Privacy & Cybersecurity #21
EU’s AI Continent Strategy | UK Cyber Governance Code | Cookie Banner Enforcement in the Netherlands | GDPR Fines in Poland & Spain | IAB Consumer Privacy Research
🇪🇺 Europe launches AI Continent Plan
The European Commission has published its AI Continent Action Plan, a strategy to turn Europe into the global epicenter of artificial intelligence with over €10 billion in infrastructure investment and a target of €200 billion in total funding.
Components of the Plan:
Supercomputing Power: AI Factories & Gigafactories
Europe will triple its AI computing capacity with the creation of 13 AI Factories—regional ecosystems combining:
AI-optimized supercomputers.
Secure, federated data access (via EU Data Spaces).
Training labs, open-source tools, and model development support.
Expert teams aiding deployment for startups, SMEs, and the public sector.
A summary of the 13 selected EuroHPC AI Factories is included in the Annex to the Plan.
Polish Factory Example (Source)
The EU will also fund up to five Gigafactories—think CERN for AI—to train next-gen models with over 100,000 AI chips.
These facilities are built to support large foundation models, including work on Artificial General Intelligence (AGI).
(Source)
The Data Union Strategy
Launching in Q3 2025, this strategy will unlock high-quality, cross-border datasets, launch data labs linked to the AI Factories, and promote trusted data sharing under the Data Governance Act.
Cloud & AI Development Act
A new law (coming Q4 2025) will triple EU cloud/data center capacity by 2030, streamline permits for secure, energy-efficient infrastructure, and incentivize EU-based cloud solutions over foreign dependencies.
Apply AI Strategy
This initiative will support AI adoption in health, manufacturing, energy, defense, mobility, and the public sector. The strategy includes regulatory sandboxes, testing facilities, and public procurement focused on "AI made in Europe".
AI Skills Academy & Research Council (RAISE)
Launching in Q2 2025, the AI Skills Academy will offer certified degrees, fellowships, and apprenticeships, as well as specialized training in generative AI, cybersecurity, and cross-sector innovation.
In parallel, RAISE—Europe’s AI Research Council—will fund cutting-edge AI research and cultivate next-generation talent across the EU.
🇬🇧 UK Launches Cyber Governance Code of Practice
On April 8, 2025, the UK government introduced the Cyber Governance Code of Practice, a comprehensive framework designed to support boards and directors in governing cyber security risks. The Code was developed collaboratively by the Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC).
The Code is a non-statutory framework aimed at executive and non-executive directors, providing a practical roadmap for embedding cyber risk governance into core business practices. It focuses on:
Defining clear board-level responsibilities for cyber governance.
Encouraging integration of cyber into enterprise risk management (ERM).
Promoting resilience-by-design and security-by-default principles.
Building leadership awareness, competence, and confidence in cyber matters.
The Code is built on five overarching outcomes, each with detailed action points and guiding principles:
Risk Management & Oversight
Goal: Embed cyber into enterprise risk frameworks.
Treat cyber as a business risk, not just a technical one.
Establish risk appetite statements that include cyber risk.
Identify, prioritize, and regularly assess digital assets and critical services.
Assign board-level accountability for cyber oversight.
Cybersecurity Knowledge and Awareness
Goal: Empower leaders to make informed decisions.
Regular cyber training for the board.
Access to cyber threat intelligence and briefings from CISOs or external experts.
Encourage questions around preparedness, vulnerabilities, and cyber strategy.
Roles, Responsibilities and Accountability
Goal: Ensure clear accountability and governance.
Designate a senior executive accountable for cybersecurity.
Define responsibilities across teams and levels.
Enable escalation of risks to board level.
Ensure that third-party risk (vendors, cloud services) is owned and governed.
Resilience Planning and Incident Preparedness
Goal: Be ready to respond and recover.
Cyber incident response plans should be board-reviewed and tested.
Simulate real-world scenarios (e.g., ransomware, supply chain attacks).
Integrate cyber recovery into business continuity plans.
Ensure compliance with legal duties, including data breach reporting (UK GDPR).
Assurance, Reporting and Continuous Improvement
Goal: Regularly measure and report on cyber health.
Ensure regular internal/external assurance activities.
Benchmark against standards (e.g., NCSC Cyber Essentials, ISO 27001).
Regular board reporting on KPIs like incident response time, vulnerability posture, third-party exposure, etc.
Set a cadence for reviewing cyber governance practices.
The Code is supported by additional resources, including the Cyber Governance Training and the Cyber Security Toolkit for Boards, to assist in implementation and ongoing management.
🇳🇱 Dutch DPA Enforces Compliance on Misleading Cookie Banners
In April 2025, the Autoriteit Persoonsgegevens (AP) reported that five Dutch organizations had modified their cookie banners following enforcement action. These organizations, from sectors including finance, media, and hospitality, were found to have violated privacy law by implementing cookie consent mechanisms that did not meet legal standards.
The AP's investigations revealed several common issues among the non-compliant cookie banners:
Buttons to refuse cookies were hidden or less prominent than acceptance options.
Consent boxes were pre-ticked, undermining the requirement for active user consent.
Cookies were placed before obtaining user consent or even after users had refused them.
These practices contravene the General Data Protection Regulation (GDPR), which mandates that consent must be freely given, specific, informed, and unambiguous.
To address these issues, the AP has initiated a systematic approach:
Monitoring: The AP is continuously scanning 10,000 websites to assess the clarity and compliance of their cookie banners.
Graduated Enforcement: Organizations found in violation receive warnings and are given the opportunity to rectify issues. Persistent non-compliance may lead to fines or other sanctions.
Recommendations for Businesses
Ensure that cookie banners provide equal prominence to acceptance and refusal options without pre-selected choices.
Inform website developers and internal teams about the legal requirements for cookie consent.
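The third finding above (cookies placed before consent, or after refusal) is the one a developer can test for mechanically. The following is an added example for this newsletter, not code from the AP or from any consent tool: it parses a cookie jar (a `Cookie` header or `document.cookie` string) and reports every non-essential cookie that is present without a matching consent decision. The cookie names, the name prefixes, the category labels and the sample jars are all assumptions constructed for illustration; unrecognised cookies are deliberately treated as non-essential so that an unclassified cookie fails closed rather than passing silently.

```javascript
// Added example: offline audit of a cookie jar against a consent record.
// Cookie names, prefixes and categories below are assumptions for
// illustration, not a list taken from the AP's findings.

// Cookies assumed to be strictly necessary and therefore exempt from consent.
const ESSENTIAL_COOKIES = new Set(["sessionid", "csrftoken", "cookie_consent"]);

// Assumed non-essential cookie name prefixes mapped to a consent category.
const CATEGORY_BY_PREFIX = {
  _ga: "analytics",
  _gid: "analytics",
  _fbp: "marketing",
  _gcl: "marketing",
};

// Parse a Cookie header / document.cookie string into [{ name, value }].
function parseCookies(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((pair) => {
      const eq = pair.indexOf("=");
      return eq === -1
        ? { name: pair, value: "" }
        : { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1) };
    });
}

// Classify a cookie. Anything not recognised is "unknown" and is treated as
// non-essential, so an unclassified cookie is flagged rather than ignored.
function categorize(name) {
  if (ESSENTIAL_COOKIES.has(name)) return "essential";
  for (const [prefix, category] of Object.entries(CATEGORY_BY_PREFIX)) {
    if (name.startsWith(prefix)) return category;
  }
  return "unknown";
}

// consent is null before the visitor has made any choice, otherwise an object
// such as { analytics: true, marketing: false }. Returns the cookies that
// should not be present under that consent state.
function auditCookies(cookieString, consent) {
  const violations = [];
  for (const { name } of parseCookies(cookieString)) {
    const category = categorize(name);
    if (category === "essential") continue;
    const allowed = consent !== null && consent[category] === true;
    if (!allowed) {
      violations.push({
        name,
        category,
        reason:
          consent === null
            ? "set before any consent decision"
            : "set without consent for this category",
      });
    }
  }
  return violations;
}

// Constructed sample cookie jars (not captured from any real site).
const JAR_BEFORE_CHOICE = "sessionid=abc123; _ga=GA1.2.1; _fbp=fb.1.2";
const JAR_AFTER_REFUSAL = "sessionid=abc123; cookie_consent=rejected; _gid=GA1.2.2";
const JAR_ANALYTICS_ONLY =
  "sessionid=abc123; cookie_consent=partial; _ga=GA1.2.1; _gcl_au=1.1";

function runDemo() {
  return {
    beforeChoice: auditCookies(JAR_BEFORE_CHOICE, null),
    afterRefusal: auditCookies(JAR_AFTER_REFUSAL, { analytics: false, marketing: false }),
    analyticsOnly: auditCookies(JAR_ANALYTICS_ONLY, { analytics: true, marketing: false }),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

In practice the jar would be read from a headless browser at three points: before any interaction with the banner, after clicking the refuse option, and after a partial acceptance. An empty violations list at each point is the condition the AP's third finding describes; any entry with category "unknown" means the site's own cookie inventory is incomplete and needs classifying before the audit result can be trusted.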
🇵🇱 Polish Supreme Administrative Court Confirms Limits on Data Retention Under GDPR
Stop retaining personal data "just in case" unless a clear legal basis exists
On January 8, 2025, the Naczelny Sąd Administracyjny (NSA, the Polish Supreme Administrative Court) upheld UODO's order requiring deletion of personal data and rejected the bank's speculative legitimate-interest claim (Case III OSK 4868/21).
Two individuals objected to their personal data being used by a Polish bank for marketing purposes, and later withdrew their consent entirely, asking the bank to stop all processing and delete their data.
The bank refused, citing doubts over the identity of the requesters and arguing that it needed to keep the data under legitimate interest (Art. 6(1)(f) GDPR) to defend against potential future claims.
The President of the Polish Data Protection Authority (UODO) issued a decision ordering the deletion of the data and issued a formal reprimand.
The bank appealed, but both the Warsaw Administrative Court and now the NSA upheld the DPA’s ruling.
The NSA dismissed the bank’s cassation complaint and ruled that the bank violated GDPR by continuing to process personal data without a valid legal basis after the data subjects withdrew consent and objected to further processing.
The court emphasized that legitimate interest (Art. 6(1)(f) GDPR) cannot be invoked hypothetically—data cannot be retained “just in case” future claims are made.
Excerpt from the court decision (original Polish, followed by an English translation):
"niedopuszczalne jest przetwarzanie danych osobowych niejako "na zapas" z założeniem, że mogą być one ewentualnie przydatne w przyszłości oraz z odwołaniem się do przepisów dotyczących przedawnienia roszczeń cywilnoprawnych."
"it is impermissible to process personal data, as it were, 'in reserve', on the assumption that they may possibly prove useful in the future, and by reference to the provisions on the limitation period for civil-law claims."
Key points from the judgment:
Art. 6(1)(f) GDPR (legitimate interests) applies only when a real, current interest exists—not speculative or future risk.
The right to object under Art. 21(3) and the withdrawal of consent under Art. 7(3) must be respected immediately and fully.
There were no actual claims filed by the data subjects, so the bank could not rely on the “defense against legal claims” justification.
The burden of proof under the GDPR’s accountability principle (Art. 5(2)) lies entirely on the data controller.
The ruling also indirectly clarifies that AML, accounting, and financial complaint handling laws (e.g. Polish AML Act, Banking Act, Accounting Act) do not override GDPR unless specific legal obligations explicitly require data retention.
Recommendations for Businesses
Audit your legitimate interest assessments (LIAs)—make sure they are concrete, current, and documented.
Stop retaining personal data “just in case” unless a clear legal basis exists.
Update objection-handling procedures to ensure prompt response and data deletion where required.
Avoid blanket retention policies that are not aligned with a real risk profile or active litigation.
Build granular deletion workflows for post-relationship data retention.
Be transparent about retention periods and ensure users can easily object or withdraw consent.
🇪🇸 Spain AEPD Fines Restaurant for GDPR Violation
Creating WhatsApp group can constitute a GDPR violation
In a recent enforcement action (PS-00261-2024), the Spanish Data Protection Authority (AEPD) fined the catering company TERRA, BRASA Y MAR, S.L. €500 for adding individuals to a WhatsApp promotional group without obtaining prior consent.
On December 13, 2023, a restaurant created a WhatsApp group called “A noche vieja TerraBrasayMar” to promote a New Year’s Eve event. The group included a large number of people (up to 200), many of whom did not know each other. One individual, whose number was added without consent, filed a complaint with the AEPD. The complaint included screenshots showing unsolicited promotional messages and visible phone numbers of all participants. The company did not respond to the AEPD’s inquiry, and the resolution proceeded without their input.
The AEPD found a breach of Article 6(1) GDPR (lawfulness of processing), imposing a fine of €500.
The AEPD concluded that:
Adding individuals to a WhatsApp group without consent involves processing of personal data (phone number, possibly profile name).
The restaurant was the data controller, having determined the purposes and means of processing.
There was no valid legal basis under Article 6(1) GDPR—neither consent nor legitimate interest applied.
The infringement was considered “very serious” under Spanish law (Article 72 LOPDGDD), though the small scale and low damage led to a relatively minor fine.
Recommendations for Businesses
Do not add individuals to WhatsApp, Telegram, Signal, or similar group chats unless you have explicit, documented consent.
Inform users how you will communicate with them at the point of data collection.
Provide opt-in/opt-out options for all messaging channels.
Train staff and build simple, role-specific guidance for using messaging apps in business contexts.
Document user consent with time stamps and logs (e.g., via forms, CRM systems).
Always respond promptly to inquiries from Data Protection Authorities.
🇪🇺 IAB Europe: Most EU Consumers Accept Personalised Ads—If They Understand the Value
Interactive Advertising Bureau (IAB) Europe’s latest research reveals that most Europeans accept personalised advertising as a fair exchange for free access to digital content—but remain skeptical about corporate compliance with privacy laws. The report, conducted with Kantar Media, surveyed 10,500+ consumers across 12 EU countries.
Key Findings
€212/month: The average European consumer receives an estimated €212 worth of access to sites and services per month without payment, the bulk of it funded through advertising (ad-supported search engines, email, and maps).
60% find a pay-or-consent model reasonable once the value trade-off is explained: when offered the choice between paying for access or consenting to personalised advertising, most users (60%) see consent as a reasonable trade-off, but only after understanding how ad revenue funds the service.
54% of users accept all cookies by default—but mainly when they trust the website.
Only 25% feel fully confident in their control over personal data.
52% are concerned companies aren’t complying with privacy laws.
Personalized ads are often preferred—when done right:
80% say online ads are at least occasionally useful
56% prefer relevant ads over random ones
53% agree that fewer personalized ads are less intrusive than many generic ones
Negative experiences are linked more to poor targeting than to personalization itself
Consumers like relevance, but dislike feeling surveilled. Precision, frequency, and tone matter.
The report calls on EU policymakers to:
Safeguard ad-funded models while protecting consumer choice.
Collaborate with industry on improving consent flows.
Preserve current legislation (GDPR, DSA), focusing on implementation over reform.
Support standards like the Transparency and Consent Framework (TCF).
Revisit divergent ePrivacy interpretations that cause consent fatigue.
Enable GDPR Codes of Conduct to improve user experience at scale.
***
Direct your questions to groundcontrol@kepler.consulting.
Until the next transmission, stay secure and steady on course. Ground Control, out.