{"id":10382,"date":"2025-03-04T11:01:00","date_gmt":"2025-03-04T10:01:00","guid":{"rendered":"https:\/\/s8.tgin.eu\/?p=10382"},"modified":"2025-06-11T14:05:23","modified_gmt":"2025-06-11T12:05:23","slug":"data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\/","title":{"rendered":"Data protection digest 16 Feb &#8211; 2 Mar 2025: Data Act to strengthen EU digital market, vigilance over US data transfers"},"content":{"rendered":"\n<h4 class=\"wp-block-heading\"><strong>The Data Act is almost here<\/strong><\/h4>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:26% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" width=\"1024\" height=\"671\" src=\"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/brussels-7826514_1280-1024x671.jpg\" alt=\"Data Act\" class=\"wp-image-10388 size-full\" srcset=\"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/brussels-7826514_1280-1024x671.jpg 1024w, https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/brussels-7826514_1280-300x197.jpg 300w, https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/brussels-7826514_1280-768x503.jpg 768w, https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/brussels-7826514_1280.jpg 1280w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p>In February, the European Commission published a set of updated technical <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/library\/commission-publishes-frequently-asked-questions-about-data-act\">FAQs<\/a> on the implementation of the legal provisions of the <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/factpages\/data-act-explained\">Data Act, applicable as soon as of 12 September 2025<\/a>.\u00a0 It enhances data sharing and enables a fair distribution of data value by establishing clear rules related to the access and use of data within the EU &#8211; B2B, B2C, and B2G. The guide elaborates among other things on:<\/p>\n<\/div><\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li>the definitions of data users, data holders and third parties, as well as&nbsp;<\/li>\n\n\n\n<li>cloud and service interoperability requirements,&nbsp;<\/li>\n\n\n\n<li>fairness of data-sharing contracts, and&nbsp;<\/li>\n\n\n\n<li>enforcement and dispute resolution frameworks.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The<strong><em> GDPR is fully applicable to all personal data processing activities under the Data Act.&nbsp; <\/em><\/strong>In some cases, the Data Act specifies and complements the GDPR, (eg, real-time portability of data from loT devices). The Data Act also restricts the re-use of data by third parties. In the event of a conflict between the GDPR and the Data Act, the GDPR rules on the protection of personal data will prevail.<\/p>\n\n\n\n<p><strong><em><a href=\"#newslettersignup\">Stay up to date! Sign on to receive our fortnightly digest via email.<\/a><\/em><\/strong><\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>US data transfers<\/strong><\/h4>\n\n\n\n<p>The Norwegian regulator Datatilsynet answered FAQs about the rules for US data transfers, due to a political situation in Washington. Although we currently have rules that make it easy to transfer personal data to the US, the Data Privacy Framework, the regulator expects that these <a href=\"https:\/\/www.datatilsynet.no\/aktuelt\/aktuelle-nyheter-2025\/informasjon-om-overforinger-til-usa\/\">rules will sooner or later be challenged<\/a> in the CJEU. An adequacy decision will remain in force until it is revoked by the Commission. <\/p>\n\n\n\n<p>This means that any changes in the US will not automatically result in the lapse of the adequacy decision. At the same time, if it is revoked, <a href=\"https:\/\/www.datatilsynet.no\/aktuelt\/aktuelle-nyheter-2025\/informasjon-om-overforinger-til-usa\/\">there will most likely not be a transition period<\/a>. It is important to be aware of this when <strong>purchasing US services<\/strong>. Also, the use of US cloud services on European soil could be negatively affected if the adequacy decision is lifted. The most important advice for your <a href=\"https:\/\/www.datatilsynet.no\/aktuelt\/aktuelle-nyheter-2025\/informasjon-om-overforinger-til-usa\/\">business is to have an exit strategy<\/a> for what you will do if you can no longer transfer personal data to the US in the same way as today.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><\/h4>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>DORA implementation updates<\/strong><\/h4>\n\n\n\n<p>On 18 February, the European Supervisors, (ESAs) \u2014EBA, EIOPA, and ESMA \u2013 published a roadmap to designate <a href=\"https:\/\/www.digital-operational-resilience-act.com\/#:~:text=Collection%20of%20the%20Registers%20of,they%20received%20from%20financial%20entities.\">critical ICT third-party service providers (CTPPs<\/a>), such as cloud services and data hosting companies, that are critical to the functioning of financial entities under the <a href=\"https:\/\/techgdpr.com\/blog\/understanding-the-five-pillars-of-the-dora\/\">Digital Operational Resilience Act<\/a>. By 30 April, the competent authorities must submit the Registers of Information to the ESAs. These registers will list information regarding all ICT third-party arrangements that the financial entities have submitted to the authorities.