📬 NicFab Newsletter

Issue Zero - December 9, 2025

Privacy, Data Protection, AI, Cybersecurity & Tech Law - Weekly Review


Welcome to the inaugural issue of the weekly newsletter dedicated to privacy, data protection, artificial intelligence, cybersecurity, and ethics. Every Tuesday, you’ll find a curated selection of the most relevant news from the previous week, with a focus on European regulatory developments, case law, enforcement, and technological innovation.


📰 FROM LAST WEEK (December 1-7, 2025)

🖊️ FROM MY BLOG

Safer Internet Forum 2025 and the European Framework for Child Online Protection

The European Commission opened the Safer Internet Forum 2025 by presenting three fundamental pillars: DSA guidelines on minors’ protection (July 2025), an age-verification blueprint, and the first enforcement actions against Snapchat, YouTube, the Apple App Store, and Google Play. Comprehensive analysis of the European framework for children’s online safety.

📖 Read the full article


🇪🇺 FROM EUROPEAN INSTITUTIONS

⚖️ Court of Justice of the EU

Judgment C-492/23 - Russmedia Digital (December 2, 2025)

The CJEU establishes that the operator of an online marketplace is a data controller for personal data contained in advertisements published on the platform. They must implement technical measures to verify consent before publication, identify advertisements with sensitive data, and prevent unlawful copying to other sites. They cannot invoke the e-commerce directive to escape GDPR obligations.

📄 CJEU Press Release


🏛️ European Parliament + Council

Payment Services: Agreement on Protection from Online Fraud and Hidden Fees (November 27, 2025)

Parliament and Council reached a provisional agreement on a more open and competitive EU payment services sector, with strengthened defenses against fraud and data breaches. The new rules aim to protect consumers from growing cybercrime threats in the digital financial sector by imposing higher security standards and greater transparency on fees.

🔗 EP Press Release


🏛️ European Commission

TikTok - Commitments on DSA Advertising Transparency (December 5, 2025)

The Commission accepts TikTok’s binding commitments on advertising transparency under the Digital Services Act, avoiding formal sanctions.

🔗 Press Release

X (Twitter) - €120 Million Fine for DSA Violations

Penalty for violations of transparency obligations, content moderation, and cooperation with authorities under the Digital Services Act.

🔗 Press Release

EU Digital Omnibus Package (November 19, 2025)

📖 Digital Omnibus on AI: European Commission Proposes Simplifications to the AI Act

📖 Digital Omnibus: Cookies, GDPR and AI Training - New European Privacy Rules


📊 European Parliament

Report: Youth and Social Media (December 6, 2025)

In-depth analysis of risks for young people using social media, focusing on minors’ data protection, AI algorithm impact, inappropriate content, and addiction mechanisms.

🔗 EU Think Tank Report

Study: Interplay between AI Act and EU Digital Legislation

A study commissioned by the ITRE Committee analyzes regulatory overlaps among the AI Act, GDPR, DSA, DMA, Data Act, and CRA. Highlights duplicate burdens, procedural uncertainties, and negative impact on competitiveness: only 3 EU companies in Forbes AI 50 vs. 42 US companies. Recommends enforcement coordination, mutual recognition of impact assessments, and medium- to long-term simplification.

🔗 Full EP Study


🤝 EDPB + European Commission

Joint Guidelines DMA-GDPR (consultation closed December 4, 2025)

Joint EDPB-Commission guidelines on the interaction between Digital Markets Act and GDPR for gatekeepers. Next step: AI Act-GDPR guidelines (in preparation with AI Office) to clarify overlaps between impact assessments (FRIA vs. DPIA).

🔗 EDPB Announcement


AI Standardisation: acceleration underway

The following information comes from the Inclusiveness Newsletter curated by ETUC (European Trade Union Confederation), which provides secretariat services to the CEN-CENELEC JTC 21 Inclusiveness Task Group. This newsletter represents a valuable source for tracking progress in European AI standardisation, ensuring representation of workers’ perspectives as well.

The European AI standardisation landscape is experiencing a phase of strong acceleration. During the CEN-CENELEC JTC 21 plenary meeting held in Copenhagen in November, the European Commission reiterated the tight deadlines for delivering standards supporting the AI Act. The most significant development concerns the Omnibus proposal presented on November 19th: the application of rules for high-risk AI systems will now be linked to the actual availability of harmonised standards, a shift in perspective that could ease immediate pressure on companies.

