Two-Minute Recap - Data Protection Law Matters Around The Globe - 2026 May

European Commission Urges Member States to Roll Out EU Age Verification App

The European Commission has called on Member States to accelerate the deployment of the EU Age Verification App and make it available by the end of 2026. The app is designed to allow users to prove they meet a required age threshold without disclosing their exact age, identity, or other personal information, thereby supporting both child protection and privacy objectives. Member States may deploy the solution as a standalone application or integrate it into the future European Digital Identity Wallet. The initiative is intended to support compliance with the Digital Services Act (DSA) and strengthen the protection of minors from harmful online content.

Irish Regulator Investigates SHEIN Over Data Transfers to China

The Irish Data Protection Commission (“DPC”) has launched an inquiry into SHEIN Ireland regarding the transfer of personal data of EU/ EEA users to China. The investigation will assess whether SHEIN Ireland has complied with its obligations under the GDPR, including the data processing principles set out in Article 5, the transparency obligations under Article 13, and the requirements governing transfers of personal data to third countries under Chapter V.

Announcing the inquiry, Deputy Commissioner Graham Doyle emphasised that personal data transferred outside the EU must be afforded a level of protection essentially equivalent to that guaranteed within the EU. The DPC further noted that recent regulatory actions and complaints concerning transfers of personal data to China have brought such transfers into sharper focus and identifies the inquiry as a strategic enforcement priority.

The investigation highlights the continued regulatory scrutiny of cross-border transfers of personal data, particularly where transfers are made to a European Commission adequacy decision.

Canadian Privacy Regulators Conclude OpenAI’s Early Chatgpt Training Practices Violated Privacy Laws

Canadian federal and provincial privacy regulators have concluded that OpenAI’s initial development and deployment of ChatGPT did not comply with applicable Canadian privacy laws. A joint investigation by the federal Privacy Commissioner and privacy authorities in Quebec, British Colombia and Alberts identified several concerns relating tot the collection and use of personal information for training the AI model.

The investigation found issues including the overcollection of personal information, insufficient consent and transparency mechanisms, inaccuracies involving personal data, limitations on individuals’ ability to access, correct or delete their information, and inadequate accountability measures. Regulators also noted that large volumes of personal information were used during the early training and deployment of ChatGPT.

In response to the investigation, OpenAI implemented a number of measures to strengthen privacy protections, including significantly limiting the personal and sensitive information used to train future models and enhancing transparency regarding the use of ChatGPT. The findings reflect increasing regulatory scrutiny of the use of personal data in AI development and highlight the importance of transparency, accountability and privacy-by-design principles in the deployment of generative AI systems.

Spanish Data Protection Authority Launches Interactive Data Breach Monitoring Tool

The Spanish Data Protection Authority (AEPD) has launched an interactive platform that enables users to monitor personal data breach notifications through a dynamic and visual interface. The new tool replaces the monthly publication of statistical reports in PDF format and provides real-time access to information relating to reported security incidents.

The platform allows users to analyse breach notifications based on a range of criteria, including the affected sector, the nature of the incident and its underlying cause. It also enables the examination of trends over specific periods, allowing users to track developments in reported data breaches over time.

The initiative forms part of the AEPD’s 20252030 Strategic Plan and reflects the authority’s commitment to enhancing transparency and accountability in the field of data protection The AEPD has also indicated that it intends to make relevant datasets available as open data in the future, facilitating further research and analysis by privacy professionals and academics.

Texas Sues Netflix Over Alleged Tracking and Use of Children’s Data

Texas Attorney General Ken Paxton filed a lawsuit against Netflix, alleging that the company collected and processed extensive user data, including data relating to children, without adequately informing users. The lawsuit further claims that Netflix used design features such as autoplay to increase user engagement and shared user data with data brokers for advertising-related purposes.

According to the complaint, these practices may violate the Texas Deceptive Trade Practices Act. Texas is seeking, among other remedies, the deletion of data allegedly collected from Texans through deceptive practices, restrictions on targeted advertising and the deactivation of autoplay by default for children’s profiles.

ICO Publishes Guidance on Protecting Organisations Against AI-Powered Cyber Threats

ICO has published guidance outlining five key steps organisations can take to strengthen their resilience against AI-powered cyber threats. The guidance highlights a range of emerging risks including AI-enhanced phishing attacks, deepfake-based social engineering, automated vulnerability scanning and exploitation, AI-powered malware, credential attacks, data poisoning, and indirect prompt injection attacks.

The ICO emphasises the importance of understanding AI-related cyber risks, strengthening foundational cybersecurity controls, adopting a layered defence strategy, restricting access privileges, enhancing monitoring and incident response capabilities, and ensuring appropriate protection of personal data through technical and organisational measures. The guidance also encourages organisations to implement AI governance frameworks and conduct data protection impact assessments where AI systems process high-risk personal data.

The publication reflects increasing regulatory attention to the cybersecurity implications of artificial intelligence and reinforces organisations’ obligations to safeguard personal data under the UK GDPR while adapting existing security frameworks to address AI-enabled threats.

ICO Recommendations to Restrict Cookie Consent Exemptions to Contextual Advertising

In May 2026, the Information Commissioner’s Office (“ICO”) released its recommendations to the UK Government on potential changes to online advertising rules under the Privacy and Electronic Communications Regulations (“PECR”). The advice formed part of the Government’s wider review into how online advertising rules might need to change to support innovation while still serving privacy protection purposes.

These potential reforms could reduce the number of situations in which consent is required and have been welcomed by many sectors that support a move away from this additional requirement for certain low-risk forms of online advertising, particularly contextual advertising where advertisements are shown based on the content being viewed rather than an individual’s online behaviour. The ICO indicated that consent should remain necessary for behavioural advertising models involving tracking and profiling, particularly where they rely on cross-site tracking.

The ICO noted that no legal changes have been made at this stage and that the current PECR framework remains in effect. Ultimately, any changes to the consent framework would be a matter for the UK Government to decide.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.