<\/p>\n\n\n\n<p>By July, the ESAs will notify the affected ICT third-party service providers if they have been classified as critical, and by the end of 2025 will start overseeing them for non-compliance (risk management, testing, contractual agreements, location requirements, etc).&nbsp;&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Legal updates worldwide<\/h4>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:26% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfnz-CD-cVYIIJbDWqgcXj5Pg05kH5201fmzTTlM65HFB9GP6Uw-zhySClcf6GWhmIGo1_X-cMl_nkedlv3vAvq4MZ_BdZ-0rHwW5hYATHExWm8bCgW4aOBCp_V2RjNogm46nU9?key=eFpRqlyCY3C_GwfSOeRb_GmK\" alt=\"\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p><strong>China data audits: <\/strong>With effect from May 1, 2025, Chinese regulators will focus more on the data protection compliance audit requirements under the Personal Information Protection Law, according to DLA Piper&#8217;s legal analysis. The measures provide the conditions and rules for both <a href=\"https:\/\/privacymatters.dlapiper.com\/2025\/02\/china-mandatory-data-protection-compliance-audits-from-1-may-2025\/\">self-initiated and regulator-requested compliance audits regularly, covering the whole data lifetime<\/a>, (for large and high-risk data processing, they will be conducted every two years), with the possible rectification steps and further enforcement.&nbsp;&nbsp;<\/p>\n<\/div><\/div>\n\n\n\n<p><strong>US privacy enforcement: <\/strong>In the past two months, New York state has amended several rules on data breach notification. The amended law requires <a href=\"https:\/\/www.jdsupra.com\/legalnews\/new-york-state-amends-law-on-data-1263705\/\">New York residents to be notified of a data breach<\/a>, fixing a 30-day deadline for businesses; plus, responsible persons must inform the state\u2019s Attorney General, Department of State, the Police and Financial Services, (only for covered entities), about the <a href=\"https:\/\/www.nysenate.gov\/legislation\/bills\/2025\/S804\">timing, content, distribution of the notices, and the approximate number of affected individuals<\/a>. A copy of the template of the notice sent to affected persons must also be provided.&nbsp;<\/p>\n\n\n\n<p>Meanwhile, Virginia state passed a bill requiring social media platforms to use commercially reasonable methods, such as a neutral age screen mechanism, to <a href=\"https:\/\/www.jdsupra.com\/legalnews\/proposed-state-privacy-law-update-3577080\/\">determine whether a user is a minor<\/a>, (under 16 years of age), and to limit a minor\u2019s use of the platform to one hour per day, per service or application, while allowing a parent to give verifiable parental consent to increase or decrease the daily limit. The amendment goes into effect on January 1, 2026.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Automated decision CJEU ruling<\/strong><\/h4>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:26% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXc0KhLWYdBf0IAM6Xqzw99b2gvTUusx75QRhVUOKGljPda4M6I478Ft4QN2J9HzysVAdF1elb-V3-mIXkEJThTJLTbOBWyJMwnRMlPU-YTNbvpXR2978FJ0jrXCXPjwm0DU7Dv35A?key=eFpRqlyCY3C_GwfSOeRb_GmK\" alt=\"Data Act\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p>The Top European Court ruled that a data subject is entitled to an explanation as to how any decision was taken in respect of him or her. According to a judgement delivered on 27 February, a <a href=\"https:\/\/curia.europa.eu\/jcms\/upload\/docs\/application\/pdf\/2025-02\/cp250022en.pdf\">data subject is entitled to an explanation as to how a decision was taken in respect of him or her,<\/a> and the explanation provided must enable the data subject to understand and challenge the automated decision.&nbsp;<\/p>\n<\/div><\/div>\n\n\n\n<p>The case refers to a mobile telephone operator in Austria who refused to allow a customer to conclude a contract because of her credit standing. The operator relied in that regard on an automated assessment of the customer\u2019s credit standing carried out by Dun &amp; Bradstreet Austria. The contract would have involved a monthly payment of 10 euros.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Algorithmic discrimination and the GDPR<\/strong><\/h4>\n\n\n\n<p>The European Parliament&#8217;s recent research meanwhile states, that one of the AI Act&#8217;s main objectives is to mitigate discrimination and bias in the development, deployment and use of high-risk AI systems. To achieve this, the <strong>act allows &#8216;special categories of personal data&#8217; to be processed<\/strong>, based on a set of privacy-preserving conditions, to identify and avoid discrimination. The GDPR, however, is more restrictive in that respect. The legal uncertainty this creates might need to be addressed through <a href=\"https:\/\/www.europarl.europa.eu\/RegData\/etudes\/ATAG\/2025\/769509\/EPRS_ATA(2025)769509_EN.pdf\">legislative reform or further guidance<\/a>, states the report.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">More from supervisory authorities<\/h4>\n\n\n\n<p><strong>DPIA guidance<\/strong>: The Swedish Data Protection Authority IMY has published guidance on <a href=\"https:\/\/www.imy.se\/publikationer\/vagledning-vid-konsekvensbedomning\/\">impact assessments<\/a> for activities that process personal data, (in Swedish). The <a href=\"https:\/\/www.imy.se\/globalassets\/dokument\/vagledningar\/en-praktisk-guide.pdf\">practical guide<\/a> is intended to facilitate the work of impact assessments and reduce uncertainty about how the various steps are carried out and how the regulations should be understood. It also contains some <a href=\"https:\/\/www.imy.se\/globalassets\/dokument\/vagledningar\/rattsligt-tolkningsstod.pdf\">legal interpretation support<\/a>, as well as detailed templates for an assessment.