How can consumers' right to access payment accounts with basic features be reconciled with banks' anti-money laundering duties? AG de la Tour in Case C-81/24

The CJEU was recently asked to interpret Directive 2014/92/EU on access to payment accouts with basic features (PAD), which is to the best of my knowledge the first or at least one of the few preliminary rulings interpreting PAD. The question is how can the right to access payment accounts with basic features or basic bank accounts be reconciled with the bank's duty to comply with anti-money laundering rules. This essentially requires weighing two important policy goals, the financial inclusion of consumers, who have no other payment account, which is a cornerstone of financial inclusion,  and the aim to prevent the use of the the EU financial system for the purposes of money laundering and terrorist financing.

The question referred to the CJEU by the Slovenian Okrajno sodišče v Mariboru asks whether Article 16(4) of Directive 2014/92, read in the light of Directive 2015/849 or the Fourth Anti-Money Launderng Directive (4AMLD), may be interpreted as authorising Member States to require banks to reject a consumer’s application to open a payment account with basic features on the ground that he or she is included in a list of the Office of Foreign Assets Control (OFAC) of the United States Department of the Treasury. 

Article 16(1) of PAD provides a right for consumers to access basic payment accounts and confers a duty on Member States to ensure that all credit institutions or at least a sufficient number of them guarantee the provision of basic bank accounts. This right belongs to all consumers legally resident in the Member State, including asylum seekers or those with no fixed address (Article 16(2)). However, Article 16(4) provides an exception to the right. Banks can refuse the consumer's request to open the basic bank account where the opening of such an account would infringe the bank's duties to prevent money laundering and terrorism financing. The PAD therefore gives primary to national securty and financial stability matters over financial inclusion of individuals. However, the question is to what degree. The problem here was whether the mere fact of being included on an OFAC list, without having been convicted of any offence for which he is on that list, or having been subject to any restrictive measure from the United Nations, the European Union or a Member State is sufficient to constitute a breach of the provisions relating to the prevention of money laundering and terrorist financing which may therefore justify a refusal to open a payment account with basic features. Even if inclusion on such a list constitutes a special circumstance justifying increased vigilance, it was not clear whether it can justify a refusal to open a payment account with basic features.

As Advocate General Richard de la Tour notes in his Opinion delivered 4 Sepember 2025, the difficulty is that both directives are minimum harmonisation, allowing Member States to adopt more stringent measures. Nevertheless, the 4AMLD in Article 8 at minimum requires that Member States ensure banks have in place policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified at the level of the Union, the Member State and the bank. These should include customer due diligence set out in Article 10, which includes identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source, assessing the purpose and intended nature of the business relationship and conducting ongoing monitoring of the business relationship. As the AG rightly notes in his analysis, while the fact of being included in OFAC may be a red flag warranting a more thorough due diligence, it should not be sufficient to outright refuse the open a basic bank account.

The AG therefore is of the opinion, that Article 16(4) of Directive must be interpreted as meaning that a banking institution may not refuse to open a payment account with basic features solely on the ground that the name of the consumer applying to open such an account is on the OFAC, unless, the applicable national law expressly provides for such a more stingent approach, given the minimum nature of the directives.

On the assignability of consumer claims under credit contracts: CJEU in Zwrotybankowe.pl (C‑80/24)

As consumer law remains under-enforced, it becomes all too common for consumers to assign their claims to third-party claim management companies, which typically operate on a contingency basis and take a percentage of the amounts successfully recovered. In Case C‑80/24, the consumer assigned their claim against a bank to Zwrotybankowe.pl, one such claim management company, which would retain 50% of the recovered amounts as remuneration. The assigned claim arose under Art. 30(1) of the Polish Law on Consumer Credit, which implements Art. 23 of the Consumer Credit Directive 2008 and imposes a penalty for the bank’s failure to comply with information obligations. In a proceeding brought by Zwrotybankowe.pl against the creditor bank, questions arose as to the assignability of the consumer claim in question and the court’s duty to assess the assignment agreement ex officio under the Unfair Terms Directive.

