TMT Newsletter | September 2025

Outlook

On 25.09.2025, AG Spielmann will deliver his opinion on the applicability of the GDPR to the online publication of doping violations, including whether such information constitutes health data under Art. 9 GDPR, and whether a balancing of interests is required prior to publication (C-474/24). On the same day, the German Federal Administrative Court will hear cases concerning press law claims for information against the German Federal Intelligence Service, one regarding the hiring of law firms (10 A 2.24), one on the military situation in Ukraine and the origin of the Coronavirus (10 A 3.24). On the same day, the German Federal Court of Justice will hear a case regarding the protectability of the film character "Miss Moneypenny" as a work title (Section 5, 15 Trademark Act), and whether the use of identical names constitutes infringement (I ZR 219/24). On 01.10.2025, the Federal Administrative Court will consider the relationship between the obligation to pay broadcasting fees and the fulfillment of public broadcasting's functional mandate (6 C 5.24). On 02.10.2025, AG Szpunar will publish the opinion whether offline streaming copies qualify as private copies under Art. 5(2) of the InfoSoc-Directive, and whether national exclusions of limitations for such copies are permissible (C-496/24). On 16.10.2025, AG Spielmann will publish the opinion on the compatibility of German civil procedure rules, particularly Art. 92 GG and §§ 138, 286, 355 ff. ZPO, with judicial data processing under the GDPR (Art. 6(1)(e) GDPR), focusing on the principles of specificity and proportionality (C-484/24). On 21.10.25, the EGC will hear Apple's DMA complaints against, i.a., its designation as a gatekeeper (Art. 3 DMA) and the classification of iMessage as a number-independent interpersonal communication service (Art. 2(9) DMA) (T-1079/23, T-1080/23, T-214/24).

CJEU – No prohibitory injunction without deletion under the GDPR

The data subject can only assert a claim for injunctive relief under the GDPR if they simultaneously request deletion (contrary to the opinion of AG Campos Sánchez-Bordona). Otherwise, recourse to national regulations (Sections 823, 1004 of the German Civil Code) is necessary. Due to the compensatory function of Art. 82(1) GDPR, either the issuance of a cease-and-desist order against the controller nor the latter's fault are relevant to the amount of damages. The burden of proving negative feelings as non-material damage remains with the data subject (C-655/23).

CJEU – Personal reference possible despite pseudonymization

The GDPR applies to pseudonymized data (Art. 4 No. 5 GDPR) only if the data subject is identifiable (cf. Art. 2(1) and Art. 4 No. 1 GDPR). This is not the case if the recipient of the transferred data cannot remove the pseudonymization and lacks reasonable means to assign the data to a specific individual. Regarding the duty to provide information (Art. 13(1)(e) GDPR), however, only the controller's perspective at the time of data collection applies (C-413/23).

CJEU – No technical analysis to determine the scope of protection

The "informed user" under Art. 10 of Regulation (EC) No. 6/2002 is not a technical expert, even in the context of modular systems (Art. 8(3) of Regulation (EC) No. 6/2002). Rather, it is a user with above-average attention and knowledge. Their overall impression is based on visual and non-technical features (Art. 3(a) of Regulation (EC) No. 6/2002). A limited design scope can facilitate determining a different overall impression (C-211/24).

CJEU-AG – GDPR also applies to commercial criminal record portals

rt. 85(2) GDPR allows national exceptions for the chapters expressly mentioned. According to AG Szpunar, the legal remedies under the GDPR (Chapter VIII) cannot be restricted by national law. The mere publication of information without processing or editing and in return for payment does not serve “journalistic purposes”. Art. 85(1) GDPR cannot be relied upon as a legal basis either, since this would render the notification obligation under Art. 85(3) GDPR ineffective, (C-199/24).

CJEU-AG – Storage of investigation data may fall under GDPR

Recording data from an investigation in a personnel file is within the scope of the GDPR (Art. 2(1) GDPR). According to AG Szpunar, this also applies if the investigating authority is an organizational unit of the recording authority and the data was collected during the investigation for the purposes of Art. 1(1) of Directive 2016/680, but the storage in the personnel file serves other purposes (C-312/24).

CJEU-AG – No subsidiarity relationship between the legal remedies under the GDPR

A supervisory authority may not reject a complaint under Art. 77(1) GDPR on the grounds that a judicial remedy has already been sought under Art. 79(1) GDPR or that a decision has not yet become final. Instead, the GDPR provides data subjects with independent legal remedies that coexist independently. According to AG de la Tour, conflicting decisions can be avoided by suspending proceedings  (C-414/24).

CJEU-AG – No licensing requirement for broadcasting in retirement homes

The criteria for "communication to the public" within the meaning of Art. 3 of InfoSoc-Directive 2001/29/EC – namely, communication using a "specific technical means" or to a "new public" – are, according to AG Szpunar, "independent" and therefore stand in an alternative relationship. The retransmission of a broadcast received via satellite and forwarded via cable to individual rooms does not involve a new technical means. Due to the comparability of care home residents with tenants, they also do not constitute a new public (C-127/24).

CJEU-AG – Even a first request for information may constitute an abuse of rights

Art. 12(5) sentence 2 GDPR names the "repetitive character" as just one example of an excessive request. According to AG Szpunar, therefore, an initial request — despite the high requirements — can be excessive if an intention to abuse is proven in individual cases. This occurs, e.g., when the data subject only consents to data processing to then submit a request for information and then claim damages. Public references to such conduct are not sufficient  (C-526/24).

CJEU-AG – Broad scope of application of the E-Commerce Directive

Obligations requiring platforms to implement technical measures to protect minors from pornographic content fall within the scope of Art. 2(h) E-Commerce Directive, even if these obligations are based on general criminal law. Protecting fundamental rights (Art. 24 CFR, Art. 8 ECHR) does not allow the procedure under Art. 3(4) E-Commerce Directive to be circumvented (C-188/24).

EGC – Adequate level of protection exists for data transfers to the US

The Court confirmed this by rejecting an annulment action against an EUCOM adequacy decision (Art. 45 GDPR). There are several safeguards and conditions that ensure the independence of the Data Protection Review Court (DPRC). Also, EUCOM continuously monitors the legal framework and can suspend, amend, revoke, or restrict the scope of the adequacy decision (press release of 3.9.25).

EGC – DSA supervisory fee notice contains a formal error

The EUCOM has violated Art. 43(3) to (5) and 87 DSA by adopting the methodology for calculating in an implementing act – the fee notice itself – and not in a delegated act. The EGC has temporarily upheld the effect of the void fee notices, meaning Meta and TikTok must pay for the time being. However, they can challenge said fee notices on the basis of the established illegality (T-55/24 and T-58/24).

EUCOM – Distortion of competition in the advertising technology industry

Google dominates both sides of the advertising space auction process. It controls the market for publisher ad servers with its "DFP" service and the market for programmatic ad-buying tools with its "Google Ads" and "DV360" services. Therefore, EUCOM found an abuse of a dominant market position (Art. 102 TFEU) and demanded remedial measures within 60 days. EUCOM also imposed a fine of €2.95 billion (press release of 5.9.25)

German Federal Government – Update of product liability law

The draft bill implements Directive (EU) 2024/2853. A key aspect is the explicit inclusion of software, including AI systems, within the scope of the Product Liability Act (see Art. 4 No. 1 Directive (EU) 2024/2853, as well as its national implementation by Section 2(1) No. 3 of the draft bill). The term "software" is not defined and is therefore open to technical developments (draft bill of 11.9.25).