<\/p>\n\n\n\n<p><strong>Urban data platforms: <\/strong>As municipalities move towards becoming smart cities or smart regions, more and more systems are being equipped with communication interfaces, states the German Federal Office for Information Security. These include sensors for recording parking spaces, measuring river water levels or smart garbage cans. Urban data platforms, (UDPs), can be used to bundle various information streams and enable efficient decision-making, such as on <a href=\"https:\/\/www.bsi.bund.de\/DE\/Service-Navi\/Presse\/Alle-Meldungen-News\/Meldungen\/Sicherheit-urbane-Datenplattformen_250227.html\">optimized traffic control, and early warning systems in the event of disasters or urban planning<\/a>.&nbsp;<\/p>\n\n\n\n<p>To that end, the regulator has prepared <a href=\"https:\/\/www.bsi.bund.de\/SharedDocs\/Downloads\/DE\/BSI\/Publikationen\/TechnischeRichtlinien\/TR03187\/BSI-TR-03187.pdf?__blob=publicationFile&amp;v=4\">technical guidance<\/a>, for developers, solution providers and operators of such platforms, (in German). It analyses various existing IT security standards and examines existing UDPs for their vulnerabilities.<\/p>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:26% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXc1E3DA9PGpwrrEHFKbxEf4nGQJF8ODlJRpubpumQhjZsSd4nZYz2TiBBJXjizbljHI1egZEevM5Zq9vsTk4fzL1F1G6poA6UpuDFVSg2XQGaBXHm6sLLmuKd13H1KXncW9au6CaA?key=eFpRqlyCY3C_GwfSOeRb_GmK\" alt=\"\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p><strong>Employment records: <\/strong>The UK ICO updated its <a href=\"https:\/\/ico.org.uk\/for-organisations\/uk-gdpr-guidance-and-resources\/employment\/employment-practices-and-data-protection-keeping-employment-records\/about-this-guidance\/\">guidance aimed at employers who keep employment records<\/a>. The data protection law does not stop you from collecting, holding and using records about workers. It helps to strike a balance between employer needs and every worker\u2019s right to a private life. <\/p>\n<\/div><\/div>\n\n\n\n<p>The terms \u2018worker\u2019 or \u2018former worker\u2019 mean all employment relationships, including employees, contractors, volunteers, and gig or platform workers. It can be combined with the other ICO guidance on data protection and employment \u2013 in particular, our detailed guidance on <a href=\"https:\/\/ico.org.uk\/for-organisations\/uk-gdpr-guidance-and-resources\/employment\/information-about-workers-health\/\">workers\u2019 health<\/a> information and <a href=\"https:\/\/ico.org.uk\/for-organisations\/uk-gdpr-guidance-and-resources\/employment\/monitoring-workers\/\">monitoring of workers<\/a>.<\/p>\n\n\n<div id=\"newslettersignup\"><\/div>\n<div id=\"role-block_b64a7214b1f60c56620cc018f738d4c8\" class=\"text-t-black bg-t-pink p-6 md:p-12 rounded-tr-50 rounded-bl-50 mb-4 lg:mb-12 text-center role\">\n  \n      <h2 class=\"text-xl lg:text-2xl max-w-screen-lg mx-auto text-t-black font-display mb-4\">\n      Receive our digest by email     <\/h2>\n        <h3 class=\"text-base max-w-screen-lg mx-auto text-t-black font-body mb-4\">Sign up to receive our digest by email every 2 weeks<\/h3>\n  \n  <div id=\"rmOrganism\">\n    <div class=\"rmEmbed rmLayout--vertical rmBase\">\n      <div data-page-type=\"formSubscribe\" class=\"rmBase__body rmSubscription\">\n                  <form method=\"post\" action=\"https:\/\/mailing.techgdpr.com\/145\/6351\/5e9fc3cdda\/subscribe\/form.html?_g=1698845230\" class=\"rmBase__content\">\n                  <div class=\"rmBase__container mx-auto max-w-screen-sm\">          \n            <div class=\"rmBase__section\">\n              <div class=\"text-left rmBase__el rmBase__el--input rmBase__el--label-pos-none\" data-field=\"email\">\n                <label for=\"email\" class=\"rmBase__compLabel rmBase__compLabel--hideable hidden\">\n                  Email address\n                <\/label>\n                <div class=\"rmBase__compContainer mb-2\">\n                  <input type=\"text\" name=\"email\" id=\"email\" placeholder=\"Email\" value=\"\" class=\"p-4 border rounded border-gray-400 w-full rmBase__comp--input comp__input\">\n                  <div class=\"rmBase__compError text-left font-display font-bold text-xs\"><\/div>\n                <\/div>\n              <\/div>\n            <\/div>\n            <div class=\"rmBase__section mb-4\">\n              <div class=\"rmBase__el rmBase__el--consent\" data-field=\"consent_text\">\n                <div class=\"rmBase__comp--checkbox\">\n                  <label for=\"consent_text\" class=\"flex space-x-2 items-baseline text-left vFormCheckbox comp__checkbox\">\n                    <input type=\"checkbox\" value=\"yes\" name=\"consent_text\" id=\"consent_text\" class=\"vFormCheckbox__input\">\n                    <div class=\"vFormCheckbox__indicator hidden\"><\/div>\n                    <div class=\"vFormCheckbox__label\">\n                                              I consent to the processing of my data, and to receiving regular updates from TechGDPR. Data is processed according to our <a href=\"https:\/\/techgdpr.com\/privacy-policy\/\"> Privacy Notice<\/a>.                                          <\/div>\n                  <\/label>\n                <\/div>\n                <div class=\"rmBase__compError text-left font-display font-bold text-xs\"><\/div>\n              <\/div>\n            <\/div>\n            <div class=\"rmBase__section\">\n              <div class=\"rmBase__el rmBase__el--cta\">\n                <button type=\"submit\" class=\"inline-flex items-center justify-center px-8 py-3 text-white visited:text-white font-bodybold rounded-md bg-t-navy border-3 border-t-navy hover:border-t-navy hover:bg-transparent hover:text-t-navy transition-all hover:text-white cursor-pointer rmBase__comp--cta\">\n                  Subscribe\n                <\/button>\n              <\/div>\n            <\/div>\n          <\/div>\n        <\/form>\n      <\/div>\n      <div data-page-type=\"pageSubscribeSuccess\" class=\"rmBase__body rmSubscription hidden\">\n        <div class=\"rmBase__content\">\n          <div class=\"rmBase__container\">\n            <div class=\"rmBase__section\">\n              <div class=\"rmBase__el rmBase__el--heading\">\n                <div class=\"rmBase__comp--heading\">\n                  Thank you for your subscription!\n      <!-- this linebreak is important, don't remove it! this will force trailing linebreaks to be displayed -->\n                  <br>\n                <\/div>\n              <\/div>\n            <\/div>\n            <div class=\"rmBase__section\">\n              <div class=\"rmBase__el rmBase__el--text\">\n                <div class=\"rmBase__comp--text\">\n                  We have sent you an email &#8211; please confirm your email address by clicking the activation link in it.\n      <!-- this linebreak is important, don't remove it! this will force trailing linebreaks to be displayed -->\n                  <br>\n                <\/div>\n              <\/div>\n            <\/div>\n          <\/div>\n        <\/div>\n      <\/div>\n    <\/div>\n  <\/div>\n\n      <script src=\"https:\/\/mailing.techgdpr.com\/form\/145\/6069\/8a53c9178b\/embedded.js\" async><\/script>\n  \n<\/div>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Insurance companies data swaps<\/strong><\/h4>\n\n\n\n<p><strong> <\/strong>The North Rhine-Westphalia Data Protection Commissioner has initiated investigations against ten insurance companies in North Rhine-Westphalia for an illegal exchange of personal data. Specifically, <a href=\"https:\/\/www.ldi.nrw.de\/Versicherungen_Datenkartell\">the companies, together with almost 30 other insurers, shared data from customers in international travel health insurance<\/a> to uncover cases of fraud and identify fraud patterns. Since the insurance companies are based in ten federal states and other European countries, a joint coordinated investigation was launched. To exchange data, the insurers used a closed email distribution list, on which several employees of the companies involved were usually registered.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Privacy polic<\/strong>y<\/h4>\n\n\n\n<p> The Latvian DVI looks at the most common<a href=\"https:\/\/www.dvi.gov.lv\/lv\/jaunums\/dviskaidro-kadas-nepilnibas-visbiezak-noverojam-privatuma-politikas\"> shortcomings in privacy policies<\/a> of the organisations it\u2019s investigated, and asks data controllers to take them into account:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Privacy policy is hard to find<\/li>\n\n\n\n<li>Complex and unclear text<\/li>\n\n\n\n<li>Not all legal bases and purposes of data processing are listed<\/li>\n\n\n\n<li>The purpose of data processing is not linked to the legal basis<\/li>\n\n\n\n<li>Failure to specify the organization&#8217;s legitimate interests&nbsp;<\/li>\n\n\n\n<li>Unclear information about the storage period<\/li>\n\n\n\n<li>Failure to specify recipients of personal data&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Finally, there is also a lack of guidance on data subjects&#8217; rights and their implementation, and complicated mechanisms are provided for the implementation of rights.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Emotion recognition<\/strong><\/h4>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:26% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfTSZSjoZw2upplLbpkl8V6VBdqdTFYylkFucE66-MvMnq6W-S_OEidkfbvZDpx4wU5eFHMOaQciHLP4-Hp3Hyd5g4urXH97iiJYHkEQxQsD9NHk5Vd-Ngej8tsq50xf1U86srO?key=eFpRqlyCY3C_GwfSOeRb_GmK\" alt=\"\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p>The Dutch Autoriteit Persoonsgegevens requested feedback on the AI Act&#8217;s ban on AI systems that recognize emotions in work or education, (unless for medical or safety reasons). The conditions outlined in data protection legislation must also be fulfilled if emotion recognition is done using personal information. <a href=\"https:\/\/www.dataguidance.com\/news\/netherlands-ap-announces-next-steps-prohibited-emotion\">Clarity is required on the definitions of emotions, biometric information, and the boundaries of &#8220;workplace&#8221; and &#8220;educational institutions<\/a>.