The first question concerns whether the Consumer Credit Directive precludes the assignment of consumer claims thereunder. This is because Art. 22(2) of said Directive prohibits the consumer from waiving their rights under it. A broad interpretation of this provision could suggest that consumers cannot assign claims arising under the Directive to third-party companies that make a profit from these legitimate claims (paras 13-14). However, the CJEU rejected such an interpretation. In particular, it drew an analogy with its reasoning in Case C‑11/23 concerning Art. 15 of Regulation (EC) No 261/2004, which similarly provides an ‘exclusion of waiver’. In that case, the airline’s general conditions included a prohibition of the transfer of passenger rights, in particular the right to compensation. The Court disallowed such a prohibition, in order ‘to ensure a high level of protection for air passengers and to enable [consumers] effectively to exercise their rights’, including ‘the freedom to choose the most effective way in which to defend his or her right’, such as ‘to transfer his or her claim to a third party in order to spare him- or herself difficulties and costs that might deter him or her from taking steps personally in relation to that carrier with the prospect of a limited financial return’ (para 27). Based on an analogous reasoning rooted in the rationale of weaker party protection, the Court held that Art. 22(2) of the Consumer Credit Directive likewise does not preclude the assignment of consumer claims arising under the Directive.

The second question goes on to ask: if the claim is assignable, should courts assess the unfairness of the assignment agreement ex officio – when the dispute before them arises from a different contract, namely the credit agreement? Recalling its case law on ex officio review under the Unfair Terms Directive, the Court confirmed that such a duty is limited to ‘the subject matter of the dispute’ (para 38). In this case, the assignment agreement ‘does not come within the limits of the subject matter of the dispute before it’ and therefore falls outside the ex officio review obligation under EU law (para 40). Moreover, since the consumer was not a party to the proceedings, the imbalance between a consumer and a trader, which justifies ex officio intervention, was also absent (paras 41-43). Accordingly, the Court concluded that the Unfair Terms Directive does not require national courts to assess the assignment agreement ex officio in such circumstances. Finally, the Court added that, where national law does allow such an ex officio review, the principle of effectiveness should serve to safeguard consumers’ procedural rights (para 46).

The reasoning in Zwrotybankowe.pl seems to give away a rather permissive stance towards third-party enforcement of consumer claims. Given that many instruments within the EU consumer acquis contain comparable prohibitions on waiver, one may ask whether the Court’s analogy extends to those regimes as well. Sure, consumers should have the freedom to spare themselves from the ‘difficulties and costs’ of private enforcement, but how much should they pay for such convenience? And if these ‘difficulties and costs’ stem from a systematic failure in consumer enforcement, is the privatisation of enforcement – and the shifting of its costs to consumers whose rights have been infringed in the first place – really the right call?

From dream vacation to legal dispute: CJEU in Tuleka (C-469/24)

Tirana Post 

Some consumers have truly bad luck, but their misfortune raises interesting legal questions. In Tuleka (C-469/24), the applicants booked a 1-week, all-inclusive package holiday in a 5-star hotel in Albania. What was meant to be a dream vacation quickly turned into an ordeal due to: 1) Demolition of hotel swimming pools, commissioned by Albanian authorities and carried out in the presence of media and police; 2) Consequential destruction of the seafront promenade and waterfront infrastructure, blocking access to the sea; 3) Long queues and limited meals at the hotel restaurant; 4) Construction work to add a fifth floor, with building materials transported by guest elevators. Unsurprisingly, the travellers filed a claim for damages upon their return. They sought compensation for material damages equal to the full price of the package (due to non-performance) and non-material damages (exceeding the amount of material losses). 

