Privacy & Cybersecurity #23
EU GPAI Compliance & AI Act; EDPB 2024 Report | Texas App Store Accountability Act | Oregon Launches GDPR Enforcement | Hamburg DPA Flags Non-Compliant Websites | Ubisoft Faces GDPR Complaint from Noyb
🇪🇺 EU Opens Consultation on GPAI Compliance Guidance Ahead of AI Act Enforcement
Why FLOPs, Fine-Tuning, and Open Source Licensing Are Now Legal Questions for AI Developers
In April 2025, the European Commission launched a targeted consultation on draft guidelines clarifying the obligations of providers of general-purpose AI (GPAI) models under the EU AI Act (Regulation (EU) 2024/1689). The GPAI obligations apply from 2 August 2025; which obligations a provider faces depends on factors such as the model's generality, its training compute, and whether it is classified as posing systemic risk.
To prepare the market, the Commission published the draft guidance and is seeking feedback from industry, researchers, civil society, and regulators until 22 May 2025 through an online survey.
The AI Act establishes a novel compliance regime specifically for providers of GPAI models. The guidance:
Defines who is a "provider" of GPAI;
Introduces a compute-based threshold (≥ 10²² FLOP) to classify models as general-purpose;
Clarifies downstream modifiers' liability;
Details documentation, copyright, and systemic risk obligations;
Outlines how open-source exemptions work, and when they do not;
Sets expectations for transparency and future enforcement.
Key Elements
Training Compute Threshold (10²² FLOP). A model that can generate text or images and was trained with more than 10²² FLOP is presumed to be a GPAI model unless the provider shows otherwise.
Downstream Modifiers Become Providers. If a downstream entity fine-tunes or otherwise modifies a GPAI model using at least one third of the original model's training compute, it becomes a provider in its own right, with the full set of compliance obligations for the modified model.
Open-Source Exemption. The exemption from the technical documentation duties in Article 53(1)(a) and (b) applies only if:
The model is released under a free and open-source licence that allows access, use, modification and distribution, and is not monetised;
Parameters, including weights, model architecture and usage information, are publicly available;
The model is not classified as posing systemic risk.
Systemic Risk Assessment. Models trained with more than 10²⁵ FLOP, or designated as having high-impact capabilities, are GPAI models with systemic risk and must meet the additional obligations of Article 55 AI Act: model evaluation including adversarial testing, assessment and mitigation of systemic risks across the model lifecycle, serious incident reporting, and an adequate level of cybersecurity protection.
Although the guidelines are "non-binding", they signal how the Commission will interpret and enforce the GPAI obligations in Articles 52 to 55.
Expect enforcement: the Commission's fining powers for GPAI providers apply from 2 August 2026, with fines of up to 3% of total worldwide annual turnover or EUR 15 million, whichever is higher (Article 101 AI Act).
Recommendations for Businesses:
AI developers working with foundation models, especially those based in Europe or targeting EU markets, should evaluate whether their model will meet the GPAI threshold and start aligning architecture, licensing, and documentation practices accordingly.
Those relying on fine-tuning or offering models through APIs should assess their exposure under the downstream modification rules, in particular whether their modifications approach the one-third compute threshold that turns a modifier into a provider.
🇪🇺 EDPB 2024 Annual Report: Strategic Enforcement, AI Oversight, and Consent Reform Across the EU
In April 2025, the European Data Protection Board (EDPB) released its Annual Report for 2024, detailing its activities across guidance, enforcement, regulatory coordination, and digital policy development.
The EDPB adopted 28 consistency opinions in 2024 (20 under Article 64(1) and 8 under Article 64(2) GDPR), covering issues such as Binding Corporate Rules, facial recognition, "Consent or Pay" models, and the use of personal data to train AI models.
In Opinion 08/2024, the EDPB found that large online platforms generally do not obtain valid consent under the GDPR when users must either accept behavioural tracking or pay a fee. These models often:
Fail the "freely given" standard because of the power imbalance between platform and user;
Impose disproportionate financial burdens;
Do not offer true alternatives like non-personalized contextual ads.
The EDPB's recommendation: platforms should offer a free alternative that does not involve behavioural advertising (for example, contextual advertising), ensure that consent interfaces are clear, and avoid fees set so high that they effectively coerce consent.
In Opinion 28/2024, the EDPB confirmed that personal data may be used to train AI models on the basis of legitimate interest (Art. 6(1)(f) GDPR), but only if the three-step test for that legal basis is satisfied:
The controller pursues a legitimate interest that is lawful, clearly articulated and real, not speculative;
The processing is necessary for that interest, with no less intrusive means reasonably available;
The interest is not overridden by the interests or fundamental rights of the data subjects, assessed in a balancing test that considers their reasonable expectations and any mitigating measures.
In Opinion 11/2024, on facial recognition at airports, the EDPB concluded that only storage models in which the individual keeps control of their biometric data, either on a device they hold or in a central database encrypted with a key held solely by the individual, satisfy Art. 5(1)(f), 25 and 32 GDPR. Centralised databases under the control of the airport or airline were found non-compliant.
Opinion 22/2024 clarified controller obligations under Art. 28 GDPR:
Controllers must know and document all processors and sub-processors;
Verification duties are risk-based in depth, but the controller must always carry them out;
Where data is transferred outside the EEA further down the processing chain, the controller must be able to verify the transfer mechanism and its supporting documentation.
EDPB Strategy 2024-2027 focuses on:
Strengthening harmonized enforcement;
Promoting compliance with accessible guidance;
Collaborating with AI, digital services, and consumer protection regulators;
Enhancing Europe's global role in setting data protection norms.
🇺🇸 Texas Senate Passes App Store Accountability Act
App Store Operators and Developers Prepare for Texas Age Verification Rules
In April 2025, the Texas Senate passed SB 2420, also known as the App Store Accountability Act, introducing new legal obligations for app store operators and software developers. The bill mandates age verification and parental consent before minors may download or purchase mobile applications.
The bill defines an "app store" as "a publicly available Internet website, software application, or other electronic service that distributes software applications from the owner or developer of a software application to the user of a mobile device."
SB 2420 imposes the following key requirements:
App store platforms and software developers must implement "commercially reasonable" methods to verify the user's age.
If the user is under 18, verifiable parental consent must be obtained before the app is accessed or purchased.
The bill defines a minor as any individual under the age of 18, a broader category than the federal COPPA standard, which covers children under 13.
The bill's terminology, such as "reasonable means" of parental notification and "commercially reasonable" verification, remains undefined, creating uncertainty for regulated entities.
In formal comments submitted to the Texas Senate State Affairs Committee, the Computer & Communications Industry Association (CCIA) noted that compliance with SB 2420 would likely require the collection of sensitive personal data, such as government-issued identification or biometric data. CCIA also highlighted that SB 2420 introduces requirements that may conflict with privacy legislation in other states.
For organizations operating app distribution platforms or developing mobile software, SB 2420, if signed into law, may require:
Reassessment of existing privacy policies and verification workflows;
Increased data collection and retention obligations;
Potential constitutional litigation exposure depending on enforcement practices.
Recommendations for Businesses:
Begin internal mapping of age verification processes now.
Assess data collection practices against Texas requirements.
🇺🇸 Oregon Releases Six-Month Enforcement Report Under OCPA
In March 2025, the Oregon Department of Justice (DOJ) released its first enforcement report under the Oregon Consumer Privacy Act (OCPA), which took effect on July 1, 2024. The report outlines six months of implementation and enforcement activities.
OCPA applies to entities that control or process the personal data of at least 100,000 Oregon consumers a year, or of at least 25,000 consumers if more than 25% of gross revenue comes from selling personal data. A cure period runs through January 1, 2026, during which the DOJ must give businesses 30 days to remedy curable violations before enforcing. The DOJ issued 21 cure notices and inquiry letters in the first six months, primarily targeting deficient privacy notices and inadequate consumer rights disclosures.
Oregon consumers can exercise rights to know, access, delete and correct their data, and to opt out of targeted advertising, the sale of their data and certain profiling, including a novel right to receive a list of the specific third parties to whom their data was disclosed (not just categories).
Most Common Violations:
Missing or vague disclosures of consumer rights;
Inaccessible or confusing privacy policies;
Omission of Oregon from state-specific rights sections;
Poorly designed or burdensome rights request mechanisms.
The DOJ received 110 complaints, more than three times the number Connecticut received under its comparable law, mainly concerning social platforms and data brokers.
Cure letters are formal and corrective, with documented results. After January 1, 2026, the DOJ will have discretion to proceed with enforcement without first offering a cure period.
Recommendation for Businesses:
Audit your privacy notice for Oregon-specific compliance.
Include clear opt-out links.
List all data recipients.
Simplify rights request procedures.
🇩🇪 Hamburg Data Protection Authority Identifies GDPR Violations on 185 Websites
In April 2025, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) conducted an automated audit of 1,000 randomly selected Hamburg-based websites to assess compliance with the data protection rules on third-party tracking services. The audit revealed that 185 websites loaded third-party tracking tools, such as Google Analytics, Google Ads, and YouTube, without obtaining the legally required user consent.
The HmbBfDI's investigation found that these 185 websites activated third-party services immediately on page load, so that users were tracked before they could give or refuse consent. The services most frequently found embedded this way (a site can appear under several services):
Google Analytics: 110 instances
Google Maps: 51 instances
Google Ads: 42 instances
YouTube: 20 instances
Facebook: 15 instances
Vimeo: 5 instances
Microsoft Advertising: 4 instances
Pinterest: 2 instances
LinkedIn: 2 instances
These services were embedded in ways that started data collection without any user interaction, violating the consent requirements of the General Data Protection Regulation (GDPR) and of the German Telecommunications-Digital Services Data Protection Act (TDDDG, formerly the TTDSG), whose §25 implements Article 5(3) of the ePrivacy Directive.
Website operators identified with compliance issues have been formally notified and given guidance on rectifying the violation. The authority stresses that consent must be obtained before any tracking technology is deployed.
Storing information on, or reading information from, a user's device for tracking purposes requires prior, informed consent under §25 TDDDG (Article 5(3) ePrivacy Directive); the GDPR then governs the processing of the personal data collected, which needs its own legal basis and cannot rely on a consent that was never given. This applies to analytics tools, advertising services, and embedded content (maps, videos, social plugins) that contact a third-party server when the page loads. Non-compliance can result in enforcement actions, including fines.
Recommendations for Businesses:
Conduct a comprehensive audit of your website to identify all third-party services that collect user data.
Implement a compliant consent management platform that ensures no tracking occurs without prior user consent.
Regularly review and update your data protection practices to align with current legal requirements.
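The first recommendation can be partly automated. The following is an added example written for this newsletter, not the HmbBfDI's own audit tooling: it parses a page's HTML and lists the third-party scripts, iframes, images and fetching `<link>` tags that a browser would request on page load, separating them from embeds that are gated behind a consent manager. The host-to-service table, the gating conventions it recognises (a non-executing script type such as `text/plain`, a `data-src` placeholder on an iframe) and the sample page are all assumptions constructed for illustration.

```python
"""Static pre-consent audit of a web page: which third-party embeds does the
browser fetch on page load, before the user has made any consent choice?

Added example for this newsletter, not the HmbBfDI's audit tooling.
Assumptions: the host-to-service table is illustrative; a <script> with a
non-JavaScript type (e.g. type="text/plain") is treated as consent-gated
because that is how common consent management platforms block scripts; an
<iframe>/<img> whose real URL sits only in data-src is treated as deferred.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative host -> service table (assumption, not an official list).
TRACKER_HOSTS = {
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Tag Manager",
    "googleadservices.com": "Google Ads",
    "doubleclick.net": "Google Ads",
    "youtube.com": "YouTube",
    "youtube-nocookie.com": "YouTube",
    "maps.googleapis.com": "Google Maps",
    "connect.facebook.net": "Facebook",
    "player.vimeo.com": "Vimeo",
    "bat.bing.com": "Microsoft Advertising",
}

# Script types that browsers do not execute (the CMP blocking convention).
NON_EXECUTING_TYPES = {"text/plain", "text/template", "text/x-template"}
# <link rel=...> values that cause a network request on page load.
FETCHING_RELS = {"stylesheet", "preconnect", "dns-prefetch", "preload", "prefetch"}


def service_for_host(host):
    """Match a hostname, or any parent domain of it, against TRACKER_HOSTS."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        name = TRACKER_HOSTS.get(".".join(labels[i:]))
        if name:
            return name
    return None


class EmbedCollector(HTMLParser):
    """Collect resource-loading tags and whether each one is fetched immediately."""

    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe", "img", "link"):
            return
        a = {k: (v or "") for k, v in attrs}  # valueless attrs (async) -> ""
        url, gated = a.get("src", ""), False
        if tag == "script":
            gated = a.get("type", "").lower() in NON_EXECUTING_TYPES
        elif tag == "link":
            if not set(a.get("rel", "").lower().split()) & FETCHING_RELS:
                return  # e.g. rel="canonical" triggers no request
            url = a.get("href", "")
        elif url in ("", "about:blank") and a.get("data-src"):
            url, gated = a["data-src"], True  # placeholder until consent
        if url:
            self.embeds.append({"tag": tag, "url": url, "gated": gated})


def audit_html(html, site_domain):
    """List every third-party embed on the page together with its gating status."""
    collector = EmbedCollector()
    collector.feed(html)
    findings = []
    for e in collector.embeds:
        host = urlparse(e["url"]).hostname
        if not host or host == site_domain or host.endswith("." + site_domain):
            continue  # relative URL or first-party host
        findings.append({**e, "host": host,
                         "service": service_for_host(host) or "unknown third party"})
    return findings


def pre_consent_violations(html, site_domain):
    """Third-party embeds fetched on load: the pattern the Hamburg audit flagged."""
    return [f for f in audit_html(html, site_domain) if not f["gated"]]


# Constructed sample page (not a real site): one gated and one ungated Google
# script, a preconnect to Facebook, a YouTube iframe, a Vimeo placeholder, and
# first-party assets that must not be flagged.
SAMPLE_HTML = """<html><head>
  <script src="/static/app.js"></script>
  <script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
  <script type="text/plain" data-cookieconsent="statistics"
          src="https://www.google-analytics.com/analytics.js"></script>
  <link rel="preconnect" href="https://connect.facebook.net">
  <link rel="canonical" href="https://www.youtube.com/channel/placeholder">
</head><body>
  <iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
  <iframe data-src="https://player.vimeo.com/video/1" src="about:blank"></iframe>
  <img src="https://cdn.example.org/logo.png">
</body></html>"""

if __name__ == "__main__":
    for f in pre_consent_violations(SAMPLE_HTML, "example.org"):
        print(f"{f['tag']:6} {f['host']:32} {f['service']}")
```

Run against the sample, the check reports the Google Tag Manager script, the Facebook preconnect and the YouTube iframe as loading before consent, while the `text/plain` Analytics script and the `data-src` Vimeo placeholder are listed as gated. Treat the result as a first pass only: a static parse cannot see requests that a tag manager or a first-party script adds at runtime, so an audit of the kind the HmbBfDI ran also needs a browser-driven crawl that records the actual network requests made before any consent interaction.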
🎮 Ubisoft Faces GDPR Complaint from Noyb for Tracking Users in Offline Games
In April 2025, noyb filed a GDPR complaint with the Austrian data protection authority against the French video game publisher Ubisoft for alleged unlawful data collection in its single-player games. The complaint alleges that Ubisoft tracks players, even in offline single-player titles such as Far Cry Primal, without a valid legal basis under Article 6 GDPR.
Although Far Cry Primal is a purely single-player game, it cannot be launched without internet access and authentication through a Ubisoft account. By analysing the game's DNS lookups and its TLS connections, the complainant documented extensive data flows to Ubisoft and to third parties during gameplay, without the player using any online feature. Data is sent to Ubisoft, Google, Amazon, and others throughout the session.
Ubisoft's End-User License Agreement (EULA) and privacy policy refer to data collection "for product improvement" and "security", but the actual categories of data, the recipients, and the purposes remain unclear, and the user has no way to opt out of this processing.
The complaint argues that Ubisoft's reliance on implied consent through EULA acceptance fails the GDPR's requirements that consent be informed, freely given, and specific.
Legal Grounds of the Complaint
No Valid Legal Basis: The data collected is considered personal data under GDPR (Article 4), and Ubisoft has not demonstrated that processing is necessary under any lawful basis in Article 6(1).
Violation of the ePrivacy Directive: Under Article 5(3), storing information on, or accessing information already stored in, a user's terminal device (for example for metrics or ad tech) requires the user's prior consent unless it is strictly necessary to provide the requested service; Ubisoft does not seek such consent.
***
Direct your questions to groundcontrol@kepler.consulting.
Until the next transmission, stay secure and steady on course. Ground Control, out.