisms such as Safe Harbour (2015) and Privacy Shield (2020) were declared invalid by the Court of Justice of the European Union (“CJEU”) in Schrems I and Schrems II, which decided US laws did not in fact provide essentially equivalent protection to EU citizens. In July 2023 the EU Commission adopted a new adequacy decision establishing the EU-US data privacy framework (“DPF”).

Latombe v Commission (T‑553/23) was a challenge by Phillippe Latombe a French member of Parliament seeking an annulment of the DPF under article 263(4) of the Treaty of the Functioning of European Union (“TFEU”), which is a direct challenge to the General Court of the European Union (“ECJ”). This was a different approach to Schrems I and Schrems II which were done by way of a preliminary ruling to the CJEU from the Irish High Court under article 267 of the TFEU.

Mr Latombe argued the DPF failed to sufficiently protect EU personal data and made two main arguments. Firstly, the US Data Protection Review Court (‘the DPRC’) which is meant to be an independent tribunal is neither impartial nor independent, but dependent on the executive. Mr Latombe also claimed US law does not provide for any safeguard against automated decision making.

The Commission defended its position and was supported by submissions from the US and Ireland.

On 3 September 2025 the action for annulment was dismissed in full by the General Court. The General Court upheld the finding of the European Commission and confirmed the adequacy of the protection afforded under the DPF. In coming to this conclusion, the General Court only examined the adoption of the DPF on the date it was adopted in July 2023 rather than examining the most up to date situation. However, the judgment did provide any decision of the Commission regarding a third country’s adequacy to protect individuals and their personal data is subject to ongoing review.

The transatlantic transfer of data, will as a result, continue as normal using the DPF. The ruling restores an air of certainty, and upholds the reliability of the procedure, providing stability for organisations relying on this mechanism.

It should be noted however, that there is still scope for appeal to the CJEU or the DPF could be reviewed by the Commission.

The decision can be read in full here.

 

 

2. Concept of ‘personal data’ – EDPS v SRB (C‑413/23 P)

 

This judgment was regarding a decision of the European Data Protection Supervisor (“EDPS”) which had found that Single Resolution Board (“SRB”) had breached its obligation with regards to the processing of personal data by sharing pseudonymised data with a third party, Deloitte, without the knowledge of the data subjects. The SRB brought an appeal to the General Court arguing that the decision of the EDSP should be annulled, as the data shared was not personal data. The General Court annulled the decision of the EDPS.

The EDPS appealed the decision to the CJEU. The EDPS was supported by the European Data Protection Board and the SRB was supported by the European Commission. The CJEU released their decision on 4 September 2025 and made a number of findings.

The CJEU held that information “relates” to an identified or identifiable natural person where, by reason of its content, purpose or effect, it is linked to an identifiable person.

The CJEU found that pseudonymised data will not automatically be considered personal data, rather it would depend on the circumstances of the particular case, as the CJEU found there would be some circumstances where pseudonymisation would effectively prevent persons other than the controller from identifying the data subject. The test being if the data subject is no longer identifiable.

The CJEU also held that in assessing the identifiable nature of the data subject, this must be assessed at the time of collection of the data and from the point of view of the controller rather than after pseudonymisation from the third parties’ point of view.

The CJEU found that the information provided to Deloitte constituted information relating to natural persons.

The decision can be read in full here.

 

 

 

3. Anyone home? – Frawley & Ors v Paymaster (1836) Limited (trading as Equiniti) [2025] EWCA Civ 1117

On the 22 August 2025, the England and Wales Court of Appeal (“the Court”) released their judgment regarding an appeal of an order striking out most individual claims in a collective action for a data breach. The case involved 432 appellants who were members of a pension scheme administered by the respondent, whose annual benefit statements were mistakenly posted to outdated addresses. They sought compensation for injury to feelings and, in some cases, psychiatric injury, suffered due to fear of third-party misuse of their personal data. The High Court allowed 14 claims to go forward because they could show an arguable case that the mis-addressed envelope had been opened, but the High Court dismissed the appellants because this had not happened to them. The appellants appealed this decision to the Court.

The first matter was whether or not there was an infringement of the GDPR. The Court held that it was not essential to prove third-party disclosure to bring a claim that the respondent had engaged in the unlawful processing of personal data.

While the Court agreed that compensation is not available for all emotional responses to infringement, it noted that the CJEU had consistently held that domestic courts could not impose a “threshold of seriousness” or impose a requirement of distress. However, the Court did rely on the CJEU case law which endorses the principle that mere infringement is not enough; that damage within the meaning of Article 82 of the GDPR, which provides for a right to compensation, must be proven and a if claim for compensation is based on a fear that the personal data will be misused due to the infringement, the domestic court must determine that the fear is well founded. The Court adopted the CJEU qualification that the applicant must demonstrate the existence of damage and a purely hypothetical risk of misuse by a third-party is not sufficient.

The Court held that in order for a claim to succeed, the appellant in this case must be able to prove a reasonable basis for fearing that their personal data had been / would be opened and read by a third party and that this would result in one of the consequences they feared happening. The Court remitted the matter to the High Court to make determinations on this point in each individual case.

While the Court agreed with the Irish Supreme Court’s assessment in Dillon v Irish Life Assurance PLC  [2025] IESC 37 that victims of data breaches seeking compensation for “…solely mental distress, upset and anxiety… cannot expect anything other than very, very modest award…” it stressed that the modest amount of the possible recovery is not sufficient alone to justify dismissal of a claim.

The Court indicated that the correct approach to modest claims was to consider whether there was a proportionate procedure to investigate its merits and striking out the claim should be a last resort.

The case affirms that actual disclosure and misuse of personal data is not required for a damages claim under data protection law, however the claimant’s fears must be well founded.

The decision can be read in full here.

 

Partner

jc@ofx.ie

Niamh Carey

Associate

nc@ofx.ie