Article 13 of the Package Travel Directive 2015/2302 makes organisers responsible for the performance of the package, with an option for the Member States to extend that responsibility to retailers, as well. This is irrespective of which travel service provider is to perform the service. Organisers must offer alternative arrangements and otherwise remedy lack of conformity, unless doing so is impossible or entails disproportionate costs. In that case, Article 14 entitles travellers to a price reduction and appropriate compensation, unless the lack of conformity is "attributable to a third party unconnected with the provision of the travel services included in the package travel contract and is unforeseeable and unavoidable". The hotel indeed argued that the swimming pool's demolition was attributable to a third party (Albanian authorities) and constituted an extraordinary circumstance.

Burden of proof: Attribution does not require fault

Polish law implementing the PTD placed a burden of proof on organisers that the lack of conformity was due to the fault of a third party to escape liability. This higher threshold limited organisers' ability to exonerate themselves. The CJEU held this approach incompatible with Article 14(3)(b) PTD. The phrase "attributable to" must be interpreted autonomously, given its lack of definition in the PTD (para 31). Its ordinary meaning refers to an outcome resulting from a person's conduct - without implying intentional or negligent failure (para 32). Consequently, attribution does not require fault. This interpretation gives organisers more scope to avoid liability (para 33). This interpretation is further aligned with the Directive's structure and context (para 36). As the PTD provides maximum harmonisation, the Member States cannot impose stricter standards (para 38).

Full refund for serious non-conformity 

The second question inquired whether travellers could claim a full price reduction, that is the total cost of the package, even if some services were performed, but the lack of conformity was serious. Article 14(1) PTD grants an "appropriate" price reduction, assessed objectively across the entire period of non-conformity (para 45). The assessment must consider not only organisers' obligations "explicitly stipulated in that contract, but also those linked to it as a result of the purpose of that contract" (para 46). The longer and more serious the non-performance or improper performance, the greater the price reduction (para 47). Considering the objective of the high level of consumer protection behind the adoption of the PTD, the CJEU determines that where the lack of conformity is so severe that the package travel no longer serves its purpose, that is it is objectively no longer of interest to the traveller, travellers are entitled to a full refund (para 49).

Price reduction and compensation: Restorative, not punitive

The PTD allows claims for non-material damages, which are always more difficult to quantify. A question arose whether in estimating travellers' damages any punitive damages should be considered (para 56). The CJEU emphasises the language of Article 14 PTD and clarifies that it aims to restore contractual balance (para 57), and does not mention or permit punitive damages (para 58). Punitive damages are therefore excluded (para 60).

Extraordinary circumstances: Was demolition unforeseeable?

Finally, the Court considered whether the demolition order issued by national authorities qualified as an unavoidable and extraordinary circumstance. Article 3(12) PTD defines such circumstances as events beyond the control of the organiser that could not have been avoided with reasonable measures (para 62). Recital 31 PTD contains a non-exhaustive list (para 63) and prior case law likens this concept to force majeure (para 64), demanding these events were unforeseeable (para 65). An order to demolish the swimming pool was unlikely unforeseeable, as such decisions are typically debated and publicised (para 67). The national court must determine whether either the organiser or hotel manager was notified of the administrative procedure or the content of the decision before it was implemented (para 70). 

Reforming Consumer Alternative Dispute Resolution in the EU

Online shopping has transformed how we buy goods and services, but it has also exposed a recurring challenge: resolving disputes when things go wrong. Damaged products, delayed deliveries, or disputes over contract terms, can leave consumers frustrated. Traditional litigation is often slow, costly, and intimidating, particularly for low-value claims. Alternative Dispute Resolution (ADR) provides a faster, cheaper, and more accessible way for consumers and traders to settle disputes outside the courts. 

For the past decade, the EU has relied on ADR Directive, complemented by the European Online Dispute Resolution (ODR) platform established under ODR Regulation.