&#8221;&nbsp;<\/p>\n<\/div><\/div>\n\n\n\n<p>In particular, in the GDPR, the definition of \u2018biometric data\u2019 is linked to the unique identification of a natural person that is allowed or confirmed by the processing of personal data. AP notes that the definition of the term \u2018biometric data\u2019 in the AI Act must be interpreted in the light of the GDPR. The <a href=\"https:\/\/www.autoriteitpersoonsgegevens.nl\/en\/documents\/summary-and-next-steps-call-for-input-on-prohibition-on-ai-systems-for-emotion-recognition-in-the-areas-of-workplace-or-education-institutions\">distinction between emotions and physical states and between emotions and easily visible expressions<\/a> also remains unclear.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">In other news<\/h4>\n\n\n\n<p><strong>Web browsing data fine: <\/strong>America\u2019s FTC requires <a href=\"https:\/\/www.ftc.gov\/legal-library\/browse\/cases-proceedings\/2023033-avast\">Avast to pay 16.5 million dollars,<\/a> (which will be used to compensate consumers), and prohibit the company from selling or licensing any web browsing data for advertising purposes to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking. The FTC alleged Avast sold that data to more than 100 third parties through its Czech subsidiary, unfairly collected consumers\u2019 browsing information through the company\u2019s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and consumer consent.&nbsp;<\/p>\n\n\n\n<p><strong>Refused bank loan: <\/strong>It is not possible to further process the data of a loan applicant if no customer agreement has been concluded with the bank, confirmed the Polish Supreme Administrative Court in its recent judgment. The court agreed with the data protection regulator UODO,&nbsp; that the processing of data in the scope of creditworthiness assessment and credit risk analysis, related to inquiries that did not end with the granting of a loan, <a href=\"https:\/\/uodo.gov.pl\/pl\/138\/3558\">cannot be used, (neither by the bank nor the credit information bureau), in connection with the legitimate interest of the data controller<\/a>.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Data security<\/h4>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:26% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdT0UWtRQManoI693_oQjXQRmMy0NJ2Q-vtUdB5w7A8a0LRTajhQ7l0AA1OQeTaGEoGMqzY8C2T_wSWvBaYraKFznRfJ3-ht85xy7uYiRWSNoXTjPXqEWpCepn0wLztsKvv6cfv?key=eFpRqlyCY3C_GwfSOeRb_GmK\" alt=\"\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p><strong>Location data: <\/strong>The Data Protection Commissioner in North Rhine-Westphalia warns citizens against being too careless with their location data. If people are careless when selecting an app and sharing personal data, they make it <a href=\"https:\/\/www.ldi.nrw.de\/Standortdaten\">easier for third parties to collect location data and resell it to data traders<\/a>. The data traders could then use the location information in conjunction with the device-specific ID to create individual movement profiles.<\/p>\n<\/div><\/div>\n\n\n\n<p>Consumers should ideally pick up their smartphone and check the system settings to see which app has been granted access rights. If in doubt, you should revoke permission.<\/p>\n\n\n\n<p><strong>Self-declared GDPR compliance:<\/strong> The Liechtenstein data protection authority asks organisations to be careful with self-declared GDPR compliance of software solutions or cloud services. Instead,<a href=\"https:\/\/www.datenschutzstelle.li\/aktuelles\/aktuelles-aus-der-datenschutzstelle-4\"> it is necessary to check whether the respective service can achieve the determined level of protection with appropriate settings or measures<\/a>. Security measures in the cloud include encryption mechanisms or regulations on access rights. Under certain conditions, the aforementioned check must be carried out in the form of a data protection impact assessment (DPIA).<\/p>\n\n\n\n<p>Suppose the data stored in the cloud is transferred to a third country outside the EU\/EEA area.  It must also be checked whether this offers a level of protection equivalent to that in the EU\/EEA area or can be ensured through suitable measures and guarantees under the GDPR. In addition, providers of cloud services are usually contracted as data processors, which is why the existence of a legally compliant data processing contract must be observed.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">In case you missed it<\/h4>\n\n\n\n<p><strong>AI from non-EU countries: <\/strong>A number of European regulators draw attention to the risks associated with the use of AI \u200b\u200btools like DeepSeek. Although this model of generative AI is freely accessible on the Internet, the manufacturer did not design it for the European market. Based on current knowledge, it can be assumed that the requirements of the AI Act and the GDPR in particular are not met. Some practical steps can be assumed:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Pay attention to the transparency of the provider and appropriate documentation.<\/li>\n\n\n\n<li>Use a separate, secure IT environment to avoid data leaks.<\/li>\n\n\n\n<li>If no privacy-preserving measures are known, it is reasonable to assume that none exist (and inform your employees of the risks associated).<\/li>\n\n\n\n<li>Take into account the AI \u200b\u200bcompetence and ban on prohibited AI practices that must be ensured from February following the AI Act.&nbsp;<\/li>\n\n\n\n<li>Make sure that the manufacturer of the AI \u200b\u200bapplication, if it is also responsible for data protection and is not based in the EU, has appointed a GDPR representative, (otherwise, the effective enforcement of the rights of those affected can become very difficult).