On the operational front, the first European standard – prEN 18286 on quality management systems – has entered Public Enquiry with a deadline of January 22nd, 2026. Standards on transparency, human oversight, and robustness of AI systems will follow shortly. Meanwhile, the Commission’s AI Service Desk has been operational since October, providing a dedicated helpdesk for AI Act questions accessible in all official EU languages.

For those seeking immediate practical tools, I recommend the Danish DS PAS 2500 guides (now available in English) on transparency, bias, and AI literacy, as well as the Academic Guide to AI Act Compliance prepared by French researchers, which offers an operational approach to compliance following the structure of ISO management system standards.


๐ŸŒ FROM AROUND THE WORLD

๐Ÿ‡บ๐Ÿ‡ธ United States - Privacy & Data Protection

FTC Sanctions Illuminate Education for Data Breach (December 1, 2025)

A data breach affecting over 10 million students (December 2021) was caused by a former employee’s credentials not being revoked after 3.5 years. Settlement imposes: implementation of a comprehensive security program, deletion of unnecessary data, a public retention schedule, and rapid notification of future breaches.

🔗 FTC Press Release

California Privacy Protection Agency - Enforcement (December 3, 2025)

CPPA fines marketing company ($56,600) for selling “custom audiences” without registration as a data broker, intensifying the Delete Act and data broker regulation enforcement in California.

🔗 CPPA Announcements

20 US States with Comprehensive Privacy Laws (January 1, 2025)

New laws entered into force: Delaware, Iowa, Nebraska, New Hampshire, New Jersey. Emerging trends: lower applicability thresholds, broader definitions of sensitive data, profiling/automated decision-making regulation, strengthened protections for minors, reduction/elimination of right-to-cure periods.

🔗 Chambers Practice Guide 2025


🤖 Artificial Intelligence

Trump Administration - AI Regulation Debate

US Senate votes almost unanimously to remove ten-year moratorium on state AI regulation from GOP legislative proposal. Federal vs. state tension: California, Colorado, Utah, Texas already have AI laws. Leaked Executive Order suggests possible preemption of state laws.

🔗 The Stute Analysis

China Proposes World AI Cooperation Organization (WAICO)

President Xi Jinping relaunches proposal for global AI governance through dedicated international organization. Chinese focus: open-weight models, AI+ policy for economic growth, early regulation (since 2022), and a concentration on practical applications vs. AGI.

🔗 Nature Article


🔒 Cybersecurity

Global Data Breaches 2025 - Experian Report (December 7, 2025)

Over 8,000 global breaches in the first six months of 2025, with 345 million records exposed. 2026 projections: increased AI use by cybercriminals (agentic AI, polymorphic malware), growth of women in cybersecurity sector (from 11% to 35%), quantum computing + AI as new attack frontier.

🔗 Report Analysis

Notable Breaches of the Week

Coupang (South Korea): 34 million customers. British Telco Brsk: 230,000+ records with personal and installation data. GitLab: 17,430 verified secrets in public repositories (API keys, passwords, tokens). Air France/KLM: incident on third-party customer support tool.

🔗 Cyware Breach News

US Energy Infrastructure - Security Alert (December 3, 2025)

Congressional testimony confirms: US energy systems are already compromised by state actors (primarily China). Concern about reduced federal support for grid security programs amid rising threats.

🔗 DataBreachToday Coverage

Apache Tomcat Vulnerability CVE-2025-48989

Critical HTTP/2 “MadeYouReset” flaw allows server memory exhaustion. Affected versions: 11.0.0-M1 to 11.0.9, 10.1.0-M1 to 10.1.43, 9.0.0.M1 to 9.0.107. Patches available: urgent update required.

🔗 BrightDefense Alert


🔬 TECH & INNOVATION INSIGHTS

Quantum Technologies and AI: A Necessary Partnership (OECD, December 3, 2025)

OECD analyzes how AI has become fundamental to quantum technology development: supports quantum computing (optimization of error correction from 1% to 0.0001%, system emulation up to 50 qubits), quantum sensing (noise filtering, complex data interpretation, GPS-free navigation), and quantum communication (transmission error management, hybrid quantum-classical network optimization).