Over time, it has become evident that the existing ADR framework is unable to adequately address emerging types of disputes, such as those involving digital content, personal data in exchange for services, and pre-contractual obligations. According to the 2023 Consumer Conditions Scoreboard, one in four EU consumers faces a problem worthy of complaint, yet only a small proportion make use of ADR. Although the ODR platform, operational since 2016, attracted significant web traffic, it processed only around 200 cases per year across the EU, rendering its continuation both economically and practically unjustifiable. These shortcomings underscore the need to modernise the ADR provisions and replace the underutilised ODR platform with a more responsive mechanism that better reflects the realities of today’s digital market.

In response, the European Commission proposed a legislative package in October 2023, including a revision of the ADR Directive and the repeal of the ODR Regulation. Supporting this initiative, on July 17, 2025, the Council and the European Parliament reached an agreement on the final compromise text of the Proposal for a Directive amending the ADR Directive, currently pending formal adoption.

Forthcoming Changes in the ADR and ODR Regime

Expanded Scope: The proposed amendments extend the ADR Directive to pre- and post-contractual disputes, including misleading advertising, missing mandatory information, and digital content paid for with personal data. Non-EU traders may participate voluntarily, providing broader protection for EU consumers in cross-border cases.

Minimum harmonisation: Member States will be required to meet the baseline standards while retaining discretion to provide stronger consumer protection and extend ADR to additional disputes under EU or national law. Once adopted, consumer ADR will be governed under a single instrument, as the ODR Regulation has been repealed.

Clear deadlines: Traders must respond to ADR bodies within 20 working days (or 30 for complex disputes). Non-response counts as refusal to participate.

Automation: Digital tools and automated systems may be used, provided that: 

• Consumers are informed before the process begins;
• Consumers retain the right to human review;
• Personal data processed by automated systems complies with GDPR.

Incentives for participation: Member States are encouraged to introduce financial and non-financial incentives, such as reduced fees, awareness campaigns, or certification for compliant businesses. Sectors with low ADR participation or high complaint volumes, such as air transport and tourism, will receive special attention.

ADR contact points: Newly established ADR contact points will replace former ODR contact points, guiding consumers and traders to the competent ADR entity and explaining procedural rules. Contact points will be assigned based on the consumer’s residence, and Member States may extend their mandate to domestic disputes.

Additional measures:

• Consumers may be assisted by third parties (for example, consumer organisations or claims management companies), with transparency obligations maintained;
• ADR entities may bundle similar disputes to improve efficiency, with consumer consent;
• ADR entities will be required to publish biennial activity reports (Member States may set shorter reporting periods);
• Natural persons handling disputes will need to possess relevant expertise, including private international law.

The text is expected to be adopted by the European Parliament between 15-18 December 2025, followed by the Council. This indicates that the Proposal still remains subject to change and its final content may differ, so the current version should be considered provisional. 

Another key legislative step by the Parliament and the Council was Regulation (EU) 2024/3228 of 19 December 2024, repealing the ODR Regulation with regard to the discontinuation of the European ODR Platform. The document entered into force on January 19, 2025, and the ODR platform was discontinued on July 20, 2025. The European Commission was tasked with developing a new digital tool facilitating cross-border ADR with machine translation, which has yet to be developed.

Potential Implementation Challenges

While these reforms promise a more accessible and efficient system, implementing them in practice may present several challenges. Relying on automation can improve efficiency in ADR processes, but it may raise fairness and data protection risks. While GDPR compliance, transparent decision-making, and mandatory human review are essential to maintain consumer trust, implementing these safeguards in practice can be complex and resource-intensive. At the same time, Member State discretion allows for tailored approaches, yet risks creating inconsistent consumer experiences across the EU. Adequate resource allocation is also a concern since training staff and maintaining digital tools require investment, which may be challenging for smaller or less-resourced Member States. Finally, expanding ADR to non-EU traders broadens consumer protection but introduces cross-border enforcement challenges that necessitate clear guidance and oversight to ensure compliance. 

