On June 19, 2025, the French Data Protection Authority (“CNIL”) published two recommendations for AI developers. The first recommendation covers reliance on the GDPR’s legitimate interest legal basis for developing an AI model. It provides examples of legitimate interests that can justify the use of personal data for AI development. The second recommendation discusses measures to implement when collecting personal data through “web scraping.” It provides a list of measures that, if followed, will ensure compliance with the GDPR’s accountability principle.Continue Reading CNIL Publishes Recommendations on Legitimate Interest as a Legal Basis for AI Training

Kristof Van Quathem
Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.
Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.
Kristof is admitted to practice in Belgium.
Overview of Key CJEU Rulings on EU Consumer Protection Law of May 2025
In May 2025, the Court of Justice of the EU (“CJEU”) ruled on five cases applying EU consumer protection law. This blog post provides an overview of the decisions.
- Three of these cases relate to the EU Unfair Contract Terms Directive (“UCTD”), which protects consumers from unfair terms in contracts with businesses. It applies to standard terms that have not been individually negotiated and ensures they are transparent, clear, and balanced. If a term is found to be unfair, it is not binding on the consumer—and its use can expose businesses to enforcement actions, including fines, under national laws.
- The fourth case relates to the EU Directive on Misleading and Comparative Advertising (“DMCA”), which aims to protect businesses and consumers by prohibiting advertising that misleads or distorts competition. It also sets out conditions for permitted comparative advertising—comparing one product or service with another—to ensure fairness and accuracy.
- The fifth case concerns the EU Directive on Electronic Commerce (“DEC”), which sets transparency obligations for online commercial communications. Specifically, it requires that online promotions clearly disclose the conditions for benefiting from the offer, ensuring that consumers are fully informed before making a decision.
We have summarized these cases below.Continue Reading Overview of Key CJEU Rulings on EU Consumer Protection Law of May 2025
Digital Fairness Act Series: Topic 2 – Transparency and Disclosure Obligations for AI Chatbots in Consumer Interactions
AI chatbots are transforming how businesses handle consumer inquiries and complaints, offering speed and availability that traditional channels often cannot match. However, the European Commission’s recent Digital Fairness Act Fitness Check has spotlighted a gap: EU consumers currently lack a cross-sectoral right to demand human contact when interacting with AI chatbots in business-to-consumer settings. It is still unclear whether and how the European Commission is proposing to address this. The Digital Fairness Act could do so, but the Commission’s proposal is only planned to be published in the 3rd quarter of 2026. This post highlights key consumer protection considerations for companies deploying AI chatbots in the EU market.Continue Reading Digital Fairness Act Series: Topic 2 – Transparency and Disclosure Obligations for AI Chatbots in Consumer Interactions
Italian Garante Launches Public Consultation on the Implementation of “Pay or Ok” Models
On April 29, 2025, the Italian data protection authority (“Garante”) launched a public consultation to collect feedback from stakeholders about the so-called “Pay or Ok” model.
“Pay or Ok” refers to the concept of making access to a website’s content or service conditional on the website visitor performing one of…
Continue Reading Italian Garante Launches Public Consultation on the Implementation of “Pay or Ok” ModelsFrench CNIL Issues Draft Guidance On The Use of Location Data From Connected Vehicles
On March 25, 2025, the French data protection authority (“CNIL”) published a draft recommendation on the use of location data from connected vehicles (the “Recommendation” – see here in French). The Recommendation is open for public consultation until May 20, 2025.Continue Reading French CNIL Issues Draft Guidance On The Use of Location Data From Connected Vehicles
Digital Fairness Act Series – Topic 1: Influencer Marketing
The European Commission (“Commission”) is working on a new EU consumer protection law called the Digital Fairness Act (“DFA”) to better protect consumers in the digital space. The DFA is expected to regulate, among other things, influencer marketing.
With EU consumer protection watchdogs starting to bring cases against companies whose products or services are promoted by influencers (see for example here), the DFA’s provisions may apply not only to influencers, but also to companies that deploy or use influencers, to ensure that advertising practices are fair and transparent. This blog post explores two key issues that the European Commission is expected to prioritize in its approach to influencer marketing. It also provides a brief overview of the French legal framework in this area, which some expect to serve as a model for the EU’s forthcoming rules in this area.Continue Reading Digital Fairness Act Series – Topic 1: Influencer Marketing
CJEU Rules on Fairness of Remuneration Clause in Sports Contract
On March 20, 2025, the Court of Justice of the European Union (“CJEU”) ruled on the fairness, under EU consumer protection law, of a contractual clause allocating a percentage of an athlete’s income to a professional services provider (Case C‑365/23 [Arce]). This ruling sets an important precedent and strengthens the protection afforded by consumer protection law to minors who enter into professional service contracts, whether in sport or elsewhere.Continue Reading CJEU Rules on Fairness of Remuneration Clause in Sports Contract
Consumer Watchdogs Turn Their Attention to the Online Gaming Industry
On March 21, 2025, the European Commission announced that the Consumer Protection Cooperation Network (“CPC-N”) had initiated enforcement proceedings against an online gaming company, for allegedly violating EU consumer protection laws and engaging in practices that could pose a particular risk to children. The gaming company now has one month to propose commitments to remedy the consumer law violations identified by the CPC-N. Concurrently, the CPC-N published guidelines to promote transparency and fairness in the online gaming industry’s use of virtual currencies.Continue Reading Consumer Watchdogs Turn Their Attention to the Online Gaming Industry
German SA Checks Whether Online Retailers Allow Consumers to Make Purchases Without Creating an Account
In January 2025, the German Supervisory Authority of Hamburg (“HSA”) examined the practices of online retailers based in Hamburg as to whether they allowed consumers to make purchases without creating a user account. This was mentioned in a press release issued by the HSA regarding a ruling by the Hamburg Higher Regional Court confirming a HSA’s decision that online retailers may, in certain circumstances, require consumers to create a user account. This, in turn, follows the guidance published by the German supervisory authorities (“German SAs”) in 2022 (in German), which stated that online retailers generally may not require consumers to create a user account in order to make a purchase.Continue Reading German SA Checks Whether Online Retailers Allow Consumers to Make Purchases Without Creating an Account
CJEU Rules on Right of Rectification of Gender Identity
On March 13, 2025, the Court of Justice of the EU (“CJEU”) ruled that the right of rectification (in Article 16 GDPR) requires a national authority to correct a person’s gender identity, where it is shown to be inaccurate (Case C‑247/23 [Deldits]). The authority, however, may require that person to provide relevant and sufficient evidence to establish that the information concerning their gender is inaccurate, but may not go so far as to require proof of gender reassignment surgery.Continue Reading CJEU Rules on Right of Rectification of Gender Identity