<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:26% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcLlP4joYCjGpw1KupPuaALxfjGltZGe9b3ScJx2C4pQZWDrDI1uKArRv_Xu2U1UXcEHUCGEkBHbOavkgsqD4AVpHkYU1mjTTK2tLj1vtVnTiZjIsj67F8qxDRi3w_owYzfIz61?key=eFpRqlyCY3C_GwfSOeRb_GmK\" alt=\"\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p><strong>AI in education: <\/strong>The Future of Privacy Forum meanwhile highlights the Spectrum of AI in education in its latest <a href=\"https:\/\/fpf.org\/wp-content\/uploads\/2025\/02\/FPF_spectrum_of_AI_in_EDU_2-10-25.pdf\">infographics.<\/a> While generative AI tools that can write essays, generate and alter images, and engage with students have brought increased attention on the students, schools have been using AI-enabled applications for years for predictive or content-generating purposes too, including reasoning, pattern recognition, and learning from experience. <\/p>\n<\/div><\/div>\n\n\n\n<p>In practice, they often help with: <a href=\"https:\/\/fpf.org\/blog\/fpf-releases-infographic-highlighting-the-spectrum-of-ai-in-education\/\">automated grading and feedback, student monitoring, curriculum development, intelligent tutoring systems, school security<\/a> and much more.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Data Act is almost here In February, the European Commission published a set of updated technical FAQs on the implementation of the legal provisions of the Data Act, applicable as soon as of 12 September 2025.\u00a0 It enhances data sharing and enables a fair distribution of data value by establishing clear rules related to [&hellip;]<\/p>\n","protected":false},"author":21,"featured_media":10385,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[94],"tags":[173,334,126,89,165,95,58],"class_list":["post-10382","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-protection-digest","tag-data-act","tag-dora","tag-dpia","tag-dpo","tag-employment-data","tag-eu-us-data-transfer","tag-gdpr-compliance"],"acf":[],"featured_image_urls":{"full":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280.jpg",1280,853,false],"thumbnail":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280-150x150.jpg",150,150,true],"medium":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280-300x200.jpg",300,200,true],"medium_large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280-768x512.jpg",640,427,true],"large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280-1024x682.jpg",640,426,true],"1536x1536":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280.jpg",1280,853,false],"2048x2048":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280.jpg",1280,853,false],"image-200-200":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280-200x200.jpg",200,200,true]},"post_excerpt_stackable":"<p>The Data Act is almost here In February, the European Commission published a set of updated technical FAQs on the implementation of the legal provisions of the Data Act, applicable as soon as of 12 September 2025.\u00a0 It enhances data sharing and enables a fair distribution of data value by establishing clear rules related to the access and use of data within the EU &#8211; B2B, B2C, and B2G. The guide elaborates among other things on: the definitions of data users, data holders and third parties, as well as&nbsp; cloud and service interoperability requirements,&nbsp; fairness of data-sharing contracts, and&nbsp; enforcement&hellip;<\/p>\n","category_list":"<a href=\"https:\/\/techgdpr.com\/blog\/category\/data-protection-digest\/\" rel=\"category tag\">Data Protection Digest<\/a>","author_info":{"name":"Olya Vasylyk","url":"https:\/\/techgdpr.com\/blog\/author\/olyav\/"},"comments_num":"0 comments","featured_image_urls_v2":{"full":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280.jpg",1280,853,false],"thumbnail":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280-150x150.jpg",150,150,true],"medium":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280-300x200.jpg",300,200,true],"medium_large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280-768x512.jpg",640,427,true],"large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280-1024x682.jpg",640,426,true],"1536x1536":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280.jpg",1280,853,false],"2048x2048":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280.jpg",1280,853,false],"image-200-200":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280-200x200.jpg",200,200,true]},"post_excerpt_stackable_v2":"<p>The Data Act is almost here In February, the European Commission published a set of updated technical FAQs on the implementation of the legal provisions of the Data Act, applicable as soon as of 12 September 2025.