Looking Ahead

The proposed amendments to the ADR Directive aim to make dispute resolution faster, more accessible, and better suited to the digital age. Monitoring Member State implementation will be essential to evaluate effectiveness. Applied consistently, these changes could create a reliable, inclusive, and digitally integrated system for resolving consumer disputes outside the courts.

By Sitora Saidova

PhD Candidate, School of Law

University of Essex

Conference: 50 Years of Consumer Law in the European Union: Past, Present, and Future

On Friday, November 21, a conference "50 Years of Consumer Law in the European Union: Past, Present, and Future" takes place at the University of Luxembourg. With the conference speakers including prominent European consumer law scholars, judges and AG of the Court of Justice of the EU, as well as representatives of the European Commission, this event promises to deliver engaging and informative discussions on the trends of consumer protection. The registration is free of charge (on this website) and you may also participate in the event online.

When Lightning Strikes: CJEU in AirHelp Germany (C-399/24)

On 16 October, the CJEU issued another flight-related judgment in the case of AirHelp Germany (C-399/24), offering further interpretation of the concept of "extraordinary circumstances" under Regulation 261/2004. The central question was as follows: Does a lightning strike to an aircraft, leading to mandatory safety inspections and a delayed return to service, qualify as an extraordinary circumstance exempting the air carrier from compensation obligations? 

The CJEU ruled that it does. While the notion of "extraordinary circumstances" must be interpreted strictly, since it creates exceptions to the high level of air passenger protection (para 18), meteorological conditions are explicitly recognised as such circumstances (para 21). This includes "the risk of the aircraft being struck by lightning" (para 23). 

The Court emphasised that this risk is not inherent to the normal nature of activities of air carriers, even though planes are designed to withstand such events (para 22). Drawing a parallel with bird strikes, the Court classified both as "collision with a foreign body" (para 24). Moreover, the mandatory safety inspections following a lightning strike are considered distinct from routine malfunctions of aircraft components. These inspections are not "intrinsically linked to the operating system" of the plane (para 26). The lightning strike itself is deemed an event outside the actual control of the air carrier (para 31). As a result, the two cumulative conditions required to classify an event as an "extraordinary circumstance" were found to be satisfied.

The judgment leaves it to national courts to assess whether the air carrier took all reasonable measures to avoid long delay for passengers. This includes evaluating whether the airline acted diligently, without being expected to make "intolerable sacrifices in the light of capacities of its undertaking at the relevant time" (para 37).

Pets as baggage in air travel - CJEU in Iberia (C-218/24)

From an outsider's perspective, the recent judgment may appear controversial. "Pets as baggage" is likely to strike non-lawyers as dehumanising - suggesting that animals are treated as mere objects. However, lawyers may appreciate the legal advantages of such classification. Under international travel rules, such as the Montreal Convention, categorising pets as baggage can trigger compensation mechanisms if they are lost, or damaged, during transit. But does this legal framing actually benefit pet owners? 

In the given case, passengers on a flight from Buenos Aires (a city known for its large dog population) to Barcelona were travelling with a dog. Due to its size, the dog could not be accommodated in the cabin and was instead to be placed in the aircraft hold, inside a special pet carrier. The owner checked in the pet carrier, but tragically, "the dog left the pet carrier, ran around in the vicinity of the aircraft and could not be recovered" (para 16).

The Montreal Convention standardises compensation for lost baggage, unless passengers make a "special declaration of interest in delivery at destination" during check-in, and pay any required surcharge. In this case, the dog's owner did not make such a declaration. The legal issue then became whether the owner could claim compensation for non-material damages, or whether the Montreal Convention's baggage rules limited such claims. Spanish law recognises pets as sentient beings, and thus does not equate their loss with that of material things typically found in baggage (para 19).

