A view from Brussels: Three themes from Congress 2025

Looking at the agenda of the IAPP European Data Protection Congress is always a good gauge of the hot and business-as-usual topics within the community of privacy professionals. This year's conference was dominated by three big themes.

The first was job descriptions. Many privacy professionals in attendance commented on the shifts of mission and duties over the past year. The addition of broader data policies and artificial intelligence obligations continues to be a solid trend for many professionals. Similarly, several sessions addressed how this change translates into the regulatory environment. Who is regulating AI? Who is responsible for what in the AI high-risk value chain? What is the role of the new chief trust officer position that starts to emerge in many companies?

The second theme that colored many discussions was the combination of values and technology. In the macro-economic context, the definition and impact of digital sovereignty emerged as very influential parameters, given their implications for the ecosystem, service providers' value chains, cross-border data transfers, and the permeability of rules and standards to the geopolitical current.

Last but certainly not least, the third and most obvious theme was simplification. The Digital Omnibus proposals published by the European Commission on 19 Nov. were the talk of the town. The level of anticipation made for very lively reactions. Many observers reached a general consensus that simplification is needed, but the devil is in the details. How far can rules be adapted without simplification being at the expense of core data protection principles? There may not be an answer to that yet, but European Data Protection Board Chair Anu Talus already cautioned that data protection authorities will pay close attention. 

Elsewhere, this week also marked a few General Data Protection Regulation developments.

The European Council's 17 Nov. adoption marked the final step for the GDPR Procedural Regulation. After more than two years of negotiations, the new EU rules aim to streamline national administrative procedures to improve cross-border enforcement of the GDPR. The regulation will enter into force shortly after its publication in the Official Journal of the EU. 

Organizations, individuals and national authorities will have 15 months to prepare for the changes, including harmonizing complaint admissibility requirements, revising rights of complainants and parties under investigation, simplifying the cooperation procedure between national DPAs for straightforward cases, and amending rules on deadlines for completing investigations.

In line with the promises set in the Helsinki Statement, the EDPB is working on finding ways to improve GDPR implementation. The EU data protection regulator is not looking to changing the law, but rather at how to facilitate its application. It is running a public consultation until 3 Dec., asking companies what templates it could develop to help them comply with GDPR rules. The EDPB already identified several topics to work on, including data protection impact assessments and data breach notifications, but this public consultation gives a chance for organizations to ask for plug-and-play tools on other relevant issues.

The EDPB published its opinion on the European Commission's draft adequacy decision for Brazil. In its opinion, the EDPB is positive about Brazil's data protection framework and its alignment with the European rules. However, it recommends taking a closer look at certain aspects, such as practical implementation of DPIA requirements, commercial and industry secrecy limitations to the provision of information to the data subject or the supervisory authority under Brazil’s data protection law, rules on onward transfers and government access. If adopted, this decision will make Brazil the 17th country to be benefit from the free flows of personal data from Europe.  

Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.