ARTICLE
28 January 2026

Data Protection Day 2026

William Fry

Contributor

William Fry is a leading corporate law firm in Ireland, with over 350 legal and tax professionals and more than 500 staff. The firm's client-focused service combines technical excellence with commercial awareness and a practical, constructive approach to business issues. The firm advises leading domestic and international corporations, financial institutions and government organisations. It regularly acts on complex, multi-jurisdictional transactions and commercial disputes.

2025 witnessed another seismic shift in the data protection law space as Europe's regulatory framework continued to evolve in response to technological advancements and accelerated digital transformation.

The various proposals to simplify the GDPR took centre stage, including the European Commission's proposed Digital Omnibus Package. In this update, members of our Technology group reflect on 2025's key developments and highlight some anticipated trends for 2026.

1. Proposed GDPR simplification and new rules

On 19 November 2025, the European Commission released its Digital Omnibus Package, a reform that seeks to overhaul significant parts of the EU's digital laws, including the GDPR (for detailed insights on the Package and related insights, read our updates here and here). The Digital Omnibus Package post-dated the European Data Protection Board (EDPB)'s Helsinki Statement in July 2025, which represented a commitment to make GDPR compliance more achievable for small businesses.

If implemented, the proposals will streamline and simplify rules across data protection, cybersecurity, and AI, particularly benefiting small-to-medium enterprises (SMEs) and small mid-caps (SMCs) through expanded compliance exemptions, such as relief from certain GDPR record keeping (e.g. the requirement to maintain a ROPA), and other operational obligations. The Digital Omnibus Package also introduces new provisions under the GDPR, including:

  • to move existing cookie rules from the e-Privacy Directive to the GDPR, simplifying the standards of consent required for cookies where personal data is concerned; and
  • to centralise certain responsibilities at an EU level, in particular imposing responsibilities on the EDPB. For example, it requires the EDPB to oversee a single list of processing activities that require a DPIA, and to prepare a "common notification" template for personal data breaches.

The proposals may also prove a welcome relief to organisations developing, training, or deploying AI in their businesses, as they expressly recognise legitimate interests as a legal basis for the development and operation of AI systems and models (subject to certain safeguards). The proposals also include new derogations from the general prohibition (under the GDPR) on processing special category personal data for:

  • residual processing of that data for the development or operation of an AI system or model (subject to certain conditions being met); and
  • processing biometric data for the purposes of identifying an individual (where the data in question is under the control of that individual).

Crucially, the Digital Omnibus Package proposes to clarify the definition of personal data by codifying Court of Justice of the European Union (CJEU) case law on identifiability and pseudonymisation, so that if a given entity does not have the means to identify someone from the data it holds (considering the means reasonably likely to be used by that entity), that data will not be considered personal data. This approach adopts the standard set out in the CJEU's September 2025 judgment in C-413/23 P (EDPS v SRB). Read our article about this case at The Art of Staying Anonymous Confirmed.

What's coming next?

The Digital Omnibus Package is evolving, and its trajectory will be subject to heavy debate from European stakeholders as it moves through the EU's ordinary legislative process. For businesses, the momentum for simplification is building but will take more time. It is also important to note that the proposals seek to enhance the GDPR rather than revolutionise its rules.

2. Individuals & data protection claims for compensation

Ireland

2025 saw the continued judicial interpretation of the parameters for non-material damage claims under Article 82 of the GDPR, first established in May 2023 in UI v Österreichische Post AG (the Austrian Post case) (read our insights on the decision here).

In Ireland, the Circuit Court in M.H. v Child and Family Agency [2023] IECC 11 awarded €7,500, the highest GDPR award for non-material damages in an Irish court, emphasising that the seriousness of a breach, particularly involving sensitive or confidential personal data, directly influences the level of non-material damages recoverable. By July 2025, the Supreme Court in Dillon v. Irish Life Assurance plc [2025] IESC 37 clarified that standalone claims for emotional disturbance, such as anxiety, distress, or inconvenience, falling short of a recognised psychiatric injury, do not constitute personal injury claims and therefore a PIAB authorisation is unnecessary to bring such a claim. However, the Supreme Court stressed that such actions will attract only "very, very modest awards." For more information on these cases, please read our previous briefings here and here.