The CJEU emphasised that the Montreal Convention is designed to define the limits of air carriers' liability for transporting passengers and their baggage (para 23). Since the Convention does not explicitly define "baggage," the term must be interpreted uniformly and autonomously (para 26). 

While the ordinary meaning of "baggage" refers to objects (para 29), the CJEU noted that for the Montreal Convention to apply to pets, they must be classified either as "passengers" or "baggage". Given this binary, the Court found "baggage" to be the more appropriate legal category (paras 33-34). Importantly, the Convention's liability limits for lost baggage cover both material and non-material damages, meaning the pet's owner could not claim further compensation from the air carrier (para 41).

This ruling ultimately favours air carriers by providing greater legal certainty regarding the types of claims passengers can make for lost items - including pets. It also shields carriers from the complexities of differing national laws on non-material damages. The decision reflects the pragmatic logic of international air travel law.

Financial inlcusion and access to payment accounts with basic features: the current state of play in the EU

Financial inclusion, or access to affordable and useful financial services, is essential for our modern-day living. Access to payment accounts or bank accounts is a cornerstone of financial inclusion. It enables access to other essential services, such as receiving salary or pensions, social benefits, paying rent, making purchases at more favourable rates, paying bills, and accessing other financial services, including credit. Basic bank accounts move consumers from unbanked to banked.

The importance of basic bank accounts is recognised by the EU. Directive 2014/92 on the comparability of fees related to payment accounts provides a right to access payment accounts with basic features (Article 16), laying down minimal rules for Member States on providing access, ensuring affordability and raising awareness. 

While the objective of the Directive is to facilitate access to basic bank accounts across the EU, the 2023 Report from the European Commission on the application of Directive 2014/92 and the 2024 report from Finance Watch on Breaking down barriers to basic payment accounts suggest the Directive falls short of meeting its objective. 

The Finance Watch study relied on mystery shopping to provide a real picture of what is happening in the EU, based on examples of selected Member States, Spain, Germany and Romania. It has been found that:

• Basic bank accounts are often not affordable, e.g. in Germany, fees can reach up to £150, and in Spain, basic bank accounts are more expensive than standard accounts;

• These accounts are frequently not accessible; e.g. banks often impose documentary requirements such as a work contract, which then leaves out the unemployed, a poof of address that prevents homeless people from accessing these accounts. Often, these accounts cannot be opened online, and banks fail to offer them proactively; instead, consumers are pushed to ask for these accounts, explaining their own vulnerability;

• Perhaps most shockingly, the study shows little awareness of basic payment accounts. Bank staff are often unaware of these accounts or their eligibility, and there is little and hard-to-access information that consumers can access themselves.

Ten years after the adoption of the Directive, many, often the most vulnerable groups, are prevented from accessing these accounts.  According to the World Bank Findex (which has no data for Luxembourg), in 2021, 3.6% of Europe’s population were financially excluded. The highest number is recorded in Romania, where 30.9% of the population aged 15 or more did not own a bank account. They are followed by Bulgaria (16%), Hungary (11.8%), Croatia (8.2%), Portugal (7.4%), Cyprus (6.87%), the Czech Republic (5.6%), etc. 

These recent results signal the need for a more robust European legal regulatory framework that strengthens the above duties of access, affordability and awareness, and a need for better enforcement of the existing national rules.

Key GDPR Fines in Mid-2025: Luka (Replika), TikTok, and ING Bank Śląski

This post discusses three recent decisions of Data Protection Authorities imposing fines for GDPR infringements on Luka Inc., TikTok, and ING Bank Śląski. While most of our analyses usually focus on judgments of the Court of Justice of the European Union, in this case we turn to decisions of national authorities. Such decisions tend to attract significant attention, either because of the seriousness of the violations or the high amounts of the penalties, which makes them a frequent subject of debate. The three cases selected meet these criteria and, moreover, were issued within the past few months. They are also directly relevant to consumers, as they highlight risks that many of us face in everyday life when using apps or online services where personal data may be mishandled.

