As the first trimester of 2025 comes to a close, we at CRANIUM have compiled the key developments that DPOs should look out for.
This year continues the trend of the last few years as new rules enter into force. Among others, the first two chapters of the AI Act became applicable as of 2 February 2025, and the EU Data Act enters into force later this year, alongside changes on the international landscape with a new US President in the White House.
With these seismic shifts on the horizon, this article highlights the key points for DPOs and, more broadly, privacy professionals to be aware of:
1. Data Act applicable September 2025
In September 2025, the rules of the EU Data Act will become applicable, establishing rules that empower and regulate data sharing and mobility related to connected products. Although the Data Act is not limited to personal data, and overseeing its implementation is therefore not solely the DPO's responsibility, data subjects' information will be among the streams of data that the Data Act aims to open up.
It is thus imperative for DPOs and privacy professionals to understand the rules under this new instrument, as Data Act implementations will surely affect data protection rights under the GDPR. The notable changes for DPOs and privacy professionals to be aware of are:
Enhanced data portability, data sharing and access.
The Data Act introduces new rules, and reinforces existing ones, to ensure that the data held in connected products and services is easily shared and accessible. While DPOs are not specifically targeted by the Data Act, all privacy professionals must ensure that Data Sharing Agreements relying on this enhanced portability adhere to the principles of the GDPR. The Data Act creates a right for users to access data generated by connected products, so DPOs and privacy professionals must always be kept in the loop whenever personal data is involved.
Contractual imbalances are addressed.
DPOs will need to be cognizant of the power imbalances that may exist between data holders and the parties seeking access to the data they hold. The Data Act addresses these imbalances through minimum requirements, but additional safeguards should be put in place whenever personal data is involved.
The public sector may access the data in cases of emergencies.
In cases of public emergency, such as natural disasters, public bodies will have the right to access data from the private sector, which may include personal data. Although this right applies only under exceptional circumstances, DPOs and privacy professionals will be important actors in monitoring its use and ensuring that its exercise remains compliant with the GDPR.
2. Impact of the AI Act
With the first two chapters of the AI Act having entered into force in February, and the rules on obligations for General Purpose AI providers entering into force in August 2025, privacy professionals' work will be affected too, and it is important for them to be aware of these changes. Training AI models requires data, some of which may be personal data. As the AI Act shapes the workflow of AI development in the EU, DPOs and privacy professionals will need to understand these rules in order to be prepared for their role.
Chapters 1 and 2 of the AI Act, applicable 2 February 2025, require the following:
- Providers must oversee mandatory AI literacy training for all staff involved with AI systems, so that they understand the risks of AI. Since awareness training on data protection issues is already one of the roles taken up by DPOs and privacy professionals, it is advisable for them to be involved in these sessions and to ensure that data protection awareness for these systems is covered as well.
- The prohibition of certain AI practices, such as unlawful facial recognition, gives the DPO another tool for arguing against high-risk processing of personal data.
The rules regarding general-purpose AI, applicable from 2 August 2025, contain one requirement of particular relevance to privacy professionals: risk assessments and proper documentation will be required for AI models with systemic risk.
Privacy professionals, as the centre of data protection knowledge in many organizations, will play a role in assessing the privacy risks and potential security concerns as these assessments are carried out.
3. Will we have a Schrems III with Trump in office?
Amid the reforms and actions in EU-US relations as President Donald Trump's second term begins, the future of the Transatlantic Data Privacy Framework (DPF) is called into question. This framework underpins the Commission's adequacy decision for the US, which allows EU-to-US international transfers under the GDPR. With key Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB) dismissed, one of the key oversight mechanisms for the DPF has potentially been left non-functional, or at the very least its degree of independence is open to question. If this results in threats to the protection of personal data transferred to the US, EU controllers may no longer be able to rely on the current adequacy decision to transfer data there.
DPOs and privacy professionals must be aware of the risk that data transfers, notably to US cloud providers, may not be possible under an adequacy decision for much longer. At the very least there is legal uncertainty, as doubts about the independence of the PCLOB leave the DPF, which already had a plethora of weak spots, in a precarious state.
It is critical for DPOs to prepare for the scenario in which the basis for current data transfers becomes invalid. This may mean considering alternative cloud providers and other partners, or exploring other avenues to protect data abroad, such as dusting off those old SCCs (Standard Contractual Clauses).