European Union

Decisions at a European level have also proved to be insightful:

  • In January, the General Court in Case T-354/22 (Bindl v European Commission) awarded €400 in compensation after the applicant's personal data, specifically his IP address, was transferred to a third country without adequate safeguards, which was sufficient to constitute non-material damage justifying compensation.
  • In September, the CJEU in Case C-655/23 (IP v Quirin Privatbank AG) provided clarification on remedies under Article 82 of the GDPR. The Court confirmed that non-material damage includes negative emotional responses, such as fear or annoyance, stemming from loss of control or potential misuse of personal data, but that such damage must be proven by the data subject.
  • Lastly, in October, in T-348/20 RENV (OC v Commission), the General Court awarded €50,000 where an OLAF press release rendered the applicant indirectly identifiable despite not actually naming them, underscoring that identifiability through contextual details can trigger liability for non-material damage.

What's coming next?

Looking ahead, a continued and growing stream of court decisions for these non-material damage claims is expected. However, damages awarded are anticipated to remain modest.

3. International data transfers

In 2025, several significant developments shaped international data transfers under the GDPR. In April, a decision by the Data Protection Commission of Ireland (DPC) found that TikTok's remote access practices amounted to a "transfer" under Chapter V of the GDPR, reinforcing that any remote access to personal data in the European Economic Area (EEA) from a third country could trigger international data transfer rules. The DPC also held that TikTok failed to verify that the personal data of those users was afforded a level of protection essentially equivalent to that guaranteed within the EU.

In June, the EDPB adopted the final version of its Guidelines on Article 48 of the GDPR, confirming that foreign court or authority orders have no effect in the EU without an international agreement. In September, the EU General Court upheld the EU–US Data Privacy Framework (DPF) in Case T-553/23 (Latombe v Commission), confirming that the United States (US) ensured an adequate level of protection at the time of the Commission's decision. In 2025, the European Commission also advanced two adequacy initiatives:

  • it published a Draft Adequacy Decision for Brazil in September, followed by the EDPB's November opinion, moving closer to enabling EU–Brazil data flows (confirmation of adequacy is expected in the coming days); and
  • on 19 December, it renewed both the United Kingdom (UK) adequacy decisions, confirming that transfers to the UK may continue without supplementary measures.

What's coming next?

Expect to see further data localisation by businesses and continued pressure on existing adequacy decisions, including on the DPF, which remains vulnerable to challenge amidst global geopolitical and national security tensions. Businesses should ensure that adequate mechanisms are in place across their contractual framework (e.g. standard contractual clauses (SCCs) and data transfer impact assessments) to ensure compliance while preparing for the possibility that external factors could upend key transfer mechanisms. In 2026, the European Commission is expected to issue a new set of SCCs for non-EU businesses subject to the GDPR's territorial scope under Article 3(2).

4. AI and data protection

The convergence of data protection and AI remained a core issue in data protection law in 2025, particularly as the data‑intensive nature of AI forced regulators to propose legislative pauses (e.g., the AI Act) and to release new guidance. In particular, the Digital Omnibus Package proposes to reshape elements of the AI Act (see our insights on this here).

In January, the EDPB issued guidelines on pseudonymisation, making clear that pseudonymisation must involve more than simply removing identifiers and requires robust safeguards to ensure that re-identification is genuinely difficult. For organisations deploying AI systems, this meant that privacy protections cannot be an afterthought; they must be built into the design of models and data processes from the outset.

In February, the CJEU confirmed, in Case C‑203/22 (Dun & Bradstreet Austria GmbH), that individuals subject to automated decisions are entitled to a meaningful explanation of the logic involved, requiring controllers to give clear, understandable information while protecting third-party confidentiality. In April, the DPC brought an inquiry into X in respect of the processing of personal data contained in publicly accessible posts for the purposes of training its Grok LLM models. That inquiry also considered the adequacy of data protection impact assessments for generative AI.

By July, the European Commission settled its Code of Practice for General Purpose AI (GPAI) Models (read our insights here). And in August, the EU AI Act's obligations for GPAI came into force, introducing strict documentation and systemic risk management requirements. These overlap with GDPR duties on lawful bases and transparency. By the time the Digital Omnibus Proposal was published in November, many organisations had (or should have) begun mapping compliance requirements to avoid duplication and gaps across these legislative frameworks.