 

 

Luka Inc. 

On 10 April 2025, the Italian Data Protection Authority (Garante per la protezione dei dati personali) issued a decision against Luka Inc., the U.S. company behind the Replika chatbot. Replika is marketed as an AI “companion” designed to boost users’ mood and wellbeing, and can be set up as a friend, mentor, therapist or even a romantic partner. But according to the Garante, the way Luka handled users’ personal data fell far short of what the GDPR requires.

The investigation showed that Replika’s privacy policy did not clearly identify the legal ground for the many different ways in which users’ data were processed – for example, data used for running the chatbot versus data used for developing the large language model behind it. Instead of specifying purposes and corresponding legal bases, the policy only gave vague, generic statements like: “We care about the protection and confidentiality of your data. We therefore only process your data to the extent that: It is necessary to provide the Replika services you are requesting, you have given your consent to the processing, or we are otherwise authorized to do so under the data protection laws” (btw – doesn’t that sound familiar from many privacy policies?). This lack of granularity made it impossible for users to understand how their data were really being used, in breach of Articles 5(1)(a) and 6 GDPR.

What’s more, the privacy notice was only available in English, even though the service was offered in Italy. It also failed to explain key points required under GDPR: what kinds of data were collected, how long they were stored, whether data were transferred outside the EU, and for what purpose. Some statements were even misleading, for instance, suggesting that personal data might be transferred to the U.S., while the company later claimed no such transfers took place. Such gaps and contradictions meant that users could not make informed choices about their data.

However, the most troubling finding was that the Garante concluded Luka had failed to implement effective safeguards for children. Although the service was formally intended for adults, it lacked genuine age-verification mechanisms. Registration required only a name, email address, and gender, which allowed minors to create accounts. Even when users declared they were under 18, no technical barrier prevented them from accessing the platform. In practice, this meant that children could be exposed to age-inappropriate content, including sexually explicit material. Moreover, even after updates to the privacy policy, technical testing showed that under-18 users could still bypass the age restriction simply by editing their profile. 

 

For these violations, the Garante imposed an administrative fine of EUR 5,000,000, representing half of the maximum amount available under Article 83(5) GDPR.

 

 

TikTok Technology Limited

 

Another significant decision was issued by the Irish Data Protection Commission (DPC) in May 2025 against TikTok Technology Limited. Although the full text of the decision has not yet been published, the official press release provides insight into the reasons for the sanction.

 

The inquiry examined both the lawfulness of TikTok’s transfers of European users’ personal data to China and the adequacy of the company’s transparency regarding those transfers. The DPC concluded that TikTok had infringed the GDPR in two key respects.

 

First, the Commission found that TikTok’s transfers of user data to China violated Article 46(1) GDPR. The company failed to verify, guarantee, and demonstrate that personal data of European users – remotely accessed by staff in China – was afforded a level of protection essentially equivalent to that required within the EU. TikTok’s own assessments of Chinese law highlighted serious divergences from EU standards, particularly risks under the Anti-Terrorism Law, the Counter-Espionage Law, and the National Intelligence Law. Nevertheless, the company did not adequately address these risks or ensure that its contractual safeguards were effective.

 

Second, the DPC held that TikTok had not complied with the information duties set out in Article 13(1)(f) GDPR. Earlier versions of its privacy policy (in force between July 2020 and December 2022) failed to identify the countries involved in data transfers and did not explain the nature of the processing – for instance, that personnel in China could remotely access data stored in Singapore and the United States. This lack of clarity prevented users from understanding who could access their data and under what conditions.

 

The decision imposed not only administrative fines but also corrective measures. TikTok was given six months to bring its practices into compliance, failing which data transfers to China would have to be suspended altogether. The total fine amounted to EUR 530,000,000, comprising EUR 485,000,000 for the unlawful transfers and EUR 45,000,000 for the lack of transparency.