\u00a0 It enhances data sharing and enables a fair distribution of data value by establishing clear rules related to the access and use of data within the EU &#8211; B2B, B2C, and B2G. The guide elaborates among other things on: the definitions of data users, data holders and third parties, as well as&nbsp; cloud and service interoperability requirements,&nbsp; fairness of data-sharing contracts, and&nbsp; enforcement&hellip;<\/p>\n","category_list_v2":"<a href=\"https:\/\/techgdpr.com\/blog\/category\/data-protection-digest\/\" rel=\"category tag\">Data Protection Digest<\/a>","author_info_v2":{"name":"Olya Vasylyk","url":"https:\/\/techgdpr.com\/blog\/author\/olyav\/"},"comments_num_v2":"0 comments","yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Data protection digest 16 Feb - 2 Mar 2025: Data Act to strengthen EU digital market, vigilance over US data transfers - TechGDPR<\/title>\n<meta name=\"description\" content=\"TechGDPR\u2019s review of the most important data-related stories: Data Act to strengthen EU digital market, vigilance over US data transfers\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/techgdpr.com\/blog\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Data protection digest 16 Feb - 2 Mar 2025: Data Act to strengthen EU digital market, vigilance over US data transfers - TechGDPR\" \/>\n<meta property=\"og:description\" content=\"TechGDPR\u2019s review of the most important data-related stories: Data Act to strengthen EU digital market, vigilance over US data transfers\" \/>\n<meta property=\"og:url\" content=\"https:\/\/techgdpr.com\/blog\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\/\" \/>\n<meta property=\"og:site_name\" content=\"TechGDPR\" \/>\n<meta property=\"article:published_time\" content=\"2025-03-04T10:01:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-11T12:05:23+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"853\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Olya Vasylyk\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@techgdpr\" \/>\n<meta name=\"twitter:site\" content=\"@techgdpr\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Olya Vasylyk\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\\\/\"},\"author\":{\"name\":\"Olya Vasylyk\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/person\\\/07e9c14fd01b25bd2c1907537e8547e8\"},\"headline\":\"Data protection digest 16 Feb &#8211; 2 Mar 2025: Data Act to strengthen EU digital market, vigilance over US data transfers\",\"datePublished\":\"2025-03-04T10:01:00+00:00\",\"dateModified\":\"2025-06-11T12:05:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\\\/\"},\"wordCount\":2343,\"publisher\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/europe-palace-5414751_1280.jpg\",\"keywords\":[\"Data Act\",\"DORA\",\"DPIA\",\"dpo\",\"employment data\",\"EU-US data transfer\",\"GDPR Compliance\"],\"articleSection\":[\"Data Protection Digest\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\\\/\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\\\/\",\"name\":\"Data protection digest 16 Feb - 2 Mar 2025: Data Act to strengthen EU digital market, vigilance over US data transfers - TechGDPR\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/europe-palace-5414751_1280.jpg\",\"datePublished\":\"2025-03-04T10:01:00+00:00\",\"dateModified\":\"2025-06-11T12:05:23+00:00\",\"description\":\"TechGDPR\u2019s review of the most important data-related stories: Data Act to strengthen EU digital market, vigilance over US data transfers\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\\\/#primaryimage\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/europe-palace-5414751_1280.jpg\",\"contentUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/europe-palace-5414751_1280.jpg\",\"width\":1280,\"height\":853,\"caption\":\"Data Act\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/techgdpr.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Data protection digest 16 Feb &#8211; 2 Mar 2025: Data Act to strengthen EU digital market, vigilance over US data transfers\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#website\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/\",\"name\":\"TechGDPR\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/techgdpr.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\",\"name\":\"TechGDPR\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/staging.techgdpr.com\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/TGDPR_logo_500px.png\",\"contentUrl\":\"https:\\\/\\\/staging.techgdpr.com\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/TGDPR_logo_500px.png\",\"width\":501,\"height\":334,\"caption\":\"TechGDPR\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/techgdpr\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/techgdpr\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/person\\\/07e9c14fd01b25bd2c1907537e8547e8\",\"name\":\"Olya Vasylyk\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/readyIMG_3694-1-2-150x150.jpg\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/readyIMG_3694-1-2-150x150.jpg\",\"contentUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/readyIMG_3694-1-2-150x150.jpg\",\"caption\":\"Olya Vasylyk\"},\"description\":\"Creator and editor of TechGDPR\u2019s weekly Digest. Postgraduate masters Diploma in Data Protection, Digital law and Management. Over a decade Olga previously was a broadcast journalist in Ukraine and France specializing in international affairs.