GDPR Reform, AI, Digital Omnibus Among Key Privacy Issues in 2026, Lawyers Say
The new year will bring continued focus on the EU digital omnibus, GDPR reform in the U.K. and EU, AI governance, and cross-border data transfers, privacy lawyers predicted.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Review of and negotiations on the European Commission's digital omnibus package will continue in the European Parliament and Council, Tanguy Van Overstraeten, a Van Bael & Bellis digital, data and cyber attorney, emailed us Wednesday.
Some proposed changes should be "no-brainers," such as harmonization of data protection impact assessments and a single entry point for cybersecurity breach reporting, while other issues, such as reliance on grounds other than consent for cookies, are likely to be more controversial, Van Overstraeten said. He said he hoped the draft proposal would be split to allow adoption of some "low-hanging fruit" while debate on other issues continues.
Uncertainty around cross-border data transfers between the EU and U.S. "will persist," Van Overstraeten said. Monitoring potential changes will be crucial, including French Member of Parliament Philippe Latombe's challenge to the Data Privacy Framework (DPF) and further changes by the Trump administration that could affect the protection set out in the framework. "The private sector will need to get ready to implement viable alternative solutions."
The European Court of Justice agreed to hear Latombe's challenge to the EU General Court's dismissal of his challenge to the DPF (see 2512220034).
2026 will be an "absolute essential year" for how international data transfers are regulated, Hogan Lovells data protection attorney Eduardo Ustaran said in a Dec. 18 Data Chronicles video. In addition to the Latombe case, the EC is working on a new set of standard contractual clauses relating to data subjects who may be subject to the GDPR although outside the EU, and the European Data Protection Board is developing regulations for data processors using binding corporate rules, he said.
In the AI arena, the EC's proposal "will certainly undergo scrutiny" in 2026, Van Overstraeten said. Additionally, the intersection of AI regulation with personal and non-personal data protection rules will continue to raise compliance challenges, especially around automated processing and profiling activities. In the background of all this will be the need to boost EU competitiveness, said Van Overstraeten. "While ensuring the respect of EU core values, it will be important not to miss the train."
The EU's simplification strategy may have implications beyond Europe's borders, Van Overstraeten said. So far, the EU has been at the forefront of adopting rules, such as the GDPR, which have inspired lawmakers around the world. The question now is whether other jurisdictions will revisit their rules following EC reform proposals, he added.
In the U.K. and EU, reforming laws to make them more friendly to innovation was "very consistent" in 2025, Ustaran said. In parallel developments, the U.K. adopted the Data (Use and Access) Act, reforming the country's GDPR, followed by the EC's digital omnibus proposal, he noted.
These changes are controversial, and are viewed as a threat to the protections the law is meant to provide, Ustaran said. However, he added, he believes the reforms don't affect the principles of data protection law in the U.K. and EU but are instead an evolution to adapt the laws to new technologies.
AI governance will also be a top issue of 2026, Ustaran said. Additionally, online child protection is now a common denominator in DPAs' concerns, and that focus will continue, he added.