 

 

ING Bank Śląski

 

The third discussed decision was delivered on 23 July 2025 by the Polish Data Protection Authority (UODO) against ING Bank Śląski S.A., which was fined PLN 18,416,400 (around EUR 4,000,000). The case revolved around the bank’s widespread practice of copying and scanning ID cards of both existing and potential clients, even in situations where such a step was not required by law. The bank introduced this practice after the amendment of Polish anti-money laundering provisions, interpreting them as justifying the systematic copying of IDs.

 

The investigation revealed that between April 2019 and September 2020 the bank systematically scanned ID documents not only during customer onboarding, but also in contexts where no anti-money laundering (AML) obligations applied – for example, when a customer filed a complaint about an ATM. In practice, the bank’s internal procedures made the delivery of services conditional on handing over a scanned ID, leaving consumers with no real choice.

 

As emphasized in the decision, both AML law and the GDPR require banks to conduct a risk-based assessment and determine, case by case, whether copying an ID is genuinely necessary. ING failed to perform such assessments. Instead, it adopted blanket rules requiring ID copies in numerous situations, regardless of whether AML obligations applied. As a result, the bank processed extensive amounts of sensitive identifying information without a valid legal basis under Article 6 GDPR. Although no specific harm was demonstrated, the decision underscores that ID cards contain a wide range of personal data – including full name, date of birth, parents’ names, unique national ID number (PESEL), photograph, and document series. Taken together, these data significantly increase the risk of identity theft or fraudulent loans. Given that ING had millions of individual and corporate clients during the period in question, the potential consequences of such unnecessary data collection were substantial.

Produce Labels and the Circular Economy: CJEU interprets "Packaging" in Interfel (C-772/24)

On August 1, the CJEU delivered an interesting judgment in Interfel (C-772/24), which could assist in promoting sustainable consumption. 

Photo by amoon ra on Unsplash

In an effort to combat waste and support circular economy, French law prohibited the placing of labels directly on fruit or vegetables sold on French territory, unless the labels were home-compostable and made of bio-sourced materials (para 8). The idea was straightforward: consumers could more easily and sustainably dispose of spoiled fruit or vegetables. (Who has not spent hours of their life removing annoyingly sticky, unwilling-to-just-let-go labels from produce?) 

However, the question arose whether this national rule complied with Directive 94/62 on packaging and packaging waste. Article 18 of the Directive requires the Member States to permit the sale of products on their territory if their packaging complies with the Directive. This provision prevents Member States from imposing additional restrictions that could hinder the internal market.

The CJEU began by emphasising the Directive's environmental objectives: to reduce the impact of packaging and packaging waste on the environment, covering all packaging placed on the market (para 12). To assess whether the French measures complied with EU law, the Court examined the Directive's definition of "packaging". The term must be interpreted broadly (para 13), but still fulfil one of the functions set out in the Directive, namely: "containment, protection, handling, delivery and presentation of goods" (para 15). Packaging must also fall into one of the three categories: "sales packaging, grouped packaging or transport packaging" (para 17). Ancillary elements integrated into packaging are also considered packaging (para 20). Annex I to the Directive provides illustrative examples of packaging, including "labels hung directly on or attached to a product" (para 21).

In answering the national court's question, the CJEU stressed that, to qualify as packaging, a product must meet the above criteria (para 25). Specifically, it must perform at least one of the three main packaging functions: containment/protection, handling/delivery, or presentation. Labels on fruit and vegetables are typically smaller than the produce itself and therefore unlikely to provide containment or protection (para 28). Nor are they generally used for handling or delivery purposes (para 29). The remaining question was whether labels serve a presentation function - a matter the Court noted could depend on the specific context/ label (para 30).

In conclusion, the CJEU indicated that France may impose additional sustainable requirements for such labels, but only where the labels do not perform any of the three functions assigned to packaging under EU law.