What's coming next?

Expect significant debate around the proposals to simplify the AI Act's obligations under the Digital Omnibus Package. While the Digital Omnibus Package is presented as an effort to simplify and save businesses a compliance burden, organisations may be confused by some elements. For example, the start date for the rules on high-risk AI systems is unclear. In addition, continued societal issues around the use of AI (e.g. transparency, the use of AI to generate "deep fakes" or illegal content by bad actors) will keep these rules in focus.

5. Protection of Children's Personal Data

2025 marked a pivotal year in which regulators sharpened their focus on protecting children's personal data, underscoring the need for stronger safeguards (as expected) across an increasingly digital environment. In February, in its Statement on Age Assurance, the EDPB urged proportionate age verification measures, warning that excessive data collection will result in a breach of the GDPR's data minimisation principle (read our insights here).

March brought EDPB guidelines clarifying how the obligations in the Digital Services Act (DSA) on advertising and recommender systems align with the GDPR. The guidelines identify risks to individuals where personal data used to suggest content to individuals or influence their behaviour lacks accuracy and transparency, and outline that the prohibition on personalised advertising to minors based on profiling can qualify as a legal basis under the GDPR to process personal data in the context of age assurance (subject to conditions). In July, the EU Commission published guidance on the protection of minors under the DSA, introducing requirements for default privacy settings, profiling limits, and reporting pathways to protect minors.

In October, a cooperation agreement between Coimisiún na Meán and the Data Protection Commission signalled deeper regulatory convergence, with joint enforcement likely where content regulation or moderation overlaps with data protection.

What's coming next?

Looking ahead, regulators will continue to prioritise children's data and other areas which they perceive to be at risk of most harm. Concern over illegal content and online safety (particularly, the safety of children) will likely drive tougher scrutiny on age assurance, data minimisation and the collection of children's personal data by businesses. Expect more regulatory guidance, enforcement and decisions, particularly as risks linked to AI-generated content attract public attention.

6. Cybersecurity and Data Protection

Cybersecurity remained at the core of data protection issues in 2025. In January, the Digital Operational Resilience Act (DORA) took effect for financial entities, making ICT risk management a strategic priority. DORA introduced resilience testing and incident-reporting obligations that closely align with GDPR security requirements. Boards are now expected to demonstrate active oversight of third-party risk. At the same time, the Network and Information Systems Directive (EU) 2022/2555 (NIS2) significantly widened the EU's cybersecurity net, imposing stringent risk management, board and management oversight responsibilities, and governance and incident reporting duties on essential entities across multiple sectors.

While Ireland has yet to implement NIS2 into Irish national law, the National Cyber Security Centre of Ireland (NCSC), as Ireland's lead competent authority authorised to supervise and enforce NIS2, has sought to be proactive in preparing for its imminent and expanded role under NIS2. In June, it published draft guidance setting out detailed Risk Management Measures to help organisations adhere to their obligations under NIS2, while it also announced its participation as a scheme co-owner in the Cyber Fundamentals Framework, a voluntary framework which will further support in-scope entities to implement NIS2 requirements (and eventually achieve certification, if desired). Read more about these updates here.

Additionally, at a European level, both the EU Commission and data protection regulators released cybersecurity guidance. In March, the EU Commission launched its cybersecurity plan for the health sector, setting baseline controls and resilience testing to address heightened sensitivity around medical data breaches. Controllers must integrate these measures with GDPR obligations to avoid dual exposure and maintain patient trust (read our previous briefing here). In April, the EDPB issued guidelines on blockchain technologies, highlighting the tension between blockchain's immutability and GDPR erasure rights (see more insights here).

What's coming next?

Expect full implementation of NIS2 in Ireland through the National Cyber Security Bill and sector-specific guidance. Geopolitical events and high-profile cybersecurity incidents are likely to continue to amplify scrutiny of critical infrastructure and the operational resilience of businesses, making harmonisation of DORA, NIS2, and GDPR security frameworks a strategic imperative for organisations operating in high-risk sectors.

Conclusion

As data protection law continues to evolve, we have seen a maturing regulatory framework that seeks to balance robust data protection rules with the practical realities of doing business in a digital economy. Organisations should closely monitor these developments and future trends to assess how their compliance strategies may be affected.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