\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/author\\\/olyav\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Data protection digest 16 Feb - 2 Mar 2025: Data Act to strengthen EU digital market, vigilance over US data transfers - TechGDPR","description":"TechGDPR\u2019s review of the most important data-related stories: Data Act to strengthen EU digital market, vigilance over US data transfers","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/techgdpr.com\/blog\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\/","og_locale":"en_US","og_type":"article","og_title":"Data protection digest 16 Feb - 2 Mar 2025: Data Act to strengthen EU digital market, vigilance over US data transfers - TechGDPR","og_description":"TechGDPR\u2019s review of the most important data-related stories: Data Act to strengthen EU digital market, vigilance over US data transfers","og_url":"https:\/\/techgdpr.com\/blog\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\/","og_site_name":"TechGDPR","article_published_time":"2025-03-04T10:01:00+00:00","article_modified_time":"2025-06-11T12:05:23+00:00","og_image":[{"width":1280,"height":853,"url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280.jpg","type":"image\/jpeg"}],"author":"Olya Vasylyk","twitter_card":"summary_large_image","twitter_creator":"@techgdpr","twitter_site":"@techgdpr","twitter_misc":{"Written by":"Olya Vasylyk","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\/#article","isPartOf":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\/"},"author":{"name":"Olya Vasylyk","@id":"https:\/\/techgdpr.com\/#\/schema\/person\/07e9c14fd01b25bd2c1907537e8547e8"},"headline":"Data protection digest 16 Feb &#8211; 2 Mar 2025: Data Act to strengthen EU digital market, vigilance over US data transfers","datePublished":"2025-03-04T10:01:00+00:00","dateModified":"2025-06-11T12:05:23+00:00","mainEntityOfPage":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\/"},"wordCount":2343,"publisher":{"@id":"https:\/\/techgdpr.com\/#organization"},"image":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\/#primaryimage"},"thumbnailUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280.jpg","keywords":["Data Act","DORA","DPIA","dpo","employment data","EU-US data transfer","GDPR Compliance"],"articleSection":["Data Protection Digest"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\/","url":"https:\/\/techgdpr.com\/blog\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\/","name":"Data protection digest 16 Feb - 2 Mar 2025: Data Act to strengthen EU digital market, vigilance over US data transfers - TechGDPR","isPartOf":{"@id":"https:\/\/techgdpr.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\/#primaryimage"},"image":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\/#primaryimage"},"thumbnailUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280.jpg","datePublished":"2025-03-04T10:01:00+00:00","dateModified":"2025-06-11T12:05:23+00:00","description":"TechGDPR\u2019s review of the most important data-related stories: Data Act to strengthen EU digital market, vigilance over US data transfers","breadcrumb":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/techgdpr.com\/blog\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\/#primaryimage","url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280.jpg","contentUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/europe-palace-5414751_1280.jpg","width":1280,"height":853,"caption":"Data Act"},{"@type":"BreadcrumbList","@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/techgdpr.com\/"},{"@type":"ListItem","position":2,"name":"Data protection digest 16 Feb &#8211; 2 Mar 2025: Data Act to strengthen EU digital market, vigilance over US data transfers"}]},{"@type":"WebSite","@id":"https:\/\/techgdpr.com\/#website","url":"https:\/\/techgdpr.com\/","name":"TechGDPR","description":"","publisher":{"@id":"https:\/\/techgdpr.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/techgdpr.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/techgdpr.com\/#organization","name":"TechGDPR","url":"https:\/\/techgdpr.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/#\/schema\/logo\/image\/","url":"https:\/\/staging.techgdpr.com\/wp-content\/uploads\/2018\/04\/TGDPR_logo_500px.png","contentUrl":"https:\/\/staging.techgdpr.com\/wp-content\/uploads\/2018\/04\/TGDPR_logo_500px.png","width":501,"height":334,"caption":"TechGDPR"},"image":{"@id":"https:\/\/techgdpr.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/techgdpr","https:\/\/www.linkedin.com\/company\/techgdpr"]},{"@type":"Person","@id":"https:\/\/techgdpr.com\/#\/schema\/person\/07e9c14fd01b25bd2c1907537e8547e8","name":"Olya Vasylyk","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/wp-content\/uploads\/2021\/10\/readyIMG_3694-1-2-150x150.jpg","url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2021\/10\/readyIMG_3694-1-2-150x150.jpg","contentUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2021\/10\/readyIMG_3694-1-2-150x150.jpg","caption":"Olya Vasylyk"},"description":"Creator and editor of TechGDPR\u2019s weekly Digest. Postgraduate masters Diploma in Data Protection, Digital law and Management. Over a decade Olga previously was a broadcast journalist in Ukraine and France specializing in international affairs.","url":"https:\/\/techgdpr.com\/blog\/author\/olyav\/"}]}},"_links":{"self":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/10382","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/comments?post=10382"}],"version-history":[{"count":24,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/10382\/revisions"}],"predecessor-version":[{"id":10739,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/10382\/revisions\/10739"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/media\/10385"}],"wp:attachment":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/media?parent=10382"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/categories?post=10382"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/tags?post=10382"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}