🔗 OECD.AI Article

O’Reilly Radar Trends: Tech Landscape December 2025

Summary of relevant tech trends: release of next-generation AI models (Gemini 3, GPT-5.1, Opus 4.5, Olmo 3), AMD GPU tools (HipKittens), agentic IDEs (Antigravity), security (TEE attacks, CoPhishing via Copilot), infrastructure projects (space data centers, NANDA for decentralized AI agent network). Focus on LLM linguistic bias and AI-generated music copyright.

🔗 O’Reilly Radar


📅 UPCOMING EVENTS (December 9-15, 2025)

EU Council - Transport, Telecommunications and Energy (December 9-10)

  • Approval of conclusions on European competitiveness in the digital decade
  • Exchange of views on DSA application regarding platforms and e-commerce
  • Debate on simplification and digitalization to reduce business burdens in the digital sector

🔗 Forward Look Consilium


💡 ANALYSIS COMMENTARY

The Week That Crystallized 2025’s Tensions

The first week of December 2025 offered a clear snapshot of the tensions that will characterize the coming year in the global tech-legal landscape.

On the European front, the Russmedia judgment represents an interpretive turning point: the Court of Justice confirms that the GDPR prevails over other digital regulations regarding personal data protection. The message is clear: platforms cannot hide behind the status of “mere hosting provider” to avoid data processing responsibilities. This hard line is also reflected in DSA enforcement against X (€120M) and the closure of consultation on DMA-GDPR guidelines, signaling an acceleration in implementing the new European digital framework.

The agreement on payment services, with a reinforced focus on online fraud and data breaches, confirms that cybersecurity has become an integral part of financial regulation. It’s no longer just a technical issue: it’s a legal requirement with concrete consequences for those who don’t comply.

Paradoxically, while the EU intensifies enforcement, the Digital Omnibus implicitly admits what the European Parliament study explicitly documents: excessive regulation is stifling European innovation. Only 3 EU companies among the global top 50 AI companies is a figure that should alarm. The proposed simplification is a necessary but belated step, and raises an uncomfortable question: is it possible to maintain European regulatory leadership without technological competitiveness?

Across the Atlantic, the United States shows growing fragmentation. With 20 states having comprehensive privacy laws and others legislating on AI, the much-invoked federal law seems further away than ever. The Senate’s vote against the state AI moratorium is significant: even in a politically polarized context, there’s bipartisan consensus that AI regulations cannot wait. The question is how to regulate, not whether to regulate.

The cybersecurity dimension emerges as the common thread connecting all other themes. The 8,000+ breaches in the first half of 2025 are not just statistics: they’re symptoms of digital infrastructure built with security as an afterthought. The Illuminate Education case (credentials not revoked for 3.5 years!) is emblematic of a still-immature security culture, despite decades of breaches. And when the US Congress confirms that state actors already compromise critical energy infrastructure, we understand we’re not talking about future threats but about present vulnerabilities.

The quantum-AI convergence described by OECD opens fascinating but also concerning scenarios from a regulatory standpoint. How will the AI Act apply to hybrid quantum-AI systems? How to ensure transparency and explainability when quantum mechanics itself challenges our capacity for deterministic understanding? And above all: while Europe debates regulatory simplification, China and the US race ahead on quantum computing and generative AI. The risk is that when Europe has simplified its rules, the technology will already be elsewhere.

Online child protection, the subject of my article and the EP report, perhaps represents the only area where there’s convergence between rigorous enforcement (Snapchat, YouTube) and public consensus. But even here tensions emerge: the age verification systems required create new honeypots for attackers, as highlighted in the cybersecurity roundup. Every solution generates new problems.

In summary: 2025 confirms itself as the year of real accountability. Regulatory frameworks are no longer enough; enforcement is needed (Russmedia judgment, X fine, FTC vs. Illuminate). Proclaiming “privacy by design” is no longer enough; consequences are needed when you fail (€120M is a credible deterrent). And talking about “ethical AI” is no longer enough; concrete choices are needed on how to balance innovation and protection.

The question this week leaves open is: Will Europe manage to find this balance before it’s too late? Or will we continue to be the continent that writes the best rules for technologies developed elsewhere?


📧 Edited by Nicola Fabiano
Lawyer - Studio Legale Fabiano

🌐 Studio Legale Fabiano: fabiano.law
🌐 Blog: www.nicfab.eu
🌐 DAPPREMO: www.dappremo.eu


This is the inaugural newsletter. Feedback and suggestions are welcome to improve future editions. See you next Tuesday!